of us ensure that our city thrives in the long run. >> that's great. we did hear about some specific strategy. gina maybe you talk about what are you seeing as the effective strategies that are proving most popular, most effective in fostering adaptability across the space? >> yeah. i think one of the biggest challenges is to deal with communities have been left behind and there are many. we talked about this a little bit. mayor, you and others have great strategies to try to engage communities more effectively. and treat people with both a sensitivity and encouragement that they need to understand that there are opportunities for them. you talk about it speedy more live coverage of the u.s. conference of mayors in tampa now with the conversation on federal cybersecurity support

and how potential funding cuts will affect cities. [inaudible conversations] [inaudible conversations] [inaudible conversations] [inaudible] >> good morning everybody. great to see you all. thanks for joining us for this conversation. i am andy ginther. how to not only serve as mayor of columbus but president of the conference of mayors. like to welcome everyone in the

room to the session titled cybersecurity strategies for cities. before we get started i want to first acknowledge and thank this session spotter deloitte. let's give them a round of applause for helping to pull us together. [applause] we are very fortunate to have been present before the ohio mayors alliance, and there's a great chance for me to meet mike hear about some of the work they're doing i do water to make sure wish i get with mayors from around the country and not just ohio. and i know mayor watson will take credit for everything mike has got to say because he's from -- [laughing] >> before you jump in with some opening comments could go around the room and have mayors at the table introduce themselves. i will start with mayor watson. >> thank you mr. president kirk watson cupbearer of austin, texas,. >> that i am the mayor of austin, texas. >> dennis cluff mayor of

westlake, ohio. >> mayor of north carolina colorado. >> westmeath,. [inaudible] >> good morning. mayor of the city of easter, michigan. >> good morning. one gonzález. [inaudible] >> good morning. lincoln, nebraska,. >> good morning. mayor for the city of kent washington. >> phoenix. >> good morning. mayor city of casey south carolina. [inaudible] >> good morning everybody. john mitchell from new bedford massachusetts. >> thank you all for joining us.

mayor -- >> good morning. >> no worries. [inaudible] [laughing] >> tried to radically. >> thank you for joining us. i don't think it's a surprise to anyone just how significant the issue of cybersecurity is for our cities. many cities are unprepared and underresourced. these factors have a cities attractive target for four actors particularly russia in china. there's much to be done to improve the security posture of our cities, and many resources are available. i'm hopeful some of the conversations and the speakers today can lead us to a more secure future i want to take if humans before we get into our discussion today to share some changes to the cybersecurity landscape, especially at the federal level and how that is impacting the cities we lead. since president trump was inaugurated in january that have

been many significant changes to the federal governments approach to cybersecurity. the department of government efficiency in february and march canceled the contracts that supported the congressionally authorized elections interference elections infrastructure information sharing and analysis -- that's a mouthful -- otherwise know as isac. and the multistate information sharing and analysis center. these are crucial networks of support for cities providing not only information sharing but also technical assistance and resources for preventing and responding to threats. without federal support citizens state governments will be responsible for covering nearly $8 million in operating costs. as a side our technology and

innovation standing committee yesterday passed a resolution i cosponsored with committee chair set a which calls for restoring the full funding of those. in addition to the doge cuts, the federal workforce reductions have particularly affected cisa. administration has remove most probationary employees though side with the last two years have launched a program to hire additional employees who could provide technical assistance to cities and states which is now largely gone. today, cisa remains without a permanent director. sean planck he was nominated to serve as director of march 10 but has not been confirmed by the senate yet the hearings was scheduled for june 5 at was missed and it's unclear where that stands right now. president trump's also cites

multiple executive orders on cybersecurity including one as recently as this week that make changes our software developers can validate whether the software meets security standards. all of this comes at a time when global tensions are very high and cyber warfare is a new normal. city cupboards are easy targets by many outside actors and emerging technologies like artificial intelligence can both increase threats and also can be used for prevention. it's a very challenging and complicated world. so with that i want to jump into our discussion. we endured i think we shared this at our session at the winter beating i think we were told that our expertise with cyber attacks. with very serious cyber attack about a year ago and what i discovered is that we're not alone. 150 cities have been attacked, i

think in 18 months. very common. and so i think my thought and goal is to continue to raise cybersecurity for cities as as a major issue for the u.s. conference of mayors i continued to advocate for a federal national strategy to support our work on the front line. we will kick things off. we are so glad to have two austin residents mayor kirk watson and my quiet with deloitte. mayor, tell us livid about what your team looks like in austin and set the stage for us and how your city is organized in terms of prevention. >> thank you and thanks voted for being here and i'm honored i get to be a part of this. what also say thank you to the president of the conference of mayors for focusing on this because i think it is that important particularly when you hear the way you lay that out.

the context we're all working in i can't emphasize how serious that context really is. we talk about things like this but it is particularly serious because the world seems to be going one way when the federal government right now is going the other way when it comes to cybersecurity. i will talk briefly about austin, texas. we are taking very seriously in austin. i think part of that when i put things in context it's also probably because we fancy ourselves a tech city, a tech savvy place a place that wants to pay attention. one of the things i say weekly if i don't say daily is that i want our local government to be competitive to the private sector when it comes to how we address and deal with technology how we deal with

innovation and creativity. and, of course, this is one of those areas. so we are organized and redye way around and primarily around having an information security office. so we have a focal point if you will in city hall, in city government. that deals with three primary that office deals with three primary things. you're not going to be surprised by them. one is cybersecurity governance. who's in charge, if you will, who are the people that we need to turn to for the expertise and who is going to tell people in different parts of the government what we need to be doing? so cybersecurity governance is a key part of that. second is of course privacy oversight. how do we keep things private and make sure they are private? i will say i received a notice

every day for the past eight days i guess because today's noticed he was that my passport expires in two days. and i can hear him talk to cybersecurity and i have whined about that this morning. [laughing] but anyway, but that is the office staff responsible for privacy oversight. the third arguably a supposed been bored and that is resilience planning. resilience planning. so with governance, privacy oversight but importantly resilience planning. what does that mean? very quickly what it means is being proactive. what it means is that are continually, we are continually seeing evolving threats and changing threats so we have this focal point that's paying attention and trying to be proactive. that means real-time monitoring, paying attention in real time about what's going on. it means taking proactive steps

to try to mitigate or eliminate vulnerabilities we might have in our system. it means training. training people like the mayor could changes password. it also means that on an annual basis we require everybody to go through cybersecurity training. sometimes it's one of those things where it may just be a refresher but we see that as important. and that office of information security is responsible as part of the resilience planning to up us build up our architecture. because again things are always evolving and that requires us to do that. iso is responsible for all city departments. they have authority that cuts across all city departments. they also are required to engage in best practices. federal best practices and otherwise.

and we work very hard to make sure that is a collaborative office where they're always chewing information always sharing intelligence, resources and different responses. the managers office is in charge of the iso but what we do is our audit and finance committee urges a a committee created under our charter amendment audit and finance committee that i have mayor serves as chair of the audit and finance committee also spends lots of time in executive session with the people better engage in on cybersecurity resiliency programs and things of that nature so we make sure there's oversight. that's kind of how we're set up. >> one of our great past presidents and mayor of rochester michigan has joined us good to see you. thanks for being here. i'm intrigued by more recent development, mayor i think effort austin tice refer to

often as a lubricant a bowl of tomato soup. >> i've heard that. [laughing] >> so given the nature of texas politics i think many of us are surprised to learn about texas cyber command being a true partnership between the state and local governments governor the side -- texas have committed this along with the regional security operations centers plays a key role in protecting city government. talk how you work with the governor in the complex political landscape we are in to focus on this to get this done. >> i guess i start with old friends the enemy of my enemy is my friend, right? if were all come to the sum of its were all together, right? if were going to do right by our constituents who are in many instances the same constituents, and i'm pleased to say that this

is one of those areas that does seem to get into the partisanship come to seem to get in to the politics, and so, so far that has been a very good relationship. public safety and cybersecurity is just one of those areas that we seem to work well together on. to talk about they shared needs i guess is a way you focus that. you focus on shared needs and shared outcomes. cybersecurity commands you just referenced is really i think going to be a very innovative good way to approach things. for us in central texas it's important because you're the university of texas primarily university of texas san antonio that is involved in this but you

also have the department of information resources at the state level. when i was and a prior life i served in the texas senate for 131 half years. one of the things i actually got to see up close and personal was what we call dir that department information resources which is very involved in cybersecurity. you also have as you mentioned from a local standpoint of the austin regional intelligence center that focuses on our local area. all of that is coming together to create a uniform approach. i'll talk about couple things. one of the things that that is really being worked on right now in particular is currently building out the technical foundation so we will have the right interaction when it comes to security. it's broken down, this command is going to be broken down into

four big areas. again, you're not going to be surprised but it's nice to have that level of focus is what i would say about it. first is a threat intelligence center. when i say intelligence, what that's about is making sure we have information that is shared that it's only has intelligence about potential cybersecurity issues that information gets shared. it also works together so that you can entertain weaknesses, test weaknesses in different programs and it creates a united approach. the second big area for the command is going to be an incident response unit. again, very important. that's going to be run primarily by the department of information resources, the department of the state that i was just talking about. that's going to be really helpful because it's going to get fast help during attacks.

if you're going to have a resource that gets fast help. i will make him another thing as part of that and that is a texas volunteer incident response team. okay i'll let you talk more about that. what i'll say about that is that's one of those things when your volunteer you think all they're not spending, not doing what they need to do, that's been with money not doing those things. help somebody shows up and volunteers to help. that's really not the case. very sophisticated let you talk more about that but it's actually written into texas code about how this volunteer response team will work. the third is for the command is training and education. speaks for itself. and the fourth is a digital forensics lab extensor talk about cities, austin has its own forensic lab so will probably

not be as involved in that because that would probably be duplicating services but this is one of those things where states when you state government to step up and provide an important role and are doing that. we're working with them. so we may be that blueberry in that tomato soup but this one those areas where government seems to be working very well together and i think we will continue because we need the shared approach. >> great. >> mike, welcome. so excited to have you as an agent before. mike and the deloitte team came to ohio mayors allies meeting and shared some great information with us and really excited to have been here to share this with other mayors. talk a little bit about your background mike, and how deloitte approaches this deeply

sophistication cybersecurity. talk lovette about that. one question i pose to you and for mayor watson for consideration as well is that every city around this table is the size of austin. so what do mayors who don't have huge i.t. departments and relationships around cybersecurity, where do they get started? where should the focus? >> i was really taken by your comments with the only make about focusing on restoration and recovery, that there's only so much you can do. there are some things clearly that we can do almost a movement and a focus in the restoration and recovery that i think would be good for mayors from different sized cities to hear about. >> thanks so much. although bit of background. i'm a fourth-generation texas from lubbock and i've been in

austin -- >> deep west austin. [laughing] >> but in austin since identity six of an information security and privacy -- since 1996. now with private security since about that time. i've had the privilege of helping states recover from very serious cyber attacks and in south carolina with governor haley. so there's a lot of lessons learned having lived at this is incidents. unfortunately, unless you've been through one of these it's very tough to know how to properly prepare and respond for these kinds of events. from a size perspective and you ask me about how we think about at deloitte, you know, historical cybersecurity is focus on the loss of information. information. how many breach notices have

had? a up and at 'em. in fact, there is some concern that there's a fatigue with the breach notices and so forth. that's not what is scary now. the adversaries are getting into critical infrastructure what is critical infrastructure? right in the cities. we have city -- to have their water tower compromise by a nationstate actor and they caused it to a little and it could have caused a lot more damage had human that was alert intervened to address that. a few things that we think about is is one is we want to help cities and governments preserved and improve it. there's a lot of move especially postcoital. these are great opportunities to also improve cybersecurity. too often cybersecurity

professionals have been doctor no. let me to the 17 reasons why you can't do this. you had a mission to deliver to constituents and residents. and so one of the things that we do when we work with the cities and other governmental entities is to coach the security teams on how to talk about these things in enterprise risk terms. don't talk about how many attacks we got hit today or yesterday. all the statistics. it's really needs to be described in enterprise terms and with anything of risk you to make trade-off because of constraints whether it's tollett or budget, time and so helping prioritize what to do now later, highest and best use of scarce resources and creative ways to tap in to resources so you don't have to pay everything from general appropriations. that's how we find out.

it's -- it's an honor to be part of an organization with 35,000 35,000 professionals that work on this globally. our state government practice, i used to do commercial work. i don't do that. it's mission driven to help governments. i'm proud to lead doublets team and do today to talk about these topics. >> so, calling for national strategy prevents harvester debates on some information i shared it seems like there's a great deal of uncertainty or unknown, happening at the federal level. ..

executive director and former state, nancy. therefore site spent a real game changer. i heard yesterday about the impact and in the discussion between cities and government it's one the end is that provides cities and counties in their area and there are two more so these centers provide

cost-effective if not please ... many are not highly populated and can't afford to do things in austin but monitoring and workforce development programs so the legislature like that and one reason it wasn't just about the interest policy and prevention, it's workforce development so this adopted another state and getting together particular should service model is one thing that highly recommend.

they are thinking along the same lines is real opportunity to collaborate on neural funding. >> look around the room we are going to get to your you and i so think of questions or thoughts you may have. i guess from their fair self they are doing this well that we ought to look at. >> across michigan and indiana

together or buying power in arizona you got a structure there there are good examples coalitions and want to go back to the previous question in places that may not have the resources and what mike is saying it's all about sharing

and all starts on their own resources and the resources with cybersecurity to ask for it and look to counsel already set up in the city and in the region it would do a couple things we've seen. and it creates partnerships like

an elevate what you might be doing or someone else in working together it's bigger than the component. then it creates a better coalition go to the local or nearby education institution. as they are teaching the next generation. the are all being asked daily that improves government services through digital government.

when we are doing those it is the perfect time to improve things related to cybersecurity. take advantage of the moment and you work with the regional coalition and they are doing that at the same time and impute data centers in our communities. talk about what the data centers are descent of infrastructures for how we should contemplate.

>> if an adversary wanted one thing that makes infrastructure so hard is systems are quite old and getting connected to the internet and they were never designed from the security perspective so as we look and prove infrastructure with the ability to needs some thought given how to secure it to get

those supports and think it applies to the traffic control systems and so forth so the systems that run the city get attention. >> i'll just echo thoughts your city has ever been subject malware attack, it's an enormously disrupting. i don't wish it on anybody. my question has to do with personnel practices. many of the tax happen through fishing experts human being who

opens up a castle date and we get e-mails from the king of nigeria and others who want to help. [laughter] i was looking up nigeria we have to have modules in place that

run them through semi- annually or maybe annually. there are some number of people who pull it off and follow-up with the department head have to have consequences with shutting off the buddy system the mayor has to make sure but i just want your thoughts about best practices encouraging the behavior. >> unfortunately even with the

best anti- phishing training, there's about 4% of the people who will always win. humans are humans and they want to be helpful and serve so it is important to do that training in addition investing in tooling to mitigate the risk of those events causing harm so good and response is foundational so like antivirus better. even when something happens the tools can detect it and lock it

down. i cannot tell you how important because they've got well-written english no spelling errors in now that looks legitimate so it's necessary but insufficient. i want to look at the people and process first. >> you have to have the senses, but again we are in an arms

race in countries that were not exactly front so a human has to make a decision. the first strike. >> you are asking the question the way you are because you realize how hard that is. [laughter] i came here for insight my guess is wouldn't be asking that if he didn't realize how hard it is but let's say in the private sector that happens. many of us have been involved in

private sector businesses were there are consequences to that occurring. you are not paying attention to the policy. it's harder in government but there's a whole lot at risk where decisions have to be made and none of us are going to be wanting to be the ones making those decisions but you're talking about such enormous risk that people have to understand there are consequences. one of the things particularly good about the training we do is an up about the consequences of you doing what you're doing because people fail to

understand how bad it could be and we need to up that. if you want to use the fishing protocol i got a guy in town that sends me e-mails you don't answer my e-mails. he says, i thought those were fishing things. [laughter] so that worked really well. [laughter] >> the only thing i disagree is recognition that there could be any best practice out of the state of michigan. [laughter] >> you can only dodge the irs for so long. they will keep going last month

i think about this five years ago and i don't think the conference has cybersecurity. two things that strike me, cybersecurity is one thing unless you are in the field there's a lot of words difficult to understand. we need another consultant and another layer of protection and i remember a moment with the team presented our staff pick the city hall like your house and 1.1 billion for funding everyday about 98% of them to

help realize the challenge of what we are trying to do and if i asked you your it budget and the security detail and what you've done the last five years because it's probably coming up in terms of overall it and it indicates priorities and if you don't know you probably should go back and pulled out talk

about how much security you should talk how can you present resources to help them be put better prepared? >> we talk about the ability to convene so how mayors convene in this environment. >> i mentioned earlier the surprising thing having to be

involved the relationship that they had in the community they got oversubscribed because of the relationships. they all know each other and that is so important because you have shared organizations. >> is not much to add other than what i was saying and playing a leadership in doing that limiting it to the government

but today into higher education and finding out what departments are doing and you might not know with regard to cybersecurity and i would look at major employers also doing things and making that the convening so you hear from them because there may be some easy things that the private sector can teach you. >> we did introductions earlier and i wanted to acknowledge you joining us as well. it's good to see you.

little go here and then to mayor mayor. >> i very much appreciate mayors inspected that government needs to be competitive with the private sector and corresponding means we do need to shut off access. not really a question what we need to do, it would be useful for this committee as a whole will provide practices that are little bit more nuanced a little more beyond what i could to get online. what is a best practice and how much i should be spending cybersecurity?

so offensive to deliver over and over at little cost it captures and it would be really useful. and there are corporate it doesn't get any government

sector. those are my comments and questions. it is available at a low cost. going through the simulation

attack to personally invoke. to go practice we know there is no perfect security. to be vigilant we need to be able to deduct when go. you can recover from it and got this critical oftentimes there is prevention and

underinvestment so as you are asking where are you investing? need that recovery. ransomware not touch it for months so backups in the leave alone one day wake up, it's contaminated so on technology make sure they are clean. there are some notes which ones are mission where that is located because you don't have enough protection equally they

are. it's not a good use of taxpayer dollars anyway. it's understanding assets and data showing forth his hilarious developer and the only way to do that is practiced. >> i want to make sure we get to the last question. somebody grew up the price through the well before you need to learn while the president

said in his opening it's not disagreement there's two things going on under serious threat in regard to what's happening in my view not for good reason when executive order signed by the president went out guidance as part of the executive order. i believe cities will be left vulnerable if they are not laying the role that quality playing. so.

>> so my sister organization. >> a couple comments register myself under the bus alliance not to undergo make sure you have a printed version of your plan because say our driver shared drive we don't have access you talk about another session to request we talked about is the electric infrastructure there are conversations going on and

anything her cities could do if there was a power outage might be a good way to understand supply contacts so a little bit on the north and others awareness because we heard a lot infrastructure. i'm not aware of discussions that the state level. we talked about the so there are some interesting things given

the nature on how this will work but i think it will be a very hot topic moving forward. >> thank you clearly have a lot more doom and some great ideas forward with. thank youthe u.s. conference of

mayors meeting in tampa is on break. we will return live 11th of the five a.m. eastern is how mayors and state leaders have alliances between one another. >> of our districts this year is to encourage and