During a House Homeland Committee hearing before the Congressional recess, Rep. Andrew Garbarino (R-NY) asked cybersecurity experts about the "effectiveness" of CISA amid cuts to the agency's staff by the Trump administration.
Transcript
00:00 of questions. We all know CISA plays an important role, a sector risk management agency for eight
00:06 of the 16 critical infrastructure sectors, as well as the national coordinator of the
00:09 sector risk management agencies. They do a lot of work. I'd like to hear from you all.
00:15 What do you think, how would you assess CISA's effectiveness as a partner when it comes to
00:22 OT cybersecurity? You can start with Ms. Zetter if you want. I don't have direct because I'm not a
00:31 practitioner, so I don't have that assessment to know firsthand. But what I do know is that CISA
00:36 in the past had, I would say in the last decade really, a lot of expertise that they were able to
00:45 give to critical infrastructure, either to go out into the field and do critical assessments of the
00:50 networks, give them risk assessments about what they needed to do, and then also they had flyaway
00:56 teams that when a system was compromised, that they would be able to go out and assist directly in
01:01 doing some kind of remediation. So I think that the impact of CISA has been really great, but of course
01:08 they're limited in their resources and who they can give assistance to. I would say that my
01:14 commentary about CISA probably is reflective of a number of government agencies that deal in this
01:19 space, which is really good Americans trying really hard to do good work that have very talented
01:24 people, but are hardly being effective for the amount of money we're spending on it, in comparison
01:28 to what's happening elsewhere. As an example, flyaway teams, the incident response teams, etc., there's
01:34 absolutely nothing unique happening there in comparison already in the private sector. I think
01:38 there's a very important role and responsibility for government to play, and I think a focused CISA would
01:42 be extremely impactful. And I, you know, in passing talked to Sean Plankey, I'm really excited about the way
01:47 they're looking at it now. But I think a lot of times we overstate the effectiveness, and I'm sure
01:52 that this is not going to hurt me any friends at CISA, and many of my friends are there, but I will say
01:57 that we've got a couple of years before we have significant issues, and I'm very concerned about
02:02 next couple of years going to war with China and it being focused on our OT, and I would really like
02:06 to move past pleasantries, so we should focus them a heck of a lot more.
02:09 I would say that I think CISA can certainly grow in its effectiveness, and I think we will see that
02:19 under Sean Plankey. I think things like automated information sharing, the Einstein program,
02:25 CyberSentry, I think there's a number of places there where we can modernize some of that legacy
02:31 infrastructure. They're operating not necessarily with the most updated sensors, and I understand that
02:37 it is expensive to upgrade the systems, but if we want CISA to be acting as the, you know, the front-line
02:43 defense for cybersecurity, and as an expert, they need to have, you know, up-to-date systems. They need
02:51 to have sensors on the networks that are, that are the, what is modern right now. But I think that'll,
02:59 I think that's all right.
03:02 Dr. Gleason.
03:03 I would say some of our best and most effective work with CISA has been when they've worked
03:07 in partnership with some of the other federal departments with stake in the space, in particular
03:12 with the Department of Energy, looking at threats to the energy sector, and the Department
03:15 of Defense, looking at defense-critical infrastructure. Just to echo on some earlier comments, I think
03:21 CISA also works best when they do work that is appropriate to the government to do and not
03:27 trying to do what the private sector is already taking care of. The government has specific
03:32 advantages in our access to the intelligence community, in the ability to do things that
03:38 the private sector is not or shouldn't be doing. I think the more that the government sticks
03:45 to that space, the more effective that, that those programs will be. And I also want to
03:51 echo, definitely look forward to Sean Plankey coming in and very excited about Nick Andersen
03:57 coming in. We've had great experiences working with him previously and think their leadership
04:02 will be very effective.
04:03 I think we can all agree that we're very excited to see Sean Plankey get confirmed as, as soon
04:09 as possible. It'll be, it'll be a good day for, I think, for CISA to have him in there.
04:13 Mr. Lee, I want to go back to, because you were very passionate in your hands today and
04:17 you really want to get a focus. Can you go a little more in depth? Because this is like,
04:20 this is the stuff we're going to have to work on.
04:22 SANS Institute, which is the leading cybersecurity provider, analyzed every single industrial
04:27 cyber attack that's ever taken place and just asked the basic question of what security
04:30 controls actually worked. It was five. And we know exactly what those five are. We know
04:35 exactly how to do it. And if you look at regulation standards and everything else, it's not
04:38 five. Further, when you look at our rural communities, as mentioned,
04:43 about 98% of this country is in that sort of below the cyber poverty line discussion.
04:47 And they're not doing pretty much anything unless it's really passionate members there
04:51 trying to help. But going back to what Kim said as well, you've got a large number of
04:55 companies that will stand up and say how robust their security programs are. And I'm in a lot
04:59 of those environments and they're terrifying. So I have three kids that did not really want
05:04 to go back in the army for, you know, extra time. It was, I really want to get this right.
05:09 And I think if we're going to be serious about the conversation, it's focus on what we can actually do
05:12 across the next couple of years, pick a point of view, you're going to upset some people in doing
05:17 so, but we need to do it. And at the same time, I would say you can roll out quickly. I think
05:23 about 95% anecdotally, about 95% of all cyber spend goes to enterprise
05:27 IT about 5% OT. That is where your national security is, your environments, your local
05:32 communities, and all of your ability to generate revenue. You look at sort of the visibility in
05:37 this country. If you actually want to monitor your OT infrastructure to figure out is China already
05:42 there, I would say probably about 10% of the infrastructure around the country is being monitored.
05:47 So when we're having big discussions about what comes next, I would just highlight that we're not
05:51 even really being serious about what we know today. I appreciate that. Thank you very much.