Key Capitol Hill Hearings, CSPAN, August 14, 2016, 5:11am-7:01am EDT
5:11 am
trump, who is against trade deals. how do you explain the opposition of clinton and donald trump? >> it is interesting to hear this issue tossed around on the campaign trail. hillary, to start, was pulled to the left by bernie sanders. she did support this as secretary of state. she says she does not see high enough labor standards. she thinks the deal will hurt american working families. -- say if bernie sanders had not been in the race whether she would have come out with the same position. on other areas, she is running on obama's ticket and legacy. donald trump has many products made in china. in his businesses, he does use foreign labor.
5:12 am
he is trying to present himself as advocating for the american worker and the everyday man. i think that he does not like this deal because it sends jobs overseas; he is trying to appeal to the electorate. >> you have republicans and democrats both for and against on both sides of the aisle. how do you account for that? >> you have different areas of the country -- they feel differently. if they elect a republican, that republican may be for trade. you're looking at industrial states like pennsylvania and ohio, and then you may have some port cities or washington and oregon that are dependent on exports and trade.
5:13 am
it is not so much the partisan politics of the state as the geographic importance. >> a trade reporter for politico. thank you for being here. years after a supreme court ruling, courts across the country have struck down state laws, saying they discriminate against specific sets of voters. saturday night, we look at voting rights and the impact on the 2016 election. we will feature part of the 2013 supreme court oral argument in shelby. -- of congress look at whether to restore that. this voter id -- a lot of places are not going to have that. what does that mean?
5:14 am
you just keep walking in and voting? >> what is happening is a sweeping effort to disempower and disenfranchise people of color, poor people, and young people from one end of our country to another. >> watch our issue spotlight on voting rights, saturday night at 8:00 p.m. eastern on c-span and c-span.org. after the recent hacking of e-mails at the dnc, bloomberg news writes that another set of e-mails were compromised, this time at the democratic congressional campaign committee. someone by the name of -- 2.0 released e-mails. this weekend, nancy pelosi sent -- to members and their staff warning them of the situation. it reads -- i have
5:15 am
received scores of mostly obscene and sick calls. i am changing my phone number and i advise you to do so as well. this is a sad course of events, not only for us, but more importantly for our country. the hacking is under investigation by the fbi. now, federal cyber security officials discuss their efforts to protect the federal i.t. infrastructure. adobe systems sponsored this forum. this is about one hour and 45 minutes. >> good morning and welcome. i am the president of government executive media group.
5:16 am
it is my pleasure to welcome you. i want to point out another thing that you have on your chair, which is another event we have upcoming. it is a weeklong celebration of everything of interest to the feds. we are going to look at workforce, technology and transition -- three pillars -- and have a weeklong packed group of events. you can see the whole schedule. we hope you will join us for this event. housekeeping. take a moment to silence your cell phones. do not put your cell phone away. we want you to tell us how we
5:17 am
are doing. we want this to be a lively discussion. send your comments and suggestions. #ngcyber. adobe has underwritten our customer experience summits. we are thrilled to partner with them again. to start things off this morning, we are privileged to have trevor rudolph participate. he is the chief of the cyber and national security unit, the first-ever team tasked with strengthening cyber security. in this role, he is responsible for advising the federal chief. his team led a successful cyber security sprint
5:18 am
and the federal strategy and implementation plan. join me in welcoming trevor rudolph to the podium this morning. trevor. [applause] mr. rudolph: good morning everyone. it is a pleasure to be here. i want to thank everyone in the audience for your attendance, and adobe for hosting and sponsoring the event. i jumped at the opportunity to do this this morning because i see part of my role as being an advocate for federal cyber security professionals and telling what i call the whole story. what i mean by that is that good
5:19 am
news rarely makes headlines. i will take the opportunity to brief you this morning on some, i think, encouraging developments. to get started, a common question i get is -- as a community, we can see that the white house is publishing a lot of policies. to what end? what is the strategy? as folks remember, about a year ago, we had a number of devastating cyber security incidents that impacted millions of people. as a result of those incidents, we realized that our basic cyber hygiene was not where it needed to be. through the course of that 30 day target, our focus was on
5:20 am
high-impact operational actions to shore up the hygiene as quickly as possible. a couple of highlights. the scores went up, unprecedented in terms of progress. incidents were related to poor authentication. critical vulnerabilities are down 99%. agencies are reporting to us the time it takes them to detect incidents has been cut in half. all good news. then, into the cyber security strategy and implementation plan. the goal was to shore up our policies and procedures in a 12 month time frame. we realized we did not have a lot of time left.
5:21 am
the goal was not to dramatically change the face of cyber security but to get our house in order. the majority of those tasks are very much on their way to full implementation. lastly, and what we are focused on today, is the cyber security national action plan. the president announced the plan with the fy 17 budget in february, and it is a combination of a number of issues that we think and feel strongly will drive strategic change, not just with this administration but into the next one. we will talk a little bit about the details there. a lot of people ask me -- what is the plan? you go to the white house webpage and you will get a high-level overview of what it is. let us dive deeper.
5:22 am
-- billion cyber security proposal, which represents a 35% increase over the previous budget year. it is quite substantial. another thing i'd like to mention to anyone who will listen is that it is very serious. leadership is tracking this almost daily. what does that mean for people like me? a lot of gray hair. we are frequently brought in -- and asked about the progress of all of these initiatives. it is something we take seriously. the last point i want to make from a strategic framing standpoint is one of the other components is the president
5:23 am
-- us on how to look into improving cyber security practices. we expect those recommendations to come late this fall. also on the framing is what we found out in the lead up and in the middle of the sprint and our effort. there were three systemic issues that we face in federal i.t., specifically federal cyber security. the first is the abundance of legacy i.t. it is frankly difficult to use, expensive to maintain, and difficult to secure. the second is the fragmented governance or management of i.t. there are 24 agencies, over 125 -- each one of
5:24 am
those agencies are making their own independent risk decisions. at the headquarters level. at the bureau level, they are making their own independent risk decisions. no one has an enterprisewide view in mind. even the folks that sit at the center of government do not have the authority to say no, you cannot make that risk decision. that is a big problem we need to think about as a community as we move into the next administration. the last is workforce challenges that we have across i.t. the statistic here is that in the federal government, we have a shortage of about 10,000 people to do the cyber security work that we have. and across the country, the statistic is 1 billion and worldwide, over 2 million. if you are in the job market,
5:25 am
now is the time, apparently. let us take a million -- let us take a moment to reflect. let us recognize a recent win we had in the white house. a policy win, in the form of --. who in the crowd knows about this? a pretty good number. it is the foundational policy document in the government for how we manage information resources. the reason this is significant is it addresses all of those issues: fragmented governance, as well as workforce issues. this policy, given how central it is to how the government --, it was not or has not been updated since
5:26 am
2000. that is particularly troubling when you see what the old version told agencies to do versus what the new version tells agencies to do. the three key elements you will see -- the document is long but worth the read. the first is real-time knowledge of your environment, as opposed to at a single point in time. the idea is to have continuous awareness. proactive risk management and shared responsibility. -- on the operators and security operation centers, but it is up to all of us including deputy secretaries and secretaries to get the job done. in the document -- we have some folks in the vendor community here -- you will see sections in the security
5:27 am
appendix about supply chain threats and protecting against them, ensuring all agency personnel are accountable for strong cyber security practices. let us talk about old versus new. a quote from the old version -- it says the use of the system shall be reauthorized every three years. the very next sentence says -- you will create a three ring binder. [laughter] this costs millions or billions of tax dollars and adds debatable value at best. good news. this is the update. -- on a time- or event-driven tolerance. this is the move that industry
5:28 am
has done many years ago. the government was late to catch up. getting this published was more of a battle than it should have been. we can say goodbye to the three ring binders and to the cottage industry that we had created. very good news on that front. another sample for you. the old version -- agencies should assure that each system appropriately uses effective security, the proper use of passwords. think about that. my colleague michael daniel says he wants to kill the password. how will you do that when your foundational policy document says something like that? good news. strong verification as opposed to the use of the passwords.
5:29 am
to ensure that identity is protected and only the right folks are accessing the information they should be accessing. positive development there. i would encourage you again to go into more detail on this. we had a cake in the office and we ate it. it was a great celebration. do not go another 16 years before the next update. we should probably update this every four or five years. let us dive more deeply. i mentioned legacy i.t. there is a lot of data out there but here are some highlights. on the legacy i.t. problem, we did some math. based upon the i.t. data that we have, we found civilian agencies were spending 71% of --
5:30 am
we found over five years i.t. investments that were over 90% in the state, growing at an annual rate of 6%, while investments that received a one-time infusion of developmental dollars declined in cost at 5%. so, what we are proposing here is a $3.1 billion fund to help address the systemic issue. we need help from the other branch of government to make this a reality. what we estimate is the $3.1 billion one-time seed funding would help address at least $12 billion in modernization over 10 years, but i'm told that was calculated with some very fancy cash flow analysis. again i want to reiterate, if we don't get action from the other
5:31 am
branch of government, this may never be a reality. i will say we have received a great deal of bipartisan support for this particular initiative and we are encouraged, but we got to keep up the momentum. if there's anything folks in this audience can do to be advocates as well, we will greatly appreciate it. moving on away from legacy i.t., i mentioned the fragmented governance of i.t. what does that mean? in one context, what it means is, as a government, we have not thought about our crown jewels as an enterprise. what does the adversary really want? why do they want it? that kicked off an effort called the high-value asset effort. really, all this is is the assets that potential adversaries, or known adversaries, are -- are very interested in.
5:32 am
let's see why that would be so damaging if lost to a nationstate or an activist group. federal or national critical infrastructure data, travel data. think about how much data is out there in terms of who flies, where they fly, who should not be flying. things of that nature. as we know from opm, this bulk collection -- background investigations are simply one of them. thinking of the dangerous consequences of somebody getting hold of that information is pretty startling. and of course sensitive economic data could have catastrophic consequences on our economy if it were to be lost. the thing that is important to note for this group is that this is not a one-time effort. this is not the federal government saying we have 20 high-value assets across federal
5:33 am
government. check, done. that is not what we are talking about. this is a continuous, potentially never ending, risk managing and governing process for how to manage our crown jewels as an enterprise. that is what this is. the process is underway for identification, but also the independent verification of security for these assets and the real-time remediation of the security around these assets. this process of identifying the high-value assets, prioritizing them, independently verifying the security, and remediating them will likely never end. not anytime soon. there was a connection to the previous slide because what we will find in a lot of these cases is that the way to secure these assets and systems is to modernize them. very good. very good. that is a theme you will see probably for the next couple of years from the white house on
5:34 am
this front. so, you can't modernize legacy i.t. you can't actually identify and secure your high-value assets without what? people. people. again, let's go back to that 10,000 person gap. it is pretty startling. the good news is a couple of things. one, for the first time ever, we have a workforce strategy across the federal government. we released it just a couple of weeks ago. in that, we are targeting four areas. the first is identifying the need. that sounds basic, but it is actually much more difficult to do across 125 plus agencies, but until you actually know the full universe of your need, you can actually -- can't actually do anything about it. expanding the cyber security workforce through education and
5:35 am
training is a big component. recruiting the nation's best for federal service. retaining the folks we have to develop them into skilled professionals. so what i would like to tell folks is that there is some good news on the horizon. in the first half of this fiscal year, we have hired 3000 professionals against that 10,000 number, and we will maintain that pace to the end of the fiscal year. as folks know, as we hire, folks are retiring or leaving for the private sector. i would say that we actually have to accelerate that pace substantially to actually get ahead of this systemic issue. what we are trying to do with the strategy and effort in federal government is to rethink the way we do recruitment and retention. instead of a prospective cyber security professional going to 125 different websites to learn about not just opportunities at
5:36 am
agencies, but to also learn about training, career paths in the federal government, what we want to do is create a one-stop shop in partnership with opm so those candidates can actually see everything, the universe of what their careers could look like, at the click of a mouse. you can't do that today, and that is what we are driving towards. another thing we need to reimagine is how we recruit as an enterprise. some of the folks in this room may have heard me talk about the fact that we have this great program, the scholarship for service program, sponsored by the national science foundation and other federal partners. if you go there today, that is where you get all the young cyber security talent. what you will notice is that across the room are not every single federal agency, but a dozen or so federal agencies competing against one another for talent. if you think about it from an enterprise standpoint, it does
5:37 am
not make a whole lot of sense. what we are doing is reimagining how we will recruit those folks. what i mean by that is instead of having 12 agencies compete against each other, they could get on a call before the career fair and say this is the need we have at department x. we need a forensic analyst stat. the other agency would say we have a surplus of that but need a pen tester tomorrow, so they would be able to work together to fill the enterprise-wide need. thinking as a community is something we have not done in this space to the extent that we need to. i'm very encouraged. if you have not read the strategy, please read the intro and go to pages 13 to 18, a detailed list of initiatives at the tactical level that give you a better sense of what we are doing here.
5:38 am
it is frankly pretty exciting. i want to wrap here, the next slide, and then open up for questions on what the next couple of months will look like. unless you live under a rock, you know we have a presidential campaign going on. very exciting, very exciting. but what we have to do -- if you think about it, so much of the success we had over the last year has been because we had that deputy secretary level -- attention to the issue of cyber security. they realize if i don't pay attention, i could be on the hot seat. we have all seen the hearings; nobody wants to be in that position. our challenge really, as we move forward over the next couple of months, is prioritizing the work we are doing, codifying a lot of it. a fact sheet on the white house website will not suffice as far as having these initiatives survive into the next administration.
5:39 am
my team is hyper focused on this codification piece. implementation. we need some quick wins and results to communicate to the next team so they understand initiatives of the past administration are worthwhile and should be continued into the next one. in that last piece, communication, i would add another bullet, which is education: sitting down with that next round of deputy secretaries on day one or day two and giving them a detailed threat brief. this is what i would do, my playbook. giving them a threat brief of all the major actors out there, tying it specifically to the initiatives we pursue, then showing them where the gaps are, whether it be legal authorities or actual policy gaps, so that they can put their stamp on it for the future. i think that will be critical. if we can get these few steps right, i think we will be in a
5:40 am
good position. but frankly we will have to rely on highly skilled career staff to carry us through the transition. i see a lot of faces in this room of people who represent that highly skilled career staff, so we will be counting on you. i appreciate the time. thank you very much. i will pause here for any questions. go ahead. >> wait for the microphone, please. >> earlier you mentioned three particular areas you are looking to address in terms of challenges: legacy i.t., fragmented government, and workforce challenges. do you see one issue as most acute, or to put it another way, what is the biggest threat to cyber resilience in the government? mr. rudolph: that is a great question. i have a personal passion in the workforce area. not only am i somebody who comes in and gives talks to people,
5:41 am
fine people like yourselves, but i actually have hiring responsibility myself. i built this team inside the white house to focus on federal cyber security, and i have gone through the day-to-day challenges of getting the darn position description posted on usa jobs. it can be a little frustrating. there is a character limit; you can't put all the qualifications you want in the job description. please put it into something people can understand. thank you. [laughter] i appreciate that. if we can't get the fundamentals right, how are we going to think about modernizing our legacy apps? how are we going to think about legislative proposals that would help the fragmentation issues we have across the federal government? you need the people to do the work. i would say frankly that is the most important, in my assessment. sir? that is a true story.
5:42 am
>> mike nelson with cloudflare. when you take cyber security 101, you learn about confidentiality, integrity, availability. but when you read news reports and frankly most government reports, all the focus is on confidentiality because all the big incidents have been when data has been stolen. we have to worry about data being altered, and we certainly have to worry about ddos attacks that make websites unavailable. in the last 24 hours, the australian census bureau's website was brought to its knees by a ddos attack. do you have a concern that we will see more attacks like the australian attack? and do you worry that some of the data sets we are trying to protect could be hacked from the inside and just a few numbers altered, but enough to compromise the integrity of that data and cause citizens to lose
5:43 am
faith in that data? what are we going to do about the insider threat? mr. rudolph: it is a huge concern of ours. i like the way you frame the question. if you read the news media, it appears the emphasis is on the c, as opposed to the i and a. we are worried about all of it. in the opm cases we were concerned about all 3, and concerned about all 3 in terms of major incidents across all government. i think what you will see, and i did not include this in prepared remarks, but you will see a movement that you have seen in private industry from perimeter defense to data level protection. if you read a-130, you will see themes of how we need to move in that direction. they are starting to think through what that means from the tools and capabilities standpoint to make those capabilities available to agencies.
5:44 am
as we expand into later phases of cdm, we are addressing data level protection. you alluded to the insider threat, which is an ever present concern. it may be the most difficult threat to address, frankly, and one i don't think we have cracked, federal or nationwide, and we will have to dedicate a lot of time to that in the next administration as well. sir? >> good morning. thank you for coming in and talking with us. you mention something that i think resonates, but in this particular case, supply chain. as you look at industry and government, both sectors are under constant attack, but there seems to be a challenge between the need to know versus the need to share information so that you can actively remediate across
5:45 am
the spectrum. how do you see industry doing better with federal government and vice versa to do that -- need to know, need to share, keeping confidentiality of course, but sharing best practices to fix this together? mr. rudolph: that is a tremendous question. it is one where i would admit that we have not closed the gap in the way we need to over the last couple of years. you will see some guidance from omb that speaks to this issue. it has already been out for public comment. i can talk about it to a certain extent, but it is improving cyber security protections in federal acquisitions. we will talk about that partnership between industry and government in terms of what we can share and what we can't. i think the controlled unclassified information rule will help a lot. we didn't get it implemented. at the base level, i think it
5:46 am
comes down to trust and relationships between industry and government. having a pre-existing working relationship could help with that trust, but having the policy framework in place to actually facilitate that trust is the big missing piece of the puzzle. i hope we can fix it in the very near future. sir? >> you talked about the i.t. modernization fund. i wonder if you might comment on that versus the other legislation that is out, on move i.t., that was introduced a couple of weeks ago, and where maybe your viewpoint is on that, your perspective. what is more viable? congress is still in recess for a while, so we won't know about that. if i can steal a second question, which is that partnership you talked about with opm on the cyber workforce issue, what might that look like going forward?
5:47 am
i think that is interesting. any comment about the challenges of putting on a job description and hiring thousands more people? that will be tough. mr. rudolph: the first question, on move i.t., i can't speak on that one because we have not had an opportunity to fully review the particulars of the legislation, so it would be premature to comment at this point in time. my only comment is legacy i.t. is bad. i hope that is helpful. the second one is you mention a partnership with opm as far as addressing workforce challenges; it is actually a much broader partnership. so what we have done is stood up a bit of a steering committee or working group across all the cyber security workforce practitioners, across homeland security, opm, nsf, nsa, and
5:48 am
others to work collaboratively across the federal government to implement the strategy i referenced earlier, but also to actually share basic best practices. one example is, and this is also public information, dhs has developed this tool to generate common position descriptions for cyber security professionals. it is really, really powerful. a method or tool to use for federal agencies. just not everybody knows about it. actually sharing that across federal agencies and getting broader adoption is going to be key. we also have an opportunity with cyber security awareness coming up in october to work better across federal agencies. but that particular working group is meeting pretty regularly. i am due to get a briefing on that next week, so i am very encouraged. that type of cross-agency cooperation, and the folks at
5:49 am
commerce, i forgot to mention them with the work with the framework, but that type of cooperation is frankly what is needed to succeed in this area. i am very encouraged. do we have time for another question? one more question. ma'am? >> thank you. earlier you mentioned one of your primary goals was to secure top talent in order to work in the federal government. just from being at schools in the bay area, it seems like people are going into the apples of the world and not exactly looking at federal government. do you have any suggestions on how to improve this and attract top talent? mr. rudolph: yes. first answer is that all of the suggestions i would have are in the strategy. we spent a lot of time brainstorming on that over the
5:50 am
last year and i am pleased where the strategy is. on a more basic level, i would say that as a government, we need to stop thinking about hiring cyber professionals as just people who work in the security operations center or who have a programming background, because it is broader than that. we need acquisition professionals, lawyers, leaders who actually understand cyber security as well. this is not original, but it is great. we should think about hiring intellectual athletes, right? intellectual athletes, really good employees with intellectual curiosity who want to learn. train them up in the space and make a long-term investment in them. i think we will have some success in that area. i would also say finally that we are actually making some inroads in terms of how we compete for young talent against the private
5:51 am
sector and the silicon valley folks. the reason we are making some progress is because, i promise you this, no one really in the room has a better mission, a day-to-day mission, than the federal employees in this room. if you think about the assets we are protecting and who we are protecting them from, that's the kind of stuff that gets me off the couch, you know what i mean? that is the pitch to these young, mid-career and senior employees out in the private sector when you're trying to get them in to government. we've had a lot of success with the united states digital service group and other groups around the government. i think if we keep pushing the mission message, we will be successful. alright? thank you guys for the time. i appreciate it. [applause] constance: thank you so much for
5:52 am
that great presentation, trevor. up next we are excited to hear from the technical director of security solutions at adobe systems federal. he has more than 16 years of experience in information security. with adobe, he is responsible for managing the line of security solutions in enterprise rights management and digital signatures, as well as the security of adobe acrobat, reader, and document cloud. he is responsible for security solutions across the public sector. please help me and join me in welcoming stephen gottwald to the stage. >> there we go. thank you. can you hear me ok? even if i come over here, can you hear me ok? ok.
5:53 am
security is -- if gray hair is a badge of honor for security folks. i'm not going to talk about hacking. we're going to talk about defense. to do that -- let's take a little walk down security lane and see what you remember on our stroll down security lane. 1995, who remembers cap'n crunch? the other gray hairs in the room, excellent. john draper, not don draper from "mad men," pulled a whistle out of a box of cap'n crunch; it blows at a specific frequency and gives him long distance access to the phone network. awesome. pretty cool.
5:54 am
the first worm, self-replicating malware, occurred back then. fast-forward to 2000: back orifice. that is not a typo. hackers have a strange sense of humor. it is a remote access tool to turn on your system, microphone, camera, spy on you. how much fun can that be? "i love you." three little words, it looks like a text file. you click on it, it self replicates, you end up e-mailing your friends "i love you" and it goes on and on. it was a big disaster on our internet at the time. what kills me, and this is where education is key, is that only a few weeks later, do we remember anna kournikova? basically the same model, it
5:55 am
promised a picture of anna kournikova naked. as security professionals, we have to be good at saying, really? [laughter] so when somebody says yes, i will help that prince from nigeria -- he has to get his money over here somehow -- you can say, really? we have to get good at saying really? the bill gates decree, 2005, a really interesting time. he said, you know what? no more. we are focusing on security. stop everything else. that is pretty cool. i think that was a pretty cool time. paris hilton got hacked. celebrity hacking comes into play. 2010, we see nationstates rearing their heads more. operation aurora, stuxnet, things of this nature. i'm glossing over the acrobat adobe stuff. i promised i would take off my marketing hat today and put on
5:56 am
my industry evangelist hat. i lied, lying steve. that is what they call me. there is g-pack that happened in 2015. it was really popular this year in case you are black hat folks. the interesting one i want to talk about is something called the i-kettle hack. who has heard of that hack? look at that, a bright young student in the room. it is a kettle in england that you can put on your wireless network to remote control your kettle. awesome. you don't have to get off the couch. what's interesting about the ikettle hack -- i don't want to make fun of people who want to remotely control their kettle -- there is a hack where if you
5:57 am
scan it and send a command to it, you can get it to cough up the wireless lan password. that hurts. so now the hacker has access to your wireless lan. they can get on your wireless lan. what is the point of all this? attacks evolve, and mitigations evolve, and they are going to get on our networks, and we are going to try to keep them out, right? so we do. we started with firewalls to keep them out of the network. more recently we talked about assuming the breach, meaning they will get in our networks, so we have fallen back to the devices. we have personal firewalls now, for instance. i want to talk about the data layer, protecting the actual data, data-centric security solutions. i want to talk about three solutions today. the first one is drm, probably the worst name ever given to a
5:58 am
technology because it had a lot of bad baggage with it on the consumer side with music and such. digital rights management. i think there are 3 important points to get across as you look at drm solutions in the market today. the first thing to realize is it is operating at the data layer. you are encrypting the document, ok? so when you see that pdf sitting on your desktop that has been encrypted with something like drm, it is an encrypted block -- blob. you open it up, and it is scrambled eggs. there is the understanding. it is protected with a symmetric key, typically 256-bit, using something like aes. there is no attacking that file. there is no brute force attack on that file. they will try from other angles and we will talk about that in a minute. the first thing to get, wrap
5:59 am
your head around, is that the file stays encrypted no matter where it goes. cd-rom, put it in your e-mail. we don't care. it is a scrambled bag of bits. that means the client who wants to double-click on it has to figure out how to get a decryption key. typically the drm systems are tied to a server; clients authenticate themselves against the server to see if they can get the key or not. what you get by tethering a drm solution against a server like this is a dynamic capability out of your documents, which is very powerful. dynamic meaning i could view it today, but maybe i'm not allowed to view it tomorrow, and i can
6:00 am
change permissions in real time. so that is very powerful. also, because you are tethering back to the server, it is very much about continuous monitoring today. we see that in a lot of frameworks. not only should we be continuously monitoring our networks, but our documents. what is happening with those documents? who is opening them? when are they opening them? from what ip address are they opening them? those are the key factors in a drm solution i would say to look for. is it perfect? no, nothing is perfect. really? no, nothing is perfect. we have encrypted something with a strong encryption algorithm; a brute force attack will not happen in our lifetime, or until computers get great enough to go after them. what they will attack are things like authentication, passwords. if somebody is sharing a
6:01 am
password, that could be a problem, right? that is where smartcards are nice, with a pin or other multifactor. so what can we do? as those events come back, we can do some analytics on those document interaction events. what would be interesting to look for? you just opened a document in the washington, d.c. area, and a minute later open the same document or another document in eastern europe. that seems interesting. maybe we revoke access to that document until we figure out what is going on with your account.
6:02 am
someone has probably stolen your authentication credentials. someone tends to print 10 documents a week and all of a sudden, he prints 20-50 documents. that might be interesting. send an alert to security. check out what is going on. did my friend from the cloud disappear? i liked your question. i have been talking about confidentiality. high-value assets in your organization -- encrypt them at the data level so you can maintain control over them. if someone goes into the content management system and grabs a document which they have access to, that is fine, and then they
6:03 am
turn around and e-mail it to a friend, or they get hacked and they lose that document, it is gone. if it is encrypted, and you still have the encrypted document sitting in the content management system, that is fine. it looks like a pdf. take it out. they go to open it, they have to decrypt that document, and so they will have to authenticate. that is about keeping secrets. the next one -- i love that one. no one ever talks about it. digital signatures are one of the greatest things ever. we use them when we go to a website. how do you know you are going to your bank's website?
6:04 am
do you just trust that url? you see the lock and it is backed by certificates. you have checked the authentication of that. you get a little warning: this code is coming from an unknown source. what do you get from a digital signature? integrity and authentication. you can do this on documents as well. pdf -- if i get a document i can see who it came from, who signed it, and if anything has been altered on the way. who is using this today?
6:05 am
where is a good place for it? transcripts -- that is a nice thing to be able to say -- schools like stanford are starting to digitally sign them. that is pretty good. as an employer, i can see that the transcript came from stanford. if someone tried to alter it, i get a red x. the government publishing office -- they used to be the government printing office. they printed everything on paper but they have moved to electronic delivery.
6:06 am
they sign their documents. budgets, for instance, have an electronic signature. imagine a budget with a change to the values on it. the digital signature -- it is about integrity and authenticity of documents. confidentiality. we have had to fall back through the layers of security and we can put security mitigations on the data itself. we can encrypt it with drm, we analyze it with our analytics engines, and we can also protect it.
6:07 am
6:08 am
going to introduce them. we have marian bailey and cheryl. moderating today's event is our senior events and technology editor. i also want to take this opportunity to thank you all for attending today. with that, i am going to turn it over to frank. the floor is yours. frank: i will introduce our panelists quickly. you can talk about yourselves a little bit before we get started. cheryl, we will start with you.
6:09 am
cheryl: i am chief information security officer at cia. before that, i spent quite a bit of time at the dni. marian and i worked together rather closely. we have known each other for 15 years. it is a small community, although i think we are both trying to grow it. >> i am the third wheel. >> for sure. frank: marian, tell us about yourself. marian: i am with nsa. i have been there for 30 plus years. a group of young co-ops came in to the pentagon and asked
6:10 am
me -- how long have you been here at nsa? longer than any of you have been alive. i am on a joint duty assignment. i really look across the department of defense, which is a huge landscape, at the cyber security activities we are undertaking and how we make progress in this area. frank: trevor did a good job discussing what happened last summer. it was not the best summer for the federal government in cyber security. this panel will get into how we have been affected. we talked about what you just finished up doing.
6:11 am
you just finished sending letters to those affected. what has been the impact broadly since then? >> it was a monumental activity, not just the letters. one of the things we learned from it -- especially at the senior leadership level -- is there are systems and data that we do not pay enough attention to and we would not consider mission-critical data. huge impact. we finished mailing. until you go through something like this, you do not understand all that was involved in that type of breach.
6:12 am
we had a lot of help from the white house because they wanted the situation handled in a certain way. political help and lessons learned for all of us. out of that whole thing -- congress decided that the department of defense would run i.t. for the clearance process system in the future. we are working closely with opm and making sure the current system is secure enough. we are also making sure we develop a new system. frank: how is it for you guys? cheryl: at our agency, we were probably not impacted quite as heavily as most of the rest of the government with clearances
6:13 am
where information is regularly processed through opm. we do our own clearance. we also hire from outside. we did have people who were involved and did get letters because their previous employment may have been with dod. remember, a good chunk of the ic is dod and going through the same clearance process. frank: you would not have gotten a letter. >> i did not get a letter. >> i got a letter along with my husband and my children. a lot of people got letters and were upset. we still worry about it. we have to. one of the best things that came out of this -- there is always a silver lining.
6:14 am
we were not as aware of what was being processed in opm and what data was potentially accessible by internet connectivity until this happened. it is more extensive than many of us thought. we think we are on a path to improve protections around that level. what missions do we have that retain privacy data? it made us do a deep dive across all of our missions. frank: that concludes the
6:15 am
negative nancy portion of our panel. on the dod side, the cyber strategy that came out in april. let's go broadly on what dod is doing. then we will get to some specifics. marian: the secdef -- the secretary of defense -- pushed this out. after he released the cyber strategy, the department released a cyber implementation plan. we released a cyber security discipline implementation plan. a year ago, we made a concerted effort that we would focus on the basics.
6:16 am
there are a million things you can do in cyber security and we decided to do a back-to-basics campaign. we looked at intrusions from the last year and a half. 98% of them were due to something simple that someone knew they should have done but it was not implemented. we went back to a top 10 list. we have been marching down that path. do you want to ask me some questions? frank: when trevor was talking about accountability, i wanted you to address the scorecard. marian: all of these top 10 have gone out. people were not doing it because they have so many things to do.
6:17 am
they were not prioritized highly. what we decided to do was a scorecard. that prompted a tremendous amount of activity. nobody likes a bad grade. we are doing those every single friday. every service. 10 scorecards for each service. they sit there and explain why they have their numbers. pki. what percentage of users log in with a pki? what percentage is the air force? the navy? everyone should be 100%. windows is a huge operating environment we use. getting through the legacy stuff. we had something to track that.
6:18 am
all of those kinds of things. releasing that to the cio once a week, getting people's attention. i have watched a culture change. the secretary of defense also gets to see it once a month. he invites the services to have a chat about that. frank: are those chats positive? marian? marian: initially, when we first started this, at the senior level, they thought it was the commander who was worried about this. quickly, we realized they needed to care about this. we have seen tremendous improvements. the culture has been created.
6:19 am
accountability, and people caring at the senior level about cyber security. he is a very smart person. frank: how about from your cia perspective? what has changed since opm? cheryl: opm did not really cause major disruption or change at our agency. we have spent the last year trying to get the definitive list of what might have been compromised from opm that belonged to us, but as far as
6:20 am
what happened at opm -- did it change the focus or direction of how we protect our systems? absolutely not. we have been on that path for a long time. i don't know if i would say we are ahead of the game but we are aware of the issues. i should not say the bad word. it is not in my talking points. but we have been focused on insider threat and protecting the data for as long as i have been doing cyber security and that has been quite a while. frank: you guys had a big move to cloud -- that got a lot of headlines. what has changed within the agency because of that? is there a mutual
6:21 am
learning between the cloud provider and you guys? does it change the way you do business internally? cheryl: cloud has been a significant change for the entire ic and our agency in particular. we are the ones with the contract with amazon, so we are responsible for the security of what is provided to the entire ic as far as the hosting infrastructure. when amazon came in, we started off with what we thought was still a very short timeline for approving its operation. if you go back, historically, big acquisitions like that and big services like that, you could see years being spent on analysis of the system. in our case, when amazon really got everything in place and when
6:22 am
they thought it was ready for us to make sure it was secure enough, we ended up with two months. the ic worked closely with amazon. we were one of the first that they actually opened up the hood for and let us see some of their inner workings, under specific disclosure agreements. i cannot give you any details. it was a really good learning experience. we understand all of what amazon does to protect your information commercially and our information internally. we also found a few things and gave them feedback on changes we would like them to make for us. the good news is that they took
6:23 am
a lot of that to heart. they implemented a lot of the changes they made for the intelligence community commercially and you are benefiting from that when you use aws hosting. the other thing that has changed significantly as a result of this, including cloud -- i get this all of the time -- all of my data is out there. i still cannot meet that two-hour timeframe but we are under extreme pressure to enable mission and spin things up that much more quickly. you talked earlier about the need to share and protect. we are focused on both. trying to move at the speed of mission but make sure that the
6:24 am
mission information is adequately protected. it has been a great experience. i will say one more thing about amazon. people love that elastic compute. you think about it for analysis and getting results quickly. from a cyber perspective, it is great. think about it -- in the past, when we would tell people to audit, systems would shut down because they filled up with audit information and then the cyber people would get yelled at. or we tell you to encrypt the data. users get too upset to use it because it takes too long. now, go to elastic compute. when the system fills up, you spin up another. there is no longer any of that from the system filling
6:25 am
up and being unable to do the work. or where we tell you to encrypt and you tell us that it is adding overhead. it does not anymore. cloud has been a godsend for folks trying to implement systems quickly and for us to secure the workload better. we are very happy with it. our agency and many of the other ic components are busily working to move their workloads into the cloud and off of legacy, into the new. frank: is there a lot of collaboration among the agencies? cheryl: every time we provide a new ic-wide service, we have the 17 components look at it. they can participate in the testing.
6:26 am
they are given the body of evidence and the ability to adopt the existing infrastructure. when they go to secure it, they only need to focus on the delta of what they are implementing, on top of what has already been approved. in the ic, absolutely. we have been working closely on this as well as the cloud. frank: for the dod, you are in the jrss phase. ramifications dod-wide? marian: on operations also. for people that do not know the dod
6:27 am
think we are wonderfully homogeneous. we do have a very good command structure. it is really a very loosely federated infrastructure of everything. i think general alexander came in and said -- i cannot see across my networks. we were looking at doing some type of common information environment and common infrastructure. that is kind of what jie is. a common set of security at midpoint locations around the infrastructure. the army, the navy, and the air force -- they can consistently
6:28 am
implement security. it can also give us the ability to share among all of them. it goes a long way to helping us have a more homogeneous environment, and to share pertinent information. it is probably important for cyber defense also. frank: maybe you can talk about what has changed. this might apply to you, cheryl, in terms of what you have seen the last few years. how has the threat changed? >> we are constantly looking at the threats. what is it? are there the right protections? where do we need to focus? i do see it changing. initially, we did perimeter protection. you are protected in the
6:29 am
department of defense -- we have internet access points. a lot of heavy protection around those points. today, if i am moving to a mobile environment, things do not necessarily come through that. our endpoints are where we want to focus. that is where the biggest threat is. we have 1.7 million end-users. that is a lot. we do not have that many people. i have three computers on my desk, and a laptop from home, as well as a blackberry. all of those things are entrances into the department. we need a way to protect all of us. we constantly look at that threat. we're spending this money on this perimeter device. how long -- how far does it get
6:30 am
us? what is the best way to attack them? we are starting to move towards the journey. frank: trevor made a comment about insider threats being the most difficult to guard against. is that the case for you guys as well? >> none of them are necessarily easy. insider threats are difficult because the person has a valid identity in your infrastructure. we have seen how much one individual can do. there are some cool things out there. we are looking at the things that we can implement better.
6:31 am
all of a sudden, he does something different than that, and you have to question that. he was saying that in two years, he can see something be done. we are looking into that. the cac card. it is the id to get into the pentagon. it is a physical id. using it as an authentication mechanism. we are looking at better things we can use. frank: cheryl, talk about how that is changing for you guys.
6:32 am
cheryl: we are kind of in the stone age regarding mobile technology. not to be a jerk. it is cool to be able to have my cellphone in my purse. we do not allow personal devices in or out because they are attack vectors. we seldom allow, without a waiver, mobile devices that are provided by the government in and out. we get a blackberry -- we don't use those anymore, either way. you get a smartphone from the government which we have locked down; you are supposed to use it away from work. your home phone is on your desk, and i still carry a pager -- frank: how very 1990 of you.
6:33 am
cheryl: we do have a strategy to move ahead. we partner closely with nsa in particular on what is the best way to secure mobile devices. one of the things we want to focus on the most, which we spoke about: how can you do your work if you cannot carry your tablet or device? i still do not know how to write with pen and paper anymore. we are focused closely on how to provide secure mobile computing to our workforce, at least inside the facility. how do we secure wireless inside our facility? we know you cannot walk into a best buy anymore and purchase a laptop -- a desktop computer.
6:34 am
i have to admit, i do like my big monitors on my desk. i have two. i can read the work across the monitors. we are looking into when you dock to a -- frank: not a lot of pokemon go players at the cia hq. i am going to say something not in my script. cheryl: there is another government agency i know of that has spent a lot of time going around their compound eliminating pokemon go points.
6:35 am
frank: that is awesome. how much time do we have for questions? i wanted to ask about cross-government collaboration and collaboration with the cyber industry as well. let us talk about that. where are those points where you are wanting interaction? marian: in the department of defense, the secretary is huge on collaboration. he has brought industry people into key positions in the government to bring a more innovative flavor to the department of defense. we have digital services, which is actually looking at
6:36 am
some of the key things that we do and how they can bring industry practices and products in. i will tell you that i went through a cultural revolution myself. it was pretty interesting. frank: not just kids coming in. marian: white hat hackers. but it was very focused. it is not just wild and wonderful, everyone coming in to hack whatever they want. specific websites. they were watching to make sure that the hackers did not go beyond where they were allowed to go. they had very stringent rules.
6:37 am
it is run very methodically. if they identified something, they had to give the government 30 days to fix it. i think it was extremely successful. we are looking at other areas to do the same thing. i don't want people thinking we are wild. it is very specific and prescriptive. frank: we did a panel and he came in in a hoodie. marian: we spent a tremendous amount of time with industry also.
6:38 am
we do trips up to new york. not just a couple of us. a whole entourage. it can be 40 or more. frank: party bus style? marian: yes. it is interesting who they go to to bring innovation into their city -- that is the process we are trying to bring in, and then to pick something fairly quickly. you talked earlier about mr. our sin.
6:39 am
he is pushing us to be innovative. bring new ideas. he looks at what industry can do and says -- doug will do it. it is exciting to work in an environment -- people think it is a policy organization. it is nothing like that. crazy and wild. frank: sounds like a pretty good party bus. i lost my train of thought. same thing on the ic side. do you guys have party buses? cheryl: i don't know if i would call us a party bus but we do
6:40 am
partner closely with industry. we have labs where we bring industry in to help us resolve and determine what is out there that they have and we need. test it quickly. bring it in for a quick review. the cloud helps us a lot with that. we have the opportunity to spin up an instance and try it out quickly. then we can use it further. we have been working closely with them. we do not have a clone of what is out there commercially in the ic, but we have been able to look at the commercial products that we think people want and various
6:41 am
agencies will say -- i think i would like to try that. here is the company. we were thinking about a contract with that company. at that point, whichever agency determines they want to use it, they will have to do that security assessment. the cool thing is that they can share that assessment with the rest of us so we don't have to reinvent the wheel. a lot of partnership within the industry. a lot of requirements in groups like in-q-tel. they help us solve difficult problems. frank: what struck me first is that the informational timeline
6:42 am
-- months to go through the vetting process, it seems like it would make sense. cheryl: we will keep you posted. it is a big bus. marian: the other thing i want to mention, as far as industry collaboration -- we are looking at how we can do a better job with certification, bringing this technology in more quickly. we have been talking to a lot of our industry partners. we are at a point where we are looking at almost a maturity --
6:43 am
for cloud, we look at what they do. there is an auditing before it comes into government. we go through our standard testing. it is taking about 18 months before we implement something. way too long. we are kind of doing the same thing three times. it is not necessarily certifying the process -- the other thing we are looking at, talking to the industry, is -- each one has a different requirement. we are looking at how we can -- how the energy sector has
6:44 am
certified this. that makes sense. frank: on that, i want to open it to audience questions. is there a microphone? any questions? >> mike nelson. i want to ask a variation of the same question i asked trevor earlier. confidentiality, integrity, availability. have any of you had problems with attacks closing down your website? is this a growing problem or is it under control? we always hear about attacks to get the data but not about hacks that close down websites.
6:45 am
cheryl: we experienced attempts to take down a website a few years ago. once a month and every other day. not to name any particular vendor product, but we have worked through the issues with our provider. first off, we monitor it very closely. we have the mechanism to move our website into a more protected enclave every time we see this coming. we have also taken some of the best practices of having the
6:46 am
-- the home website you do not touch. since we have made those changes, i cannot think of a time when we actually experienced a true -- we are looking and watching for that kind of stuff all of the time. it has been a long time since there was something we really worried about. frank: any other questions? >> my name is how we lent. electromagnetic pulses -- which can have a direct impact on our nation's i.t. structure. do either of you play in that world?
6:47 am
frank: you did not sign up for this, cheryl. cheryl: i have to go through a publication review process to get permission for what i'm allowed to say publicly. emp itself, not really. other than what we look at in terms of contingency planning, and making sure that not all of the eggs are in one data center. if something like that happens, we try very hard to make sure that unless you are going to do it worldwide, we are not going to lose everything. marian: we look at what we see the risk or likelihood is and
6:48 am
take appropriate actions. frank: that has come to light a lot more lately. not just emp attacks but also solar flares. i don't think there is any simple solution. marian: everyone has redundancy. across the entire government, we have identified our critical infrastructure. that is what we are looking at. frank: a question back there. >> i would like to say i appreciate everything you do. i am impressed that the two of you have a position that has given continuity to the development of the security of the agency you represent.
6:49 am
the first issue you presented on, regarding the letter. i am one that received the letter. more than one. i think it was mailed several times, which i thought was a little confusing. i did not know if there were multiple breaches. my question is -- why have those federal employees been given protection for just two years or maybe three, and how can that information be protected 20 years from now, whoever has it? how can we figure out that they have timed the use of this for later? >> that is an interesting statement.
6:50 am
there are conversations happening all of the time wondering if it should be for life, what is the appropriate timeline. that is a whole new area. privacy protection. how long should you be protected for? it is interesting. my information was taken. i feel like i cannot even walk without getting a text on my phone that i am walking. my daughter is going to college tomorrow in florida. i was there doing prep stuff and we went into walgreens. before i got to sign, i got a text saying -- you are using the walgreens in florida. i do not think we know what the whole fallout is going to be in
6:51 am
the future. >> question. we talked about the move to cloud and what industry is doing with security as a service. i know there are some challenges in that. is that something you are using? marian: we have invested quite a bit of time in identifying what are the three best tools and solutions to secure data in the cloud. the other nugget there is knowing your data. not all data is equal. we do not put the same --
6:52 am
every time we have a new capability or a system moving into the cloud -- we are not focused on i.t. but on data, and who needs the data, and how well we need to protect the data. we spend a lot of time making sure that the right secure solution is implemented in place around the data so it doesn't go where it doesn't belong. i have a blue team. white hat hackers. the thing about the blue team is they work directly with system administrators. they are learning better techniques about what can be done against their system. at the same time, we are testing them. we also work with people that are monitoring networks.
6:53 am
when the blue team is testing, they immediately reach out to the folks doing the monitoring. they say, see exactly what they did, including a screenshot. frank: cheryl? cheryl: we have put out the rfp and it has been in operation for two years with a new focus on how do we get more sensitive data properly protected. it gets back to the question of what are the techniques and tools and security solutions we will add as we try to put more sensitive data out there.
6:54 am
frank: dod has been more cautious about cloud usage. marian: we are moving. we have our own cloud. we are looking at different periods for different applications. we are that big. we are looking at different variants. all of the things that cheryl said apply for us as well. all data is not equal. frank: last question up here. >> my question is directed to you, marian. the government-issued clause. by 2017, industry will have to be compliant. number one, from your vantage point, what are you seeing in
6:55 am
terms of industry challenges or challenges with meeting that? based on where dod is going, do we think we will be able to bridge the gap with requirements? marian: i probably will disagree with you a little bit. i am a proponent of that clause because i spent 35 years at nsa and i saw how our adversary got in. you can look at airplanes that were developed in other countries and you can see that they look a lot like our airplanes. the game has changed a little. the whole economic advantage activity. i think we need to be really cautious.
6:56 am
the kind of achilles heel for us is our industry networks. the defense industrial base. we are working with all of those partners closely. i started this conversation with a back-to-basics talk. yesterday, i spoke about the statistics we got from six out where industry was required to report to us. there were a lot of things that were great. the two things they were struggling with the most were multi-factor authentication.
6:57 am
we don't necessarily look at that as industry having a problem. we are looking at it as -- what are the products they are using and why aren't the vendors of those products providing better capabilities? we were challenged to figure out how to solve the problem for them. i don't see us relaxing that. it is an achilles heel for us. in any major weapon system being developed, there are multiple resources. frank: i think that wraps it up. i want to thank our panelists. have a good rest of your day. if you ever need press on your bus for the west coast -- take
6:58 am
it for that one. i am sure. [applause] >> next, live, your calls and comments on washington journal. then newsmakers with former new mexico governor gary johnson. former presidents bill clinton and jimmy carter discuss politics, the supreme court, and battling isis. tonight, on q and a, a documentary film instructor talks about his students' award-winning documentaries, some
6:59 am
of which have been grand prize winners in our studentcam contest. >> i am not the kind of teacher who looks at something that is not very good and says -- that is nice. i will say -- what is not working? eventually, every single one of my kids makes a better piece than their first day. eventually, the kids that did really well internalize all of this so i no longer have to say things to them. their brain does. at 8:00 p.m. eastern on c-span's q&a. >> this morning, a roundtable discussion on the 2016 campaign with a republican pollster and strategist and a democratic strategist. they will also discuss the accuracy of nationwide polling and how the tone is affecting public opinion.
7:00 am
later, the latest on the relations between the u.s. and iran. as always, we will take your calls and you can join the conversation on facebook and twitter. washington journal is next. >> don't believe the garbage you read. let me tell you something. donald trump, the republican party, all of you, we're going to put him in the white house and save this country together. host: the chairman of the r.n.c., reince priebus, at a campaign stop friday afternoon in erie, pennsylvania. his surprise appearance comes amid a number of stories that some in the g.o.p. are calling on the party to cut its ties with donald trump, a campaign that continues to falter in the polls. according to the latest -- good sunday morning, it is august 14.