From YouTube: Cybersecurity Showdown
Description
Cyber threats have enormous implications for government security, economic prosperity and public safety. Learn about key cybersecurity issues and perspectives: government, financial and consumer data, water and energy threats, IT security and law enforcement challenges—all with an eye toward collaborative strategies to combat these elusive and ever evolving threats.
A
If you would like to ask a question at the end of our program, please use the microphone in the center or the sides of the room. Cyber security threats, as we've heard a lot over the last few weeks, have enormous implications for government security, economic prosperity and public safety. Today's session will inform you about the major cyber security challenges facing our country today, and explain some of the strategies and collaborative efforts being developed to combat these threats.
A
You know, I have come lately to the issue of cybersecurity. I had, for a number of years (this was maybe 10 years ago), a file server sitting on the internet completely unprotected with a static IP address, which means it was findable, and I found back then that it took about a minute and a half for FTP to be compromised and maybe half an hour for SQL Server to be compromised. But people didn't get much beyond that.
A
Today, though, when we have an environment where there's literally hundreds of thousands of attacks out there, what I did then was folly, and what I, if I were to do it now, would be even more foolish to do. And there's a lot of attacks that are going on, on our state, on our cities, and even sitting on your desk. There are attacks going on, and it's going to be a real issue over the next few years to deal with that. We have a very distinguished panel today to present, and I'll introduce them briefly.
A
Our first speaker today will be Andy Bochman, a senior cyber and energy security strategist (strategist, if I can pronounce that word) for Idaho National Labs, national homeland security. Prior to joining INL, he founded a strategic energy sector security consulting firm, was an advisor on energy security matters at the Chertoff Group in Washington DC, and was a security lead for IBM's global energy and utilities business. A frequent speaker, standards developer and advisor on topics of the intersection of grid modernization and security, Mr. Bochman has provided expert testimony and analysis on energy sector security standards and gaps in federal, state, local groups and state utility commissions. He's testified to the Federal Energy Regulatory Commission on security readiness and smart grid interoperability standards, and on the security and privacy readiness of AMI and smart meter systems at the Massachusetts grid modernization hearings. He has also been a contributor or author to various cybersecurity guides, position papers, reports and articles, and I think from that bio you can get the idea.
B
Beautifully and briskly done. Okay, all right, thanks, everybody, for attending. I understand we're on the very tail end of a multi-day conference, so I appreciate you bringing whatever level of energy and interest remains in you after so many days. Hopefully, the topic is one of enough concern to you that it still keeps you keep.
B
I'm attached to the one in Idaho, which has a particular cluster of professionals and experts who focus on control systems, industrial control systems, the security and resilience of which is fundamental to the security and reliability of the electric grid, to the way the Department of Defense works, and to the way other critical infrastructure, lifeline infrastructure sectors operate. So that's why I'm there. I'm based in Boston, I'm in DC a lot, so getting around. But just, you know, these are resources.
B
That can be something that state-level folks can take advantage of too, and certainly, if you're not sure how to enter that system, to try it, because it's spread out and overwhelming, at the last slide here there's contact information for me. I welcome any of you to follow up for any reason. I'm not even going to talk about this. Just look at the slide for a second. See it, see the mountains. This is where 52 nuclear test reactors were built. This is a lot of the control system.
B
Security work that I described has been going on for quite some time. It's becoming a center of the universe on that topic, and it's where, I just saw in the press this morning, I think the 53rd test reactor, built by NuScale, small modular reactors, is officially announced that it's going to be built on this range. Okay. So the main points I'm going to talk to you about today are going to be Ukraine, lessons from Ukraine, and then a couple other topics for you. Then my buzzer will go off, right.
B
It was short-lived, so by outage standards it wasn't tremendously damaging, and yet we've expected this for some time, or at least we've been guarding against this for some time and preparing for it. Here is a real-world case. It didn't affect the United States directly, but there are lots of lessons that have come out of it. All right, so just in short order.
B
It happened on December twenty-third, but it started in the spring, and that we know because of the forensics activity that was performed by a couple very close colleagues of mine who've been to Ukraine twice since the incident. Since the blackout happened, they learned that the government officials in Ukraine and the utility operators did a tremendous job. They did what we think is an outstanding job responding to this. That part that's not outstanding, and that, you know, played a role in the event happening.
B
The first place is that the adversaries (and we don't say who the adversaries are), the adversaries were clearly in the systems and starting to learn and do surveillance and move around spring of that year. So there's a lot of groundwork being laid, and it was being done without anyone noticing it, and that's something for the US electric sector and all other critical infrastructures to be aware of these days.
B
Since official reports are, they vary, but, generally speaking, it takes many months, hundreds of days, for most breaches, meaning when someone successfully penetrated the defenses of an organization, to even be detected, and all that time is free time for the adversary, whether they're nation-state, a criminal, or some other type of person or organization, to just basically stake out, map out the lay of the land, and insert things that they want to use later on. Okay, without getting too technical, I made, I want you to.
B
If you bring these lessons back to your state, to your Public Utility Commission, there were a number of recommendations, things that Ukraine could have done better, that would have either prevented, or at least slowed down or lessened the impact of the attack, and the place that I'll point you to is, it's non-governmental.
B
It's a training organization called the SANS Institute, S-A-N-S Institute, and they published a thing called a Defense Use Case, or a DUC, on Ukraine, and it's basically a top-to-bottom report, nonclassified, on everything that we've learned that could be shared, and recommendations for utilities. Why is this? And so, if you have a hard time finding that, just write me, I'll send it right to you, or.
B
Somehow related to this, again, SANS Institute Defense Use Case on Ukraine. Why does this matter to you? Well, the targets of the attack were oblenergos. That's Ukrainian for distribution utility. Distribution is the level of voltage that's been stepped down from high-voltage transmission. High-voltage transmission runs from the generation sources across many miles, goes down to get stepped down in transformers, and it becomes distribution-level electricity, and these three utilities were the ones that were targeted. When you think about distribution utilities.
B
Those are ones that take electricity into the cities, to our cities, into our towns. These are also the ones in the United States that are not covered, with a few exceptions, by the NERC CIPs. You've heard of the NERC CIPs, perhaps. These are mandatory security controls for the bulk electric system, which means big generation, big transmission, big control centers, the most important parts, arguably, of the grid. However, leaves all the rest of it, which is really most of it, uncovered by anything mandatory.
B
So the attack on Ukraine was an attack on the type of utilities and the types of equipment and systems that states are responsible for, the public utility commissions are responsible for. That's why I'm talking to you about it and interested in following up, if you want to know more or do something about it. I think I'm going to have used up most of my time, so I'm going to skip just really quickly through a couple topics. I want to leave ample time for other folks.
B
Other speakers, and then certainly for Q&A afterwards. Two significant government programs that could have an impact on utilities in your state (hopefully will have a positive impact) are CRISP, that's a Department of Energy program, Cybersecurity Risk Information Sharing Program. Tell you more about it afterwards, no time now. And GridEx is an exercise that happens every other year.
B
It happened November of last year, GridEx III. GridEx IV will be November of 2017, and in this last one (it grows every year, or every time it happens, as you might imagine) there were, I think, four thousand plus individuals involved, over 160 utilities. As I mentioned to Joe, almost every FBI field office in the country was involved. It's played at the state, local, federal level, and it gets as real as it can. It makes it real. I always talk about exercise as putting people in stress positions.
B
Why do you exercise? You go in stress positions, you test yourself. You make mistakes, but at the end of the day, you're stronger, and if, when you do it again, you'll be more ready for something that might happen in the real world. So GridEx, you can search for it. You can come back to me; I'm part of the planning committee for that exercise. I don't even want to show you the slide, but if you'll just look at the box on the right-hand side, all this is, is the box.
B
The yellow circle part is proof that, in this mighty complicated constellation of different organizations, government and commercial, that are involved in this exercise, there is local, state, provincial government involved. Provincial, meaning Canada is a big part of it as well. And there'll be a conference in November (excuse me, it might be October) called GridSecCon, G-R-I-D-S-E-C-C-O-N, be in Quebec City, and I'll give you, really good for folks you recommend get to it. Help, help get to.
B
I play a part in the New York REV, Reforming the Energy Vision, which is a grid modernization program. We're trying to make sure that security is an integral part, appropriate amounts of security and privacy are integral parts of that initiative from the onset, and not waiting till everything is deployed, and then people go, "Oh, no! It's too late. We need to add something." The time to do.
B
This is during the initiative itself, not later on once you have a breach and realize you wish you had done it earlier. And lastly, California CES-21 is California Energy Systems for the 21st Century. They're doing some fantastic, cutting-edge security research and development and ultimately deployment, primarily coming out of their PUC, driven by the CPUC and being enacted by the three large IOUs and other players in that ecosystem. So that's it. That's my email address. You can write to it. That's my Twitter ID!
A
Our next speaker is Joe Demarest. Mr. Demarest is an executive director in the advisory services practice of Ernst & Young. His private experience includes some of the most critical roles in the FBI and the Office of Global Security at Goldman Sachs & Company. He served as assistant director in charge of the FBI's New York field office, where he led the largest and most complex national security and criminal programs.
A
He was also selected to take on the critical role of leading the Cyber Division and the director's priority Next Generation Cyber Initiative, an initiative to transform all aspects of the Bureau cyber program. Most recently, he served as associate executive assistant director to FBI's Criminal, Cyber, Response and Surveillance Branch to the director's office, where he served as chief operations officer for the branch.
C
A good morning, and thank you, Max, for the kind introduction. I am now currently with Ernst & Young. I joined Ernst & Young in the risk advisory practices last year after spending 25 years with the FBI, the last 4 years spent on overhauling the FBI cyber operations, working closely with Director Mueller then, informally, or then Director Comey as well. Today, we thought in our planning sessions for this panel that I'd briefly go over the actors or the adversaries who are currently, or have, targeted state entities.
C
So if you look across the top, we'll talk about the current state threats, or those actors who are looking at you as a potential victim. If you look across the top of the bar and goals, we have the threat actors, the specific targets they're aiming for, the attack vectors, or how they actually go about doing what they do. Along the left bar on the vertical you see the actor types: nation-state-sponsored actors, cybercriminals, activists, and we'll talk briefly about the insider threat.
C
In some cases, I'll say more so for government across the internet, in what they're involved in. As you can probably imagine, most of the actors are emanating out of Asia, Eurasia, and some we have found in the Middle East. So, specific targeting: government entities. Obviously no one is exempt when it comes to targeting, for political purposes or geopolitical purposes, from afar. They're looking at critical infrastructure, so Andy mentioned energy companies are a big interest, transportation as well, which is not listed, to your legislative leaders.
C
So what you put in writing, and it could be done for malicious purposes or intelligence purposes by some of these nation-state actors. So how they go about doing it: so spear phishing email, those are those emails that are crafted and directed specifically at a target audience or an individual. So they will research you, online social media profile.
C
It will open it, and then with an attachment or otherwise, and then potentially exposure, network events, malware. And when we talk about zero-day exploits, it's exploits, or at least malware, software for malicious purposes, that has never been seen before, actually created, technically created, for that specific attack against that specific victim or entity. And the last piece here is USB stick, so interesting cases.
C
My time at the FBI, where USB sticks were found sprinkled about parking lot areas or within waiting rooms of a given entity or outside of a DoD facility, and, as you can imagine, right, staff, employees, you find something, it's shiny, it's nice, great. Imagine taking that back, you're not even realizing what you're doing, right, and plugging it into your laptop, home laptop or, you know, your desktop. So moving on, the cybercriminals.
C
Very advanced today and growing, right. It's little effort for tremendous gain from a monetary standpoint. As you look across the globe today, mainly emanating out of Eastern Europe, Central Europe, Southeast Asia as well. We have this group of hackers for hire now, it's developing on the darknet, and we'll talk more about that, maybe potentially during Q&A, but people who are letting themselves out to the highest bidder to conduct whatever you'd like them to do from a technical standpoint. Interested in employee PII.
C
You see a number of breaches today, or accidental disclosures, of our W-2s. You can imagine all the information is contained in there. Voter registration records, the employee health and education records, driver's licenses and the like, but many of these groups do today, and we found in working with the EY threat, cyber, the threat, the intelligence team.
C
There are groups now in the dark net that are aggregating all this information, creating profiles for you as an individual, from, you can imagine, right, your name, hopefully date of birth, social, license information and the like, and they use that, right, in the sale, right, and the more information you have on a complete bio, the more money they make on your record. Malicious documents: the way they get into you. So large institution advertising online for certain key positions received an email, very well written, polished, with an attached CV or resume.
C
Today we had a company we were working with, in the hundreds of thousands of known vulnerabilities, known, published vulnerabilities that still existed in their particular network. Activists: you could run through them, from Anonymous, LulzSec, Lizard Squad, any others. For some reason, they've decided there's a political, a sociological issue that they have taken issue with a specific organization or otherwise, and by the use of, using botnets, which are web robots, where they enslave your machine or your computer and then form these robots.
C
If you will, botnets consisting of hundreds of thousands to, what you've seen, over a million infected computers to conduct different attacks, and the most common was the distributed denial-of-service attack, and that's really an attack of these computers, all the enslaved computers coming into your website and asking for information, basically. There was one that was, research was done, it was on a, I'll say, a financial services company.
C
So those are the actors, and those are the actors we have seen when, in my time at the FBI and shortly now working with industry and in the government public services space, we see that you have these groups of actors who are certainly focused on you, and the importance of cybersecurity today is no doubt something that we believe, right, and have seen, certainly, my time in government, with EY. We're still at the very tip of the iceberg on what we're going to be doing as a country when it comes to cyber security.
C
So if you permit me, I'll run through the anatomy of a hack. We'll do this at a very high level and, as you look at the graphic on your left, you'll see we'll have all the external actions that take place, then on the right, the internal actions, right, those are the things after they successfully breached your networks. The attack stages you see across the horizontal in the center. You have the groundwork, the engagement, the presence, and then the effect, the consequence of what they do. So, groundwork.
C
They conduct research on your company for whatever reasons, if you're involved in some negotiations from a state perspective with certain entities external to your state. They'll develop the resources, right, to start doing the research on what tools, right, that are currently available, they need to build, to access known vulnerabilities that you may have in your networks. And then in the same phase, the initiating, this is also where, you know, I mentioned the spear phishing, and drafting and creating those.
C
This is where all that's done, and this part of it, on the engagement piece, is when they release those, their spear phishing emails, generally done, what we've seen, in groups of three, three distinct groups within a company, within government, with three different types of topics, so they're not caught, right. Once you defeat one, it generally can thwart the ongoing, at least the remaining of the attack. And it could be from topics related to current legislative efforts. It could be staffing. It could be, as I mentioned, someone applying for a position within government. Once in.
C
This is where they do a lot of that searching for the important information that they're currently looking for, or those juicy tidbits of data, right, employee records, the PII and the like, which they look to extract and ultimately sell. Once in, they are looking to elevate or escalate privileges, right, to those administrator accounts by compromising, right. A lot of times, it's actually they're found from the username and password for specific systems, to widen your view throughout your networks. And then, lastly, the effect, right. So what are they trying to do?
C
Ransomware is denying access to certain files. Consuming resources, right, so they do take your computer over for different reasons, to conduct a DDoS, distributed denial-of-service attack, or taking over components of your computer, right, your desktop, your webcam and the like. We've seen multiple cases of that. The keystroke logging and the like, extracting data, destroying hardware, software, and the Sony attack. We worked very closely with Sony through the entire breach and what occurred there. And, lastly, just enable future operations with them. With that, I know my time is over. Let me just close with this.
C
The cyber security environment is completely complex. There's no way of truly preventing every attack. It's just not going to happen. The actors are skilled, they're trained, financially supported, and they're patient, and they're not only targeting our technical systems, but also our people and the processes we use for certain key functions within government today. So I look forward to more discussion during the Q&A session, and I will cede the floor. Thank you.
A
Operations for the IJIS Institute. It was funded in 2001 as an integrated justice information system in response to US Department of Justice's interest in raising private sector participation in the advancement of national initiatives affecting justice and public safety and homeland security. As a member of the prestigious Federal 100 in 2014, Mr. Jarral was instrumental in conceiving and implementing a new standards-based interoperability program, also known as Springboard certification program, to help advance information sharing in the justice, public safety and homeland security environments, his ed.
E
Thanks, Max, and trust me, I'm not going to talk about interoperability today. I'm going to share some thoughts about things that we have discovered as part of our information sharing efforts around safeguarding, and especially around cyber security in the law enforcement community. So let me start with actually sharing a chart with you which actually depicts how, as a human, we actually adapt to a technology, and how, as an organization, we adapt, and then where the policy sits in that adaption.
E
So as we all know that technology is moving at very fast pace, innovation takes place on daily basis. We are getting a lot of new tools, new technology, and humans are behind that curve, adopting. So we're very good: when a new technology comes in, we go and buy it, because we want the latest and greatest gadget. We want the latest technology, but as an organization we are way behind in adopting the technology.
E
Bringing the technology into our mission to help us in our operations, and policies are very behind that curve, because quite often, when we go and buy these technologies and make an investment, we don't think about the policy. I know that Andy and Joe talked about some of the security and privacy concerns. Quite often, we forget that policy is the heart as we move forward in adopting technology, and hence the cyber threat that exists out.
E
We have discovered 36 different interactions that a law enforcement agency can have with different mission partners on daily basis, so what that means: 36 ways of actually compromising your system, getting into your technology, data assets. And as we get more connected, that also means high risk. So we live in a connected world. We all are carrying different devices, we're connecting to different information assets. So what we're doing is increasing our risk and opening the gates for the hackers to get into the system.
E
If we don't do anything around policy, but also, above all, making an investment in the technology that can help us solve some of those challenges. This is a chart that shows just a snapshot from 2006 to 2014 about the federal agencies, actually, who reported the number of hacks, and you can see that it's on rise. In 2006 there was only 5500 incidents reported for the federal agencies, and in 2014 it's almost at 67,000, and this is not even the complete data set, because we don't have all the information.
E
This is purely based on what was self-reported by the federal agencies. So what are some of the cyber threats our law enforcement agencies are facing? I know Joe touched on some of those. We live in an environment where public safety agencies are at the high risk. In government agencies, law enforcement is at the high risk today.
E
The challenge that our law enforcement agencies face is that hackers are defacing the website, getting the data, publicizing it on the web, attacking our court system or police departments, getting the data, locking it, encrypting it and asking for the ransomware. Some of the third observations: these are some of the type of attacks. I know that Joe talked about ransomware.
E
But the sad story is that twenty-two point six percent actually ended up paying the ransom to recover that data, because they did not have any backup. And then, above all, fifty-eight percent actually lost the data, because they did refuse to pay the ransomware or they did not have the actual way to back up, because they were not negotiating that with their solution provider or did not have any program in place within their agency to actually back up their data on daily basis. So they ended up losing the data.
E
So what does this tell us? The victim: anybody sitting in this room or other in our government offices can be attacked and can be a victim. But what we lack is good metrics, because today it's hard for us to tell how big this problem is, because most incidents are self-reported, and sometimes we don't even know that our systems have been compromised, and it might be few months, few days before we went to realize that our systems have been compromised. So bottom line that we are unprepared.
E
We need to do a whole lot to actually protect our data assets and make it a priority that, as we are collecting the data, as we are moving into the digital world, we have to do a lot more, from policy to technology, to address these challenges. There is a study that was done by International Association of Chiefs of Police and National White Collar Crime Center between 2013 to 2015, and the observations the study actually made were that most of the law enforcement agencies were aware of these threats.
E
They knew what the consequences will be if their system is compromised, but they did not put the risk management framework in place to manage this risk, to be responsive to the risk, to be proactive. And some of the things that we discovered, the challenges that were shared as part of this study, that, quite often, they did not have control of their infrastructure. It was managed by some other IT department, so they didn't know what was going on.
E
This is a snapshot of data that was published by Open Security Foundation in 2014. We all are here consumers, and in 2014 over billion consumer records were compromised, and some of the ways the data was compromised was by using some of the services like taxis and limousines, where we use our credit card, doing online transaction, ecommerce, because we did not look if this site can be trusted. We just put our information. Credit bureau: we think it's a, but again they were compromised. And we all know in 2014, Target hack, Home Depot.
E
So we know that even the big organizations are struggling with this problem, so that sets the stage for even law enforcement agency, that we have long ways to go to address this problem. Some of the things that we are doing nationally from cyber security: it is a policy issue. We have to do something around the policy, so White House issued an executive order and a presidential policy directive, and these are some of the examples around critical infrastructure.
E
So what we need to do is take some of these lessons learned and some of the policy and figure how our states and counties and cities can actually leverage these policies to come up with a policy framework to address some of the cyber threats. What we need is a risk management framework. We need to manage this as a risk, like any other business. We need to figure out. Hackers are very smart.
E
They are figuring out a better way and faster way to hack our system, so we need to be prepared how we respond and stop that hack once they're in, at a machine speed level, and we need to do a better job of protecting our infrastructure. So from strategy perspective, that we're working with the Chiefs of Police across the country and across the world, is that we need to keep this message simple. We need to talk in a mission context. We need to work with executives to understand how deep this problem is.
E
We need to educate them. We need to come up with a model policy. We can collectively work and address some of the challenges that our state and locals face and, above all, it's about the collaboration. It's about the partnership. It is a partnership where government and industry needs to collaborate and work together to fight this cyber threat issue, because industry's definitely ahead of the curve to do this. Thanks.
A
Thank you for your really solid presentations here. I think you probably scared us a little bit here, but that's kind of the point, isn't it? I'm wondering if people have questions, and if you come to the mic and provide your question for the panel, that would be great, and please start with your name and state. Thank.
B
You for those great questions, and I'm going to try to give you a selected response to part of it and then actually niall take over. Terms of collaboration between state, state-level folks and federal on cyber security issues, particularly as pertain to critical infrastructure, which DHS defines as 16 or 17 different sectors now that are so classified, and I saw an article yesterday that said it would be helpful if voting machines now became part of critical infrastructure, so the DHS could play a more meaningful role in this very interesting time in which we live.
B
I don't know if that will happen. I don't know if that will help. Back to the point, question at hand: since my focus area is so much on the electric sector, I'll mainly speak to that, but allow you to infer that most of what I say for electric sector applies to, if not all those different critical infrastructure sectors, then at least to the lifeline sectors, which, again, if you're not familiar with that term, are electric, oil, natural gas, water and wastewater, and transportation, and I think also communications. Okay.
B
Unwieldy and hard to deal with. Two places I would point you, state of Maryland and other states, to have best access, best interactions with the folks that are on the borderlands between the states and federal. First, let's go to the E-ISAC. That used to be called the ES-ISAC, but just to keep you on your toes, they got rid of one of the letters, so now it's Electricity Information Sharing and Analysis Center.
B
There's no threat that things that are discovered through conversations will in any way impact them from the NERC CIP standards that I told you, that some of you familiar with, the mandatory security standards for the bulk electric system. So I'd advise you to look up and establish some rapport with E-ISAC. If you're shy or nervous and you'd like an introduction, I'd be happy to make that introduction. The second organization I'd recommend to get at some of the things you're seeking is network. You all are familiar with Neric, right.
B
B
I'd recommend, if you or the folks that you charged with following security matters, particularly grid related, in your state are interested: Neric has a critical infrastructure subcommittee that meets regularly, that has teleconferences that I've spoken, I've briefed multiple times, and that's a great fire hose for you, and I'll leave it holy buff there.
E
So from the private sector, yes, they're definitely collaborating, and what a great example that we always love to talk about is the financial sector. Financial sector has done a great job of standing up information analysis center, also known as FS-ISAC. We're learning a lot from them, because financial sector has a motivation, because they don't want to lose the revenue and get the bad reputation, because there will be functional implications on their business.
E
So as such, a lot of the technology companies are also not forming a partnership and collaborating and keeping their comparative edge on the side and getting together to form the information sharing analysis center around cyber threat. So right now we are making progress, but it's slow, even in the private sector. We're sharing information, and one of the thought processes that we more we can share about these threats, and even if it's anonymously, we're still serving each other and helping each other in this fight against cyber crime.
E
So as such, for example, Microsoft, Symantec, and these guys are actually five also from the partnership, and the biggest thing that we have learned is that sometimes these companies actually also come under the radar for sharing too much. So one of the big things that they're looking at is how we can share this information and serve the purpose, but also not lose our competitive edge.
F
D
E
E
Yes, we do, and the thing is that we're also leveraging that, because we tend not to talk a lot about standards, but we are also working on leveraging, and through that partnership, also creating what we are calling a common language: how to share these cyber threats and the information that we can share with each other. Because quite often we also find ourselves that we use different terminology and it confuses the world, and so we decide not to share that. So we're actually working collaboratively on that, all.
A
A
All right. Other, if there are no more questions, we have a couple recommend. Oh yes, please go ahead.
F
Thank you. Curt McCormick, representative from Vermont. At the risk of sounding like a Luddite, I think in our culture anything that's electronic is considered better, and we keep doing things that we used to do in another way. We now do it electronically. We're literally voting with our telephones now, instead of just raising our hands, and that assumption is that's better, I think, because it's electronic. And that's not to say we don't need electronics, and electronics do some great things.
F
I'm thinking of a horrible plane collision over Europe, where the air traffic controller overruled the computer, and he was wrong. The computer was right. So I'm really not a Luddite, but I do think we are so dependent on computers now, and we don't need to be so. I asked this question of Ted Koppel the other day and I want to ask it of, probably, you, Andrew.
F
So if it gets hacked, we're in big trouble, and Koppel actually explained how in the Ukraine they got out of that and got back up pretty quickly, thanks to the fact that they were not so electronic dependent. Can't we, in case of our electric utilities, which might be the most important thing to pay attention to, can't we at least get back to and mandate the utilities have manual systems and protocol always ready on a moment's notice to bypass the computer, instead of the computer bypassing humans throwing switches? Shouldn't we have that? Shouldn't
F
B
Start from Vermont. To be completely honest with you, you're right on in a lot of ways, and to fully unpack and give you a very satisfying answer, which I think we can maybe talk afterwards, keeping it down to 30 seconds or so: a recent Senate hearing called the S. 3018, recent meaning last couple weeks, was on this topic. Lessons learned from Ukraine: restored much faster, because they'd only recently started to significantly digitize their control of their control systems, and so the personnel who were used to doing it in a more manual fashion were still there.
B
They hadn't been let go for efficiency reasons. They haven't been completely replaced by automation, and this is a big feather in their cap. So your point is well taken, but there are some things that I would have to say to you about how the U.S. is much different than that, and it will be highly non-trivial to start to move in that direction.
B
A
And I think part of what happens is that a lot of our systems were designed initially without security in mind, so we've got email systems, we've got an internet which did not have security at a rock solid basis, and it's going to take some work to get that back up. All right. Well, let's thank the panel for your consideration. I think they will be around for a few minutes, and thank you all for coming.