Responding to Hacks Against America
May 27, 2021
James Andrew Lewis: Hi everyone. Thank you for joining our event here, Responding to Attacks Against America. We have a great set of speakers. My name is Jim Lewis, I’m from CSIS. The show will be Anne Neuberger, who is the Deputy National Security Advisor for Cyber Security and Emerging Technology.
We will have a(n) off-the-cuff set of remarks for the first 15, 20 minutes. She and I will go back and forth. Then we’ll turn to our distinguished panel, who I will introduce at that time. And if there’s time at the end, we’ll take questions from the audience. But it’s going to be a little tight. So let’s go ahead and get started and get rolling.
Anne Neuberger – I don’t know if people know her, but she has a long and distinguished career in the federal government, which is hard for someone who appears to be so young. But she comes out of a very senior set of positions at NSA, now is at the White House. Then was instrumental in driving through this executive order.
So, Anne, I don’t know if you want to open with some remarks. I can give you a question to tee things up. Up to you.
Anne Neuberger: Thanks so much, Jim, for the invitation. I really appreciate that. I’ll just make some brief remarks about the executive order which the president recently signed, and then I look forward to the conversation with you.
So in terms of the executive order, President Biden came in and clearly articulated that cyber is a key priority for this administration. In the first hundred days of the administration, we, clearly, saw via a set of incidents that there needed to be a key focus on a set of core problems and, really, push the ball hard on some issues that we haven’t made enough progress on as a country in the last decade.
The first piece was, certainly, the security of federal networks and a recognition from both the SolarWinds attacks and others that we needed to set aggressive but achievable guidelines to really modernize the cybersecurity of federal networks.
The second key piece of that is to say, how do we jumpstart the market for secure software? Jim and I will talk about some of the aspects of that. But you’ll see in the executive order some key pieces that were meant to jumpstart the broader market for secure software, clearly using the power of federal-government procurement to drive security in the software everybody uses – government, corporations, citizens in the United States and around the world.
And the final piece was to say let’s reduce the risk of incidents happening. But if they do, how do we ensure we can respond more quickly and more effectively and then learn from incidents that occur as well?
So with that, Jim, I’ll turn it over to you so we can have a conversation about the elements of the executive order or cybersecurity.
James Andrew Lewis: Great. Thank you, Anne, and welcome.
This is a really long and complex executive order. It’s got a lot of pieces. A friend of mine showed me – he found 45 – she found 45 different actions in it. Tell me how it works. Tell me what you want to get out of it. What are the specifics that you want to emphasize?
Anne Neuberger: Absolutely. I’ll highlight three things that we really wanted to emphasize. First, we named five specific high-impact cybersecurity technologies that we want to see rolled out across the federal government on a tight timeline; encryption, for example, in six months, because we said even if an incident occurs, if network data is encrypted, it’s far harder for an adversary to glean that information and use it. So that’s goal number one.
Goal number two I talked about was bringing visibility to the cybersecurity of products so that individuals purchasing software can actually say we want to use more secure products and put their money on that.
And then, finally, related to that, the transparency, by, for example, requiring companies to do either third-party or automated audits of software and make available the results so that if a purchasing manager wants to purchase software, they can ask for the results of those automated assessments and they can compare and say this product has 10 critical vulnerabilities, this product has two, this product has zero, and say we’re purchasing the product with zero critical vulnerabilities, which is an important message and what we believe incentivized building more secure software.
And in line with that final piece, we said let’s use the power of federal procurement. The U.S. buys a great deal of technology. Let’s put our money where our mouth is and say we will only purchase software that meets some of the new software standards that are defined. And, as you noted, we jumpstarted the software standards, but we also asked NIST to develop a process that builds in and brings in the private sector for input because rolling all of that up we were seeking to establish aggressive but achievable goals and to bring the private sector into that, because at the end of the day that’s the root of innovation and – in the United States.
James Andrew Lewis: So you – I want to talk about software security later on. But maybe we can start with cyber hygiene, which seems pretty basic. But I think what you found in your review of SolarWinds was it’s perhaps not as fully implemented as we might like in the federal government. What are the things you’d call out for that? And also tell us how you hope that the practices you’re going to mandate for the feds will spill over into the private sector.
Anne Neuberger: Absolutely. So that was one of the disappointments was to really see the state of federal networks. And we asked ourselves, what would measurably, quickly reduce the risk of ongoing hacks with the breadth and sophistication – the breadth of the SolarWinds impact.
So we outlined five key things in the executive order: One, rolling out endpoint detection across the federal networks, right, to say you need to be looking for things at the endpoint for malicious cyberactivity and then bringing that data back together and asking CISA to have that data so that they can hunt across and find anomalies and then spread the security across federal networks.
The second, I noted encryption – the need to encrypt data on the wire, as well as at rest, so that even if a hack occurs, we were protected from sensitive government information being used.
The third were things like a good security operations center staffed. You know, we really want the federal government to be a place people want to work, and ensuring that SOCs are sufficiently staffed is important. Logging, so that if a hack occurs, we can see the impact, see what was taken, and get a better sense of the national-security impact, is a key one as well.
So those were the very specific practices which were outlined for the federal government. And to your point, finally, there is a point around federal government only buying – I should say only buying security software and setting the standard for what that means.
So those are really the two parts that we hope spread. One, organizations who really want to be secure saying, well, if we focus on these five things, we can measurably improve our security – the focus on tight timelines, to say we’ve really got to stop kicking the can down the road and hold ourselves accountable to get this done. And then, finally, to say let’s use the power of our purchasing. Let’s become demanding consumers, demanding software as well as cool apps and usability in the products that we buy, and giving the visibility so that a purchaser can actually assess what is secure/what isn’t secure to put their dollars against that.
James Andrew Lewis: Great. Yeah, software security is, for me, probably the centerpiece of the EO. The other parts are important too; I’m not – I’m not downplaying them. But this is the one that could have the biggest effect. So what were you thinking when you wrote that? And in particular, using the federal acquisitions regulations – we can be nerdy for a minute – using the FAR to drive better software, tell us how you think that’s going to work.
Anne Neuberger: We really said: What are the tools we have as a government? And we have all kinds of regulatory tools, and then we have our authorities, and then we have the positive incentives. And we said, you know, what’s the best way to incentivize? Money, at the end of the day. And we said, at the end of the day we may not be able to impact the whole sector, but the U.S. government buys so much IT. And what we’ve seen in prior such effort is that when we set a standard and as we’ve talked with CISOs – take a quick step back.
We did huge amounts of coordination with the private sector in developing this executive order, both for input and ideas but also to get a sense that we could be – everything we were outlining, you know, as I keep saying, aggressive but achievable. And one key piece we heard again and again was there’s such a missed opportunity to use federal procurement to drive a secure market, and that’s really what we tried to set here and, looking at federal acquisition, to say across the federal, DOD, let’s put that in place.
So I think that, to your point, that’s the biggest innovation in laying out the initial guidelines, but then setting a regular process to keep it updated as well.
James Andrew Lewis: Tell us a little bit about how you think NIST will do this? I know that’s a little below the level of a deputy national security adviser, but you’ve put so much emphasis on standards. Where are we in the standards process for software?
Anne Neuberger: Absolutely. So I want to take a moment to call out all the colleagues across. I mentioned the private sector’s involvement in building this EO, giving input, but I also want to really call out all the individuals across the U.S. government who both were involved in drafting it as well as, you know, played key roles or are playing key roles in implementation.
I’ll note, for example, you know, CISA has achieved its first action already in the executive order. And really, the team at CISA was superb in that. We’ve been working on this executive order pretty much since the second or third week of the administration. And as it was evolving, you know, they said no need to wait till it’s finalized. We see the actions coming. We know they’re really important. We’ll jump in and get started. Which was really – which was really terrific.
Certainly, Commerce, both NTIA and NIST, have key parts and played key roles in this executive order – NTIA on the software bill of materials work, which took work that had really matured a lot in the last number of years and we said let’s push it over the finish line with this executive order, and then, finally, at NIST. And the role – NIST has done tremendous work over the last number of years.
Certainly its controls – 800-53 – have become the standard. But I’ve also heard this feedback that sometimes a long list of controls, it’s hard to figure out that 80/20 rule. How do you know when you’ve achieved enough to measurably reduce your risk? So we’ve asked NIST to focus that work in on specifically, A, how you build software. We wanted to really continue to encourage and drive innovation, so we focused the software standards in a way that we felt could continue to drive ongoing innovation by saying, much as when you’re building a building in an earthquake-prone zone you have building standards, well, when you’re building software in a world where there are sophisticated nation-state attackers constantly hunting for vulnerabilities in that software, build it in more secure ways. Build it on systems logically or physically disconnected. Build it on systems requiring multi-factor authentication in order to know if an individual is truly a coder. And we thought and we did a deep dive on some of what got done in the SolarWinds supply-chain hack to learn from the kind of practices that would have prevented that kind of – or make far harder that kind of a compromise of the software-build processes at SolarWind(s). And we baked that into the core components that are outlined in the EO that are required for the way software is built and maintained.
James Andrew Lewis: So it’s been a busy year for you guys. I mean, I’m looking at my watch because it’s about time for the next gigantic hack to surface. But you’ve had – you’ve had – (laughs) – sorry – you’ve had SolarWinds. You’ve had Exchange. You’ve had Colonial Pipeline. Where do you see the commonalities in them?
Anne Neuberger: First, I strongly disagree that it’s about time for another hack.
James Andrew Lewis: (Not even ?) Russia. (Laughs.)
Anne Neuberger: So let’s just on the record say that, that strongly, strongly disagree.
James Andrew Lewis: OK.
Anne Neuberger: To your point of what is the –
James Andrew Lewis: How do you think – how do you think the EO – go ahead. Go ahead.
Anne Neuberger: You had asked about the commonality.
James Andrew Lewis: How do you –
Anne Neuberger: Go ahead.
James Andrew Lewis: Yeah. Uh-huh.
Anne Neuberger: I think the commonality really is calling on –
James Andrew Lewis: No, I was going to say what do you see as these things having in common, you know.
Anne Neuberger: They call on us to really recognize that technology, software and hardware, are the underpinnings of our society today – whether it’s the software that drives network management of companies, whether it’s the software on the IT and operational side that drives a pipeline, whether it’s the email servers all across the United States. And because common technology is used in so many places, there is scope and scale for attackers as well.
And recognizing that technology is the underpinning of our society, government, critical infrastructure, providing critical services, each of us communicating. And because of that, we need to change our mindset around software and hardware to demand security in those products. For too often it’s been OK to sell software and hardware products and sell security software separately, or, frankly, make security the configuration responsibility of the user. And I think, given the criticality of technology to our lives today, we as consumers have to begin – and when I say consumers, I mean individuals, companies, and governments – need to start demanding that we can have more confidence in the technology our lives rely on.
And we took really massive, major, key steps in the EO to start outlining that change in thinking, to say incident response is no longer going to be the acceptable mindset we operate in. Building secure from the outset needs to be where we go.
James Andrew Lewis: Yeah. And when we get to the panel, one of the things I want to talk to them about is how the EO could change the business model for cybersecurity because I think that if that works, that’ll be great.
What do – what do you see as the other drivers for implementation here? What do you see as the things that will move us forward? Because the EO’s really just the start.
Anne Neuberger: Absolutely. The EO is a start. I think the heightened awareness, Jim, that you highlighted in the series of attacks in the first hundred days and the impact of those have also helped greatly in creating a sense of urgency.
Certainly, the next phase of what we look at is the security of critical infrastructure. You saw it in the pipeline security directive that TSA issued last night, you know, and we worked closely to ensure that that first stage was significant and a follow-on second stage, as they talked about, will be as well. So, certainly, thinking about security of critical infrastructure.
And then a third key piece is today we operate in the – in an environment that wasn’t built for the connectivity or criticality upon which we treat it. And I think thinking through, for technology that’s coming online now or being built now for the next few years, how do we build secure? Do we need to build, for example, a new, segregated network connectivity just for critical services? 5G is a huge focus for us. How do we ensure secure standards for that? How – are there commercial ways for digital identity so that we can ensure both devices and people have – particularly when they want to have authenticated identity online. And we can create – can we create an environment – voluntary – where it’s built secure from the start in the infrastructure, in the identity of devices and people, so that our most critical services are connected to a more secure environment?
And I think looking to the future, you know, item one is let’s really reduce the risk of the environment are in – we’re in to an acceptable risk. But then, in parallel, a key priority is how do we build a more secure environment for our most critical services so we’re not operating with a level of risk; we’re operating in – as the United States and as a global community.
James Andrew Lewis: So a lot of people took your position as a good sign. I mean, it really elevates the issue of cybersecurity, and if we have time, we can talk about how that links to emerging technologies. I think they are linked, but we can – we can come back to that.
What does – what does your position say about this administration? Where does your job link to the larger issues of national security and foreign policy that we look at? Say, when you think about the upcoming national security strategy, what – where do you fit in and what are you looking forward to?
Anne Neuberger: Cyber has become a tool of countries around the world to achieve their national objectives. Whether it’s Russia seeking to destabilize democratic countries or to malignly influence the discourse in those countries, whether it’s countries seeking to shake confidence in digital infrastructure or, for example, overall use of technology – will we have use of technology in line with our democratic values, rule of law, the kind of – the more democratic model? Or will we have the more authoritarian model we see in China or other more autocratic countries?
So, certainly, A, from the perspective, first, of cyber and use of cyber in undermining technology is a part of national power and, as such, as we discussed each of the incidents that occurred, we did so in an integrated manner on the National Security Council. We didn’t have a cyber-only discussion. We had a cyber and individual country or region discussion to ensure we were understanding, as we talk about the “us” factor and the “them” factor, how we build our resilience and how we shape adversaries’ perceptions of what’s acceptable in their cyber activity and what we find unacceptable in that cyber activity. And that’s really the critical factor we’re using in shaping our national security thinking about cyber and overall use of technology today and in the future.
James Andrew Lewis: I’m glad to hear you say shape opponent perceptions because I think that’s really crucial.
Well, the second to the last question, real quick, how does cyber fit into the emerging technologies part of your portfolio? How do you see making them fit together?
Anne Neuberger: Absolutely. So, you know, partially, the reason we are where we are in cyber is because, as I mentioned, you know, the technology of yesterday and today is not necessarily built securely. So with emerging technologies, first, we have the opportunity to shape those security standards and use incentives policy to drive them being built securely.
The second aspect is we have some key technologies coming online, from quantum to AI, that offer promise and real concerns. For example, a potential quantum computer can undermine the core encryption that underpins cybersecurity, right, that underpins asymmetric encryption.
So, certainly, being aware of those technologies and thinking about how they can bring value. Artificial intelligence – they can, potentially, more rapidly help us identify and block malicious activity by understanding what is routine on a network and what is, potentially, malicious, anomalous. But you also have the concern that artificial intelligence could generate disinformation at scale in a way that brings real concern. So that is a – you know, that’s a core aspect of an effective national cyber program is thinking carefully about how we reap the benefits of emerging technology, and carefully and thoughtfully manage the risks.
James Andrew Lewis: OK. The last question is kind of – we did get a question about is legislation needed. I think one of the attractive parts of using the acquisition regs is it limits the need to go into Congress. But what did we miss? What did we leave out? What are you going to do next in making this thing work? So tell us what – tell us what we should be thinking about.
Anne Neuberger: Absolutely. So, you know, we work to push the authorities to the reaches possible with an executive order to achieve rapid progress on these urgent issues. That, certainly, does not replace the critical role of the legislative branch and what the Hill can accomplish on legislation. And there’s a – you know, one can only look to the Cyberspace Solarium Commission and the workload of the Commission and the work it has done in legislation for the impact of – for the impact the Hill has had and is having.
So I know that there are a number of issues being discussed on the Hill. I’ll give an example. In the executive order, we require companies doing business with the U.S. government to share incidents, and we set the scale – critical incidents and the – you know, in a particular timeframe because we do want to focus on critical incidents.
There’s certainly discussion on the Hill of a broader data-breach notification that exceeds just those companies. Similarly, as we look at critical-infrastructure protection, you know, in the United States right now, they’re largely voluntary. The Pipeline Security Directive is the first setting some clearer guidelines. And I know on the Hill there is certainly discussion, and consideration of it is more needed to have confidence that critical infrastructure is as secure as it needs to be.
So I know those discussions are occurring on the Hill, and we look forward to engaging with the legislative branch to see their proposals and share our – share input at the appropriate time.
James Andrew Lewis: So I know you tend to work long days, so I don’t want to add to your burden. Any final thoughts you’d like to leave the audience with on the executive order? This is your big chance. (Laughs.)
Anne Neuberger: Thank you, Jim.
First, I want to thank you personally for all the input over the last few weeks, which was very helpful in our drafting the executive order.
And to the broader audience – I see you have almost 400 participants here – I would say three things. One is, cybersecurity really – we need to shift our mindset, as I said, to requiring things to be built more securely. There may be individuals here who build technology, who sell technology, or who consume technology. All of us have a key role in a digital ecosystem we can have confidence and trust in, so that we can use technology effectively and safely.
So I look forward to certainly – across the government, across the private sector, this is a – requires not only a national partnership but a global partnership. I have a lot of confidence that we’ve made good progress with the executive order. There’s more to follow. And we look forward to the partnership and participation of everyone here in getting there quickly and effectively.
James Andrew Lewis: Well, Anne, thank you for your time. Congratulations on the EO. It’s a major step for cybersecurity in the U.S. And, of course, I think everyone watching or almost everyone watching will be ready to support your work as we move forward. So thanks. And we’ll go to the panel now.
Anne Neuberger: Excellent. I look forward to hearing the panel’s thoughts.
Be well, Jim.
James Andrew Lewis: Thank you. See you soon.
Great. So that was good. Let me introduce quickly our panel. We have their full bios on the website. As always, with so distinguished a group, the bios – reading the bios alone would take up all their time. But our panelists include Tom Fanning, chairman, president and CEO of Southern Company, and one of the true national leaders on cybersecurity even before the Solarium Commission. So, Tom, thank you for doing this.
Kelly Bissell, Global Security Lead, Accenture; also a long-term national leader. Kelly, thank you for doing this.
Bill O’Hern, Global Chief Security Officer, AT&T. Having visited Bill up in New Jersey, I know how much work you do and how good AT&T is at this. So thank you, again, for doing it.
And finally, I hope Jeff Greene, who is the acting senior director for cybersecurity at the NSC, a longtime friend and someone who comes out of Symantec at NIST.
So with that, let’s turn to the panel. And I think we were going to talk about how this – how the EO will change things, how the EO will affect business.
So maybe, Tom, we can start with you. When you look at the EO, how is this going to change your business? What does this mean for Southern?
Tom Fanning: So I think the EO is foundational to what we need to do across America, you know. And I think the EO was structured really to start with impacts that the federal government can effect themselves. It is clear, however, that something like 85, 87 percent of the systemically important critical infrastructure in America is owned by the private sector. And so this start by the federal government is terrific and is required and is directionally 100 percent appropriate. So, you know, when I look at folks like Anne Neuberger – I’ve had a chance to work with her – I think she is a true patriot.
But I think the bigger impact is to kind of reimagine national security in the sense of the – you know, when Solarium was originally invented, I guess it was President Eisenhower had the Soviet Union in the East and he had NATO on the West, and the imagination of the conflict was a tank battle on the plains of Poland.
Today the conflict knows no geographic barrier. There’s no oceans that protect us. And right now the battlefield is our telecom networks, our electricity grids, our financial systems, you name it. And so what we have to do is take, as a private sector, take the lead of the government in all these issues. And I’ve kind of noted down seven of them or so. All of them are consistent with what we’re trying to do at the Solarium Commission, and expand that and reimagine this joining of our security interests as a nation to bring together the public and private sectors to make America safer.
James Andrew Lewis: Do you want to tell us what those seven are, or do you want to save it for later?
Tom Fanning: Oh, no, no, no. It’s quick. It’s easy.
Information sharing. You know, my aspiration – Chris Inglis and I have been really working hard, I think, even before the Solarium Commission, to essentially obviate, to kind of take away the notion of sharing and, at the most important sense, to create a real-time awareness on our networks as to the threats that are facing us. That really needs to happen. So that’s a joining of responsibility of the intelligence community, our sector-specific agencies, the private sector, and those that will hold the bad guys accountable, whether that’s DOD, FBI, Secret Service, U.S. Cyber Command, et cetera. So remove barriers to information sharing. That’s good, but it’s not sufficient to where this nation needs to go.
The second is to strengthen cyber standards; of course, easy said, not done. We really need to do that as well in the private sector.
Improve the software supply-chain process. Anne, I thought, did a nice job of that. You know, you get this kind of whiteboard-blackboard-gray-board concept as to what’s effective out there. When we think about certifying software, it isn’t about saying that the widget works on day one. We really need to certify the process in which they will assure that software or that asset or what have you is maintained over time and there’s an expectation, not only of its cyber resistance in day one, but how it will be maintained going forward.
The next one is a safety review board. That’s a good thing to do. In our industry, we birthed kind of a cyber mutual-assistance group. So I’ve helped lead the Electricity Subsector Coordinating Council, one of the 16 segments put in place by Homeland Security. So we govern electricity. We do that voluntarily and we help each other. But this notion of modeling after NTSB on an after-event effect is really helpful.
Creating a playbook for responsible response to cyber events is a big deal. That’s helpful, although the playbook – there’s no one cyberattack that, you know, at the existential level, really has been drilled particularly well or that will be repeatable. My sense is it’s almost like the old – what are they – ‘60s lava lamps. The attack vectors move and change. And so the issue isn’t kind of creating a playbook to what we know today. It’s the old Wayne Gretzky skate to where the puck will be. That’s really what we need to be about in terms of (readying ?).
Two last things, quickly: improve detection; and then the last one, improve kind of this idea of investigation and remediation. All of those are critical.
James Andrew Lewis: Great. That’s a good list.
Kelly, let me ask you, what does the EO mean for business? You’ve got sort of a broad view across the economy. So tell us what you think it means. What’ll change as a result of it?
Kelly Bissell: Yeah. Thanks, Jim.
And, you know, from my perspective, looking at 9,000 projects across the last year, across banking, utilities, retail, health care, government and so forth, you know, I think it really changes the way we look at it. So, one, it sets the bar so that we’re prescriptive and we know exactly what we should work on. That’s one.
The second thing is we really have to drill into these seven or eight things in the EO that Tom went through, but really refine those things; like, roll up our sleeves and try to figure out how. What does it mean for reporting incidents? Which ones – all of them, or just big ones? How do we do it from a systematic standpoint?
So from a business standpoint, I think that all the industries that we’ve talked to, 12 of them, they’re welcoming this as a really good thing. But now we’ve got to roll up our sleeves and get into the how. How are we going to make this effective, and then how are we going to band together? Kind of like what Tom was talking about, how do we band together as groups, as industries, to be able to share more together?
So that’s how I’d see the businesses across the market.
James Andrew Lewis: Bill, let me turn to you. You’re in one of the sectors – AT&T has done a great job on this all along. And too, you’re in one of the sectors that’s already really regulated. What do you see it affecting in how you do business? What’s AT&T – does AT&T need to do something different? What do you think your fellow phone companies will do? What’s the future look like for the network business?
Bill O’Hern: Yeah, thanks.
You know, I’m not sure what the fellow companies will do. But, you know, at AT&T, you know, I think it’s really important to grasp hold of this public-private partnership, right, because when we talk about, you know, investing in national infrastructure and modernizing the federal IT space, right, it’s really important for us to think about how we embed security in our networks.
And, you know, from my vantage point, you know, we really have a global view here. Cybersecurity is more important than ever. And I give Anne Neuberger and her team at the National Security Council just huge kudos for getting this EO through. We look at what happened even with COVID-19, the pandemic. And as more individuals are relying on our networks for connectivity, we also see, you know, a string of these ransomware attacks and public cyber incidents; you know, as we mentioned, SolarWinds, Microsoft, Colonial. But those are only the ones that are in the headlines. We’re seeing these attacks every single day. And, you know, it is a constant barrage and pressure.
And so, you know, as we go about this, we really need to think about the measures that we’re going to deploy, not only in secure software, but in secure networking, secure Cloud. I think the things that they put in the EO around encryption – and probably the one that I personally believe is the top priority to help not only protect American consumers, but businesses, is around stronger authentication. To me, that is the number one thing. We see credential harvesting, phishing, is an easy access into these platforms. And I think there are ways out there today that we can get some early wins, some measurable wins, to try to push a stronger authentication and identity proofing.
So I’m looking forward to – it’s about time, right? We know we’ve been here for a while. And this administration has really put the stake in the ground; so very supportive of the efforts here and look forward to working with – you know, with the federal groups on these.
James Andrew Lewis: Hey, Bill –
Tom Fanning: Speaking – go ahead, Bill.
James Andrew Lewis: Tom, I’m sorry. Go ahead, Tom.
Tom Fanning: Yeah, if I could just add a few things. This idea of aspirational thinking – you know, there’s two levels, I think, of what we have to concern ourselves with right now.
My first concern is to prevent the existential threat from coming to America; that is, really interrupting in a significant way our economic way of life, our potential loss of life, our ability to see, to listen, to defend ourselves. That is a very serious threat. And I tend to focus a lot on that and not so much on the punks, thugs, and criminals. They are important, and we need to deal with them. But for those things which could represent an existential threat, I think the idea of sharing is already passe. And I know that’s a little bit provocative. But we must realize, in the private sector, we have as much of a stake in the national security of our country as does the intelligence community and our sector-specific agencies.
And so we need to think differently. We need to reimagine the relationship on those very important issues. You know, and I know it’s true with AT&T and others. Look, companies like mine get attacked millions of times a day. Now, a lot of those are punks, thugs, and criminals. But we also know that the state-sponsored activity is out there all the time.
You know, I’ve heard people refer to this Colonial thing as a wakeup call. If that was a wakeup call, you truly have been asleep. This has been going on for a long time, and it’s now just reaching the national consciousness. And I think it’s incumbent upon the private sector to work with government folks like Anne Neuberger to make us better.
Bill O’Hern: Yeah, I would totally agree with that. And I think if you go back to every one of these issues, you know, that’s made the press, almost in every case when you look at it forensically there are warning signs, right? We just didn’t piece it together. We just are not collaborating in a way that’s allowing us in real time to respond to this.
Look, I mean, when we talk about national infrastructure and digital national infrastructure, you know, this isn’t like you strap a helmet on grandpa and send him up on the roof, you know, with a rifle to look for incoming, right? (Laughs.) We’ve got federal forces – the Army and the Navy, right – defense measures to protect the American people. But in this case, these networks are run by private companies whether it’s, you know, cloud services, network providers, core infrastructure, right? So this is a different beast, and we’ve got to come to the realization that we have to work together.
And I really believe this EO and what Anne’s doing here, she’s driving at it. And Tom, the Solarium – you know, the foundational work that you guys have done, you know, this is all right in step. But I agree, anybody who’s just waking up now has really missed it because this has – this has been going on for a while.
James Andrew Lewis: Yeah. If you’ve been in cybersecurity, you kind of feel like –
Tom Fanning: One last – one last addition.
James Andrew Lewis: Let me get – let me get Jeff, Tom, before we do it because Jeff has joined us.
Tom Fanning: OK.
James Andrew Lewis: Thanks for making time.
If you’ve been in cybersecurity for a while, you do feel like the lookout on the Titanic. But you’re managing two processes, really. You’re managing an – at NSC – an interagency process where you’ve got NIST and CISA and others. That’s very important, all the agencies. You’ve also got a private-sector process. Tell us where you think the intersection points are. Tell us how you think you’re going to make the two processes work together.
Jeffrey Greene: So let’s not forget OMB because they’re a key part of us making this all work too. You know, implementation is going to be the key. We went to sleep on I don’t know what day of the week it was very excited that the EO had been signed and was out, and woke up the next morning and realized that now is when the real work started. And a lot of that goes out to the agencies.
So, Jim, to your question of the intersection, it depends on the different pieces. Obviously, in the public-private partnership around software security, NIST is going to be the front piece of that through the workshops that they’ve already advertised. And I understand the response to them has been extraordinary, both the submissions they’ve received and the registrations. But we hope other federal agencies will be part of that as well because we really want that to be as robust a collaboration as possible that hopefully will develop some tools, some processes, some ideas that will drive – frankly, the way we are talking about it internally is drive innovation in the secure software development piece of it.
But you know, listening to Tom and Bill, the partnership has to happen at both the formal and the informal level. At one point in my career I was looking generally at how the security apparatus worked generally, and you know, is it structure or is it people. And I think the answer is both. It’s going to depend on the situation.
You know, Colonial was an example of everyone kicking into gear quickly on a weekend, and some things worked well internally because of people who knew people. Same thing with their public-private partnership. But when I think about, you know, there’s been a lot of questions – and we got into it – about whether the breach notification, the incident notification requirements that are going to be part of Section 2 of the executive order, that’s an area where we have our own ideas. There’s going to be a public notice-and-comment process as part of the FAR rule, to get nerdy again. But I think that’s a place where it’s going to be essential that we get the input from the private sector because we need to find a balance where every company doesn’t feel like they have to report every phishing email but by the same token it cannot rise to the level of, oh, by the way, we’re completely (owned ?). That’s not good for the company and that’s not good for the government. We don’t want to be inundated with information we can’t use. We don’t want to have information that comes too late for it to be useful to defend the companies – other companies or ourselves.
James Andrew Lewis: So let me ask a question that came up when I was talking to Anne in the prep call. And I’ll ask all four panelists, maybe starting with Tom. She said to make this sustainable, to make this EO work, you need to bring the market in. So what advice would you say to bring the market in, get the market behind what we want out of this EO on more secure software and better cyber hygiene? Tom, do you want to start? Or, Jeff, do you want to start? It’s up to –
Tom Fanning: Yeah. I mean, I’ll just throw a quick comment out and turn it over to my buddies on the panel.
But value is a function of risk and return. And we ignore at our peril the risk of not being protected, either internally in all of our enterprises but also as we operate with our vendor contacts, with our employees in the broadest sense, and with our partnership with the federal government. So we must require as a matter of value creation and preservation a different way to think about what we’re doing.
The last comment I’ll just make, I mean, that’s the market, but in some ways national security is not a function of the market. It’s a function of all of the powers of government, whether it’s Commerce or Treasury or State or Defense or our sector-specific agencies. All of that must be brought together in a – in a collaboration, not cooperation, with the private sector to protect America.
James Andrew Lewis: Jeff.
Jeffrey Greene: Jim, if I could jump in, you know, thinking back to when you and I first started talking about cyber – 2009 and ’10 – one of the questions was the market for security. And then my sense – my hope was that we could create market demand for secure products, and I was generally disappointed that the demand in the market – and I’m not one that ascribes to the market is broken, because the market does what it does – but there was not significant demand for security in products. When I came back to the – or came to the NSC a few months ago and we were having that conversation, my immediate reaction was, well, no, the market doesn’t do that. And then I realized that I hadn’t changed my thinking much since 2009 and ’10.
So I do think that the EO has created an opportunity to have a market drive for secure products for two reasons. One, as Anne talked about, we are using the power of federal purchasing power. So if we’re going to require companies to build more securely they’re unlikely to build two different versions of their product, one less secure for the public and one more secure for the government. And that will, hopefully, create some good copycat effect.
The second is we’re in a different place. You know, as Tom was saying, if you’re waking up now you’ve really been asleep. So I think in general both industry and individuals are much more attuned to cyber as a risk to their wallet and their privacy, so I think there is much more of an opportunity to create that market demand. And the visibility pieces of the EO that, you know, frankly, Anne pushed really hard on have an opportunity to create market demand that will help drive security.
Kelly Bissell: Jim, if I could just add to that, the problem is for the last 30 years we’ve had an incentive for a minimum viable product, just like what Jeff was talking about: Get the product out the door and then let your users find all the defects. I mean, that’s really what the software market has been driven for the last 30-something years.
And so if we’re going to change the incentive, which is what this EO does – meaning if you produce secure products, then the federal government will buy it. But it doesn’t stop at the federal government. It will bleed very, very quickly into the private sector because of what Jeff just said. You’re not going to have two different versions of the product.
So, to me, that is the most impactful thing in this EO that will change behavior, and now we got to just follow through with it. The problem is, you know, we’ve had EOs since – I remember since the Clinton administration. So what’s the – what’s the difference of this EO versus all the rest that have been put out for cybersecurity? And I think it’s how – how we implement it.
Because – and this is where – Tom was talking about it, I think. He said, you know, 87 percent of the – of the U.S. is really the private sector, which is true. We’ve got to bring the private sector in with CISA so that we can actually create a practical sort of real-time, bidirectional, systematic sort of process to make this EO work. Because if we don’t – if it – if it falls into an audit mentality – then we’ve lost an opportunity.
James Andrew Lewis: That’s really helpful. I think that everyone wants to avoid the audit-and-compliance model, so we all agree on that. How we avoid it is another matter.
Bill, you’re in one of the industries where cybersecurity is – it’s an incentive. It’s a market differentiator for you. How do you see bringing the market in? How do you get market forces not only in the telecom sector, but broadly?
Bill O’Hern: Yeah. I see the market’s going to evolve here, right? Security can’t continue to be a bolt-on capability, right? It has to be embedded. It has to be when you buy a service you’re not just buying a service; you’re buying quality, reliability, and security as an element of that. And now, in the EO, I see that’s what really is driving from a procurement perspective, and that’s really going to help drive industry to start to include security as that third leg of the stool, you know, as we think about secure products.
There are a few challenges here, right? And I sit squarely in, you know, as a network provider, 5G as a platform, and I can see the data and the trends that’s occurring. And that’s delivering massive, massive IOT connectivity. I think IOT is going to be a challenging space for us to collectively figure out how do you establish some level of standard in those IOT devices where they’re very difficult to, you know, do a software update to or, you know, configure, right? And it’s kind of like when you go to the store and you buy a light bulb. You can screw it in and be pretty sure it’s not going to burn down your house because it’s got the little UL, right – Underwriters Laboratory – on it. But IOT devices, I think we need some element in that space that’s very consistent so that customers don’t have to be, you know, doctor – system administrators to manage their home environment.
So there are some challenges in the – in the complexity that I see, but I think there’s opportunity here in the – in the way we’re going about the EO.
James Andrew Lewis: Whatever you guys have been saying has clearly inflamed the audience because we’ve got 15 questions, so I’ll try and summarize some of them. We won’t hit them all, of course, but we’ll try.
We got one that I think is interesting from our old friend Joe Weiss on industrial control systems. And, Jeff, I know you and I have talked about this. But what are the implications of the EO for industrial control systems? Where do you think we’re going forward?
And all of you, since you’ve all touched this deeply, everyone jump in. But I don’t know who wants to start. Jeff?
Jeffrey Greene: Sure. So, first, Joe, thank you for that question and thank you for your leadership on this issue over the years. I know it’s something that has been near and dear to you and you have pursued.
So I would say that two areas – so the EO is, obviously, not directed at control systems. There are two areas that I think it will help us.
First is in the IT space. If you look at the Colonial Pipeline incident, that was a, as we know now or currently understand it, a purely IT event that caused a shutdown on the OT side because of a legitimate concern that the threat could jump. So the development of more secure software on the IT side will help security on the control-systems side.
But certainly, the United States government runs control systems. We buy SCADA software. So that software is going to have to be built to the security standards that we put out there, generally speaking. So I think this will help. In the same timeline that it helps IT security, it’ll help control-systems software security.
Last piece that I would say is we are separately very aggressively working on different parts of the control-system world, the critical-infrastructure world. The president has announced the industrial control systems cybersecurity initiative. The electricity subsector effort is underway. We have some parallel efforts that we’re working on behind the scenes here which will come out in the coming weeks and months. It is something that we are very aware of, and I would say that a significant amount of my personal time since the EO was signed has shifted to working on those efforts and keeping them driving forward. But there’s a great team here behind the scenes who’s working on that as well.
James Andrew Lewis: Tom, you’ve certainly done –
Tom Fanning: When I was – (inaudible) – working with Anne on those things.
James Andrew Lewis: Good.
Tom Fanning: You know, at the end of the day it’s hard to separate them because I always view this thing as a beachhead. OT is kind of the enemy that has reached the beach and doing something operational. The IT side can do a lot in the ocean to prevent the guys from reaching the beach.
There’s a whole lot of interesting work going on to secure both spaces in a way that’s totally different than what we’ve done in the past. And again, I’ll applaud the NSC here, and Anne and her leadership. Moving out on the OT side is probably a really smart thing to do. We’ve got to follow it with the IT side and link those things together as a unified defense.
James Andrew Lewis: So while you were talking we got a bunch more questions. Again, I’ll do a couple of them.
One of them was on the concept of zero trust, which is popular to talk about these days. It’s in the executive order. I don’t know who wants to start. Kelly, do you want to talk about zero trust, where you see it going?
Kelly Bissell: Yeah. I think that zero trust is the right way to look at it because you have to assume – it is what it says. It said don’t trust any of the transactions inside the company. So we have to interrogate all of those transactions for all the employees, but even, you know, other users like contractors or even vendors that are in our ecosystem of our network. So I think that’s the way to detect better bad things that are occurring, whether it’s regular fraud, if you will, or really bad actors in your network trying to do things they shouldn’t. So that zero trust takes layers of not only the user-access function, but even the business transactions that occur. And then what – based on what their user profile is, what they should or should not be doing.
And so zero trust is something that we have to really dig in deep on the inside, but before we even get to zero trust I think we still got to get better – be brilliant at the basics, if you will, because most of these ransomware attacks is really elementary stuff that they’ve gotten through. So I actually think the companies need to change their mindset, too, to not a risk-based approach but a thoroughness and effectiveness approach. And I think that we got to really rethink about how we approach these security controls outlined in the EO and apply zero trust inside the company.
James Andrew Lewis: You know, it couldn’t be an event on cybersecurity in 2021 without mentioning the word “ransomware,” and so we’ve received quite a few questions on ransomware. I have mixed views on it. In some ways, you know, a defensive crouch isn’t going to fix it. We need to think of ways that penalize the people who are doing it. We need to think, maybe, about ways to interfere with their command-and-control infrastructure. But let me invite all four of you, if you have thoughts on ransomware you’d like to share with the audience. It’s clearly – it’s a – it’s a topic of interest to them.
Kelly Bissell: Maybe since I brought it up I’ll start and then I’ll keep it really short.
But you know, I think the rise of cryptocurrency has actually fueled the ability for ransomware to thrive. And our willingness to pay the ransom to unlock the systems is also fueling that capability to drive more ransomware attacks. And so I think, as companies, what we have to do is think about how do we – how do we solve this problem.
It might be some more transparency around cryptocurrency payments so we can track that through law enforcement. Or it might be how do we really look at our own infrastructure that is allowing ransomware and increasing our ability to actually stand up, quickly rebuild our environment so we don’t have to pay. So I think we have to change the equation here on ransomware.
Bill O’Hern: Yeah, I would agree, if I can jump in. You know, when we think about this, I think – and you kind of talking about zero trust. I think, Kelly, you’re right on, right? You don’t just jump to that model. There’s elements that we can do today that are really, really important.
And so, you know, I start back with authentication. And we really need to improve our authentication across the board. Multi-factor is great, but I even think there are ways to add attributes to that that will even improve it.
I think the other is we need to think a little bit more about micro-segmentation, right, so these ransomware attacks don’t have the ability to propagate. And we can do that with tools and technology that we have today – software-defined networking, ways we can really shrink-wrap security around the core jewels and elements within your environment. Don’t try to just put everything behind one big firewall, right, and you know, then you’ve got to poke 50 holes in that firewall for every service behind it, right? Architecturally and design-wise we need to take a different approach and really use the tools that are available today.
And that leads you down the path toward zero trust. But it’s in measured steps that we can take.
James Andrew Lewis: Great.
Tom Fanning: And I’ll just add one more thing. Strategically, the way Solarium is conceived is based on three big principles.
One is to shape behavior in cyberspace. So we use all the tools of state – again, State Department, Treasury, Commerce, Department of Defense, et cetera – to make sure that we understand what the right way to behave in this new world should be.
Second is to impose cost, this idea of persistent engagement. We’ve got to be out there. If we’re left in the mode of, hey, somebody’s attacking Southern Company, I call somebody else, and you go try and do something, that’s not good enough. It’s too slow and it’s inefficient.
The third is, as I think a lot of the commentary here is dwelling on, is to deny the benefits – create a regime inside your company that hardens it, that understands a sense of priority, and everything else.
But those three things, taken together – shape behavior, impose cost, deny benefits – is the way to really start to reduce the threat in the cyberspace threshold. And wouldn’t it be great that if somebody tried to extort Southern on a particular critical piece of infrastructure that they were taken out almost immediately by one of the folks that holds the bad guys accountable. These are the kind of behaviors that we need to shape in our own country.
James Andrew Lewis: Amen to that. That would be good to do, and I think that would make a big difference.
I promised Jeff I wouldn’t ask him this, but we’ve got a couple people who’ve raised it. So I’ll – let me ask him a question, which is how does the EO link to the other actions we see the White House thinking about, such as in the infrastructure plan? If you want to dodge that and just answer it as a yes or no question, feel free. But where does this fit in with the larger approach that the White House is taking?
Jeffrey Greene: I think the – I don’t know if it was you or Anne; someone used the word down payment or first step. So they all – I’m going to – I’m hitting the cliché button. They all both build and interconnect. The software pieces I talked about, the control-system software or IT software, that is going to help us on the critical-infrastructure side.
When we move into specific critical-infrastructure sectors, the partnerships that we build both in development of the EO and in the rollout are going to help us find the right balance of detailed descriptions, but also understanding that we can’t get too in the weeds of thou shalt do X and Y or we’re creating – even if we were to create a solution for today, it wouldn’t exist into tomorrow.
I do want to raise – touch on one point that Bill said that I really want to drill down on, the authentication piece, and this does bridge to some degree. So I’m going to view this as a partial answer to this question as well.
So if you look at the EO where we talked about ZTA, about zero trust architecture, we discuss it in two places. There are two ways. One, build towards ZTA. As you make decisions today for the long term, it should be towards having that architecture in place in the future. But then we step back and say, and look at what technologies you can deploy today that will have a significant impact, develop a plan and a timeline to deploy them, and authentication is one of the ones, frankly, I had in my mind – both device and personal individual authentication.
So there are things that can be done now out of the EO and we can model that behavior in the government, hopefully, as we look towards the private sector, whether critical infrastructure through control systems, critical infrastructure in the IT and financial world as well.
James Andrew Lewis: Great. We have time for a couple more questions. Not a lot of time. But let me ask one to the private sector members of the panel first. Jeff, you can jump in, of course. But what would you want from Congress? What do you think Congress needs to do next? And, Tom, maybe we should start with you since you’ve done such a good job steering the Solarium Commission. What should Congress do next?
Tom Fanning: Yeah, the Solarium Commission, it’s a full team effort. I haven’t been steering hardly anything. But I’ll say this.
James Andrew Lewis: (Laughs.) Well, you’ve been (helping ?), at least.
Tom Fanning: As a part – we were talking about this before we went live – most commissions in America kind of rise and fall and nobody really notes their existence, and they become a dusty book on some dusty shelf.
Fully half of the Solarium recommendations are already in the law. We’re working very hard and we’re very, I think, excited about the possibility of getting the vast majority of the Solarium Commission’s thorough report put into place.
You know, I walk the halls of Congress all the time. I make it my business to know the folks in the administration. And my sense is, you know, working with those folks, talking about cyber, they all get it, but it’s, like, you invite Jim out on a beach and I say, hey, Jim, look out over the ocean. There’s this violent submarine warfare going on, and all we see are the waves, and the only time we ever see cyber evidence itself is when something cataclysmic happens.
So people get it’s a big deal. Nobody knows what to do about it. In my own existence, I was a CIO for some period of time. Most days I thought that stood for career is over. That’s a hard job. (Laughter.) The Solarium Commission report provides America a playbook in which to make America safer and it does reimagine the relationship between the private sector and our national security elements, including the Department of Defense, et al.
So faithfully using that structure, improving on it where people have good ideas, and implementing that into law is something that is happening and will continue to happen, and I would just recommend anybody that hasn’t read the executive summary, it’s pretty digestible. Take a look at it. It’s something we should do.
James Andrew Lewis: Kelly?
Kelly Bissell: Yeah, look, to be provocative a little bit, I just don’t think Congress is equipped to address the cybersecurity issues that we’re talking about. Maybe the best thing to do is to empower CISA so they can actually drive change, not only with the federal government or government as a whole but also the private sector, in line with the regulatory bodies that affect them. So in Tom’s world, you know, NERC, CIP, and DOE and others. But if you’re in a bank, it’s the FFIEC, the Federal Reserve Board, the OCC.
So I think maybe what we do is we empower CISA to work with the regulators so we have consistency and practicality to those regulations, not Congress.
James Andrew Lewis: OK, Bill, any thoughts on Congress?
Bill O’Hern: Yeah, yeah. I would align with Kelly on this one; not necessarily Congress. I like the idea of empowering CISA and really driving it through there.
I would bring up, though, that I think we all collectively have one big challenge, and that is the cybersecurity skill set, trying to staff and get people into these jobs, the diversity of candidates. I think collectively as a nation we need to invest more in the talent development, the skill set of cybersecurity. I know we’re starting to see it more now as an accredited, you know, college, university. But I have to tell you, it’s tough to get really good candidates. And we bring them in and we train them. But the market’s hot and it’s hard to retain them.
So I think that the skill set is something as a nation we need to think about as a core skill set that we need, right along when you think of the STEM type of approach.
James Andrew Lewis: We’re still getting questions. We got one on CMMC and the relationship to the cyber maturity model that DOD has put up. I don’t think we have time to go into it, which is unfortunate, but if any of you want to jump in.
Let me ask you one that’s a little broader, though. And this is for all the panelists. What do we do next? What’s your priority list for cyber? What do you think we should do right off the bat, after the EO? And then maybe, if there’s time, what should the next EO look at? What should the next EO do? So what do we do now? What do we do later?
Bill, you’re still on the screen. Do you want to start?
Bill O’Hern: Yeah, sure. So, I mean, digesting the EO, there’s a lot of initiatives packed into this thing. And so, you know, it’s – you can’t do it all at once, but there are obviously solutions in place today that we can go and implement. And we’ve got to get behind this thing. We need to support it as an industry. It’s really good work. It’s great work that they got it out so quick.
So, you know, from our perspective, we’ve got good standard bodies, the NIST and 3GPP. We’ve got to leverage those. And again, I like the idea of empowering CISA here. But there’s a lot of opportunity for all of us here.
James Andrew Lewis: Great.
Kelly Bissell: Yeah, I would say, look, I am super glad that this EO has come out, because I do think it’s going to make an impactful change, especially if we can band together in the private sector and work with CISA on it.
But what’s the next five years? You know, I think we should be skating to the puck, like Tom was talking about, where, you know, what about smart cities? What about wearables? What about Edge computing and connected car and all these other things? We’ve got to really move as quickly as we can on a similar ICS or OT EO, I believe, so we can also set the direction. And then I think that we’ve got to look ahead, because right now innovation is outpacing our ability to secure it. So if we can actually embed security in the design phase of all new innovations and move away from MVP and a mobile product, then I think we’ve got a chance to look really good five years from now.
James Andrew Lewis: Jeff, let me ask you. You can dodge this one because it’s – everyone would love to know what you’re planning for your next move, but you may want to dodge it. But what do you think we should do next?
Jeffrey Greene: So we need to focus on implementation. When I think about within Four Corners and the many different pieces of EO, implementation and a little bit of patience, because the good things that the EO will hopefully do are going to take time, first, to roll out in terms of getting the impacts. And then getting that security benefit into the community is going to take time. It’s not immediate.
So an article in six months that says the EO failed is an article that was written way too soon. If someone does an analysis four years from now and says, look, we didn’t get more secure software, then that would be a fair analysis. But a little bit of patience.
I would echo what Kelly said. Looking at critical infrastructure from Oldsmar to Colonial to, frankly, even, you know, the Texas shutdowns, we’ve seen what we should have known, the reliance we have on critical infrastructure.
But I think the other thing that we need to be working on now that we’ll see the benefits three to five years from now is that zero-trust architecture. As companies start up or companies move to new networks or the federal government upgrades, ZTA has to be a core concept.
And I’ll do a quick plug for my home agency, NIST, and my home office at the National Cybersecurity Center of Excellence. They are in the build phase now of a really significant ZTA project that will be applicable for the public and private sector; many different looks at how you can install all or parts of ZTA to add security.
And the goal – this is really important – the goal is not to create the perfectly secure network, because there’s no such thing. The goal is to create the network that makes it really hard for the adversary, first, to get on, and then, second, to be able to move around. And that is what ZTA, when we get there, will really move us to.
James Andrew Lewis: We got more than 20 questions, so you people were inspirational. But we didn’t have time to get to them. I apologize to those who we didn’t get to.
But let me ask Tom if he has the final word here on what we should do next.
Tom Fanning: Well, look, the final word is there’s a whole set of comprehensive actions. But I think it is – America needs to reimagine the relationship for national security between the public and private sectors. I’ve said that a lot. And that’s a pretty full answer.
But let me say this as a closing comment, if I could, Jim. Very happy with the Biden administration’s approach so far. Part of getting a good approach is getting great people. And when you think about Anne Neuberger, you think about Chris Inglis, you think about Jen Easterly, these people are patriots. They are giving way more than they’re taking in this enterprise. And I think it will make us all better as a nation. So thanks to them.
James Andrew Lewis: Well, I’d throw Jeff into that too. It’s a really great team that they’ve pulled together pretty quickly.
Tom Fanning, Kelly Bissell, Bill O’Hern and Jeff Greene, thank you very much for doing this panel. And I’ll talk to you soon. Thank you.