Breaking Down the 2024 Cyber Summit

On June 6, the Ritz-Carlton, Pentagon City was packed with over 300 knowledgeable cybersecurity experts and government contracting industry professionals for the Potomac Officers Club’s 2024 Cyber Summit. It was a full day of fast-paced networking, in-depth speeches and exciting panel discussions.

Below you’ll find highlights worth remembering from the day’s sessions.

To browse a list of upcoming POC-hosted events, click here. Be sure to save your spot now for one of POC’s most anticipated upcoming events: the 2024 Intel Summit on September 19. Intelligence Advanced Research Projects Activity Director Richard Muller will be delivering a keynote address.

Opening keynote: David McKeown, Deputy Chief Information Officer for Cybersecurity and Senior Information Security Officer at the Department of Defense

Primary takeaways:

• DOD’s top 10 cyber priorities:

1. Zero trust
2. Defense industrial base and IT product/supply chain risk management
3. Critical infrastructure & weapons systems
4. Secure application development
5. Risk management
6. Cybersecurity culture & cyber workforce
7. Encryption
8. Insider threat awareness
9. Cloud
10. Artificial intelligence

• ZT implementation has brought very little resistance, as opposed to CMMC, which gets a lot of pushback
• Not prescriptive about how DOD components get to ZT
  • Gave them a strategy book and let them go from there
• OUSD(A&S) was “in a rush” to get CMMC 1.0 out, deviated from NIST SP 800-171
  • 2.0 remedies this, adheres closer to 171
• CMMC 2.0 doesn’t put same financial burdens on companies not dealing with very sensitive CUI
  • Also reduces complexity from 5 levels to 3
• “AI can turbocharge just about everything you want to do”
• GovCon Wire coverage

Panel: “Leadership in the Age of AI and Data Analytics: The Evolution of Cyber Protection”

Participants: Joshua Black (DOD Cyber Crime Center), Christopher Cleary (ManTech), Roselyn Richardson (Air Force Research Laboratory) and moderator Bill Geimer (ECS)

Primary takeaways:

• Data needs to be high quality for AI to be effective
• Richardson: AFRL struggles with poorly tagged & organized data
• Geimer: AI = Catch-22 from security perspective, because systems need to learn from outside data + you don’t want your data exposed.
• Cleary: tech like AI has given advantage to more junior members on staffs because of their digital native status.
  • In some cases they have more to teach senior officials than vice-versa
• Deep fakes are example of how AI already being used for ill by adversaries
• Black: DOD C3 created a Cyber Training Academy in wake of Covid-19
• Richardson: Similarly, AFRL created digital capability instructor to deal with digital transformation efforts
  • “We’ve created a flat organization at the tactical level of the organization so that we could have these cross-functional teams to work all the aspects from architecture to data to AI to cloud, to whatever it could be. And so we’re trying to mesh all that together.”
  • Focused on upskilling and digital skilling

• ExecutiveBiz coverage

Panel: “Improve Cyber Threat Response With Collaborative and Secure Information Sharing”

Participants: Moderator James Donolon (Oracle), Jeanette McMillian (Office of the Director of National Intelligence), Michael Molinari (Accenture Federal Services), Vu Nguyen (U.S. Department of Justice) and Sarah Nur (U.S. Department of the Treasury)

Primary takeaways:

• Nur: As more tech is procured from industry, all users (including gov) need to be vigilant about risk education
  • Industry needs to notify gov ahead of time when risky situations develop
• McMillian: Embrace of commercial tech has increased surface area of cyber risk
• Molinari: Public-private partnerships provide pathway for educating on + building better cyber hygiene practices
• Nguyen: In future with AI, looking to integrate across operational and compliance data, look at operational risks, use modern tech to address
• McMillian: 5 technologies to focus on to maintain advantage: AI, quantum, biosecurity, autonomous vehicles, semiconductors
• Nur: Today’s challenge with AI/cybersecurity = detecting “tiny hairs” of malicious activity
• McMillian: industry can make software safer by supporting federal CISOs
• GovCon Wire coverage

Panel: “Third Party Cyber Risk in Public Sector Supply Chain”

Participants: Amy Foy (Nightwing), moderator Renee Wynn (RP Wynn Consulting LLC), Brian Peretti (U.S. Department of the Treasury) and Kanitra Tyler (NASA)

Primary takeaways:

• Foy: Supply chain people not always popular, because they slow processes down
  • “Sometimes we have to slow down to speed up”
  • Close communication, explaining benefits of compliance is key
• Peretti: Pushing back on the vendor to make a patch when a vulnerability is exposed is key
• Foy: “Supply chain needs to have a seat at the table as soon as the opportunity’s identified.”
  • Often when a GovCon is looking at an opp, most other departments are involved but not SC
• Tyler: With help of White House + OMB, “we are hot and heavy into meeting the requirements of memorandums M-22-18 and M-23-16 with the secure software development self-attestation.”
  • “Hello my software publishers, I’m your best friend”
  • NASA “imminently” releasing a memo co-signed by its deputy chief acquisition officer + administrator for procurement; want to include all partners and software publishers to ensure success for NASA and the gov.
• Tyler: Emphasized the everything bill of materials a.k.a. XBOM.
  • “When something changes in what you’re delivering, we want to know about it…hopefully will be part of that FAR rule that, hey, it’s not just what you delivered today, but if you’re going to change it down the road, we need to know about that change.”

Panel: “Implementing and Managing AI in Government”

Participants: David Carroll (Cybersecurity and Infrastructure Security Agency), Shane Barney (U.S. Citizenship and Immigration Services), Dan Kent (Red River Technology) and moderator John Dvorak (Red Hat)

Primary takeaways:

• Carroll: AI = critical in making leap from data to decision.
  • “Data must become information, information must become action”
• Carroll: CISA’s superpower = give reliable answers, can’t do that without AI
• Barney: USCIS increasing funding for AI security
• Barney: When quantum becomes part of AI discussion, it’ll be entirely an new technology
• Kent: U.S. shouldn’t put too many controls on AI, risk falling behind other nations
• Barney: AI policy should be driven by fluid nature of how quickly threat environment is evolving
• GovCon Wire coverage

Panel: “CMMC: Is Your Company Cybersecurity Ready?”

Participants: Yasmine Abdillahi (Comcast Business), Derrick Davis (DOD Office of Small Business Programs), Karen Evans (Cyber Readiness Institute), Kelley Kiernan (Defense Acquisition University) and moderator Edward Tuorinsky (DTS)

Primary takeaways:

• Programs helping businesses with cyber hygiene & cybersecurity:
  • DOD’s Project Spectrum
  • Defense Acquisition University
  • Cyber Readiness Institute
• Kiernan: NIST SP 800-171 not just for companies working w/ fed gov. Instead, national standard that all companies should implement.
  • Helps protect intellectual property
• 80% of U.S. small businesses have less than 20 employees, which likely means they don’t have an IT person
  • Kiernan: businesses need to have IT professionals who can help implement cybersecurity
• Abdillahi: Businesses need to cultivate a cyber culture at most foundational levels so that cyber hygiene is elevated holistically
• Evans: Need cyber leaders, but they may not need to be “cyber professionals” — they need to deeply understand the organization’s mission

Panel: “How Important Is Network Security in a Zero Trust World?”

Participants: Dr. Curtis Arnold (Core4ce), Lt. Col. Frank Jamerson (U.S. Air Force), Kathryn Knerler (Office of the Director of National Intelligence) and moderator Bill Nystrom (Telos Corporation)

Primary takeaways:

• Knerler: IC taking all-encompassing, “all-means-all” approach to zero trust adoption
  • But ZT also = learning process, aims to bring people along
  • “Zero trust is about integration”
• Jamerson: Coalition partners need to be baked into CJADC2 concept early, figure out how you do that with ZT
  • Integrating ZT with CJADC2 is a “puzzle”
• Jamerson: PEO C3BM discussing how to keep in mind potential performance tradeoffs with mission impact; AI = force multiplier
• Arnold: ZT = pivot to data-centric approach, need to make sure users are trained and versed in it.
  • As adoption spreads, becoming closer to creating a risk standard across organizations.

• GovCon Wire coverage

Afternoon keynote: Capt. Michael Cribbs, Deputy Commander of U.S. Coast Guard Cyber Command

Primary takeaways:

• CGCYBER has 3 main lines of effort: defend, protect, operate.
• Defend = primarily safeguarding USCG IT enterprise, a.k.a. Coast Guard Enterprise Mission Platform. Mix of physical and cyber/cloud endpoints.
  • Field and maintain network computing devices
  • Zero trust implementation also key
• Protect
  • Protect Marine Transportation System from cyberthreats
  • Cyber risk management
  • New cyber strategy
  • Approaching maritime cyber risks from same paradigm used in physical domain
• MTS = “indispensable part of U.S. economy”; supports $5.4 trillion or 25% of nation’s economic activity.
  • Hacks against MTS executed every 39 seconds; average impact of $3.86 million per hack.
• In response to a Feb. Executive Order, CG began developing cybersecurity regulations for facilities & vessels Coast Guard regulates
• Operate
  • USCG is continuing to field more capable ships, aircraft & unmanned systems

• GovCon Wire coverage

Closing keynote: RADM Christopher Bartz, Deputy Chief Information Officer of Department of Homeland Security

Primary takeaways:

• Secretary Mayorkas pushing for DHS to be “non-DOD AI leader”

Steps it’s taking to get there:

• CIO Eric Hysen tapped to be first-ever chief AI officer at DHS
  • CAIO will develop DHS AI internal policies; set strategic priorities for AI deployments; & coordinate AI-related efforts in partnership with DHS components
• New AI governance board
  • Had first meeting in May
• DHS released its first AI roadmap in March
• DHS AI Corps
  • Announced in February; DHS aims to hire 50 AI experts
  • 7 members thus far
• GovCon Wire coverage