Agenda

Friday, June 19th, 2020

0715 - 0800

Continental Breakfast

0800 - 0815

Welcome and Overview

LTG John R. (Bob) Wood, USA (Ret.) (confirmed)
Executive Vice President
AFCEA International

0815 - 0845

Opening Keynote

TBD

0845 - 0945

Panel: Supply Chain of What?

Moderator:
TBD

Panelists:
TBD

Overview:

The definition of supply chain should be expanded to extend from product design through product retirement. Here ‘product’ is not always a tangible good or service; it can be intellectual property, an analytic outcome, or something in between, such as a vote. There are therefore elements that the producer, the intermediary, and the user can and should address:

  • products (hardware, software, intellectual property)
  • systems, networks, sources
  • services (from close support/professional services to 5G bandwidth)
  • other (one could even consider information/identity, e.g., influence operations and the weaponization of social media, part of a supply chain!)

Focus Questions:

  • How do we define supply chain in meaningful ways?
  • How do we better imagine and understand attack surfaces?
  • How do we better describe risk mitigation or risk management in terms of known knowns, unknown knowns, known unknowns, and unknown unknowns?
 

0945 - 1000

Networking Break

1000 - 1100

Panel: Against What Threat?

Moderator:
TBD

Panelists:
TBD

Overview:

Multiple perspectives from multiple communities can help identify threats, threat actors, and the risk each poses, steering the conversation and informing the audience. Not all threats are equal or carry equal risk. How does that shape strategies for mitigation, prioritization, and counter operations?

Focus Questions:

  • Who are the specific threat actors?
  • What are the specific types of activity: against the confidentiality, integrity, or availability of information and operations?
  • Using what technologies?
  • To achieve what ends?

1100 - 1145

Panel: What Are We Doing about It?

Moderator:
TBD

Panelists:
TBD

Overview:

What does ‘securing’ the supply chain mean in practice? What should you do about it within your organization?
  • Validation and attestation of the integrity of functions (‘do it’)
  • Validation of provenance (trusted/known suppliers) and of integrity in transit, during installation, and in use
  • Both ‘do it’ (secure integrity) and ‘prove it’ (verify) have elements that organizations can act on, whether as producers, customers, or (in the case of government) regulators

Focus Questions:

  • One size fits all vs. customization of standards and approaches
  • Does a ‘perfectly secure’ supply chain exist?
  • What constitutes due diligence?

1145 - 1330

Networking Lunch

1330 - 1415

Panel: Using What Approach?

Moderator:
TBD

Panelists:
Allan Friedman (invited)
Director of Cybersecurity Initiatives, National Telecommunications and Information Administration

Ginger Wright (invited)
Energy Cyber Portfolio Manager, Idaho National Lab

Overview:

Approaches include:
  • ‘secure by design’ and a secure bill of lading
  • efforts underway to achieve trustworthy operations using untrustworthy components
  • hands-on testing (from function testing to ‘fingerprinting’ components to looking for signs of tampering)
  • due diligence on ownership and control of component suppliers
  • standards and legislation (ranging from NIST/ISO to the Cybersecurity Maturity Model Certification initiative)
  • best practices and innovative approaches
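As an added illustration of the ‘prove it’ (verify) side raised in the ‘What Are We Doing about It?’ panel and of the bill-of-materials and tamper-detection approaches listed above, the following Python example is not part of the agenda or of any panelist’s work. It shows a consumer checking a delivery against a supplier-provided manifest of component digests and a supplier allow-list; the manifest format, supplier name, component names, and component bytes are all constructed for the example.

```python
"""Added example (not from the agenda): a minimal 'prove it' check of a
delivered software component set against the supplier's pinned manifest.

Producer side ('do it'): ship a manifest listing each component's SHA-256.
Consumer side ('prove it'): confirm the supplier is known, every listed
component arrived unmodified, nothing is missing, nothing extra appeared.
All names, suppliers and component bytes here are constructed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical allow-list of suppliers whose manifests we accept.
TRUSTED_SUPPLIERS = {"Example Vendor, Inc."}


@dataclass
class Manifest:
    """A simplified bill of materials: supplier plus name -> sha256 hex."""
    supplier: str
    components: dict[str, str]


@dataclass
class Report:
    provenance_ok: bool
    verified: list[str] = field(default_factory=list)
    tampered: list[str] = field(default_factory=list)
    missing: list[str] = field(default_factory=list)
    unexpected: list[str] = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        """Accept only a known supplier and an exact, intact component set."""
        return self.provenance_ok and not (
            self.tampered or self.missing or self.unexpected
        )


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(supplier: str, components: dict[str, bytes]) -> Manifest:
    """Producer side: record a digest for every component being shipped."""
    return Manifest(supplier, {n: sha256_hex(b) for n, b in components.items()})


def verify_delivery(manifest: Manifest, delivered: dict[str, bytes],
                    trusted: set[str]) -> Report:
    """Consumer side: check provenance, integrity and completeness."""
    report = Report(provenance_ok=manifest.supplier in trusted)
    for name, expected in manifest.components.items():
        if name not in delivered:
            report.missing.append(name)
        # Constant-time comparison avoids leaking which digest bytes differ.
        elif hmac.compare_digest(sha256_hex(delivered[name]), expected):
            report.verified.append(name)
        else:
            report.tampered.append(name)
    # Components that were delivered but never attested by the supplier.
    report.unexpected.extend(sorted(set(delivered) - set(manifest.components)))
    return report


def demo() -> Report:
    """Constructed scenario: one intact, one altered, one missing, one extra."""
    shipped = {
        "libfoo.so": b"\x7fELF constructed library bytes",
        "update-tool.bin": b"constructed tool bytes",
        "config.yaml": b"constructed config",
    }
    manifest = build_manifest("Example Vendor, Inc.", shipped)
    delivered = dict(shipped)
    delivered["update-tool.bin"] = b"constructed tool bytes + implant"  # altered in transit
    del delivered["config.yaml"]                                        # never arrived
    delivered["post-install.sh"] = b"constructed, not attested"         # not in the manifest
    return verify_delivery(manifest, delivered, TRUSTED_SUPPLIERS)


if __name__ == "__main__":
    r = demo()
    print("accepted:", r.accepted)
    for label in ("verified", "tampered", "missing", "unexpected"):
        print(f"{label}: {getattr(r, label)}")
```

The manifest here is only pinned, not signed; in practice the supplier would sign it (or publish the digests through an out-of-band channel) so that an attacker who can alter the components in transit cannot also rewrite the digests they are checked against.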

Focus Questions:

  • One size fits all vs. customization of standards and approaches
  • Does a ‘perfectly secure’ supply chain exist?
  • What constitutes due diligence?

1415 - 1445

Keynote

TBD

1445 - 1500

Networking Break

1500 - 1600

Panel: What's Next?

Moderator:
TBD

Panelists:
TBD

Overview:

TBD

Focus Questions:

TBD

1600 - 1615

Wrap-up/Closing Remarks

Jim Richberg (confirmed)
Field CISO, Fortinet
Member, AFCEA Cyber Committee