
Part 1 of 2: Enhancing Security and Resilience of Critical Infrastructure

Jul 26, 2024 · 25 min

Episode description

Welcome to “HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum. 

In this first of a two-part series, our panel considers the importance of resilience among critical infrastructure owners and operators through effective regulation and strategic use of data. We discuss the pivotal role of CISA as the national coordinator, helping to raise the security bar across various sectors. Learn about the evolving awareness and maturity of cybersecurity issues within the industry and the importance of long-term investments in cyber defense.

Featuring:

  • Matt Hayden, Vice President of Cybersecurity Policy, GDIT
  • Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, Department of Homeland Security
  • Cynthia Kaiser, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation
  • Nick Leiserson, Assistant National Cyber Director for Policy and Programs, Office of the National Cyber Director
  • Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator)

This discussion took place at the HSDF’s Cybersecurity Symposium on July 10th, 2024. 

Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.

Transcript

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator)

It is my distinct pleasure to be able to moderate a panel with such experience on it, and of former friends, current friends, new friends. I'm not sure how to describe all of that, so I'm looking forward to a really rich conversation. I do want to set the stage early. Audience questions are encouraged. Don't wait till the end.

If you have a question as we go through the process, as we're going through here, please raise your hand. We'll figure out how we get it incorporated. I will see you. We'll figure out how we get it incorporated into this. It's important, I think, for me and for the panelists here that no one leaves the room with a question that didn't get answered.

Hopefully we've navigated a conversation that will do that, but I'm particularly looking forward to this.

We heard on the previous panel, you've heard on and off throughout the course of the afternoon, about how important all of these technologies are, how important information sharing is, what AI is going to do for things, how much data there is and how much remains to be exploited in the environment, where the gaps are that are there.

This panel is really powerful for me because it brings it home for a particular community. When we were talking earlier, one of my colleagues here really made that point and I thought it was really profound.

We're talking about critical infrastructure here, right, the place where, when something goes bad, we feel it as citizens, and we feel it oftentimes very quickly and very profoundly in our daily lives. And so, you know, I think that's one of the reasons why it has so much attention, rightfully so, but certainly why we have to keep the attention on it.

What I'd like to do is to ask each of my panelists to really talk about for a moment what their focus is and what their priorities are in terms of security and resilience of critical infrastructure. And if they, you know, if you want to introduce yourself more as a part of that, feel free to. And so I think Nick will start here.

Nick Leiserson, Assistant National Cyber Director for Policy and Programs, Office of the National Cyber Director

Great, yeah, thanks, Bobbie. Great to be here with the Homeland Security and Defense Forum. I think that for me, working at the Office of the National Cyber Director at the White House, the critical infrastructure mission is really core to what we do, right? If you look at the national cybersecurity strategy, the first pillar is defend critical infrastructure.

That is very much how we orient ourselves, and some of the issues that my team is working on in particular, one of them is implementation of the national cybersecurity strategy. We just released our second version of the implementation plan. A year ago, just about on Saturday, was the first version.

This is something that you're going to keep seeing from the interagency. I mean, one of the things that's also exciting about this panel, in addition to having Matt for some private sector perspective, we also have great representatives from the interagency, and you saw that with Neil and Chris on the last panel as well, working together.

Cyber is a team sport, and the way that the implementation plan is structured is to ensure that we have a kind of coherent vision of how we're implementing the President's National Cybersecurity Strategy.

A couple other things that we're particularly interested in at ONCD these days. Lots of attention on cyber insurance, something that is a both immature but maturing marketplace, right, and I think that, particularly with the advent of ransomware, we've seen a lot of folks who are customers and people who are trying to get policies seeing coverage limits as premiums go up, which is not ideal, and we're looking for ways to better mature that market. Something else I know we'll talk about later, regulatory harmonization, a huge priority for us at the Office of the National Cyber Director, and working to ensure, as we put requirements out there for critical infrastructure, we're harmonizing them to the greatest extent possible.

I could go on and on. We have now 100 initiatives that are highlighted in the implementation plan. I know most of them by number, but not all, so, you know, forgive me if I get one wrong, but, you know, I think that's kind of a quick overview of what the critical infrastructure mission means to ONCD.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator)

That's great. Breadth of focus, right, which is really necessary for the environment. So we're talking about, Cynthia.

Cynthia Kaiser, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation

So hello everyone. I'm Cynthia Kaiser. I'm a deputy assistant. What both FBI Cyber Division and across all of our 56 field offices are focusing on is hunting for, understanding and ultimately trying to stop foreign cyber operations from compromising critical infrastructure.

Really, in the past year, the FBI and our partners have identified cyber actors located in China, Iran and Russia who have all in some way compromised operational technology networks across US critical infrastructure entities, which could have a damaging effect, if successful, across all of our communities.

And so really countering these operations is why the FBI is committed to assisting victims and making it harder and really more painful for cyber adversaries to succeed, including, when possible, stopping these operations entirely, and really, for our teams, what that's meant is using intensive data and other analytics to hunt for and find adversaries across systems.

We've worked with our federal, private sector and international partners to identify and notify victims, offer victims assistance, including technical assistance as necessary and appropriate, from our FBI cyber action team, our CAT team, and developing technical operations so we can remove adversaries' access to the infrastructure they use to conduct these operations.

And then I think critical to all of that activity is being proactive about sharing the information necessary to counter and protect our networks from cyber adversaries, and that includes getting out there the sophisticated tactics and unsophisticated tactics that our adversaries are using to be successful.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator)

Really helpful. I mean the breadth of the threat actors, the breadth of the environment, the need to engage, and I know you've had some really successful operations of late. Iranga.

Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, Department of Homeland Security

Thanks. Good afternoon everyone. My name is Iranga Kahangama. I'm the Assistant Secretary for Cyber, Infrastructure, Risk and Resilience at DHS, and I think where we think about cyber and critical infrastructure is really both at the nexus of policy and operational work.

And so when we think about what priorities we're looking at in this space over the next several months, there are a few, and they span the range of policy and operational type things.

In the policy space, I think top of mind is incident reporting and building out an implementable cyber incident reporting regime nationally, as promulgated through legislation from Congress, and so working through that over the next 12 months will be a key priority for the department.

And then, I think, likewise operationally, a lot of what Cynthia mentioned resonates with us, obviously in helping protect critical infrastructure, particularly as we look at threats from the PRC, sophisticated threats such as the Typhoon, and making sure that we are able to promulgate guidance and work with victims to identify and remediate these types of activities.

I think second to that, and related, is a national conversation not just about how to prevent these types of incidents, but a conversation about resilience and making sure that critical infrastructure owners and operators are resilient even in the face of potentially inevitable cyber attacks, recognizing you may not stop every single one.

So how do you have that resilient nature that allows you, as an entity, to continue to provide essential services to Americans? And then, I think, finally, related to that, as our role through CISA, being a national coordinator of critical infrastructure, how do we raise the bar for all of those sectors that have varying levels of maturity?

When we talk about a team sport, you know, that includes all the sectors that we're working on, and so really building the tools and capabilities and knowledge across all the sector risk management agencies so that, whether you're a hospital, a water sector or a financial institution, you have the same level of communication, protection and knowledge to help defend yourself against some of these cyber attacks. And then I'd be remiss if I didn't include election security, which is obviously one of the interim priorities for the department and the government writ large. But thanks for having me here today.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator)

Yeah, it's just nothing like dropping that at the end, "I'd be remiss to say." Matt.

Matt Hayden, Vice President of Cybersecurity Policy, GDIT

So I did a beat with CISA and DHS, had a great time, loved the mission so much, wanted to go into critical infrastructure and joined a company that really invests in not just protecting itself but working with the government to protect others.

So my role is to really address the cyber and emerging threats that come out that really are a challenge for critical infrastructure and into the future, and to build those strategies to where we really are looking to make sure that all of our things are threat informed.

So we're not just building a really hardened box, we're building a box that our adversaries are trying to break, and how they're trying to break it matters.

And so, really, really enjoying what I'm doing now. Did enjoy the time in DHS as well, but it's a real fun world out there to know. Everybody's got an IOC for you, everybody's knocking on your door when you don't want them to, and it's really something that's a game that doesn't slow down, but at the same time it really paints where our adversaries are looking at critical infrastructure and how it really is a supply chain issue. It is a vulnerability management issue. It is a management issue all the way up to the C-suite. I can assure you that there's no one in critical infrastructure that doesn't know about cyber now; that may not have been the case eight years ago.

It is the case now, and so it's a luxury now to have that conversation come up and for everyone to be more mature.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator)

As you can tell, we've got quite the breadth of experience here. So, again, if you have a question, please don't wait till the end. Hold on to it. I have lots of them, and so if no one has one, we will have a fun conversation anyway.

I would really like to start with this, with the theme about driving the increased security and resilience for critical infrastructure operators, Iranga. I really like the fact that you brought the resilient side of that into there. For me, having been involved in this for quite some time, what I've loved about what's going on now is how integrated it is, right?

It really takes the whole of government to whole of nation and makes it real in a way that we had hoped for before but had never been able to do so. I think that's really wonderful, and the fact that it's the first pillar in the strategy really made a statement there. So I'd like to get an update on a couple of things here.

Nick, you talked about regulatory harmonization. Setting security standards is an important part of this overall secure and resilient space.

You want to give us a little bit of an update about where you are in that, particularly sort of, given the environments we're in today, the headwinds and tailwinds in this space, and I think both are working for you and against you.

Nick Leiserson, Assistant National Cyber Director for Policy and Programs, Office of the National Cyber Director

Sure, yeah, absolutely. So I think, you know, if you look at the strategy, right, the first pillar is defend critical infrastructure.

The first strategic objective in that first pillar is a recognition that we need to set requirements, and that's really driven by the fact that, if you look at what we're trying to achieve writ large with the strategy, one of the things we're trying to do is to enhance, encourage investment in long-term cybersecurity and resilience, and the feeling was, I think appropriately, that regulation is an important tool in the toolbox. It's not the only tool. It should not be the default per se, but we should also not handicap ourselves by saying, oh, we're just going to look to what we can do voluntarily.

These are matters of national security, and we need to ensure that all citizens of the United States are able to benefit from the functions that are performed by critical infrastructure, so we need to ensure that there's a minimum requirement. Several folks have already mentioned maturity, right, and that is part of what's driving this.

There are sectors that have had cybersecurity, information security, data security, some form of that on their information and communications technology for decades, and there are sectors for whom there are not any today, nor have there ever been, and we really need to do a good job of lifting everyone up, right, raising all boats in terms of saying there are some table stakes that you need to have with respect to your cybersecurity. That's the thesis here, that's what we're driving at, but there are a couple of nuances that we put into the strategy and that we're trying to carry forward as well. One of those is that we're really interested in effective regulation.

Right, we are not interested in regulation for regulation's sake. We are interested in regulation that drives investment, because that's what we need in cybersecurity and resilience.

And the way that we develop effective regulation is to talk to the people who are actually the owners and the operators of critical infrastructure, who are operating the information systems we're interested in, and that is critical to our success, right? So that is one piece of how we do this.

The other is to say the focus needs to be on incentivizing investment, not on compliance, and this has historically been a big problem because of the way we do sector-specific regulation.

In the financial services sector, there are more than a dozen just federal regulators, and what you'll see in sectors that have more maturity, you see folks who come and say, look, we're spending, of a CISO, a chief information security officer, anywhere from 30% to 50% of their time is being spent on compliance activities, and when those compliance activities, particularly when they're duplicative, when they're dealing with the same systems, the same set of requirements, but you have to prove the same thing multiple times to different regulators, that is impeding. That is not driving investment in cybersecurity and resilience. It's driving investment in compliance, and that's something that we feel very strongly we need to get away from.

One of the ways that we've talked about doing so, and we've seen great partners in industry, in the interagency. There is interest in the regulators in addressing this, but also in Congress.

So last month, I testified in front of the Senate Homeland Security and Governmental Affairs Committee about specifically this topic, and one of the points we raised is, in order to design a framework that will allow for reciprocity, which is our true goal here, we need to bring all of the relevant parties to the table, including independent regulatory commissions, and I think we've seen just this week some exciting activity from Chairman Peters and Senator Lankford to continue to advance the ball forward on this front. So, yeah, I think that's kind of, if you look at the full scope of it.

We need to have requirements, but they need to be developed with input from the folks whom we're trying to incentivize, and we need to focus on getting investments in cybersecurity, not in compliance. That's our thesis here.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator)

I was going to ask you the how part of that, and you answered it in your answer, so thank you. Thank you for that, perhaps talking about how we have to engage with the people who are going to be impacted by it.

Maybe this is a good point to transition to CIRCIA, because you've just finished engaging with the people who are going to be impacted by it. Do you want to give us a little bit of an update on that, not expecting you to have read all of the comments yet, certainly.

Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, Department of Homeland Security

No, happy to talk a little bit about this. Yeah, I will caveat. So CIRCIA comments closed a week ago, last week, and, you know, that includes a holiday in between.

So obviously our legal and policy teams have, you know, not fully fleshed out in the first few days all of the comments, but obviously we're very excited and we're very happy to have the public comment period.

I think it's worth noting that it's the end of the formal period, but even in the run-up before we promulgated the NPRM, CISA engaged in a wide range of national-level conversations to help shape that, and so we look forward to adjudicating and addressing all of those. I think what I can and will say about CIRCIA is a few things.

One, building off of Nick's point, we are going to be viewing and administering CIRCIA with an eye towards harmonization as well. We have obviously heard, more broadly than the comment period, from industry that duplicative reporting requirements are a very high burden and a very confusing world in cyberspace for companies and fortune.

To that end, concurrent with, you know, looking at the comments, we are also establishing conversations between the department and all the other agencies that have cyber reporting requirements to identify ways that we can harmonize reporting.

There are clauses in CIRCIA that allow for reciprocal sharing of information such that you can sign an agreement and a report to one will count as a report to another and vice versa, through CISA. So we want to make sure that we're maximizing the ability to do that.

Now that's quite complicated, because each agency has different requirements, and so you need to make sure that, you know, they're substantially similar enough and that those are fleshed out.

But those are, you know, really, really wonky but interesting conversations that my office is actively having right now as we develop CIRCIA.

So we're hoping to provide some harmonization in the implementation of CIRCIA as it relates to, you know, other industries that may also have to report to other federal agencies. The other two things I'll say about CIRCIA is that I think it's important that people realize it's not just kind of like a paper policy exercise that we're going through.

There's the policy part of it, which, you know, we're adjudicating comments and determining what the thresholds and triggers are going to be specifically. You know, there are legal requirements based off of that, but this is also ultimately like a government IT project at the end of the day, and I think that's really important and something that people miss.

And so we're obviously very cognizant of the IT infrastructure, the security needs, the user experience aspect of this as well, and building it out in a way that is technically proficient, that is interoperable with existing systems.

You know, making sure people like FBI can get really rapid sharing of these reports is really important to us, and so building the technical infrastructure is something we're very much in the weeds of as well, and that gets tricky for, I'm sure, those in the room that are trying to build IT infrastructure with IT requirements that are contingent on thousands of public comments, and so you have both of these, this IT project and the policy world, kind of moving concurrently at the same time, and so I think it's underappreciated how difficult that can be, to kind of pinpoint where the requirements go. And then the final thing I'll just say is that, you know, the policy goals are not simply just to aggregate data.

It's not simply to do a land grab of getting the most amount of information possible.

It's to get the right amount of information in the right format that can be best utilized to maximize prevention, security and resilience in this space, and so the decisions that we make are through those lenses, and so those require tradeoffs in different spaces to make sure that we're maximizing use of it.

And that may be different based on the specific use cases in the law and kind of the information environment that we're in. But I do, you know, want to emphasize that a lot of the decisions we will make will obviously be in response to the public comments.

But it's not simply about gaining data, it's about gaining the right kind of data in the right context. So we look forward to continuing to work with folks on that and putting out some more information in due course.

Cynthia Kaiser, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation

Certainly, Cynthia. If there's anything with the partnership for the FBI there, I think that's really, as Iranga noted.

We're actually really involved in talking with CISA, and, you know, we actually have a team that sits over at CISA and being engaged on not only, like, thinking through what does this look like when FBI is working with a victim, ensuring that, like, we're helping them be compliant with CIRCIA, but that data and operability piece and ensuring that we're all operating from the same amount of information, that we're sharing information quickly, but we're also sharing the right kind of information in the right way. It's one of these where the concept is absolutely the right move, and it's great for us all to say this.

And then the details, it's really hard work, right, you know, and we have a lot of smart people doing that really hard, really detailed work. But the IT aspect of that I think sometimes is not as well talked about and really critical to the success of CIRCIA as it's implemented forward.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator)

I think the more friction we put in the system, the less valuable the system is, and so finding that right balance, I think, is important. It's interesting, I note the focus on resilience in your earlier comments, Iranga, but not on the sort of value proposition for CIRCIA reporting, and so... Well, no, that's not...

Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, Department of Homeland Security

That's definitely part of it.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator)

I figured as much, just needed to...

Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, Department of Homeland Security

No, yeah, thanks for the platform and the nudge. So I mean, I think what I will say is that the other broad policy, you know, doctrine that we have with CIRCIA is that it's not about just what comes in but what comes back out.

The other end, right: incidents on a national level, data around where intrusions are happening, what's being targeted, and being able for CISA and DHS to put out trend analysis, industry-specific, sector-specific reports and be that authoritative data source so that everyone from, you know, law enforcement to the intel community to, you know, sanctions targeters at Treasury can all have this information to understand how we do that.

And that includes resilience, because I think, as you build in that data and that visibility across sectors, if we can go to the agriculture sector and say, hey, did you know that, like, 90% of your attacks are going through these three vulnerabilities, these are the efforts you need to make that will make you quite resilient, or that, you know, this is the specific type of thing that, you know, the adversary is going after. That's with the goal of making the entities more secure and more resilient. So definitely tied closely with CIRCIA.

Cynthia Kaiser, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation

I'm so excited for us to be customers of all that, by the way. It's going to be really great. Yeah, I think I see.

Transcript source: Provided by creator in RSS feed.