The Cybersecurity Coalition and the Cyber Threat Alliance hosted the annual CyberNext DC Conference on Dec. 12. The day-long event featured keynote speakers from industry and government, and panel sessions that focused on strengthening cybersecurity, promoting regulatory harmonization, and enhancing digital resilience.
Additionally, the conference explored initiatives and new strategies for cybersecurity in anticipation of the upcoming political transition across the U.S. government. Below are recaps of each of the sessions.
Fireside Chat:
- Gary Steele, President, Go-to-Market, Cisco; GM, Splunk, Cisco
- Ari Schwartz, Coordinator, Cybersecurity Coalition
Schwartz hosted a fireside chat with Steele where they discussed evolving cybersecurity policy advice in light of a new administration and Congress. Steele noted the need for the new administration to continue to focus on the importance of cybersecurity and to consider driving digital resilience more broadly.
Regarding the fundamentals of digital resilience, Steele explained that keeping digital systems updated, fully patched, and secure is critical. He highlighted the potentially transformational role of AI within cybersecurity, and said that the industry as a whole must step up to deliver the capabilities necessary to withstand threat actors leveraging AI and emerging technologies in attacks. Steele said that he is “encouraged by the opportunity to leverage AI more broadly to better defend and protect against threats,” stating that AI is the catalyst that enables more predictive and preventative strategies to address disruptions.
Steele concluded by calling upon industry and government to collaborate closely and openly share information, which he said could better protect organizations and individuals and help them respond more efficiently to threat actors and cyber attacks.
Panel: Cyber Luminaries
- Sam Curry, VP & Chief Information Officer, Zscaler (Moderator)
- Jaya Baloo, COO, Stealth Startup AI & Cybersecurity
- Wendy Nather, Strategist, Research Director, Former Industry Analyst & Former CISO
- Josh Corman, Executive in Residence for Public Safety & Resilience, Institute for Security and Technology (IST)
This panel featured a discussion on the pressing challenges facing cybersecurity, particularly insufficient resilience and continuity of operations. Corman said that the nation’s critical infrastructure needs greater resilience so that residents can have access to water, food, and healthcare. There needs to be a greater focus on enabling risk management professionals to ensure communities are prepared for potential critical infrastructure cyber attacks.
Baloo emphasized the need to upgrade out-of-date technology while anticipating and staying vigilant to emerging quantum threats. She called for proactive preparation and encouraged vendors and suppliers to incorporate this consideration into their Software Bill of Materials (SBOM), as well as to implement a Cryptographic Bill of Materials to safeguard against future risks. Curry underscored the importance of migrating to quantum-resistant algorithms and centralizing the issue through crypto libraries to help ensure a seamless approach when disruptions arise.
The panel also addressed the role of engaging communities often overlooked in cybersecurity discussions. Nather urged policymakers and security professionals to consider underserved populations below what she referred to as the “cyber poverty line.” She explained that these communities represent a significant proportion of the cyber ecosystem, and their failures and vulnerabilities have a ripple effect that impacts all.
Panel: Simplifying Security: Transatlantic Regulatory Alignment/Cooperation
- Alex Botting, Venable LLP (Moderator)
- Hubert Han, Senior Tech Policy Advisor, Singapore’s Ministry of Digital Development and Information (MDDI)
- Vincent Barras, First Secretary for Political Affairs, Embassy of Switzerland
- Sabeen Malik, VP, Global Government Affairs & Public Policy, Rapid7
- Trevor Rudolph, VP for Global Digital Policy & Regulation, Schneider Electric
The panel highlighted the importance of cooperation and facilitating harmonization across the international cyber landscape regarding cyber regulation and policy. Malik emphasized a need for a multistakeholder approach as well as more conversations between the public and private sector in order to establish forward progression, explaining that there is current fragmentation in these conversations.
Internationally, Han noted that a fragmented landscape in cybersecurity allows for more issues to slip through the gaps, and said that mutual recognition and “sharing the burden” with other countries regarding cyber threats and attacks is essential. He explained that emphasizing commonality, such as through counter ransomware or digital trade initiatives, is key in terms of facilitating bilateral agreements. Barras noted Switzerland’s interest in facilitating harmonization in critical infrastructure security as well as privacy.
From a U.S. perspective, Rudolph recommended that the new administration place a moratorium on new cyber regulations until examining potential impacts, establishing a more thoughtful approach where the bar must be high to produce new regulations.
Keynote: Jeff Greene
- Jeff Greene, Executive Assistant Director, Cybersecurity and Infrastructure Security Agency (CISA)
In his address, Greene outlined CISA’s efforts to enhance and operate effective incident response and prevalence checks to help federal agencies remediate cyber attacks and security breaches. He explained that CISA has strong mechanisms in place to work with its partners in government and the private sector to stay abreast of a threat as well as raise awareness and security posture.
He noted that CISA is focused on secure-by-design, an issue that remains front and center in conversations with policymakers and the private sector. He is “confident this issue is not going away with the change [in administration] in 2025.” Greene described the importance of resilience and improved capacity to manage adversarial threats and security compromises.
Panel: Looking Back, Looking Forward – Reviewing the Biden Administration and Expectations for the Next Administration
- Ari Schwartz, Coordinator, Cybersecurity Coalition (Moderator)
- Michael Daniel, President & CEO, Cyber Threat Alliance (Moderator)
- Matt Hayden, VP of Cyber & Emerging Threats, General Dynamics Information Technology (GDIT)
- Nick Leiserson, Assistant National Cyber Director for Cyber Policy and Programs, Office of the National Cyber Director (ONCD)
- Drenan Dudley, Director for Long-Term Community Recovery and Rebuilding, White House
- Frank Cilluffo, Director, Auburn University’s Charles D. McCrary Institute for Cyber & Critical Infrastructure Security
This panel described the Biden administration’s efforts to enhance U.S. cybersecurity and regulatory actions, as well as the future direction of cybersecurity policy under the incoming administration. The purpose of this panel was to provide an overview of the Biden administration’s key priorities over the last four years and highlight ongoing and emerging threats within the cybersecurity ecosystem that require attention.
Leiserson outlined the Biden administration’s “all of the above” approach to cybersecurity, focusing on the use of federal procurement power, secure by design, and embracing public-private sector partnership. He noted a need to further examine and stabilize the cyber insurance market as well as software liability.
Dudley highlighted the importance of partnership with state, local, and tribal governments to ensure that federal efforts align with their needs, and emphasized the necessity of building out the regional workforce to support the administration’s cybersecurity mission and strengthen local capabilities.
Looking toward the future of cybersecurity, Hayden and Cilluffo discussed a need for strong repercussions and deterrence measures, imposing some costs and consequences against adversaries in the cybersecurity space. The panelists stated that regulatory harmonization and strong public-private partnership are essential to advancing U.S. cybersecurity efforts.
Panel: ONCD Roles and Responsibilities
- Inés Jordan-Zoob, Venable LLP (Moderator)
- Philip Stupak, Assistant National Cyber Director for Government, ONCD
- Mark Montgomery, Senior Director, Center on Cyber & Technology Innovation
- Julie Klein, Senior Director, Public Policy & Government Affairs Team, Palo Alto Networks
- Steve Kelly, Chief Trust Officer, Institute for Security and Technology (IST)
This panel focused on the establishment of the Office of the National Cyber Director (ONCD) and its mission, exploring the challenges it faces in light of a new administration, and delving into its relationship with the National Security Council (NSC) in shaping U.S. cybersecurity strategy. Building off of the Center for Cybersecurity Policy and Law’s report, “Through the Looking Glass: An Updated Vision for the Office of the National Cyber Director,” the panel aimed to examine how ONCD and the NSC could partner to tackle the evolving cyber threat landscape and discuss methods to enhance ONCD’s role in shaping cybersecurity policy.
With a new administration, the panel highlighted challenges posed by staff reductions at ONCD and the importance of bolstering the office with senior personnel. Several panelists emphasized a need for clarifying the distinct roles and responsibilities of ONCD and the NSC, explaining that ONCD is best equipped to handle cyber incidents, with cyber response groups falling under its responsibility, while larger incidents that extend beyond cyber concerns should be managed by the NSC.
Montgomery suggested a review and rewrite of the National Security Memorandum 22 (NSM-22) and updating the Presidential Policy Directive 41 (PPD-41) in the next administration. Kelly stated that the next administration must have ONCD and the NSC’s roles and responsibilities regarding cyber incidents “baked into” the system to avoid confusion.
Panel: Generative AI: Myths, Realities, and Defenses
- Chelsea Conrad, Joint Analytic Report Lead, Cyber Threat Alliance (Moderator)
- Abhishek Karnik, Threat Research & Intelligence Lead, McAfee
- David Beabout, Security & Trust Office Lead, NTT Security Holdings
- Mike Silverman, Chief Strategy & Innovation Officer, FS-ISAC
The last panel discussed the emergence and rise of generative AI usage in defense strategy and fraud determination, the workforce, and attack techniques. It emphasized the importance of a “human in the loop” approach when adopting AI systems, as well as responsible and safe implementation.
In discussing the necessity of red teaming, Karnik said that every organization should have its own red team to ensure robust security and implement additional “technology checks.” Beabout added that red teaming and a “human in the loop” approach can help ensure “good decisions” are made when using data for AI systems and mitigate the risk of data leakage.
In the workplace, Beabout explained that even with the widespread adoption of AI, human oversight remains essential to ensure the technology runs smoothly. Silverman also recommended incorporating human judgment, cautioning against allowing AI systems to advise on matters without human determination.
Policy-wise, Karnik argued that legislation surrounding AI should not take a “blanket policy” approach and must be tailored to the specific needs of various sectors. Silverman pointed out that whether there is policy in place or not, the financial services industry is already developing guidelines for AI. He stated that organizations should not wait for formal legislation but should instead take the initiative in creating their own recommendations regarding AI.
The Full CyberNext DC 2024 Conference can be viewed here and here.