WEBVTT

00:00:00.000 --> 00:00:04.010
[Host] Hello everyone and welcome to today's Tech Talk
with the Department of Homeland Security Science

00:00:04.010 --> 00:00:08.020
and Technology Directorate. Today we are going
to be discussing critical infrastructure

00:00:08.020 --> 00:00:12.020
and we have two very special guests. Mr. Bill Brian,
acting under secretary for DHS.

00:00:12.020 --> 00:00:16.020
for DHS Science and Technology directorate and Mr. Chris
Crebbs, the assistant secretary for infrastructure

00:00:16.020 --> 00:00:20.030
protection here at DHS. So we are gonna start off
like we usually do. I'm gonna ask

00:00:20.030 --> 00:00:24.040
some questions, then we will open it up to the audience.
So I wanted get started, I wanna kick things off

00:00:24.040 --> 00:00:28.040
by asking Mr. Crebbs can you kinda set the stage for us.
Define what critical

00:00:28.040 --> 00:00:32.050
infrastructure is and why its vital to protect it? [Chris]
Great, thanks so

00:00:32.050 --> 00:00:36.050
there's a text book definition critical infrastructure
and there's probably a

00:00:36.050 --> 00:00:40.060
broader more accessible definition. So by the book,
there at least in the United States

00:00:40.060 --> 00:00:44.060
there are 16 critical infrastructure sectors
and those are basically energy,

00:00:44.060 --> 00:00:48.070
dams, commercial facilities, government

00:00:48.070 --> 00:00:52.080
basically kind of the basis building blocks of society

00:00:52.080 --> 00:00:56.080
and the economy. But more broadly the way I
like to think about critical infrastructure

00:00:56.080 --> 00:01:00.090
really those things we take for granted, it's the water, it's

00:01:00.090 --> 00:01:04.090
the lights. It's the ability to go on the internet.
It's to make a phone call.

00:01:04.090 --> 00:01:08.100
It's hitting the ATM. It's any of those things.
One of the things that just

00:01:08.100 --> 00:01:12.110
sustain basic life functions in the Unites States.

00:01:12.110 --> 00:01:16.110
And frankly everywhere that we truly take for granted

00:01:16.110 --> 00:01:20.120
so my job is to make sure that those

00:01:20.120 --> 00:01:24.130
things that everyone take for granted, is to help
ensure those things are still up and running

00:01:24.130 --> 00:01:28.130
on a day to day basis. [Host] Literally making sure the lights

00:01:28.130 --> 00:01:32.140
stay on. [Chris] Yep. [Host] Mr. Brian, so you have a
background in critical infrastructure from your previous

00:01:32.140 --> 00:01:36.140
time at the Department of Energy, the Department of
Defense. I wonder if you can tell us a little bit about how

00:01:36.140 --> 00:01:40.150
you see the S&T fitting into the critical infrastructure efforts?
[Bill] Sure and thank you having

00:01:40.150 --> 00:01:44.160
us. Thanks for hosting this event and Chris, thank you for

00:01:44.160 --> 00:01:48.160
being apart of this panel. Chris and I are good colleagues
here at the Department and

00:01:48.160 --> 00:01:52.170
look forward well into the future. So to get into your question

00:01:52.170 --> 00:01:56.180
about infrastructure and how S&T fits
into critical infrastructure.

00:01:56.180 --> 00:02:00.190
In all of thee infrastructure that Chris referenced

00:02:00.190 --> 00:02:04.190
there are gaps in areas in areas of protection and areas

00:02:04.190 --> 00:02:08.200
of liability, survivability, resiliency and so forth. And our job

00:02:08.200 --> 00:02:12.210
in S&T is frankly is to identify where those gaps are.

00:02:12.210 --> 00:02:16.220
Then identify what types of requirements?
What kind of rigor do we

00:02:16.220 --> 00:02:20.230
have to put in to try and fill that gap and then going after to

00:02:20.230 --> 00:02:24.240
fill that gap. I think it's really important here in the department, unlike other agencies I've worked in

00:02:24.240 --> 00:02:28.250
they were singularly tracked and folks in our
particular sector in DoD was the defense

00:02:28.250 --> 00:02:32.260
[unintelligble], energy was the energy sector.
Here within the Department of Homeland Security

00:02:32.260 --> 00:02:36.260
Chris has oversight of all the sectors and

00:02:36.260 --> 00:02:40.280
so he has to look at the broad spectrum
of critical infrastructure.

00:02:40.280 --> 00:02:44.290
And so we frankly take our leads from Chris

00:02:44.290 --> 00:02:48.290
when working with the other sectors on where those
major gaps are, when we need technology to fill them.

00:02:48.290 --> 00:02:52.300
And we do that for a variety of sectors. We do that with a

00:02:52.300 --> 00:02:56.320
variety of partners. We work with industry. We work
with academia through our centers of excellence.

00:02:56.320 --> 00:03:00.330
We will work with other government agencies and the key is

00:03:00.330 --> 00:03:04.340
we are finding in the world of science and technology
or research and development

00:03:04.340 --> 00:03:08.340
is you know, you don't have 5-10 years to find this solution.

00:03:08.340 --> 00:03:12.350
And frankly, you don't have 2-3 years in many cases.
We will have

00:03:12.350 --> 00:03:16.360
weeks, months and even in my short time here,
we have had days to come up with

00:03:16.360 --> 00:03:20.380
a solution. Although imperfect

00:03:20.380 --> 00:03:24.390
solution so we can fill a gap. [Host] Chris
do you want to expand on any of that?

00:03:24.390 --> 00:03:28.400
As far as what DHS's role is in protecting
critical infrastructure? [Chris] As I mentioned

00:03:28.400 --> 00:03:32.410
at least in the United States, other countries have
different [unintelligilble]. I think the British have

00:03:32.410 --> 00:03:36.420
8 and Australians may 7, but it doesn't matter. Again it's

00:03:36.420 --> 00:03:40.430
those key function services that under pin the economy,

00:03:40.430 --> 00:03:44.450
take care of the things we depend on. The way it actually

00:03:44.450 --> 00:03:48.460
works though is that most of these 16
sectors are primarily owned

00:03:48.460 --> 00:03:52.470
or operated by the private sector. There are reports going

00:03:52.470 --> 00:03:56.490
back and frankly we haven't actually gotten
to the primary source, but 85%

00:03:56.490 --> 00:04:00.500
of the nations infrastructure is operated by the private

00:04:00.500 --> 00:04:04.510
sector. So from my perspective within the department

00:04:04.510 --> 00:04:08.510
I'm actually not responsible for ensuring the actual security

00:04:08.510 --> 00:04:12.960
requirements in each individual facility across
those sectors. What I do is a broader,

00:04:12.960 --> 00:04:16.980
as Bill mentioned is broader coordination, so sit back

00:04:16.980 --> 00:04:20.990
take a look at particularity the interconnections
between the critical infrastructure sectors, being able to look

00:04:20.990 --> 00:04:25.010
and say what are the key dependencies?
Because, let's think back to hurricane

00:04:25.010 --> 00:04:29.010
Harvey. Massive storm, it was a rain event

00:04:29.010 --> 00:04:33.010
dumped a lot of water in Houston. It was a lot of flooding.

00:04:33.010 --> 00:04:37.020
I think what people may not have fully really appreciated

00:04:37.020 --> 00:04:41.020
before the storm, that 30-40% of the nation were refining oil

00:04:41.020 --> 00:04:45.030
refineries, petroleum refining capacity is in that little bin

00:04:45.030 --> 00:04:49.030
region of Texas. So we had a significant
amount of the nations

00:04:49.030 --> 00:04:53.040
refining capacity offline. Now to get a facility back up and

00:04:53.040 --> 00:04:57.050
running is not necessarily as simple as the
rain stops, the weather drains out.

00:04:57.050 --> 00:05:01.050
There is a system of systems in place.

00:05:01.050 --> 00:05:05.060
What is the crude oil getting into the refinery? What is the

00:05:05.060 --> 00:05:09.060
power that gets into the refinery? What are the chemical
feeds stops that allows for the cracking process?

00:05:09.060 --> 00:05:13.070
How do you then get the stuff off the facilities and is it a
pipeline, is it a rail, is ita bridge?

00:05:13.070 --> 00:05:17.070
What do you do with the by products? How do you
feed it in through the pipeline that then runs

00:05:17.070 --> 00:05:21.080
up the east coast to D.C. and New York? So it's

00:05:21.080 --> 00:05:25.080
increasingly, particularly physically but most important

00:05:25.080 --> 00:05:29.100
from a information technology and cyber perspective

00:05:29.100 --> 00:05:33.100
interconnected system of systems. So it's not
just about are the lights

00:05:33.100 --> 00:05:37.110
on. It's what are the lights feeding into?
What is that power piece

00:05:37.110 --> 00:05:41.120
to making sure that the manufacturing and oil refining.

00:05:41.120 --> 00:05:45.120
So again, what we do is sit back and we work with the

00:05:45.120 --> 00:05:49.130
sectors at specific agencies, so for instance with electricity

00:05:49.130 --> 00:05:53.140
the Department of Energy is the Sector Specific
Agency (SSA), so we provide

00:05:53.140 --> 00:05:57.140
a technical backup in terms of modeling capabilities and

00:05:57.140 --> 00:06:01.150
help them understand what the broader holistic
national picture is for critical infrastructure.

00:06:01.150 --> 00:06:05.160
[Host] And I want to come back from to that system of systems idea. We're gonna touch on that in a little

00:06:05.160 --> 00:06:09.160
bit, but Mr. Brian, I wounder if you could explain
how S&T supports some of

00:06:09.160 --> 00:06:13.170
MPP efforts, in critical infrastructure security resilience?

00:06:13.170 --> 00:06:17.180
[Bill] Let me first state that [unintelligible]

00:06:17.180 --> 00:06:21.190
I've worked a lot in this and the reason I'm bringing this up,
is I experienced this in Energy when I was there.

00:06:21.190 --> 00:06:25.200
And how I tackle the energy system at that time was there

00:06:25.200 --> 00:06:29.200
is a reliability, survivability resiliency element in energy right.

00:06:29.200 --> 00:06:33.210
Resilient reliability, is what you do before an event before
it occurs? Survivability, how you get through an event.

00:06:33.210 --> 00:06:37.210
Resiliency is how you recover from the event. So in

00:06:37.210 --> 00:06:41.210
addressing this question, I think nestled within resiliency
is that factor of reliability and survivability.

00:06:41.210 --> 00:06:45.220
So a lot of what we're doing, I'll give you

00:06:45.220 --> 00:06:49.230
some examples of that. We have a tunnel plug project

00:06:49.230 --> 00:06:53.240
in New York, New Jersey so that the tunnels don't
flood in the event we have

00:06:53.240 --> 00:06:57.250
water rising and in addition of flooding,
so it's to keep the tunnel dry.

00:06:57.250 --> 00:07:01.260
So is that a reliability issue, uh no.

00:07:01.260 --> 00:07:05.270
Cause it's not gonna help the subway or the train
move any faster. [Host] Right.

00:07:05.270 --> 00:07:09.280
[Bill Visitor survivability issue. Most likely it is.
Cause that will help that tunnel survive

00:07:09.280 --> 00:07:13.280
that all weather event, but by doing that you
make that system more resilient in the end.

00:07:13.280 --> 00:07:17.290
So all of our requirements are not necessarily focused on

00:07:17.290 --> 00:07:21.300
resiliency, it's on some of these other elements.
You take sometimes on the reliability

00:07:21.300 --> 00:07:25.310
side, its efficiences. People want better databases to

00:07:25.310 --> 00:07:29.320
track certain things going on. We have a large

00:07:29.320 --> 00:07:33.330
data engine that we use. We actually shared this with

00:07:33.330 --> 00:07:37.350
MPPD and they worked with us and actually got trained
on how to use this, during the recent hurricanes.

00:07:37.350 --> 00:07:41.350
You know, it's not necessarily a resiliency thing but it

00:07:41.350 --> 00:07:45.360
was a reliability issue of dealing with that crisis at the time.

00:07:45.360 --> 00:07:49.370
So sometimes we'll work on things to satisfy everyone of

00:07:49.370 --> 00:07:53.380
those. I think we do a reliability, survivability thing up front,
it really enhances our ability

00:07:53.380 --> 00:07:57.380
our ability for resiliency at the end.

00:07:57.380 --> 00:08:01.390
Very recently and specifically on aviation security with MPPD,

00:08:01.390 --> 00:08:05.400
cyber security, they have a very robust cyber security

00:08:05.400 --> 00:08:09.420
effort going on in MPPD, we have a very small piece of that.

00:08:09.420 --> 00:08:13.430
But at the end of the day, what we do within science and

00:08:13.430 --> 00:08:17.440
technology has to be very reflective of what the components
would want us to do. We are a service

00:08:17.440 --> 00:08:21.450
organization to them. So they kind
of drive those requirements.

00:08:21.450 --> 00:08:25.470
Identify the gaps, we work on the requirements
together on how to satisfy those gaps.

00:08:25.470 --> 00:08:29.480
[Host] Absolutely. [Chris] What your hearing Bill say is

00:08:29.480 --> 00:08:33.500
partnership. So I mentioned early on, I don't actually
have a lot of [unintelligible] authority

00:08:33.500 --> 00:08:37.510
to go compel someone to do this that or the other.
So what's core to my mission set

00:08:37.510 --> 00:08:41.510
is partnership. And you've heard the phrase "public private partnerships".

00:08:41.510 --> 00:08:45.520
Frankly, its probably been over used a little bit, but really on

00:08:45.520 --> 00:08:49.520
a day to day basis, I'm working with my partners both

00:08:49.520 --> 00:08:53.530
across government, S&T some of the other federal agencies that I've mentioned, DoE,

00:08:53.530 --> 00:08:57.530
Department of Defense, Treasury,
Health and Human Services

00:08:57.530 --> 00:09:01.540
and what we are working together is with partnership
with industry as well. I mentioned that 85%

00:09:01.540 --> 00:09:05.540
so what we have to be able to do from
a customer service perspective

00:09:05.540 --> 00:09:09.550
is figure out what their requirements are.
What kind of tools do they need? What kind of

00:09:09.550 --> 00:09:13.550
analysis that they need that they may not even have
the capability to do whereas

00:09:13.550 --> 00:09:17.560
we working with DoE and the national labs and just our

00:09:17.560 --> 00:09:21.560
own organic capabiities, have an enormous, enormous

00:09:21.560 --> 00:09:25.560
wealth of capability and talent. So what we have to do is

00:09:25.560 --> 00:09:29.570
figure out what that demand signal is that requirement
for our customers, our stakeholders

00:09:29.570 --> 00:09:33.580
and figure out how to bring the federal effort to
bare on the problem.

00:09:33.580 --> 00:09:37.590
And again those are things that we saw throughout Harvey,

00:09:37.590 --> 00:09:41.590
but also in not just in natural disasters but in man made

00:09:41.590 --> 00:09:45.600
events technological. So when you think about chemical

00:09:45.600 --> 00:09:49.610
reactions and other issues like that.
But also as Bill alluded to is cyber security

00:09:49.610 --> 00:09:53.620
and other security issues. [Bill] Again,
if I may add on to what Chris says.

00:09:53.620 --> 00:09:57.630
I think theres a misnomer out there that what we do
at the Department of Homeland Security

00:09:57.630 --> 00:10:01.630
even S&T I know for sure, possibly in his organization.
Is some people often view

00:10:01.630 --> 00:10:05.640
us as the technology provider, we are
going to actually get this for them.

00:10:05.640 --> 00:10:09.650
We are going to procure this for them, that is
definitely not the case. That is not what we do.

00:10:09.650 --> 00:10:13.660
In his job, he helps the sectors identify and develop

00:10:13.660 --> 00:10:17.660
those requirements for what they are missing. In my world

00:10:17.660 --> 00:10:21.670
we do have the responsibility I think when we take on

00:10:21.670 --> 00:10:25.680
and R&D project that it has to have a finish line
of getting it into the hands of

00:10:25.680 --> 00:10:29.690
the customer. So if Chris would come to me
and say we have a need "this"

00:10:29.690 --> 00:10:33.700
and we work out the requirement of what exactly
"this" actually is. The ownership is on me

00:10:33.700 --> 00:10:37.710
to make sure that in the course of developing that
product at the very end of it we've got a partner

00:10:37.710 --> 00:10:41.720
that its going to be transition to. There is going to be
an acquisition trail to acquire that capability.

00:10:41.720 --> 00:10:45.730
So we are not here dolling out technologies that we

00:10:45.730 --> 00:10:49.740
develop, but developing for industry to manufacture and
get into the hands of people who can use it the most.

00:10:49.740 --> 00:10:53.750
[Chris] So we're going to keep this going, I'm going
to jump in now.[Laughter]

00:10:53.750 --> 00:10:57.760
There's a part of the partnership, I think really what
the most part of the partnership is

00:10:57.760 --> 00:11:01.770
terms of informing the processes and requirements from

00:11:01.770 --> 00:11:01.780
customers is our information sharing process.

00:11:01.780 --> 00:11:05.790
customers is our information sharing process. That's also

00:11:05.790 --> 00:11:09.800
kinda been overused a cliche term. But in terms
of sharing information with

00:11:09.800 --> 00:11:13.810
infrastructure owners and operators about
the threat, increases awareness

00:11:13.810 --> 00:11:17.820
and then they are then able to make more risk informed
decisions and sometimes they do get

00:11:17.820 --> 00:11:21.830
to us but we're not sure what that means or we
don't know where to go with this. [Host] Right.

00:11:21.830 --> 00:11:25.840
[Chris] Then we work with Bill and that's refining
and bringing the capabilities in.

00:11:25.840 --> 00:11:29.850
[Host] So, it sounds like so much of this is really coordinating and having the right people at the table

00:11:29.850 --> 00:11:33.860
understanding what's out there? What the problems are? How do we address them? Who can help us

00:11:33.860 --> 00:11:37.870
address them and then what does that need to look
like at a finished product? [Bill] Yes. [Host]

00:11:37.870 --> 00:11:41.880
And understanding that this is not a procurement
issue this is more about making

00:11:41.880 --> 00:11:45.890
this available to people out there in the field.
The operators as we often refer to them.

00:11:45.890 --> 00:11:49.910
And I really like the point you made about, it's not just

00:11:49.910 --> 00:11:53.920
resiliency. There's different types of, you know setting up
before, during, after an emergency.

00:11:53.920 --> 00:11:57.930
We're going to take our first Facebook question.

00:11:57.930 --> 00:12:01.940
Is S&T currently looking at open source solutions

00:12:01.940 --> 00:12:05.960
to be apart of critical infrastructure? [Bill] That's a great

00:12:05.960 --> 00:12:09.970
question and getting back to coment earlier about
we no longer have 5-10 years

00:12:09.970 --> 00:12:13.980
to develop a solution. We often have a very short period of

00:12:13.980 --> 00:12:18.000
time, months, weeks if not days. So you can't take

00:12:18.000 --> 00:12:22.010
something from ground zero and create it in
a matter of months. You have to

00:12:22.010 --> 00:12:26.010
leverage other research and development and even
sometimes leverage other products that exist

00:12:26.010 --> 00:12:30.020
in the market. So a big part of what we do in S&T is what we

00:12:30.020 --> 00:12:34.030
call tech forging. So as requirements come in, if we have

00:12:34.030 --> 00:12:38.030
the requirement and we have the gap and we develop
the requirement, we'll go out and try to find

00:12:38.030 --> 00:12:42.040
a capability that already exists around the globe, not

00:12:42.040 --> 00:12:46.040
just here in the United States but around the globe to ee if there is a technology that meets that requirement.

00:12:46.040 --> 00:12:50.050
And if we find those that are close, that are missing
the mark we'll

00:12:50.050 --> 00:12:54.060
then invest additional R&D dollars working
with that provider to get that

00:12:54.060 --> 00:12:58.060
capability where it needs to be to meet our requirement
for the government or the sector owner or operator.\

00:12:58.060 --> 00:13:02.070
And then we will get that out and in transition to them.

00:13:02.070 --> 00:13:06.070
[Host] Our next question from Facebook. There are
many sectors interconnected between the federal

00:13:06.070 --> 00:13:10.080
and private sector that require government and industry to

00:13:10.080 --> 00:13:14.090
work together. How can the government and the private sector work together to ensure continuation of

00:13:14.090 --> 00:13:18.090
operations plans are in place in the event of an
emergency or natural crisis?

00:13:18.090 --> 00:13:22.100
So this is a great question actually and it builds on the

00:13:22.100 --> 00:13:26.110
partnership theme that we've already been talking about.
It's not just about sitting down

00:13:26.110 --> 00:13:30.110
at the table and figuring what the requirements are but
it's also joint planning. We do a great

00:13:30.110 --> 00:13:34.120
deal of that frankly with the infrastructure sectors.

00:13:34.120 --> 00:13:38.120
Within my organization there's something

00:13:38.120 --> 00:13:42.130
called the national infrastructure protection plan.
It kind of puts thee

00:13:42.130 --> 00:13:46.140
the framework around how sectors
and governments interact.

00:13:46.140 --> 00:13:50.140
There are a number of different, there are kinda two pieces

00:13:50.140 --> 00:13:54.150
to the pie. The sector coordinating counsel, where the
private sector owner and operators get together and

00:13:54.150 --> 00:13:58.160
coordinate and then there is a government coordinating
counsel and that's where the government stakeholders

00:13:58.160 --> 00:14:02.180
get together. Then they come together as CCGCC

00:14:02.180 --> 00:14:06.190
joint engagement and that is the plan, through that

00:14:06.190 --> 00:14:10.200
we do planning. So there is sector specific planning.
Each sector has a sector specific plan.

00:14:10.200 --> 00:14:14.220
It's up to the sector to define what that look like and it's not

00:14:14.220 --> 00:14:18.230
necessarily the government saying "though shall do a
plan". It's the sectors, the owner operators

00:14:18.230 --> 00:14:22.240
saying this is what our plan should look like. These are
the sorts of things we want to get out of an engagement

00:14:22.240 --> 00:14:26.250
with the private sector. Then theres off shoots of that.
There is a number of different

00:14:26.250 --> 00:14:30.260
operations plans and response plans. Just last year in

00:14:30.260 --> 00:14:34.270
January the national cyber response plan was
released and that is a

00:14:34.270 --> 00:14:38.280
joint planning process for what happens when theres

00:14:38.280 --> 00:14:42.280
significant cyber incident and that was a joint planning
effort between government and industry

00:14:42.280 --> 00:14:46.290
in fact before I came into government,
I was the infrastructure

00:14:46.290 --> 00:14:50.300
i'm sorry, the information technology sector representative.

00:14:50.300 --> 00:14:54.320
One of two, to the planning process, so that kinda shows
that there's a lot to the planning process.

00:14:54.320 --> 00:14:58.310
There is a lot of jointness in joint planning going on
and among those are continuity of operations.

00:14:58.310 --> 00:15:02.320
plans and how do we as government ensure that when

00:15:02.320 --> 00:15:06.330
the lights go off or whatever it is that we work with the

00:15:06.330 --> 00:15:10.340
private sector joint. [Host] I wanna get back to that

00:15:10.340 --> 00:15:14.350
point you made earlier about how the sectors
are linked. How they impact each other.

00:15:14.350 --> 00:15:18.360
Can you tell us a little bit more about that?
You know and Mr. Brian

00:15:18.360 --> 00:15:22.370
please jump in. How do the critical infrastructure
sectors impact each and how does that

00:15:22.370 --> 00:15:26.380
complexity impact DHS's efforts? [Chris] So it's

00:15:26.380 --> 00:15:30.400
the interconnectedness also interdependencies.
What are the key

00:15:30.400 --> 00:15:34.410
reliances between each sector, but when you
kinda step back and think about it

00:15:34.410 --> 00:15:38.420
there are a number of key cross cutting themes
for pretty much any critical infrastructure

00:15:38.420 --> 00:15:42.440
or key services. Our communications

00:15:42.440 --> 00:15:46.450
and then also when you step back a little bit the finance

00:15:46.450 --> 00:15:50.470
sector. What are these core things after
a hurricane comes through?

00:15:50.470 --> 00:15:54.480
It's what the first thing you do? You get the lights back on

00:15:54.480 --> 00:15:58.490
then you get restored communications so that we can
do command and control for the response operations.

00:15:58.490 --> 00:16:02.510
But at the same time your looking from there.
Why do you want the power to be back on?

00:16:02.510 --> 00:16:06.520
So the hospitals can be up and running. So the
banks can be up and running. So gasoline stations

00:16:06.520 --> 00:16:10.520
are up and running and dispensing fuel, not
just for first responders but

00:16:10.520 --> 00:16:14.520
evacuees. So I think increasingly,

00:16:14.520 --> 00:16:18.530
we are seeing these less than about vertical sectors

00:16:18.530 --> 00:16:22.530
of the 16 sectors but what are those cross cutting functions

00:16:22.530 --> 00:16:26.540
that are so critical and that is increasingly

00:16:26.540 --> 00:16:30.540
the situation when we think about cyber security
impacts on critical infrastructure.

00:16:30.540 --> 00:16:34.550
What are those core control systems for instance?

00:16:34.550 --> 00:16:38.550
What are those core services that are being
provided whether its communications

00:16:38.550 --> 00:16:42.560
or some sort of managed service. [Bill] I'll add

00:16:42.560 --> 00:16:46.560
in everyone of those that Chris identified.

00:16:46.560 --> 00:16:50.570
There are different variety of vectors

00:16:50.570 --> 00:16:54.570
that could take them out. Whether it's
man-made, whether it's natural

00:16:54.570 --> 00:16:58.580
and what's really challenging as being a representative

00:16:58.580 --> 00:17:02.580
of [unintelligible] energy sector. The biggest challenge for

00:17:02.580 --> 00:17:06.590
me at that time was how do we scope to the industry

00:17:06.590 --> 00:17:10.600
what to prepare for. You know, if you want

00:17:10.600 --> 00:17:14.610
me to make investments in protection and you
want me to make investments in resiliency

00:17:14.610 --> 00:17:18.620
How do you measure that? How do I do the cost
benefit analysis of when is too much, too much.

00:17:18.620 --> 00:17:22.620
And that's a challenge, it's not easy. I'm not
saying it's easy to figure out.

00:17:22.620 --> 00:17:26.630
But I think as part of the government working
with them through this partnership mechanism.

00:17:26.630 --> 00:17:30.640
We're able to come to that point, that place.
Where it says you know preparing for the

00:17:30.640 --> 00:17:34.640
100 year storm, is probably the right thing to do.
Maybe more cost efficient than the 1000

00:17:34.640 --> 00:17:38.640
year storm, but this is where the partnership
between industry and government

00:17:38.640 --> 00:17:42.650
is so so critical, because we can't do that on our own

00:17:42.650 --> 00:17:46.660
in government and we need industry to let us know
what is in that realm of possibility

00:17:46.660 --> 00:17:50.660
and where and what point do we cross that line
into too much spending

00:17:50.660 --> 00:17:54.670
where it's wasteful spending and it's
probably not going to work?

00:17:54.670 --> 00:17:58.680
[Bill] The last way I encourage people to think
about this is, less about

00:17:58.680 --> 00:18:02.690
a single facility, but it's a core function and it

00:18:02.690 --> 00:18:06.700
then translates into systemic risk. What are those

00:18:06.700 --> 00:18:10.720
core functions in the finance sectors like the bulk payment

00:18:10.720 --> 00:18:14.730
system? Does it have to happen for the society,
for the economy to continue function.

00:18:14.730 --> 00:18:18.740
And thats from a scarcity perspective, where
we talking about resources and

00:18:18.740 --> 00:18:22.750
limited resources, thats increasing where
we are focusing our attention.

00:18:22.750 --> 00:18:26.760
But it's not just a put a couple people on the project

00:18:26.760 --> 00:18:30.770
to function on it, but it is also looking at scalable tools.
what are the solutions working with

00:18:30.770 --> 00:18:34.780
S&T to figure out really how to have a one
to many approach, rather a

00:18:34.780 --> 00:18:38.790
whack them all at the endpoints. [Host] That's really
a good point. [Chris] Exactly.

00:18:38.790 --> 00:18:42.800
[Host] Another question from Facebook. The
private sector is not sharing at the levels that

00:18:42.800 --> 00:18:46.810
many in various DHS programs would like to see.
How can DHS improve

00:18:46.810 --> 00:18:50.820
the participation of the private sector? [Bill] So
this is a great question, something that

00:18:50.820 --> 00:18:54.830
that I have actually been thinking lot about having just
come out the private sector. I've seen both sides

00:18:54.830 --> 00:18:58.840
of the equation. I think one of the things frankly, from the

00:18:58.840 --> 00:19:02.850
DHS and PPD side, which is the National Protection
Program Directorate thats responsible for

00:19:02.850 --> 00:19:06.870
for the departments primary cyber security missions

00:19:06.870 --> 00:19:10.880
based particularly interfacing with critical infrastructure.

00:19:10.880 --> 00:19:14.890
You know I don't expect the private sector to share
something unless they necessarily

00:19:14.890 --> 00:19:18.900
get something out of it. So from our side it's more about

00:19:18.900 --> 00:19:22.920
really articulating the value proposition.
Here's what you get out of sharing

00:19:22.920 --> 00:19:26.930
with us. If you join into the automated indicator
sharing program, that means

00:19:26.930 --> 00:19:30.940
your gonna push information into a broader program and

00:19:30.940 --> 00:19:34.960
it's gonna push back out. We have about
200 members in the AIS program

00:19:34.960 --> 00:19:38.970
that we've shared since March 2016,
over 1.3 million indicators.

00:19:38.970 --> 00:19:42.980
That's a pretty big deal. It can be better.
We can do more of that.

00:19:42.980 --> 00:19:47.000
So again, what I've gotta do a better job of
with my team is really articulate

00:19:47.000 --> 00:19:51.010
value propositions and the benefits of engaging.

00:19:51.010 --> 00:19:55.020
And so we are making a pretty hard push into

00:19:55.020 --> 00:19:59.020
just it's branding and marketing and we gotta do a better

00:19:59.020 --> 00:20:03.030
job at that. Not just with private sector, but also with our

00:20:03.030 --> 00:20:07.030
congressional committees. And that starts, and
I've gotta do this plug, I do it all the time

00:20:07.030 --> 00:20:11.040
It starts with helping me. Bill can

00:20:11.040 --> 00:20:15.040
go to his stakeholder and say I'm with DHS S&T,
Science and Technology. They know what that is,

00:20:15.040 --> 00:20:19.050
When I go I'm from NPPD they don't know what I do.
[Laughter]

00:20:19.050 --> 00:20:23.050
So I've gotta do a better job. I need a better name and we

00:20:23.050 --> 00:20:27.060
are working on that pretty closely with house
Homeland Security. You know whether it's the,

00:20:27.060 --> 00:20:31.060
you know I think the going name right now is the
cyber security and infrastructure security agency.

00:20:31.060 --> 00:20:35.070
That's a pretty clear articulation to our customers
of what we do and

00:20:35.070 --> 00:20:39.080
it makes things a lot easier. I've got stories about
the hurricanes, I won't bore people

00:20:39.080 --> 00:20:43.090
with, but it's important to me that really your name

00:20:43.090 --> 00:20:47.090
tells people what you do. [Bill] I think the value proposition

00:20:47.090 --> 00:20:51.100
piece that Chris mentioned, getting industry to
share more information is

00:20:51.100 --> 00:20:55.110
spot on. The only thing that I would add is once
we get that information

00:20:55.110 --> 00:20:59.110
we have to do, we have to really look at how

00:20:59.110 --> 00:21:03.110
we handle that information, what we do with it.. It is vitally

00:21:03.110 --> 00:21:07.110
important that we maintain credibility with these partners

00:21:07.110 --> 00:21:11.120
because I'm not in the business of partnerships
as much, because I can pay people

00:21:11.120 --> 00:21:15.130
money and they'll partner with me.
You've got money, they'll partner.

00:21:15.130 --> 00:21:19.140
Chris on the other hand has to go out there in
good faith and conscience with

00:21:19.140 --> 00:21:23.140
not giving money to do this, but say listen
we really want to work with you.

00:21:23.140 --> 00:21:27.150
So I have to ensure what I do compliments
with what he does.

00:21:27.150 --> 00:21:31.160
And what we do, doesn't destroy the efforts
that he is trying to achieve.

00:21:31.160 --> 00:21:35.170
A lot of it is being able to handle the data that industry
shares with us and be responsible with it.

00:21:35.170 --> 00:21:39.180
[Chris] And the last note on that is that we are typically
viewed as the U.S. government is the authoritative

00:21:39.180 --> 00:21:43.190
source. So when the United States computer
emergency response team

00:21:43.190 --> 00:21:47.200
cert puts out a indicator or bulletin on a
certain cyber security threat

00:21:47.200 --> 00:21:51.210
those sorts of things have weight and matter. That's what

00:21:51.210 --> 00:21:55.210
the c-suite actually places a lot of value and importance in.

00:21:55.210 --> 00:21:59.220
So for us it is critically important to be accurate.

00:21:59.220 --> 00:22:03.230
But at the same time acknowledging that with
a certain degree of speed

00:22:03.230 --> 00:22:07.240
context can be lacking or you know you can be

00:22:07.240 --> 00:22:11.250
off by a degree or two. So keeping a relationship with

00:22:11.250 --> 00:22:15.260
industry. Bringing them in to validate and then pushing out

00:22:15.260 --> 00:22:19.270
working together on issues. [Host] Really maintaining
that trust is essential given

00:22:19.270 --> 00:22:23.280
how critical these systems are to the information

00:22:23.280 --> 00:22:27.280
that is coming from these organizations is very important.

00:22:27.280 --> 00:22:31.290
[Chris] So without trust, I am dead in the water.
I cannot do my job without the trust

00:22:31.290 --> 00:22:35.300
of the critical infrastructure community. It's that important

00:22:35.300 --> 00:22:39.300
to my day to day execution of mission. [Host] And I
want to pivot a little thinking

00:22:39.300 --> 00:22:43.310
partners. Mr. Crebbs, how does DHS coordinate with

00:22:43.310 --> 00:22:47.320
federal, state, local, tribal government organizations on

00:22:47.320 --> 00:22:51.330
critical infrastructure? [Chris] So I mentioned early
on the National Infrastructure Protection Plan.

00:22:51.330 --> 00:22:55.340
The partnership framework. The sector coordinating
counsels and the government coordinator.

00:22:55.340 --> 00:22:59.350
The counsels are those for, where everybody gets together

00:22:59.350 --> 00:23:03.360
and exchanges information, does joint planning.

00:23:03.360 --> 00:23:07.380
We exercise, we train together, but we also

00:23:07.380 --> 00:23:11.390
have field presence. Bill's got some folks out

00:23:11.390 --> 00:23:15.400
scattered across the country that work in tech hubs, but

00:23:15.400 --> 00:23:19.410
we also have a series of field cadres.

00:23:19.410 --> 00:23:23.430
Protective security advisors and cyber security
advisors that are really out there

00:23:23.430 --> 00:23:27.440
doing the day to day, boots on the ground work,
knocking on doors, building relationships.

00:23:27.440 --> 00:23:31.450
We've got, we have an approach it's called connect, plan,

00:23:31.450 --> 00:23:35.460
train and

00:23:35.460 --> 00:23:39.470
there's a fourth piece that's in here somewhere. [Laughter]

00:23:39.470 --> 00:23:43.490
Report, report. But what that really means is
you gotta connect, you gotta work with

00:23:43.490 --> 00:23:47.510
your stakeholders. You gotta work with the local
first responders and your other, and your partners.

00:23:47.510 --> 00:23:51.510
You gotta train. You really have to exercise these things.
You have to also have a plan.

00:23:51.510 --> 00:23:55.520
That's what your training to, thats what your exercising to.
But then on the reporting side, it's the

00:23:55.520 --> 00:23:59.520
see something, say something campaign. If you see something you report it and we can help.

00:23:59.520 --> 00:24:03.530
[Host] Alright we are gonna do one more question

00:24:03.530 --> 00:24:07.530
from Facebook. How will you
engage educational institutions and

00:24:07.530 --> 00:24:11.540
students to become involved in improving
the automated indicator sharing program?

00:24:11.540 --> 00:24:15.540
Is it important to fund these initiatives? [Chris] Another

00:24:15.540 --> 00:24:19.550
great question. So in terms of educational
institution and students

00:24:19.550 --> 00:24:23.560
I kinda look at this two different ways.
This is again a partnership piece.

00:24:23.560 --> 00:24:27.560
So the program itself is focused on critical infrastructure
partner sharing indicators.

00:24:27.560 --> 00:24:31.570
But we do need a broader community of collaboration, both

00:24:31.570 --> 00:24:35.570
in terms of hiring. So I definitely want
to work with universities on

00:24:35.570 --> 00:24:39.580
in educational institutions, on helping define a cyber

00:24:39.580 --> 00:24:43.590
security education requirement or curriculum.

00:24:43.590 --> 00:24:47.590
But I've got a number of different job

00:24:47.590 --> 00:24:51.600
openings. Hundreds of job openings right now.
So really want to make sure that we are providing

00:24:51.600 --> 00:24:55.610
information out to students. Say hey, these
are the opportunities for you

00:24:55.610 --> 00:24:59.610
in the future. In terms of the program itself.
We're working with

00:24:59.610 --> 00:25:03.620
a number of different institutions, centers
of excellence on how

00:25:03.620 --> 00:25:07.630
do we define, and also with Bills team,
how do we define what the technology is?

00:25:07.630 --> 00:25:11.630
How do we define that value proposition and then improve

00:25:11.630 --> 00:25:15.640
you know wether it's AIS version 2.0, AIS version 3.0?

00:25:15.640 --> 00:25:19.650
[Host] Well I want to wrap up. I just want to
ask one more question.

00:25:19.650 --> 00:25:23.660
We talked about a lot today and we really
appreciate your time. Is there any

00:25:23.660 --> 00:25:27.670
thing, sort of a last minute. One thing you want
people to take away about critical infrastructure

00:25:27.670 --> 00:25:31.680
that you wanna tell our audience about?

00:25:31.680 --> 00:25:35.680
[Chris] Happy to start, since your the host I'll
let you close it out. I think

00:25:35.680 --> 00:25:39.690
if we've seen anything over the last 6 months even both on

00:25:39.690 --> 00:25:43.700
the cyber security side and on the physical infrastructure

00:25:43.700 --> 00:25:47.710
side, so you think about the events that have happened, the ransomware attacks.

00:25:47.710 --> 00:25:51.720
Then with the hurricanes and some of the other unfortunate

00:25:51.720 --> 00:25:55.730
shootings and other terrorist attacks. You gotta

00:25:55.730 --> 00:25:59.740
go bac to that connect, plan, train, report mentality.

00:25:59.740 --> 00:26:03.750
We really need to push forward that. I loved what

00:26:03.750 --> 00:26:07.760
Bill said about reliability, survivability and resilience.
We have to kinda continue pushing

00:26:07.760 --> 00:26:11.770
awareness and planning to ensure that we can survive

00:26:11.770 --> 00:26:15.780
another category 4 hurricane. That we are prepared, that

00:26:15.780 --> 00:26:19.790
we have a culture of preparedness. And it doesn't

00:26:19.790 --> 00:26:23.800
start in the government. It starts frankly in our communities.

00:26:23.800 --> 00:26:27.810
With our employers. Really start instilling
that mentality of preparedness

00:26:27.810 --> 00:26:31.830
in a preparedness culture with their employees, because

00:26:31.830 --> 00:26:35.840
the most effective response is

00:26:35.840 --> 00:26:39.850
not gonna just be the government showing up. We saw it in

00:26:39.850 --> 00:26:43.860
Harvey. Think about the Cajun Navy. The Cajun
Navy comes in and plucks people off roots

00:26:43.860 --> 00:26:47.870
and move the around in support of the government
response. So it is a whole of nation,

00:26:47.870 --> 00:26:51.880
whole of community response. We need to think about that

00:26:51.880 --> 00:26:55.890
everyday. Are you ready? Can you handle three days without power? Maybe it's a week without power.

00:26:55.890 --> 00:26:59.910
What's your financial situation if your not
able to get to the bank for awhile?

00:26:59.910 --> 00:27:03.920
If the stores are not open. So again, we really
need to instill that culture of preparedness

00:27:03.920 --> 00:27:07.940
going forward. [Bill] I would add

00:27:07.940 --> 00:27:11.950
the vectors ,the threat vectors and I'll use
that term threat vectors

00:27:11.950 --> 00:27:15.960
that we have to be concerned with across all the sectors
and across the country as a whole

00:27:15.960 --> 00:27:19.980
are rapidly changing and they are becoming more

00:27:19.980 --> 00:27:23.990
and more diverse. The internet of things are opening up a

00:27:23.990 --> 00:27:28.010
whole new world of vulnerabilities.
I think the younger generation

00:27:28.010 --> 00:27:32.010
in colleges and universities today, unlike me

00:27:32.010 --> 00:27:36.020
they grew up with this stuff. I didn't get my first computer

00:27:36.020 --> 00:27:40.030
until I was 26 years old. It had a 20 megabyte

00:27:40.030 --> 00:27:44.030
hard drive and I was proud of it. So things have changed

00:27:44.030 --> 00:27:48.040
alot. And so I would encourage these young people

00:27:48.040 --> 00:27:52.040
out there looking for career opportunities. Chris
mentioned the need in his organization.

00:27:52.040 --> 00:27:56.050
I woud say that on our website, S&T's website you'll get

00:27:56.050 --> 00:28:00.050
access to a lot of information about the projects
were working on. Also how to engage

00:28:00.050 --> 00:28:04.060
with us. We have a guide out there right now to show

00:28:04.060 --> 00:28:08.060
our industry or you can engage with S&T and
shows you the kinda things we're looking

00:28:08.060 --> 00:28:12.070
at bringing on expertise to do. I think that
would be very valuable. I think

00:28:12.070 --> 00:28:16.080
the important thing is to stay engaged with us.
Don't think we are sitting here in Washington

00:28:16.080 --> 00:28:20.080
and there's no way for you to ever have access to us.

00:28:20.080 --> 00:28:24.090
We are accessible. It may seem cumbersome at moments

00:28:24.090 --> 00:28:28.090
but it is our hope and intent that we do get those

00:28:28.090 --> 00:28:32.110
good idea and the best and brightest to come out
and solve the problems we have to solve.

00:28:32.110 --> 00:28:36.120
So thank you very much. [Host] Absolutely,
thank you so much for your time. Thank you both.

00:28:36.120 --> 00:28:40.130
You all can continue following our conversation.
We are gonna be promoting critical infrastructure

00:28:40.130 --> 00:28:44.130
all month. Follow us on Twitter, Facebook and Linkedin.
Thank you so much for joining and we will

00:28:44.130 --> 00:28:45.834
see you next time.