tv Cybersecurity Director Discusses Mission Threats CSPAN December 3, 2021 1:55am-2:28am EST
i had the opportunity to see it and i thought it was an excellent speech. not an easy speech to deliver, a notoriously fickle crowd. i learned a lot and i think you did a tremendous job of educating people on tremendous topics, but most importantly you did a nice job creating trust with a community not easy to build trust with. kudos to you for that. that will serve you well in your agenda. three other things from your keynote: i learned anyone saying c-i-s-a will be banned forever, it is cisa. i learned that another agency was almost named acdc. that would've been so cool, and the third thing i learned is you are a pretty good dancer and you
do a mean impersonation of elaine from seinfeld. to kick things off, i would like to give you an opportunity to introduce cisa and tell us why and how it is unique from other government agencies.
>> first of all, thanks very much for the invite to be here, it is great to spend a beautiful friday morning with everybody. thank you for the kind introduction, and thanks to my friend jamile out there who set this up. let me just start with the mission. we are the government's newest agency. we were set up at the end of 2018 to be the nation's cyber and infrastructure defense agency to fill a gap. our mission is to lead
the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure americans rely on every hour of every day. how do we get our water? how do we get our power? gas at the pump, food at the grocery store, money at the bank? these are the networks and systems that basically underpin our lives, and that is what we are responsible for reducing risk to, so we have two key goals that fall out of that. the first is to be the operational lead for federal cybersecurity, the protection and defense of the .gov, and the second and more relevant to this audience is to be the national coordinator for critical infrastructure security and resilience. as we know, 85% of critical infrastructure is in private hands, and that is why private partnerships like this are so incredibly important to the
success of our mission. that is why i am glad to be here with you today.
>> that goes back to the trust we talked about. the way it exists is critical to all of us moving the agenda forward from a cyber perspective. i am shocked when i hear jen speak, and i tell her, her keynote, she was three weeks into the job at black hat. today is 100 days into the job. she is still new, but it is impressive to have this conversation at this level of depth with you. could you share your priorities, what you have been able to publish, and where do you think you are going to go?
>> first of all, i will say i did not know what to expect when i took this job.
obviously it was amazing to be nominated for it, and given what is going on in the world, i thought it was really important to come back to government to do the job, but i had never served in the department of homeland security before. i was in the army, the intelligence community, the white house, but never dhs. in all honesty, this is the best job i have ever done. i think it is the best job in government. as i was going through the confirmation process, a good friend of mine, the deputy secretary at homeland, said it is interesting: in the world of national security, the world where i spent most of my time, counterterrorism, intel, the federal government has monopoly power, but in homeland security and cybersecurity the federal government doesn't; it partners with our territorial
colleagues, so it is all about partnership, which i love. i probably spend 60% or 70% or more of my time meeting with partners, either in industry or at the state and local level, which is incredibly fun, because it is all about building partnerships, relationships, and trust. it is a fantastic job. it is hard to think, 100 days, that sounds like it has been a while, but every day has been fantastic. i see a couple of things i am focused on over the three years, whatever it is, maybe four buckets i will give you. the first is really leading the transformation. it is the newest agency, founded by my good friend, and it went through a pandemic, a contentious election cycle and a bunch of things that happened this year that were
intense work. the transformation piece of this is not a trivial endeavor. we went through a big reorganization and we need to make sure that we have the people, the technology, the process to set us up for success in the coming 10, 20, 50, 100 years. we can talk more about that from a workforce perspective. the second, in effect, is all of the work that we have to do on federal cybersecurity. in the executive order that came out in may, there are 35 different tasks we are a part of or we lead, so a ton of work there that i think is really fundamental to ensuring that we can better protect and defend the .gov. the third big bucket is critical infrastructure cybersecurity, where we are the national coordinator.
a lot of work to build those partnerships; specifically, we are doing 100-day sprints with several sectors, the pipeline sector, the water sector, the chemical sector, and we are laying out performance goals and standards that came out of the white house national security memorandum, so a lot of good work so that we can baseline and harmonize a lot of the work coming out there in terms of cybersecurity performance goals, and finally, it is partnerships. i talked a lot about that, and that has to be underpinned by trust; whether it is a business relationship or a marriage, it is all about the foundational trust. one of the things i am excited about that we have done over the past few months is the jcdc. i'm excited about the people things. we set up a partnership with the
ceo of girls who code, so we have a collaborative partnership with them and we are really focused on diversity, which is a personal passion of mine, and i would say for those of you who do not know, it is share the mic in cyber day, so my own twitter account is being taken over by my teammate, so check that out today, it is a great program. a lot of leaders across the government.
>> [indiscernible]
>> when i first mentioned this my lawyers also came up: what are you doing? i am actually super excited about it, so please check that out. these are opportunities to build a diverse workforce. i am the director, but i think of myself in three key roles. i am the chief transformation officer and the chief recruiting officer, and i told my
team i am the chief learning officer, because we need to create a team and culture that prizes innovation and inclusion and ownership and empowerment, and if you build an environment that at the end of the day is one of psychological safety, where you have people coming from all backgrounds and bringing different perspectives to enable us to solve our most difficult problems, then that is really an environment of belonging, and that is what i have done throughout my career. a huge focus on culture as well.
>> it is a complicated process you are describing. it makes perfect sense, and listening to you talk, just reflect on the jcdc, the last letter is collaborative, inside, outside, it is public, private,
it takes a community to collaborate to move the agenda forward with respect to improving cybersecurity. the theme of the capital cybersecurity summit is bridging the gap between policy and practice. can you tell us a little more about the jcdc announced in april?
>> it is great to think about, because there is good policy out there. i was in the white house for two tours, and that is the center of gravity for policy, but at the end of the day you have to figure out how to operationalize the policy, and being at the cutting edge, being the operational lead for a lot of things in the cybersecurity world, it is fun to do that, it is super fun. where did that come from? it was a fantastic idea.
i think it was first envisioned by the national infrastructure advisory council, and then it was picked up by the cyberspace solarium commission, and i cannot say enough good things about the commission. at the end of the day there are a lot of commissions out there that government does, but very few have actually been able to come up with recommendations that found their way into law, and certainly this one did, and to be honest this was before i was nominated; we benefited a lot from what was in the ndaa. one of the things was the joint cyber planning office, and the idea behind this is bringing people together. if you look at the legislation it is much more than planning, it is creating a common operating picture, it is
planning, exercising, and implementing cyber defense plans, so when i came on board, being a retired military officer and someone who has done a lot of planning, i thought this was a fabulous opportunity to do something early on to really be that signal that we are going to be proactive, not reactive, and be not another agency of the bureaucracy but something more akin to the private sector. i point to two unique things. people ask, how is this different? it is the only federal cyber entity in statute and law that combines the power of the federal government, so by statute you have cisa, nsa, fbi, all of those agencies that bring the full force of the federal government when it comes
to cyber operations, and the ingenuity of the private sector, to come together to create that common picture, to solve the issues, to be able to plan and exercise against the most serious threats and to implement those plans. cisa has a superpower, it is our very expansive information sharing authority. where some agencies can share bilaterally, we can share many to many, so we have already brought in more than 16 partners, our alliance partners, to solve that visibility issue, and we have been able to use that to the benefit of all of our partners, as we are able to get information that is seen globally on other infrastructure and share that with other partners. the other day with our teammates
at the fbi, that was raised by some of our partners, so i am hopeful about this paradigm shift in mission, from plain old partnership to true operational collaboration, from information sharing to true information enabling; i think we can seize this moment in time to make a substantive difference for the nation.
>> on the organizing committee for this year's event, as we were getting our thoughts collected, there was a lot going on on the government side, the policy side, the commercial practice side. it is bridging the gap between policy and practice. it is healthy for me to hear and imagine that something like jcdc can exist and be the bridge. that is the bridge between policy and practice. quickly, efficiently, with agility, all of the things we know are important.
i personally am excited to see where jcdc can go as a bridge.
>> can i just make one comment? having spent the last four and a half years at morgan stanley, it is interesting, two observations: when i was looking back at the government from the private sector it often came off as incoherent, not well organized to support the private sector, and that is why i think having an entity that has all of those organizations is so important, to show, to your point, in near real time. we have to move at the speed of cyber. we know that our adversaries are. that is why i think that coherence, that cohesion, communication of authorities and superpowers across all of the
federal cyber ecosystem can make a real difference.
>> fail fast, test in the wild stuff, it is critical to success as you know. speaking of failing fast, i'd love to get your feelings on president biden's executive order. two months later you are confirmed as the director. given the very limited amount of time we have here today, i would love to get your thoughts on two specific fronts that are front and center for me personally and probably many people in this room, and back to this bridging the gap between policy and practice, the commercial side of this collaborative we are talking about. the first thing i would like to get your thoughts on is the zero trust security model. it instructs agencies that breaches are inevitable or have already occurred.
how should we be thinking about that, and how do you think about zero trust, and how does that play into this concept of public-private partnership?
>> that is a great question. we talk so much about the importance of trust and now we are talking about the importance of zero trust, a little ironic. to the eo, i thought it was a great contribution, and my teammates said before i arrived they worked very closely with the interagency and the white house, and i think the detail, the sense of urgency that is encapsulated in that order is really important. it is mostly focused on cybersecurity, but much of what is in there is really a signaling mechanism to signal to communities that these are important things you need to do: modernizing your infrastructure, to enable you to have greater
visibility into that infrastructure, to develop incident response playbooks, to ensure that you are doing after action reviews, because that is another thing, the cybersecurity review board that we are going to announce shortly, which i am excited about. so all of that stuff is very accessible in many spaces, and with all of the experts here, there is a lot of talk about zero trust, and it is hugely important when you think about the concept of assuming breach, right? trust nobody, verify everybody. we do not live in a world anymore where the perimeter is ok. we need to create architectures that allow us to defend in depth, so at a very high level that is the theory of the case for zero trust. what we have done is a couple of things. if you read that paragraph about modernization, it talks about secure cloud and zero trust.
omb put out a zero trust strategy and we followed it up with a model that we issued and put up for comment. we want comments on everything that we do and we want feedback, because this is about community and there is a huge amount of expertise out there. we did that and put out a cloud technical reference architecture. if there are two things we are saying, it is move into the cloud and instantiate these principles that allow us to be better, safer, more secure throughout the full network, so a lot of work done there and a lot of expertise we are tapping into. a lot of this is being worked with our teammates at nist and new teammates at the national cyber director's office. the other good thing in the
order, it is all about software supply chains, right? we saw that with solarwinds, but that is not isolated. we have been looking at supply chain attacks, and even at morgan stanley we were very focused on securing the supply chain and ensuring all of our vendors were vetted and secure. we could spend $1 billion at a big bank, but we are only as secure as our weakest link, and that is why at the end of the day this collective defense principle is so critical to all of us, because everything is connected, everything is interdependent, therefore everything is vulnerable. the software supply chain work on this, the big news out of that was the sbom, software bill of materials. we need acronyms that only sound
like 1980s rock bands. it is not a perfect solution, because just because you know what is in the bill of materials does not mean it is also secure, but it is a good way to start incentivizing knowing what is in your products, knowing what is in your inventory, and the importance of this software supply chain, and we have got world-class experts who are helping us because we are, globally, in a global supply chain. allan friedman just came over to us from nist, but i am excited about that executive order because it really puts us in the lead for things that i think, i hope, i intend will help us make a real difference in cybersecurity, and i do not think anybody can look at that and say the status quo is acceptable. it is not. we are working with congress to reform the federal
information security modernization act, and einstein, and our continuous diagnostics and mitigation programs. some exciting space and a lot of great parties in the coming years.
>> a hundred percent, and with the tectonic shifts happening in the world, the cloud, the commercial side of this, the policy to practice bridge, it is so transformative, and to see it in clear detail with respect to the eo that it really is a collaborative between public and private. good stuff. finally, you talked a lot about the importance of workforce, and it is a priority of yours. you mentioned you consider yourself the chief recruiting officer.
can you share what you are doing more specifically to build the employee population, talent, diversity, and how do you see that diversified pool of talent being critical to the success?
>> the things that i have written and what i have told the workforce and said out there publicly, it really is for me all about people. cybersecurity is not about technology. it is ultimately about people. ensuring we have a talent management ecosystem that can not just attract but retain the best talent in the world, cisa is a place where the best network defenders want to come work, and that is what i am working to build with my team, and that starts out with the ecosystem. it is not just great recruiting, but it is onboarding and
integration and mentoring and coaching and reward and recognition and allowing for mobility and rotation and having a succession plan, so we are looking at that employee experience in a private-sector way. much of what i'm doing is a lot about what i learned in the private sector, so what i am looking to do is to cut down on a lot of the bureaucracy we deal with in the hiring world and try to accelerate the ability to tap into great talent, diverse talent pipelines, and bring them onto the team and get them contributing as rapidly as possible. that is the big, strategic picture. from a more tactical perspective, the focus on diversity, i mentioned our partnership with girls who code. this week we released news about a new grant, $1 million each to
the cyber warrior foundation and npower, which is focused on developing unrealized talent in underserved communities, which is fabulous. we are really tapping into these groups that would not necessarily think about cybersecurity as a profession, so i am very excited about other opportunities like that, and everything i am super motivated about is we are finally going to implement new authority we got seven years ago to enable us to hire and pay much more flexibly. this new authority is called the cyber talent system and it takes people off the government scale and allows us to hire on the two most important things to me, aptitude. i do not care what your degrees are, to be honest. at the end of the day i care about aptitude. one of my most tactical,
smartest people had no degree. it is about puzzle solvers, aptitude and attitude, so we will bring in people in a much more flexible way and pay them closer to market. it will also, really importantly, allow us to bring people in and out of industry. for everybody that wants to, i would welcome you to reach out to me, or if you know someone who wants to join us, but at the end of the day not everyone wants to make a career of government, so we may have people that want to come in for a couple of years. we will kick off the program in the next couple of months. we are trying to increase opportunities to strengthen the connective tissue between the public and private sector, because that is all about understanding each other and
that brings us trust, so very exciting stuff.
>> it is interesting to think about the bridge from policy to practice in the context of human capital and talent. can the private sector feed the public sector from that bridge for a period of time? talent in the right place at the right time is good for everybody. i love the way you are thinking about the problem. it is clear you are bringing a private-sector view to this, and i also think that will serve cisa and our country well, and you as well. the software is easy, it is the people that can be messy, and if we cared for people the same way we care about our code bases we might be served well by that.