0715 - 0800 | Continental Breakfast
0800 - 0815 | Welcome and Overview
LTG John R. (Bob) Wood, USA (Ret.) (confirmed)
Executive Vice President
AFCEA International
0815 - 0845 | Opening Keynote
TBD
0845 - 0945 | Panel: Supply Chain of What?
Moderator: TBD
Panelists: TBD
Overview:
The definition of supply chain should be expanded to extend from product design through product retirement. Here ‘product’ is not always a tangible good or service; it can be intellectual property, an analytic outcome, or something in between, such as a vote. There are therefore elements that the producer, the intermediary, and the user can and should address:
- products (hardware, software, intellectual property)
- systems, networks, sources
- services (from close support/professional services to 5G bandwidth)
- other (one could even consider information/identity, e.g., influence operations and the weaponization of social media, part of a supply chain)
Focus Questions:
- How do we define supply chain in meaningful ways?
- How do we better imagine and understand attack surfaces?
- How do we better describe risk mitigation or risk management in terms of known knowns, unknown knowns, known unknowns, and unknown unknowns?
0945 - 1000 | Networking Break
1000 - 1100 | Panel: Against What Threat?
Moderator: TBD
Panelists: TBD
Overview:
Multiple perspectives from multiple communities can help identify threats, threat actors, and the risk each poses, steering the conversation and informing the audience. Not all threats are equal or carry equal risk. Does that inequality drive strategies for mitigation, prioritization, and counter operations?
Focus Questions:
- Who are the specific threat actors?
- What are the specific types of activity: attacks on the confidentiality, integrity, and availability of information and operations?
- Using what technologies?
- To achieve what ends?
1100 - 1145 | Panel: What Are We Doing about It?
Moderator: TBD
Panelists: TBD
Overview:
What does ‘securing’ the supply chain mean in practice? What should you do about it within your organization?
- Validation/attestation of the integrity of functions (‘do it’)
- Validation of provenance (trusted/known suppliers) and of integrity in transit, during installation, and in use
- There are elements of both ‘do it’ (secure integrity) and ‘prove it’ (verify) that organizations can do as producers, as customers, or as regulators (in the case of Government)
Focus Questions:
- One size fits all vs. customization of standards and approaches
- Does a ‘perfectly secure’ supply chain exist?
- What constitutes due diligence?
1145 - 1330 | Networking Lunch
1330 - 1415 | Panel: Using What Approach?
Moderator: TBD
Panelists:
Allan Friedman (invited)
Director of Cybersecurity Initiatives, National Telecommunications and Information Administration
Ginger Wright (invited)
Energy Cyber Portfolio Manager, Idaho National Lab
Overview:
Approaches include:
- ‘secure by design’ / software bill of materials (SBOM)
- Efforts underway to achieve trustworthy operations using untrustworthy components
- Hands-on testing (from function testing to ‘fingerprinting’ components to looking for signs of tampering)
- Due diligence on ownership and control of component suppliers
- Standards/legislation (ranging from NIST/ISO to the Cybersecurity Maturity Model Certification initiative)
- Best practices and innovative approaches
Focus Questions:
- One size fits all vs. customization of standards and approaches
- Does a ‘perfectly secure’ supply chain exist?
- What constitutes due diligence?
1415 - 1445 | Keynote
TBD
1445 - 1500 | Networking Break
1500 - 1600 | Panel: What's Next?
Moderator: TBD
Panelists: TBD
Overview: TBD
Focus Questions: TBD
1600 - 1615 | Wrap-up/Closing Remarks
Jim Richberg (confirmed)
Field CISO, Fortinet
Member, AFCEA Cyber Committee