State of the Security Union with Jeanette Manfra (DHS)

Interviewer: So a very warm welcome to you. You are the most senior cyber security official we have at Disrupt this year; I'm absolutely thrilled to have you. You're the assistant director at CISA at Homeland Security, the new consolidated cyber security agency that's been around for about a year now.

Manfra: That's correct.

Interviewer: How's that year been?

Manfra: It's been pretty good. I'm not sure how many people know about our agency, but we are specifically designed to work with the private sector to defend against the most sophisticated threats to our country.

Interviewer: So what kind of threats have you seen? The threat landscape over the last year, how has that changed?

Manfra: Well, it often depends on what you're talking about. There's a lot that we work on. At a high level, what we focus on, on one hand, is that we're very involved in protecting federal networks, so everything from, if you think about the database that houses everybody's Social Security numbers, which a lot of people need to have access to, to our immigration systems, to your school financial aid forms. There's a lot of information that the government holds, so we do a lot of work with that, all the way to critical infrastructure, so trying to prevent nation-states from getting into our election systems, our electricity, our financial systems. It's a broad swath that we cover.

The biggest thing that I'm really proud of that we accomplished over the last year is we released something called the National Critical Functions. This was really important because in cyber security, and especially in DC, which is a unique place that has unique conversations about technology and cyber security, it can get very broad. Over the years we really started to realize that we needed to define what it was we were actually defending, and so it's not a specific industry necessarily, which was the big shift. Elections really taught us this: when you have an adversary that's seeking to undermine confidence in our democratic institutions, in some ways they're doing that through traditional hacking, but then there's a lot of other ways that adversaries try to accomplish their goals. So we came up with these National Critical Functions, which is public and covers everything from thinking about how we're trying to defend the internet ecosystem to broader areas.

Interviewer: So you mentioned the nation-state threats that the U.S. faces. You've got Russia, North Korea, Iran, China. What does it mean to build better cyber defenses against the nation-state attacks?

Manfra: I think there is an element of building the actual technology defenses, and that's important. When you think about a lot of these institutions that are the targets of some of these nation-states, some of them have a fair amount of resources at their disposal; many of them do not. Many of them are run by state and local organizations, and so they are often the least able to procure a lot of these sexy cyber security technologies that people like to talk about. So there is a component of how do we work with the market to build more secure solutions, particularly in the industrial control systems space, which we work in a lot. But then there's also, and this is really what we've learned over the last couple of years in particular, it's also about building a more resilient and aware public. Much of our institutions are built on trust, and adversaries have learned how they can manipulate that trust in those institutions. So it's not just a technology thing that we have to approach; it's really these broader trust issues. And importantly for the federal government, how do we get information out into the public, but also how do we get it to those who own those systems, who can do something about the threat?

Interviewer: So you have quite a senior job; you have an agency doing a lot of work. Most people have a nine-to-five job. I don't; I cover cyber security, and it's never-ending. Some people go home and have a beer, and I don't get to do that. For you, is it ever quiet, or is it just like drinking from a fire hose?

Manfra: It's relative. I've been doing this now a really long time. I was in the Army for several years and I've been with the department for a little over a decade. So what I've forced myself, at least, to do is: you have to recognize you're in this for the long haul, and there is always something going on. There is always a breach, there's always reporters that are reporting on things that you have to deal with, there's pesky reports, and so there's always something going on. I think it's really important... I have an amazing team of several hundred people; we do have 24/7 operations, and it's about putting the trust in the team. It's recognizing that every day can't be that most urgent fire hose; you've got to save it for when things are really bad.

Interviewer: So you've been in government for over a decade. The US government has a bit of a skills shortage; private industry pays more, and a national security clearance takes a while. Is it a national security risk that the US government struggles in places to compete with private industry?

Manfra: I would say it's broader: it's a national security risk that we don't have the talent, regardless of government or the private sector. We don't have enough. There's a lot of people that talk about the tech shortage overall, but particularly in security it suffers even more, and we have a massive shortage that we are actually expecting will grow larger. So we actually spend a lot of time investing in even K-12 curriculum; we have a scholarship program that we put in place, and I think we're trying to change the way that people think about working with the government too. A lot of times, historically, people think you go to the government, then you've got 30 years, and then you have your retirement paycheck. That's fine, that's great if people want to do that. But I also recognize that there's people that I'll pay for a scholarship, they come work for us for three to five years, we train them, they're awesome, but then they go and work in the private sector for a few years, and maybe after their kids are done with college they can come back and work for us. I think some people refer to that in a negative way; I think it builds a community of people with a shared experience. They understand what it's like on the government side, they understand what it's like in the private sector, and in security we're really all trying to do kind of the same things. So that's the culture, and we actually will be debuting in the next year an entirely new workforce program that's really modeled after how tech companies recruit and retain individuals. So we're really trying to change the nature overall of getting people more into security, but also particularly encourage them to work for us, even if it's only for a couple of years.

Interviewer: So CISA does a lot to warn businesses about emerging threats. Some have complained that they're not getting the intelligence that they need. What more can the government do to protect private businesses?

Manfra: So I would say first of all, for private businesses, there is an accountability: they need to be responsible for protecting themselves. We do a lot of incident response, and we see a lot of people that weren't doing really some of the basics, and oftentimes it's because they didn't think that they had anything of value that somebody would be after. They didn't really think about the fact that they have a business relationship; maybe they weren't the end target, maybe they were just the stage to get to the ultimate target. Or they don't think about the fact that their product is collecting a lot of private information that a criminal could monetize or a nation-state could even collect. So that's part of it, and we're really trying to... I don't know if a lot of people are aware, but this is National Cyber Awareness Month, this is October, so consider yourselves all aware. One of the things we're trying to really focus on, particularly in October, is raising the level of public awareness. Everybody now interacts with the internet or a computer in a networked system in some way, so how can you be accountable for that? How do you act as a responsible consumer, as an online citizen, in your business? In terms of that, I think it's very important. I also think a lot of people think cyber security can be fixed by better and more intelligence. Intelligence is not going to solve any security problem, much less cyber security. A lot of it, we'd like to see more market solutions: more automation, more orchestration of capabilities that are at a price point that more organizations can afford. I think the government has an opportunity to push some of that, more standards. We do need to get more intelligence out; I will say we need to do better on that. When we have intelligence, we need to get it to organizations, and importantly it needs to be in a way that they can do something with it. It can't be just, "Hey, here's this IP address, it's bad." It needs to be, "Here's what's going on, here's what we understand," and that's often very hard for government to release.

Interviewer: So what can improve that intelligence sharing relationship? It goes both ways. You've got companies like Facebook who have complained historically that in the run-up to the 2016 election they weren't getting enough information, and it does go both ways. So how can the government proactively try to improve that relationship?

Manfra: Well, I think there's a few things, and those are valid complaints. We've spent a lot of time on this; a lot of what we do is we're the point for sharing that information, even if we're not the ones that originally collected it. What we've found is that you'll have, and you heard from the former director of NSA, you have the NSA, you'll have other intelligence community people, and they have a piece of the puzzle. But where we see ourselves is that's one part of it, but it's missing context. We're doing a bunch of work with the banks right now, and we talk about these National Critical Functions and understanding how the wholesale payment system works. You're talking about the trillions of dollars that banks are clearing every day; that's something that an adversary would probably want to disrupt or degrade, or even just give the perception that they're doing that. So the government needs to have that understanding of how those systems work, at a level of depth that you can then turn to the collectors and say, "Hey, can you tell me if you've got anybody looking to collect against this type of software that they're using?", as an example. That then would be useful information that would be a potential indicator and warning that somebody is trying to do something. In the case of foreign influence, when you're talking about Facebook, there's potential information that is often some of the most sensitive information, and so we have to break down a lot of those barriers. We have to think about the private sector as a partner in intelligence sharing, which is a big shift for the government.

Interviewer: So two years ago it was widely reported that the NSA accidentally, mistakenly, let go of its prize hacking tools, which were used to launch and spread the WannaCry ransomware attack, which I think most people are quite aware of; that was quite a damaging event. So what is the US doing to prevent another public WannaCry-style attack?

Manfra: I don't know that we could ever prevent something like that, when you just have something that completely manifests itself and is a worm. I think even the original perpetrators of that probably didn't expect that sort of impact. What we do want to prevent, there's a lot of things on the preparedness and prevention side that we have already talked about, in terms of, frankly, updating your patches, some of those kind of basic things that would have prevented a fair amount of people from being a victim of that. But I also think it's important to build more resilience into our systems too. We talk a lot about mitigating the consequences, so acknowledge that these bad things are going to happen, but how can we be better prepared to work together? So for WannaCry, and I've talked about this a little bit, but not a lot of people really understand the years of work that have gone into building global alliances. I run the United States CERT, a Computer Emergency Response Team; most countries have some version of that. When WannaCry started in Asia, we were getting information from our partners in Asia about what was going on; they were passing information over to us, and then the Brits in Europe. So in the U.S., for really that entire first half of the day, we were getting advance information because of those partnerships we had built overseas, and those national CERTs were getting information from their local businesses who were being attacked. Luckily there was an enterprising individual who was able to find a way to kill it, and it didn't impact the US as much. But what we really recognized is that we needed to have those sorts of mechanisms, but much, much more robust, in the United States, to think about how do you mobilize industry and government and allies to combat something like this as it's emerging. So since then we've been building more of those plans. We have a lot of representatives from companies that sit on our floor with us, and we work through these things together so that if we have these sorts of scenarios come up, we're ready to respond quickly, even if we didn't prevent it.

Interviewer: So the companies in this room, the startups and large businesses alike, have one thing in common, and that's that they very much rely on the supply chain, which is something I know CISA is obviously very involved in. It's where businesses get their technologies from, their services, hardware, software. What kind of threats do you see against the global supply chain? Of course it's a difficult question; every supply chain is different. But what kind of threats do you see?

Manfra: Well, there's a lot of different threats. You see a lot of foreign governments that are finding clever ways to mask their influence in investments, and finding ways to maneuver around the ways that the government traditionally can have some ability to block investments that we're concerned about. I would say the best advice I could give would be how we thought about Kaspersky. For many, many years there was a lot of conversation about should you use it or not, and I was very frustrated, because, and this gets to the intelligence thing too, a lot of people want intelligence to just give them "this is the right answer," and that's usually not what you're going to get. So what we decided with Kaspersky is that we were not comfortable with government data being housed in a country where, whether a company wanted to or not, it could be required to hand that data over to the security service. We have the authority to actually direct federal agencies to take action, and we decided to do it publicly for due process reasons; we wanted anybody who would be potentially impacted by this decision to remove Kaspersky. Our thinking was, and I would encourage anybody when you're thinking about your supply chain, whether that's from a software, hardware, or just business relationship perspective, there are three things that we think about and will continue to think about from a broad national policy perspective.

The first is the laws of the country. I know that's something that a lot of people don't necessarily want to talk about, but the laws of the country where either the data is housed or transited, or where the company operates, are important to consider. If there's not that judicial review, and a company can be compelled, you want to maybe consider: is that a place where I want my data to be held? But that can't be the only thing that you consider, because that's not the economy we live in, and I don't think it makes sense to suddenly ban all things just because they come from one country. So we try to be a little bit more nuanced. The second thing was really to think about what sort of access does that piece of, in this case, software have. An antivirus has a fair amount of access to your computer and your data, so that really is that second part. And then the last part, and this is more from a national perspective, is what's the market penetration. If something meets the first two but it's not something that's widely used in the U.S., then that's probably not something we're going to get fired up about.

Interviewer: So we only have a little bit of time left. My final question is: is it truly possible to secure the supply chain, and how much should government do, how much should private businesses take responsibility for it?

Manfra: I don't think it's possible to 100% secure anything. So we talk a lot about risk management, and we see ourselves as risk advisors and risk managers. I think everybody has to be a risk manager in your own organization. You have to understand what's most important, and just understand the risk that you're taking on if you acquire a company, if you have investment from certain individuals or organizations. Understand what that risk actually is, but then make the decisions based off of your own risk calculus. That's how I think of the broader supply chain. A lot of people are talking about 5G and all the challenges there, and we have to think about it from a national perspective. In many cases we've outsourced the manufacturing of certain components of our communication systems outside of this country, and that's the economics of where we are; we can't spin that around on a dime. So we have to think about how do we create more trust and transparency in our supply chain, and again I would say supply chain broadly, meaning IT products and services. So that's really what more transparency is about, so that anybody can make that risk decision, and more broadly at that national level, really having that understanding of where we can't accept risk, and frankly, where there are areas where you have to accept risk.

Interviewer: Sadly, that's all the time we have. Thank you so much.

Manfra: Cheers.

