
All right, good morning everyone. This is BSides Las Vegas, this is the I Am The Cavalry track, and this is "Hacking the Pentagon: How a Rebel Alliance Shifts Culture to Protect National Security," and we have Brett and Harlan talking today. A couple quick announcements: if you could go ahead and hold your questions till the end of the talk, we'll go ahead and pass a microphone around to you and make sure that you are able to be heard online when you ask your question, so just raise your hand and we'll come to you. Please go ahead and silence your cellphones now. Again, we are streaming online, so we really appreciate if you go ahead and silence your phones now so
they're not interrupting the speaker. We'd like to thank our sponsors, especially our Inner Circle sponsors, which are Critical Stack and Valimail, and our Stellar sponsors, that includes Cylance, Microsoft and Robinhood, just to name a few. Their support, along with our other sponsors, donors and the volunteers, they make this event possible, and we really appreciate all of them. And if you have any questions, again, please hold them till the end. Without further ado, thank you very much.

Great. Good morning everyone. So I'm Brett Goldstein, I'm the director of the Defense Digital Service, and I work at the Pentagon, and now I'm in Vegas, so thanks for having me. This is my friend Harlan; he's an engineer on our
team, and we're going to tell you a whole bunch of stuff over the next hour. So it's a story that will essentially have three parts. I'm gonna give you my background; it's kind of weird, and sort of, like, hopefully that'll be sort of morning fun. And then I'm going to talk about DDS and why we aren't what you think we are, and how it's completely weird that we are in the middle of the Pentagon. And then three, let's go walk through some projects, which are pretty cool. So thanks for coming. So, you know, let me sort of start and be like, you know how in life there's certain things you just know? Like, like, to be
honest with you, I know I will be a Red Sox fan forever. Okay, so that's a given, that's how we roll up there. Um, there are also other things that I thought I knew. One was I would never move to Washington, DC. Okay, so I knew that, right? Two, I'd never be a full-time federal employee. Okay, those are two really important things. And, well, I'm still a Red Sox fan, so that part's going for me. Now, okay, so where do we start? So where do I come from? I'm a computer scientist, right? I was one of... people know OpenTable? Yep. So I was one of the dudes who built that. So in the late
'90s we're a bunch of idiots in the basement, and we thought that there was a better way to do that, and we went up against the restaurant industry, right? And we wrote horrible software, and all the maitre d's out there hated us. Like, it was like, "We have our big reservation book and it's amazing," and I'm like, "There's this thing called the computer, and that could be really amazing as well." Um, so I spent seven years of my life building that company. And so along the way, um, 9/11 happened, and, you know, OpenTable had been going for a couple years at that point, and I was traveling on 9/11, and so I was evacuated off a
plane. I was in the terminal watching the tower go down, and it was just, it was horrific to me. And I'm sitting there and I'm like, so I'm helping rich people make dinner reservations, and I'm watching people do some really important things on the screen. So on my way home, because, but, you know, for those of you that remember, the flights were grounded for a while, so I just gave up, I went home to my wife, and, you know, I'm like, when I'm done with this OpenTable nonsense, I need to do something that's more meaningful. So okay, so what is it? So originally my plan was I was going to do volunteer work, right? I was in Chicago
and it's, if you haven't heard, Chicago's a little chilly in the winter, and I was going to go do checks on folks and do that, and that was gonna scratch the itch. But then a couple years later there was an article in The New York Times, and The New York Times talked about how big city police departments were recruiting white-collar professionals to do work in the counterterrorism space, and I'm like, oh, I'm a white-collar professional, maybe I can do something that would be impactful. So, you know, along came the Chicago Police exam, and I really like to take tests, and so I went and I'm like, okay, the test is gonna be fun. So I got
to go to this big stadium, the United Center. Anyone here from Chicago? Okay, well, I guess... okay, we got one. Um, so, you know, the United Center. I go to the United Center and I'm with, like, 14,000 people, and I take a test, and I did really well on the test, and that was great. Okay, so, and over the next couple years I continued to take these tests, right? You go and take a physical test; I learned how to do sit-ups, those were exciting. You know, go for a little run in a circle. I took a psych test, I had a medical exam, they did a background check on me where they came and they're like, do you really
want to be the police? I'm like, yeah, it was in the New York Times, and they're like, oh, New York Times, great. So, you know, after... at this point OpenTable's multinational, like, I had been opening markets, and we built it, and the data center was great, and everything was wonderful, and, you know, I get this letter. It said report to the Chicago Police Academy, and I'm like, in two weeks? Well, I go, okay. So that seemed... so I'm like, it's time for me to get out of OpenTable and then do something that has some meaning. So I actually went to the police academy. So I went in as a 31-year-old recruit, and so 31 is important
because I was 10 years older than everyone in the recruit class, and they had actually been... so I'd figured out that whole sit-up thing, yeah, they're big on push-ups, and that was something that was new to me, and that 10-year thing made it fun. So I have great cop stories. I spent six years in the Academy, I got out, and then I was a valedictorian, which meant I got to pick where I got sent (remember, I'm good at tests), and I went and I worked on the west side of Chicago. For those of you that don't know Chicago, there are two areas which are unfortunately the most violent, the west and the south side of Chicago. And then I learned about
the real world, and I spent my first year and a bit as a beat cop out there. And then, um, you know, there's just so much I learned about the challenges that are out there. And then overnight the department, I guess their old computer caught up, and it's, graduate degree in computer science, um, you know, the whole OpenTable nonsense and all that, I got transferred overnight back to headquarters, and the Chief of Police assigned me to use data and ML to better identify where and when homicides would occur. So I went from being a beat cop to, my secret was out. So I spent the next four years developing techniques to identify where and when homicide would
occur in Chicago. I lived and breathed that: how do we every day prevent where violence would occur? Part of it was computer science and data science, but part of it was we would actually go in the field with interdiction units to prevent people from being killed. And this was one of those fascinating things where, um, you know, everyone said you can't change a big bureaucracy, and, you know, CPD's been doing it this way for a hundred years, they'll never change. But you know what, when you have an opportunity to make a business smarter and change the way they're doing it, and your measurement is how many lives you save, you go up against the machine. And so I
lived and breathed, all I did was homicide for a while. Okay, I got out of government after, you know, I did... well, it ended up being seven years, I said five years, separate story. I was in the private sector for a while, and academia and financial services, and then I was so done with government. My family had moved to northern Wisconsin, middle of nowhere. Key point: homicide rate is zero, and that was really, really nice, because I needed a timeout from homicide. So a year ago I'm, you know, I'm just doing my thing, and I get this note, and it's like, can you come over to the Pentagon? And I'm like, huh, like, the Pentagon. All right, that's in DC, never been there,
don't know how to get there, but I'm like, who turns down "I'm going to the Pentagon"? So I come over to the Pentagon, and, um, yeah, you know, they're like, you need to leave your devices outside. I'm like, why would I do that? Because I don't know anything. So I leave my devices outside, and then they're like, can you be a special advisor to the DoD on technology and data science and stuff like that? So over the past, for a year, I was this part-time advisor where I had this completely normal life, and I started to get involved in everything from working with OPNAV in the Navy to the Marines, to... I actually went to Afghanistan. Now keep
in mind, you know, my background was Chicago and OpenTable in Silicon Valley and academia, and then I'm on a Black Hawk in Afghanistan. That is not an experience I ever thought I would have. And then a few months ago I started to learn about this team, the Defense Digital Service, okay, and I didn't know that they even existed. Um, and I'm going through the Pentagon, I'm gonna have to do a briefing, and, you know, the Pentagon is kind of a formal place. You go, and, how many people... like, I like to ask questions. How many people have been to the Pentagon? Okay, so you probably see a lot of people that look like how I'm dressed now, right? No,
no, they're there in uniforms and they're in suits and ties and, like, serious types, not white ties, and then it's very, like, people walked very appropriately, and it's, you know, it's that whole bit. And I'm going there and I was catching up with my friend Chris Lynch, who I knew from, I was on the board of Code for America for a number of years. And so Chris runs this Defense Digital Service thing, and I'm like, what is this? Because I'm in the Pentagon and I'm like, I'm giving people advice, but I'm like, we need to raise the bar, we need the best in technology, how do we solve problems? Because at the end of the day, what, what
do I care about in the space? The technology should never get in the way of the mission, national defense. And how do we get... like, I found it completely enlightening. I'm like, how is it that I have the very best that I'm seeing out in Silicon Valley, but I'm not seeing the very best when I'm at DoD? And that just perks, because at the end of the day the criticality of that is important. So, you know, Chris comes, yeah, I meet him, and then we go into this office and there's a sign that says Rebel Alliance, and I'm like, all right, what unit is Rebel Alliance? And I walk in and it was like walking into Silicon Valley. And it turns out that we have
this bastion of talent at the Defense Digital Service, that, um, we bring in some of the very best, and we're gonna be talking about that. Um, but what's fascinating about this, and so, uh, I guess we should tell the end of the story: a few months ago Chris had decided that it was time to move on to his next gig, and the Secretary of Defense asked me to take that over. So I guess this was the first time I'd ever seen a job in DC which would get me, remember, northern Wisconsin, zero homicide, three small children, like, move everyone to DC and go back to, I am now gonna be a full-time federal employee. So let me
tell you about the Defense Digital Service, because we're part of USDS. Many of you may know that USDS came out of the healthcare.gov interesting activities. Um, but what do we care about? We care about work that matters. Now, okay, this is a lovely chart. So one of the things when you go into government and you go into places like the DoD, you sometimes realize that the technical bar may not be as high as you might hope. Now, we came across this diagram, which is part of a textbook, people. So how can we have excellence in technology if this is the type of supporting material that you have? The bar needs to be raised.
So the Defense Digital Service, so let's talk about what it is. So I have about 70 folks. Harlan's one of them, I'm another one of them. About 40 of them are civilians, about 30 of them are active duty folks. And the civilians come from, like, all the places you'd know, and they're people who say, I have expertise, I am, like, Harlan's an engineer, or I'm a product person, I'm a designer, I'm a security engineer, and I want to serve. And what do we do? We bring people in on a two-year appointment. It's a two-year tour of duty; you have the ability to extend for an additional two years. And you come in and you work on things that
you can't even imagine. They're all over the spectrum. And then what we do, because I think it is critical that we also have active duty folks in, so those are folks in uniform, people from, you know, out in whatever service it is, and they bring a couple things to the table. One, there's amazing talent in the services. Like, you have people who have gone out and they have learned how to code, they have learned how to architect, they've done all this, and they're sitting there at night and they're like, I'm learning all this stuff, what do I do with it? How do I grow? How do I get better? And those are folks we're
always looking for. And then you have other folks who have been trained by the services and they have the bones, and how do we make them better? How do we give them the right mentor? Like, how many of us in the room, the reason we've grown is because we have the right people teaching us? Like, if I didn't have the right mentors, I'd be... I don't have a good answer to that. It's because I've learned really well from folks. So we've put together this team, um, who are people you won't expect, coming out of the civilian sector, who have said, I want to do something different, or we have people coming out of the services who are
looking to grow and looking to work on a mission. And the core sort of types of projects that we do: so one, we're firefighters. Okay, at the end of the day, the Defense Digital Service, if there is a technical heater which is just absolutely horrific, we are going to be the people you call, because I will, we'll say all day long that my team has the very best in technical talent anywhere in the DoD. My folks are amazing, and they can solve problems, and they will go wheels up in hours to anywhere in the world to fix a problem, and that is amazing. Um, two, we will advise on projects. So say there is a big
enterprise initiative: we're the best in technical advisors. There are really stupid ways to do procurements, and we could pick the worst in tech. So if you don't put the nerds in the room, how are we ever going to do this right? Like, for those of you that sort of have some history here, you know, you go back to when did we like the idea of having security in the boardroom? Like, there was a day long before that. I remember in the early days of OpenTable having to sit down with the board and justify cybersecurity expenditures, and they're like, why would we spend on that? I'd be like, oh, 'cause this nonsense is gonna be
hacked, yo. And, you know, but the world has changed. So how can we do massive procurements without having that expertise in the room? Then there are things that are more mission related. So as I mentioned, I've been to Afghanistan three times. We're working on a project for force protection there. So we go wheels up, we go into combat zones. It's a voluntary activity for the team. I've done three over, and it's one of those things where you work on, like, I've worked on a lot of projects, but it's the type of projects, and you go to bed at night and you're like, I made a difference. Because what are the types of themes here? One, we do things to make
active service, um, folks' life better. Great example is a project called move.mil. Like, every few years service folks have to change their station. It is, from a technology heat perspective, an absolute nightmare. Why would you do that to them? That feels awfully rude. So we intervened and we've made that better. Or two, how do we save our folks' lives? What can we do to save lives? That's the type of stuff that helps me sleep, and that's the type of stuff that the team works on. Now, what architecturally makes us super unique is who's my boss. I work directly for the Secretary of Defense. So I am a direct report. My team is all, like, the 70 folks
go to me, I go to SecDef. Now, for those of you who are less familiar with the military, that's really weird, okay? We have all sorts of deputy secretaries, and then chiefs of staff of the services, and the Joint Chiefs and all those things. The Secretary of Defense has determined that having a team like this is critical to our national defense, and we have that ability. So when someone gets in our way for doing the right thing, that is who it's escalated to. And it's a pretty remarkable type of team. Now, we look different than your service folks. So this was an example of, you know, a couple months ago we got together to talk about, sort of,
you know, DDS has been in play for a few years now, we've done some amazing things, how do we grow more? Um, but this is my team, and we have folks all over the place, and there's certain areas we're growing in right now. Security engineers, feels kind of important, right? Um, real focus, note, blue band security engineers. Um, data scientists, um, that's an area, like, you know, I know it's a little sort of out of scope, um, but data science, everyone's talking about AI, ML, analytics, magic dust, all of those different things, and we need to be really smart about how we do it, because for the people who have some depth in this area, you know, like
with many things, you can do it really well or you can actually do it really poorly. When the stakes are this high, we need to make sure that we do it really, really well. And again, nerds in the room. Um, this is our life, and this is the types of missions we do. Um, you have, you know, if you're familiar with the Open Skies program, um, you can google it at your leisure, you know, this is Jeff on the team, part of the Open Skies initiative. This is a team that's working on a project we call Saber, um, which is improving the background investigation process. Um, my BFF Owen, we're in Afghanistan together. This is me saying,
oh my god, I have gone from OpenTable to a Black Hawk in Afghanistan, and it's actually, it's really comfortable, like, you just first settle in, you just make sure those straps are on really tightly. You'll be hearing from Harlan in a minute, who's really doing something interesting there, which I'll defer to him to talk about. But we also try and bring a lot of the spirit to the Pentagon. I'm not sure how many stormtroopers you've actually seen walking in the E-Ring of the Pentagon, but we have quite a few pretty wild pictures there. Now, one of the reasons we're here is part of our portfolio which I didn't mention before, is what we call the "Hack the" portfolio.
Now, I strongly adhere to the concept of check your work. Now, I can build or write the most amazing software in the world; I still need it to be checked. I can tell everyone in this room I did my best to secure a system, but it still needs to be checked. Now, historically, um, you know, in government we haven't done the best job of security. That's a bummer, okay? So during my tenure as director, it is absolutely critical that every day we raise the bar on this, and this is from writing secure software from day one. Like, when someone says to me, oh, we'll check the security once the app's done, that just, I have that sort of, well,
what's... I don't feel very good about that. You know, the concepts of secure engineering from day one, and it's a continuous process, it's not a checkbox process. But also the concept of embracing the security researcher community and checking our work. So it started as, we had Hack the Pentagon, so hack the website. Great, we found lots of stuff, and it raised the bar. Now we have things like Hack the Air Force, Hack the Army, we have all sorts of different things. We actually have a "Hack the" event going on at DEF CON. We have a rather big presence at the Aviation Village, for those of you who want to play with an F-35 simulator, and you can
see my mad skills flying. No, not true. You know, we'll be over there. But there's a concept that DoD needs to embrace, and I will advocate all day long: we need to embrace the security community, we need to check our work, both for public and protected types of entities, and be able to raise the security bar. You are our friends. We need to build that trust between the two of us so we do our job better. And by we, we have a series of partners for these bounty events, and that has allowed us to do it. So for the public pieces we have a great process; for things that are more secure, they help us to manage the security
researchers, have a secure method in, but at the same time that allows for anonymity. So everyone here can do their part, you have the anonymity, we raise our bar, we both win. So you're gonna find that within the DDS portfolio this is super important. Every day we're doing this battle. Harlan's going to spend a few minutes talking about a couple of our different projects we have going, and then as we wind this up, um, we're looking for smart people to help us think about this, um, whether it's joining some of the efforts for, um, doing bounties, to learning more about what we're doing. So you are the folks we want to work with. We're the nerds that you'll
like at the Pentagon, so it can be a really great relationship. But anyhow, let me turn it over to Harlan.

[Applause]

Wow, all this applause and I haven't even said anything yet. So Brett talked to you a little bit about kind of what we do and why we do it, and having... I just finished my second year here and renewed another term, and I've done some work, you know, my background is a little hilarious for working in the government. I was for our security architect, but I also worked in the foreign industry, which is an interesting transition to the federal government. So I've done a lot of work that I never thought I would, things like this, where
we built up this project, involved electrical engineers and mechanical engineers designing a custom board with an amplifier for troops to carry that will help them deal with people dropping grenades on them from small drones. This involved doing just a tremendous amount of complicated engineering work: reverse engineering RF protocol, designing the boards, designing the case, testing it in the field, just a huge amount of really cool work, right? And yes, you will get to do cool things working for DDS, there is cool work to do, but that's not what I'm here to talk to you about. What I'm here to talk to you about is what happens when we're not in the room. What I'm here to talk to you about is
this. This is a visitor management system for a major DoD installation. The idea being, you have a guest, you want to let them into the office, they get escorted into the building, they go through security; this is the system that manages that. This system covers two major facilities, one of which is one of the largest DoD installations in the US, and the other one is one of the most sensitive and most protected facilities in the US. This system went live about a year ago now, and in the months going up to it being live there were all these signs everywhere over the building saying, remember, April 15th, you need to register your visitors in advance,
hey, remember, we're gonna not turn them away if you don't register them. So the night it went live, I had some visitors coming the next week, and knowing that obviously all government IT programs work great, I decided it was probably a good idea to register them a little bit early. So I went, I created a visit, and, you know, you have all the kind of general information that you might expect. Some weird things that I think are worth pointing out: there's the line "this visitor needs to bring a firearm," not something you see on most kind of visitor management systems, it seemed a little odd to me. Or how about "the visitor is a non-US person"? How
many people here know the citizenship of all of their friends just, like, as a matter of course? It's, like, a little weird, but okay, sure, I can deal with that. And then I want you to pay attention to this little box over here. It says "Guests: find a guest. This will display all guests that you previously invited." I hadn't previously invited anyone, right? But cool box, you know, I wonder if they, like, imported people that I've visited in the past, right? So put in the name and get a result. Cool: name, email, and then if you click it, it pre-fills their information and it just reuses the last investigation that they had, again, right, and refreshes
whatever the data was in between. Perfect, makes total sense, saves me time, saves them time, everything's great. But something weird happened when I entered names in there. I noticed that it was returning names I didn't recognize, like, just random people I'd never heard of. So I asked around the team, like, hey, does anyone recognize, you know, Billy Bob? And they were like, no, no idea who that is. Huh, that's weird. So I tried a couple of things, and it very quickly became apparent that what this box was actually doing was not listing all guests that I had previously invited, but rather was listing all guests that anyone had previously invited. Okay, somebody forgot
a WHERE clause, whatever. So I started looking people up, right? Who's visited the Pentagon that might be interesting? Well, you know, Eric Schmidt, he does work... all right, is his email in there? Yep, it is. Another weird thing about the way that the government works is that the DoD and every other part of the government, they all run their ID cards separately. So if you have a DoD badge and you're a White House employee, congratulations, you're a visitor, right? So you'll notice here this person, omb.eop.gov, that's the President's office. This is somebody who worked out of the Office of the President. Okay, cool, right? So being a responsible federal employee and an engineer, I did probably
what I think most of the people in this room would do: popped up the network terminal and said, okay, well, can I scrape all of this data, right? See, it's cool, right? So, you know, I look at it, it's like, you know, it's the kind of standard, as you type in, it's sending XHR requests. Great, right? So what's the search string? Oh, it's literally just the search string. Okay, seems easy, right? So I can just do "aa" and then I just start scraping, and then I can work my way through the alphabet, no problem. Second thing I noticed: huh, you know, even when you're getting, you know, a handful of responses, think there was like 20
responses in here, 9.3 kilobytes for a name and an email address? That doesn't seem right. That's really weird. What's going on here? Before I advance to the next slide, I should say for the record that the data that you are about to see is all synthetic, and I just generated it yesterday from scratch. Because it looks like this. You'll see some interesting things in here, right? So first of all, you've got name, okay, that's a UUID, good, yeah, these are great. You've got update time UTC, which is a string of "/Date" and then the Unix time. Okay, that's a little gross, whatever. You've got their first and last name again, okay, middle name, name suffix, great,
Social Security number, huh, that's not good. Investigation, oh great, investigator 4979 did this investigation and this person was approved. Okay, so now instead of scraping this to get the records of all the people who visited the Pentagon, I get records of all the people who visited the Pentagon and couldn't visit the Pentagon. Okay, still a little interesting, right? What about this? Here's another person visited the Pentagon. Oh, what's this? "Rejected: recent arrest for assault with a deadly weapon." Huh. Okay, so instead I have this application that is giving me their name, their email, their social, right? Okay, but also, like, I can just look up the criminal history of anyone who's visited the Pentagon in the
last however long it was, right? Okay, so this is a problem. So we, I called my director, Chris at the time, and said, hey, we've got a little bit of a problem. We ended up calling the people who own the system. I got to say a phrase that I previously thought had only been said in the movies: when they said they didn't know how to shut the system down, I said, well, go to the back of the computer and pull the cords out of it, that should do the trick. The thing that I want to emphasize here, though, is that the people who built this system, the government people who built this system, I'm not so sure about the
quality of the engineers who built it, they did everything right. They did everything by the books. In fact, when I talked to them later, I found out that this system had actually been supposed to have been launched about six months earlier, but it had been delayed because they needed more time to run security audits on it. In fact, this application had gone through about a year of security audits. It generated tens and hundreds of pages of audit data, of security processes, where they had to document how there were no non-US citizens who had access to commit code to the code base, because God forbid they could put something into the database that would get you to give
the records out to that person, and that would be really bad, as opposed to, you know, giving it to anyone who used the website at all. This process is how the government does security right now, today, right? So this visitor management system for a major DoD installation, when I say the stakes aren't that high here, what I want you to understand and what I want you to feel in your heart of hearts, that when I say leaking the names, socials and criminal backgrounds of everyone who had visited one of the DoD's largest installations isn't that big of a deal, it's not that big of a deal comparatively. It's a huge deal one on one, but comparatively this is small
stakes, and this is what the government does on a regular basis. Not because the people who are involved are stupid, not because the people who are involved don't care. Some of the most brilliant people I've met are federal employees struggling in this system that treats them badly, gives them no resources, and spends exorbitant amounts of money and time for very little result, right? The process here is what's broken. The process here is what needs fixing. And the people like the Defense Digital Service, like the United States Digital Service, like 18F, there are people who are trying to do the right thing, but we need help. We need help from people like you, both to come and stand
where I'm standing, to do this work, to give your time to serve, but also to help us engage the community at large, right? Now, the DoD did a thing that no one else in the federal government had done a couple of years ago, thanks to the work of our team, which is the DoD created a vulnerability disclosure program. So anyone anywhere in the world, if they find something in any DoD system, they can report it to us, and as long as they abide by what the industry considers to be responsible disclosure practices, the DoD will not press charges. In fact, they will thank you. And that project is incredible. We get reports from people in
all over the world who find vulnerabilities in DoD websites, in DoD systems, they find DoD data where it's not supposed to be, including people in countries whose own governments would pay them very dearly for that information, and instead they come to us so that we can fix it. All right, that is an awesome amount of responsibility on us, and that is an awesome amount of power that we are putting out into the community to help the government be better, to help us all be safer. So to that end, Hack the Pentagon, both its sides of bug bounties and vulnerability disclosure, are incredibly important programs, because no matter how big we grow DDS, right now it's 70 people,
even if we double the team, even if we triple the team, and I hope we do, DoD is one of the largest employers in the United States. It spends a significant portion of the national economy just itself. 100 people is not gonna cut it, 200 people's not going to cut it, right? We need everyone to be working to help here. That's the only way we're gonna fix Earhart Zener our DS information from not being leaked to yet another unsuspecting website visitor. Thank you.

If folks have questions, wait for the microphone to come to you, one second.

So do you have any plans, or is there anything in the works right now, to work with the reservists? Another GEB
active duty folks working on it but it seems like our reservists would have a very good skill set to to help with this we do we have I think one or two reservists on staff right now there it can be because the reservists aren't in full time getting them activated to do work can be a little dicey sometimes because of the rules around reservists but yes it is definitely something that we're interested in and if you are or you know somebody who is a reservist and you might be interested please reach out we can we we can talk to your commands and see if we can come to an arrangement so in general like the I like we like to
meet amazing people who want to do things so I like to say if you're amazing reservist whatever you are then make it our problem like there's nothing that gives me greater joy than a challenge and I you know something like that to make it work hi thank you for the presentation what's your guys's impression of companies like Kessel Run or Futures Command do you interact with them like yeah we do you think their odds are for success it's Sara thank you so I was out at Futures Command last week so I met with the CG the commanding general and you know we sit down and he gets it it's just the thing that I'm always encouraging folks is the
problem is very large so let's just pick a couple and deliver on some real things fast on so I was impressed with Futures Command I think it's great what they've set up in Austin I met some of the what's an al Army Application Lab and there are some good folks over there trying to you know tackle some interesting problems on so Kessel Run is really interesting to me so Will Roper who's the assistant secretary for acquisitions is out so he and I are doing DEF CON together on and Kessel Run is in the portfolio on they are doing and so I am not going to question anyone for doing I think we should have a few
different approaches going and then always be willing to pull back and say how can we do it better but wherever it is we're going to help foster innovation and try and make it better but always it always can be made better how does the DDS address DoD IT and IA policy deviations in a manner that can be replicated outside of the DDS like other DoD agencies mm-hmm so that is that's a really great question so I'm gonna give you two answers right I'm gonna answer the question you didn't ask which is how do we deal with it and then I'm gonna answer the question how do we spread that out so one of the unique
powers that DDS has is we have this giant hammer which is the Secretary of Defense has authorized DDS to waive any DoD policy or regulation that we see fit for the purpose of bringing technology to the Department of Defense so all the IA paperwork all the like [ __ ] 300-page RMF that does such great work we can just go cross that stuff out the and we can and do exercise that that power for other agencies inside the department as well that's kind of bucket number one short-term bucket number two long-term so our partners in the government have started to understand hey there's a different way to do things that costs less and gets better results
like wow that's interesting so the Air Force is actually the ones leading this charge right now especially through some of the work that they're doing with us and Kessel Run they are working on something called rapid ATO so this just came out about two or three months ago and the concept is that if you document if you're using an agile development methodology rather than like taking an artifact and then doing the RMF on that artifact applying to production doing a much more development and like re-auditing oh now I've got version 1.3 and doing that work again instead what you approve is you approve the process you say I'm gonna audit what you have now and then the
process by which you're changing it and then I'm going to give you what's called a continuous ATO where you have an ATO for those of you who aren't have not been subjected to the brain damage of the federal government yet ATO authority to operate basically it's a piece of paper signed by somebody saying yes you are allowed to use a piece of software or you are allowed to launch this website or you are allowed to deploy this missile battery whatever it is needs an ATO that process is something that is definitely being worked on right now yeah hope that answers your question hi thank you both for coming here and for your presentation I'm a big fan of
Pentagon in the DDS and I share the word about everywhere I can I really appreciate that you are here at BSides and at DEF CON or Vegas generally two quick questions one I'm very curious about whether the visitor management system was accessible for persons outside of the Pentagon or did you require internal network access to to view and conduct the research that you did second question is what is an all your attitude towards working with organizations and people outside of the United States for example from ally countries such as Israel where I come from thank you very much sure so the visitor management system that was described there was only accessible so there were two halves of
it there was the half that I screenshots of which is the sponsor side and that side was only ever accessible to authenticated DoD users from inside of a DoD intranet the and and I should say it's all been fixed it now actually only returns resulted they both no longer return the entire database record and they actually only give you the results for you they that they we did an audit with them to verify that no one had actually collected the information in the substantial way it was all clean yeah so that that part was there was not actually a data spill there thankfully we caught it early enough yeah so we're very open to working with external
partners so it's you know I just got back from Europe a couple weeks ago or as mean with a variety of folks and then we have we have you know as over a series of the embassies like we have a variety of relationships I think as a community we all want to do better and get smarter and find the right relationships okay thank you as well for for this great presentation I'm I'm curious you're competing with everybody for the shortage of skilled IT and security workers so I'm curious if you are looking at any non-traditional type job positions I'm thinking part time job sharing very short term maybe 90 day contract projects you know and those are
just some examples if if you have other things that you're doing I'd be curious you know how you're dealing with the shortage of skilled workers in the competitive environment so so I I'm not sure I completely agree so I find that when I'm like I believe in the I'm gonna go out to some hack night or meetup or something like that and go talk to people and you know I did one in DC a couple weeks ago and last night it's like the best thing before you go you go to bed I get this LinkedIn message and dude was like your talk inspired me I want to come work and like I'm like okay I can sleep tonight that's
money and so I find that when we so look if when I was on the outside there's no way I could know about this amazing group like what are you gonna do go to USAJOBS and sort of poke around like like it just went when I sit down and I talk to folks and I'm like I work with the most amazing people in the room and there's Harlan you know in the back because I need to point out my folks I have RORO in the back and like in the shirt I've Claire in and all the way in the back over there I get to work with the most amazing people that you would find
anywhere in the Pentagon or in the DoD - when I tell people I'm like yeah did the whole OpenTable blah blah blah I gave everything up I moved my family to DC because this mission is so important and we need to bring in technical talent to do important things because you know like there are people at DoD every day trying their best like what Harlan was saying but until the Nerds join the party mm-hmm so I go out and like and people show up and so you know the core like the more I can do that the bigger our team gets and I've been so impressed and we do for extraordinary circumstances or something in the G
called an SGE special governmental employee where we are able to leverage like certain really niche expertise but between those two like we have amazing folks I just want to add one more piece on which is that there are many large companies now offer leave of absences to go do public service work so I know several of the big like FAANG companies now offer the ability to take a one or two year leave of absence from your job and you and be able to come and serve and you know it I think it's very important to emphasize that this is not a meant as a career I don't have enough hair left to survive another four years
five years in government right it's not gonna happen right so and the other side of that coin is that this not traditional government employment in terms of the hiring process right there's still many of the same unfortunately you will have to register for USAJOBS account I apologize to everyone in advance but I have no college degree right I did not finish college I dropped out I've worked in like the porn industry I've worked for all sorts of unreputable places and I'm standing here and I'm I'm in the government terms I'm I'm a GS-15 which is the most senior rank in the civil service that that would not happen anywhere outside of DDS right like GS
fifteen oh you have to have a master's or PhD and like ba ba ba ba ba so many of those rules we simply can remove some of them are trickier so short term contracts I'm working on the background check system right now for DDS sorry 90 days we're not there yet right now I think it's it's like six months so it's very hard for for very very short term contracts for us to get people cleared coming to the door can take a year for a full clearance less for the interims that we use for people to start so that that kind of 90 days is very very hard but some of our sister teams through USDS will do terms of
shortest one year so it's it's an opportunity if you want to do something completely different which will be one of the hardest things you ever do for two years but you will get like I go back to the picture like not these pictures yeah like these are things you'll do and it'll be super hard but it'll be super awesome and that's just and you should only do it for two years and I can tell you I will only do it for two years and then I will go back to zero homicide land and have a time out what anymore or we we have time for just a one or two more questions hey how's it going so I feel personally like I filled
out a lot of DoD forms and I've put my social security number on a lot of the norms and forms that really didn't warrant it there's a spot where and you can't leave a bunch so anyway I feel like they've made a transition or started to use the DoD ID number a little more on those forms is that you think a viable method for at least reducing the sort of exposure that someone can again the damage that can personally be done to an individual or do you think it needs to be taken a step further or integrated more or what do you think is its solution sure so the DoD ID number theoretically on paper the
DoD has ordered that Social Security numbers aren't supposed to be used anymore using with DoD ID number so far in my two years in government somebody has asked me for it once I now have been trained to give my social security number to anyone who asks me I don't even know who they are you're just like oh I need your social for this I'm like here you go DoD ID ID numbers also can be interchanged with social security numbers there's a database that will just change them out for you so you ask it you give it an EDIPI which is the term for a DoD ID number it'll just give you back a social or vice-versa so like
it is good in that on the back of every single DoD ID and encoded into the barcode the social security number's not there anymore go back 10 years that was the case so anyone who took a photo would have your social security number on it that part great in terms of like actually getting rid of the use of the social security number inside the department we're not there yet does having dual citizenship or having someone in your family with dual citizenship prevent you from getting security clearance you might need no no we have time for one last question all right thank you very much thank you [Applause]