
About a minute or two late here, but we were making our way down from a fantastic keynote. You're going to hear from Dr Andrea Matwyshyn in a bit, but first we're going to recap. If this is your first time to the I Am The Cavalry track, we tend to run a pretty curated experience, a two-day experience where many of the speeches and guests and discussants are building upon each other for a common theme. So, how many of you were here yesterday? Show of hands. Okay. How many of you here, the Cory who was not here yesterday? Okay. And for those at home on video or streaming, we're going to do a really quick recap of where we are today, so a tiny bit of summary from yesterday, and then we'll outline what you should see today.

So I am Josh Corman. I'm one of the founders of iamthecavalry.org. We founded right here upstairs at BSides Las Vegas in 2013, so give yourselves a round of applause for 11 years of public safety service. All right, that's a long time. Last year we were at a bit of a crossroads where we said, okay, it's been a decade. In some ways we exceeded our wildest imagination on making the world a safer place where bits and bytes meet flesh and blood, and the world's getting worse faster. So I posed to the group, to each of you, and to our ranks of volunteers across the world: should we end it, should we transform it into something new, or should we combine it with other initiatives? And we spent a good chunk of day two last year workshopping a few parallel possible futures. I told you all I'd take up to three months without working to try to make this hard decision, and one year later those 3 months turned out to be a much harder decision.

So a couple things we said yesterday, just as a level set. If you zoom out, even since last year, and you look at our dependence on connected technology, which was growing faster than our ability to secure it, which is how we founded in 2013, I've shifted to a slightly different way of saying this to policy makers, and we're going to have to shift yet again. I'll try to be a little quicker than intended initially, so let me just go to this. What's becoming clear to me is that this isn't just about hacking and cyber. This could be accidents or adversaries, but we are essentially having our neighbors and our communities and AARP and the general public increasingly inheriting our overdependence on undependable things, where even accidents and adversaries can have a profound impact on public safety, economic and national security. So the issue is we depend upon these things but they're not dependable, and we're going to go through
an adjustment period where this unwarranted trust on dangerous technology connectivity has exposed us. Now eventually we're going to rightsize this and we're going to have a proportional dependence to dependability. If you saw Executive Order 14028, it was in large part triggered by a response to SolarWinds, but there's a line in the intro that I'm quite fond of. It says, in the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced. So really this is about balance: are we over-dependent on undependable things, are we over-trusting untrustworthy things, and how much harm is this causing?

So I hope there's no lies detected when I say to you that when you look at disruptions, not confidentiality, not breach records, but disruptions to lifeline critical infrastructure, we have had more disruptions, larger disruptions, longer disruptions, and more life-safety-affecting disruptions. Sometimes this is Change Healthcare, where instead of hacking a single hospital or hospital group you hack the payment gateway upon which they all depend, and 75% or more of US hospitals and pharmacies are disrupted for months. Right, so that one-to-many, the systemically important entity, where we put more eggs in fewer baskets, amplifying the cost of harm. So sometimes that's an over-concentration-of-risk problem, not a cyber problem. Sometimes it's too easy to hack these, and sometimes those come together. Now that was a hack. CrowdStrike was not a hack, and yet it did half a NotPetya of global damage. Right, NotPetya was about 10 billion in initial estimates; this was about 5 billion. So a security product without malicious intent did half the harm of the largest recorded cyber attack from a nation state. So because of this overdependence on undependable things, our communities are now noticing these failures.

So we've been on the right track for a while. We've been saying a lot of the right things, we've been doing a lot of the right things. The government is catching on too. A lot of people in this room helped cause the PATCH Act to pass into law. We celebrated that last year. This requires all FDA-approved medical devices have to be patchable, have to have threat models, have to have a coordinated disclosure program to work with helpful hackers without fear of retribution, have to have machine-generated SBOMs or software bills of materials, have to have a vulnerability management lifecycle program. All net-new medical devices are going to be safer than their predecessors going forward. It's just going to take 15 years for us to get rid of the really old bad ones, or longer in the secondary and tertiary markets. So we have this period where we're over-dependent on undependable things. We were prone and we were prey, but we lacked predator activity. Now we're in the messy middle on the way to some of these positive policy steps and incentive adjustments getting us to a more defensible, dependable future, but in the middle is very, very messy and it's going to get messier.

So part of what we said is that we are over-dependent on undependable things. Last year I floated maybe we shouldn't try to do everything where bits and bytes meet flesh and blood. We should focus on the areas that are most acutely harmful to basic human life, the bottom of Maslow's hierarchy, things like the water you drink, the food you put on your table, the access to timely patient care
for emergency care, and power to make society run. So the water, the food, the emergency care and the power are often owned and operated by target-rich, cyber-poor. This last mile is neglected. They don't participate in ISACs, they don't participate in sector coordinating councils, they don't know what the 16 sectors are, or CPGs, or NIST, or whatever frameworks. They don't have a single qualified security person on staff, but they're probably providing your family clean drinking water. So we don't want to become preppers, but we're in a very exposed state. David may end the day today talking about victory gardens, so that's a little bit of an Easter egg. But these bottom-of-Maslow things: the water, the food, the fuel for our cars, our homes and our supply chains, municipal power, the schools your children attend, and federal agencies, challenged state secrets, and timely access to patient care with now proven mortal consequences.

So the other thing I had us reflect on yesterday is we knew during my keynote last year that we had seen, out of the 7,000 hospitals that we used to track at the US level, cross-continental land mass, we knew there were about 7,000, and I saw this study and tracking from rural hospital associations of 200 closures. And now when you talk to policy makers they say we have 6,000 hospitals. Some of that's mergers and acquisitions, some of that's closures and conversions, but we've lost about a thousand of the 7,000 across the country. This one depicts 200. Yesterday both myself and Dr Christian Dameff pointed out there's a recent study on the financial solvency of these hospitals, and they expect another 700 plus are either at the risk of immediate closure or at the risk of closure, the slightly less urgent. So they don't have money. A typical small-medium rural hospital has four to six weeks of cash flow on hand in the reserves. Four to six weeks is their maximum contingency plan, and with several hundred ransoms a year, and even if it doesn't hit them, it could hit Change Healthcare, upon which they depend. If a ransom can knock you out for 12-plus weeks or several months, you're not going to survive that. You're either going to close or you're going to be weakened enough to be part of an acquisition, and those acquisitions only let you survive another day to be part of a much larger blast radius, where a hack of an Ascension Health can hit plural states concurrently. So we're kind of in a death spiral for your ability to get timely access to patient care. And how many of those closures would have happened anyhow? Quite a few. And people like us should maybe try to be a voice of reason to advocate to do better than we have, but how many of them are exacerbated by our insecurity on our connected technology?

Now the reason this got heavy yesterday, and I'm going to ask you once again to get comfortable with discomfort just for one more day in this room, we're going to have three uncomfortable conversations. As if this wasn't bad enough, that trajectory line of more disruptions, larger disruptions, longer disruptions and more life-safety disruptions have largely been accidents and financially motivated adversaries, but we knew in January that the top four cyber chiefs for US defense, from NSA, FBI, CISA and the Office of the National Cyber Director, in unclassified briefings told Congress of Volt Typhoon, an example of what they call pre-positioning, where we
have found and evicted Chinese military actors from our own water and wastewater treatment facilities. They're Swiss cheese, so it's not surprising they got in, but unlike a ransom crew, the goal would not be to monetize this access they currently have, but rather to do destructive work. So why 2027? If you haven't seen the hearings, please watch them and educate yourself. We don't want hyperbole, but their leadership has announced publicly they have intentions regarding Taiwan as early as 2027, and part of this campaign is to make sure the US stays out of it, so as a deterrent, or maybe as a warning shot and brushback pitch were we to get too involved, but potentially as well to do pretty serious destruction. And if you listened to anything yesterday, we know no water means no hospital very quickly. We know our concentration of risk on food supply is affected by these things. So these four basic lifelines are more exposed than I'm comfortable with and more exposed than you should be comfortable with, and whether you think the federal government's going to fix this or not, we don't have a military to defend civilian infrastructure that's prone, nor do we have time in the next 2 and 1/2 years to make these things unhackable. But there are things we can do.

So whether it's China in 2027, 28, 29 or never, you know, the good news is we have some time, like we did with Y2K or like we did with the CISA COVID task force. But the bad news is we have two other conflicts on the world stage, in Israel-Gaza and in Ukraine. So whether it's the Russians get pushed into a corner and want to disrupt our fragile infrastructure, Iran like we saw with Cyber Avengers, or some sort of capability, heck, North Korea, we're in a place where yes, maybe we have a formidable Roman Empire, but whether you attack the city or you attack the aqueducts you can do some pretty serious cascading harm. And we heard some great things from Dean yesterday about water supply and cascading harm. So we don't always get the time we want and the resources we want, but we do get creative in the crucible of necessity. So whether it's the Apollo 13 true story, not the fictionalized, whether it's what we marshaled for Y2K, a success story, not a false alarm, that was how I started my career. We have a lot of target-rich, cyber-poor owners and operators of critical infrastructure in rural America, a lot. They can't just do best practices. So in one of the sessions I'm going to be joined by an official from the White House Office of the National Cyber Director who was also part of the CISA COVID task force prior to her assignment there, and we did not have three years to just implement zero trust or just do best practices when we found vulnerable weak links in the vaccine supply chains and nitrile gloves and mac and cold chain and cold storage for medical supplies. We had about three months. So if you can't do anything for three years, what can you do in three months? And the answer was a lot. You just have to get really practical. So we'll probably talk about some of these things together in the second block. David Etu and I gave a talk like this at RSA called Getting Serious. You can watch the recording, and in it we kind of had some hiccup about this, but this is mostly aimed at CISOs and
corporate to see what assumptions do you have. A lot of people say, well, if we had an act of war, you know, we have insurance for that, and they all forget things like, I don't know, exclusions for acts of war. So some of our top controls and risk acceptance or risk transfer tend to be the assumptions of insurance and insurability. So if you're in your day jobs and you care about that stuff, go watch that talk.

Back to why we're here. Yesterday's thesis was, let's get an update of how much more has happened in the last 12 months since we last gathered here in the desert. So we had an update on food supply, Hungry Hungry Hackers from Sick Codes and LP, and they talked about how little flaws can have a pronounced impact on the industry and how cascading failures on our over-concentration of risk can do so. If you didn't see it, please watch it. That was followed by a fantastic talk by Dean Ford. Are you here? There's Dean. Dean is a water engineer, or an engineer who works in water and wastewater. He's not a hacker, but he's been coming here now for the third year. He's a treasure and he's leaned into us and we've leaned into him, and he helped us understand how vulnerable water is, not just to shutting it off but maybe doing destructive, long-lasting attacks, and he walked us through some Socratic cascading failure exercises that were mind-blowing. So make sure you get a chance to watch Dean. We then heard from Dr Christian Dameff, who grew up going to hacker cons for the last 20 years and somewhere in the middle went to law school, not law school, med school, and became a physician, and helped us found cybermedsummit.org, where we do live ER hacking simulations. And now he's working at UCSD on a cyber center and an ARPA-H grant, and he shared how over-dependent we are in clinical care on technology and there's no going back, but that the trend lines are not good, and a really impassioned and very personal, more personal than I've ever seen him, yesterday on where we have found ourselves and what we can do about that. And then lastly, for our four updates, we had Dr Emma Stewart talking about power. Emma's the chief scientist for the grid and a lifelong expert on electricity, and she helped walk us through two scenarios and tabletops she's trying to do for national security and national capacity, including a hard reboot of the grid, with increasingly connected technology complicating that, called a black start. And we begged her to do her second scenario in the choose-your-adventure, which was essentially a CrowdStrike, crowd-struck-like scenario on all the inverters for all solar panels and junctions across the grid. Both of them are pretty terrifying. So with those four we got updates of what's happened in the last 12 months, but then we also asked each of them, if you saw a Volt Typhoon-like destructive scenario, what's our tolerance levels to that? So that's what we walked through yesterday.

And then I announced a new initiative that I'll try to wrap up. So I had a very hard time making decisions on behalf of a bunch of volunteers, so the Cavalry can continue to act independently, but I announced a new project as of yesterday. So let me tell you quickly about that. Craig Newmark did not know what the Cavalry is. Craig Newmark of
Craigslist. We met earlier this spring, especially when I was prepping for the Getting Started workshops at the RSA conference, and I'm going to give you the why, the what, the when, the how of this pilot that Craig is funding through IST, the Institute for Security and Technology. So I've accepted to run a project for a one-year pilot we hope to extend, and I'll tell you how it was constructed as distinctly as possible.

The why: as I started to tell you, we are over-dependent on undependable things, and it's starting to be noticed by our families and our neighbors and our communities, which means we are failing them. It's not entirely our fault, but on our watch the conversations we've been having in industry have not been enough. The last five-plus years of conversations we've been having that are fruitful, with public-private partnerships with the government, are not enough, or rather they're going to take longer to manifest the intended yield, and in the meantime, in this messy middle, this overdependence is rearing its ugly head in ways that none of us should be comfortable with. So that's the why: we need something new and creative.

The what: it's going to be focused on, in the total project, we focus on the water you drink, the food you put on your table, emergency care and access to it, and power, especially in municipal settings, the last mile. The grids are much more resilient than every individual community in which you live, and we're not just looking at these in silos. We're going to look at the cross-sector dependencies and interdependencies, so failure in any one of them can have ripple effects to all of them. So these basic lifelines are the what.

The when: well, we're adding some urgency, whether it's exactly 2027 or just a great catalyst to innovate in, whether it's Volt Typhoon-type disruption, more accidents like CrowdStrike. If we have a war it will be a hybrid war, and we know how vulnerable our infrastructure is. So we're adding essentially a forcing function to see what can we do prior to 2027 and working backwards.

And the how: we're going to have to try some different things. So I'm taking a page. Andrea and I have been talking since even before the Cavalry existed. If you saw her fantastic keynote, cyber terms and even resilience terms, which is the right term of art in our sector for these availability and continued access to lifeline critical infrastructure services, these have no precedence in law per se. They don't know what resilience is, but they know what safety is. They know what safety engineering is. They know what safety science is. Our neighbors don't know what resilience is, but they know what safety is. You know, when we said we're bits and bytes meet flesh and blood, we were on to something, but we are continuing to workshop and refine our language for average citizens. So in this particular case, given the short time frame and the high consequences, we're going to take a page out of disaster science and natural disasters, and we're going to do what you might do for hurricanes. So a hurricane is a natural disaster and we might not be able to stop it and it's going to make landfall, but what we can do is inform, influence, inspire. What we have in our case are not natural disasters, they're unnatural disasters, and it's going to take us a while to work through them. So they're
not identical, but in the inform, influence, inspire, the more consequential a thing, the more forthright we have to be, and that doesn't mean talking amongst ourselves and doesn't mean talking to policy makers. It means talking to the people who will bear the costs of those failures. What that means is it is a sin to exaggerate and it's a sin to downplay. So we've got to say what we know, say what we don't know, and level with people so they can make informed risk decisions where they are with what they have. That's the inform. The influence is: give them the best possible corrective actions as we can see them with the available time and resources. So ideally maybe it's not implement zero trust over the next 10 years for your water and waste facility. Maybe it's not shields up, maybe it's connections down, and maybe if they can't do the ideal risk mitigation then we give them next-best alternatives. And then on the inspire, we're going to have to stay in constant communication and update each other for what's working and what's not working, and encourage that if we stay in tight communication and we act on the best available information we're going to be okay. So inform, influence, inspire, and learn from disaster management, disaster science, and most importantly, these are not technology issues. These are hearts and minds and awareness issues.

So the bulk of this pilot from Craig Newmark at IST that I'm going to lead is a creative arts budget. We're going to do A/B testing to find the love language to meet people where they are, understand how they talk, understand what they care about, and make sure the way we're approaching them, the language we use, whether it's explainer videos or propaganda from World War II, memes, or reality television shows, we're going to put everything on the table to find a way to reach and inform, influence, inspire the safest possible outcomes for these communities. So this project is not required of Cavalry people, but we knew that you would be one of the first and best here at BSides, where it's the protectors and the puzzlers as we gather in the desert. Working title for this project announced yesterday is Undisrupted 27. So in the face of increasing disruptions, more, longer disruptions, larger disruptions, more life-safety disruptions, no matter what harms are thrust upon our critical infrastructure for food, water, urgent care and power, can our communities do the best they can to be undisrupted, or at least less disruptable?

So I'm asking each of you to consider what you can do to either help this new mission, but more importantly, get really selfish for a minute: are you prepared for your household? And I don't mean become a prepper, but it's not a Herculean effort. In the unlikely event of a water landing, we know what to do every time we get on an airplane, in the unlikely event of a water landing. So similarly, if we were to have some disruption, even temporary disruption, to water supply, how have you taken steps in your own household to make sure that you are less of a drain on the community resources that are scarce, and more importantly that you are willing and able and refreshed to help in the incident response with your natural skills? So if this is interesting to you, there's a Slack group we're just getting started, and I think there's going to be a lot more resources here. Craig seems very moved, other philanthropic groups seem very moved, and we recognize we're gradually doing a lot
of the right things, including Andrea's proposal for a new regulator of last resort, but there's going to be a messy middle. So again we're going from the overdependence on undependable things to a maybe more proportional dependence state in the future. The next few years are going to be bumpy, so we're asking you to simmer in your discomfort today and tomorrow. There'll be three uncomfortable conversations. First with Matwyshyn, building upon her fantastic keynote, to show that we have not done a very good job professionalizing and we've been sowing anti-professional, that if we don't set standards or have normal citizens and municipal leaders know how to spot the helpers, then these get toin for us. So I can't wait to see how provoking that conversation is. The middle uncomfortable conversation will be about Time's Up. I'll be co-facilitating with White House ONCD for a 2-hour block. I believe they're here in their official capacity to talk through some of the implications of campaigns like Volt Typhoon and making the top five list for SC Magazine. We're going to close out the day with Beau Woods and Carl on Wars, Rumors of Wars and What We Can Tangibly Do About It, through this exercise for the next couple hours. So thank you for being in the room, thank you for being open-minded, please be comfortable in your discomfort, because there are things we can do in the next couple years. We just have to make sure that we're paying attention, trying things, and making sure our communities are as resilient as possible. If your household is okay, perhaps your city can be okay, perhaps your county can be okay, and perhaps we can share successful tabletops, education mechanisms and tech solutions, and we hope to tease those out for the rest of today. So with that, I'm going to wrap up, but I look forward to working with you on this new project. Thank you. [Applause]

For a very interesting and focused discussion with Professor Andrea, who is, well, she's a multitude, but in addition to being a multitude she is three very important things. Number one, she is a professor, so that means she gets to teach people about things. Number two, she is an engineer, so that means she understands engineering. Not engineering, not, I'm a professor in the engineering school, not an engineer, I do not deserve that. But a lawyer, lawyer, and psychologist, and psychologist, after which I will need some help. So please join with me in welcoming Professor Andrea. [Applause] Okay, can you hear me
okay. All right, we're going to reconfigure the tech here. How's that? Okay, excellent. So I'm just going to plug this in here to share a few slides, which are intended to just be vaguely conversation-guiding, not at all dictatorial of the conversation, and with your permission I will. That is not the right slide. Back. Same thing happened in the other room. Here we go. Yes. I think it's cycling through. This happened in the other room too. Hopefully there will soon be something on the screen, but basically the, there we go. Okay.

So if you were kind enough to come to my keynote, you know that in my list of four things that I think inevitably need to happen to advance progress in the next 25 years of the security industry and the economy, to make sure the bad things happen less, one of those items is, as Josh said, to help clarify for people who are not part of this community and who do not possess the sophisticated level of knowledge that all of you do in this room who it is that they can actually trust on these matters of security and technology safety. The regular folks, the normies, really don't understand what to look for in terms of good sources of advice. They fall victim, increasingly the elderly in particular fall victim, to scams on a regular basis that try to allegedly help them, but they can't really tell. I know from my own parents, who are in their 80s, and they're relatively suspicious of all things, to their credit, which is partially how I ended up being who I am. We can give them credit for that. Just because you're paranoid doesn't mean you're not right. They still regularly send me descriptions of phone calls they've gotten, or they send me forwards of communications from their bank, etc., and so, okay, and I write back in all caps, do not contact, right? But not everyone has that same access to someone who ostensibly has a relatively good read on whether something is scammy. And so part of building these infrastructures means starting with a trusted kernel of folks who can be an easy focal point of research and connection to build that army of the trusted, and this doesn't mean that one size fits all. This doesn't mean that it needs to be a particular model, and I wouldn't presume to tell the community how to self-organize, but what I can offer, I think, is various different models that different professional organizations, industries, affinity groups have used, and help offer a few of the variables that differ across them, and hopefully that will stimulate some conversation in this room and beyond this room as to where those shared baselines of interest, commonality of concern, overlap in possible steps forward exist, and how that can be taken to some new level.

So why do professional organizations get created? So the first is to tell your own story, to brand yourself, to present yourself to the world in the way that you want the world to perceive you. There's a really powerful, so this is the psychologist part of me saying this, it's a really
powerful um self actualizing self efficacy um and uh human element to being able to tell the story of who we are as individuals and to change that story across time so in um as a Indulgence I'll tell you that the article that I'm finishing right now is basically raising that concern that hyper agregation leveraging and merger of databases paired with body devices that create live feeds are functionally generating this patina of hyper legitimacy for the technology and the data streams that could sit in direct contrast to how the person the human wants to tell their own story that is bad we need to have the freedom to self-express to build ourselves into the next generation of self not be limited
with the baggage of the past versions of self that we have worked hard to grow out of so it's very concerning if we're building a world and I haven't I have not yet fact check to this but I did see multiple publications of perhaps not great credibility I would appreciate a fact check if anyone can fact check me on this uh I saw an article yesterday that a supermarket chain in Japan was trialing a facial wreck body monitoring technology that allegedly was following 450 indicators to standardize The Smiling behavior of employees that's not the world I want to live in and it's not a world that is compatible in my understanding of what the founding generation wanted for this
country so we are reasserting baselines in very sort of boring ways we're traditionalists and just wanting these things of um having um spheres of um self expression per the First Amendment spheres of Freedom that are in law that are in ENT shined in the Constitution but when we see technology start to Chip Away consciously or unconsciously I'm not ascribing malicious intent even to any of the companies it's just things build on each other and the Venture Capital ecosystem Builds on itself and the incentives are strong and so what this group is really key to and what we all I think have a moral obligation to do as people who perhaps understand a little bit more of
what's under the hood of our society is to teach other people in ways they can relate to and to be the people to help pick up the pieces when things inevitably fall apart in one way or another so what this effort to self-organize in ways that are constructive in your mind would help it's preserving that self-narrative professionally for you but also helping to create those lines of Defense organizationally as to the the first set of folks to to turn to when things um are looking Bleak um so Industries when they mature they form professional societies partially for that kind of Baseline credibility maintenance because if everyone is viewed functionally interchangeably on the surface of things
and the normies can't tell people apart as to someone who is highly invested, highly ethical, highly committed to certain guiding principles in never hurting with their special skills, if you can't tell that person apart from someone who is a little more flexible, let's call it, in their ethical compass, then you end up in baselines of not just safety, functionally, of the systems, but also the emotional safety of the population crumbling, and that's when civil unrest happens. So to preserve quiet functioning structures in our society, preserve democracy, keep everything just running along, it is very beneficial to lead here, if you're willing, in creating those next-generation trusted kernels of experts.
So that's the market quality, high trustworthiness point. The other thing that organizations tend to do is they create mentorship networks; they create very structured points of entry for people who want to be like that person when they grow up, and that's part of what this conference is all about, and it already exists. But there are a lot of different possible security roles that come out of this conference, and so the next step, when you graduate to being a full professional, is to co-mentor each other. So I can tell you that with both of my hats, both the lawyer hat and the psychologist hat, we have little friends that we talk about in our peer groups,
and that's true in the security community too. But having the ability to formalize some of those groups around the extra credibility of a group saying something about a baseline of ethics or conduct, that protects each individual member from some of the individual-level consequences, perhaps, if it's an unpopular but correct opinion. There's a benefit to having that buffer, an organizational buffer, but also it lets other people come in and hold themselves to that higher standard. There's a risk of nihilism that creeps in, in many professions, when junior folks come in and they run into this senior person who is very helpful to them in some ways, but who has seen
just a little bit too much and kind of kicks the joy out of them. You have to have a little joy in your life, right? So the primary mentor may not be that joy point, but maybe this organization, however it's crafted, that's most relevant to this person, could offer some of that joy, you know, even good humor on point, you know, the magic XKCD that comes out that's directly speaking to the interest of the group. Little things like that just make people feel not alone. So there's also an interest in protecting shared interests. So let's say that there is a policymaker who is, let's put it charitably, suffering from a
fundamental misunderstanding about a key point of interest to your profession, beliefs, shared ethics, etc. Having a formal intervention from a group looks far more impressive, because when the staffer sees that, the staffer doesn't know how many people are in that group; the staffer needs to go research and kind of figure it out, but still that has more of an impact than a single individual voice. Also, depending on how many people there are in a particular group, there are other avenues, like targeted lobbying, which unfortunately is a reality in DC. AARP: such good lobbyists, really good organization that represents people who need to be protected, right? You can also form alliances, and you don't have to pay for
the lobbyists, but if you, as an organization, share values with another organization, they will potentially share their existing lobbyists and resources, right? So there's this possibility for creative bridge building across communities, and to then teach each other the language of the community. So the goal is always to speak multiple languages, the same way that, you know, even if you're in London, certain words are different, right? So if you want to be sure to get a cookie, if you say cookie you're going to get a very particular thing in London, but if you want, say, more of a tea cookie kind of thing, you're asking for a biscuit, right? So it's the same idea,
slight variation, different people use different words, but you have to understand all those variations, and then you can get in on that precision, and you build that shared vocabulary. Organizations working together can do that, but also you can create community buffers. So I know that there is a concern, especially now, with some resets in some companies, with volatility in employment for some folks, so some of the professional and other associations offer shared resources that serve as social buffers too, and this community is one with a history of helping each other. So here's another way that you could create one of those structures to support each other in those times that someone may need a little
help. Okay, so that's why it happens. Now I'm going to briefly share a story that, if any of you were in my talk last year at DEF CON Policy Village, apologies for the repeat; I'll make this short. Some of you undoubtedly know this, the history, the success story of Hoover Dam. You visited it; it's an amazing engineering feat. But you may not know what came before, and so here we have the story of the St. Francis Dam, which was very much the vision of one particular guy, and this guy did not take advice. William Mulholland did not take advice from experts who were warning him about certain design issues. The
engineers who were on site working at the St. Francis Dam saw damage; they warned; they were ignored; cracks happened; a flood; at least 500 people were dead or missing initially, and the death total kept escalating. And so this dam just was not fit for purpose; it was not suitable in the way that it was ultimately built. Changes happened, and there was a lack of warning and lack of care in the way that the dam was built, the way the incident was handled, and the standards that had been used all along the way. And so it was this incident that was very influential in stimulating the
creation of engineering professional societies and shared values across engineers. So the formalization of the engineering profession happened partially because of this disaster. And so it was arguably a perfect storm of factors, but we all know that happens, unfortunately, frequently, just slightly different perfect storms. So the point is to have these contingency plans of distributed support, not only for yourselves as professionals but also for society, as Josh was referencing earlier. And there was a formal legal process, and there was a finding of responsibility on the part of Mulholland. So a coroner's inquest happened, and there was a determination, legally, that the construction and operation of the dam should never have been left to a single
person's judgment. And by having more loud voices, including through associations of professionals, weigh in, you help to push back against an imbalance in a policy process in a way that each of us as individuals just doesn't have, that same voice amplification. So we got the code of engineering ethics partially because of this incident. Coming to that famous liberal Richard Nixon: he is to thank for the EPA, and Josh tells this story, I'm sure you've heard it, the Cuyahoga River, with a river literally on fire. And so when we think about the resources that we protect, be they social or individual organizations, when we think about the information, the data, the bits as
water, it flows; it flows unpredictably; it can cause destruction; it can give life; it's a volatile commodity that can also be tainted, as we know from some of the current challenges with data quality and integrity issues that are showing up in training data sets, right? So things got so bad that ultimately a coalition of grassroots folks got together, multiple coalitions, and some magic individuals who led them and just kept pushing, and it was the group effort across multiple formal organizations and all of these folks who finally convinced Congress and President Nixon that we can't live in a world where the water is toxic and the air is toxic. Seems kind of intuitive, but
this threat to life was nevertheless not a sure thing for remedy. And so the way that Nixon thought about it was as a form of debt, and so this is why I've been framing the conversation around security liability and safety problems as a form of legal tech debt, functionally equivalent to what Nixon saw in this environmental circumstance. So that's how we got the Clean Water Act, the Clean Air Act, and the Cuyahoga River has improved dramatically. And so this is a success story, but the countervailing story is a story of fire. And so we are going to be in a position, and I think we are right now, in making that choice between the Cuyahoga story or this story
from Centralia, Pennsylvania, where you had certain engineering projects of a decommissioned coal mine and a city dump, and things were built in a way where they did not play well together. So assuming no intent to hurt anyone on the part of the individual builders, even assuming that within the four corners of their lane they made no mistakes, using the state of the art of what existed at the time, an emergent effect resulted in the elimination of that zip code, the whole place being unfit for human life, and with steam coming from underground fires that continue to burn. This is not the only place in the US where underground coal fires are burning uncontrollably, and we're not quite sure what to do
about it. So this is a story where we didn't have a happy ending. So sad endings are possible; we have to choose toward the happy, and hence my dumpster fire down the river. So back to the professionalization conversation: having these vocal focus points of expertise helps to ensure that we head toward the Cuyahoga outcome and away from the Centralia outcome. So let me tell you briefly the story of packages in the US Post Office. So the Post Office goes back all the way to the founding. Ben Franklin, my favorite founder, totally underappreciated. Fun fact, as some of you undoubtedly know, we're on our second Constitution; the first one they tried, that's when Ben Franklin was in France;
he wasn't around for that one; they messed that one up. Ben Franklin comes back, sits in the room, we've still got our second Constitution. Coincidence? I think not. So the Post Office was a Ben Franklin idea, but they very consciously limited it to the conveyance of mail, so letters, etc. They weren't doing packages; they instead allowed for private sector industry around package distribution to flourish. And so there were private sector package conveyors, and they serviced some parts of the country very well. The problem is that they didn't feel like doing that last mile in rural areas, because that was more expensive, it was more inconvenient, and they didn't get the same return on investment for that. So
the charges for package conveyance were dramatically unaffordable for some members of the public, and it meant that certain kinds of industries couldn't exist, such as catalog sales, which promptly emerged after the Post Office also started providing package service. So by injecting a government light-touch intervention to push private sector competition in ways that benefited the public, you ended up with a more robust ecosystem that allowed for the creation of a whole new generation of businesses around catalog sales. And of course the catalog sales industry is the low-key predecessor to the internet, and so all of our current wins and losses, I guess, are somewhat attributable to this innovation nudge that came from the
public sector, not from private industry. There was this bottleneck where there were very clear losers among the public, in ways that we looked at and we said, hey, you know, that's not really fair; everyone should have access to packages. Okay, so this is one of the roles where you again can have a nudge from private sector organizations toward those light-touch interventions that will make things better. So the photo on the left is a whole house that was sold by Sears catalog, and that was shipped through the Postal Service. On the right, we used to ship babies. We don't do that anymore, but that was a thing. So my point is that
technologies evolve. Sometimes you're not serving rural communities; sometimes you're shipping houses; sometimes you are temporarily shipping babies, which you rethink, and you take a step back. It's okay to have that evolution happen, but the point is to check in and make sure that we are building economies in ways that serve everyone. Okay, so this is where my future homework is, and so maybe I'll come back and chat with you all another time about this. There were three kinds of bottom-up safety efforts that have slightly different histories: the history of ambulance services, the history of fire departments, and the history of police force development. And they all evolved in slightly different ways, but each of them was a grassroots
effort where people got together, worked out some kinks, and then ended up formalizing into the structures that we take for granted today. But they weren't a given, relatively recently in the case of ambulance services, and when you look at, say, Mexico today, you see a stage of competition among private sector ambulance services that, for some folks who are coming at this from a default of certain transparent ambulance behaviors and expectations that are not quite aligned with what the defaults are in a different context, it can be surprising. So recognizing that we were in that same place not that long ago, I think, is useful in
demonstrating that evolution bottom-up is just as important as evolution top-down. So just to wrap up, here are some professions and industries of skill that each have slightly different self-regulatory models, and so we can talk about particular models. BD, sorry, stands for broker-dealers. So broker-dealers, investment advisors, both financial services professionals, different models of self-regulation, different duties of care. So when you are stepping into a broader perspective where cosmetologists and tattoo artists are more regulated than the people who are ensuring that our critical infrastructure has trustworthiness in it and is free from major confidentiality, integrity, and availability issues, one might argue that there's kind of an imbalance in
oversight. But you know, there are still incidents that happen in cosmetology and tattooing where there is public harm, so it's not to say that that's necessarily in all cases overzealous. Some may be a little overzealous, some may not, but the absence of that second set of eyes, the absence of that public conversation, is not the best of all possible worlds. I think we can all agree we don't live in the best of all possible worlds right now. So each of these societies has some of those factors that I mentioned before. Some have insurance programs; some have formal mentorship tracks; some have apprenticeships with very tiered things, very tiered levels, very tiered
skill set acquisition. Some of them have minimum age requirements that are different from others. The actors, the Screen Actors Guild, is broken down into various subspecialties that each approach things a little bit differently, but there's a very dramatic discussion in the press of some of the ways that their internal court-like proceedings are carried out, in the case of one of their members acting in ways that the Guild views as unbecoming of a member of the Guild, including, in one case, the people in the observing area stood up and turned their back on the member of the Guild who had transgressed. And so the sanctions vary; some of them are symbolic sanctions,
some of them are not symbolic sanctions. Some members can be kicked out of certain organizations relatively easily; others have different probationary models. But there's a formalization that has evolved across all of these different industries, and there's a comfort, a trustworthiness, and a self-narration and communication power to all of it. So here are some of those variables that I'll just mention for you all to think about, and then I'll ask some probing questions and I will stop talking. And before I forget, there are a bunch of stickers in the front of the room, so you all obviously have earned a sticker by listening to me talk, so please
partake. They have three bears on them who are very safe bears; they're wearing helmets and visors as they're working on their laptops, as one should. Okay, so licensing requirements: probably not something this community is ready for, but just heads up, it's one of those requirements that policymakers are very comfortable with in some ways. So again, some of what this conversation is intended to stimulate, uncomfortably, is getting ahead of the policymakers to write your own story, so that they don't try to impose a story on you that might not fit, through your liability frameworks and how there is a mutual vouching or mutual calling out for egregious misconduct. Professional sanction could
be kicking out of the membership organization, could be putting people on probation, could be creating, I don't know, a penalty box of some sort, limiting right to work, limiting right to use certain labels. So Realtors are very aggressive about protecting who gets to use the word Realtor, to the point where they have had trademark litigation on this point, and definitely enforce it zealously if someone who is not a member of their organization is holding themselves out as a Realtor. In the case of practicing law, it is illegal, it's a crime, to hold yourself out as practicing law unless you have a license, which means that you have completed certain educational requirements in most states
and passed an exam. So exams are another piece of this. There are exams that are general, but there are also specialized exams. Think about doctors, right? You're not going to have a podiatrist show up to do your brain surgery. Why? Because both are different and hard, and very different parts of the body. They both have expertise; you may need any of the specialties at any point in time, but the point is you need a fit for circumstance; the context matters. Character and fitness: that's something that they do a check on when you are sitting for your bar exam, for example, and that may not be something that is viewed the same way in this community,
and that's entirely, you know, up to you what that means. It may mean just acting in ways that are becoming of the baselines of ethics that are shared, and then reviewing that if there's a report that someone is in... Continuing education requirements exist in many professions, including law. Apprenticeship tracks, degree requirements, which isn't necessarily going to be a thing here, but maybe for some subspecialties, maybe there is a very targeted set of courses that, if you are, say, doing nuclear safety and engineering that is reliant on high-trust software deployment, you know, maybe there will be in 5 years a training program for that, that the relevant
organization will say, hey, you know, everyone who's one of us has gone through that, because this is such a dangerous place to make mistakes; we want to be sure that everyone who bears our brand subscribes to that baseline of care, and we want to offer a way for people who are looking for people with this skill set to be sure that this is a true possessor of that skill set, not someone who had ChatGPT write a resume. So resume lying is a big problem in every profession, and the level of checking, especially in a world where a lot of employers use automated tools: the stakes are really high here. This is not a great place to have
a high degree of trust in automated resume checking tools that may or may not match the ethics that are shared. Malpractice and insurance are also part of some of these organizations. Statements about client engagement and duties of care, professionalism, objectivity, personal references, disclosure of conflicts. Some organizations require a sponsor; for example, to become a member of the Supreme Court bar you need to have at least two sponsors who are current members of the Supreme Court bar, so it's a vouching. So you build a network of known individuals that again ensure a higher likelihood, though nothing is foolproof of course, a higher likelihood that there's a shared baseline of values and ethics
in the group. And then when you pair that with the mentorship opportunities and the pathways to entry, you can make sure that it's not a case of, oh, we create our little in-group here. No, instead you open it to everyone who is interested and hold out your hand and teach people how to enter, and then you also elevate the most talented, the most committed, and give them that push into success. And we talked about specialization. So these are some of the various different pieces that are used in organizations. Unions have union representatives, for example; they negotiate collectively. That's probably one step more, but there are tech unions that are being formed in
various cases, and so there are conversations happening around tech unionization in certain circles. I don't get the sense that that's where we are here, but that's, you know, that's all you, not me. But the point is that collective conversations, where there's an entity and a person across the table that come to terms in that discussion, and a shared checklist of items for negotiation, that formalization helps to move things along. Okay, so here's my controversial suggestion: maybe the place to start is through building out a category of chief technology safety officers. So folks who are willing to get together and to say, you know, I've been doing the security thing a long time; here are the
recurring mistakes that keep happening across the places I've worked; here's how things are falling through the cracks; this officer doesn't talk to this officer; they have their little fiefdoms; they have their budgets; this is what I keep seeing. And so you create a shared sense of community around this notion of the relationship of the organization that you work for to the public, and what that allows for is, you know, baseline ethics: having the ability, like lawyers, to say to your bosses, well, I can't do that, because that violates my ethical responsibilities as a professional. Do we really want me to put in writing that I have to violate my ethical duties as a
professional because you're asking me to do that? That would be really bad in discovery if that comes out when the bad thing that I'm telling you is going to happen actually happens, because we all know I'm right and you're just trying to game out if you'll be gone to your next job before the bad thing happens. Which is, of course, sadly, as we all know, a regular CEO problem, where CEOs are timing their earn-outs and their terms of contracts and sometimes leaving a liability in a closet somewhere, under a carpet, use your own metaphor for hiding things. I was going to use a worse one, but I'm going to try to be
nice. And so timing out how long it's going to take for a litigation item to be fully resolved, and building in appeal time: if your CEO only has two years left on a clock, your appeals for the bad thing will run probably 3 to 5 years; they can run out the clock, and so the CEO may be on to another job, leaving the company holding the bag on whatever mess has resulted. But this could be a type of officer that looks across the organization for these emergent effects, be they operational, in terms of conflicting priorities inside the organization, or particular officers. Okay, so here are the questions: what are the core shared values internally that you could see people
breaking themselves into and ascribing to? What types of subspecialties could there be common ground for, in order to generate subsidiary codes of ethics, subsidiary commitments? And how would self-policing work? These are hard, but think about some of the various different models we've talked about. Feel free to ask questions about any of those professions that I listed, or if you want to tell me what I get wrong about my Bureau of Technology Safety proposal, have at it. And that's all I've got, and I welcome thoughts, questions, discussion. Am I just completely wrong? Yes? Okay, so we're going to enter into a time of interactivity, and I see one question
coming up soon. Yes, all right, immediately before your question, let us give a round of applause for Professor Andrea. Thank you. [Applause] Professionalization, certification, verification: who felt a little bit uncomfortable during this discussion? You can raise your hand; it's okay; it's good. Okay, so let us jump into
Q&A. Great talk, I appreciate it. So for the chief technology safety officer, I guess looking back at, I guess maybe using history as a guide, in terms of like the bridges and dams and things like that, would there need to be agreed-upon safety rules or checkboxes or something for tech? Like, sometimes it's hard to imagine, okay, what are the policies or high-level things that we look at? So the beauty of approaching this from a self-regulatory organization standpoint is that you don't need to imagine things that aren't there. So if, say, five of you get together and say, let's have beverages and tasty food, and
let's share war stories about things that we have seen more than once, you create that list of repeating problems and then you look for the common threads. So I can tell you one thing that I have seen in recurring unfortunate enforcement situations is over-trusting contractors, or just having papered over the relationships to make it look like you have all the policies in place, but nobody's actually checking if any of them are enforced, and nobody's actually checking if there are meaningful controls to, say, you know, prevent a lone employee from pushing out a code update that could impact consumers dramatically. I am not referencing anything necessarily in the news; this is a recurring, it really is,
it's a recurring problem that I've seen in other contexts. So, you know, that's very efficient, right? So Friday, or maybe you're taking a vacation, so it could be a Monday. I don't want to, you know, reference anything in particular, but the point is there's a timeline that's pushed by something other than quality or the customer's interest, and there is a known way inside the entity, or at least among the contractors, to leverage that gap, and then bad things happen. And, you know, maybe there was one person who was supposed to be engaging in oversight but was too busy, or maybe there was no one who was really engaging in oversight, or the oversight needed to
be asked for. There are lots of different ways that these things break, but the point is there's a recurring theme there of internal control relationships with verifying the trustworthiness of contractor conduct that could have devastating enterprise implications for an entity, its customers, and the public. And so something around that idea, and the relationship of these chief technology safety officers as to how they would look at this, and whether there's maybe a whistleblowing obligation: maybe to be a member of your organization you have to promise that if you see a looming disaster coming that could endanger human life, you will whistleblow to regulators. There are formalized whistleblower programs at the SEC, at the IRS; DOJ has
one now; there are going to be more. So that's the example of the kind of shared baseline that is entirely policy-neutral, other than valuing human life and valuing truth, and not fraud on the market in the way that companies are communicating, or organizations are communicating. It could be a nonprofit; it could be a nonprofit that is acting in ways that will inevitably endanger human life, for example, or cause harm, or have other negative outcomes that are not being accurately disclosed in whatever obligations exist at the time, which will be a moving target, but if you set up broad enough principles you can move with that target, so you don't have to get super specific. Yeah, I don't know which hand is
next. Let's go in the corner. Yeah, oh sorry, next, wherever... I'm just trying to... we're tracking order... get the room... Are you tracking order? Okay, thanks. Hey, great talk, thank you very much. You brought up the professional associations and certifications, that path to professionalization, and I guess based on your perspective, how can this sort of professionalization and standardization resist what I think is a trend in information security towards commoditization of professional standards and membership, that we see is exorbitant, keeps new entrants out, and, you know, speaking as a Canadian, is prohibitively expensive? Yeah. And I was wondering if, you know, some of the orgs you looked at had, you know,
track records of preventing that from happening, or alternative methods? Yeah, so some organizations have sort of graduated... I'm going to give you one that is sort of a quasi-organization that I just joined. Because I'm writing an article that has a Hannah Arendt angle, who was a secret technology theorist, I joined the German Studies Association, and the German Studies Association has an income-based graduated fee structure. So one way that you could create an economic justice component to the structure of the logistics of, say, a nonprofit model, and so the corporate model that you would choose would also be relevant here, potentially. And then you could write in your
bylaws a blanket prohibition, that is a core value of the organization, that the following kinds of behaviors will not happen. And so you get that first set of organizers in place who subscribe to that baseline of principles, and then you have your little group, and this is what you stand for, and if people want to be part of this group they have to agree that they will also hold these values. And you don't have to sell anything, ever, but it is a formalized mutual support organization. You could view it a little bit like the model that some credit unions, at least back in the day, in immigrant and minority communities used, where it
was a community self-help mechanism, and they pooled resources, and it wasn't really about making money for anyone; it was just about helping the community grow together. So you could play with these models in various different ways. Nothing says you have to have an organization whose goal is to make money, and I think, you know, you can have lots of different organizations: some of them make money, some of them are about building community, some of them are about preserving certain baseline values. So I think your point is well taken, and I think that economic justice component is really important to consider. So this one's a bit of a ramble, and I apologize for it, but referencing
back to police cameras and the idea of subjective trust, it's kind of a thing, especially when we get into information security professionals who may or may not be good. And so, apologies for reading some of this; I was just jotting down my notes. How does the average citizen know that a cybersecurity person is good and speaking on a topic they're actually qualified for? So CISSP has become a good cover-all, and we've seen professionals who are both great and limited in their understanding. How can we help when we're all acting inconsistently based on the risk appetite of the executives we support? Yep, so you've highlighted one of the key problems. So one way to
approach this would be to find five friends and create a very high-trust mini organization that stands in contrast to a less focused organization, and get the word out of its existence so that like-minded people can help grow it. And then you'll be challenged with this question of how do you ensure the level of people in your organization stays that way, and that's the tough question. So with lawyers, we've been kicking people out; the last few years there have been quite a few disbarments in the news. We do that, maybe some people would say not quickly enough, but nevertheless we do kick people out. So that's a value
judgment that you and you can have different tiers of value judgments so even if you have a very specialized organization someone could for example be excluded from a very specific organization but still be a member of a general one it's about shifting expertise rather than um claiming expertise and everything but it's the podiatrist brain surgeon problem right so you don't want the podiatrist to to offer services in brain surgery because it's that's going to end badly nine times out of 10 let's let's give some credit to maybe some podiatrist out there who happen to also have that skill set but um you can structure these organizations as narrowly or as broadly as you wish and
there doesn't have to be just one, there doesn't have to be just two, there can be 14 or more. The point is to have published shared values so that people can see them, and see that the people who are a member of this organization subscribe to this list. And if there's an experience where someone who is allegedly subscribing to that list of values, professional behaviors, etc., does not act in ways that are consonant, does not perform up to those standards, there's a mechanism of accountability. So for lawyers, you report us to the State Bar Association. At some point there may be some sort of local or state regulatory structure that evolves; right now there isn't really one, so it would be primarily reporting to the membership organization, to say, to use the nuclear security experts model, to say to the nuclear security computer security experts organization: I had a negative experience with person X, here's exactly what happened, here's why I believe this was a problem. And then you have a rotating panel of adjudicators for the organization that people elect, a mini democracy, and you have back and forth. So as I said, the Screen Actors Guild, they actually have fake trials where people present sides, and in union situations there is union counsel that represents the interests of union members in various circumstances. There are lots of different ways to structure this, but the point is to figure out what works for the particular context that you're embedded in, and to have these external signals and these internal frameworks to create high trustworthiness enclaves of like-minded experts.

All right, I have this gentleman, then Dean, then Christian, but I lost track after that. The good news is we have 40 minutes left. So you've been very patient.

So my concern: you mentioned things like the bar association and doctors, and those are, like you said, mandated. My concern about doing things like this is, in order for it to get beyond this, like five or eight, like
actually grow, there has to be an economic benefit to it. And how do we get there? I'm concerned, me being a part of this group saying I'm required to whistleblow, why would a company hire me if there's not, like, I mean, so there's that balance of how do we get from where we are.

Fair point. So the examples that I used were criminal acts, right? So for a public company that's engaged in known criminality that they may or may not be disclosing in their 10-Ks, or in the world where we have reporting requirements for security incidents, which we do, right, so you have a stronger case, you have the wind at your back around ensuring that the disclosures happen. So what you are in this world where, say, and you know you can have an association without a whistleblowing duty, right, but if you wanted to have a whistleblowing duty, what you could say is, hey, you know, if you get to say in your SEC filings that you have hired someone who has a duty to whistleblow, wow, that's really trustworthy. That's creating the impression to the market that you really care about safety, about technology safety, because you are willing to take feedback constructively from someone inside who's going to push you to do better. And so the organization holds its members to those high standards of doing better, then the professional members hold their employers to doing better, and there's a mutual reputational win there. So you start with a handful of companies that are maybe friendlies to this organization and to this community, who might be willing to help set that bar and advertise it, push it into the public. I mean, I think especially if you're talking about scenarios where physical harm is likely, if you get to say to the public, we care, by putting our money where our mouth is, our chief technology safety officer has your back, is taking care of you, there's a marketing win there, arguably. And it's something that, if nothing else, a
general counsel would say that is a really good fact for the organization in case of an event: that there was someone who was professionally held to a higher standard of care, who was doing their job well, who was watching things, and who didn't catch whatever it was, but look, they're trying, they even had an extra level of demonstrable personnel that had authority. So what I've heard from CISOs since time immemorial is that they have the title but they can't actually do much, because they're not listened to inside the organization, right? So this kind of a role would be not limited in those ways. This would be by design a role that is a peer, and by having this kind of a role exist, you get to change the power relationship inside the organization, away from "let's spend all our extra money on marketing" to "hey, how about that tech debt that's going to inevitably really hurt someone, are we doing that, 'cause we have this consent over here that says that we should be doing that, are we really doing that, because, you know, I know there's this squabble over here between this department and this department, there's something that's falling through the cracks here." So to be able to have that kind of a structure, I think there's something that could be added, but that's up to you.

Okay, next is Dean, one of
the speakers from yesterday, who I believe has some bling on his ring finger, not his pinky finger. So you are a professional? Yeah. All right, so can you give us a glimpse into a non-hacker example?

I don't know about that. So as a professional engineer licensed in 25 states, which presents its own set of problems, there's a couple of things to think about. And a certified automation professional, which is a member society certification, not a legal certification. There's a lot of nuances to all the words that she's using, so you got to kind of watch these things. The legal term "duty to care" means very specific things in legal frameworks. And then we also have this engineer's ring, formed from an accident in Canada where a bridge collapsed because the designers weren't qualified. I'd like you to think about this from a different perspective, though. It's easy to throw up roadblocks and say, you know, this is a terrible idea and this is never going to work for us and it's only going to hurt us. That's the human nature, to find the negative. The positives in something like this is it protects the profession, right, and it weeds the bad actors out. And yes, there's going to be some financial things that are going to have to be dealt with, but it's also going to provide you, you know, I don't know if anybody in your, is there practitioners' insurance for hackers? Has anybody even tried? But you could create some. Exactly. So, you know, for a lot of the work that I do, I call the insurance company and say, hey, I'm about to do this job, and they're like, eh. But when I call up my professional society and say, hey, I need coverage for this, they're like, oh yeah, is it this or this or this? Fill out this form, here's your coverage. So those are things that you
know, even Sick Codes yesterday talking about not willing to sign off on disclosure and John Deere and stuff, and back and forth, a lot of that stuff, the legalities of a lot of the stuff just simply vanish. Because first you're going to go through a certification process to become a legal entity, and going through the licensing process is going to take a lot of time. I would also encourage you to do that at the federal level, not at the state level, because then you're going to end up with 50 very different programs. And right now I spend about $10,000 a year maintaining only 25 licenses, and probably about a total of a week's worth of time, and all just to fill out an entirely different form that asks all the same information across 25 different states. But to your point, in order for me to practice engineering in a state that I have a project in, that I'm going to get revenue from a client that's based in that state, I have to be licensed. I have a duty to the public, to protect the public first; the client is like third down in that list, the public is first. That's part of what the ring is about, is to remind me of that, not that I need it. But, you know, everything that we're talking about today is, this is cr-, what I kind of, some of the stuff Josh and I were talking about, like how do you get organized, how do you get real, basically, to where you are respected and you're coming out of the shadows. Which is, I don't know if you've ever done the marketing research to determine, you know, what does the public think of a hacker? It's probably not good, but it's getting better, and this would be a way to help that. We have the same problem in the automation profession. We did a big multi-year study, and we found out two things. The good was the public didn't have a bad rep of us, they didn't think badly of us. But the bad was they didn't know what the hell we did, and how we benefit society. So anyway, I bet you'd get really positive reviews on market testing "technology safety
officer."

Yeah, so I think part of what's challenging with some of the default framings of roles in this industry is that they're just a little weird sounding to people who aren't insiders. So translating the insider knowledge in language, your point's very well taken, to connect with what starts as a communication bridge, to instilling confidence, and to shifting the default of distrust toward a default of trust, knowing that there's a safety net of professional promises.

Okay, I think the next one's in the back. We have one over here too, I don't know if there's a mic on that side.

I'll be super quick. All right, so I really like the analogy with the medical specialties. It was a very long time coming from the medical space, and there had to be a very deliberate, over 50-year effort that involves many different levels. So it was, people were calling themselves doctors and maybe they learned from this person, it was very much the apprenticeship model, it was all that. And then we went to, like, medical schools, and then we had to accredit medical schools and say these are the standards you have to teach, we want to make that national standards, and then only certain spots, you couldn't make some rogue school, because if you went to that med school you couldn't get a job or a medical license at the state
level. So there was the state regulation of that. And then even further than that, say you just had a license, you had to meet all these standards, you still had to go and get a medical specialty from a board organization, right? If you got your medical degree and you want to go practice at a community hospital in a city, if you don't have a medical specialty, you can't. So then all these organizations that would come up that had very high standards. The federal government was subsidizing medical student education and graduate student education, so it was like an alignment of not just the practitioners. The only reason why your brain surgeon has to go through 20 years of school and three different certifications and do maintenance of certification every single year is because the states agreed to regulate it, the federal government agreed to subsidize it, and the most important thing at the end is that insurance companies wouldn't pay for care unless you had someone doing it at that standard. So that alignment took 60 years, and without it, if any one of those things didn't happen, we wouldn't have that. And then the last thing I would say is, it's like scale, right? We train out a [ __ ] ton of doctors; we need a lot of medical professionals to do that work. It's an issue almost like a chicken or egg thing, right? To get to the momentum that you would need for a certification like this to be widely accepted, standardized, a requirement, you'd have to have a lot of them, and that's going to be a problem as you gain momentum. They can do that at scale for the national health care system, but, you know, how many of these professionals do we need? Do we need one in every company? Do we need one in every large company? Until I think we could figure out, like, how many folks could actually step into that role, it'll be really hard to push the standards high
if you're only doing this for a handful of folks.

No, that's fair enough. And I mean, for the idea of the chief technology safety officers, I can probably name 20 people off the top of my head that I think would make great technology safety officers. You know, the OG people who've been doing this as long as I have are all a little tired, all a little disgruntled, and they want to have an impact on a broader scale. Or some people have, you know, flipped their company and they're looking for their next act, and maybe they want to just go in and do some policy hacking inside companies by encouraging people to do the right things, and they can just walk away if they feel like it, but in the meantime maybe they can make the world a little bit better. So, you know, not all doctors are brain surgeons, and estheticians are not brain surgeons, that's a different level and structure, and so it's not necessarily the medical profession structures that work here. So the goal is to think about the various different structures, and that's kind of why I offered this whole list. They all hit different inflection points on each of these different metrics; some metrics may not apply, some metrics may apply only to certain sub-specialties. But if you're holding yourself out as hyper-skilled in a high impact, high mass-harm event scenario circumstance, I would hope that, much like the brain surgeon, you would have baseline plus in context, now just that context. So I don't want to go to a brain surgeon for whatever podiatry needs I might have. And so different strokes, different organizations, it's all good, let it bloom. But I think doing nothing is not the right course of action, that's my big point. Doing nothing: we've done nothing for 25 years here, or very little in the way of organization, other than in particular this effort of like-minded folks, which is very important. But I mean in terms of formalizing normie-facing formalization of more traditional models of self-organization, there's a power in it that has not yet been fully harnessed. And so having the same degree of, I shouldn't say nothing, I don't mean to be harsh, so having the same degree of variability in quality for certain high-risk situations, that is not a good path forward as the world becomes increasingly interdependent on inadequately resilient, inadequately backed up, fragile technology ecosystems with lots of tech debt. So that's my plea.

Yeah, so some thoughts here and a question for you that I'm very curious about. So several months ago I had a surgery that was pretty complex, took three months to recover, still recovering. And in that surgery, board certified surgeon with an anesthetist and all that, we used a robot. I have no idea how
good the software quality of that robot was. I have no idea if there's any certifications involved in the software that went into that robot. The results for me were good, but I could see at some point, this robot was just doing very complex internal surgery on my pelvic area, one byte of code kind of thing, and bad results would be there. The thing there is that I feel like every society that we talk about was founded in blood. You know, the statement is, every regulation from building on up has been founded in blood. And what I'm very curious about is, at what point do you see society coming along in saying we are going to impose a requirement of a professional certification or a professional organization on this industry, and they better figure their [ __ ] out? And the other thing I'd also bring in too is the imposition of a standard of care, and you better figure your [ __ ] out, otherwise you can't hold this office, whatever that office may be. And the second thing is, people probably aren't aware of the role of the UN in things, and I don't know if you are aware of UN resolution 155, but for those of you who aren't, it is uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management systems. I work for an automobile company and that is one of our big, big things coming up. There's a bunch of other regulations that California, for example, has put in place regarding labeling of batteries. It's like, if we don't get our [ __ ] together, governments are more than happy to impose their [ __ ] on our [ __ ]. And I'm wondering, like, I don't know if you mentioned the UN stuff, are you aware of the UN stuff? There's a lot of stuff to be aware of. But I'm wondering if you could talk about the imposition of standards, because too much blood has been spilled.

No, so your point's
well taken. So one of the reasons why I think we are missing a regulator is precisely for international harmonization issues. So what I've heard from folks who have been at the table negotiating with our peer OECD countries is that we are not necessarily parallel in who we're sending into those negotiations and those conversations. We pick an agency that is something-plus-tech, rather than a technology minister, a technology-focused decision maker, policy lead, who has visibility across the economy, who sees how the pieces fit together, and that puts us at a disadvantage. The US, for better or worse, has not always been great about uniformly adopting UN resolutions, but European markets certainly are more proactive about that. And so some of this ends up being a market entry limiting variable that could work as a good nudge toward positive improvements. And the way that we craft our policy should hopefully be aligned with those directions, so that as we move in greater public safety standard preservation, toward, say, a higher standard in Europe, that we have that runway rather than unwinding conflicts in various different agencies' framing of issues. So unified framing on the federal level around all of technology safety I think would be incredibly helpful, precisely to more readily engage with international policymaking efforts, to open more markets more simply for US companies toward their entry with technology products, and to make foreign purchasers more comfortable with US products, to be able to say, hey, it's functionally interchangeable in safety with your German products, for example, which to my eye, and again not an automotive engineer by any stretch, to my eye, I think I drive a German car, I trust German automation with my life.

Time check: we're nearing the T-minus 15 minute mark, and I'd like to leave a couple minutes to wrap up. So in the spirit of "we don't always have as much time as you want," Christian just pointed out it took 60 years. We set this two-day track, that we have two and a half years
to at least make ourselves visible to people who need help, that we are the helpful. So to compress how much time we might need versus how much time we might have, I'd encourage, can we try to do, like, a speed round of getting more questions in as we head over to lunch? I know Ray's next, but can people try to do, or do you want a batch of questions?

We should probably do a batch, but I do want to tell one quick story on the point of medical professionalization. In the case of medical standards, there were also riots that happened, where literally Alexander Hamilton was holding the door of Columbia's medical school over cadavers being dug up and used, and there are state laws on the point of cadaver use. So there were multiple different context variables that were in play, and some of them are arguably constraining and some of them are arguably facilitating, because if you can create formal pathways then it might actually solve some problems, like the angry mob at the door of the medical school over the cadaver problem.

So you've got a list up here. All my degrees are in engineering, so I got my EIT ring that I don't wear 'cause I don't work it that way, and I did pharmaceutical R&D for a bunch of years, so I'm familiar with the idea of licensing. And when I started doing cyber security I was amazed, because, you know, people can die. So you've got 20 areas where there is some sort of licensing or certification. When you look at information security, where are we in the life cycle? Once we've diagnosed that we have an illness, how long is it going to take us to recover to the point of others?

I think it depends on which model you want to use. Well, like he said, it took 16 years for medicine; we've only been 25 years of doing. I think that is the most complex model possible, and for some aspects of security it may be the best fit, but I think there are other aspects
of security that don't require the 60-year cycle. I think there can be a much quicker turnaround with using some of these models; it just depends on which points you have shared interest in implementing. And that's a question. Oh yeah, I was thinking, like, well, I mean, I don't know, so I may regret this later: if 10 of you send over a shared list of values, we could probably get something up and running in six months. But, you know, there's the throwdown for you, there's the challenge. I'll help. I mean, I do have law students that would potentially be helpful, hopefully, at least, you know. But it depends entirely on how sophisticated you want to set the frameworks, what the governance structure is, how you want to run it, and these are a lot of policy decisions that will be a fit for certain contexts and not a fit for other contexts. So lots of moving pieces. So I'm just trying to offer as many moving pieces as I can think of to feed the discussion. Christian, did you have another?

Oh yeah, just real quick, I had this thought about, I know, sorry, I know it's incredibly complex, and I'm not going back to this to say that it's always going to be compared to something like a medical specialty. But a lot of the competencies that folks have to do to get certified in a specialty are very objective. It's: do 25 gallbladder surgeries with another doctor, and they watch you and they tell you when you suck and when you don't, and then at the end, if you've done 25, that's one of the 160 things you have to do to become a board-certified surgeon, right? So one of the things that might be a challenge in this is, like, the curriculum, but the standardization and how much there's variance, right? Like, what would the competency be for something like that? Have you blown the whistle before, and can you write a good whistleblowing report? Like, how do you communicate to the C-suite this catastrophic tech debt? Were you good at that, bad at that, or mediocre at it? We'll give you a C at communicating to the C-suite. It's hard when you talk about, like, competency based assessments that are objective.

But let me flip that: that's what the organization's for. Hey, members, here's a good form letter to communicate the existence of crippling tech debt that will cause bad things to happen. Hey, membership, here's how you whistleblow; here's the reference to an attorney that we have hired to work with you to protect your interests throughout your whistleblower process. Hey, membership, here's the insurance provider who's giving our members discounted rates. And so the models, they don't have to be such a
trial by fire as they are in law or in medicine. I mean, I'm still blocking out parts of my bar exam because it was that stressful. I remember walking in, I remember having unkind thoughts about someone who was jiggling their leg down the table, I'm still mad at that person, it was very upsetting, and then I remember walking out. So, but that's a trial by fire thing. But, like, EMTs, it's a different model, and so the skills are slightly different. And I'm still digging into this history, but from what I know of the history, it was working with a smaller set of skills, in particular to help economically empower people who wanted to be productive and didn't necessarily see that pathway, and it was the work of a very small number of people, one doctor in particular who was transformative in that way and wrote the curriculum, etc. So I think doctor, EMT, maybe different pieces of security require peering with different kinds of models.

Yeah, so as I understand it, you know, the goal is to make things better, safer, and the organization guild model essentially is a proactive one where you say, you know, these are the expectations that we have. You have the carrot, the stick; you indemnify the people who satisfy the expectations, you punish those who don't. And the difficulty, of course, as you alluded to, is identifying those expectations, and that is the absolutely most difficult part of this, and it's where we aren't right now. We aren't even able to do reactive well; proactive is almost impossible. But I think that expecting a small group to organically form those expectations is probably not going to happen, and perhaps a supported effort to develop those expectations is more what we really need.

Okay, challenge accepted. I'll think about that and offer some avenues if people would like guided roundtables, etc. I'd be happy to help facilitate that, and even feed you.

Thank you for the talk. One thing that I'm curious about is your
perspective on how this role would interact with, like, the chief risk officer for an organization, because most organizations of the size who would have or be interested in this kind of role have a chief risk officer. And so how is this role differentiated from it, and how would it interact with that role?

So that's a good question. I think chief risk officer ends up being somewhat idiosyncratically defined across organizations, and so it may be a context specific determination. Maybe the chief risk officer joins this group and gets certified as this too, and it becomes a hybrid role that is elevated to have enough clout to be able to do that. The question that I would have is, would the chief risk officer have the ability to functionally identify those crosscutting gaps in internal control, and to say, you know, request or require stopping shipment of unsafe code? So companies vary on that. Even general counsels can't necessarily stop the shipment of unsafe code in a lot of places, and that's been something that's gone back and forth even in some of the biggest tech companies, and there's also been reversals around whether the security team can stop shipment of unsafe code in some of the biggest tech companies. This is a position that in my mind would have that level of authority to say, if we do this, this will end badly, no, we should not do this. Depends on how we build it.

So I've spent a lot of my career in standards land, and so I really loved a lot of what you said here. One of my concerns, and I'm curious what you think the solution is, though, is where there's a big difference in resource availability between the, I guess, private sector and whoever's developing the standards, be it government standards organizations or these other organizations. You run the risk of, I can't think of the right word except for regulatory capture, but the equivalent of regulatory capture. Do you have any thoughts, where you've got this big asymmetry in resources, how to address
that particular problem?

I think that the starting point is a bottom-up effort of like-minded professionals who get together and say, we all acknowledge there's a problem here, we've all been frustrated in the way these problems have been resolved. From my perspective there are standards that are a good idea, even, you know, basic ISO standards around, say, vulnerability intake and management, that if companies did them would facilitate the process a lot, and other secure development process standards, etc. They're just not being implemented. So maybe the question around adherence to a shared list of recognized standards in the organization, as being the bare minimum of what safer product design and shipment looks like, that's one thing that the organization could do. But I think it's going to be a bottom-up thing. Since I've already committed, I'm happy to facilitate that with a series of roundtables, and I don't do anything without food, so I'll feed you all. You just have to come up with the standards, and then I'll ask annoying questions, because that's what I do. So I think some of this will organically crystallize as the areas to fight it out, and, you know, a neutral arbiter can call the balls and strikes, or whatever metaphor you want to use, on asking the right questions to have people meet in the middle and create that code. And then, you know, you've got a little seedling organization that will either grow or won't grow, but you at least are marketing, I should say, not marketing, informing, creating a public-facing document of what your values are and where kind of the stake in the ground is on what you subscribe to.

All right, I'm going to give the last, I saw three hands that have not spoken. I'm going to give them 30 seconds each; after all three, just answer whatever you can, and then I'll wrap us up.

Okay, so I have an ask for you and those that might create such a professional organization: to consider and include a role for those of us who have been practitioners for a long time
and are now at a point in our life where we are enjoying the fruits of our labors. We are no longer practicing, but we consider this important enough to expend our own resources to come to week-long security conferences to maintain our certification, and still want to contribute.

Sounds like they might be good panel members for an adjudication body.

I'm in quality assurance, which I like to call security adjacent, which means I come to these conferences, get the bejesus scared out of me, and then go take that back to my engineers and scare the bejesus out of them. I think having a professional code of technical safety will really help us tell people how we want to be treated, tell people how to interact with us, what they can expect from us, what to come to us with, and that's really going to lay the foundation to start creating these relationships quickly. Having a professional code like this is a shortcut to trust, and that's going to be so important to get adoption. And QA as your allies: be nice to us, we're here to help.

Hi, one thing I kind of think about, a historical parallel that might be worth looking at, is the railroad when it was developed. There was a lot of opportunity created, kind of like as technology progresses, but it wasn't pretty when it started, and there had to be a lot of safety regulations. It's infrastructure, it's supply chain, it's just kind of, I see parallels today, like if you look back. That's it.

Those are my three. Yes, you can synthesize.

Yeah, totally agree with the perils with railroad. There was also a lot of financial fraud that happened with the railroads that they're still in some cases cleaning up a little bit. QA, I'm a big fan. So I had a fascinating conversation with an ex-QA engineer who is now a very high-end chef, and what he told me is that his QA skills are what led him to excel in three Michelin star dining situations. So
the parall I absolutely see them and I think that the benefit of the safety language is precisely what you said it's a translatable language across organizations and different communities to build allies who can push together toward a safer public and a better tomorrow uh fun fact Chris IOP myself bunch of absc people all started in QA um so we agree um because we said this was uncomfortable conversation um I appreciate everyone leaning into this this is the start of it not the end of it and I'm going to make it a little bit harder in a minute here because while she's not coming to speak to this specifically our White House oncd person helped lead the strategy on Workforce
expansion so in your left hand we're talking about how do we make sure we separate the wheat from the chaff and the more trustworthy and how do we identify ourselves in a 2 and 1/2 year period to be useful to our communities on fire and disruption which might narrow the field and in my right hand we have so many unfilled jobs and the White House is currently looking for reducing barriers to entry and reducing college degree requirements I don't think these are inconsistent and incompatible but it's going to be hard so it's possible we could bleed some of this conversation over into how the White House is using their white their Workforce Development strategy but this is the time for the
hard stuff guys uh we when you all all you do is look for the low hanging fruit and the easy stuff you know what's left they're really really hard stuff so we're in the hard stuff adulting place and I appreciate you stirring the the pot here the pot a little bit and and I'll stir the pot a little bit more think about how much you want to keep it in the community in terms of this first steps of building versus engaging with the policy makers externally on this I I would my instinct is that maybe May and I'm happy to help maybe the first cut in an organized way on this stays in community fail
small I do think they I can see I don't know if any of you saw this but I felt like there was some concentric Rings here where the maybe the most Atomic nugget could be some shared values and then maybe some stratification and just to give credit where credits due before we launched I the Cavalry at besides August 1st 2013 one of our early collaborators in addition to Andrea was Tim kbec in Florida and he wanted to make a union like a blueco collar Union and trades and apprenticeship program for pen testing and things like that so there could be concentric Rings there could be stratification don't look for one size fits all just look for things
that can create common cause common purpose signal to other stakeholders and could be built upon later um thank you for both your keynote this morning and running this difficult conversation and we'll keep it going and I hope everyone has a nice lunch and comes back for White House and myself on the next session do you want the last word stickers there are stickers with bears on them please okay we're we're back here [Music]
okay welcome back from lunch I hope you got some nourishment hackers like food okay so hopefully everybody knows me by now but I'm Josh Corman I'm going to be helping with this 2hour block of our second uncomfortable conversation for the day and joining me I'm so happy we I couldn't put it on the agenda because I wasn't certain we could pull this off but we have an official White House Office of national cyber director person thank you hi everybody appreciate it yes my name is aanne Isam I serve as the Director of cyber Workforce uh with the office of national cyber director but um prior to that uh did a short stint um at a think
tank as associate policy uh director for uh cyber policy and emerging threats and uh several years uh as a uh cyber security strategist and um having a multitude of roles between special projects in aviation cyber security and as well as um pandemic response which we will get into a little bit more as when uh share a number of our stories uh when it comes to our time together in sza so okay so I'm going to embarrass you a little bit um um the Cavalry has been now 11 years right we turned 11 years old on August 1st so if you weren't here in the private one private private meetings give yourself a happy birthday um one of our major Milestones was we
got the First Congressional Delegation to Defcon uh and it was bipartisan it was Will herd of Texas and Jim lman of Rhode Island uh who is the founder of the Cyber caucus in the house and the two of them were very influential on things like cyers space commission Etc and the person who cut through all that bureaucracy to make sure we could actually get two sitting congressmen to Def con okay like this is never going to happen and you're like hold my beer okay so um baracy hacking is a thing though like and a much needed skill so please please get yours too um so we we have had several hats we've worn in several forms
of collaboration and I was overjoyed to see how many Cavalry is people entered the inaugural office of national cyber director uh this is something from the cyberspace alarm commission that um the bipartisan commission made a bunch of recommendations and have been advancing the law and one of the things they put in the law was having a senate approved permanent role in the White House to do cyber coordination across the executive branch uh for strategy for policy and really really really excited at how many Kindred people are in there making sure it gets a solid footing and moves forward and these people have been coming to hacker cons and participating and advancing our causes for quite some
time so this is going to be a heavy topic I'm actually was going to pull it up just so I could make sure I remind us how to stay on track because the one after us sounds similar so let me pull up what you came here for so this uncomfortable conversation is called times up you have three years maybe three months maybe three weeks to protect your stuff what do you do right I think we were inspired by some movie and I forgot which one now but uh we're going to have a focus on really short-term measures that we could use to reduce risk so yesterday we talked about in the context of more disruptions
larger disruptions longer disruptions more life safety affecting disruptions from accidents and adversaries from crowd struck and and Criminal ransoms on change healthcare for the healthcare space this is increasingly disrupting our communities and our families it's not okay and it's about to get worse and it's uncomfortable to talk about how it's about to get worse with the Advent of hybrid Warfare but when uh myangelo said uh When someone tells you who they are believe them and the leader of uh superpower has declared intentions regarding Taiwan and marked on the calendar 2027 and as of this January and Declassified briefings to Congress the four heads of cyber for the US from uh Christopher Ray from FBI uh now moving moved aside or
replaced recently former director of NSA General nakason director Easter Le of sisa and your bosses your big boss uh Harry Coker from the office of national Li director all told Congress about um that we have both found and evicted a campaign known as Vol Typhoon from us critical infrastructure quite a few of the examples are about water and waste water so even before we knew about Vol typhoon if you go and watch last year's videos one of the Fantastic ones was you and Spanky uh Steve lazinski we had updates on those four Lifeline critical lar sectors of water we drink the food we put on our table oil and gas pipelines SL power let's just call it power power uh and
emergency medicine and all four have been disrupted and all four are going to be increasingly disrupted and yesterday we had updates from each of them and what's happened in the last 12 months but also challenged each of them to say if you had a destructive attack not a ransom not down for seven days or seven weeks but destructive attack what are the cascading effects on your family your community your country so instead of us just waxing poetic wanted what does the White House think about this and what was the White House National cyber security strategy that was published last spring and how are we doing on it and what has worked well and what has not worked well and
there'll be certain things an official spokesperson can say and there are other things that I will say um when we reach some of those limits uh but let's um let's bring the gravitas appropriate for this let's try to have the hard conversation simmer in that discomfort and um figure out what you can do so we're going to look for ways that we can left aoom and right aoom take reasonable steps to identify and buy down risk and it might not be Shields up and do this best best practices it might be connections down right if you can't afford to protect it maybe you can't afford to connect it and these are not recommendations from the
White House but I think given the finite amount of time we have less than two and a half years it won't be January 1st per se it could be later it could be never it might not be China it could be Russia it could be Iran IR be North Korea any but if there is a conflict the next conflict will be a hybrid conflict and we are very prone to disruption so um this is meant to be a discussion we'll have a couple framing remarks from the White House folks from me a little bit of back and forth and we do have some shared experience as well in that um when the pandemic was declared I got uh approached by the
first director of sisa to be the chief strategist for what became the sisa co Tas Force and we assembled a m massively multidisiplinary team of Physicians infectious disease experts hackers Logistics supply chain people quants um data scientists to try to identify and buy down risk on the nation's hospitals and on the vaccine Supply chains associated with operation warm speed and I had the privilege to have someone I knew and trusted before already at sisa willing to do our highs side work and we did not have infinite options on how to protect these soft targets so we we're going to show a few of those things the right moment on when we didn't have 3 years to harden the
targets we had 3 months so in this case 2 and half years is a lot better than three months I'd like to have 10 years but we have the time that we have and we can do smart things in different phases uh as individual citizens for our homes for our communities and maybe at the state level and I want to stay right up front in case this is not clear I am a really big fan of what the White House is doing what Congress is doing on Cyber what some of the executive branch is doing some are better than others they the the recognition of the problem is there it's bipartisan it's by Camal in the house which means so it's not
just executive branch it's also a legislative branch bamal means both the house and the Senate so it's bipartisan and bamal which is super rare there's some good parts in the White House strategy there's a lot of execution and accountability for the first time in a strategy there's a lot of progress being made all those things are great and the overwhelming majority of those will not make manifest protective benefits in the time hor Horizon we're speaking of so we have a period where we are overdependence on undependable things with increasing harm we have a period where a lot of what your teams are doing are on the right path we're rebalancing that we are more proportional on how
much dependence we have and how how Dependable things are this middle is very very messy so I expect the federal government and the Central and our allies abroad are going to do the right things and keep doing the right things and I think we have a role we can play in this messy middle so any opening Salos from you just to add the fact that um as you mentioned earlier the need for Investments now we're going to see the benefits not even within a year hopefully within two years time it will it will take work hard work and it will take Collective effort um and that's the purpose also of the national cyber security strategy and then on top of
that the national cyber Workforce and education strategy because my um just quick uh uh anecdote and story is that I decided to also take a lot of the experience that I had with training and Workforce Development uh recognizing that I had a sliver of a operational uh window of working in the vulnerability management uh side of siza and literally getting like for the first time ever learning what burnt out would be for log for Shell right and then the shoe was finally on the foot of foot to say oh my gosh this is what my colleagues are dealing with on the on the front lines and uh to have a greater appreciation of well how do we ensure
that we have enough folks so we're all fighting the good fight but also still having a healthy amount of you know energy to keep doing the good fight this is a long Marathon um and uh that that you know we still continue to stay passionate um with uh providing the service that we do regardless of where we are whether it's on the industry side academic or you know state and local to to Federal like they're they're different pieces and uh as a result we cannot do this alone we on the government side may come out with policies that are also informed by all of your work but it only will be successful if the uh documents that
we're creating and the engagements we're um a part of actually help create that trickle down effect and if there's that part in the middle that is working or there's a disconnect this is where it's helpful to have these conversations and spaces that um most of us are typically not at to all engage in so yeah all right so there's a number of ways we can slice this we're going to probably do we have an audio problem okay we're going to probably um put a few Primitives out there to seed the conversation but don't let us talk for too too long we want to start tasing the mics and if I don't know if you have a second mic Runner but if
someone wants to volunteer to be a second mic Runner I don't have a I don't have you don't have a second mic okay never mind okay um so we'll do our best to track the order in which people have comments one thing we did not do in the last discussion with Andrea was maybe this is too much time in Think Tank land but the one finger means I have a new topic and the two fingers means I'd like to remark on the topic we're currently discussing so that might allow us to play a little bit of real time judgment calls on who to call on uh and we like people to keep the remarks somewhat short so we can get to as many
people possible we had a significant demand last time also while I'm bringing that up um we talked about professionalization with the inter tuition and it was less spicy than I expected but very engaging um and one of the things that I will flag as a piece of tension that you may want to comment on today in our session here it's not so much about what we can do in the next for critical infrastructure hardening but it may be about how we best scale the talent we have available so one of the pieces of attenion if I could put my left hand in my right hand um if we try to professionalize and separate charlatans from you know
reputable trustworthy people um not to be gatekeeping but like it's harder and harder to tell who's living up to a standard of care like Professional Engineers or Physicians if we try to professionalize the market signals to the public how they can trust engagement with us what they can get from it how it's in our best interest that could narrow the field of talent absolutely and in our right and a lot of the great work done out of the office of national cyber director and you specifically you and your team specifically has been on Workforce Development how to scale it and that included recommendations for federal roles to drop the requirement for a four-year degree not to lower
quality but what is the fit forp purpose way to take the existing talent pool and maximize it while growing the overall talent pool strategically so our tactics you know could be intention and I think smart people can negotiate those tensions well so perhaps we get even better lens on that time permitting um from your published Workforce strategy yeah okay so with that aside um hopefully you guys can pay attention to whose hands come up first and when if it's one finger or two finger so the cavalary was focused on everywhere bits and might me flesh and blood but during my time on the C task force together we realized wow uh there's 16 critical infrastructure sectors but
they're not all equally critical um Financial Service does a great job because they got a lot of financial punishment and they adjusted really well and their public private partnership is awesome Department of energy is got some things done really really well have a good public private partnership on the bulk of power but maybe not on the small medium rural municipals yet right um Healthcare maybe would be third but I think healthcare is in very very bad shape very very bad shape on we're we're focusing more on your privacy than your life right we almost everything for Hippa less for patient safety and that is changing but it's pretty far behind but then there's like you know out of these 16 things
when everything's critical nothing's critical and one of the things we tried to say is out of the 55 National critical functions across these some of them are the bottom of M allows hierarchy needs so Angry Birds is it which is technically you know critical infrastructure but nobody dies if Angry Birds goes offline you shut off water for 24 48 Hours very bad thing starts to happen so with a stratification of M's hierarchy needs food Water Shelter the things that keep us from being lower the Flies last year we started making the pivot with the Cavalry not to exclude the other things but to highly prioritize what I uh what some people call Lifeline critical infrastructure so
that's water and waste water which is uh the public private partnership for that is the EPA Environmental Protection Agency Andrea mishan pointed out that the Burning River in kyoga uh triggered the Clean Water Act in the formation of the EPA which had been the newest Federal agency until sisa or this one in between um we we are going to talk about EPA so make sure please remind me yep because this was a great part of the president's National cyber security strategy that got rebuffed almost instantly so the EPA is in charge of the public private partnership uh Dean our fantastic speaker from yesterday is in that industry there's not a lot of trust in the public private partnership
there's not a lot of attaction yet in the public private partnership and yet all of us need water uh food supply um you heard yesterday sit code says there isn't really an an ISAC for uh for food people disagree about that there was a special interest group in the it ISAC which is a different sector mostly for Consumer packaged Goods which means the factory like Pepsi Co bottles potato chips canned things things once it hits the factory but from the farm to the factory very very very little participation and when we were pointing out to Congress that there is no food iack uh what would we do if we had actual intelligence to disseminate to key choke points in the hyper
concentration of risk across food supply uh the it ISAC just declared themselves the food ISAC so we have one in neem um it has very limited participation so far and I I believe we still need a more comprehensive representational dedicated ISAC information sharing analysis Center for food and we have had some attacks and you saw some of that yesterday if you missed it go watch code slides there's been a number of ransoms some of the more high-profile ones you might have seen could be JBS Meats which is like north of 30% of meat for the for the Americas um there was uh dole had some disruption there was Pilgrim's Pride there was a shortage during the pandemic
my daughter's noticed before I did of cream cheese for a bunch of reasons including some cyber stuff uh maybe you put this in food nag maybe you don't but the baby formula right so we have a heavy concentration risk increased digitization increased dis disruption from accidents and adversaries so the food supply is not so robust yet um the oil and gas pipelines for Colonial but let's talk Municipal so Depart of energy is a great sector risk management agency it works uh through Caesar and other things with their ISAC they have nerk and FK there's a lot of Engagement there's still room to grow there especially as we've increasingly move to solar and if you've heard um Dr Emma
Stewart yesterday uh she is currently the chief scientist for the grid for Idaho National Labs and prior to that she was uh at nreca which is what uh stands for National Rural Electric Coop National rural National Rural Electric Cooperative Association so all the smalls all the Last Mile and one of the unfortunate side effects of all these solar panels is all of the solar panels all of the inverters all of the batteries are made in China and many of them are be beoning back to China By Design so in the case of conflict which we hope we don't have in the unlikely event of a water landing uh we do not have alternative suppliers at the
moment um so Municipal Power is is a big issue so we have a big of a head start of public private partnership schools have been affected colleges have been affected federal agencies have been affected um but back to these lifelines um during the pandemic my team studied um a natural experiment a protracted pronounced disruption of healthc care delivery in the state of Vermont and we could see with another piece of analysis we did uh called uh we did some excess death analysis we could see that in the same state with the same population adjusting for Hospital type and size um the regions affected by Ransom achieve these excess death stress levels sooner and stay there longer than their peers
in the state so we can measure minimum maximum most likely loss of life connected to the protracted cyber disruption Dr Christian the maap yesterday has published several peer-review journals since then on the blast radius when someone like scripts goes out what effect does it have on the community that has to take the Overflow and more recently he studied shocking uh survivability rates for heart conditions during a ransom shocking um please watch that tomorrow but we now know that this is not just about our privacy this is about wor outcomes delayed degraded denied patient care affects mortality rates especially for time sensitive conditions like heart brain pulmonary trauma I mean we saw that with um the you know pharmaceutical
side of the house would change Healthcare and then how that had a trickle down effect and uh impacted patients ability right to to get life-saving prescriptions and drugs and this wasn't just through um you know insurers and general providers this was also impacting uh veterans who would get their medications through the VA and they're Downstream sources so yeah there's like un unforeseen consequences but that was at least also like one major news story that had like real people real effects that finally was connecting to the public the severity and seriousness of what a cyber incident could do Downstream to the patients and I hope to talk a little bit more about Healthcare later but I'm going to do a
very quick thing because we announced a project yesterday called dis uh un disruptable 27 if you haven't heard make ask dur a question we'll repeat it but undisrupted 27 is um realizes that we have excluded for too long citizens that bear the brunt of these failures owners and operators of critical infrastructure that are Target rich but cyber poor in these communities and Municipal leadership like we' had a good Federal approach and federal strategy and we' pushed it down some of them have pushed back but we've really excluded the people affected by our cyber security failures um for too long so I'm going to show an example of what inspired this project it's a tiny example that we came up with during the
pandemic but I put some ugly slides to you after the pandemic uh task force was stood down I don't think the pandemic's over no matter what people have said but um here we go um this is a modified version of what's called a wly map wly maps are really awesome and really confusing um so I only use the vertical the the horizontal still confounds me but you basically start with things and what depends on what things and whatnot so I'm going to make a dependency chain here in their love language because for many many years this group has done really good things with Healthcare but only recently we started making huge strides and it was because of this ugly graphic that
I'm going to animate H Health delivery organizations Health and Human Services which is the sector risk management Agency for healthare and Public Health in the US which is 20% of our GDP and every single one of you needs Healthcare and citizens we all want the same thing which is we want to keep people alive right theoretically that's what we want well one way you keep people alive is carrying capacity regionally so what is carrying capacity it's how many patients can you see in currently okay so when you talk whenever I would talk to people even during the pandemic about the cyber security I'm sorry um even during the pandemic when we had record high ransoms concurrent ransoms
very disruptive ransoms. When you talk to hospital leadership and you say, "we want to give you a couple million dollars to shore this up," it's like, "if you gave us $100 million we would apply it to the three S's." So their love language is the three S's. What do I mean by that? In a carrying capacity, they talk about space, supplies and staff. Everything comes down to space, supplies and staff. So you might think a 100-bed hospital has 100 beds of carrying capacity; that's not true if you only have 80 staffed beds, and you don't even have 80 staffed beds of capacity if you only have supplies for 60 of those 80 staffed beds. So it's a constant theory of constraints: what's the bottleneck, where do we apply our capital? And at different times throughout the pandemic, different things were stressed to different degrees. So that's what they want to spend money on. They said, "if you gave us a million dollars we wouldn't hire a security person, we would hire more nurses; we wouldn't buy an EDR solution, we would buy another ambulance." So they want space, supplies and staff. Okay, so I modified it in a couple of ways, because keeping people alive, we were doing a very bad job at it. At the one-year mark of the pandemic, when all of you heard on the news that we had 500,000, half a million, citizens in the US who had perished from COVID, you had also heard that they were mostly 85 years old or older and mostly with four or more comorbidities. So while it was tragic, and these were our grandparents, our parents, our loved ones, a lot of the country was numb to other things and mostly said, "yep, people are going to die." What they weren't paying attention to is, at that one-year mark, my team studied a constantly published piece of performance measurement called excess deaths. The CDC, the Centers for Disease Control, tracks excess deaths, which is a running multi-year average of the number of expected deaths versus actual deaths, by state, by condition, by month. So if in Nevada you normally have a thousand heart attacks in the month of August as a running average, that's expected, and you have 1,200, then you have 200 excess deaths. Now what we noticed in this number of excess deaths, which is a significant number, I think it was 250,000 excess deaths in the first year if I recall, is that these were not older people. The fastest growing demographic was 25- to 44-year-olds. You've heard me say this in previous years, but these were younger people, and not only younger people, these were critical-infrastructure-aged workers that did the ports in LA to get our supply chains, that worked in water and wastewater, that worked in factories, that worked in truck driving. And as they succumbed to sickness, death, disease, alterations to family support structures, more and more parts of society started to fall apart. And as a hunch, given our work on the Cavalry and CyberMed Summit, I said, "I'll bet you these are heart conditions and pulmonary, where minutes or hours are the difference between life and death." So it's not just keeping people alive; our hypothesis was this is where minutes matter, hours matter, days matter: heart, brain, pulmonary. And it's true, we bore it out in the data. So we said in our guidance to hospitals, "hey, if you can prioritize the time-sensitive conditions,
get rid of elective surgeries that have the potential to put strain on your ICU, or intensive care units, please do so." So we tried to say time-sensitive matters. The second thing we started to realize is they didn't care about these disruptions to hospital equipment or hacking or anything like that, but I realized just telling them to care about something that wasn't the three S's didn't work. And then we talked about medical technology. So in a neonatal intensive care unit for babies in 1990, a nurse could handle one acute patient at a time, one to one. In fact, Beau has a great story of one of his first contracting jobs in cybersecurity, at a hospital, helping the neonatal intensive care unit; fantastic story. But armed with modern technology, we now have nurse monitoring stations that can handle one to many, maybe 3x, maybe 5x the nurse-to-patient ratio, safely. Why is that? It's because medical technology is a force multiplier of your staff. And it finally occurred to me that the unavailability of that technology is a force divider. So you've got circa-1990s capacity but 2020-level nurse-to-patient ratios; you went from a very safe to a very unsafe situation very, very quickly. And who suffers the most are the time-sensitive acute care, like heart, brain, pulmonary. On the day that we published our excess death research, same day, October 1st I believe it was, the Wall Street Journal ran a front-page story of a court case with an alleged victim, the first alleged victim of ransomware, which is a baby that lost their life in Alabama in 2019. Please look up that story; it's ongoing. They had settled out of court and then they changed their mind and haven't, so I don't know the current state of that. But the modern ability to deliver care is dependent on several connected technologies, and when they're not available to us, for imaging to know that there was an umbilical cord wrapped on the neck before the birth, that led to a more challenging birth, but a successful one. And then in the intensive care unit, the lack of telemetry and remote monitoring affected the quality of care afterwards, and doctors and nurses, in messages to each other, admitted that had their technology been working they never would … this baby. So while the baby was successfully born, it perished later, and this is still going through the courts. So, your first named victim, and on the same day we published the first statistical proof of loss of life. So we hoped that that was the end of the debate of "is this a privacy issue for HIPAA, or is this a public safety, human life issue?" Because when these technologies fail, it's the patients that suffer. So this is some of the data science we did. And then, while I thought
we put ourselves on the right path because we passed the PATCH Act for medical devices, so there are actual FDA authorities to make really robust, defensible, maintainable cybersecurity programs, like seat belts for cars, and we're in the midst of a hot debate over how to regulate minimum cyber hygiene for hospitals. It can't come fast enough, because just before this conference last year St. Margaret's Hospital shut its doors forever. It's not the first one to close its doors from financial insolvency; there have been over 200 of them in the last 5 years. It's the first one to publicly admit that their ransom was a key contributor to their financial ruin. So we started digging into that, and over the last several years, this particular tracker out of the University of North Carolina: every one of those dots is a hospital that doesn't exist anymore. It wasn't bought, it wasn't even preyed upon by a private equity takeover, it wasn't consolidated; it's just gone. So the only thing worse than being down for 6 weeks or 12 weeks in a ransom event, for delayed, degraded, denied care, is being down forever. For the people who live in that community, draw a radius around that: if it's more than 4.4 minutes you may see elevated loss of life to heart attacks; if it's more than an hour or a few, you might see elevated loss of life to strokes. And as these hospitals close, Dr. Mark Jarrett pointed out, he's the head of the Healthcare and Public Health Sector Coordinating Council, that there's a corresponding drop in income to the region as well, as families move away, as industry moves away, because if you need care and you can't get care, what starts as a care desert turns into a desert desert. And if this is one of the areas where we have some of our concentration of risk for food, or some of our aquifers, or some of our most vulnerable power and utilities, this is a haves and have-nots, target-rich, cyber-poor problem. So we know Colonial Pipeline did severe damage, maybe not what was intended. We know NotPetya did 10
billion dollars of damage. This was a nation-state attack from Russia against an intended target of Ukraine that escaped its blast radius and intentions and hit companies globally, like Maersk and Merck and UPS and others; Merck Pharmaceuticals took about a billion alone. So they had an office in Ukraine and it pivoted and did a billion dollars of damage, including cyber-physical harm. So we know a nation state can, without even intending to, do damage, long-lasting damage, to US critical infrastructure. We mentioned Change. So even though we were focused on medical devices, great success on the way to relief; we're currently having a huge fight on healthcare for hospitals, great fight, important fight, on its way; nobody was paying attention to these "ball bearings," as we called them. The term of art in US policy is SICI, or systemically important critical infrastructure, or SIE is the term that Jen Easterly refers to, systemically important entities. This is the idea that in any sector or any national critical function there's a handful of companies upon which too many people depend, and if they're disrupted they have an outsized, asymmetric impact. So one of the jobs of these sector risk management agencies, in consultation with CISA, is to identify what these SICI entities might be, and maybe give them elevated assistance to identify and buy down risk, prioritize response, so in the case of a disruption we have an action plan and we've rehearsed it. And Change Healthcare was one such entity, where it's a common payment gateway, United Health Group, which got to something north of 75% of US hospitals for months, which disrupted cash flow, which made them not be able to make payroll, which made them have to take emergency loans. There were bridge loans from the US government and from Change themselves, but this was harrowing. This also affected pharmacies, so certain patients couldn't get time-sensitive treatments without paying out of pocket. So the issue here is, if we don't proactively identify our critical infrastructure, our systemically important entities, adversaries will reveal them for us while we burn for weeks and weeks and weeks. So Congress is really pissed off about this one, and the White House has put out National Security Memorandum 22, which is trying to nudge better collaboration across the executive branch to make sure that these 16 sector risk management agencies help find them, in a process that CISA helps define, and that CISA looks for cross-sector cascading risk failures. Okay, so one of the reasons I wanted the White House here, sorry it took so long to get through that first part, was it's one thing when hackers try to do secondhand, thirdhand national security stuff. What can you tell us about Volt Typhoon? There's a couple of slides if you want.

Right, so, what I can quickly and
publicly share about Volt Typhoon, basically on what's already been shared on the Internet, is essentially, as Josh had mentioned earlier, Volt Typhoon is a recognized and known campaign coming out of China, and it has been targeting our critical infrastructure not only across the nation but particularly in Guam. And so there was particular concern as to the fact that we have a nation-state actor with a long-lasting and multi-year campaign actually into multiple critical infrastructure sectors that are depended on not only by the locals but also by our defense industrial base. And so this is where it becomes a key concern as to, if there is a geopolitical regional conflict with regards to the China-Taiwan Straits, what would that mean if a key part of our response in the region, particularly out of Guam and out of other countries, then becomes impacted because of a disruption to our critical infrastructure, and we are now busy responding to what is happening in our backyard versus having the opportunity to allow our military to do their mission set, which is to respond and deploy accordingly to the mandates that they have before them, and also to protect our national interest assets as well. So this is also a key piece, where a lot of times, having conversations publicly and sharing, and having that hearing in Congress to have our four leaders across various government agencies share and state that this is a huge concern, that this is something that should be addressed not only by government, but that this is also going to be a whole-of-nation effort with regards to how we collectively bolster our critical infrastructure in a way that is not only going to protect us but also protect our national mission sets and defense strategy writ large. So that was also the culmination of a number of reports put out by, first and foremost, private sector industry security researchers identifying the issue, publicizing in great detail what is now known as living-off-the-land techniques, and writing in specificity how those techniques actually are not as complicated sometimes as they can be, and utilize a lot of commonly exploited vulnerabilities that are constantly not only out in the wild but are still prevalent in a number of our legacy system software and hardware. So it then really begs the question of, okay, how are we looking at those systems writ large, and having honest and candid conversations with the manufacturers plus the
developers on having the requisite patching, but most importantly building in the mitigations that we would then need, to look at infrastructures that have devices that are 30-plus years old and that are also very expensive to rip and replace. Sometimes just even adding the IoT, or additional fancy new software on top of it, you're adding a virtual programmable logic controller, that's great, but at the same time, on the back end, how are you resilient if your electricity goes off and then you don't have access to grids? Do you have the ability to do manual shut-offs, similar to the story and case that happened with the water sector, and I'm blanking out on the locality in Florida; oh, Oldsmar, Oldsmar, right. And how it had to take a technician noticing the issues and then having to actually manually alter the processes, versus it being automated. So that's where a lot of the key, critical pieces then really come into play, as to how do we essentially ensure that we're looking at the broader sets collectively and not just looking at the vulnerabilities, the threats, plus at the same time what mitigations we need to be putting in place. But there's also a workforce component, in terms of: do we have the right talent on the island? Do we have folks that are able to come and support whenever and wherever necessary? There are all these bolstering questions as to how does one ensure that our critical infrastructure entities, which a lot of times are privately owned and/or state and locally owned, do not have the funding or resources, do not even have the guidance, or may not realize that there are these threats out there because they may not have the intelligence capabilities and access to be prepared and have that as part of their overall decision-making process, and, most importantly, that can also help, as a CISO or CIO, to then also advise the board on why the budgets need to have certain security budget increases, whether it's for tool capability or for people.

Quick, if that triggers anything? Yes, so essentially, as Josh mentioned earlier, the potential for China to invade Taiwan in 2027 or later is also not a relatively new thing. If we look at their history, time and time again there's been constant tension as to Taiwan itself, Taipei, having its own independence, but vis-à-vis, as well, China actually claiming right to the geographic significance of the country itself. So, in short, a potential invasion of
Taiwan would definitely have significant economic and political consequences, but as well, an attack similar to Volt Typhoon targeting private and public technology infrastructure could also give China the leverage and power, when essentially we are trying to ensure, from a global power dynamics perspective, that there's that right-size balance, and ensuring that our democracies continue to thrive.

There might be one more. And I should be really clear: these slides were made by myself and David Etue for the RSA Conference; these are not official White House slides, so I just played slide roulette with unofficial slides, I'm sorry.

It's fine, and I'll quickly skim through this as well, so at least the slides, if you have them. And as also mentioned, the testimonies started on January 31st, as Josh had mentioned, with our four government leaders, between CYBERCOM and NSA, ONCD, FBI, as well as CISA. But there have been numerous hearings that have subsequently occurred to then drill down to specific areas, either looking at a specific sector, to then looking at key concerns as to what sort of other approaches Congress should be thinking about: should it be considering grants or funds that could then trickle down from federal entities to support and help state and local governments with bolstering their infrastructure, and/or even, as well, how do we get the funding to these critical infrastructure entities to then help modernize their infrastructure as much as possible; to, as well, how do we look at it from the people perspective: what sort of skills are going to be required, and is it just a pay situation for bolstering salaries, or are we actually looking more holistically as to what are the root causes that may be preventing an individual from entering the field, to thriving and being successful and growing, to, as well, last but not least, wanting to stay, and if anything, be in that critical infrastructure organization knowing that they're there for the mission, and that there's an opportunity to grow, and at what point does that organization have that backfill ready to come up and about.

Yeah, and we do have some time based on the stated clock; we may even have more. Even though he's a C guy, Dmitri Alperovitch, one of the co-founders of CrowdStrike, has written a book that's one of the leading books on the brink of war; it's been on all the morning shows. So he's put in some time in the national security community with some co-authors, so his opinion is
it would likely be later than 2027, but reasonable people disagree on the timing. I think it kind of depends on who's in the White House and other factors, geopolitically. But one thing that my co-presenter at RSA said, David Etue, and he's written a nice blog post or op-ed on this as well, is that part of the theory here isn't just to say, "hey, we're at war, let's go hurt US stuff." You know, it makes tactical sense in Guam, right, given the proximity, but part of the game theory here, which I don't know if the White House would agree with, so I'm just speaking for the private sector people here, is that these are rungs on an escalatory ladder. So I think they would prefer the US stay out of it, so as a deterrent, hey… The term we have not used yet but probably should establish is called pre-positioning. That's the term they like; I kind of hate that term, but it's okay. I'll explain why I don't like it in a minute. So the pre-positioning is: they are there, they're in the house, they have the ability to activate if we so provoke them, right? So as a deterrent it's "stay out of our business." It could also be a brushback pitch, if you're a sportsball person, which I'm not, but you know, it could be "hey, we don't like what you're doing; as a reminder, here's a demonstration of capability in a couple of local places," just to say, "hey, reminder what we could do," to hurt public support for our participation in a region. There's hearts-and-minds campaigns in every one of these conflicts, right? The Vietnam War lost the support of the public; it lost the ability to prosecute things overseas. So it could just be a demonstration of force, and it could be widespread chaos. I think I had a clip teed up, but the term used often in some of these briefings, including Christopher Wray's at the first hearing, was "wreak chaos" on US critical infrastructure, which would be destructive in nature, not
a ransom. And I don't think he has a microphone, but I'll repeat his answer. So, Dean, if we were to do one of those water hammers, you know, raise the pressure aggressively on one US water and wastewater community to the point where pipes are burst, valves are broken, what's the mean time to repair that? Are we talking a couple of hours of downtime, a couple of days of downtime? How long might it take to fix physical damage underground?

You've got to locate it; that's, you know, it's going to take a while. You're probably at days for a single hammer.

Yeah. What if we bricked all the controllers?

Well, right, then now you're in a whole different ball game, right? So at a lot of these facilities we have manual controls where we can go back to switches and stuff, but we don't have anybody that's ever done that anymore. So this is where what people will tell you versus reality are two very different things, and that's where the heads are in the sand, that those people just don't exist anymore. So back to my talk, where it was all about the people: you know, we just don't train people to do this anymore. We rely way too heavily on the technology, and then we don't really train the people in the technology either, so it's kind of a vicious circle. But yeah, you're at days, and then the cascading failures that we talked about: if you're at days, then the people that are required to work on this stuff are also fighting problems at home, so do they actually report to work to get the stuff fixed? And it starts to cycle, right.

And I'm curious also, just to follow up on Josh's question, hypothetically, what would the impact be if, let's say, a state or region, or whatever it may be, has first experienced a natural disaster, there's recovery occurring there, and then shortly thereafter, in a quick span, recovery still not complete, water's not back up and running, maybe electricity at minimum, or still not in certain pockets and areas? What would the additional impact be if an adversary was still in the system lurking and decides to execute?

Yeah, if somebody's in the system it's going to take us a long time to find it. We just don't have the resources, right. None of these utilities have the resources; even the big guys don't have the right people or the right technologies in place to flip the switch and kill everybody, kill all the access. And it's back to the technology thing, where we're dealing with technologies that are 40 years old all the way up through something that was bought yesterday, so there's no compatibility matrix where we can just say, "oh yeah, this piece is what we've got to deal with." Yeah, I mean, the more you pile on it, it doesn't just get worse, it gets exponentially worse, right.

I think, you know, without leading the witness too much, just to make sure we keep some of this flowing, but I do want to get to some of these nuances as we start brainstorming in this session and the next one. We've been talking about Volt Typhoon. Let's, you know, what happened about, I think it was like a month later, in response to some of
the unpleasantness between Israel and Gaza, a hacktivist group, I'm going to say "hacktivist" in scare quotes, a hacktivist group out of Iran punished an Israeli manufacturer of industrial equipment, and by proxy its customers. So the public reporting was Pennsylvania; I'm aware of much more than Pennsylvania. But people using this Israeli-made water and wastewater device were "hacked," I'm using "hacked" in scare quotes, because the hack was a password of 1111. And we might groan, and we make, you know, dank memes, and we might make fun of it and bring out the fail whale, but that's the current state of play in this privately owned and operated, massively federated, target-rich, cyber-poor set of owners and operators of water and wastewater in the US. And I think you said some sort of stat yesterday that if we pay $100 a month, it probably costs $200 to deliver you that $100 a month. So these are not… they're not making money. So I'm going to come back to Dean a few times, but that was a hacktivist group out of Iran, and not in 2027 for some sort of Taiwan strategy, but a near-real-time reaction to conflict with a US ally. We're also watching and helping from afar the Ukrainian situation with Putin, and there are lines to get crossed that do or don't trigger retaliation. So we are able to be disrupted, and it shouldn't comfort you that we're just kind of waiting for someone to decide to disrupt. And again, I don't think someone's going to start World War III with the US casually by just wreaking chaos on US critical infrastructure, but if there is a conflict it will be a hybrid conflict, and on the escalatory ladder, somewhere south of nuclear or tactical nukes but north of conventional, include this, especially for hearts and minds of the population to support such conflicts. So this is in the mix. I hope this isn't too heavy; I told you it was going to be heavy. Okay, so I just mentioned there are other countries at play that we might need to be concerned about, and a
fantastic, very fast read or audiobook is Ghost Fleet by August Cole and Peter W. Singer. They've written a sequel to this, which is kind of better in certain ways, but no one read it because it came out during the pandemic, called Burn-In, I think, Burn-In, somebody validate that. But this is the fictionalized telling of the next world war, and it was so straightforward and so matter-of-fact and so plausible that this is now required at West Point and many parts of the four branches of military, five branches now with Space Force, six, right? Yeah, all right, sorry, Coast Guard, Coast Guard, yes. Okay, so this is a very quick read; I'd encourage you to read it, because you're going to be reading it like "this would never happen, this would never happen, oh my God, this would totally happen." So you might find it a nice way to pass the time on a vacation or weekend. Okay, and as a reminder, Rome was sacked mostly by disrupting the aqueducts, the water. And as we saw yesterday with some simple exercises, the cascading failure of shutting off water, even for a short amount of time, can be pretty bad: no water, no hospital; no air conditioning; no cooling of data centers for cloud stuff; no laboratory work; no lots of things. So Dr. Christian Dameff is not here at the moment, but he spoke yesterday; he's also one of the co-founders of CyberMed Summit, along with a hacker named Quaddi. We ran an exercise in DC recently where we said, "if you shut off the water, what stops working first, second, third?" So an emergency disaster physician who runs the fellowship there scared me. It's hard to scare me; I anticipate and know a lot of these things. She scared me because I knew about half the disruptions and half the order, and then she reminded me that no matter how bad the hospital gets, to do its basic functioning, and how quickly, it's under a day, it's basically dysfunctional, like most things don't work, right? I'm not going to gloss over that, because I saw some faces. No water, no surgeries, can't scrub in. Hospitals are filthy places; no sanitation, you need water for sanitation, to scrub, so pathogen spread. Can't flush the toilets more than once. Can't do air conditioning. Can't do laboratory tests to tell what blood work you need done, for what disease you have. Can't feed your patients, can't keep them hydrated. So there was a pie chart put up there, I think you had one as well, Dean, about how much water is consumed for which purposes within a hospital. They can go pretty well without power because they have generators on the roof; they do not have water towers on every roof, and even if they did, the water consumption rate is incredibly high. So things start to fail, and then if you're starting to feel like, "well, maybe we could handle that, we'll just go to another hospital in town," well, if the town's out of water they're not going to work. "Maybe we'll go nearby," well, if it's something like a class break on all these shared pieces of equipment, that's not going to help. So I think water was the one that scared me the most. We've had the least attack density compared to hospitals, but you can take out more hospitals just by doing the water. So back to this constraint, and
this is where we're going to get into solutioning; we want your ideas. Many of you saw the Apollo 13 movie, but it's based on actual events, right? They were running out of oxygen; they only had the time they had before they passed out and the equipment they had on board to repurpose, and we get really creative when we have to. That was a really compressed timeline. We had Y2K, and if you haven't seen Whitney yet, make sure you get your Y2K-inspired stickers for the CrowdStrike… But this is an actual advertisement from Best Buy when I was working at my first job, trying to prepare the systems that, in internetworking, for background routers and switches, could [ __ ] power plants or hospitals or whatnot. And a lot of people think this was a nothing burger, but part of the reason it was a nothing burger is because people did the hard work to prioritize, to put the COBOL programmers and the testing regiments and the scenarios and the tabletops together to make sure these things didn't happen. So we had a date that we knew was coming, and we marshaled resources and prioritized accordingly. So similarly, during the CISA COVID task force, we're not going to do too much backwards-looking storytelling here. When I got there, everyone knew that Operation Warp Speed had these candidates that were going to get unprecedented amounts of money and protection, and there were classified briefings, and you were one of the ones that did those for the teams, Steve Luczynski as well, Spanky; a bunch of civilians without clearances did the low-side stuff. But I was given a list of not just the Operation Warp Speed candidates but 23, so the list grew, but it was initially 23 supporting actors that we knew we had to protect as well. But then I was given a list of a thousand tiny, obscure suppliers that no one knew how to prioritize, and in a couple of days, with an infectious disease expert and a physician former hospital CEO, we made a little rubric called the "ball bearings"
below the security povery line so these are interesting targets and have no resources or talent to do anything so we had to get creative so my friend made this poster to make fun of us but um I said guys stop stop uttering best practices they don't have any security people stop talking about the N cyber security framework stop talking about implementing zero trust architectures screw best practices what are the bad practices so at cisa.gov right now you can go see cisa.gov bad practices there are three there were two on day one we made the third and the sentence structure goes like this the use of end of life unsupported operating systems in service of national critical functions
and critical infrastructure is dangerous and materially elevates risk to Public Safety economic and National Security this dangerous practice is especially egregious in Internet facing Technologies second one was the same sentence for hardcoded well-known default users passwords BL BL and then eventually we added one for single Factor remote Administration tools I believe the rumor was that Oldsmar was hit with default password of team viewer for example so bad practices if you can't do anything avoid the these negligent things now since I wouldn't call them negligent but they couldn't disagree with the idea that's a nation's risk management adviser that these are in fact dangerous so rest of regulators and Industry and insurers have now Incorporated these bad practices into
the way that they adjudicate second thing we did is I tried to publish get your [ __ ] off Showdown but you can't say [ __ ] in a government document apparently and you can't say showed in overtly that's just one so we said get your stuff off search so the SOS program sending out an SOS so the idea is your assets are showing see what your adversaries can see using free tools like Shodan CIO fful I think was the the third one so assess what your internet attack surface looks like number two reduce your elective attack surface shut off the stuff you don't need remote activity for number three Harden the things you do need and
what does that mean well a free daily nightly scan called cyber hygiene for anyone in crial infrastructure sends you a report of all the known cves on your network that are visible now oh we can't patch them all so what does that mean to harden it okay well they started whining and I don't mean whining I was empathetic to this but they started saying we can't patch them all and they couldn't so I said how about let's just focus on the C what is now known as the kevs the known exploited vulnerabilities so what can you do in 3 months right avoid the bad practices assess your internet attack surface shut off the things you don't need Harden the things
you do fix the kevs first the kevs are ones that have been known to hurt FB or the the government agencies so known victims known exploitation it's not comprehensive that out of a given calendar year of cbes less than 3% ever get uh exploited ever and these are much shorter list than that so this is the prioritize list of the prioritized list so some combination of get your stuff off search and kevs might help be the difference between getting roped up into a casual indiscriminate widespread initial access campaign well the White House liked this I can't remember if you were there yet or not um but there was presidential memorandum number five not Mambo Number Five but presidential
memorandum number five and they said to sisa we like these bad practices can you please build upon them we have this n cyber security framework with over 100 controls it's 10 years old and it was voluntary and the oig reports and other reports show that everyone's volunteered to ignore it office of Inspector General office of Inspector General so they said if that's too much and too hard can sisa look across all 16 sectors and come up with a cross- sector crawl stage of crawl walk run and they're not just like the Holy Roman Empire was not holy nor Roman nor an Empire uh the CIS cyber performance goals unfortunately are not cyber performance goals performance is a
number goals are outcomes but what they did do which is better than nothing is say out of the entire in this cybercity framework here's 38 controls that every single sector should do as an owner and operator of critical infrastructure this is the Baseline and the idea is yes you are all beautiful and unique snowflakes and all snowflakes have the same melting point so they didn't say that language but sisa came up with this and the the legislative intent or the executive intent ENT in this case was each of the sector risk management agencies should start with the CIS cpgs and then add their sector specific wisdom on top so you normally see like 38 from sisa and then say in electronic
records in healthcare play an outsize role in the harm to patients when disrupted so you would expect to see them add something like that and then in parallel we had the executive order 14028 which is a response to solar winds which introduced one of our creations of esom or software billing materials and said anything sold to the federal government should probably have a software Bill materials and that includes Veterans Affairs and military hospitals which are oneir and one third of all care for Americans so two-thirds of all care for Americans at a been a moment in the pat Jack passed in the law so when we try to say these things it's even without a budget even without a
CISO, even without a zero trust program, can you avoid the bad practices, remove your internet attack surface that's elective, harden the stuff that is elective, and if you can't do these things, maybe you should disconnect, right? So on top of this, and this is where I would love your help, some of this, which was initially voluntary, all these things were voluntary, including, it said right there in the presidential memorandum to CISA, this is a voluntary list of cross-sector performance goals. Then President Biden came out with the first ever, through the Office of the National Cyber Director, presidential National Cybersecurity Strategy, with five pillars, and if you haven't read it, I draw your attention to pillars one and three. You can read it all, but one and three for this group. One starts with critical infrastructure. Every other presidential strategy for cyber was mostly focused on government networks, government agencies, so this said we need to preserve the trust and safety of the public in our critical infrastructure, so there was a higher prioritization on those. And then pillar three was really scary for the private sector, and I loved it. It said we need to look at the incentives, because it's not that we don't know what to do, it's that we don't incentivize it. So I think one of the things Kemba said was: voluntary free market forces only take you so far; there is a time and place to use government power; that time is now; we are going to use a light touch, but no lighter than necessary to maintain the trust and safety of the public. And that was scary, but what they said, whether it was the Office of the National Cyber Director under acting director Kemba Walden, or under the National Security Council and Anne Neuberger, the unified message was: if you're a regulator with unused or underutilized regulatory authorities, use them now. And the general approach was start with the CISA CPGs as the floor and add sector-specific wisdom, and if you are missing regulatory authorities, we will help you go to Congress and get them. So this was the no-kidding. Now, I didn't know about Volt Typhoon yet, but it's possible the White House did, and this approach was to say: voluntary is over, start using some of these things. I see a hand. Okay, just to tie this thought off, because I think this is important: what was the first agency that week, if you remember, to exercise that strategic intent of asking for the CISA Cyber Performance Goals for their sector? You remember? I can't remember if it was HHS, EPA... oh, EPA, my bad, right. So what does EPA do? EPA deals with water and wastewater. So they probably did the minimum viable product, in my opinion, real fast, which was they didn't say our sector must implement all 38. What they said is, you do an annual sanitation survey required by law; during your annual sanitation survey, please inventory which of these 38 CISA Cyber Performance Goals you do. Didn't add any sector-specific ones, didn't say you must do these or that we're going to audit them; we just want to know which are in place, a data call. Do you remember what the response was from the sectors and from the states? "We sued your ass." They said, "How dare you," and there were several lawsuits faster than you can blink. So I'm going to put this back into focus. Before this question, NSA had published a very obtuse, cryptic living-off-the-land warning to the sector about a particular campaign, unnamed, on water and wastewater and things like that, and you should go read it again now that we know about Volt Typhoon. And the president's strategy is saying voluntary only takes you so far, it's time to act, you have regulatory authority, go ahead and use it, and we might see disruption with cascading failures across strategic military installations or as an escalatory rung on the ladder of war, and the response from the private sector is "How dare you." I'm certain we are not in our best possible resilience position. So part of the reason we're
having this workshop in these two days, and this new project of UNDISRUPTABLE27, is: if we don't find an alternative way to a federal top-down push from the White House, the executive branch, to inform, influence, inspire our local communities, we are going to stay as prone as we currently are, right?

And also, just to quickly add a little color and context to why the National Cybersecurity Strategy was formulated the way it was: it was because we've been hearing time and time again from fighters like yourselves, boots on the ground, and then also your leadership, respectively owners and operators across the board in critical infrastructure, saying we are trying the best that we can with limited resources, and also we don't have the time to go do a complete analysis to understand where our dependencies are and things of that nature. And so, as Josh had rightly said, having government agencies like CISA do the brunt of the work to do a complete sector analysis, see where those cross-functional interdependencies are, then come out and say, okay, we understand now and hear you that you may not have time to implement the best practices, because best practice may not be enough; just tell us what the low-hanging fruit are. Okay, three bad practices, can you at least do that? Because those are the things that keep happening time and time and time again. If we nip that, then at least we can focus on the next big set of other three, four problems and just build off of that iteratively. And then with the National Cybersecurity Strategy, looking at it from a multi-prong approach: how do we help owners and operators, how do we help state and local, how do we shift the dynamic, incentivize those markets, right, particularly the manufacturers and developers? But most importantly there was a call to finally say enough is enough. We are all consumers, but we cannot expect the end users to have also the solutions; we need to also tell the actors that are responsible for creating these products and also shipping these products and services out to do better and to be responsive. So recognizing that, you know, it's not just the national security and homeland defense apparatus that we're trying to tackle, but addressing it from multiple areas: the public safety plus, at the same time, economic security. What are the other levers that we should be considering and baking in? Because it is so intertwined into our day-to-day society.

Okay, I think we had a question coming, or a comment, a co-rant as opposed to a Corman rant.

Hi, so you're calling for more regulatory action in some ways, but, like, the Supreme Court just tore down the ability to do that, the Chevron decision, well, the
removal of the Chevron deference. Like, how do you square those two things, given, oh how I wish, an aggressively anti-regulation current Supreme Court?

Okay, let me try to parse that. I'm going to slightly reframe it, not to distort it, and I could have a whole talk on this. I wish Andrea Matwyshyn was still in the room, because she will definitely speak with authority on Chevron. So first off, you said we're calling for more regulation. I'm not saying that right now. I'm not. I'm saying, in part of the response from the pandemic, from increased disruption to water, food, healthcare, oil and gas, Colonial, not PETA, the US government central federal approach, both in Congress and then eventually in the White House, where you served, said we have to preserve the trust and safety of the public. They have had actions. I have helped with some of those actions. A lot of hackers in this room did table reads for that strategy. In fact, Hackers on the Hill, which we do every year right before ShmooCon, last year we did a bonus one called Hackers in the White House, and 50 hackers went in and talked about these things before it published. That's what they're going to do, because legislators are going to legislate and the executive is going to execu... you know, branch stuff. That's what they do. We're hackers, we're volunteers, we're citizens, we live here. What I announced yesterday with this whole UNDISRUPTABLE27 project with Craig Newmark and IST is in recognition that those things are cool, maybe they're going to screw some stuff up and make some stuff better, but they're going to take a while, and upon the revelation of this urgent time frame, something has to be done in the middle. It's going to be a messy middle. What you're bringing up is fantastic, and that's why I wish Andrea Matwyshyn was here, and I'll try to have shorter answers so we can get through more questions. But the Chevron case, anybody been watching this? It's really, really bad, and not as bad as you think it'll be immediately; very, very bad, though, in my opinion. So my casual, I'm not a lawyer, I'm not one on TV, from just observing this: generally speaking, when you make a law, the regulator was given the benefit of the doubt when things were ambiguous. So a vague law that can be interpreted by HHS or EPA or DOE, deferral of judgment went to the expertise that worked for those regulators; they would hire and retain those. It got overturned recently at the Supreme Court in cases. This has been a long-standing doctrine. What it now says is, you can't do that. So now it has to potentially go to court. Now, when you go to court, they are going to look at the expertise of the regulator; that will be in play and admissible. But court cases take a long time, and people with a lot of money will use a lot of lawyers to lawyer you to death: not a DoS, an LDoS, a legal denial of service. So that is not very efficient. So in a world where we knew that tie goes to the regulator under the Chevron doctrine, regulators passed laws that gave future-proofing and deliberate, valuable ambiguity in their wording to allow for guidance to evolve over time so you don't have to go to Congress every single time. Now that that's overturned, it's on its head, and all the laws that were written with deliberate ambiguity are now going to be challenged left, right and sideways. If Congress adapts, that's a huge if, and some of our friends in this room don't believe anything good can come out of Congress ever again; there are sometimes congressional staffers, I still believe, and I still work, and this movement has helped pass two laws in the US. That said, you can write laws with less ambiguity; they just become more brittle. So think about this like a hacker or a software engineer. You don't want super specific and brittle, which would be, if they're super specific, then it's harder for the Chevron thing to hurt us anymore. So you want to have as much specificity and evergreen-ness as you can, and future laws, unless this gets a happy medium, will be more specific and prescriptive, but therefore they will also be more brittle. So I think we always had a trade-off between valuable ambiguity and exploitable ambiguity, and the rules just changed. So any laws passed under the assumption of Chevron are now way less effective and will be made way more litigious. I don't know if you would agree with that assessment; it's a very astute question you bring up. So guess how comfortable I am that we have a 10-year to 15-year horizon for this strategy to actually bear fruit, and I just told you that Volt Typhoon's coming in two and a half years, and not only do we have the Chevron doctrine undermining any authorities we currently have, which makes us in a worse position, but we're also having an election, and we've already had political appointees, leadership figures that were getting pretty good at their jobs, already retire. Eric Goldstein's been fantastic, and he's no longer at CISA, right, and there's more and more. And no matter who takes the White House, you know, political appointees serve at the pleasure of the president, so a different president might mean different political appointees, and it takes a while to get them confirmed, a while to find the bathrooms, a while to find their footing. So we are going to have maybe a two-year loss of momentum from political leadership no matter who takes the White House. So I looked at this; part of the reason we pushed for this project is, once again, the cavalry isn't coming, at least in the window of which I'm referring to. So I like a lot of these top-down things. Some of the pushes are bad, some of them are good, but I think they're engaged. So my confidence building is that we have really talented, really smart, really connected people in the White House finally, and they are engaged and they're willing and able to use the powers that the elected, the populace, gave them. They had been previously unwilling to do so. They will get some things wrong, they will get some things right, but I think they're on the right trajectory. I'm much more concerned about what we do during political turnover, during Volt Typhoon season, under an unsustainable trajectory even if neither of those two things were happening. And then, yes, it's made worse by the Chevron doctrine overturning. I'm not going to let Chevron getting overturned super hurt me, and I am heartened a bit because one of the laws we worked on was the PATCH Act, and it's got some very specific things in it. So it did say you have to be patchable, have a coordinated disclosure program, have SBOMs, have threat models, have a vulnerability management program. So that level of specificity means Chevron doesn't hurt that one very much, but other stuff it could hurt a lot. That was maybe too long an answer, I'm sorry; I'll try to keep them shorter. All right, so do you agree or disagree with any of that? You have lawyer training as well.

True, but at this point I'm not a practicing lawyer, and...

And not in your official capacity.

I'm not in official capacity, so no comment.

Okay, so you talked about SBOM, which is something formal enough to actually have an acronym, and it's, you know, internal software dependency, something I definitely think we need; we haven't done enough of. You also, but vaguely, mentioned things about maybe it's supply chain, some other dependencies we have, billing systems. CrowdStrike obviously was one that, you know, we all found out what was dependent on that really quickly. Is there a formal, structured methodology that we're considering, similar to SBOM, for external dependencies, for actually surfacing and finding and making more transparent the things that we are dependent upon, so we don't find out after the fact?

All right, you could probably give better language on part of my answer. So there's a historical thing called Section 9 that was classified for financial services
which identified the systemically important entities for financial services and functioning of the economy. It wasn't super popular, but there was an intention. The Cyberspace Solarium Commission, which is bipartisan, with private sector collaboration, came up with what's called Systemically Important Critical Infrastructure, SICI, and again Jen Easterly and others like calling it SIE instead, Systemically Important Entities. I think SICI is the program, SIE is the entity within it. There's been different things. Jay Healey, really smart guy who was in and out of government in CISA and CD, he called them OC and pisy, like big fish and little fish, you know; it's the big ones that are the too-big-to-fail kinds, and the little fish were the small, unguarded, target rich, cyber poor that no one knew existed until something really bad happens. So generally speaking, the private sector hates this idea for a couple reasons. One is they don't want to be on a list. It might get them more accountable, it might hurt their insurability, they think it might obligate them at some slippery slope in the future. So no one wants to be on the list even though that's their private good; the government's there for the public good. So it's a really important, really necessary program that got a lot of lobbying pushback, a lot, from every single sector. Two, no one wants to work with CISA. Initially; CISA is getting better. It's a young agency, a little over five years old, but when this was first introduced it was like a year old, and when you spend all your time and money with government affairs and lobbyists trying to kiss up to HHS, you don't want to have to also kiss up to another agency now. And the siblings didn't want to work with CISA either: like, we've been here before, you go away, right, this is our lane, get out of our lane, right. So the legislative intent is that all 16 of those have a leader called the Sector Risk Management Agency; they have a public-private partnership with the Sector Coordinating Council, and they have an ISAC. That's the design of those 16. But when CISA was introduced, it's supposed to be a horizontal across all 16 as a national coordinator to look at cross-sector risk, things like that. So that was a hot mess, it remains a hot mess, but the thing the White House recently did, which I'm hoping you can give some more official language around, is: PPD-21 was the organizing document from the Obama administration, Presidential Policy Directive 21, that established the 16 sectors, and there was no CISA when it was born; there was an NPPD. Those 16 things had a lot of ambiguity as to how you do governance and risk management. After the COVID task force after-action reports and a lot of advocacy, we convinced them that it should not be a light rewrite or refresh, it should be a heavy rewrite, and they had a lot of courage and decided to change a lot of stuff to look at more cross-sector risk, and after the interagency squabbling it backed down to something much less aggressive. But that is now called NSM-22, and it's been published, so National Security Memorandum 22 replaces PPD-21, and it still has 16 sectors. People thought we're going to add space and drop something else, so it's still fairly similar-looking, but in it, it establishes CISA formally, it establishes them as the national coordinator across all 16 sectors, and it gives obligations for each of those Sector Risk Management Agencies to do things, including but not limited to nominating their systemically important entities within a framework with CISA, and then CISA would operate cross-sector cascading risk. So I had floated an idea while there of a five-tiered service disruption model that said, no matter what your National Critical Function is, we can map and model how many events per year, their cascading effects. So imagine a level two outage of water caused six level five outages of hospitals. So we wanted something where we could do that, and by looking at those either retrospectively we could describe what had revealed itself to be a systemically important entity, like Change has done, or proactively you could also just use a methodology to ask the community which top five, top 10, top 15 things, if shut off, would lead to outsize harm. And I can guess right now, for example, there is no SICI list yet that's public for healthcare, and after Change Healthcare, House and Senate Republicans and Democrats have been screaming at HHS. There's a nasty letter from Wyden placing the blame for what's happened at the feet of Secretary Becerra for HHS: did this happen on your watch, we hold you responsible, please prioritize coming up with this. There's no published list, but I can tell you right now that Epic and Cerner would have to be on it. So I think we kind of know some of these bigger players that, if disrupted, would have a really, really big harm, but it's not been a lack of capability or technique or methodology; it's been a lack of will. So I tried to leverage the Change Healthcare scenario to raise public outcry and support and congressional will and White House will to make this happen. So I'm told that while there's no due dates in National Security Memorandum 22, the next document to drop for public comment is called the National Plan, and in that, if they aren't giving them deadlines and scrutiny, we can publicly comment to put pressure on that. So it's an unpopular idea for lobbyists and trade associations and a critically necessary thing for your family. I don't know if I answered your question, but NSM-22 is a good start, and the National Plan, when it drops, please read it. Is that close to correct?

Yeah, yep. If anything, also, a lot of times when documents are also being refreshed and updated, it is to provide additional clarity and, most importantly, be very explicit as to the roles and responsibilities. So in the past, even though there are multiple documents that actually stated who is responsible for what and how the different efforts would happen cross-functionally across the board with government coordination, there were still at times conversations being had with regards to who really had the pen and the charge on certain issues. So in light of that, this is where, looking holistically, the development of the NSM-22 was meant to help serve that, to say, okay, at minimum let's be very clear as to who's owning what, who is working with whom, how are these different government agencies going to be responsible not only for greater federal coherence and coordination amongst ourselves, but most importantly, when we're out and about engaging with you as our stakeholders, that you also have a keen understanding of how our systems work, who you can talk to for what purposes, and how the collaboration may occur. So if you find out that certain information that now is anonymized and is being shared, for example, with CISA, it's more so to help with the broader landscape analysis, to then say, okay, these are the critical areas you should be thinking of, and supporting the various Sector Risk Management Agencies with providing the technical guidance and advisement.

Two more quick things, just because I'm getting all riled up on this again. It has been years of debate on SICI. Three more things. One, Representative Jim Langevin, a lion for cyber security; he founded the Cyber Caucus in the House. He's very bipartisan; from day one he was the
co-chair of the Cyberspace Solarium Commission. He was the first sitting congressman to come to DEF CON 25, because of your help, with Will Hurd, absolute champion; caused the Office of the National Cyber Director to be born. His outgoing amendment, which is usually honored as a gimme, was to give CISA the overt authority to come up with SICI finally, and it was killed faster than you could blink by the trade associations. They had a letter by many trade associations contradict themselves before it even hit the Federal Register, and it was dead. So I thought that was frustrating and noteworthy but interesting, and if you really want to get into it, read the letter and you'll see how weak sauce it is. Point two: given the years we've been debating, can this be done? That's 4,000 vaccine supply chain entities down to 66; took us 10 days. We had a methodology for number, dependencies, scarcity, impact, mission support. It took us 10 days. So in a crisis, 10 days gave you something useful and usable. Could it be improved? Sure. 10 days. The third thing is, there's debate on this, but I don't believe you can do SICI for a sector. I think the atomic unit of SICI is a systemic, is called a National Critical Function. There's 55 of them, and these are way more tractable. So in a hospital setting, Healthcare and Public Health has four. Protect sensitive information, which in the case of healthcare is PHI. The second one is called maintain access to medical records, so that's the availability of EMRs and EHRs. The third one is called provide medical care, which is, do you get timely access to patient care when and where you need it? And the fourth one is called support public health, which is more like regional capacity planning. I think if you were to ask someone in healthcare what's the most important 10 players for each of those functions, you would get answers immediately, even if they're bad answers. And Dean's been back there. Dean, if I had to ask you what's the most important, you know, suppliers or vendors, don't answer it, but if I had to ask you manufacturers or suppliers into water and wastewater, you know, for PLCs, for equipment, for chemicals, I bet you can come up with a few. Yeah. So it's not that we don't have a methodology, it's not that we don't know, it's that we haven't wanted to do it, and I think while we fail to do it, we burn when Change Healthcare stuff happens. All right, we have 30 minutes left and we've had almost no questions.

So, I suppose I have more comment than question; hopefully that's allowed, because I have the mic and I'm doing it. But I think, to the point of incentivizing, right, people are in general more likely to do
something if there's a positive output or positive thing to them than a smack, right? And so legislation is going to take however long it takes, but there are other partners in this, and I come from the disaster world, and some of the partners we use for these things are accreditation bodies and insurance and reinsurers. Yeah, some of the gains we have made in disaster preparedness, and in my mind this is all the same thing; in my mind there's not a difference between the kind, I don't care what caused the horrible thing to happen. In my mind there are actually no natural disasters; they're all man-made disasters, because we rely on things that we shouldn't rely on, and then either technology or Mother Nature smacks them and they break, right? But I think that this idea of accreditation bodies, so police departments, fire departments, 911 centers, healthcare, they are accredited, and you start to push some of these things in there, and now they have incentive. Hospitals have emergency preparedness people because JA says they have to. The first step was they had to have them; the second, the increment to that, or the iteration of that, was now they have to have qualified, no one knows what that means, but they have to have them to be accredited, and they have to be accredited to continue to get CMS money, which is your insurance money, right? So there's a huge incentive for them to have that, and it's not legislative in the common sense. And insurance is the same way. We see people like homeowners taking action because their insurance company says, hey, if you want to have insurance, you need to do these things: you need to have this kind of roof, or you need to trim all the bushes away from your house, and people do that because they're easy metrics to meet for the most part and it lets them keep their insurance. So I think that there's a piece of this incentive portion that can happen much more quickly. The insurance companies are kind of a pain in the ass to deal with; they have a very powerful lobby and they don't like things until it benefits them financially, and then they're all about it. But these accreditation bodies have a huge pull, and they are sometimes very easy to work with, as long as people can understand the problem. Because for the general, like, I call them the mom-and-pop organizations, the small water companies, the small public safety agencies, they see these as somebody else's problem, right? These are things that happen in the big cities, and why would anyone ever do anything bad to my water company out here in Podunk, or to my police department? I've had those conversations. There's this cognitive dissonance piece that clicks in, and they're like, yes, bad things happen, but they happened to you, not me. And so using these peer groups to put that pressure in there, not just pressure but guidance, help, I think could move that forward much more quickly than the legislative pieces, because that takes forever.

And it's possible, if I watch this, I'll feel like we messed up in suggesting that these should be federal. I think I'm saying the federal stuff is not going to help us. Let me say it very overtly right now: the federal stuff is not going to help in the next 2.5-year horizon of which I speak. You will, or we won't. So we need to manage the messy middle. I would love to get to know you better, because so far some of our best new teammates are disaster science people or emergency management people, and we're increasingly benefiting from listening to your experience. There are a couple edge cases where they are different, such as every single one of your insurance policies has an exception for an act of war, of which Volt Typhoon would be. And yes, there's natural disasters like hurricanes, but we have a hurricane season in hurricane alleys; these things are coming 365 days a year. So there's a lot we could borrow and learn, and I want
to learn from you so I hope you get involved in that project um and please let's focus the next this is my fault next 20 minutes on what we can do for our household our city our community Etc so you I think you were next like but lus okay so and this is me being a little bit naive having been in Academia for a long time the thing that strikes me about everything you've said just now is that we need people we need people in desks or on and at the infrastructure working on this and we need them there quickly right more quickly than we can by regulation or by carrots and sticks and all that those people are out there I
mean you you look at any of the the young people sort of hacker aboard things people are having trouble finding you know people who know their stuff are having trouble finding work at the low level because entry level positions are problematic it it strikes me that supercharging this entry level these entry level positions to do this is one of our quickest ways of getting runs on the board but getting that money through by using carrots and sticks is just going to take too long what are ways it can be done maybe even at a federal level grants you know scholarships things like that where so we can get all of these I don't want to say kids but
you know I mean I've taught enough enough of them um you know into these jobs through these organizations that don't have the funds to do it for themselves they don't have the funds to run out the mentor programs they don't have the funds to do all that what can be done at the federal level to do that did you bribe him no this is in fact I actually want to talk to you later and learn more of your background because that is that was a great setup in the alute for me um especially mentioning earlier yeah that um as an extension of the national cyber security strategy um there is uh a mandate uh by the president that there
would be the development of a National Cyber Workforce and Education Strategy to answer that very very same problem that we keep hearing time and time again how are we going to talk about having a safe secure digital a resilient digital ecosystem when we are missing a core fundamental piece of the larger problem we're constantly talking about processes we're talking about technology and yet we are missing the people that drive the rest of the tech the development of the technology and creating these innovative processes services and tools to then also sustaining them maintaining them um also updating whenever possible and it's not just also the core cyber security technical expertise but then if you look at it concentrically like the
support networks that come around it the risk and compliance and governance aspect to then as well as well do you have the budget teams as well and your acquisition and procurement folks in alignment to your HR uh staff um and recognizing that they need to also work more closely with their hiring manager and um get trained up in what does it mean to be a tech recruiter we are having the very same problem in federal government when it comes to how do we recruit the best talent and yet at the same time we keep hearing time and time again that there is a barrier to entry coincidentally we're also having problems with early career applicants um
we may say in generically most of the job descriptions particularly for the standard IT specialist in infosec the 2210 series that you um um it is preferable to have a degree but then at the same time if you have a degree but you don't have their requisite experience then how are you supposed to compete and be able to get a job conversely we have a number of phenomenal candidates career Changers um like myself and as well as um veterans and many others who have gone through non-traditional paths actually have a ton of work experience relevant work experience but because they do not meet the minimum education requirement and that is typically the focus and a
checklist for HR staff that have hundreds and thousands of resumes to go through and it's just a quick means of um screening it's it's we're missing the the opportunity to look at a person holistically and um and giving that growth opportunity so the rest of us as we progress get more senior decide to be a technical expert but with senior subject matter expertise or we decide to become a leader and a manager that who we have backfilling and coming behind us at the same at the same time but then at the same time how are we equipping all everyone to also become more developed strong leaders to to backfill so I say in
short we're um promoting a skill-based approach that is why um both our national cyber director as well as a number of government agencies have been promoting um the use and working closely with office of personnel management who uh the acting uh director right now Rob Shriver did say at an event earlier this year for a White House convening that their OPM is going to look closely at the 2210 series and removing the minimum education requirement so that way we can look at it from a skill-based approach which is by the way a mandate by the um Administration that we should be looking at all jobs across the board particularly for Mission critical areas on how do we bring that talent and to
answer some other questions there's the registered apprenticeship executive order that is a pathway in um not only for federal uh government entities but also for um owners and critical infrastructure owners and operators if they need the funds um those funds actually are typically doled out through their respective state uh workforce development agencies uh so having that close collaboration and this is where as Josh rightly said there's some things that we in federal government can do but really once the money goes out it's out in the in in the space and if you don't know who to go talk to then that becomes a huge issue and problem of we have not done our jobs and then also
conversely um how are we then promoting and advertising that the money is out there but it needs to be applied for and um obtained to help get more uh Scholarships in place for students um whether it is the traditional pathway or even looking at community colleges which are doing a phenomenal job of turning candidates out and being Workforce ready all the things so um there are many opportunities but I would say if you want uh um quick plug check out um the white www.whiteh