
We can use this time however we like. The original intent was: we had a long day of telling you how stuff is on fire, how much has changed over the last two years, and posed an open-ended question of how the mission should evolve now that stuff is on fire. So we started by giving a high-level overview of what things looked like nine years ago through now, when we started this crazy journey. Then we did a deep dive on the impact on health care and vaccine supply chains and how this became quite urgent, and really put a bright spotlight on the fact that most of these victims in critical infrastructure are cyber poor and we can't just give platitudes to them.

And then we went through a tour de force of how many things in critical infrastructure are on fire: the water we drink, the food we put on our table, oil and gas pipelines, schools, municipalities, and timely access to patient care. So we are messing with Maslow's hierarchy of needs. And then we gave a policy update on some of the things changing, pretty much a heavy focus on the decriminalization of research, which is at great risk. We were heading in the wrong direction when we first met here nine years ago, but now that things are on fire, the public and public policy makers can see that. Our original mission was to let people know things were flammable and that bad things could happen were they to catch fire. And the question I had, on one extreme, is maybe it's mission accomplished and we should all pack up and go home and have a "Mission Accomplished" banner. Probably not. Or we could maybe keep doing a job that the private sector doesn't want and the public sector is often ill-equipped to do. I don't think that's a great responsibility either. So we don't have an answer to our own question, but part of it is how our mission should evolve and change.

So today was mostly stoking things that maybe you heard about from a distance; maybe you knew one or two of the stories but not all of them. But now that you've been confronted all day, this is our feedback session before tomorrow, where you can ask things you didn't want to ask maybe in the larger group, and/or start brainstorming, because tomorrow we're going to try to shift into, not the answer to the question, but pieces of the answer to the question. And as a preview, a reminder of what tomorrow's agenda is: we're going to have Lily Hay Newman from Wired and two other journalists talking about how media coverage is changing out of necessity and how we make sure someone's focused on the public good and public safety instead of just selling products or fear-mongering.
Followed by a deep dive into SBOM, which is one of the biggest victories I think we've had come out of here for software trust and transparency, in the executive order that was just mentioned. But it's not merely about SBOM; it's that part of the SBOM community decided that if something's missing from the private sector market, then we build free open source projects and tools to help people be safer. So maybe for these target-rich, cyber-poor we're looking at pulling in more developers or more product designers or people that can nominate use cases that could help these target-rich, cyber-poor that are underserved and under increasing attack. So tomorrow's kind of a dual thing: for SBOM it's going to be showing you what they did to make this manifest sooner, but also hopefully inspire. Maybe there's a solution for wastewater treatment; maybe there's a different set of solutions for under-invested health care or for the food supply. Maybe somebody can say, "I'm not happy that there's no food supply ISAC, we should start one," or we should start some communities of interest or special interest groups. So tomorrow's stimulating some ideation of things that the Cavalry hasn't tried.

And then we're going to pivot into how to make OT and ICS things relevant to business leaders as opposed to technical people. And one of the ones I'm really looking forward to is we have Ray Davidson from Michigan, who has a pilot in the state of Michigan for hackers collaborating with their state, and we have the CyberPeace Institute looking at how they've studied many experiments like the Michigan experiment across the US and across the planet to see which things are working. And there's other initiatives like the Cyber Threat Intelligence League. So I lovingly call that the "act locally, act globally" session, because I think we're going to have to scale up and down and sideways and federate this model so it's a little less dependent on ten central voices and more on the 2,000-plus that are growing in our assistance. And I think it's going to be pulling in new types of teammates.

And then we want to have a brainstorming session for like a good two hours to see what we might want to try, because we may have some big decisions to make, including hiring a professional staff (we've never taken a penny, so that would be a scary move for us), or merging with some other existing initiatives. There's a lot of options at the table, but maybe the best option will come from you. So right now is not so much to design them all but to hear from you. Audi and some of the others know that I have a thing: every time I give a talk I don't want to just hear "hey, that was a good talk." I want to ask three basic questions: what was the strongest thing, the weakest thing, and the key takeaway. So similarly, whether that's too structured or whatnot, what surprised you today? I'm gonna stop flapping my gums here, but I want to hear from you what was the most surprising part, or "I think I understood why you talked about water, but you never connected the pieces," so maybe we missed the mark on our intended message. But I really want to make sure that people understand that we're starting to see a lot more harm manifest on the things we've been warning about. There's very few people willing and able to do anything about that, and for better or for worse this community, besides and on Slack and on the intertubes, has been the voice of reason catalyzing safer outcomes sooner, working with great teammates like Leonard and others in the executive branch and internationally and whatnot. So I don't think the work is done, but I carry a humility of not knowing what to do next and would like to hear from each of you what resonated the most, the least, and as we head into tomorrow it may help us emphasize or punctuate and refine the message. So, hey Jen, we have a first question? Yeah, there's a mic being passed around.
Strongest thing, weakest thing, key takeaway, missing piece.

I am not an unbiased third party, but I will tell you what was stunning to me, and here I'm staring very hard at a representative of the Department of Justice. Market concentration, I would suggest, leads to the rich get richer and the poor get nothing. As a general matter, when two big forces join together, they write fancy words to the Department of Justice that say, "Don't worry, we will help pricing for consumers, there'll be no harm to consumers." Those are the fancy words that are written. As a matter of practice, though, I would suggest that in general what we see is the top one-percenters make a bucket of money, the little people generally get a kick in the teeth, but fundamentally the risk is concentrated into fewer and fewer, larger and larger players that lead to a risk-reward that ends up harming consumers.

Rather than turning this into an accidental Q&A for a gutty, can we do like a speed round of feedback, and once I hear some themes I'll maybe pose some questions to all of us? Yeah, speed round, speed round.

First, just some general education, like something we could probably talk about later: are you organized, are you an actual non-profit, or whatever your business organization is? Second, the thing that I see is somewhat similar to what you're saying, David, but I think the opportunity exists in the underserved communities for an organization like this to do the greatest good. In fact, cities and things like Jackson, Mississippi, that's going through a terrible water crisis because they've been completely defunded, through an overall fault of their own, but need all that support. So that's kind of my personal mission: the big cities don't need the help, it's the little guys that need the help.

Okay, I'm hearing some recognition of one of our themes of the cyber poor, the have-nots. Thank you.

So I attend these conferences as someone who's married to a technical person; my first DEF CON was DEF CON 4. I'm more aligned, in the last seven years, with what's going on politically in my local community, and the one question that I always ask in any conference, in any talk, is: who isn't in this room? And we still see a bunch of older white men, maybe some younger white men, and a few women. I counted today, like, four Black people. I'm Native American, I don't present brown, but I'm always looking for the people that aren't here from these underrepresented communities, because I can tell you they don't even know what the hell is going on. They don't even feel like they have any access; if they own a computer they're afraid to use it because they don't want to break it. So as a speech and debate coach (I mean, a former DoD employee, but now a speech and debate coach) I am looking at ways to reach out to our community through the youth. I have so many parents that come to me when they finally see their child give a speech, or they go to a tournament and they're just overwhelmed, and they're like, "I wish I could do that," and I could literally tell them, "Give me two hours, and I don't care if English is your first language."

So I see this access thing going on. There are a lot of problems out there, there are a lot of creative solutions that nobody ever thought about, because they haven't hung out with someone from Jackson, Mississippi that is trying to work on their water crisis; they haven't actually been on the reservations where people are likely to have electricity. I can tell you that Native American access to the internet is very low, and I'm just assuming that in a lot of poor rural communities it is. So I've been working with my state and the feds trying to get the idea out there that internet should be a public utility, for one thing, and therefore something that is funded by the government and accessible to all Americans, the way that we started the electric co-ops, I believe in the '30s, to get electricity to the rural communities. So that's where I'm going with this: people need to know that this is even a thing, and it's the outreach. And I'm really excited about hearing about the group in Michigan, because that's the kind of thing that I'm trying to push. And then when they were talking today I thought about ten different ways you could get in touch with your Congresspeople and be effective. So just saying that I think that you've all been focused on what's good and bad with the internet, and I think that it needs to be accessible to a lot more people. And I agree that these very, very large companies are reminiscent of Ma Bell of the '70s, when they broke up the phone companies, right? We're just back where we always go: we always get the very, very rich holding on to all of the stuff, and I would like to see the communities taking some of the power back.

Okay, is this... oh, go ahead.

So, hey, I've got some perspective as well.
For a long time I've said that every company is a tech company, it's just most of them don't know it. From the conversation today, I think that every division of the government is a tech division, they just don't know it. So I firmly believe that IoT is an environmental issue, that actually the EPA should be regulating IoT, because the two people that are involved, the purchaser and the manufacturer, have no incentive to protect the internet. It's cheaper to buy a cheap video camera or VCR than it is to buy one that's secure, and the people making it are buying on a budget, usually third party, putting in things with root access and back doors, not even caring because they're just selling it for the most profit. So this is literally like the Mirai bots; the Mirai botnet is an example of what comes when you pollute the internet. But this is just one example, right? Like the Federal Trade Commission, any of those, those all need to be tech savvy, because the internet is creating the new framework for how we define the world, and if we allow these things to be built wrong then we have all these things riddled with holes. Like, you wouldn't let someone build a bridge where people kept driving off the sides. All right, that's my rant, but I work in a Fortune 500 company and I care about these things. Yeah.

While you hand the mic: one of the slides I skipped this morning, because I took too long, I said there's no zeitgeist. Like, you might have heard Christoph say the Rugged Software Manifesto from, I think, 12 years ago now, I can't remember when we did it. But I said, what's the zeitgeist, or what's the Hippocratic Oath for software developers? And I put up Zuckerberg saying "move fast and break things." I'm like, including democracy sometimes. And then I also showed Reid Hoffman, which is lesser known for hackers but very popular for startups, which is: if you're not embarrassed by your product the day you launched, you waited too long. And I showed the Tacoma Narrows Bridge, and I said imagine if the people who built our skyscrapers and our bridges said, "if you're not embarrassed by the riveting the day you open the bridge..." We are creating digital infrastructure, software developers are, and hand in glove with security and risk management professionals or threat modelers, we do a lot more to protect enterprises and data than we do to protect infrastructure and humans. And part of the zeitgeist of the Cavalry was to shift things to what is more important. I'm gonna try to shorten this to "protect the innocent" and give the mic to the next person.

But I gave a keynote in New York City about the COVID task force about three weeks ago now, I think, and the guy that came before me was talking about we need less focus on ransomware and this other stuff, what we really need to focus on is data and intellectual property. And it was a vendor saying things that they can help with, which is not in itself wrong, but one of the analogies I used, probably better than I'm going to say it right now, is: if you're walking down the streets after a show tonight and you get mugged, and they say "your wallet or your life," I hope that you would prioritize properly. But we don't. And I said, with HIPAA you have more incentive to have a corpse with their privacy intact; there's no incentive to protect patient care, there's only regulation to protect the data, and then we give that away for free anyhow when we relax things for the pandemic. So I would like to see at least this community, especially because we are bridge builders and we're multi-disciplinary in nature, help people understand the consequences and the proportional dependence we should have.

So something you just said really resonated with me, which is: if all we're doing is responding to bad, indefensible, unreliable infrastructure, then we're never gonna change anything. So that's why we really push hard on software bill of materials, software transparency, threat modeling, patchability, coordinated disclosure. We're trying to build an ecosystem that can anticipate and avoid failure, respond quickly to failure, and remove any sort of chilling effect or disincentives there. It doesn't mean we've got it all figured out, but I think focusing on a few primitives of a more dependable, trustworthy, transparent, maintainable digital infrastructure is a good instinct. We just need better reach, and faster.

All right, I don't want to put everyone on the spot. There's a couple I haven't spoken to. Does anyone else... Ray, you came in the room, or you're gonna speak tomorrow about... ah, okay, the zeitgeist for tomorrow. Yeah.
All right, any other feedback?

Yeah, so my name is Maurice, I work for the US government, USAID, the foreign assistance agency. So I missed the very beginning of your rant, but it's very relevant and apropos to the work that we are doing, as we are pushing digital technologies around the world, right? What is the "do no harm" or relevance there in terms of ensuring that what we're putting in people's hands is secure, or as secure as possible? And it's something that we as an agency, as an organization, are getting smart about. My comments or thoughts on kind of I Am The Cavalry and how it's evolving: I'm really interested to understand the appetite of membership on thinking "critical infrastructure plus." So looking at either spaces that are not traditional critical infrastructure, so like independent media, which is under assault around the world; how do we work with media organizations to ensure their security, or at least independence? Or thinking beyond just the operators of CI, thinking about the users and the individuals kind of downstream that may also be, or are, very security poor, and not in the US but then around the world as well. Over.

Anybody else?

So since I was invited, a thing that I have heard that I really like is the "think globally, act locally" kind of aspect. And I think one of the common themes that I have heard, and I want to encourage, and this is part of the zeitgeist probably, is thinking of the end user, the individual human being that is affected, and how they're affected, and trying to make the link between the technology that we're implementing and how it's going to affect people in their daily lives when they don't think about it. Because that's what we have to think about. I loved the Apple Macintosh operating system when it came out back in '85, well, that was when I got my first computer, because it was the operating system that just worked, and it really did. So we have to make it... people don't want to think about this stuff, so if we think about it, then that's our job. Thank you.

Anybody else?

Hey, I'm John Boss. I probably haven't met most of the people in here, although I'm sure I've probably seen your faces, if you've seen mine, even though you can't tell who I am right now. I go by Bossman online. I've been going to DEF CON, etc. since, I don't know, sometime back in the Alexis Park, maybe DEF CON 9, mostly CTF, School of Road, stuff like that. I still feel like I'm being brought up to speed with what you're doing and what you're saying. I like it; every time I hear you talk or see you do something I think it's cool and I want to get more involved. I just don't really feel like I have a lot to add other than to say I like the movement and I like what you're doing and I'm trying to be involved. I feel like I'm not the right com sales, I don't know, but I feel like I should at least tell you who I am since I'm sitting in here, and why. So if anybody would like to talk to me about anything, or if you have any questions, I'd love to answer, but for now I'm really just a spectator.

Thank you. And one of the things I think, while we've done a lot right, we have not been creative on creating shovel-ready jobs for everybody. We certainly want a meritocracy and a stone soup, and we've been delighted and surprised by people that bring something we never even thought of, so we like to be open to those possibilities. But there's a whole bunch of folks that do want to help and we haven't made it as easy as we could, and I think that may include, if we did invest in some back office or some professional staff, I believe that would improve. Kendra, for example, if you were here all day, from the CISA COVID task force: I didn't know her at all when she joined the task force, and she doesn't have a hacking background, and she brought such organizational op tempo and rigor and tenacity for getting around bureaucracies, and almost a delight for hacking bureaucracies, that it's like my kryptonite. But the more people we find like that, they're good at the things we're bad at, and we find that we are able to do new things. So that middle ground of people that are avid supporters but don't yet know how to contribute, I'm sure we could invest in that, and probably need to at this point to get better scale.
Anybody else? I'm gonna try to synthesize a few of these themes. Just a couple other follow-ups.

As a licensed professional engineer: certifications don't mean anything. They're something you buy and you study for, and there's no legal backing to them, there's no liability backing to them. There's probably no propensity or even a pathway to get to a licensed model, but I think there's a lot of good things that can come from that. Organizations like the National Society of Professional Engineers, that we evolved from a long time ago, and there was a better place for that. But your discussion around the Tacoma bridge, things like that: as professional engineers we don't play in the money space, we play in the qualification space, right? So you're not gonna lowball a number to build a building; it's going to be qualifications-based. So there might be something there. It's turned into such a legal mess now, I don't know, but just throwing ideas out there. My duty is to the public before it is to my employer; that's an oath that I signed when I became a licensed professional engineer.

Isn't there a ring that some engineers wear? Yeah, the Order of the Engineer, yep.

The other part was, just as a practitioner, I'm very concerned about the number of point solutions that are out there and the harm that that's going to cause. A lot of my clients are buying stuff, and they've already bought stuff that'll do what that does, but that sales guy did a better job of selling that feature than the other guy did. So if there's something we can do around that, that would be huge, because there's a lot of software out there that can do a lot of stuff if we know how to use it and deploy it properly.

On that last point I'm just going to
play jazz a little bit. I wanted to synthesize many themes, but I will forget this one if I don't say it right now. This is a partial thought; I don't want to be crucified, even on the streaming, for saying this, but I have increasingly, even when I started this thing, even before it with the Rugged idea, felt that there were really two cybers: there was the commercial, low-consequence, private-interest, local-harm, and then the public good. And I always felt that what's right for the private good is not what's right for the public good, and even if you just truncate the public good for a minute, a lot of my prior ranting and advocacy was, you know, I said like Tron, "I fight for the user," and I felt like most vendors were trying to trick CISOs and separate them from their money, or that we got our education on the bad stuff from the people selling you the anti-bad stuff. So we already had perverse incentives and failed markets, and whoever said "incentives" today, give yourself a pat on the back, because this is an incentives problem. We have technical solutions for a lot of these things; we know how to eliminate SQL injection, we just haven't incentivized it right. We have some hard technical problems, but right now the constraint is usually a lack of carrots and sticks.

In fact, we define cyber poor (the long definition of cyber poor when I put it into policy stuff) as one or more of the following deficiencies: insufficient information and awareness, and/or insufficient carrots and sticks or incentives, and/or insufficient resources. And many of these owners and operators of critical infrastructure are really doing the government's job that has been delegated to the private sector. These public-private partnerships now get in the way, because we've delegated the operations but the government's still responsible for the public good. So what happens when you have a fiduciary local responsibility to your shareholders that's in conflict with the public good of access to critical infrastructure? So there's some uncomfortable conversations we had there.

But back to this notion of: do we have a tale of two cybers? At this point I'm at "hell yes," and I don't know what to do about it. Well, what I do know is some of our best and most talented hackers, researchers and innovators, many of them didn't even get a high school degree, let alone a college degree. So there's a bit of an anti-intellectual, anti-professionalism bent, also we're chaotic and rebellious, and that's what makes it so special; it's part of our power. But there have been a couple attempts in the UK and in Europe to add some minimum professionalization requirements for certain things, and it causes convulsions amongst our friends, but we are invited to participate in these conversations. And an embryonic idea I've had is perhaps we should have an opt-in consequential cyber security designation, where if you want to pop off and rant and just try to sell your wares or sell your services, you're perfectly fine to do that. But if someone wants to differentiate themselves as focused on public good or consequential cyber security, then by opting into that verified tier, you know, you may be more called upon by Congress or by committees or whatnot, but you're opting into "with great celebrity comes great responsibility," and perhaps we could opt into a professional conduct class where we're not just giving a hot take or giving a conference talk that precedes a sales pitch. But we can differentiate those focused on the private good versus the public good, and sometimes there will be overlap, but often some of our best traditional speakers and thought leaders and luminaries are giving increasingly horrible advice about public safety. Horrible. And I don't think they're bad people; I think we should just be able to differentiate when a public policy maker is saying, "what should I do, I'm hearing competing things." We should have a way to distinguish what's good for the company versus what's good for society. I don't have the answer, but I think we're increasingly coming to the point where there's not just one cyber industry.

Hi, Leonard. Hello, Mr. Corman. Sort of as an outsider, I do want to bring a question to you, because I think you are used to thinking about impossible things and coming up with creative approaches. One problem I see in the policy space in particular is working in an area where there aren't any metrics; there are things that become your proxies for metrics, you know, whether you successfully promulgated a policy, for example. Okay, sorry, but it seems that the question really is: are we safer, right? That's the question we need to be asking at the end of the day. And sometimes the policy maybe would make us safer; sometimes it would have made us safer two years ago, but the lead time to get the policy actually enacted made it sort of moribund by the time it was, and maybe it would never have made us safer. But I've always struggled with the question, at the end of the day, are we safer now? And that seems to be the question we, especially in this space, need to be asking, and I don't know how to answer it.

All right, I'm taking a leap here, and
this might not be your intention um I'll give you the clinical protoscience answer and then I'll give you the personal answer and I'm smiling because I feel like maybe you're trolling me a little bit but um I don't think you are because you look because there's there's love here um we all want a science we all want metrics uh and you even heard Hoff you know mentioning some of that this morning if you oh you came late that's right so in the keynote we heard some of this you know we don't really have good metrics yet we're not good measurement and and some people like Alex Hutton and Sierra the Society of information risk into people
and people like Bob rudis or you know the data scientists that are in our field there's ways to measure anything but we just we were rushing so fast to do number based things we went from faith-based security to numerology you know faith in random numbers and we don't have good reliable consistent metrics for these things and I know that's not exactly what you're asking but but the more people get into that they quickly discovered Thomas Coons which is the structure of Scientific Revolution and you don't go from like chaos and Buddha and Witchcraft straight to you know NASA science there's things like protoscience in between and we do use proxies and we use indicators or confidence building
measures or these things strongly correlate to a better outcome so for example that's what I focused on with our hippocratical for connected medical devices and the five-star Automotive Safety framework was let's not write policy like the PCI standard for credit cards which is stale by the time the ink is dried but rather focus on Evergreen capabilities to handle and respond to failure so a device that is not patchable is less safe than when it is batchable forever not not like 10 years from now but forever things like a program that has a coordinated vulnerability disclosure a company that has according disclosure program is more likely to learn of faults from friendlies versus adversaries so that's
a confidence-building measure, things like: can you produce a software bill of materials? If you can't, that tells us something about the rigor of your design or your implementation, and having one doesn't make you unhackable; it just means you're in an echelon now where you're more conscious and aware of managing these things. So I think we're in that middle ground of: we do not have confidence that we are quantitatively safer, but we are trying to get past the voodoo and witchcraft, or high priestesses and priests and, you know, sacrificial goats, towards confidence-building measures and primitives that allow us to be in the game. Now, the reason I smiled on the personal note is, for some people that have known me before the Cavalry, I gave a talk called "Are We Getting Better? Why We Don't Know and What We Could Do About It," and that was before my mom got sick and my life changed. But if you go back and watch it, which was focused on almost exactly your question, you can see how the fertile soil for the Cavalry being born was already there; I just needed the nudge. But even now, a decade later, it's very hard to answer "are we getting better?" But the ways I tried to answer that are: do we have more or fewer adversaries? Do we have larger or smaller harms? Do we have, you know, better or worse recovery times? So there are some ways you could quantify and measure overall impact, performance, and consequence analysis, even if you can't do the causal linkages between "this security purchase leads to these better outcomes."

My general belief is we are incredibly prone; we've been prey, and we survived at the appetite and activity of the predator's discretion, and that I think is exactly what's happening, right? It's not like critical infrastructure all of a sudden became unsafe; it's that there has been more brazen and aggressive activity, with the evolution of ransomware, where the unavailability of anything can be monetized. And this is where I said this morning, maybe too quickly, I think the key dilemma here is the adversaries have found a way to monetize the cyber poor; defenders at RSA or Black Hat have not figured out how to monetize the cyber poor, and given incentives are purely financial right now, follow the money: there's no money. And actually I've heard VCs turning away innovators from this community that are trying to help the cyber-poor hospitals, and said, "you should pick a different industry, there's no money in it," and that is the correct thing to do for shareholders; it is not the correct thing to do for society. And so we need more public-good cyber, and we're not currently differentiating those speakers, those thought leaders, those initiatives for who's focused on public good versus private good. Sometimes they're the same advice, but oftentimes, increasingly, they're not. So it's not even a close answer to your question, but these are things I wrestle with, because we aren't gonna make progress or strides unless we know what we're solving and for whom we're solving. And the whole spirit of things like SOS and Bad Practices and the free CISA services was to meet people where they are, not giving platitudes. And some of those things are hard, right? I recognize the contradiction: here I am saying let's meet people where they are, where they have no resources and no staff, and I'm saying, by the way, it's a
really bad, dangerous, negligent practice to run unsupported software. What if you don't have enough money to do anything but unsupported Exchange Server? I recognize that apparent contradiction, but I'm sick of watching it happen, and I said let's at least stimulate and force the hard conversations. A little inside baseball, I guess, while I'm running on that thread: my key inflection point to cause Bad Practices, there were several reasons I wanted to do it, but the key moment was when the Microsoft Exchange attacks were happening everywhere. Bob Rudis, chief data scientist at the time at Rapid7, scanned the whole internet and was looking for which versions of Exchange were out there so we could see, you know, if people were patching. He wasn't looking for how bad is it out there; he was just trying to see what are the patch rates by version. And CISA held the public call with Microsoft saying here's the patches, do you have any questions, you know, how much exploitation is there? And when all the broadcasting was done and the questions started rolling in, people said, "well, when am I going to get my patches?" and they said, "what do you mean? We already went through that," and they said, "well, I'm running this version," and Bob quickly looked in his data, and the number one market share of Exchange on the internet is unsupported. It's not an edge case; it's everywhere. And I at the time made an emotional joke and said we almost need Child Protective Services: that if you can't take care of Exchange, we'll take care of it for you by, you know, rolling you on to at least Office 365 or Google Suite or something. And we went to some of the well-funded hospitals, I'm like, you seem to be among these ranks that are running wildly unsupported; you realize that if you're compromised through Exchange, the whole hospital's gone. And they said, "Josh, it would cost like a million dollars to migrate; we're never gonna do that." And it was sincere, and I should have empathy for their resource constraints, and it's dangerous. So what do you do when it's common and dangerous?

So this meeting-people-where-they-are thing, it's not going to be: take a product designed for the Fortune 50 that only the Fortune 50 can use and hope that eventually helps them down-market. If you require an army of talented engineers to operate it, it's not a solution set. So I think the answer is going to be, when you're over-dependent on undependable things, there's at least two parallel paths: one is depend less upon them, so wherever you can reduce your dependence and attack surface, we should; and demand more from your suppliers that these things that are maintained and operated, et cetera. And then in the glue, in the bridge in between, I'm kind of hoping tomorrow reveals: can we make some open source projects that are designed for the cyber poor, for people with limited staff, for the internet attack surface? Because while anybody can get hacked, most of these ransoms for critical infrastructure have not been targeted; they've been wholesale, you know, "kill everybody, harvest later who we're going to actually spring the trap on." And if you can maybe take yourself out of that low-hanging-fruit pool, it might be the difference between water or no water, or healthcare or no healthcare, for a bit. And that's not the end of the journey; it's the starting line. But if you want to get people from here to there, they cannot do it like that; we have to have a crawl, walk, run, right, Jen? It's part of Josh Corman bingo cards. Okay, so that was a long improvisational stream of consciousness trying to string together several things said here, but I hope you heard that the cyber poor is where I'm feeling more focused: not just all critical infrastructure, but the cyber poor, and that they don't have the tools, the education, or the assistance required, and perhaps we can help with that. I would like CISA to do that. I would like HHS and EPA to do that. I do not
perceive them to be willing and able to do that job at the scale required yet, so I'd like to help them get there versus do it for them or watch it fall. And so perhaps we can be public-good augmentation with initiatives like race that you're going to hear about tomorrow. All right, who else? We have a little more time. Anybody? Oh, before you go, because you might want to comment on it, I didn't want to completely respond to your first thing you said, but there's an interesting dichotomy: when I looked across the 16 critical infrastructure sectors, if you take banking out of it, with banking the biggest players are the most important; the risk aggregates proportional to their size, for the most part. But for a lot of things like water, it's very diffuse, so what is it, would you say 90 percent of the water in the country is done by 10 percent of the municipalities, and it has a long tail for the others. Same thing with hospitals: you have the 15 that have a good staff of 50 people or more, and then everybody else has zero people. So not every one of these critical infrastructures has cyber poor, but there's a dichotomy with risk concentration, because when you only have four meatpacking facilities, any one of them getting infected has an asymmetric impact on everybody else, right? The downside of all these diffuse, federated, target-rich, cyber-poor is that we don't really have a strategic leverage point to make broad improvements. So, channeling my inner Dan Geer, monocultures are bad and nature loves diversity, but there can be too much diversity. So I don't think we're gonna have a single turnkey answer for this, but in some cases consolidation is a good move; in other cases we've gone too far with it. And my real fear for healthcare specifically is that the financial solvency of hospitals has been further challenged by not having elective surgeries and things, and by blowing all their R&D money on traveling nursing budgets and bonuses. So if we were already trending to too much consolidation to too few, it's about to get worse in the aftermath of the pandemic, so we may see just economic survival-of-the-fittest kind of problems worsen the consolidation that you're referring to. So I don't know that we want to do the Ma Bell breakups and things like that, but I think, as a national resilience strategy for critical infrastructure specifically and for things that affect the public good, we should have some deliberate first principles that guide what is healthy consolidation versus over-consolidation, and how to make sure that a resilient national critical function is one that does not have excessive aggregated risk. So I don't think it's a no aggregation, I don't think it's a pure federation. I think in certain areas we have too much concentration of risk; food supply is one that scares me, and I think in other areas we're too diffuse. We had the 10-minute warning, by the way. Thanks for that. It's a hard problem, right? So there is not really a silver bullet.

One of the things I wonder about is, so when we think about water, my water guy left. When we think about water, we think about municipalities, we think about states, we think about CISOs. What I'm wondering is, can we get more people into the room? And so here
I'm thinking about, like, MS-ISAC and CISOs, to be able to share the information down into Biloxi, Mississippi, and small town from underserved state X. We've got a lot of different frameworks and a lot of different players in the space, but how can we be smarter about sharing really good information with what are historically the have-nots?

I'm going to caveat this with: I'm a bit jaded after my federal service, but I found that the public-private partnership, maybe with the best of intention, places a lot of confidence that the ISACs and the sector coordinating councils represent all their members, but maybe by accident they tend to be very dominated by the well-funded. They have CISOs, they have systems, who can spend an hour a week or more on these committees and phone calls. So at least for most of the ones I interacted with, they'd probably in good faith believe that they're helping the cyber poor, but I had to keep helping and reminding them that they weren't, and I'm not there to do it every day anymore. So I believe we're gonna have to augment the current definition and scope of the public-private partnership, although you did call out one of the best ones, the MS-ISAC, the Multi-State ISAC, which is operated by CIS, the Center for Internet Security. They and the election security wing of what happened there, out of necessity, tend to be more focused on what might look like cyber poor, so I think they're more attuned to the mission of all the ISACs. And as I indicated, if you weren't in the room all day, there is no food supply ISAC; there's an IT-ISAC special interest group of a handful of players, and that's it. So whereas most of the ISACs meet weekly with their federal partners, these, there isn't one to meet annually. And there is, as you presented in your session, significant concentration of risk, and if you combine concentration of risk of the entities with where they sit in the overall supply chain, take the ball bearings analysis that Michelle talked about and your consolidated risk point, and it makes me incredibly uncomfortable. Your turn.

So I'd like to pivot off of that slightly, going back to perverse incentives. If you look at the UN Human Rights Committee, it's like entirely made up of countries that have horrible human rights records, right? Like almost uniformly; like if you stack-ranked it and inverted the stack rank, it would be like the who's who of all the bad countries. So in the same way, we don't have the right way, like the people that care the most about an issue are the ones that benefit from the issue, and most of the time that's going to be the wrong people. So we need to have, like, values-based positions, and we need to have it coming from those perspectives; we can't do it based on who's gonna profit, because they're the people that are almost always going to be the wrong ones. Goldman Sachs was recently in the news, I believe, for saying something about why are we trying to solve disease when we can just cure it, kinda; you know, if you heal people they don't come back, so keeping them dependent on you is the way to keep making money. And that's, you know, so it's like, why would you make the infinite light bulb when you can keep selling people new light bulbs, right? So I think that the government does have some reason to step in when it comes to the greater good when there's not a financial incentive, because capitalism, et cetera. So that's something where we do need to think about what is the policy we want and how does that help guide the checks and balances and provide the incentives, so that we say, we know you're gonna make insulin for cheap, and here's how we're gonna make it worthwhile to you to do it instead of charging a thousand dollars a shot.
Hand in the back. We're in the five-minute-warning section, but we can keep talking tomorrow and even at the bar tonight.

To answer the previous one, I don't think that anybody can question whether or not our security is better, because I remember back whenever we were just trying to get people to actually have a firewall, and nobody even questions that now. I also remember CISOs, nobody even knew what the hell it was, and now we're having questions as to whether or not they ought to be on the board or not, you know. So we're at least moving in the right direction; whether or not it's enough is why you're having a hard time getting the metrics, because it's not "are we making progress?" We are; it's just it isn't enough, and that's a different question. So that's one of the things to help with that. But one of the things, as I'm listening to everybody, it's culture. We all know the number one thing that is difficult as hell to get anything to change is the culture, because people hate change. I had an argument with a guy whenever I first got into the Navy about whether or not people like change. I was also 20 years old and wanted change, so I thought everybody wanted it. No, they don't, and culture is what is holding us back. I have dealt with a lot of HIPAA, and the problem with the medical areas is the culture. You walk in the door and the first thing they do is ask you what your social is, in front of a room full of people: what's your name, what's your social? Nobody... the culture there has gotten us so that we are used to thinking about: if I want my broke leg fixed, I got to give out my social security number, or else I got problems. And that's a culture; that's just what they think about. The military has the same issue: I can't go in and get anything from the military without starting off with my last four, which is the only random part of it, and giving that, the culture is the problem. And to your point, whenever it comes to government being able to regulate stuff, the fact is that the culture behind water, it's not going to change, because they literally have no incentive, which is I think where you were going earlier. They have no incentive to change unless somebody's going to go beat them up and give them money for it, carrots and sticks or carrot shapes, but you know, whenever it comes down to it, it's not just the money. It's America; we got money. But the culture does not want us to change. Would you agree with that, or, I mean, is that, it seems like...

Yes, I think it's culture, I do think it's incentives, and I think that's one of the reasons we brought a lot of heart and empathy to this instead of facts and figures; I mean, the facts and figures come as well. And maybe just to end on, it's a hard pivot from what you're saying, but maybe to pull some of these things together on a positive note: when I ask what did the world look like nine years ago and what does it look like now, we were trending towards increased chilling effect on good-faith research; we were trending towards increased animosity between government partners and the hacking
community; we were increasing our dependence on medical devices and cars that were hackable. And now, you know, the last nine years, as we skimmed the treetops from this morning: every federal agency has a coordinated disclosure program; we have an exception in the DMCA for good-faith research; Leonard, a very bad oversimplification of what he was saying is DOJ put out guidance to the state attorneys general saying please pass on prosecuting good-faith researchers, directionally similar to the DMCA; we have initiated and catalyzed the first ever set of safety communications and recalls for medical devices with no adverse events or patients dying first, so very left of boom; we were called upon when there was congressional action on things like wastewater treatment, on things like ICS sprints, and to help design and lead the COVID response for the pandemic for hospitals. So I think our level of engagement is higher, the level of trust is higher, the level of common-sense first principles, to be patchable, to avoid hard-coded passwords, to get things in executive orders domestically and internationally. We didn't talk enough about international partners, but sometimes when we hit an obstacle in the US we go to our UK partners or our Japanese partners or EMEA partners, and we're kind of flanking with a conspiracy of excellence. And I would not say these victories are mission accomplished, because in parallel with those incredible breakthroughs we have seen unprecedented adversary activity, and more brazen and emboldened. So I said this in my Senate testimony, as well as here: our adversaries have set the pace; we gotta catch up, right? So yes, we've done a lot of good things; there's much, much more to do, and we need the political will and the courage to do so. And that means we're gonna have to speak on a very human level, a very multi-stakeholder level, a very accessible level, and we're gonna have to take people into uncomfortable areas, because these are the moments in the Overton window, if you know that term, where there is political will to do something and get outside the comfort zone and challenge their conventional preferences. And sometimes it takes really bad events to catalyze really good progress, and I think we're on the cusp of that in some areas. But how this community that started here nine years ago, with parallel companion efforts and sister efforts, you know, we have a lot more to do. So I'm really, really tired, and I think a lot of you are as well, and let's finish the job. So tomorrow, bring your best ideas, A game, and let's figure out how to take this to the next level. Thank you for your time today.

All right, thanks Josh, and thanks everyone. I found that personally really fascinating, and I'd like to thank Josh but also thank all you guys for your input, because I am taking a lot away from this. But yeah, make sure you are here tomorrow; we're kicking off at 10:30, I believe, in this room. Meet the Press sub is pretty well now, so gonna be another fascinating day. So thank you all for coming, thanks for your participation, thank you Josh, and we look forward to seeing you all tomorrow, if not at the bar today.