Walk This Way: What Run DMC & Aerosmith Can Teach On Future of Cybersec
Formal Metadata
Title |
Series title |
Number of parts | 85
Author |
Contributors |
License | CC Attribution 3.0 Unported: You may use, modify, and reproduce, distribute, and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner they specify.
Identifiers | 10.5446/62214 (DOI)
Publisher |
Year of publication |
Language |
Content Metadata
Subject area |
Genre |
Abstract |
Transcript: English (automatically generated)
00:00
So we have a pretty interesting talk today. We have Jen Easterly and our own Dark Tangent. They're gonna give us a little discussion about how Aerosmith and Run DMC can tell us about the future of cybersecurity. So, enjoy. Okay, hi, thanks for coming to our talk and I'm gonna reveal our agenda.
00:23
This is what we'll be covering. It's blank, because this is gonna be a more unscripted conversation between Jen and myself. And we have a couple things we wanna cover, but really we wanted to have a sort of an authentic conversation, not a scripted thing where I have to make sure I ask a specific question
00:41
and so on and so forth. So, it might not be totally smooth, but it'll be totally interesting. And then at some point, we're gonna start involving the audience with some questions. And so you can listen to us, maybe work through some of your questions. And before we get started, I have to deconflict myself. I actually am on the CISA advisory board
01:03
and so I'm gonna be repping my Keep CISA Weird shirt. So, just to remind the director that just because it's government doesn't mean it has to be boring. Love it. I should've brought mine, now I feel kinda guilty.
01:21
Yeah, look at that. In the Blade Runner font, for those of you wondering what that font is. You should show them the back. I can't read that. What does that say? It says, how about a nice game of chess? Yes, a nice game of chess. Which, Kenneth Gears, is running the chess competition at DEF CON in case you wanna have a nice game of chess?
01:42
All right, let's kick it off. Why are you here? Yeah, well, let's see a show of hands. How many people know what CISA is? Wow. Oh, that's pretty good. How many of you work for CISA? Yeah. No.
02:00
Well, maybe I can leave. My job is done here. Yeah, we've converted them all to employees. So, as you know, CISA is the newest agency in the federal government, founded by our mutual friend, Chris Krebs, about three and a half years ago. And I think events like this, especially with the folks who are here,
02:22
are so important for us to develop trusted partnerships with. And so, you and I, before I was confirmed, had a great conversation about the importance of this community. And certainly, from my past in the Army, at the NSA, and even at Morgan Stanley, where we sent folks here,
02:41
realized that this is such an important community for us to connect to. So, I was excited to come hang out with you. Yeah. And have some fun. You're all important. We're gonna talk about that, I think, a little bit. It's interesting, because when I started with DEF CON, and it was all about the technical,
03:01
and it was all about the party, and it was all about the hack, and the social grew up around it. And we'd always talk about keeping true to the core of DEF CON meant that you had to stay kind of hacker. And all the things that weren't hacker, that's fine, too. But if you lost that core, you might drift, right?
03:20
And then you're not quite sure what your identity is. And one of the things we do with DEF CON now is when we're reviewing papers, is we say, we're not an infosec conference, we're a hacking conference. And there's difference. Here, it's maybe the joy of discovery, spontaneous learning. Infosec may be advancing your career, or honing a technique that will help you in your job.
03:42
Have you ever really thought through, what is the core of CISA? Like, what is your guiding stone, where everything else kind of orients? So we've had 30 years to figure it out, and you've had a year and a half, plus what Chris had. Well, a year and a couple weeks, anyway. Yeah, yeah. Well, it's a good question,
04:00
because one of the first things that I looked at when I got there is, you know, what's our culture? What are our core values? What do we expect from each other, and what do we aspire to be as an organization? And because we were built off the back of a staff element, we really didn't have any of that. I was curious, if you can share the numbers,
04:21
like, what's average turnover in like a government agency or in CISA? What's retention even like in that? Yeah, I mean, it's actually pretty good. Retention, our turnover, our attrition, and I separate attrition from regretted attrition, because not all attrition is necessarily a bad thing
04:40
for the organization. But it's under probably like 10%, so, you know, maybe in some case under 5%, but it's low. Compared to, say, Amazon at 40%, not looking so bad. Yeah, but I have a different philosophy. I mean, so attracting and retaining talent is really predicated on developing a great culture,
05:02
and that's why we've laid out what the core values of CISA are, what our core principles are, but if somebody wants to come in to defend the nation for a period of time and then go back out to a critical infrastructure owner or operator, you become part of the collective defense of the nation, so I'm totally cool with that.
05:20
You know, come learn what it's like to work in the federal government. We are probably as much like the private sector as any place in the federal government, and so I think it's about building the capability for the nation. I remember when I was spending time in D.C., there was always like the politicos,
05:40
the full-time employees, and the contractors, and there were these three communities, and they're all working at the same agency, but you know, they're different, and they have different interests and different motivations and everything, and originally at big DHS, they had quite a large number of contractors, and I remember having a conversation with some leadership back in the day
06:00
saying if like 60% of your workforce are contractors, that means the remaining 40% have to be really good at managing contractors, right? You have to have expert skills, but if your 40% is just like those 60%, so does it mean that because you're building that culture, you have to have the culture of managing contractors, or is it you treat everybody
06:24
identically, knowing you have to have different skill sets for the, you know, how do you, it's not like managing corporate America. For me, we are just riffing here, so it's just, for me, I really don't see a distinction, I mean, there is a distinction
06:41
in terms of certain rules, the way a contract is handled, so for example, you know, I'm a big mental health advocate, so we made 2022 the year of mental health and employee wellbeing, but really everybody's wellbeing, obviously, if you contribute to the mission of CISA, but one of the things that we did was we got Headspace, the mindfulness app,
07:01
do you use that? Okay, I don't use it, but yeah. I recommend it to you. So it's good for meditation and mindfulness, but so we got that for all of our employees, we couldn't get it for the contractors, so there's certain like legal things, there's training that we offer that we can ask contractors company to offer to them,
07:21
if we give days off, we can work with that vendor, but otherwise, I just see, you know, everybody is part of Team CISA, same values, collaboration, innovation, service, accountability, all of us same principles, and we have a culture council that we stood up to make sure that we are guarding our culture
07:41
and embracing it. So the people in other agencies looking at you like, what the hell is Jen doing? Or are they like, that's awesome, we want to imitate that. That. That, okay. I don't know. I think people see that we're having a lot of success with bringing in talent. Yeah. And so that's good, I mean, partially that is the culture that we're building,
08:00
but it's also because we were uniquely given authorities as America's cyber defense agency. I mean, the Congress went all in on us. They gave us more money, more authorities. They gave us something called the cyber talent management system, which allows us to hire much more agilely and pay more. Like one thing that always drove me bananas was,
08:22
you know, you have to have a bachelor's degree or a master's degree or a PhD. I mean, and then you get a PhD and come in as like a GS-11 or something. Right, doing malware analysis. Exactly, like I don't really care whether you have a college degree or not. My most technical person at Morgan Stanley, my head of cyber analytics had no college degree.
08:41
And so I think it's really about aptitude and attitude. And that's why I think the culture piece is so important because you might be the most technical person in the world, but if you're an asshole, like that's not gonna be good for the culture that we're trying to build. And so, you know, aptitude and attitude
09:01
is what we need to do. And the CTMS takes us there. It also helps us pay closer to market, not what I paid the guys at Morgan Stanley, but closer. The CTMS she's mentioning. Oh yeah, you started that, right? Well, like eight years ago or more, we did some recommendations on hiring in DHS and how to retain, attract.
09:21
We were really big on this concept of verification of talent. So you have to prove your skills. Demonstration of skill, I think, is what we called it. And then that way you would hire, doesn't matter what your education is, if you can demonstrate the skill, then you're qualified. And it was a good report.
09:41
People agreed with it, and then nothing for, until just last year, seven years. And so, speed of government. But now that it's happened, now you can run with it. And so, yeah, it's like slow, fast. In our world, in hacking, you expect things to happen very quickly,
10:00
but in government world, sometimes things are slow. And I kind of use that to balance both sides of my personality, right? But it's a bureaucracy. People ask often, what keeps you up at night? You know, the adversaries are out there, and they're really sophisticated and increasingly complex threat landscape.
10:20
But for me, it's battling the bureaucracy, both so we can attract and retain good talent, but also be able to do the mission. We have to be able to move at the speed of cyber and not at the speed of bureaucracy. You can't get a PhD in bureaucracy, can you? Or government. Yeah, or government, yeah. And so, that's the thing that I worry the most about, and that's the thing that we're fighting against,
10:42
is how can we do things much more like the private sector and battle the government bureaucracy? And we're starting to have a lot of good success. And part of it is, what we've been talking about since over a year ago, is how do you build those trusted partnerships since this whole talk predicated on unlikely but powerful partnerships,
11:02
Run DMC and Aerosmith, 1986, Walk This Way. I like the DMC, I'll take that, that'd be good. One of the things, I think we talked about this, is that, and I'm curious, by show of hands, how many people trust an organization
11:22
versus trust an individual? Like, you don't trust, say, the FBI, you trust your buddy at FBI, or you don't trust Microsoft, you trust your buddy. So, show of hands, who would trust the organization and who would trust an individual that you have a relationship with?
11:40
Right, and so I think knowing that, trust no one. Trust no one. Yeah, and so I think that means that we have to organize, right, you have to build a way for people to build those relationships with your organization and then maybe over time, they trust the organization more and more and more, but yeah,
12:00
until you have that kind of continuity of trust, because I think when the shit hits the fan, they're gonna call up their buddy. They're not gonna call the switchboard. No, I mean, that answers your question, right? I mean, that's why I'm here. And that's why I spend so much time engaging with people and on the road and going to various events to meet people. Right, but behind you, you have to have a team
12:22
or a group of people or. Yeah, I've got an awesome team. A lot of them, as you know. A lot of them are here. But no, you and I talked about this, right? And I just came from a discussion around elections. And the word, the operative word for all of this is trust at the end of the day. And so the question is,
12:41
how do you actually build trusted partnerships between the federal government and all of the partners that we need to work with? Because we're a voluntary agency, we're not a regulator. And our job is to defend critical infrastructure. And we don't own the vast majority of critical infrastructure. So you have to have trusted partnerships so we can work together to make sure
13:01
that everybody has the guidance and the resources and the tools to be able to defend the nation. And so again, it's about trust. And again, what we talked about, what we've been trying to do through the Joint Cyber Defense Collaborative, as you know, through our Cybersecurity Advisory Council, through the Technical Advisory Council,
13:21
and I really want you to talk about that, through the CSRB, the Cyber Safety Review Board that you and Rob Silvers and Heather Adkins talked about, is creating trust between the federal government and all of the stakeholders to include industry. And I see the most important things is you got to approach it with, first of all, humility.
13:42
We certainly can't solve this problem as a government. We don't have all the answers. And so humility, I think, is truly important. I think vulnerability is something that's so, it's interesting, right? Because vulnerabilities are such a negative word in our technical community, but I think vulnerability is an incredibly important thing when you're talking about building a trusted relationship.
14:02
I think transparency, something we always talk about, transparency builds trust, and that's huge for me. And then finally, like gratitude, bringing together the community and sort of figuring out how we can appreciate what every side is bringing to the table. So you mentioned a couple words that really resonate with me, right?
14:22
One is transparency, just because DEF CON, we've done so much work trying to build, you were the first conference to use like a transparency report to try to tell people what happened. That's a little painful because you don't like revealing the bad things that happen, but the good that comes out of it outweighs the bad, right?
14:42
And the other thing I think is this is a global game now, and so things you do are setting a standard or an expectation with all the partners and allies and frankly, you know, opponents. And so it's almost like if you could set up your organization to play,
15:01
so what is team rule of law's strengths? It's transparency, it's accountability, team authoritarian doesn't want to be transparent, they don't want to be accountable. So it's like the more we can emphasize and highlight that contrast between both sides, team undecided in the middle,
15:21
they can make a more informed decision of which team they maybe want to associate with. And so I think the more that you or I or any of our organizations can operate in a transparent or an accountable way, it makes it that much harder for your opponents to say, oh, well, we're transparent too. Oh, look how accountable we are. No, we might have other things that are similar,
15:40
but draw the contrast. And it might be hard for a government to do that because you're so used to not, or the liability of being transparent, right? You might have laws against it. It's really interesting. So I spent the first 27 years of my career in the Army, a good portion at the National Security Agency.
16:02
I was at the White House under the Bush administration, then under the Obama administration, then went off to Morgan Stanley for four and a half years. And when you think about the first half of that, being in the intelligence community, it was a little bit counterintuitive to say, okay, we want to be really transparent with everything.
16:22
Not because we didn't believe in transparency, but because there's always a fear of sources and methods getting compromised and then not being able to do the mission for the nation. But I think increasingly, and this was after 2013, there was a real embrace of transparency
16:42
because ultimately government has to be accountable to the American people. And so I've seen a very good evolution in the embrace of transparency. And frankly, at CISA, because we are such an outward facing agency, every day is working with private sector or state and local election officials.
17:02
It is about, we know that unless we're transparent, unless people can understand why we're doing what we're doing, the products are going out, we're asking for feedback from them, unless we're being completely transparent, the model breaks down. I don't have a badge where I can show up, I don't have like subpoena power.
17:20
And so it's all about, okay, why should you trust CISA because we add value, because we're responsive, because we have great expertise. So it's the all kids, all carrots, no sticks kind of. Not really. I mean, we have very, very small regulatory power on the chemical facilities, anti-terrorism side,
17:41
there's a physical security. So it has to be voluntary. But it's all voluntary, which is like, frankly, I embrace because I think if we were a regulator, we would not be able to create the trusted partnerships. You'd be in court like every other minute, you wouldn't get anything done. When I was in finance, it's not like,
18:00
hey, let's go rush to tell the regulators when things have happened. When we discovered something, yeah. Yeah, and for the stuff that we talk about, you guys did some great work, and I really want you to talk about this on coordinated vulnerability disclosure. You have to have a relationship where you can have that trust with the researchers and then ultimately be able to put information out
18:23
that people are gonna have confidence in, believe it, understand it, be able to mitigate vulnerabilities. And it's just incredibly important. So can you talk a little bit about the TAC? Yeah, so, okay. So Jen constituted a security advisory committee
18:41
for CISA. And it looks at, I think we have what, seven or? Oh, yeah, probably seven big things. It's about how do you build the agency? How do you evolve America's cyber defense agency? So it's a very eclectic group. But I really want, and not everybody's technical, right?
19:01
Some people come from. Yeah, and you're doing infrastructure and energy and misinformation. You know, we have different. Finance, energy, exactly. Yeah, finance. And so out of that spectrum of subgroups, I'm chairing a technical advisory committee. And the part that was really cool is I can bring people in from other countries. Clearances aren't necessary.
19:20
All of our reports become public, and we just published two reports, one on threat intelligence and one on vulnerability disclosure. And we'll be producing more reports in the future. And so I had a lot of leeway to attract a diverse group of people. And yeah, it's been really amazing
19:42
because unlike the big HSAC reports that would take a long time and be very large and there was no immediate impact, we delivered our first reports. They were voted on by the overall committee. They were approved by the director. And two weeks later, we're having calls with people inside CISA from those teams
20:01
and threat intel digesting a report, excited that we've given recommendations, already making changes inside the organization. Like, what's going on here? I'm not used to that. It's not your daddy's government. No, and they're excited. And they're like, wow, you gave us a great idea. And that reinforces this other thinking
20:21
that we need to tie a connection between just not the threat intel, we need to start enriching it with metadata because the people in OT, they wanna know, do I really have to turn off my vaccine processor to patch this or can I just put in a firewall rule?
20:41
Like, yes, you said this is a critical nine, but what does that mean to me, right? And so we wanna create, one of our recommendations was essentially creating a way to enrich these with metadata in a community portal where people, the other vaccine manufacturers can say, no, no, no, we're running that Philips gear, just do this other thing. And then we're missing that.
21:03
And what that does is without that metadata, people are frozen within decision and they're running all these risks, right? So we can speed up that loop, making the threat intel more valuable faster. And so there's other interesting recommendations like that,
21:20
but just the speed at which they got it and they wanted to implement it. And so I think for the rest of the technical advisory committee that have never interacted really with government before, there's a lot of them, this is their first chance ever being on an advisory committee. It's really empowering to them. They're really excited, like they listened to us.
21:41
They did something like this is not how it's supposed to be. And I'm hoping that through this experience, more and more people want to get involved. And so for example, we would interview 20 different people on a report. So even though you're not on the tech, if you're a subject matter expert in something we're looking at, we might call you up
22:01
and you might come in and give us your opinion. And because of that, we get people across the whole industry, small manufacturers and energy giant Southern corporation style, huge companies. And we're really focused on diversity of opinion, because what we're finding too is there's no one single use case,
22:21
especially in vulnerability disclosure. There's some people that are out of business. Companies are out of business, but they're widely adopted. How do you disclose that to the manufacturer if they're gone? Who can bless that it's okay for you to reveal that publicly? There's no law, there's no... So you can run into these thorny issues
22:41
and CISA acting as sort of a governance mediator, I argue that they should take on more of a coordination role and get between sometimes between the researcher and the company, because a lot of researchers, we don't wanna spend the rest of our lives
23:01
arguing with the company, we found the bug, we want the right thing done, but I'm not willing to sacrifice three months of pain. Yeah, and that's exactly what we're doing. We have the platform and recently we did this for elections, actually. Folks might've seen a report we did working with a researcher and working with Dominion
23:22
and that was a really complicated coordinated vulnerability disclosure and so we spent a lot of rigor, very deliberate efforts to do that and sometimes it's hard to necessarily mediate the middle of that, but it's really important. And the interesting thing is people say, well, what's the role of government?
23:41
And it seems like role of government is to get involved in these sticky issues that don't have a clear business solution, right? It's like a conflict between sort of commercial and civil society and you need a disinterested third party to make those hard calls on some of them. Yeah, and disinterested is an important word
24:02
because we are only, I mean, our north star is defense, which is kind of pure to me, like having been on the offense side, I actually liked the defense better and I think defense is the new offense, but it's a pure mission and so I think that's really important
24:21
when you think about we are only in it to defend the nation, but I wanted to pick up on something you said because this morning I got to just chat with some of the researchers that we built relationships with over the past six months and it's kind of funny, the one was Jags, if you know Jags and then Silas Cutler.
24:41
Yeah, Silas is always fun. Yeah, and then I saw Marcus over at the EFF poker tournament with Kurt, so that was fun too, but I met those two guys because they reached out to me on Twitter, like actually with some critical, like Jags had some, he was unhappy about something that we, decisions we had made
25:00
and he just sends me this DM and I said, well, let me give you a call. What's your phone number? I didn't know who he was. You didn't know who he was? He like talked it out and actually he was, we talked through it and he was the one said, well, you know, cause it started out with ignite the hackers. He's like, no, what you really need is this technical advisory council.
25:21
I said, well, I've got, you know, Jeff Moss. He's like, well, he's fabulous. I said, yes, I know, but you know, I am such a fan of the incredible power of researchers. Yeah, the community. The power on the government side, but on the private sector side, I mean, we are really leaning into working with everybody who wants to be part of this community
25:41
and, you know, Silas worked with us on the Maui ransomware report that we did doing some fantastic reverse engineering. Jags worked with us on the hermetic wiper stuff for Ukraine and so these types of collaborations are just so absolutely critical and I think we're making some really good progress.
26:01
So talk a little bit, like I'm always curious on, since it's a global nature, like when you're talking to our partners or others, how do they, do they come up and say, hey, how's this working? Are they lessons that can be imitated or is there, you know, society so different that it's, we're kind of like a unicorn, like.
26:21
Yeah, other feds, you mean? Yeah, or other countries like Australia, UK, anywhere European, like, you know, I saw you signing an MOU with Ukraine. Victor was here. So what is the MOU? Like how do they see CISA in the US government? It's not an MOU with FBI or NSA, right? It's the defensive agency.
26:41
All defense, but that's the beauty of it, right? Because every country has different things on encryption, different things in terms of authorities they can do on the offensive side, different things that they're doing on the foreign intelligence side, but defense is pretty much the same around the world. And so we have fantastic relationships with over 100 CERTs
27:02
because we're US CERT and ICS CERT. We have what's called the International Watch and Warning Network, which is 16 nations across the country, really terrific information sharing partnerships. And then of course, we're very, very close with all of our Five Eyes partners. And so the international piece is fantastic.
27:21
You know, whenever we talk about the JCDC, we lean into the private sector part, but the JCDC includes all of our international relationships to include Ukraine. And we had this terrific, as you said, meeting with the sort of four different agencies across Ukraine, we did this memorandum of cooperation, which is really about capacity building,
27:41
as well as ways to more agilely share information. Is there like the equivalent of a, if you see something, say something, sort of like we're the US government, we see something, we're gonna say something to the UK or Ukraine, is there sort of that kind of- Yeah, like 100%. Yeah. So we see, obviously, if there's an imminent threat,
28:00
you know, we will, whether it's private sector or whatever, we have an obligation to ensure that we are getting that information out, but sometimes it's just dots, right? Suspicious activity. Only in hindsight, yeah. And so we will always lean forward because we think- So it's a bias toward- It's always a bias towards action.
28:22
We'd much rather be in the proactive space than in the reactive space because left of boom is better than right of boom, which is why the name of the game is resilience. But, you know, a great example is, you know, Albania, right, the whole thing happened, that came out,
28:41
and we have a good relationship with their CERT and so we were able to help them based on researchers that came in to work with the JCDC to do some malware analysis and to give back some really important information to them. And so it's really, you know,
29:01
this community coming together for the global defense. Well, that was, gosh, there's so much to talk about. Man, we could have beers, we could have beer all night. We have to ask questions. Did you say beers? I wish we had some beers. Yeah, because I can drink. I don't know if you're technically on duty, but I don't know. Yeah, I stopped drinking in 2021, which I think was a bad idea.
29:24
Yeah, that's good. Let's go for a question or two. And then, but I wanted to get back to your North Star. You said that core principle, right? You're like, we're a hackathon. This is a defense organization. And you are what? Defend today, protect the... Well, Chris and I talk about this.
29:41
It started out defend today, secure tomorrow. Secure tomorrow, to sort of show, put out today's fires. Yeah, and secure the future. But think longer term. Sure, I mean, the emerging tech piece is, we do the quantum piece, as you know, a lot of work on that with NSA and NIST, and focus on 6G, focus on security of smart cities.
30:02
And so we're working... So there's this longer term perspective. You're not just a firefighting agency. No, and we don't want to be. We want to actually ensure that all of our partners are building resilience into their systems. And that's one thing, from a tech perspective. We've talked about this at the Cybersecurity Advisory Committee.
30:22
I spend a lot of time talking about things like multi-factor authentication, more than a password, and all the basics. But what I think we need to do is ensure that the big technology companies are actually taking accountability for baking security into their systems, so users don't have to actually
30:40
ultimately worry about it. The people I think most responsible are the people closest to the levers of power. And if you're the manufacturer, you're Microsoft, not to beat on them, they do a great job. But if you're Microsoft, you are in the best position to make the correction, not a third-party piece of software you have to run on top of your operating system. And so I think there's that responsibility there.
31:01
And they've been acknowledging it in Apple and Google, but I really think that the more that can be done at close to where the problem is, that frees us up to do... 100%. And I think they're recognizing that as well. I mean, part of the executive order last year was to signal that use of the government's purchasing power. So if you have contracts with the government,
31:21
some of these requirements will become necessary to do business. You must be this tall to sell to the government. Sort of, exactly. So we're getting there. And then your other point about the federal partners. I think the other really cool thing about the JCDC is it's the only federal cyber entity that by law brings in CISA, NSA, FBI, DOD, DOJ, ODNI,
31:46
the National Cyber Director, Secret Service. So by law, all on one platform. So we stood this thing up. Different than a fusion center, right? Exactly. We stood this thing up, but it's not CISA's. It's a platform where government, where industry can come to government and not have to have that PhD in government
32:03
to figure out how to interact. Right, right. Okay, let's go for some questions, guys. Who's got a question? Does CISA influence how Congress appropriates money to go to state and locals for cybersecurity? Can I repeat the question?
32:20
Yeah, the question, can we influence how money goes to state and locals? And certainly, I have to say, we have been really blessed in terms of our engagement with the Congress. Cybersecurity, happily, is still a very bipartisan issue.
32:40
And so when I go up on the Hill, whether it's to talk about my budget, whether it's to testify, just an update on what we're doing, the questions that I routinely get from the House and the Senate are, what more can we do for you? Which is not the question that you will always get from Congress. And so that's actually really, really encouraging.
33:01
And one of the things that I talk about the most are the importance of us being able to work closely with state and local to do all kinds of security, but a lot of focus on election security. And so we are always advocating for state and local. And the grant program that we're about to do, the NOFO, the Notice of Funding Opportunity,
33:23
I think will be really, really important for state and local. I thought it was great. That was in the last package, a billion dollars, 200 million this year, hugely important. And the other thing is, two other things. So we are, over the next few years, really growing our field force,
33:40
which is one of the things I'm most excited about, to have more folks out all across the nation. Out of the Beltway. Yeah, exactly. It's where I love to be, out of the Beltway. Working with state and local, we've got cybersecurity coordinators working with every state CISO, state CIO. And so we're really gonna dig into that.
34:01
I've got my cybersecurity advisor for Region 9, which is based out of California, Joe Oregon, I think he's in here, and David Rosado heads that. But we are totally leaning in on that. So please continue to give us feedback. The other thing, we're trying to be creative in terms of, first, how we help small businesses.
34:23
Because they are really, as Josh Corman would say, often in the space of being target rich, resource poor. And so we've done a lot of work in terms of how do we break things down to make it simple for a small business to be able to protect itself, knowing that the median size of a small business is 10 people, and so small businesses
34:42
are out in everybody's jurisdiction. And then also trying to be creative. We were, as part of the committee, working this really cool pilot, like a town gown, right? It's awesome. This town gown pilot in Austin with Mayor Steve Adler and Bobby Chesney, who they're both on our board, to try and-
35:00
Bobby made these shirts, so I blame him. Yeah, Bobby made the shirts. And so what we're trying to do is, Austin has this 311, so people can call, and if they've got an issue, somebody's on the other end of the phone to help them. They turned out to get a lot of calls about cyber stuff. And so now we're gonna have students on the other end who are gonna be trained in how to respond to things,
35:21
and then that will also help them get- It's the Cyber 9-11, and so our 811, 611, you can call 311, and get some help. Exactly. So creative ways to build the bench throughout the nation and to raise skills. One of the things, lots of acronyms at DHS, but one of the things I like
35:41
is it's a ground-up organization, grassroots. It comes state, local. But there's an acronym, SLTT, State, Local, Tribal, and Territorial, because we are more than a nation of states, right? And I always respected that because it was always the SLTT. SLTT. Because you never hear people talk about the tribes and the territories.
36:01
I mean, some presidents don't even know that we have territories. And so, it's confusing, I understand. But yeah, so it's really nice to see that DHS really recognize that, no, it's all Americans. This gentleman here, and then we'll go over to this gentleman here.
36:36
Cyber security tools, whether it's software, services,
36:40
software as a service, we don't have our own fire department. We don't have our own police department. We don't have our own army. Yet we now have, so my question to you is, has there been discussions about what role government will play, whether it's federal or at the state and local?
37:00
I think you gave some great examples. But where it's security as a service, almost like a tax dollar-funded provided service that a company can sign up for where the government is watching for them and notifying the small and medium-sized business. Yep, yep. So if you are a critical infrastructure,
37:22
and I don't know if, there are actually some small entities that are critical infrastructure, that is part of our core mission. We are working with businesses large and small as part of critical infrastructure to ensure that they have tools and services. And frankly, a lot of our stuff is free, which is a great four-letter word.
37:42
So you think about, and I would invite you to take a look at our website because a lot of that information is there. And we just updated what we call a small business cybersecurity action plan because we wanted to break it down as simple as possible and then provide all of our no-cost services. Some of this stuff is pro bono provided
38:01
from our industry JCDC partners. So we realize that small businesses and small entities don't have the wherewithal to create these huge security teams like I had at Morgan Stanley. And so we're spending a lot of time, again, trying to make sure that the resources are out there and broken down in a way that all businesses can avail themselves.
38:22
And so I would say follow up with us because I'm really interested in particular in feedback on what we're doing with small businesses because the other part of critical infrastructure is now it's also a blurry line because just given the interdependencies on the supply chain, you might not be the classic member
38:41
of critical infrastructure, but you can very well be a vendor for that critical infrastructure. So what we're really trying to do is have a very large blanket across the country as we continue to grow our own capability as America's cyber defense agency. This gentleman over here. Repeat the question.
39:14
All right. He asked, Chris Krebs at Black Hat was talking about several different things that could be improvements and one of the suggestions he's had
39:22
was potentially separating CISA and creating its own standalone. The question is what are the pros? What are the cons? Yeah. I think over the last two decades when I think about federal cybersecurity, there's probably two big things that happened that have really helped to change the landscape
39:40
in terms of America's capability. One was on the offensive side and that's when we stood up US Cyber Command. So that was Paul Nakasone, TJ White working with Keith Alexander, Chris Inglis and I think that was a really important capability that now 10 years on is making a real difference. And I think the most important thing
40:02
to happen in the last five years was the establishment of CISA in 2018, which really proved that a name change and more money and more authorities can make a real difference. I still have NPPDs. NPPD, right. There's no infrastructure in there or even cyber. And so building a cyber and infrastructure security agency,
40:23
I think was critical. And then following onto that, there were actually organizational changes and more authorities that came with the NDAA 2021 out of the Cyberspace Solarium. One of the things was, it was called the Joint Cyber Planning Office, but JICPO sounded like a disease and a horrible acronym,
40:42
which is why JCDC, because it sounds like ACDC. So- Who can argue with ACDC? Who can argue with ACDC, exactly, right. So many really important things have happened. And my job, Tommy, is to make sure that I am all in on what we are doing now.
41:01
And I don't- Well, if you split it off, it's unclear what the benefits are immediately. So I can see the turmoil and the bureaucratic churn and the fighting for budgets and turf. And even the concern would be, oh, well, we've got an agency for that. They're in charge now.
41:21
Oh, I'm, you know, OMB, I don't have to do that. That's their problem. And so it's like, okay, well, if we put up with all that churn, but there better be a really big golden egg at the end of that. And I don't know what the golden egg would be. I think, CISA, I feel like we're a golden egg. You are, right. So, and the other thing is,
41:41
there are benefits to us being part of DHS in terms of having that connection to my friend Dave Pekoske, TSA, right, from an aviation security, Deanne Criswell from a FEMA perspective. So they're important connectivity secret service that we've got there to have these colleagues around the table as fellow components.
42:02
So, but you know, I am like laser focused on building America's cyber defense agency to be the agency that America deserves. And that's like no small endeavor as you know, given your role. So, yeah, so I'm not sure, it's not clear to me,
42:21
it sounds like it's not clear to Jen what the benefit would be. I just see economic, I mean, I just see bureaucratic churn, but I like the big thinking, but I don't, if it is the time, it's not the time now, I don't think. I think it's gentlemen in the back and then in the front.
42:50
The FBI problem, we'll listen but never talk. What can the nation hold beyond DMs and Twitter?
43:05
Yeah, first of all, thank you for asking that question because I think it's exactly the right question we should be asking, what can we do to help and what can you do to help us? So, you know, I think the DMs and Twitter is emblematic of what folks probably thought,
43:23
you know, about the federal government. Hey, you know, these are just people kind of making decisions and- But honestly, it's pretty cool. Do you DM the head of the FBI and get a response? Yeah. I noticed an organized crime group down the block. He's not- I think his DMs probably are not open. Yeah, they're not open.
43:42
But what we have done to build on that is really leaning into this new thing that we stood up, which is the Joint Cyber Defense Collaborative, which is working with all of the researchers that wanna come to the table with us, working with every company that wants to be a partner. I just met with like the ESET guys this morning.
44:02
So we are really open for collaboration, open for business. And I would just say, if you wanna be part of the collective cyber defense of the nation, which it sounds like you do, reach out to us. You don't have to just come to the director. Everybody, I think, is in fact approaching
44:22
the collaboration with the humility, the vulnerability, the transparency, and the gratitude. And frankly, something that I think is important, and that's assume noble intent and treat feedback as a gift, right? I mean, that's like my operating principles in life. And as an agency director, you gotta do that.
44:42
This gentleman in the front.
45:09
I've seen some of your talks, and it's been, like you mentioned, three years.
45:20
So what's the next three years gonna look like? How are you gonna hire more security and just people to help you? I know there are people who are even willing to take pay cuts to good meaningful work, especially out of college. Right. Do you wanna come work for us? Cause you can let's talk after this.
45:42
All right. No, I know. This feels like a congressional hearing, actually. But yeah, that's good. That's good. What's your name? Jason. Jason, thank you for that question. Yeah, man. Part of this is like dealing with bureaucracy and slaying the dragons of bureaucracy.
46:01
I mean, it's a good thing that we have the CTMS system, but we just started it, and it's rolling out. We are- So you see that's like a year or two. How long does it take to digest something like that? Well, we're almost to the end of, I mean, it started last November, and putting a system in place, which is not even on the GS scale.
46:20
It's a completely different scale. It's a completely different way of hiring, completely different way of paying. So it's a little rocky getting these things stood up, but to Jason's point, we are also reforming all of our HR processes. It's one of the reasons why we're, I'm hiring a chief people officer. We don't have those in government,
46:40
but I felt like we actually need somebody to lead our human capital strategy to ensure that we can build a talent, like a true talent management system, not just get people in the door, but bring people in the door more at entry level, because we're a very senior agency, and I just think that's, first of all,
47:01
that's a strategic risk to be so senior, but I also really believe in creating career paths and ladders, and we are kind of starting from, not scratch, but we are starting from a place where I am very aggressively trying to reshape the organization. So we're bringing in more junior people.
47:21
We're doing career ladders. We're doing mentoring and coaching. It's part of the gift of having a startup agency and the burden of having a startup agency, but if you are talented, we are gonna get you in the door. So let's, actually, I'd like to talk after this, but the other thing I'd say, there are things that you can do
47:41
to contribute to the collective defense of the nation without, while you're waiting to come join the team, and so if you talk to JAGs, or if you talk to Silas, people like that, who have made a real contribution to the products that we're doing, the advisories that are being used around the world, I think that's one way you can contribute in the near term,
48:02
but I'm working to solve that problem. So you're going for the hire the B team and turn them into the A team, not try to hire the A team, because that's how one, you can't- Yeah, no, I agree with that, but I don't like A and B. I mean, I'm using it as an example if you don't have this law, like, I'll just hire the best. It's like, it doesn't work that way. You can't build a good culture
48:23
if you're only trying to get A personality general type alphas. No, 100%. I mean, you need to, what I want to do coming up is a ton of recruiting at schools around the country, so you can bring in the energy. Well, like, what is it, the NSA has the 20 centers of university? Yeah, it's NSA DHS.
48:41
Right, yeah, so you've got to- NSA DHS as well. The centers of academic excellence. So what I'm trying to do is go visit all of the minority serving institutions around the country, because we're also trying to aggressively diversify, which I think is not just a national, not just a moral imperative, but a national security imperative
49:02
when you think about the importance of- Diversity of perspective. Yeah, diversity of perspective, diversity of thought, that's how we solve problems, whether it's neuro diversity, diversity of gender identity, sexual preference, race, national origin, all of that equals diversity of thought. And that's not where the government, it's like the administration is leaning into that,
49:22
but that's not necessarily where the government started out. So we got work to do, but it's all high, my two priorities, people, partnerships. Because I'm facing this way, I'm getting all these people, is anybody over here? This is the question that I'm just not in my line of sight. Okay, so I'll go back over here. Oh, in the middle, middle, okay.
49:41
Middle. Where are you? Oh, behind the camera.
50:01
Has CISA considered partnering with high schools around the nation to- Advance their computers. Oh, advance computers. Sort of like the high school version of the NCDC, the National Collegiate Cyber Defense Challenge. There is a high school version of that, but maybe a broader engagement.
50:21
We absolutely have. These are all part of what, I'm talking about building this talent management system. We're partnering with high schools. We brought in our first high school intern, partnering with organizations like NPower, partnering with Girls Who Code, partnering with Girl Scouts.
50:41
So we are doing these things entrepreneurially, which is cool, right? But what I'm trying to do is to ensure we can do them systematically and at scale. So if there are great ideas about how we can partner, because I know there's probably a lot of great folks who are doing things like this,
51:01
please come and work with us on it. Okay, time for one last question and then we've gotta call a wrap on this. If you're interested in policy type questions- Oh yeah, we're doing some afterwards. Yeah, after this, in the policy track, we're doing a little policy meet and greet with some beer.
51:22
And so hopefully we'll continue conversations that you have, not just with Jen, but with other people in the policy community. JAG's probably be there. So let's take the last question. Gentleman in the blue.
52:02
It's not from the government. It relates to something you said earlier about Windows companies and Microsoft, for example. I'm not from anybody, I don't work for anyone. But Microsoft, at least, declares
52:22
that it's not competing with its customers, it just provides them IT. While we know other companies tend to become competitors with their own customers. Like, you won't see a bank that Microsoft will build, you might see it in other companies that provide everybody IT.
52:41
That's one thing to think about that's a danger to look out for. Another lecture which was interesting by Professor Amnon Shashua from Mobileye is learning only machine learning AI, et cetera.
53:01
He's a professor, not just in Mobileye, but here or from there. And he said that he published some research that from the dangers of AI, so the machine learning. So it's not just supervised machine learning, et cetera, but we have to also moderate it afterwards.
53:21
You can give the machine learning in general good growth. Right, so I think- And make everybody happy. I think that- You have to get everybody happy, so make them stupid, so stupid, you know, no brainer, happy. Well, I think- The machine learning, if you put it into execution, in a big scale, might become like,
53:42
making everybody stupid, unproductive, and it's a great danger for the future. I'm convinced that machine learning is used for all these algorithmically-generated YouTube videos that are just pursuing maximum clicks, which probably do produce a high stupidity quotient that maybe one day will rise
54:01
to a national security threat. But that sounds like there's, you know, the AI and the quantum, there seems to be these larger, bigger things out there on the horizon, and sometimes private sector's not equipped to deal with them, and that's where I think, again, role of government plays a role. So, you get the last word in.
54:24
Gratitude. Thank you. Thank you for having me. Thank you for the great questions and the time, and you know, if you want to learn more about CISA, if you want to work with us, if you want to be part of us, please reach out, and for those of you who use our products, please continue to give us feedback.
54:41
We really want to make sure that those are as helpful as possible, and so we are really leaning forward into responsiveness and value added. So, thanks very much, everybody. Thank you.