2014 Government Cyber-Security Forum Agenda

Kaspersky Government Cybersecurity Forum Agenda

Walk through the policy, technical and implementation concepts and implications of a robust, resilient national critical infrastructure with experts in security analysis, operational security, systems engineering, policies, and acquisitions.

Tuesday, October 28, 2014

| Times | Description | Speaker |
|---|---|---|
| 8:00 AM | Breakfast and Registration | |
| 8:30 AM | Welcome and Opening Remarks | Phillip Bond, President & CEO, Bond & Associates |
| 8:40 AM | Kaspersky Government Security Solutions, Inc. Introduction | Phillip Bond, President & CEO, Bond & Associates; Adam Firestone, President & General Manager, Kaspersky Government Security Solutions, Inc. |
| 8:50 AM | Scenario | Adam Firestone, President & General Manager, Kaspersky Government Security Solutions, Inc. |
| 8:55 AM | Keynote: Impacts of a Cyberattack on Our National Critical Infrastructure | Tom Davis, Former United States Representative |
| 9:45 AM | Panel Discussion: National Critical Infrastructure Stakeholders: Identifying Concerns and Risks | Jeffrey Carr, CEO and President, Taia Global and Founder, Suits and Spooks; Hilary Macmillan, Vice President, Cybersecurity Intelligence Executive (CIX), Kaspersky Government Security Solutions, Inc.; Robert Clark, Cyber Operational Lawyer for the Army Cyber Institute, United States Military Academy; Robert Burton, Federal Procurement Attorney, Venable LLP; Other Panelists TBD |
| 10:45 AM | Coffee Break | |
| 11:00 AM | Introduction: Building In Resiliency From the Start Challenge | Speaker TBD |
| 11:10 AM | Challenge Break-Out Session: Building In Resiliency From the Start – Requirements Discussion & Identification | Christopher Reilley, Lead Security Analyst, Cybersecurity Intelligence Executive (CIX), Kaspersky Government Security Solutions, Inc.; Other Panelists TBD |
| 12:10 PM | Lunch: Fireside Chat | Mike Lennon, Managing Editor, SecurityWeek; Howard Schmidt, Former White House Cyber Security Coordinator |
| 1:35 PM | Keynote: Realizing Cyberresilient Systems | Joel Brenner, Former National Counterintelligence Executive and Author of America the Vulnerable |
| 2:25 PM | Panel Discussion: Evaluating Cyber-Resiliency | Christopher Reilley, Lead Security Analyst, Cybersecurity Intelligence Executive (CIX), Kaspersky Government Security Solutions, Inc.; Catherine Lotrionte, Director of CyberProject, School of Foreign Services, Georgetown University |
| 3:25 PM | Coffee Break | |
| 3:40 PM | Keynote: Towards a More Resilient Cyber Posture: A Way-Ahead | Adam Firestone, President & General Manager, Kaspersky Government Security Solutions, Inc. |
| 4:25 PM | Closing Remarks | Phillip Bond, President & CEO, Bond & Associates |
| 5:00 PM | Adjourn | |

Session Descriptions

Opening Keynote: Impacts of a Cyberattack Against Our National Critical Infrastructure

The cyberattack scenario portrayed during the opening session is not just the stuff of Hollywood blockbusters. We’re all at risk from the inherent vulnerabilities in our national critical infrastructure (NCI) and threats with the capability and motivation to exploit them. So far, we’ve only seen these risks realized on a small scale or in a training capacity, but concern is growing that a potentially disastrous event is not far off.

To avoid disaster, we as a community need to mitigate these risks now by identifying the vulnerabilities extant in our critical infrastructure systems, as well as those that continue to arise from today’s constantly changing computing environment. Emerging risk factors range from widespread remote access and monitoring capability and a growing preference for bring-your-own-device (BYOD) environments to the increasing complexity of system configurations. By working toward a holistic and shared understanding of this ever-evolving threat landscape, we can ensure we are prepared for a worst-case scenario.

This talk will guide participants to a comprehensive understanding of the risks we face. The keynote will challenge the audience to engage fully in the day’s activities and to share, learn and become fully enfranchised in the need for a systematic approach to ensuring the cyberresilience of critical systems.

Panel Discussion: National Critical Infrastructure Stakeholders: Identifying Concerns and Risks

There are many stakeholder communities within the larger cybersecurity polity, and each of these groups has a unique viewpoint on the cyber risks that we all face. Panelists in this talk will represent these different communities. They will articulate their concerns regarding the lack of cyberresilient systems and share their top three risks confronting the NCI.

The panelists will draw on their expertise and experience regarding vulnerabilities in critical infrastructure to assess the current threat landscape and articulate a high-level mitigation plan for each identified risk. These mitigations will form a set of top-level requirements that will be addressed in the next session.

Challenge Break Out Session: Building Resiliency from the Start – Requirements Discussion and Identification

To build effective, secure and resilient systems, we need to take an interdisciplinary approach to identifying and meeting the requirements for improved cybersecurity early in the system development lifecycle. During this interactive session, participants will work in groups of eight or fewer to discuss how to address the set of top-level requirements identified in the previous panel discussion. Each working group will represent the perspective of a specific stakeholder community and should consider questions such as:

  1. What will the solution to the requirement look like once it's implemented?
  2. How will the technologies and components that constitute the solution be sourced?
  3. What needs to be done regarding this particular requirement at the policy and process/procedure levels to develop and maintain a cybercompetent workforce?

The working groups’ responses to these questions will serve as a primary resource for the white paper that will be issued following this conference.

Lunchtime Fireside Chat

The availability of the services provided by our NCI is at risk from not only the vulnerabilities that currently exist in the ecosystem but also the new threats that continue to arise as that ecosystem evolves. These new threats are a direct result of a wide variety of technology developments, including the increasing prevalence of insecure access control implementations, widespread use of network-connected monitoring and control systems, and the growing popularity of BYOD environments. While these vulnerabilities are widely recognized in the relevant operational, regulatory and policy communities, a number of challenges and roadblocks stand in the way of efforts to address the situation.

This discussion with Howard Schmidt and Ari Schwartz will explore the factors that contribute to these vulnerabilities and how utility owners; regulators; and federal, state and local governments are dealing with them. The fireside chat will also examine what organizations should be doing internally, and in cooperation with their communities, to identify and mitigate the risks they face.

Afternoon Keynote: Realizing CyberResilient Systems

Innovative thinking and innovative solutions are the lifeblood of the U.S. economy, and continued innovation requires a robust and reliable NCI. Yet the systems that are currently implemented in critical sectors are often inherently insecure. Current approaches to this problem generally consist of either adding in security solutions once the systems are operational or accepting the risks – either deliberately or unwittingly. Major gaps in security will remain as long as the policies, processes and procedures that guide and inform the design, development, evaluation and implementation of systems across the U.S. government and the NCI are formulated without regard for the cyber risks that pervade today’s computing environment.

This talk will present a plan for realizing secure systems and system configurations and will recommend a number of policy, process and technology changes that can be realistically implemented to achieve this goal.

Panel Discussion: Evaluating CyberResiliency

Security considerations don't end with a developed product; it takes rigorous testing and evaluation, continuous monitoring and skilled management of the implemented solution through a holistic, ongoing security program to ensure systems are truly effective, secure and resilient. To be effective, this security program should include training and education mechanisms; comprehensive security-related policies, processes and procedures; auditing protocols; and penetration testing programs. The program should also adhere to security management tenets along the lines of the ISO 9000 principles of customer focus, leadership and involvement of all staff functions, a process approach, and a systems approach to management, continuous improvement, fact-based decision-making, and mutually beneficial supplier relationships.

Panelists will evaluate current practices for evaluating and maintaining an effective cybersecurity posture and offer their thoughts on how these practices can be improved. Panelists represent multiple stakeholder groups and will offer their unique perspectives on what an effective holistic security program might look like.

Final Keynote: Towards a More Resilient Cyber Posture: A Way-Ahead

To strengthen our cybersecurity posture, we must design and develop cyberresilient systems that are built to withstand the attacks they will, at some point, fall victim to. This talk will walk through the systems engineering process to illustrate how the security concerns and risk mitigations discussed during the day can be effectively addressed in the system development lifecycle.

This talk will progress from the requirements phase through implementation, operation and retirement, articulating how a three-pronged understanding of the problem space – domain, engineering process and technology – is essential for realizing effective, secure and resilient systems. This talk will also address the policy, process and procedural changes, and the educational foundations needed for this transformation within the community, and will culminate in a call for all of us to actively work toward a systematic and comprehensive solution to our current cyber challenges.