The State of Cybersecurity Conference, Georgetown University 9/20/18

Posted November 9, 2019

(bell ringing) – Okay we’re ready to go. So we have now a fireside chat on the new DHS National Cyber Security Risk Management Center and I’d like to introduce
Norma Krayem who is going to do the fireside chatting. – Thank you. Well Bob is a little
disappointed already that there is no fire but I am very happy to
be here with Bob today and really thank you to
Georgetown and Comcast and Freddie Mac and the chamber
for a wonderful conference. And Bob, I think almost
everyone knows Bob, Bob Kolasky is the director of the new DHS National Risk Management
Center which was announced what two months ago. – End of July, 45 days ago – End of July. 45 days ago that would be six hours, 32 minutes and five seconds and Bob has worked at the
Department of Homeland Security for quite some time, we have
worked together on many issues, and he really is a leader
on critical infrastructure and cyber security issues, and really is a wonderful leader
for this new organization. Now everyone was waiting with
bated breath to hear about the new National Risk Management Center, what it is, what does it
do, what does it mean, and we are gonna spend some time on that. But just I think 12 minutes
ago, luckily for Bob, the White House has released its brand new cyber security strategy and
there are so many pieces of that that we’re very excited
to talk about today and certainly the
center’s a piece of that. So Bob why don’t you tell
us a little bit about that and we’ll go from there. – Yes so as Norma said around
4:00 the administration released the national
cyber security strategy. It is the first update of a
full national cyber security strategy since 2003 and
it is the overarching strategic document that
will guide executive branch cyber security activities. You know I think
crucially a couple things, it builds off the national
security strategy and uses the same structure so
very much in the theme of you’ll hear from me, cyber security is a
national security issue. Cyber means cyber offense and
defense as national security component pieces. There are a number of pillars
that are consistent with the national security strategy within the cyber security strategy, you
know there are things that are directly relevant where DHS
really plays a leadership role and things like protecting
federal networks and taking new actions to
modernize federal IT to get to networks that are easier to protect, that’s something that MPPD and
DHS are in a leadership role protecting critical infrastructure, working with infrastructure
owners and operators, building out increased
risk management capability through public private partnerships. Thinking about critical elements
of that you’re gonna hear a lot of what I reference
at the work we’re doing at the National Risk Management
Center and those themes are in the national
cyber security strategies so it’s always helpful to have high level strategic documents then
drive down to programmatic implementation which
we’re doing with an MPPD and then there are other elements of the cyber security strategy
that are things that I think as a community we’ve all
recognized as important for a long time that
cyber is a combination of offense and defense, that
there’s a need to not just let adversaries, adversary
nation states go unabated in their activities and we
gotta figure out whatever we can do and be aggressive
changing the context by which they are operating, conducting their cyber operations. There are elements of that,
elements of deterrence, elements of sanctioning,
elements of offense, offensive activities or
the willingness to take offensive activities that are
incumbent in this strategy. And so you know what I
think that’s important. You know that other thing
that’s clear as we release this cyber strategy has
become increasingly clear over the last several years as
we got near peer adversaries from nation states, China,
Russia, North Korea, Iran, you know we can argue how
close to near peer they are, but we got nation states that
have pretty sophisticated capabilities and we need the whole, the whole unified effort of
the public and private sector, the national security apparatus,
the elements of government to go after those threats
and you know I think the cyber security strategy
will help organize our activity. – I mean is obviously is
a big deal that it’s the first strategy that has
come out in 15 years that is looking at a whole
of government approach when we look at what
offensive and defensive means for critical infrastructure
and in that time as you’ve worked at DHS and people in
the audience have been working to both I think talk to
their C suite about what cyber risk means, why systemic
risk is something that needs to be managed by the whole
of the organization and the business is really important. We are seeing and all
the companies in the room have been working very hard
to manage their cyber risk but we have talked about
that line if you will between what is expected of companies
to manage their risk in the above the line. And it sounds like this
strategy is designed as well as this center to talk about what
will the whole of government resources and the new Risk
Management center do to help companies work on some of that. So maybe talk a little bit
between the new strategy in the center and what are
you looking for in some of your new projects. – Sure so you know I think that’s
a good way to think about cyber risk as a whole in
our strategic approach I hope it sort of gets that the
below line stuff that all, you know to keep going with
that analogy that’s the responsibility of an organization. We need to build capacity
so that there’s less below the line stuff you know capacity. And certainly DHS, the federal
government’s there to help support capacity building efforts. And so we wanna continue to elevate, do what we can to elevate
the tools, the companies, let’s just run with companies, that companies need to
manage cyber security risk. But to your point,
companies are taking those increasingly seriously, there
are more tools out there, there’s more than this framework
has helped in a lot of ways to really go out increasing
the overall level of baseline capability of cyber security
in a lot of different places. Yeah the National Risk
Management Center fundamentally does sit at the sort of you
know go with the pyramid of this sort of place
where perhaps there’s not incentives to go further
or the risks that belongs to a company is owned
actually by somebody else or there are other elements
to the risk so there’s a cross sector element, there’s
a cross organizational element there’s shared things that
perhaps you know can’t be controlled by companies making
their own risk management decisions or the companies
don’t have the incentive to make the investments
or it’s impossible to sort of do company by company investment. And there are a lot of
different elements of which the government should have
strategies to intercede to you know what I call
shared risk right now. So the center, a lot of our
activities will be looking for those areas of shared
risk and inspiring, catalyzing, planning activity
around the public and private sector, the whole
interagency to go after some of that shared risk. – So in the vein you
talked, you have talked, the secretary, the vice
president associate of the New York summit about the
tri sector cross sector risk. That’s really one area that
I think people would like to hear about and the
second is really about supply chain risk. And we could probably talk
about either for hours, but you know take both briefly
and talk about what you’re doing there and what you may
see the outcomes could be. – So one of the pieces of
feedback we got that led us to establish the National
Risk Management Center and as we established the
National Risk Management Center was the need to have focused
efforts on where there were again sort of I’ll keep going
with pockets of shared risk that are worth putting
concerted focused efforts. And two of our early priorities based on, that are consistent with
what you just asked are working with the tri sector and working with the particularly with the
comms and IT sector and ICT supply chain so I’ll take
both of those in that order. The tri sector that you
referred to Norma is communications, electricity,
banking and finance. And over the last several
years senior folks representing big companies in those sectors
have tried to push us to convene mechanism for those
three sectors to work together because of the idea that they’re
shared risk, electricity, electricity depends on communications, finance communications depends
on electricity finance, you know that sort of thing
and that there’s a need to help each other to have confidence. All three of those industries
wanna have confidence that the other parts of
the industry are taking this seriously and then
they wanna see areas where what they can do can help reinforce resilience across those three sectors. So they were driving
and they’ve been driving through a number of calls
to create a tri sector body, we are on the cusp of
chartering it and it will be, it will have representatives, it will be charted and chaired
by the Department of Energy, the Department of Homeland Security, the Department of Treasury
as well as the leadership of the three sector coordinating councils. And then we’re gonna work issues together, in some ways it’s a simple as that. The first three priorities
that we’ve come together around are doing a better job of
feeding sector understanding into intelligence collection requirements and getting intelligence
collection and setting up processes so that intelligence, what we know about threats can get in the hands of those that big
companies in those three sectors, representatives of those
sectors to take action to mitigate risk. Secondly is cross sector
playbooks where there’s actually sort of doing the planning of
okay if this scenario happens how is it going to play out? How is what I’m gonna do
impact what you’re gonna do and work through that sort
of stuff and let’s put it in the plan, let’s
exercise across the sectors. And you know the third
area is really identifying what are the most
critical functional pieces within how the electricity
sector operates, how the grid operates, how
communications is delivered where everyone knows each other
sort of critical nodes and they can prioritize
their resilience activities around that. So that’s what we’re
trying to do with that. It’s an advancement in the
critical infrastructure partnership structure that
we’ve set up because it’s really starting to get focused on
some concentrated areas, risks that transcend sectors
and working it through that way so that’s that. In terms of the ICT
supply chain task force at a basic level and I don’t
wanna go sort of too monologue, this is supposed to be a discussion. At a basic level what we’re
trying to do is bring the IT comms companies together
with the government, define elements of supply
chain risk in terms of hardware software shared services and start to break down where
the component pieces exist, how to get more trust into the system, you know to make sure we’re
not introducing things through foreign ownership adversaries,
you know certain kinds of foreign ownership, adversaries
or small businesses or unknowns into a supply chain
and as we learn from each other through that how then we
get that word out to help help people be better buyers. You know within the
federal government we wanna we feel like we have a
long way to go in our own supply chain to be better
purchasers of software and hardware but how can we translate that into the critical infrastructure
committee as well. – Okay so in the case of the
tri sector model that seems like a very specific and
focused example where the you know the sectors have
been working together anyways and you’re helping to convene, but if, for other sectors who are in the room, what does it really mean
to come to the center? And what types of
resources and things do you plan to offer? Because I do think there are
a lot of people in the room who have worked collaboratively
with DHS over time and they’re trying to distinguish
what the center will do versus what maybe other pieces. And I think whether
it’s other pieces at DHS or other pieces in other agencies so talk about that. – Yeah so I will correct one
thing from that introduction from the gentleman at
the podium who called it Cyber Security Risk Management Center, it is not a cyber security
risk management center, it is a risk management center. I’m here, we’re at the
cyber security session, we talked at the cyber
securities summit, but it’s, the reason that distinction
matters is we really wanna focus on things that
present strategic risks to the national critical infrastructure, and I don’t mean to correct
you that it was your fault, I just wanna make this clear that cyber is a lot of the means
that that’s gonna happen, the ways that strategic effect
of critical infrastructure can be caused but cyber’s
not the only means and… – So you’re getting that
cyber and physical together. – Yeah and we’ve been very…
– Any risk? – We’ve been very active
on you know the preparation in front of Hurricane Florence
in seeing if there was anything that might’ve happened
because of that hurricane that’s now a tropical
depression that could cause real significant critical
infrastructure impacts. And so going to services that we offer in kind of how to think of us as a center, I like to say we’re a
planning and analysis center, we’re not an operation center you know, most of you have been in the
room of a place like the NCCIC or other things where
you see pizza and TVs and liaison officers. – You see people working very hard first, and the pizzas are only
there because we’ve made them work for 24 hours. – Yes. But that’s not the image
you should have with the National Risk Management Center. That is a place where we
do planning and an analysis that we hope to have the
ability to regulate projects, bring people in more regularly
and we have from outside, bring the inter agency
together to do workshops, to put things together,
but it’s not a 24 7 center around that. So it’s a planning and
analysis center, service, things we do, we are one
of the leaders in the federal government if not
the leader in modeling critical infrastructure impacts
of an incident happening whether it’s a hurricane
bearing down on North Carolina or whether it’s a cyber attack that could take out operations of these
critical infrastructures, you know things we saw last year. What would be the cascading
impacts of that kind et cetera? We think that kind of modeling
is useful in the middle of an incident but that
model is also useful for planning purposes and so
that’s something that certainly we wanna do. Helping prioritize critical
infrastructure for a lot of different risk management
decisions is something that we do within the National
Risk Management Center and we’ll work with industry and inter agency partners to do. And then really I hope putting
together planning teams to go after kinda the biggest, go after a big set of challenges
of areas where we think as a country maybe we’re taking
on a little too much risk. – So there’s definitely
a lot of opportunity in again cross sector we’re
seeing, but they’re all, there’s certainly a lot of
sectors right now in the economy that maybe they’re used to being, managing privacy issues or
maybe they were traditionally regulated for safety and some security. We do have a lot of sectors
where that cyber physical broader risk management
structure really needs some help. And when you think about the
sector specific agencies, we’re trying to see, we’ve
talked about transportation, we’ve talked about health, you know there are a lot of
different sectors that are trying to figure out how to
manage and aggregate risk. And so I know you want companies
or entities to come to you with ideas, are you working
with some of the other agencies to look at whether these
sectors or others and then, well answer that and then
I wanna talk a little bit about international issues as well. – Sure so you know all this depends on working together, sharing information, actually
getting to the point where you’re talking about where
at risk lies vulnerabilities, concentrations of things, does require, requires at a minimum
trust in authorities. And so on the authorities side you know the critical infrastructure
partnership advisory council authorities have gotten
us to place where we’ve set pretty robust structures,
coordinating councils, public private partnerships,
the SSAs rely heavily on that to get most of the significant
critical infrastructures owners in any one sector to the table. So that allows us to
have a shared discussion on vulnerabilities and risks
and potential solutions without worrying about
competitive information or you know competitive issues
or without worrying about you know getting the details
of what’s in those discussions and then we rely on sort of the protected critical infrastructure
information authorities so that people can actually submit,
businesses can submit information about their
own vulnerabilities without worrying about that being
FOIAble or subject to sunshine laws or that just by
acknowledging a vulnerability that you’re somehow liable
because you’ve acknowledged a vulnerability and not mitigate it. So that helps authority wise. Trust I mean I think trust
is something that we’ve worked really hard with DHS
and MPPD to build over time and it’s consistency,
it’s seen value in things, it’s following up on what
you say you’re gonna do and it’s not breaking you know, it’s not breaking the commitment you make. And you know I think generally
we’re at a pretty good place with the critical
infrastructure community, I think you know with the
sector specific agencies we work regularly with them and seen what DHS has tools that we can bring to bear
to augment a lot of sector specific agencies aren’t
fundamentally security agencies. So we have security tools
to support their efforts and their security obligations. – And I think that’s a really
important point and maybe within the scope of the
new cyber security strategy and the Risk Management Structure Center, what we want is that collaborative
partnership between DHS who understand security
and cyber with the SSA. What we’re seeing sometimes
in other agencies is they are wanting to build additional capacity in their own agencies on some of
these issues and I think from the private sector’s
perspective we want and need a seamless approach to
managing security and risk. And so as much as this
strategy helps the agencies work together that’s important. And for people who aren’t
familiar with PCII authority, the Protected Critical
Information Authority infrastructure information thank you, it’s a great program at
DHS where you can work collaboratively with them
and you get the protections he talked about. Federal, FOIA, state
and local sunshine laws, and protection against
regulatory reach back. And that may be something
as you talk about this center and how people work
with you for more people to understand because I
do think people wanna work with the center, as you
talk about what it means that’s important, but
those authorities to help protect companies I think
people are trying to understand because they’re being
besieged from governors and mayors and other
people who all wanna help. – Yeah I mean at a sort of bigger level if that keeps being a limiting factor, we have to recognize
those limiting factors and you know in the ambition that
I think Secretary Nielsen has given us, let’s identify
those limiting factors and let’s go after those
limiting factors and you know that’s not all within the remit of the Department of Homeland
Security but you know, let’s have the dialogue
with Congress and within the executive branch of hey
things still are limiting our ability to collectively work together. And I don’t wanna be
scared of those things, I wanna say okay this is what
we can do until we change some of the rules and I think
most business I talk to like, I can only, you know this
is the amount of legal risk I’m willing to take and
doing things that I think are smart decisions. Please help me get to a different place. – So I think that would
be the call to action. For those in the room
start making your lists, you can give them to Bob on the way out, oh you’re welcome I’m sure
they’ll appreciate that. Yes. So are there specific
projects as you look ahead, and there are these very
core specific things, Secretary Nielsen has
sort of tasked you to do, you’re working your way through those, there’s a lot of other things you want. What are your probably
next few priorities? – Yeah I mean we are aligning
the work we’ve been doing, supporting election infrastructure. Secretaries of state, state
election directors making sure that our elections are secure, the actual voting process in the run up to 2018
election, that’s front of mind. I remain, we remain concerned
over foreign influence over elections and propaganda
and our adversaries trying to sow discord and
things like that you know. That’s a strategic risk
right now that you know, we’re doing some work
with an MPPD that we’re aligned with on that. I don’t wanna, I don’t wanna
diminish the importance of that over the next few weeks. And then going into the 2020 election, but then sort of to the core National Risk Center
business processes the thing I’m most excited about us
doing quickly is working with industry and our inter
agency partners to identify a set of national critical
functions which are the things that critical infrastructure
produces that are absolutely essential to national
security economic security or the functions that are come through. And putting that identification
together for the purpose of doing risk prioritization
and that’ll get us broken out of the little bit of the
sector by sector model. What are the big cross
cutting functions when we’ve been talking about last position
navigation timing services and so many of the sectors
rely on that and it you know, there’s potential that something
could happen that would degrade PNT services away
that’s too much national risk. And as we identify those
and then have conversations you know we put in the
structures to get industry and government together to talk
about where our priorities should be and then we’re gonna
pick a list of priorities working together and then
that will really guide sort of the 2019 part of our agenda. But what we wanna do differently, like there’s a need to
be sensitive for national security reasons and some of this, but I want enough community
wide discussions that you get a sense of where our
priorities are consistent with the strategic
direction we’ve been given. – Now having you almost you
go from the inverted funnel, I mean you think about
national critical functions, it’s the basics, the lights
stay on, you can get money, you have clear water right. How do you, obviously these
are things you’ve been working on for some time, so do you
have a set list and you’re gonna be talking to people about
adding to that and then prioritizing from there? – We have an idea of what
a list would look like but really as part of the stand up we wanna and we’re planning a workshop
in October and I’ve been talking to a lot of different people, we want sort of a final set list, not a final in that it won’t change, but a set list that really
guides our activities and so yeah we’re in the
process of working through a set list. – So that’ll be the next
conference that will roll out the list of national critical
functions no I’m just teasing. – But and part of the
reason for this thinking is those of you who do work
closely enough with ops centers or living close to the day
to day recognize and we certainly see it just the
pounding of things that are going on in cyberspace on a
day to day basis and you know we get to read the intelligence
of things that people might be trying to and
it’s just hard to navigate all of that until you’ve got a, okay these things might be
going on but these are the things that I think are the
most important and if we can align unfortunately what we think, if what we see is the
adversaries seeming to understand the things that are most
critical that helps direct our activity. And so the prioritization
isn’t just for planning but it’s also to understand
you know how to make sense of the million dots of
information that you know, that’s good that we’re
creating those million dots of information and going
back to what the center is and what it isn’t, the end
kick exists to get every single piece of information
you could possibly get where you can help the end
kick you know prioritize how that information might be then
leading to a change in the risk environment. – I’m gonna ask you one last
question and maybe go to questions from the
audience, what if you had, what are the top, I didn’t
warn Bob about this question by the way, what are the top
two things you would want every company in this room
to think about and then come to talk to the center about. – Um. – You could pick one or five. (laughter) – Your risk, what you’re doing about your risk. Now I mean so to some extent right, and I used this analogy when
we were talking in preparation for that, the center wants to
be a place where we’re really having the conversations kind
of at the chief risk officer board level that so you know of where is cyber risk existing
in your systems that you think you need help managing
and where is there cyber risk that you think might be out
there or other risks that you think that might be out
there that perhaps you need somebody elses help to manage
and I think it does require you know the board level
conversations and thinking about risk and but you know
the word that’s most important in what we’re trying to do
is management and I’ve set the goal for reduction
like I think we should be held accountable for five years from now have we reduced cyber risk? Management suggests there
are a lot of strategies for reducing cyber risk
but the ultimate goal hopefully not just managing
the risk or transferring it or accepting it, let’s
go at reducing risk. And so I hope corporations
are really thinking about what they can do to reduce their exposure. – I’ll say this and then
definitely go to questions, I think there’s been a
dramatic change in awareness and understanding at the C suite level, even in the last 24 months
and more on the systemic operational level as to what
cyber means to companies. It’s more than just the
data side and sometimes you hate to joke that it’s
you know you’re lucky if only your data was stolen. But we think about the
operational impacts to the economy national and homeland security, I do think that people are
starting to understand that more. So the center can help
bring that greater awareness at a higher level and
think about what resources makes sense for companies then
they can ask you for help, I think that will be a huge change. So we’re gonna go to some questions, the one thing I would ask
everybody is to say your name and your organization before
you ask your question. Thank you. – [Romy] Alright thank you. Romy Siport from Freddie Mac. I’m just curious to get
your thoughts around the, the approach, the classical approach to
risk management which is you kind of define your risk appetite, where you, below the appetite
how you accept risk or even I just heard you talk
about transferring risk so that’s, those are some
of the classical practices of risk management. How do think the center is
going to transform some of those thinking as you’re
analyzing the data and as you hopefully sharing that data back with the, with the private sector. – That’s a hard one. Let me start by. – It’s a soft one. – No I recognize you’re
describing those as classical approaches and I’ve read enough
risk management literature to agree with you, but the
federal government those are not classical approaches within
the federal government of risk management right. That the conversation of risk
transfer and risk acceptance and that sort of stuff is
stuff that’s been really hard for us to be explicit
about in a lot of areas. And the reason I bring up that
point is one of the things I hope we can do is align
risk management models in thinking a little bit more
so that we can explain how we approach risk
and you explained risk and we can really start to sort of understand that because we’ve
got this different theory of our responsibility of risk
management we might be you know creating
inefficiencies there and so you know I don’t know that
you’ll ever hear me say hey we agree to accept
that risk explicitly, you know I don’t have to
sign a statement because I’m a public company to say that, but sort of having the implicit
discussion that you know, the things that we didn’t
put at the top of the list are things that where we’ve
agreed to accept a little risk or that there are other
risk management strategies out there other than going
hard at putting security in a system so I think one of
the things hopefully we can do as a center is create
a little more synergy between what I think
are a couple different risk management theories. – Aren’t you over also trying
to help companies or entities to understand where their risk fits in in a broader world? I mean I do think everyone
is responsible for their own risk. But putting my old federal
government hat on sorry, you know you’re thinking
about what the nation looks like for risk and it’s
not just one company here, one company here, it’s the
aggregated risk together, you probably have a different
view of that than companies. – Which may come to different
risk decision making because of that. – And if you explain
that though to companies I think that’s really
where maybe that disconnect between your definition and
theirs could be bridged. – [Brian] Brian Brown. So I guess you can hear me okay. Excellent panel, thank you very much. So I guess I have a little
bit easier question, so Norma this is kinda toward you as well. So as a company, what’s the
legal implication of your cyber risk right, cause
cyber security costs money, and lawyers cost money, I
mean I know your firm is very reasonably priced with your rates. – Well they’re worth
every dollar I’m sure. – We are worth every dollar
that you pay us and more. – [Brian] And a lot much more than that, but what’s the legal implication
thereof and obviously what’s the business implication, what’s the dollars and
sense and sort of ROI and I will now sit down, thank you. – Okay point number one all
the questions were supposed to be for Bob. No just kidding. No I am here. Well let me say this
I’m not gonna give you legal advice today. I do think it is important to
understand that the broader world believes that cyber
is part of your normal risk. And it depends on what sector
you’re in and where you fit and if you’re regulated
or not but the awareness, there’s an expectation
that you have the awareness and then how you manage and
mitigate that risk is really dependent on your regulatory structure and your other requirements. I think the piece that’s
important cause I don’t know what sector that you’re in, the cross sector components
are really important to understand, your supply
chain and other things. And so that’s usually when we
talk to companies about how you look at your risk and
what should you think about, we run through things like that, we talk about resources that
DHS and other people can have, we’ll ask about your insurance,
but things like that. I’m happy to talk about
that more afterwards. – [Audience Member] Norma and
Bob congratulations on this new post and good luck I
know it’s quite a challenge you’ve undertaken. I just had a question about something, you rewrite CPAK and PCII
and I just ask for an update on the PCII, a couple
years ago DHS had initiated a process to update those
rules and I’m just curious as to whether that is
now gonna get restarted given the focus on trust and authorities. – I think that you know
there was a sort of pause in regulatory activities at
the transfer of administration and you know looking at what
we were doing I think the PCII update certainly is
something that remains a regulation, a regulatory
framework that we wanna push, regulatory’s the wrong, rule-
making framework that we wanna push because there’s
nothing sort of regulatory there so you know it gets
wrapped up a little bit in that pause but we will be
following up and we will be building off the presses and
the comments we’ve already taken and the feedback
we’ve already taken. You know one of the big
things we wanna do with the update of course is
provide as much clarity as possible in cyber security
information and how to take advantage of the fact that
collecting cyber security information of vulnerability
is the machine speed it’s a different process than the original use case for an original
use case for a PCII. – Yeah good point. Well we’re excited to hear that. Next question. – [Scott] Hi Bob Scott
Sharon from Awesome. We heard today quite a
bit about the example of the elections and how DHS is
working at the state level to tackle that and when
I look at the critical infrastructure areas in many
cases the customer for that critical infrastructure is
also state and sometimes local entities. How does your new
organization work with state and local governments
in their procurements of critical infrastructure
to ensure that they also are aware of some of the
risks that you’re aware of at the federal level. – Yeah I think the supply
chain is a perfect example of as we work to better provide ability for us to make within federal government to make risk based decisions at things we’re procuring
in the supply chain as that information gets out to
owners and operators there’s an example, certainly
there’s an example for state and local government to
take advantage of what we’re learning of our own procurement decisions. So that’s one example, in terms
of functional identification and prioritization I think that you know, part of what’s inherent in a
lot of what we’re talking about you Norma you answered that
question is know where your own risk is. We can help, we have capability
to help understand where risks are and that will then
push that kind of thinking down you know we’ll work
explicitly with state and local governments depending on
the nature of the risk that we’re prioritizing while still
an election infrastructure, lot of that’s owned to
keep going with this, owned by state and local
governments and so that’s the case we’ll work directly then
there are other things where hopefully our work and what
we’re doing through the center will inspire you know a better
functional understanding of risks at different levels. – Well I think we may have
taken up a little bit more of your time than we had
planned today but we, we were very excited really
to hear about the center and the new cyber security strategy, I can’t wait to read it, personally I hope it’s
150 pages in font three, that’ll be weekend
reading for me personally. – If I can’t get somebody
I’ll have to pay a lawyer to explain what’s in the strategy. – I know I know, see you
can explain what’s in the strategy? – Is there anything else you
wanted to mention or share before we just really
thank you for your time. – I mean you referenced half
jokingly that we’ll come back and talk about function but we want, we wanna do a lot more of
talking about what we’re doing in the center in forums
like this so we can get, we can explain, we get
feedback and you know, we’re open for business
and look forward to working with many of the people in this room. – Well thank you Bob. Join me in thanking Bob for
talking about the new center. (audience applause)

One Reply to “The State of Cybersecurity Conference, Georgetown University 9/20/18”

  1. Ultima VI says:

    . 30:31 .
