Skip to main content

tv   Homeland Security Officials Discuss the Departments Cybersecurity Mission  CSPAN  April 8, 2021 10:03am-11:06am EDT

10:03 am
>> former and current homeland security department officials talks about the agency's cybersecurity official and goes. -- goals. this is one hour. >> the senior advisor and i lead the democratic institutions project here at csis. i was formerly the undersecretary for what was then called the national protection and programs director and is now the infrastructure security agency. we are very excited to be able to have this conversation this afternoon about the cybersecurity mission with a wonderful group of people who -- folks who are really my friends and colleagues. it is a bit like old home week
10:04 am
here for me and i am hoping that as a result, this will be lively conversation. all of these folks know each other and have worked together and really are continuing to work together. i will introduce our panelists and get us started. michael daniel is currently the president and ceo of the cyber threat alliance. it was started by some of the major cybersecurity companies back when michael and i were still in government. their goal is to come together to share real-time, high-quality cyber threat information among companies to improve the cyber ecosystem. michael served from june of 2012 to january of 2017 as the special assistant to president obama and the cybersecurity coordinator on the national security council staff. that is where michael and i
10:05 am
worked closely together. he lead the interagency development of cyber security strategy and policy on the national level and oversaw agency implementation of that policy. prior to that, michael spent 17 years at the office of management and budget. bless you. chris krebs was the first director of the cybersecurity and infrastructure security agency, having succeeded where i failed in getting that congress to move on that legislation. to transition. prior to that, he was serving as senior counselor to the secretary of homeland security. advising the secretary on a range of critical infrastructure and resilience issues. i really came to first know chris when he was working at
10:06 am
microsoft where he was a member of their government affairs team and the director of cybersecurity policy and someone that was very supportive of the work we were doing at dhs and the transition efforts we had underway. someone i turned to frequently for guidance and advice. really appreciated his support. tim mauer is the current senior counselor for cybersecurity. prior to joining, tim was the writer of the cyber policy coalition and that is where tim and i worked together on issues around cybersecurity. particularly, tim led an effort to -- in research analysis and then implementation, looking at the geopolitical influence of the internet and when
10:07 am
cybersecurity with a focus on the global financial system as well as influence operations and other issues. tim is an author. he published a book largely about the use of proxies by nationstates in cyber. before joining carnegie, he was the director of the resilience project at new america and head of research for their cybersecurity initiative. kimba is another alum of dhs, kemba is serving in microsoft's digital crime unit enters responsible for launching and leading that ransomware program. she started her career at microsoft. providing counsel to the democracy program through the 2020 presidential election but she spent a decade at dhs serving at several attorney levels. including lead attorney as it
10:08 am
-- a representative to the committee on foreign investment for the united states and she was a cybersecurity attorney which is where i got to know her. she was also for some time the primary sample security legal advisor to the election task force. that is now called the election security initiative. a wonderful team we have here today to have this converstaion --conversation to better understand the role of cybersecurity. i want to remind everyone that is watching that you can ask questions. there is a big green button, ask questions here. hit that button and typing your questions. my colleague will be putting those together and providing
10:09 am
them to me so that i can ask our panelists at the end of our moderated conversation. we will start with tim. i think this is your first public appearance as the senior counselor to secretary mayorkas. i don't think that is a role that many people are familiar with. i thought we could start with you talking about about this role. i know it is new to you. you have not been in a very long but tell us how you see the role and how you interact. how does it relate to the other parts of dhs? tim: thank you. thank you for hosting this event. thank you for your leadership when you were in government. also at csis and it is great to reconnect.
10:10 am
i am now in my new role and delighted to be part of this fantastic panel. a big thanks to all of you who have paved the way with where we are today. before i describe my role, let me highlight this team that the secretary has been building at dhs over the past 2 months. the team that has come together include folks like jen who is a leading legal expert and scholar. jake brown is a senior advisor in our management unit. we have eric and david. this team, laments the cyber expertise the department already has. we are deeply grateful for all of the work that the staff has been doing. not just in the past few weeks but the past few months. you mentioned some of the roles
10:11 am
that i had and chris had before. it was not until chris became the senior counselor to -- it was a growing reflection that cybersecurity remains a top priority for government, that we continue to face a lot of challenges. secretary mayorkas has made cybersecurity one of his top priorities. in order to reflect this as a priority for him as a secretary, he decided that one of his senior counselors would be dedicated to this issue. unlike counselors at some of the other departments across the u.s. government, dhs is a little different. given the deep bench we have on
10:12 am
cyber expertise, my role is to essentially keep an eye on what needs to rise to the level of the secretary when it comes to cybersecurity so that i can either brief him or prepare him or if things happen suddenly, we have information ready to go so that he can make decisions. it means i engage with three sets of stakeholders in my day-to-day job. starting with the department itself and then coordinating to the secretary's priorities. as i mentioned, we have the benefit and luxury of the department to have this fantastic team. this makes my job thankfully a lot easier. the second part is engaging with our partners across the interagency and counterparts at the other agencies so that we can help advance the agenda and priority of the administration. and as you have seen, president
10:13 am
biden already during the transition had issued a statement making it clear that cybersecurity is one of his priorities and he is committed to elevating it across all levels of government. i am delighted to have kemba on this call as well. and michael in his new role, engaging with partners outside of government. given that we can not implement this vision alone, we need to be in lockstep with partners outside of government as well. concretely, my role, when i started it, we wanted to outline the secretary's vision for the department. i spent the past few weeks working with the department and our partners to put together the decision that the secretary announced last week. >> we want to get into that,
10:14 am
some of the content of the secretary's speech. i might ask you first to expand just briefly -- you talk about your work with the other components within dhs. chris put csis on the map. i think there were other parts of the department that have important cybersecurity related missions. if you could talk a little bit more about those. >> happy to. looking back at the past year, i think it was a challenging year for everybody to truly focus their attention on protecting the election. with respect to the work and division for the department that the secretary outlined last week.
10:15 am
for those of you that are not familiar with cisa, let me recap that. cisa's role is focused on protecting the civilian agencies. cisa has a key roll to play here. -- role to play here. it is a key interlocker. we to focus on what we can do to protect and help our respective partners across the country. what a lot of people are not aware of is that in addition to cisa, the department has a number of components with important cyber missions. the u.s. secret service has a two front mission.
10:16 am
the first one everyone is familiar with with respect to protecting the president and senior cabinet officials, this secret service has an important cybersecurity mission. they investigate cybercrime. they have been doing so for decades. the secret service, in addition to the fbi is very much focused on investigating cybercrimes. the department is not just focused on the resilient aspect and what we can do to increase basic cyber hygiene and protecting, that is cisa's focus. last but certainly not least, the coast guard is also part of the department of home security and also has an important cyber mission because it is the sector with respect to the maritime transportation system.
10:17 am
if you consider the amount of imports and exports, that gives you a sense for the enormous task with respect to the -- protecting the maritime transportation system. the coast guard is also working with u.s. cyber command within the limitation on that piece of work and protecting the postcard networks -- coast guard networks as well. the previous administration had a plan to increase the maritime system that we are continuing to implement. tsa is not only focused on airports but it has some important responsibilities with respect to service transportation and cybersecurity. cisa is the top priority as far as focus but there are a lot of sectors that we try to empower. >> at think it is important as well, i'm not sure that people don't understand that cisa is not just a cybersecurity agency.
10:18 am
congress very intentionally left the all hazards mission for cisa. it is responsible for both physical and virtual threats to our infrastructure. that is important given the convergence between physical and cyber. as you prioritize risks and reduce those risks. you need to look at both the physical and the cyber. i know that you get that and chris understood that from day one as well. tim, i want to jump into the secretary's speech. you talked about some 60 day sprints. i think we want to jump on that.
10:19 am
this came up with respect to the >> components like the department but any large company like that is how do you channel the attention of the most senior leadership to empower the work that is happening across the organization? how do you provide strategic direction and a sense of urgency to keep priorities forward. the series of sprints is designed to help facilitate the work across the department and also use the secretary to help drive forward a specific set of priorities. the series of sprints we announced for the coming year, each sprint will last 60 days. we will focus on tackling ransomware more effectively, second, the cybersecurity workforce which includes the workforce at the department but also the role we can play with respect to the federal government's workforce.
10:20 am
the third sprint was focused on industrial control systems. the vulnerabilities associated with that. the fourth was focused on -- will focus on transportation and cybersecurity. making sure that we continue to implement that work. the fifth will focus on election security, making sure that continues to be a top priority and the last will focus on the international dimension of the department's work. as it relates to cybersecurity. the 60 day sprint is designed to think through how we can elevate existing initiatives that have been taken forward by the components. how can we remove roadblocks for work that has been stuck at some point in the past and how can we make that happen? third, are there gaps that can be filled with new initiatives or where threats have evolved?
10:21 am
during that 60 day time, we can move along. the work does not end within the 60 days. i wish we could software ransomware but that will not be happening. it is more designed to draw attention to a particular area and empower the components. also that of our partners to drive the work forward and elevate it to a new level. then there are four areas where the secretary sustains leadership attention to ensure the protection of the federal government and that work, given the recent campaign. last, that is a more on the horizon issue, preparing to come from it the series of sprints -- complement those series of sprints. >> just a few issues. not too much on your plate. michael, you're familiar with 60 day sprints. i certainly remember a few 60 day sprints during our time but this is a lot of issues.
10:22 am
do you think it is the right issue? the right set of issues? is there anything you would add to that list? it is pretty long already. maybe you can talk from the white house perspective. on the value of this notion of a 60 day sprint. michael: sure. one of the things that is very true in a large organization is that processes will expand to fill whatever time you give them. if you say you are going to spend six months on it -- it is not like anybody is going to get it done early. it will always expand to fill whatever time you give it. in many ways, by studying those kinds of rapid deadlines, what you are enabling is the process to actually move and not get mired down in bureaucratic --
10:23 am
just the natural sort of bureaucratic tendencies. they are very useful tools. i think tim framed it in the right way. you are not going to solve the problem in that length of time. don't frame it as we are going to solve this problem in a window. this is where we will put focus for a while. we are going to move the process forward so you knocked out some roadblocks. i think that is very good. i think in terms of the sense of issues, i agree those are some of the key issues to deal with. if you take ransomware, that has transitioned from what was an economic nuisance eight years ago to a national security and public health and safety threat today. eight years ago, the ransomware had guys mostly locking up individual laptops and the ransom was $100. or something like that. now, they are encrypting whole school systems and putting forth ransoms in the millions.
10:24 am
the average ransom payment now is well over $300,000. that has emerged as a national security problem. we have to change the way we are approaching it. as a government and a private sector. what we have been doing is clearly not enough. there are other issues we refer to in the workforce. industrial control systems and transportation security. all of those things that are critical in there. the challenge for the department will be managing those sprints and managing those ongoing efforts that tim referenced amongst all the other crises that will inevitably come up. the bad guys -- as my friends in the military would say, the bad guys get a vote in what happens.
10:25 am
i think it is also important department have the ability to have some resources that can be deployed to whatever those emerging crises are. we don't know what they are, we just know that they will happen. some of them you can almost set your clock by. which is, tim i would tell you be ready for whatever is going to happen around the fourth of july, thanksgiving and christmas because the bad guys know when our holidays are. it is not an accident. we are going to have to deal with those circumstances. i really think that is a good set of priorities for the department to have. >> great. kemba, i know that you and michael have been part of a group that have been looking at ransomware as an issue. outside of your work at microsoft, microsoft has also
10:26 am
been in very engaged as a company on this issue. the group you are now providing legal guidance to is going to be providing legal advice to be focused on ransomware. talk about the work that microsoft has done and some of the things that you are doing with regards to how we approach and change our approach to dealing with this growing threat. >> absolutely. there is a lot that i have learned since the presidential election. the first is that as michael alluded to, ransomware is a high priority at this point with little to no cost to entry. very few barriers to entry. it has evolved into ransomware as a service. it is based and driven on human intelligence and research. it is now modular. someone like me, who has never
10:27 am
coded anything can get into this criminal business. what do i mean by that? it is now modular. you can purchase them all where, access to networks. you can target specific industries and really lock up an entire hospital or school system. it is human intelligence driven so the bad guys know exactly how much you can afford or potentially afford to pay to unlock your system. they understand the sensitive nature of certain data and either prepare to sell it on the black market or spell it into the public and ransom victims in that way. payment is often required in cryptocurrency and more specifically, in bitcoin just because of this is anonymous
10:28 am
nature of the cryptocurrency and decentralized nature of it. this is a complex crime. we need to treat it like that. we need to treat it like a criminal enterprise. microsoft's response, i can talk about that a bit more detail than i can the ransomware task force. our plan is to reduce profits, hit them where it hurts, we will do that by disrupting the payment distribution system, so the cryptocurrency, the flow in crypto but we can also do it by disrupting the negotiation process. we have learned quite a bit about specific ransomware families and how they negotiate. we found opportunities to disrupt that. at the same time, our approach is to increase the cost of entry by improving microsoft product security and engaging and collaborating with other platforms that may be used as a resource.
10:29 am
in the broader sense, microsoft is working across the industry, we are working with government entities, we are working very closely with dhs, particularly secret service and i'm security -- homeland security. we are seeing where we can make it more challenging for the ransomware criminal enterprise. like everyone here has acknowledged, we are not solving the problem right away but our plan is to make a sizable dent by adducing the profitability of it and by increasing the cross -- cost of entry.
10:30 am
>> that is a lot and an interesting array of activities for a private sector company. when you talk about disrupting the flow of cryptocurrency to the bad guys, i assume you're doing that in coordination with some piece of government, fbi? kemba: incarnation with the fbi, secret service, homeland security, the u.s. postal inspector. the expert piece that goes into that is vast. the crypto economy is a specialized area, and the government really does have quite a few deep expertise in that space. it is not always widely publicized, but it is there and exists. and there are a lot of resources that we can use, forensic tools to be able to analyze the flow
10:31 am
of transactions, and the on and off ramps. there is a sizable cyber insurance market we work with cryptocurrency exchanges. we work with the large financial institutions in this process, and in the courts. that is where we intend to have our largest impact. of course, microsoft works in the threat intelligence space. and works with law enforcement to assign attributions to criminals in the space, and that is also, a vast set of work, that is complicated work, it is not easy to assign attributions because it is so modular and human intelligence driven. you are also disrupting the infrastructure and working with
10:32 am
antivirus companies to harden products and services and develop alerts. we work with victims, particularly those that might be customers of microsoft to help reduce the harm done by ransom. to mediate the problem, to try and extract and filtrate the ransomware in their networks. then also, harden it and close the gates so they cannot be read victimized. it is a vast problem, and the point that i am focused on along with my colleagues and what the president focused on is hurting them where the profits are in making it harder for people without necessarily development skills to enter the market. suzanne: great. chris, you have certainly seen this, we are on the front lines, when you were fighting this
10:33 am
thread. it is interesting from here -- to hear from your perspective and i am sure this has come up in your private sector and the work that you are doing with alex stamos, and with respect to ransomware. then, use that as an example to talk about some of the challenges that the system faces when trying to approach a mission as vast as this one that includes so many parts of our government, and really pulp -- calls on cisa in its inner agency, kind of leader of some aspects of the interagency process when responding to something as massive as ransomware. >> 2018 for me was the year that ransomware really hits the main stage, when you think about
10:34 am
atlanta, north carolina, baltimore twice, colorado department of transportation, nine parishes in louisiana, countless schools and hospitals even today, the top three targets are hospitals, schools, and state and local governments. what i was most frustrated about three years ago now at this point was that it did not rank in terms of cyber security threats, ransomware. we were focused on state actors and the exquisite threats posed by the chinese mss and the russians. but what i was seeing on a daily basis where american communities being functionally disrupted i ransomware on a daily basis, and that is what the american people see and i was concerned that it would be death by 1000 cuts coming our way where citizens would lose confidence in the ability of the government to
10:35 am
deliver core services that they needed. we started turning the gas, turning it up on ransomware with probably the most notable developments in 2019, in the late summer where we made a hard pivot on election security towards ransomware as a threat toward state and local election systems like the voter registration database and i think that is when the light turned on for a number of folks interagency. about the same time i thought about what a bigger strategy, a national level strategy might look like to counter and stop ransomware. when i think about what the new administration might want to do, i think it has three parts. as my partner and former counterpart from the u.k. called it, the triplet. first, we have to improve defenses and defenses alone are not going to stop this because the bad guys will flow like
10:36 am
water to where the vulnerabilities are, and second, the business model and as kemba talked about we have to talk about the financial transactions and the hard policy conversations. about ransomware as an enterprise, there are things we need to do in the criminal system in terms of looking at payments, whether it can be legal. i do not suggest we can read victimized victim, take -- or take a closer look at that. third, we have to go more aggressively after the actors and sovereign states that are hosting them and allowing them in some cases with not just tacit approval but direct approval to operate. but going back to defense, the one thing that the federal government can do is provide more support to state and locals, that was what was behind my picking up the ball that you
10:37 am
were carrying on cybersecurity advisors within cisa and providing more direct, on the ground support across the country and i was glad to see in 20, the national defense authorization act and the cyber state coordinator that would provide for 50 additional siebel's -- cybersecurity advisors to work with state and local agencies. but, as we talk about infrastructure investments, i really think that it is well past time for a 21st century digital infrastructure investment act where we provide the equivalent of a block rant where they cannot arise -- modernize their i.t. infrastructure that will boost american tech companies and provide more high paying tech jobs to more americans, and, yes, it will help stop ransomware. it will improve defenses by
10:38 am
going to cloud-based services. just that one thing alone of multi factor will really put a dent in the current iteration of ransomware. suzanne: great. there is a growing discussion and debate around public policy with regards to payment of ransom ransomware demands, and i do think that is something that were going to have to really wrestle with, it is a complicated issue. please. >> if i could pick up on a point that chris made, i think right on target and thankfully cyber policy has been an area where there is a fair amount of continuity across the administrations and parties including on the hill. chris, what you just alluded to, and the steps that we can take to protect against ransomware, the good news is that a lot of the steps that need to be taken
10:39 am
will also help us protect organizations against a whole series of other potential threat factors. so, ransomware currently poses this risk and has woken up a lot of people across the country to the threat of malicious cyber activity when buffalo, the school system went off-line for a couple of days, and the one that dates back years from now. there is an awareness that this is a risk and hopefully steps can be taken that will not only protect against ransomware but increases the basic cybersecurity levels for a whole range of other potential factors. our current concern, under the previous administration, it was joining with the fbi and hss warning specifically of the impact ransomware could have on hospitals and health care facilities, which if we think about the rollout of vaccines,
10:40 am
production, transportation, employment and that is something where we are concerned it is about people making money, but a temporary disruption of certain services could have an impact on that front which is why we are particularly concerned about it right now and we made a priority, and a first sprint, because we want to make sure that we manage the risk and use it to have a broader systemic impact on the road beyond the initial. suzanne: excellent. michael: just one other thing i want to build on, and this is something that i very much have come to over the same time period is this disconnect between where a lot of the government's focus was, which was appropriately on nationstate actors that pose a threat, but if you talk about, and chris is right. if you talk about what affects most americans, they will never
10:41 am
run into the russian sbr, they will run into ransomware, business email compromise, other kinds of scams. that is what we are dealing with. and, the larger point to my mind is that this argues for not that you take cyber command and say that your job is to fight cyber criminals. like, we need cyber command to stay focused on nationstate threats. what we need to do is build up capabilities and organization, and build capabilities in law enforcement and change the way we think about law enforcement in the 21st century. the metric for the fbi and secret service has also -- has always been guys in cuffs, and it might be the case that we cannot physically get to these attackers and so we need to broaden the aperture for law enforcement. in terms of the performance
10:42 am
metrics, is an fbi agent or secret service agent being successful in their job. it is not just about the arrests or prosecutions about the broader disruptions. and so, it is not like we can forget about the russians, chinese, iranians, and north koreans. but we also have to do the criminals, so the u.s. government is capable of doing that, but we have to have that level of prioritization across government. >> that also means we also have to have a level of coordination or something that make sure that while the fbi is making the shift and taking this key role in ransomware and is doing so in lockstep with cisa in terms of deriving the information necessary so that all defenders
10:43 am
can raise their game, and state department with respect to the international cooperation and the private sector with the work that microsoft is doing. michael, let us talk a little bit about that white house coordination. you know, as tim noted i am a member of the commission, we recommended a national cybersecurity director and they made it a legal requirement and put it in law in the defense authorization act. the administration established a deputy nash -- deputy national for cybersecurity and they are working through how to set up that national cyber director office and who will lead it, and how it will relate to the deputy rector for cybersecurity at the nsc. but, you have given this a lot of thought, and you were the cybersecurity coordinator, obviously.
10:44 am
i would be interested in your thoughts both on what you think it should look like at the white house level, but importantly, how both of these roles really, but how the white house can best support cisa and dhs and its important mission, and particularly in its mission where it is being asked to work the inner agency, if it will -- if they will, to lead and coordinate certain issues at the cisa level. michael: sure. i think the white house has an important role in coordinating cyber related issues, and one of the key reasons is that cybersecurity is strangely what i call one of those es issues, meaning that is it a national security is you, yes/ yes. you just go down the list and it is yes to all of those things,
10:45 am
which means that will be an issue that will never just be in one agency's job jar. you listen to how all of us have been talking, tim and his list of all of the others that he works with, and agency names that we have been throwing out and we have not gotten to some of them that have big cybersecurity roles. for the u.s. government, you need people in the white house that are focused on coordinating across all of those different bureaucratic structures. and, it is not because those people do not know what they are doing, they are not really highly competent and very initiative focused, it is just their job is to focus on their mission, and you need somebody whose job it is to focus on the broader set and bring the missionaries -- missions together. i also think that there are -- i was certainly able to do that
10:46 am
job with a lot of support directly from the president and national security adviser, but there are things that the national security council is not really well set up to do. two of them in particular are interacting with the private sector, and interacting with congress, which is something that you very much need to be doing in cybersecurity policy. and so, that is why that having a national cyber director that is an office within the broader executive office of the president, so there is a set of agencies that support the white house, it is critically important because it can take on those functions and very much congress clearly assigned that. that is why it is a presidentially appointed senate confirmed position. that is why it clearly has the authority to interact, with the private sector. and so, i think with when you
10:47 am
look at that, there is a lot of work that can be done in there. i also think that there are some dangers. and, one of them is making sure that you get that relationship with the deputy national security adviser right, because let us face it, there is plenty of work to do. it is not like it has to inevitably be a bureaucratic turf war, because there is plenty of work to go around, but you need to get it structured right so they are not constantly clashing. the other thing is you need to structure the position so it is not a super cisa director. we have -- the administration has not named one, but we have that position. as i argued for the run-up for this, i use the example that chris already has a boss, he does not need another boss
10:48 am
telling him how to do his job, he needs someone at the white house that enables him to do his job or enables the next cisa director is to do their job. the ncd should be focusing on those issues, for example, do not follow in cisa's job job, where they need the support of really all you sector specific agencies across the board, you need to be paying attention to what cisa is doing here and working with them so we go with a unified voice to the big energy sector, health sector, whatever it is so the u.s. government knows what it -- looks like it knows what it is doing when it goes out there. those are the kind of things that the ncd should be doing. my own view means that you focus the ncd on being the strategic enabler for the government and it becomes the focus of where do we need to be three to five
10:49 am
years down the road, how do i build the capability in cisa, how do i build the capability in treasury, how do i build the capability in eta, the sector specific agency for the water space -- water sector. how do i build it so the government is ready to do the missions we wanted to do. that is where i think the real value of the ncd could be. suzanne: yes, great. you certainly have a unique perspective on that so that is helpful. chris, i know that you and i spoke often. you are a fake -- frequent to subtend those meetings, and i know that you share, as do i, michael's concerns about how this will relate with cisa and how important it is to get that right, so that this position empowers cisa and does not undermine the leadership of the
10:50 am
role that congress and the white house have given. you have also recently suggested that you think it is at least equally if not more important to name a -- to nominate a director and have someone who is senate confirmed even though you and i think very highly of brandon, and he has been doing a terrific job. why is it so important to have a senate confirmed head of cisa and what are your thoughts on this ncd position. chris: brandon has been doing a fantastic job and it is just one of those constant whether it is validation or the plan that we put together for succession in the event of an untimely departure, my untimely departure that we have some sense of continuity in transition, and brandon has been doing a fantastic job and i could not be prouder of the work the team has
10:51 am
been doing. but, when you look at the mission, when you look at the scope and scale of the mission of cisa, the budget, the personnel, the leadership challenges, just given the fact it is an established agency that has such an important mission you need to advocate leader in place as the administration continues to work through its 60 day review and beyond of the national cyber director position, and to michael point his last one was the most credible -- critical about the need for someone to be setting a vision for what the federal civilian executive branch, the.gov, what does it look like in three to five years, but it is not just the implementation, but how do we set budgets across the agencies so they are putting their part into the pot, and to date we have not seen a lot of,
10:52 am
or at least total compliance in terms of paying up for some of the security services that cisa has been offering through the -- the continuous diagnostics and mitigation program. the second thing is someone has to do it, whether it is dan, or someone to michael's point has to be running some sort of god's eye view over cybersecurity operations within the federal government whether it is the intelligence community, military operations, law enforcement, defensive and civilian side, someone has to has -- has to have a daily job which is better suited for the national security council, but nonetheless that has to be a clear mission for someone right now. suzanne: go ahead, please. kemba: from the private sector perspective now that i am here and out of dhs, one of the
10:53 am
things i have observed is the private sector has a hard time finding the right bellybutton. and, as you know the private sector owns and controls most of the critical infrastructure and you know from the recent breaches, has a lot of signals and information. it is difficult to find the right bellybutton. the private sector once to just -- wants to just tell the government and not navigate through an inner agency to figure out who is responsible for what. having these structures in place i think will help with better, actionable information sharing, and operations across the private sector and the government in ways that have not occurred so smoothly in the past. suzanne: you are being gentle. so, tim, we have some questions from our audience related to the
10:54 am
growth trajectory for cisa and relatedly, the comments that cisa needs additional resources just to do the mission that it currently has, and the question is, can it really wait until the 2022 funds are available, or do we have an urgent need for funding given where you started this conversation? the vast set of issues, urgent issues that are on your plate? tim: thanks. we are currently working on the budget proposal and, first of all, we were delighted to see that congress provided cisa with additional funding to the american rescue act because of the recent campaigns that we witnessed and experienced and the 650 million dollars that we are provided with more resources to execute its mission to defend
10:55 am
and protect the civilian federal agencies. that is something that we welcomed and considered a down payment for the work that needs to be done in the coming weeks and months, but most likely, years looking at the state that some of the systems are in and the work that is required to modernize them. so, with respect to its evolution and trajectory, thanks to the work of the commission and members of congress who integrated several of the proposals that the commission shared with congress last year, the last year national defense authorization act included a broad series of new authorities that we are now very focused on implementing ranging from new threat hunting authorities, so that cisa can on the request provide assistance to other federal agencies to see if hackers are in the networks to
10:56 am
shorten the amount of time it would take for us to detect them and then take action and response. it includes a joint cyber planning office that will increase our capability to do scenario planning and be prepared for future incidents. so, that is another key development. and we want to make sure that for the next year and also beyond that system's authority -- cisa's authority and expectations and the work that chris has been leading with respect to protecting the election, those aligned with the resources and capacity of the organization, so that is a big management challenge that we are very focused on and the secretary is focused on and we are keen to work with congress and our other partners to help assist the mature -- cisa mature and we can work with the private sector when it comes to
10:57 am
network defense so the role as the quarterback for government working with other partners across the agency and we are committed to set up the cyber director for success so accommodations like these are important for how best to operationalize that so that is how we will think about it. suzanne: terrific. we only have a few minutes left but i wants to put a provocative issue out there, as if talking about talking about ransomware was not provocative enough that we sort of skated over that. but, talking about cisa's role in all of the activities that it does and all of the work that it is doing in response the two massive packs -- hacks with solar winds and the attack through microsoft exchange, it has raised the issue of are our domestic agencies capable and
10:58 am
equipped to defend our networks inside the united states, particularly when our adversaries are using u.s. infrastructure to carry out much of its malicious cyber activity. or, -- which makes it unlawful, for nsa. nsa currently does not have the authority to sit on domestic networks or probable through domestic networks to try and find suspicious activity. and so, the issue has been raised again, as it is periodically and has been for at least a decade if not more, certainly since the cyber mission was given about whether the nsa and those entities that are typically foreign focused should be given broader authority within the united states to look for this kind of activity happening on u.s.
10:59 am
infrastructure, and so, i am curious about what all of you think about this suggestion, and chris, we will start with you. chris: i am rarely of the opinion that more government surveillance is a good thing. i am similarly of the opinion that additional government bureaucracy is rarely a good thing. i think this is to kemba's point about we need to have more meaningful operational relationships and information share between the government industries. i think there is a whole lot that can be done in terms of working with industry to get them to share better information about what is happening across their platforms, if they are being abused, then we can ask additional requirements. i think the last administration in the 11th hour executive order issued a know your customer
11:00 am
requirements. i think that is a great approach that we can dissect through a comment period that the department of commerce among other things is looking at. i think that is where we start, but i am supremely uncomfortable with any sort of additional domestic and crowded -- intelligence capabilities being sought or given. suzanne: i see you have taken your mute button off. tim: i just think that it is the wrong way to go for several reasons. one, i would agree with chris. we have dealt with this in a number of different situations, even after 9/11 and the counterterrorist mission. and, i think that really, the answer is not to suddenly tap in and say something new. we need them actually doing their mission overseas and to stay focused on that. we have domestic agencies that have the ability to get this authority already through the
11:01 am
department of justice and the fbi. we can use that. maybe we need the fbi and nsa to share more internally, and do a better job crossing those your aquatic silos, like what we had to do with counterterrorism information in the early 2000's, now we need to do more of that with cybersecurity information. the other thing is that i think that there is this idea that cyberspace is this thing out there that is in the ether, but when you actually start really focusing on what it would mean, you were alluding to this, that is not just having the nsa float gently over kansas, that means having the government probe and poke at somebody's network that they own, that is owned by an american business or something like that.
11:02 am
, an organization, and suddenly that takes on a different task when you put it in those concrete terms. it is an easy talking point, the reality is way more complicated, and so i think that rather than focusing their, the efforts should be on figuring out what gaps we have, and in that information, and who already has that, between companies like microsoft, google, facebook and palo alto and all of those cybersecurity companies out there, i bet we have that. the issue is how do we bring that together in a useful fashion. suzanne: as you point out, michael, that while the nationstate adversaries, if they were in fact the ones ultimately
11:03 am
to whom we can attribute these attacks, they may have taken some of their last steps using u.s. infrastructure. you have to believe that there was a fair amount of planning with this, but it was done back in their home offices, and their nationstates, which is where we expect our foreign intelligence folks to be gathering information for us about plans and intentions. so, as was said earlier, with respect to coordinating the inner agencies inside the united states, there is plenty of work to be done and plenty of work to be done in respect to understanding and detecting nationstate activities overseas as well as domestically. i think that is exactly right. so, unfortunately, we are out of time and i want to be respectful of people's schedules. this was a great conversation and we barely scratched the surface. i have already decided that i
11:04 am
want to get the gang back together again before too long because there are always important issues to discuss, but i think we helped illuminate the role of cisa through a deep dive on it ransomware, and the relevance of the organizational structure that goes with it and the role that -- role of the private sector as well. i know you are all very busy people so thank you for joining us for this conversation, that was terrific, and thank you for all of you who tuned in. [captions copyright national cable satellite corp. 2021] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org] >> president biden will be talking about gun violence prevention joined by merrick garland, and that is set to start at 11:45 eastern. coming up, nancy pelosi will hold her weekly news briefing starting at 2:00 p.m. eastern. and after that a look at proposals to change the structure of federal courts, live at 4:00 p.m. eastern on c-span, c-span.org, or listen
11:05 am
with the radio app. >> congress returns from their holiday recess next week, the senate returns monday at 3:00 p.m. eastern to continue work on the nomination of polly trenton to be deputy of transportation. later they will work on more nominations including wendy sherman to be deputy secretary of state and gary gensler to chair the exterior -- the securities and exchange commission. the houses back tuesday for legislative business and members are expected to work on equal pay for women legislation as well as a bill to prevent workplace violence against health care and social services workers. president biden's infrastructure and jobs package is not expected on the house floor until later in the spring or early summer. watch live coverage of the house on c-span, the senate on
11:06 am
c-sp

6 Views

info Stream Only

Uploaded by TV Archive on