Cyber Security Dispatch


Keeping the Lights On - An Interview with Arthur House, Chief Risk Officer for The State of Connecticut.


INTERVIEW WITH Arthur House, Chief Risk Officer for The State of Connecticut:

CYBER SECURITY DISPATCH: SEASON 01, EPISODE 10
 

Show Notes:
On today’s show we welcome Arthur House, Chief Risk Officer for The State of Connecticut. With the growing risk of cyber crime, it is not just businesses and privately owned enterprises that are in danger. National security and state infrastructure also run the risk of attack in this world of cloak and dagger. Arthur House, who heads up the state-led defense against cyber crime, is here to tell us all about the groundbreaking work he and his team have conducted in the past couple of years. The Connecticut model, as it has become known after its success, really took national cyber defenses a step forward, and Arthur is here to give us his insight into this process as well as to look forward to what some may see as an uncertain future. During our conversation, Arthur stresses the importance of collaboration and communication between all parties involved in the battle against cyber attacks, and a key takeaway from the episode is the idea of resilience to instances of danger rather than some false idea of prevention.

Key Points From This Episode:

  • Arthur’s background in International Relations and role in the Obama administration.
  • The new challenge that cyber security poses to the state commission.
  • Highlights from the important process of the Connecticut cyber security report.
  • The meetings that followed this report process and what contributed to its success.
  • Differences between public utilities and the general business sector.
  • Responding to the ongoing and evolving challenge of cyber crime.
  • The idea of cyber resilience replacing that of security.
  • Better communication and cooperation across the board to aid this issue.
  • Responding to the potential foreign threat and timely recovery from it.
  • And much more!

Links Mentioned in Today’s Episode:

Arthur House — https://csi.uconn.edu/cyberseed-speakers-2017/arthur-house/
Connecticut Cyber Security Report — http://portal.ct.gov/Office-of-the-Governor/Press-Room/Press-Releases/2017/07-2017/Gov-Malloy-Releases-Cybersecurity-Strategy-for-Connecticut
C2M2 — https://www.energy.gov/oe/cybersecurity-critical-energy-infrastructure/cybersecurity-capability-maturity-model-c2m2-program
Eversource — https://www.eversource.com/content/
Avangrid — https://www.avangrid.com
Connecticut Water — https://www.ctwater.com/
Aquarion — http://www.aquarion.com/CT/
Dr. Ron Ross — https://www.nist.gov/people/ronald-s-ross
NIST — https://www.nist.gov/
National Geospatial Intelligence Agency — https://www.nga.mil/Pages/Default.aspx
Belfer Center — https://www.belfercenter.org/

Introduction:

Welcome to another edition of Cyber Security Dispatch. This is your host Andy Anderson. In this episode, Keeping the Lights On, we talk to Art House, Chief Risk Officer for the State of Connecticut. After a career in the intelligence space, Art was recruited to the State of Connecticut initially on the risks facing utilities (power, water, gas), the places where cyber can quickly become kinetic. His approach for bringing government and private sector together has become literally a model for collaboration worldwide. Now, onto Art to hear how he tackled these interesting challenges.

TRANSCRIPT
[0:00:03.3] AA: We can cut stuff that isn't good for the podcast, but that way – sometimes I get talking and then I forget to turn it on and I'm like, “Shoot, we lost a bunch of good stuff.”
Well, awesome. I guess, a good place to start would just be you know for people who don't know your background and kind of how you ended up in this role, I'd love to just start there.
[0:00:28.0] AH: Sure. Well, my background is mainly in international relations, but I've done some corporate stuff and communications as well. My job in the early part of this decade, I was with the intelligence community in the Obama Administration. I was with the Director of National Intelligence and then with one of the operational agencies, the National Geospatial Intelligence Agency.
The reason that's relevant is that I was appointed to come back to Connecticut which is where I’m from, to chair Connecticut's Public Utilities Regulatory Authority which is Connecticut's Public Utilities Commission. When I was leaving Washington, there were people in the intelligence community in Washington and also at the Energy Department who met with me and pointed out that there is a national interest in the cybersecurity issues related to critical infrastructure, meaning utilities.
So gas, natural gas, water, electricity and so forth are vulnerable to cyber-attack, and yet they are not for the distribution of those vital services, they are not under the purview of the federal government, they are state regulated just as for example the insurance industry is state regulated.
That was a matter of concern to people who are in the national security community because they are concerned about foreign entities, both nation-states and private entities penetrating our critical infrastructure distribution networks. They pointed out that the public utility commissions are not in shape to take on those threats, to regulate them for several reasons.
They noted that me going up to Connecticut to do this, but they asked if I might be interested in doing that given my background in the intelligence community, to look into cyber security and see if Connecticut could take some initiatives in that area. That's the background. There are a couple of reasons why utilities have difficulty getting into this and what happened in Connecticut, but that's a summary answer to your question.
[0:03:14.4] AA: Yeah. I think, I hadn't realized before I started poking around in this space the sort of divide between production and distribution, that some of the sort of transmission lines and then production facilities are under federal control, or at least oversight, but then the local distribution isn't. That's just a historic – am I getting it right? That's just sort of historic when that was organized?
[0:03:48.4] AH: That's exactly what it is. It's under state control. The regulators in the states have their hands full, Andy. There are, well let's see, a small Public Utilities Commission would be say there may be some that only have three or four people. They do go up to five or six or seven, but let's just using round numbers let's assume they're about five per state in 50 states, you got 250 regulators.
Of those when I came on only four had security clearances. Of those, I think most of them did not have top secret. They're just secret security clearances. They were not in a position to know about what all the threats were. Secondly, most public utilities commissioners are lawyers or financial people or engineers; often they have worked in state government, some are former state legislators, and they have their hands full.
They regulate natural gas, water, electricity, sometimes telecommunications and sometimes other things such as they get into taxis or ferry boats or things. They do law, they do finance, they do engineering, they do mergers and acquisitions, rate cases, storm reviews, all that kind of thing. Their resources are limited and they do not have personnel in cybersecurity, so that as cybersecurity has risen as an issue, the state Public Utilities Commissions looked on this as a new challenge for which they had neither personnel nor budget resources.
It's been difficult. I say that with great empathy for my colleagues in that field. I mean this is a – you've already got more work than you can possibly handle across a broad array of both subject matters and technical dimensions and now the people are saying and what are you doing about this new challenge?
Yeah, it is very, very difficult for them to take a look at this. I had the whatever, either the disadvantage or advantage depending on how you look at it. I'm not an attorney. I'd done some finance work before, but I did not have the normal background for a public utilities commissioner and I was very concerned about cybersecurity having worked in that area when I was in Washington.
I talked to our governor, Governor Malloy here in Connecticut and pointed out that this is a very serious danger facing the states and recommended that we get involved in it and he was extremely supportive and said, “Go ahead.” That's what we did; we put together a strategy and then an action plan for Connecticut to become involved in cybersecurity threats to the critical infrastructure.
[0:06:50.6] AA: Yeah. I had a chance to review parts of that report, which were great. I mean it was sort of very my background and a lot of our listeners background is not sort of a deeply technical one. We're interested in the space, but we're not you know we're not writing code and reading code. It gave great history and some really interesting strategies for how to tackle it. We'll definitely link to that report if that's okay –
[0:07:24.6] AH: Sure. Please do.
[0:07:25.4] AA: - on the deficit, because I think it's a great place for people to start, but for those who haven't read it what are the highlights and top points that came out of that report and that process?
[0:07:36.3] AH: Sure, sure. Well, first of all I should say that every state has an Emergency Management Authority and they face different kinds of threats. In California you have to be ready to deal with forest fires and floods and so forth. In the Midwest you often get tornados to look at. On the East Coast, everybody on the East Coast occasionally gets a hurricane. I'm up in New England where we also get ice storms in the winter.
Emergency response here tends to be dealing with the outages of electricity from a hurricane or an ice storm or something like that. What do you do when that happens? Even before you get to that point, how do you prevent a cybersecurity attack or penetration from taking place? Well, in 2014 I completed a strategy to address cybersecurity defense and I'd shared that with the utilities and got – gave them the draft copies and said, “How would you change this?”
By the time it was completed in 2014 the utilities were basically supportive of the effort and had had a chance to weigh in. The governor announced it and that was a big deal, because there's a difference between a regulator coming out with a strategy and a governor calling a press conference inviting legislative leadership and the CEOs of the major utilities and saying we are now going to take cyber security for our utilities very seriously and here is a strategy and I support it. That of course put it on a higher level than had I just done it on my own.
The strategy called for an action plan; given all these strategic points that are made in that document, what are we going to do about it? What we did do about it was we bargained with utilities. Now there are two ways in which you can get action in this area; one is the traditional way in which utilities and their regulators interact, which is a formal docket.
The witnesses are sworn in, it is recorded, public is invited, there are rulings from the bench, the ensuing decision is binding and it can have financial consequences and so forth. In other words, it is a formal legal process and it's called docket management and so on; that's how it works. That's usually how we got things done.
In this instance, I offered the utilities to have an informal meeting. With this, we've never done this before. The utilities face cyber security challenges and the state has decided that it needs to do something about it. Now how would you like to proceed? We can have a formal docket and that's normally the way we do business, or if you'd like we can all sit around the table and decide how we're going to manage this in the future.
I had a strong preference for the informal negotiating process because we could be more candid it would move more quickly. The utilities agreed. We proceeded to have what we called technical meetings. They were serious. I mean, you put on a suit and tie that day and you went to work and you all respected each other, but it was not recorded, it was not given the legal procedures and so forth.
We bargained and we started with one session for all utilities, and then we had sessions for each individual utility area; water, gas, electricity, telecommunications. We came up with after a lot of work just to shorten all this, we came up with an agreement that three sectors agreed to. The three were natural gas transmission, electricity distribution and water distribution I should say for all three. Telecommunications, meaning broadband and cable decided not to participate and they just opted out, and so they were not included in the agreement. The agreement called for I would say four, five basic things.
One is that there would be an annual review of the cybersecurity defense capabilities of the major utility companies. Two, the companies could choose the standard by which they would be reviewed. They all picked the same one individually. It's called the cybersecurity capabilities maturity model, or it's known in the trade as C2M2, which is like a big take home exam in which you grade yourself on how you're doing.
Third, that there would be four state officials participating in these reviews. The companies could bring whoever they wanted and the lowered. That's going to be at the company headquarters. If you want to bring in a big staff or a small staff or external consultants, do whatever you'd like. Obviously, this was sensitive information and I was interested in bringing in several state authorities. The utilities all said, “This is really sensitive. We do not want a large audience.” We agreed there would be four state officials; two regulators and two emergency managers.
Fourth point was that it would be confidential, that the information that would be shared would not be disclosed publicly except for a final report of, in other words the utility said, “We’ll tell you what's going on, but you need to protect us because we don't want you to go out and make public what is very sensitive corporate information.” We thought that was certainly fair.
Then finally, the fifth item was that the final report that was to be written on what we found would be agreed to by all the parties. It was a six-page report that was when it was finally done and was agreed on by everyone.
We finished – we wrapped that up and held the first set of meetings. We agreed on that in 2016. We had the first meetings last year in 2017. We met with the four Connecticut state authorities, met with each four different companies and I'll give you their names; Eversource, Avangrid, Connecticut Water and Aquarion.
In those meetings, we had long discussions. Sometimes they took half a day and I can talk more about how it went, but did a very thorough review of where they were strengths and weaknesses in their cybersecurity defense, as well as their recovery response and recovery capacities.
We finished the report and we issued it publicly in October of 2017. That got some national attention, because that was – I'm told that was the first time you had a structured review by state officials of the distribution capabilities of their public utilities. It came out then and we're doing it again. We're about to start the 2018 review.
I must say it was constructive. Once we went through all the negotiation to agree how to do this, then we all have the same thing. We all had a common objective which was to prove that by collaborating, we could get serious work done.
I think the state is interested in finding out what is the cybersecurity defense capability of the utilities and to make sure it's adequate. The utilities were interested in avoiding further regulation and having this communication and this understanding by voluntarily collaborating rather than by legislation and regulation. Now that's a mouthful I've just gone through. That's a long statement, but that's how we proceeded and that's how it's currently operating.
[0:16:13.8] AA: Having had a lot of conversations both in this, in thinking about regulated industry, as well as other spheres where there is concern of attack, whether that's corporate environments, or – I've actually had a lot of conversations around the electoral system and thinking through those.
I applaud you. The road to hell is paved with good intentions and there's a lot of easy ways to get off a path that's actually moving you forward. I think, the process as you described it is a really good one, because you've got multiple individuals and different entities providing some checks and balances. At the same time, you've not done it in such a public way that you might reveal sensitive information and willing to create a process that you can actually get stuff done. I don't know, if that's all your brainchild, you know hats off to you for sure. How did that come about that – was that discussion, or how did you guys come to this process?
[0:17:45.5] AH: Well, thank you for that comment. Yeah, I guess I was the architect, but I had a lot of help. Start off with the fact that neither the governor of Connecticut nor legislative leaders wanted to continue the status quo, which is what – they did not know what was going on in the utilities. If a constituent or someone were to stop our reporters, I mean and ask what is the state of cybersecurity in electric distribution, or natural gas, or water, they did not want to be in the position of saying, “I don't know.”
That just simply politically was no longer tolerable for them. They agreed to support and lend their weight to creating a new system, one. Secondly, I don't know. I worked in federal government and international affairs, my background and I realized that things that can be negotiated where everybody agrees on the outcome work better than things that are imposed.
If you pass laws, then you're going to have to do this then people will do them in a whim sometimes and they'll find a way to do just the minimum. In other words, to comply legally rather than having a cooperative working outcome. I got to hand it to the utilities as well. I thought they were – they took the appropriate approach to this. If we can get a working system that works for us the utilities, why not try it? They agreed to bargain and come up with something.
It really was a process. Frankly, it worked. I should tell you a little side story on that. When I have gone on from that to do a cyber security strategy and action plan beyond just a critical infrastructure for the whole state, I’m now the cyber security risk officer for the state of Connecticut.
As such, I do some international work because our state has been out in front on some of this. I do some work for the state department, which is seeking to help other countries strengthen their cybersecurity strategies. I was at a meeting in the Black Sea region a couple months ago and when we were meeting with a number of countries to help them with their strategies and someone from the European Union was there speaking about ways to help the regulatory relationship with utilities.
The speaker referred to the Connecticut model. Well that got my attention, because I wasn't sure exactly what he was talking about. As he proceeded to speak, he set it up as the collaboration model. In other words, if you can sit down and collaborate and agree on what the outcome is, that is one way to proceed. The other way to proceed obviously is legislation regulation.
I'm not sure how far we can take this or how far it will go, but so far at least we had a first successful year and we're about to start a second one. I think this entire relationship has a long way to go, and that 10, 20 years from now we will look back at the period of the mid-2000 teens and realize we were just at the beginning of coming to grips with cybersecurity. It probably will look quaint and rudimentary 10, 20 years from now. At least this I think is a positive start and is testing how far we can go by working together.
[0:21:33.9] AA: Yeah. I think, what I've been struck by in a lot of the conversations is, you know we always think that there's a lot of talk and think about sort of APT, Advanced Persistent Threat, like nation-state the scariest of and most advanced of attacks. Often, when you start digging into where companies are and what's going on, often even just the basics aren't being taken care of.
It's often sort of other – It's not because people are negligent, but there's often different pieces that are preventing them from actually moving forward across – to secure their environments, whether that's systems that are old but still usable or other pieces. They're thoughtful, but every decision has been thoughtfully made, but it is a compromise. Putting a negotiation framework where you can have those honest conversations is really valuable.
[0:22:49.9] AH: Well, I think you're right and there's a big difference between public utilities and other business. In public utilities, if there is compromise and shutdown, which is possible. Now just to reference this, it has happened in Ukraine and I have been doing some work and I've been in Ukraine; I'm working with the people who were managing that system.
When you lose electricity in today's world, it's not an inconvenience, it's a matter of survival. This becomes not just a would like to have, but something that has to continue. You have to have electricity. That's just a major point.
They got their hands full, but the consequences of a shutdown are very significant for the whole – the business community covers a lot of different ground. Some are extremely serious. Suppose for example you had a bank that was shut down and the bank couldn't tell you whether you had any money or not, or you couldn't use your debit card or things like that. I mean, obviously that could be disastrous. On the other hand, there are other forms of business where a cyber-attack would be an inconvenience but not the end of the world.
I mean if a convenience store got hacked or a real estate firm, it could really be a bad day for that firm, but the public might not undergo the kind of damage that would if it didn't have electricity or didn't have – or couldn't bank. Now how are we going to do this as a country? I think the public utilities model will probably nationally be some form of cooperation as we're trying in Connecticut and regulation as other states are doing, but how about business?
Business is just naturally suspicious of and resistant to regulation. They just don't want more regulation. On the other hand, what are they doing about it? Well, we found in Connecticut that half of all businesses in Connecticut have not done a risk assessment. The big ones have. I mean, here in Connecticut we have defense industries, we have a lot of insurance, financial services and healthcare, they obviously take cybersecurity very, very seriously, they have defenses and so.
If you get beyond them, especially small and medium-sized businesses, manufacturers, every dollar placed in cybersecurity is a dollar that does not go to product development or marketing or salaries or whatever. There is also a – while there’s recognition that this is a serious problem, there's also resistance to doing anything about it. Sometimes it's just hope that it won't strike me.
We're seeing that with ransom attacks, with all kinds of other penetrations that it is something a business needs to take seriously. We have not resolved that one yet. Businesses as I say, at least half of them haven't even done a risk assessment, do no training. Unfortunately, the consequences of being penetrated and hacked are very serious. You find out that a company that undergoes a hack loses customers, has more difficulty hiring employees, its stock price will fall, its brand image is damaged. It has lingering and ongoing consequences afterwards. How do we get there? That's a future challenge, but one that I think we're going to have to respond to quite soon.
[0:26:45.9] AA: I mean, at the state level are you guys trying to – I mean, not from a regulatory perspective, but at least provide resources or guidance or anything, or is that do you think that there's enough out there from the private sector to do that? I'm curious at the state level. I want to say I saw something from New York City in the last few days where they were trying to provide some resources and training.
[0:27:12.8] AH: You probably did, Andy. Yeah, you probably saw that. Okay, let's just follow on. My last report that we – in 2017 we had our first cybersecurity review of public utilities in Connecticut. The governor turned around and said, “Okay House. You're no longer going to do public utilities regulation. You will do cyber security for the whole state.”
In the autumn of 2016, I got a new job which was to try to put together a strategy and an action plan for the whole state. We put together the strategy. It's available online and governor Malloy issued it in July of 2017. You and I are now speaking at the very end of March, it's almost April 2018 and we're about to put out an action plan, or probably do so within the next month.
It answers your question, because the governor said I'd like an action plan for five areas; state government, municipal government, private business, higher education and law enforcement. Well that covers a lot of ground. The answer is that no. Connecticut is not prepared in these areas nor is any other state. We're just at the starting point.
There are some very fundamental things that we need to do in these areas. I mean, some of them are very obvious; state government needs to look at its firewalls and look at its cyber hygiene. Are the systems patched? Does it have a good culture of cyber awareness? Does it have two-factor authentication where that needs to?
Municipalities, five years ago you would not have put cybersecurity in towns and cities in the same paragraph. Now you have to, because they are sitting on valuable information, tax records, health records and so forth. Fire departments and police departments have been hacked and have been ransomed, in higher education.
There is a nationwide shortage of about 350,000 cybersecurity warriors, in other words, people skilled in defense of cybersecurity available for hire in the private sector. In Connecticut that gap is 4,000 and we need to look at the production of them, because we are not turning out nor is any state turning out an adequate number of graduates to go help the cybersecurity defenders for companies.
In law enforcement, we need to look at both strengthening our investigations capacity, the intelligence capacity to find out where the threats are, but also – Just think of it this way. If someone is trying to break into your home or your business, you call the police and they'll probably be there fairly quickly. I certainly hope they will. What do you do if you see attempts to penetrate your business online, or you're looking at people who are trying to get into your banking account, or you are hacked, what do you do?
Well, we have to as a society at the municipal level, at the state level look at who you call and who is available to help you. What are the cybercrimes? What are they? Are laws adequate? Do we have people within our police force who can help out, who can look after cyber criminals? I mean, so all of this is new terrain and we've got a lot of work to do.
I think in Connecticut we're trying to get started. The last thing you ever want to say is that we are safe, or it's working, or things are okay, because I think anything can be penetrated today. Our intelligence agencies have been penetrated, our military has been penetrated, the White House has been penetrated, major corporations have.
If somebody really wants to get into someone's computer system, they can do it. I think we need to recognize it and make it more difficult for them to do so and limit the damage that they can do. That's what we're trying to do and we'll have an action plan coming out within the next month or so that addresses some of those challenges.
[0:31:45.2] AA: Yeah. I mean, it was interesting, the conference that you spoke at last week. I was at Billington a day before on Wednesday, which is great. Actually, I'm due to interview Dr. Ross, you know Ron Ross from NIST?
[0:32:03.6] AH: Yeah. I heard of him.
[0:32:06.4] AA: They just came out with the new – it's not even standards yet, but we at that conference, particularly some of the guys from Department of Homeland Security were – they were talking about the shift in strategy and as you've seen things just the level of attacks increase, that they're almost beginning to leave behind the term cybersecurity and move to cyber resilience, right because –
[0:32:35.8] AH: Okay, good.
[0:32:37.9] AA: Which was interesting, because it was – maybe it's semantics to change the terms, but I'm particularly with your background working with utilities and where this conversation started in terms of thinking about emergency response. I was struck by the idea of maybe we should start thinking about how we live or prevent these types of attacks more the way we think about how we prepare for hurricanes.
That we don't really talk about like stopping and no one thinks that they're going to completely stop hurricanes, but it's thinking about preparation and redundancies and backups and a response plan. The thought is more about the perimeter becomes less in the area where you're putting the majority of your focus, just stopping things, but really how you respond to them.
I'm curious your thoughts on that strategic shift, or as you – People are already talking about the Connecticut model. I think you guys have an opportunity to lead the conversation to well beyond the state potentially. What's your feelings on that, thoughts on that?
[0:34:13.8] AH: Yeah. It raises a really good issue and I have – All right, two thoughts; one is on the resilience. I like that term, but there has to be much greater cooperation in two ways; one is between the federal government and the states. The second is between private business and government.
A lot of the knowledge, the intelligence about what is coming in, what nation-states are doing, what international actors and so forth are doing is detected by our intelligence agencies naturally; they're in that business. There has to be some way in which they can share that information productively and that the states can work with a federal government, not only for detection, but also for management.
The FBI and the State Police and different states have to learn who's doing what, get to know each other and cooperate. That goes all the way down to the municipal level, so the federal and state cooperation. Secondly we need a cooperation – Is that in your line or my line?
[0:35:17.3] AA: Yeah, sorry it's a house phone.
[0:35:19.6] AH: Okay, that's fine. Secondly is between private business and the federal government, or between private business and government, both states and federal. If you look at the defense industry, they are the most advanced in cyber resilience. Why? Three reasons.
One, they’ve always taken security seriously. If you make jet aircraft or nuclear submarines or any kind of a defense system, you have to take security very seriously. You always have. That's one. Secondly, you cooperate horizontally. There is an association of about 70 defense contractors that gets together and talks about what cyber threats they're finding. This is not collusion on product development or on marketing or anything, it is simply what do we find bad guys doing? What's happening? What are new forms of penetration? They share that information and that's healthy.
The third is they work with the federal government more extensively than in other sectors to determine what are the – through intelligence, what are the national threats, or coming from other nation states to try to penetrate? Now that model might have to be replicated for other sectors. That's one entire scope.
Secondly is, as you said, managing the consequences. Yes, I think that a cyberattack – we need to be as good at the cyberattack as we are at a flood, or a fire, or a hurricane, or something else. Now when a hurricane comes up the east coast of the United States and gets out of the Caribbean, hits Florida, North Carolina and comes up, we know what to expect. We've done it before. We know what a hurricane is. We just want to know how big it is and where it's going to be.
There is no reason for fearing unanticipated behavior. A hurricane does not turn around and come back and hit a second time or third time. A cyber-attack might. A hurricane is not controlled by a foreign power. When you have the word a cyber-attack and there is no electricity, you can find panic if you're not ready.
You have to communicate immediately. A governor needs to get out there immediately and say what he or she knows and does not know and what they're going to do about it. Public anxiety could be extremely high and communications have to be prepared. There are also contingencies. If this were the work of a foreign attack, there could also be a propaganda war, or disinformation that is put out. How do you handle that?
Your answers have to be written out ahead of time. You can't sit around saying here is a propaganda attack suggesting that all water in the state is now poisoned. Gee, what should we say about that? You have to think of that contingency, or any one of a number of other contingencies, write out a response and be ready, and so that when it happens it says, “We need to use paragraph 33 now,” and the answer is “Yeah. Go with it.” Not, “Would you please go back there and write paragraph 33 about this particular contingency?” You have to be ready for all kinds of things.
The third thing is I think you need to use both social media and include reporters and editors in your rehearsals. A cyberattack ought to greet emergency managers the same way they greet other dangers. Okay we got a cyber-attack on our hands. It's not, “Oh, my goodness. Like Henny Penny, the sky is falling.” It should be, “We've rehearsed this. We know certain things to anticipate. We know what we're going to do next. We have lines of communications that are established.” You have to include the reporters and the editors, because their credibility in conveying the news would be absolutely essential.
For military, police, emergency managers, there is just a natural visceral hesitation to share emergency management procedures and news with the reporters. I mean, that’s not in their DNA. Yet, the public confidence will be so tested by a cyber-attack that you will need them as allies.
Now you guys set the ground rules for the rehearsals, we're going to have a test and we want you guys to understand what happens during a test, because if this were real you would have a patriotic national obligation duty to go out and do what reporters do, explain what's going on, explain what the truth is and what the truth is not and help put down rumors and help to communicate vital messages.
Yeah, I think this is an entire area in which we are presently not adequately prepared. A number of states are getting started now. I know Connecticut is. It's a new challenge and it's one that we have to be familiar with so that if there is a cyber-attack, we are not wondering for the very first time who to communicate with and what to do.
[0:40:54.9] AA: Yeah. I mean it's comforting I think from the outside we – I think a lot of the media spends a lot of time getting – whipping up sort of hysteria. I mean, it's what sells newspapers and keeps people glued to the TV and whatnot. It's nice to talk with someone who – you are clearly – you've been spending years doing this and thinking about it very logically and strategically. It's a tough challenge, because it hits on so many different levels; the technological level, the PR media level, the public consciousness.
It's not an easy problem, but it's nice to hear you thinking about it on so many different levels. I was down at a meeting where they were talking with the election commissioners and particularly this – the communication action plan was echoed. There was a document produced by the Belfer Center. I don't know if you guys – if you know them up at Harvard?
[0:42:18.0] AH: Sure. I heard of them.
[0:42:20.3] AA: They had two action plans; one on the technical side, but then the other on the communication side, which was quite well done walking through this, pre gaming game plan stuff. Nice to hear things are coming together and similar thoughts running through different verticals. I hate to do this, but I think I've got to run, because I've got to hop on this other call in about 10 minutes.
[0:42:48.7] AH: It’s okay.
[0:42:49.1] AA: This was great. I really enjoyed this. I mean, we’ll get this transcribed for you to review and whatnot. I didn't hear anything that wouldn't want to get out in the public sphere.
[0:43:07.9] AH: I didn't either. No, no. I mean, I do a little bit of this kind of conversations. No, I'm very comfortable with the way it went, Andy. That's fine. Down the road if you have other things you want to talk about, you got my number. We need to communicate about this. It's very important. I welcome interest of people like you in all of these and thanks for calling me.
[0:43:29.6] AA: No, no, no. Thank you. There is an event in New York City, which maybe I have you – I'm not sure. I wanted to make sure it was on your radar screen, the Hack NYC Conference, which is all about critical infrastructure and thinking through defending and protecting it. Are you aware of that conference? Have you seen that? That one is coming up?
[0:43:51.9] AH: No. That one’s not on my radar screen, but it's certainly a busy field. You're absolutely right. There's an awful lot going on.
[0:44:00.1] AA: Where are you – are you up in Hartford where –
[0:44:03.7] AH: I'm in Hartford. I’m in Hartford, Connecticut.
[0:44:08.4] AA: I’ll make sure to throw you an invite to that. I know it's early in May. I want to say May 5th or 8th. I don't have the calendar in front of me, but I'll send that to you and if you get a chance, might be a good spot for you to be talking about this stuff. I mean, gosh – It would be great. 
Well, thanks so much. I’ll be in touch. Really appreciate it.
[0:44:31.5] AH: Thank you, Andy. Take care. Buh-bye.
[0:44:33.3] AA: You too. Bye.