Meet the Feds
Formal metadata
Number of parts | 93
License | CC Attribution 3.0 Unported: You may use, modify, and copy, distribute and make publicly available the work or its content, in unchanged or modified form, for any legal purpose, provided you credit the author/rights holder in the manner they specify.
Identifiers | 10.5446/36306 (DOI)
Transcript: English (automatically generated)
00:00
Good morning. It's great to see so many folks here, standing room only in the back. So we're here from the government, and we're here to help.
00:24
My name is Jonathan Mayer. I'm chief technologist for the Federal Communications Commission's Enforcement Bureau. I'm joined by wonderful colleagues throughout the federal government. We have Lorrie Cranor, who's chief technologist of the Federal Trade Commission; Eric Mill, who's a senior engineer at 18F in the General Services Administration;
00:43
and Alan Friedman, who's director of cybersecurity initiatives at the National Telecommunications and Information Administration. All right, let me try a little louder, and with apologies to the folks who were near speakers: and Alan Friedman, down at the far end, who's director of cybersecurity initiatives at NTIA
01:05
within the Department of Commerce. And so it's a great cross-section of different technology policy roles within the federal government. We have someone working on cybersecurity in the main component of the executive branch. We have someone delivering services throughout the government.
01:20
We have an independent agency working on security and privacy issues, a real thought leader within the government. And then we've got the FCC. So I'm going to ask each of our participants to say a few words about their agency, what the agency has been working on in technology policy, and their role in the agency.
01:42
And then for the most part this is going to be an extended Q&A session. It's up to you to lead the conversation. There are microphones to the left and the right of the room. Please line up and have your questions ready. And my game plan is to just alternate, and we'll do our best to answer. Okay, so Lorrie, could you start? Hi, good morning.
02:03
So the Federal Trade Commission focuses on consumer protection, and in the security and privacy space we're very much interested in protecting consumers from having their private information breached and leaked.
02:21
We're interested in protecting them from unfair and deceptive practices, scams, fraud, also spam, robocalls. These are all things that we are very interested in investigating and in finding ways to protect consumers. We also do outreach to consumers about how they can protect themselves and
02:45
avoid falling for some of these scams. We are very interested in talking to researchers, and if you come to our session at 1 p.m. we will get into more detail about that. But we would like to work with the researcher and hacker community to identify
03:06
vulnerabilities that we need to be aware of, and to identify tools that we can use, that consumers can use. And so we encourage you to come talk to us. We've also set up an email address, research@ftc.gov,
03:24
where you can send us the things that you've discovered that you would like us to know about. We also have a number of events coming up this fall that we are going to be interested in having researchers attend. They're going to be open to the public as well as webcast.
03:45
So we have a workshop coming up on drones. We have one coming up on smart TVs. We have one coming up on disclosures, so privacy notices are one form of disclosure, but other kinds of disclosures as well.
04:01
A bunch of things, and then in January we will have our PrivacyCon event. You can read about all of these things at ftc.gov/tech. Thank you. I'm Eric Mill, and I'm with a relatively new group in the federal government called 18F.
04:22
It's like one-eight-F. We're about two years old, and we're housed in the most excitingly named agency in the federal government, the General Services Administration. And so we're about a couple of hundred people, mostly not in DC, and we are trying to do technology right in the federal government.
04:41
So we actually have dozens of engineers, product people, UX people, design folks, security people, and we are trying to make sure the government can do well for itself on technology, and to make sure the government can do things the way that we all want to do things. We can embrace the cloud, use open source, do agile development.
05:01
We can bake in privacy and security from the beginning of the development process. So we try to lead through implementation and delivery. We do some of the things that are maybe most relevant to this crowd. So we're currently working on getting a bug bounty program started on a number of our public-facing systems.
05:20
Shout out to DoD, who just did the first government bug bounty program fairly recently, Hack the Pentagon. We definitely learned a lot from them. We're also trying to hire, and, you know, the government does in fact employ information security professionals. We're trying to do it a little bit differently and hire people that are senior technical implementers that don't require security clearance, and put them to work on
05:43
a variety of government-wide systems that make the country work better. And then in particular, part of my work there is focused a lot on encryption, and in particular 18F has been a really animating force on web encryption, on HTTPS in particular. There actually is a federal policy mandate right now in the executive branch to move everything to HTTPS only with strict transport
06:06
That's something that our organization has animated and put a lot of energy into, and something I personally work my tail off on, and that's gotten me the chance to meet a lot of the good folks here. And hopefully we're making the government a better place.
06:25
I'm Alan Friedman. I'm with the US Department of Commerce in the National Telecommunications and Information Administration. We're part of the administration. We are the president's advisor on telecom and internet policy. You may have heard of my boss, Assistant Secretary Larry Strickling, who's trying to
06:44
keep the internet free and open with the ICANN IANA transition. And thank you. And in fact, that's a large part of what our organization does: represent the equities of a free and open internet, both inside government discussions
07:02
as we sort through policy as a giant, complex government, and also across the private sector. In fact, we take this notion of multi-stakeholder engagement quite seriously. Too often there are policy issues where, if we wait around for legislation,
07:23
it's going to take too long, and it may not be great, because there's going to be lots of complexities, and legislation is a pretty big hammer. Regulation also takes a while, and when Jonathan isn't writing it himself, it's not always optimal. So what's the tool we have left?
07:40
Our tool is, we try to get the right people in the room and say, guys, let's solve this among ourselves, with the right engineers in the room from all the different relevant stakeholders, so that we can demonstrate that this is a solution that can be reached by coordination and collaboration rather than waiting around
08:02
for, you know, long drawn-out legal processes or regulation. We have two ongoing initiatives that might be of interest to you guys right now. One is on everyone's favorite topic, vulnerability disclosure. We know that this is not a new issue, but on the other hand the cliché that everyone is now a software vendor really is true,
08:26
and there are a lot of organizations that have never had to work with researchers before. So we're bringing together security researchers, vendors, middlemen, everyone possible, and saying, hey, how can we equip companies and organizations around the country, and even around the world, to know what to do when someone knocks on their door and says, hey,
08:47
there's a big problem in your system and we can help you solve it? How do we get people along that path? The second initiative, which we've just announced, is around everyone's favorite buzzword, IoT security.
09:02
It's sort of universally recognized that, one, everything is going to be connected sooner or later, and two, security is a giant flaw. No one's really building it in right now. How do we start that process? How can the government promote a better marketplace for that? So we're starting with a small debate and saying, hey,
09:21
patching seems like an important issue, but there isn't really a universal definition for what it means to be patchable. So let's get tech engineers, people who make products, consumer representatives, security researchers in a room and say, what are the different dimensions of patchability?
09:43
Here are all of the technical details. Here's the user experience. Here are the connectivity issues. Let's build a taxonomy and then try to collapse that down to a small set of definitions. There is no one-size-fits-all. And from those definitions, have a couple of words that we can tell consumers: don't buy a smart widget without this on the box.
10:04
Voluntarily; this isn't the government saying don't do this. This would be Consumer Reports or Mudge or someone else saying, hey, look for these words. But these words are backed by a couple of paragraphs of technical specifications. And by the way, if you lie about what's in your box,
10:20
we have some colleagues in government who know how to take care of that. So if you're interested in talking about IoT security or vulnerability disclosure, we're very happy to have you engage, and we hope you do, because we mean it when we say it's multi-stakeholder. Whoever shows up gets a voice to weigh in and to make sure that everyone else can hear what you have to say.
10:41
Thanks. So let me touch on the FCC briefly and then again open it up for questions from the microphones. So the FCC is the federal regulatory agency for communications infrastructure and services, and that includes communications security and privacy. So in the US legal system, the FTC is sort of the closest we have to a catch-all data regulator,
11:05
but there's a lot of sector-specific regulation. So for instance, our colleagues at the Department of Health and Human Services deal with medical security and privacy. FCC does communications security and privacy. And it's an independent agency in two senses. The first is we're not within one of the cabinet departments,
11:22
and the second is the commissioners are nominated by the president and confirmed by the Senate, but they don't report to the president. So if the president wants to provide input on an FCC proceeding, he writes a comment to the agency, just like any of you can. So the independence is very real.
11:43
The FCC's core function is independently proposing, enacting and enforcing rules. So it's a little bit of a blend of the three branches of government. We say, here's what we think the law should be on this issue, and then put it out for comment, and any of you can write in and say why we're right or wrong.
12:03
Then the FCC finalizes those rules, and then ultimately it becomes a job for where I sit, primarily the Enforcement Bureau, to make sure those rules are followed. So the FCC's authority in communications covers a range of technologies: radio and all sorts of RF emissions,
12:20
television, whether broadcast or cable or satellite or fiber or whatever is next, telephone, of course, and the agency's recent focus has been especially on broadband internet. So you may have seen the term net neutrality somewhere or other. I'm just gonna guess this crowd's heard that one before.
12:41
So the FCC proposed strong rules to protect the open internet, and just a month and a half ago the DC Circuit concluded that those rules were consistent with federal law, and net neutrality is the law of the land. So much of the net neutrality proceeding focused on
13:01
the kind of economics of innovation online, but at the time the Commission said, we know we're gonna come back and look at security and privacy, do more rules on security and privacy, and left that open for another day. And so earlier this year the Commission proposed rules for ISP security and privacy, saying that ISPs should be transparent about their practices, should have reasonable security protections in place for your data,
13:26
and that you should usually have choice, and opt-in choice, if your ISP wants to repurpose your data for advertising or anything else. We've also been vigorously enforcing security and privacy protections that are already on the books. So for instance, earlier this year
13:41
we settled with Verizon for tampering with their customers' internet traffic to insert unique identifiers that made them trackable online. There was an over-a-million-dollar fine, but more importantly Verizon agreed to make the practice opt-in for any of these headers going out to third-party businesses. We've also done data breach cases against AT&T and Cox.
14:01
And just earlier this week, you may have seen, we reached a settlement with TP-Link, a router vendor, over selling some routers that could be modified to create radio interference. But an important part of that settlement was TP-Link committing to working with the open source community and chipset manufacturers towards bringing Linux support, custom firmware support, to their routers.
14:24
So even when we're kind of operating in one of our classic areas, we're trying to make sure to promote innovation and make sure that sort of the freedom to tinker is protected. The freedom to lawfully tinker, my boss likes to point out. Let me close by touching on some of the exciting work in progress we have. So just recently the Commission set up
14:44
the sort of licensing infrastructure for upper microwave spectrum. Now, upper microwave spectrum I knew nothing about before coming to the agency. Turns out the technology is now there to make this very useful spectrum, and it's widely believed to be an important component of 5G wireless technologies.
15:00
So the Commission set out its security expectations for the spectrum and plans to address 5G more fully soon. Those expectations include that there be routing security, and for voice calls and text messages, community
15:20
security from one communications device to another communications device. We think that's what the use of the spectrum should look like, and if you'd like to hear more about it, one of my colleagues, Admiral Simpson, is going to be doing a presentation at the Internet of Things workshop here at DEF CON. We've also done quite a lot of work recently to address robocalls. The chairman sent out letters to the major telecom firms
15:44
saying he expects immediate action. AT&T has taken up the charge. They're leading a new multi-industry working group to deliver actionable results, including new deployments of call authentication standards, new efforts to make sure phone numbers like the IRS main line can't be easily spoofed, and efforts to build
16:03
compatibility in interfaces so folks can bring filtering, like spam button technology, into the phone system. And then, I mentioned earlier the agency has been working on security and privacy rules for ISPs. We proposed those in March, the comment period closed recently, and so that remains work in progress.
16:23
So that covers what I want to cover for the FCC. And again, this is your session. It's gonna be mainly Q&A. So there's a microphone there and a microphone there. Line up and we'll take your questions. Thanks. All right, start over here.
16:47
Yes, I imagine this is for the FCC. I'm wondering, what is your time frame for the telecoms to harden their SS7 vulnerabilities? So
17:01
we work closely with the telecoms to implement better protections across their networks, including SS7. The Commission hasn't put out a firm timeline on that particular issue, but an important part of the 5G communications work that the Commission's doing is saying, here's the way we think the world has to look going forward.
17:22
You know, obviously we're not going to tell companies how to build their networks, but we're gonna set expectations and we're gonna work with them to make sure they meet those expectations. And for now, that's an ongoing conversation, but the Commission does have regulatory authority and can always be firmer if that becomes necessary.
17:40
Over on the right. Hi, this question is for the FCC. What are some bits of advice you can give to private citizens so that we can be impactful during the request-for-comment stage? Lately it's becoming an increasingly politicized event, with large corporations lobbying excessively hard, and we don't have the monetary resources to have our voices heard, and
18:07
we as technologists know that some of the things that they're doing have led to stagnation of broadband in rural areas, increasingly nasty behaviors, like with Cox trying to do the opt-in service for additional privacy.
18:25
And it just seems that it's getting worse in some ways. How can we have our voices heard? Thank you. So let me start with the FCC component of this, then I'm gonna hand it off to Alan and Eric to address getting your voices heard in the processes they work on.
18:41
So the FCC's usual process for doing a rulemaking is we issue something called an NPRM, a notice of proposed rulemaking, where we say, here's what we think the law should be in this area, and then there is usually about a 30- to 45-day comment period, then another equally long reply comment period.
19:02
Then there's some period of internal decision-making. Stakeholders can continue to come in and meet with the Commission, continue to write letters to the Commission, and then ultimately the Commission proposes final rules. Then usually someone sues, and then finally, after judicial review, the matter is settled.
19:23
So that's the process. As for making sure your voices are heard, we'll have to be careful not to comment on any ongoing proceeding. I think it's fair to say that I've been really heartened to see how the process works,
19:42
being in the agency. Smart comments get noticed, and if you come to the conversation with something new to say, and especially if you have some real data to bring to bear, it gets noticed. And so sort of the best advice I can give on how to contribute to the debate is make sure that
20:09
what you write is, you know, not duplicative, you know, ideally doesn't use curse words at us, and gives us some really constructive input.
20:23
Those comments get singled out. Let me also add, just as a purely procedural matter, make sure you're commenting on the right proceeding. Every so often folks will file comments in the wrong place. And the system at FCC has recently gotten a lot better for filing comments. We have a whole new online comment filing system,
20:44
but make sure you file in the right docket, and make sure the issue you're writing in about is appropriate for that. If it's just not germane to the specific issue in front of the agency, by all means call that to our attention, feel free to
21:04
kind of reach out to who you think is the appropriate contact at the agency. But it's easy for it to get buried in a docket if it's not germane, because someone will review the comments and it just doesn't bear on this particular proceeding. So that's a kind of procedural note. Okay, so now over to Alan and then Eric.
21:21
So, as an example of a comment process that impressed me with how effective it was: a few months after I joined the Department of Commerce last year, I get a call from one of my colleagues in a different part of Commerce, called the Bureau of Industry and Security. He says, hey, we're about to release a proposed rule
21:42
based on this arms control agreement known as Wassenaar. So we had some discussions and we helped prepare them for the fact that they were going to get some strong responses. And we did get a lot of responses, and many of those were really helpful.
22:04
This was a case where industry and the security community were on the same side, but they brought two very different perspectives. That was very helpful. It's challenging because often people were commenting based on news stories that were based on other news stories,
22:21
and so by the time they filed their comments, it wasn't something that was directly related to the regulation, because a lot of this stuff is quite technical. So as Jonathan said, you know, make sure you have as much preparation as you can. But this is an area where we got the comments and
22:40
they were overwhelmingly negative. I think there was one comment in favor out of over 200. And so the US Department of Commerce worked with our government colleagues and has gone back to Wassenaar to try to renegotiate. And so that, I think, is an example of feedback from the security community driving policy in the direction that it should.
23:04
And so as you are preparing to engage, it helps to talk to other people. If you have colleagues or friends who are engaged in the policy network, they'll be able to give you a little bit of background. If you're curious, at least in our case, I don't know if the FCC can do it,
23:21
but in Commerce we'll talk to you about what we're looking for, so that you can tailor your feedback to give us the insight that we need to make good decisions. There are lots of organizations out there that are engaged in a lot of these issues, whether it's EFF or I Am The Cavalry. We need more advocates for security as a unique value.
23:44
So please try to engage and learn as much as you can, and then give us as much feedback as possible. So I'll just briefly add on; it's actually a bit of an outside perspective. So I'm not in a regulatory agency now, at GSA. Before this I was at an NGO, a nonprofit called the Sunlight Foundation, that did open government, does open government and transparency work,
24:04
for about five years, and I worked a lot on trying to make the regulatory process more accessible to people, because I watched many different times people leave the opportunity on the table to come and comment on a regulation. And I'll tell you that, like, the people who will always comment on a regulation that affects them are, like, affected businesses or the private sector.
24:28
Not very often, comparably, do you get, like, real public constructive input on things. And it's not always well known that, like, and this is distinguishing from a lot of other countries in the world, that in the U.S.,
24:41
like, executive agencies that are issuing regulations must respond to every unique comment they get. They have to at least acknowledge it in some way. And I've read many final regulations that went down and addressed all the different groups and notable comments that they got, and, you know, changed their minds on small and large things as they went. You don't always get your way,
25:01
but when you participate, you showing up really does matter. And that was my personal experience as an advocate and, like, open government lobbyist sometimes working on these issues, that showing up is everything. So I really do encourage you to, you know, literally, I mean, the Federal Register: if you go to federalregister.gov, they actually have added in the last few years a number of, like, really great alerting and feed
25:25
systems for you to follow things more easily. It's actually a really great team that built federalregister.gov. They were invited by OFR to do it after they did an app contest, as an outside group of developers trying to reimagine what federal regulation and commenting should look like. And there are other services that will help you do that.
25:44
I just strongly encourage you to take that seriously. I'll just add that at the FTC we often are looking for public input. Usually when we announce that we're having a workshop, there are opportunities to comment both before,
26:01
and potentially get on the agenda, as well as after the workshop. And we are very much interested in people who bring us data. You know, we want data. We want empirical results, you know, not just, you know, the opinions, which are nice too. But if you are a researcher who can bring us data, that's something that we are going to be very interested in seeing.
26:25
Let me amplify that point before moving on to the next question. We hear a lot from lawyers in the government. We don't hear so much from technical experts. And so that sort of input is incredibly valuable, and it gets noticed.
26:42
So you mentioned that the DoD now has a bug bounty but for sort of an opposite perspective One of the things that I do is run census.io and other scanning for security things and five years ago when we started the DoD Sent us a very strongly worded email saying you'd better stop scanning us. That means we can't participate them with them
27:00
We can't tell them about vulnerable TLS implementations. So how do you engage with the DoD beyond just submitting to their bug bounty? That's a difficult question given that none of us are from the DoD We're probably not gonna be able to give you the answer that you're looking for But you know in general The closer you get to communicating with subject matter experts inside different agencies
27:23
The more you get answers that make sense and and creative solutions to different problems The the defense the DoD hack the Pentagon program was started by the Department of Defense digital service Which is a relatively new team inside DoD. It's part of the US digital service, which is a White House initiative
27:43
that has created digital service teams in a few different agencies and But that's about the best I'm gonna hire. Maybe anybody here is gonna be able to give an answer to that I think just Large organizations are not monolithic And so the
28:00
As we said, you know the closer you can get to the people who engage the better in the private sector You know there we work with large companies Inside our process on vulnerability disclosure who are trying to figure out How can we work with researchers even as you know?
28:20
Their general counsel's office is writing comments about how we need to bring back DMCA controls on on their products. So The trick is to find the allies in any organization that you can I think this panel probably is a great way to start to find the right people and So good luck and thank you for reaching out. Yeah, and thank you also for running census.io
28:44
So I, at GSA 18F, use that data in our work all the time. I personally use it in my work to understand the government surface area and to report things to other agencies as necessary, and to tell people when they're falling down on something, and then to work with them to fix it.
29:00
So really, like, big thank you to you for that. So I'm a student who's going into my senior year at high school, and I was just wondering, how did you guys get into the federal government, and how could a prospective student also get in? Thank you.
29:24
So one, I think, and I'm going to speak for everyone, is that we desperately need smart, passionate, technically aware people in government. Desperately. And, you know, the advice I would give is it is fairly easy right now to go from the technical world into a policy track.
29:47
My background is in computer science; wasn't very good at it. So I have my PhD in policy, and when you're meeting... So Paul's, it means I'm a mediocre economist and a mediocre coder, and when you're mediocre at that many things, you end up in Washington.
30:03
And, you know, I was an academic, and then someone talked me in. But I think the advice I would give is stay on the technical side as much as possible, but engage in policy in your spare time, and eventually you'll find an issue where you can find the right person and weigh in, and they'll say we need you on our
30:22
team. Yeah, I mean, so as somebody who went... primarily my background is in software engineering. I have a CS degree, but I work a ton on policy day-to-day now, and it's really as simple as becoming an expert in something and being willing to talk about it publicly, privately, to leadership, without fear, and have confidence in what you say, and really develop your skills as a communicator.
30:45
Alright, so, like, being a good writer is just a universal skill that will make you more effective at bringing people into your way of thinking, projecting that you know what you're talking about, and that's something that, you know,
31:01
even if it's not going to be for, you know, even if you don't end up working on policy for some amount of years, like, take the time to keep exercising those muscles, to keep writing and to keep getting feedback on that and to keep becoming a good communicator. Yeah, so I started my career working at AT&T and
31:21
was doing research on privacy, mostly, and I actually presented research to the FTC 20 years ago. I went to their workshops, and when FTC staff said, can someone explain again how third-party cookies work? I would, you know, take time from my day to call them back and to explain it yet again.
31:45
Right, and basically became known to them as someone who is willing to explain these technical concepts in plain language. I then became a professor at Carnegie Mellon and have steered my students and their research to trying to make our research relevant to some of the policy needs and
32:06
submitting our results to government agencies. And so right now I'm actually on leave from Carnegie Mellon, and the chief technologist position at the FTC tends to be an academic who comes in for a year or two.
32:21
The other point I want to make for our high school student friend is that if you know that you're interested in government service, there are scholarship opportunities for you. So Scholarship for Service: basically, if you are a US citizen and have technical interests, you can get the government to basically pay your tuition in exchange for you then
32:45
committing to do some work for the government. And so it's a great opportunity. To amplify something Lorrie said, it's about explaining things to other people. I mean, the community that we're all a part of here, that this conference is, is tremendously huge. Even just this room is filled with people. This is a large, amazing community, and you could spend years,
33:05
you can spend your entire career communicating to and within this community and go very far, but there are certain kinds of things and certain kinds of impacts that require you to speak outside this community and to make your work accessible and approachable to a larger set of people, because
33:22
even a lot of people who aren't professional information security folks or professional privacy folks have an interest in that, aren't dumb, and are intellectually curious and are willing to apply and integrate that stuff into their work. So it's something to remember too, that even though, you know, you may never be confronted in your life with a time when you have to communicate
33:43
to the broader community, like, there are certain kinds of work that you really should do that. So I'm also a loaner from academia; I'm on loan to the FCC from Stanford.
34:02
We can't all go to school at a country club. So I'm at a different stage of my career from Lorrie, of course. I hope to be faculty in the not too distant future, but I'm just rotating out from grad school,
34:20
and so I want to note there are opportunities absolutely at that stage of your career, coming out of academia. If you don't know what you want to do next, you're gonna take a little gap between what you're doing in academia and whatever comes next, the government has great roles there. Um, there are a bunch of great opportunities straight out of college, straight out of grad school.
34:41
There are programs to support that. More programs are coming online all the time. There are also wonderful internship and fellowship opportunities to explore. Even with, you know, a six month or one year stint in government, you can have a tremendous amount of impact. Or a summer internship, which we actually have three summer interns at the FTC in technology roles this summer.
35:05
And I really want to emphasize Eric's point about communicating with folks in government. I think, having worked on both sides, and I guess I should come clean, I'm also a lawyer, the way in which folks communicate in the hacker community is very different from the way folks communicate in government, and,
35:28
you know, for better or for worse, learning how to sort of speak Washingtonese is really, really important. That's something you can learn in advance of coming to the government, and it's a great skill set you can pick up if you spend some time inside the government.
35:42
Yeah, great. Thanks. Dan Tynan for the Guardian. I have a question for all the panel members, and it's kind of a general one. There's been a lot of speculation lately, given the hacks for the DNC and Hillary Clinton's campaign, that the actual election could be hacked, in particular by a certain nation-state whose name begins with R.
36:01
So I'm going to ask you to rate on a scale of one to ten, one being not a big deal, ten being holy shit, how worried you are about this happening, and if so, what worries you most. So remember when I was talking about learning how to speak Washingtonese?
36:26
Yeah, I mean, I don't think it's... it's not really any of my area of expertise here, and so I'm gonna use this as a pivot, which is: the other aspect of engagement in policy is to know when
36:46
to say, that's a great question, but I don't know. Let's bring in actual experts. And fortunately, since 2000 there's been a lot of great research on the security of electronic voting machines,
37:03
and I don't know where some of the obvious people are here, but there are a couple of great professors out there. The other lesson I would take away that's highly policy relevant is, if you really are interested in this, go and volunteer for your local elections board. You will be the only person there under 70.
37:25
The 70 year olds are wonderful, and it is a great way to learn how complex the technology and the bureaucracy and the ideal high-level goals of democracy all work together. So if you are interested in understanding the security of the election system, get some on-the-ground experience
37:45
while you're hacking your election device as well. Yeah, I've been an election judge in Pittsburgh for the past 10 years, and it's a really interesting and eye-opening experience. I definitely recommend that.
38:01
First off, thank you all for coming here today. I can't imagine it's exciting to be told you're gonna be at DEF CON representing the feds, but thank you for coming. Appreciate that. And that being said, I have two questions, mainly for the FTC. Where do you see the breach insurance industry going, and do you see that's going to drive the private sector upping their cybersecurity game? Because we know legislation ain't gonna do it. And is that a growing or stagnating industry?
38:26
So that's my first question. The second question is, you said a minute ago you want smart and passionate people, but the government culture tends to bring out a least-performance-necessary attitude. Is there anything being done at the executive level to change that culture?
38:43
Yeah, so on breach insurance, yeah, once again, I'm going to say that I'm not an expert in breach insurance, and I'm not really sure. On the issue of getting smart people to want to come to government, I think that
39:01
the, you know, the administration has made a number of pronouncements about wanting to do this, saying that, like, you can wear t-shirts and jeans to work. You know, it's a good start, but that's not enough. You know, just along those lines, I think that, you know, within our agency, we're an agency that's mostly attorneys, and
39:21
it's set up to work the way attorneys work, and as we are hiring more technical people, we're saying, wait, we may need to do things a little bit differently for our technical folks so that this becomes the kind of place that they want to work and where they can thrive. And I think the leadership is very much open to that. I want to add something on the culture change. So 18F is a new office.
39:43
We're about two years old in the GSA, and one of our missions there, and in the rest of the government, is to work on that cultural problem, to attract people to government and also to make it a great place to work for people. I'm actually, I really enjoyed my job at GSA. It's actually the nicest, most humane place I've ever worked, in terms of remote work, in terms of, you know,
40:04
being in the cloud for email and docs and calendar, for having really nice people to work around me, to have computers to deploy things to, etc. And that is a really valuable thing. There's something that's really dangerous, though, that I know we have encountered and I've encountered, is that it's very tempting to talk about
40:23
culture change as people change, and to talk about problems that you perceive in the government as problems with the people, and that's really not the case. The government turns out to be filled with a lot of really smart, well-meaning people in some really terrible incentive structures, with a lot of fear that drives
40:40
executive level decisions, like fear of being criticized, fear of being punished, fear of being hauled in front of whoever. And that is the thing that you have to attack: through transparency, through a little bit of courage, through changing incentive structures as necessary, to reinterpreting or rewiring rules around hiring, all those things.
41:00
And yes, those things are all being worked on at the executive level and at the rank-and-file level in different ways. It is just a big problem. The US government is the largest organization in the history of mankind, and it's very decentralized, but it is being worked on all over. The only thing I would add to this, as somebody who's quite new to government, is some advice that was given to me
41:22
when I was first approached, which is: your first boss is really helpful. And I'm lucky, and I think many of us are lucky, to have fantastic supervisors who recognize that doing Meet the Feds and something like that is really important to the missions of the policy that we're trying to change.
41:43
And so if you are contemplating joining government, think a lot about your supervisor and what that relationship is going to look like, because a great supervisor just makes your job a lot more fun. Hey, my question is, what kind of metrics or data points do you guys capture to make sure that your organization is safe,
42:06
or secure, or on the right track? Yeah, so: what kind of metrics or data points do you guys capture to make sure that your organization is safe or on the right track? I'll let you guys...
42:22
Yeah, sure. So, I mean, it varies, right? So in terms of monitoring your own systems, people use all sorts of different scanning tools. People use all sorts of different metrics about the kind of costs that are incurred on those systems.
42:41
I know that, so, one of the things I work on is measuring encryption presence and quality around the government, and around 18F's and GSA's systems especially, and, you know, using all the same tools that you all probably use: things that are based on libcurl, things that are based on SSLyze, use data from IPV sit, from ZMap scans of the internet.
43:02
You know, we're running in Unix-based environments and doing that same sort of work. And so, you know, we use the same tools that you all do, and use that to improve our work. So I believe we're getting the signal from the goons that it's time to wrap up. So thank you all for your questions. We're gonna stick around for a few minutes to allow additional questions outside.
43:27
Please exit by the door on that side of the room. All right. Thanks again.