IATC - Public Service Journeys (To and From Hacking Culture)

BSides Las Vegas · 1:02:45 · 6 views · Published 2023-10
Category: Career, Policy
Style: Talk
About this talk
Two government cybersecurity professionals—Steve Luczynski, a former Air Force pilot and co-founder of the Aerospace Village, and Ayan Islam, now a director at the White House Office of National Cyber Director—reflect on their parallel journeys from the hacking community into public service. They discuss bridging the gap between technical expertise and policy leadership, their work on the CISA COVID Taskforce and vaccine supply-chain security, and how diverse teams and inclusive community engagement drive effective cybersecurity policy.
I Am The Cavalry, 18:00 Tuesday From an Air Force combat pilot into the loving arms of the helpful hacker community and ultimately co-founding the Aerospace village, “Spanky” has found common cause and common purpose with this motley crew and community… From an intern and Cavalry Force of Nature organizing the first Congressional Delegation to Hacker Summer Camp, Ayan is now serving in the White House Office of National Cyber Director (ONCD). These journeys and pathways both run through the mission of I am the Cavalry, the Aerospace Village, and culminated in intense collaboration in the CISA COVID Taskforce. Part of the strength of this decade of making the world a safer place draws from the diversity of skills and experiences. Our differences have made us stronger and we have asked these two to reflect on their origin stories and different teammates and skills that have helped to protect the public. Steve Luczynski, Ayan Islam

uh so come on come on up uh Ayan Islam and Spanky now yay all clap now I am going to on purpose not introduce them very much because what they are going to talk about is going to function as their introduction and if I if I get into it I'll just wreck it all so I don't I don't to do that I don't they they've got a great story that they need to share and please pay attention because I think you will learn important things so let me turn on your mics no uh no pressure no pressure under pressure I think I'm on well awesome so you made it to the last presentation of the first day nice

work and thanks for being here certainly appreciate your time some friendly faces in the room on top of that so um my name is Steve Luczynski and I am so excited to be here with my friend Ayan and getting to be a part of this thank you Josh for gently prodding us into this good idea which uh the more we did it we're like yeah this is cool and uh absolutely getting to share uh our experiences so the whole idea of Public Service Journeys uh that are bringing all of you here and I don't think that's a surprise that's what this whole track is about exact and that's what we're you know things that we have done and being

able to share that um I know so we were thinking back on and and we'll get into how we know Josh Bo others in the Cavalry and the things the Cavalry has done but my first exposure was uh a 10-minute lightning talk sharing the stage with Mr Bots over here Carolyn Wong and do you remember what year that was s 2017 exactly and Bo giving me the opportunity and whatever half-ass talk that I gave and he still lets me come back so this is actually my third time getting to be here so I'm very excited about that uh especially on this 10th year so yeah and it's uh special for me because especially on the

10th year um my journey actually started in 2017 um when uh I also similarly met uh Josh and Bo as an intern which you likely heard that multiple times this morning I I am that intern the intern movie yet to be made and to come out shortly just FYI but so and the beautiful thing is that that's how I was brought into this community and learned about I Am The Cavalry BSides Las Vegas as well as DEF CON so it was um very much in open arms and learning indepthly about what what is a hacker community what they're all about and also what your needs are and how we could also do a uh a service in in bridging the gap between

your technical expertise and bringing that to the the policy leaders decision makers and uh uh the the wonks that tend to also be live and breathe in Washington DC and also in other parts of the nation and the world yeah and I think the good part too that I've grown to appreciate seeing it and the different things that Ayan will talk about and share with you is I I define hacking personally there's what I would say a lot of you all that are the incredibly technical level that I listen to because I'm at least smart enough to know what I don't know and to go to that expertise but then there's the hacking which is like

an insurgency you work around the system you know the system and you can get things done so there's just as much of that and that's that's some of what we'll share today so if you want to start off with intro introductions after all of that absolutely so hi everyone uh my name is Ayan Islam and uh first and foremost starting off with where I am today I and then I'll work a little bit backwards but I currently work at the Office of the National Cyber Director um as a director of cyber workforce uh within the Executive Office of the President so I have the good pleasure of working for for the people and uh recently last week we launched the

national cyber Workforce and education strategy um looking at how do we increase the Talent Pipeline and address the quote unquote shortage that keeps being discussed when the reality is there are a lot of good folks myself included back in the day we're trying to figure out how to break into this field there are a lot of folks who are very interested but don't have the access to the information or the knowledge or the opportunities to understand like what are the career Pathways what are the opportunities and also how to you know get into the very sh same shoes that you are and become your colleagues to to work side by side with you and um serve

you know the great the great cause so but then to rewind how I got here is uh starting off with an internship at the well backtrack a Cyber 9/12 Student Challenge that happened at the Atlantic Council um I was a graduate student uh at uh in law school and saw that there was an opportunity to have a better understanding and and an opportunity to learn more about cyber security policy and what does that mean in terms of the application of it uh through that experience and having to see firsthand how it's not an easy job it's actually like a team sport um there are also individual players who are extremely smart but at the same time at the end of

the day um uh it requires also a lot of hands on deck so uh from there on then that's where it led me to uh an internship and that's that's also where I uh had the internship uh and being the graduate intern uh having uh a great chance to also support and learn about the healthcare cyber security issues that are um happening across the board and the attacks on uh our uh hospitals our health healthcare providers um and uh and as well as um schools uh small businesses it's not just you know we we heard the presentations earlier today regarding the water and wastewater systems and as well as um the electric grid it's just like there's so much

interconnectivity in our lives uh that I just felt that there was like this mission oriented aspect where I could help and serve and give back and so that's that's where my sort of path into the the hacking community occurred and then also having the great opportunity of supporting uh the first ever DC to DEF CON where uh uh I Am The Cav brought over uh Representatives Hurd and Langevin to understand and meet you know um the hacker community and to to say you know it's it's it's less of you hearing it through news articles you are creating crucial laws that are really making a difference in how uh folks do their day-to-day jobs and operate um why don't

you actually like listen to these technical subject matter experts and understand how you can better create these laws without um duplicative effort or giving them additional burdens so yeah and not it that's not have to do the full I have to do the full thing oh okay okay okay thought I could like share a little bit later on that and like sprinkle it in so as a result of interning uh at the Atlantic Council and having that opportunity of working on a lot of cyber security policy papers I was then able to leverage all of that experience and um transfer that over into the Department of Homeland Security and this is pre-CISA the national

programs and protection directorate uh yeah so NPPD so having having a chance early on to see how uh the agency that had the a lot of responsibility of serving as a nation's technical adviser um but nobody really understood that they had a lot of the responsibility of both uh cyber security as well as physical security and the infrastructure security side of the house as well as um looking at the risks and determining what are the ways that uh both providers as well as um uh well not only just domestically but also internationally how it is all interconnected um not only through our technologies but as well as the supply chain the business element the also the

social elements how that impacts our um uh living and our public safety and security uh so the skills that I again had learned early on through uh the exposure uh through the hacker community I was able to bring that thinking that mindset and ethos into the work and to help serve as a bridge builder I I realized that similar to what Spanky just said earlier um that I know what I know but also at the same time my ability to have an opportunity to speak to decision makers and C-suite folks who may not realize there is a business element there a reputational risk there's also bottom line if you need to speak the language that will like

trigger them and realize oh this is this is what's going to impact me then how do I take what you yourselves do on a day-to-day basis and frame it to them not using fear uncertainty and doubt no FUD whatsoever but just giving them the critical bottom line of saying you know this is how it's going to help not only yourself but the business at large the organization and this is how it's going to help the constituents and the customers bottom line um so I had the opportunity of uh leveraging that experience working with so so many smart people which I see like a lot of uh uh CISA colleagues in the room and then also

um having to take that experience and work very closely with Stak stakeholders in the private sector as well um and there's also that opportunity where I got to meet Spanky through the um Aviation side of the house too like uh early early on so there is that Nexus that I didn't mention that um leave uh Spanky to talk about about how we I did mention earlier about the paper um which I supported uh Pete Cooper uh who is the author of the aviation uh cyber security white paper and then there was a subsequent one there after but having that experience then also opened up many doors for me where folks were like oh you you you wrote you helped you know

research and um analyze and support the development of white paper oh great like we need that experience experience too uh so I um say that all to say that all of these like layered on experiences it ultimately serve the opportunity for me to take what you're sharing on a day-to-day basis the realization that I can only also do as much and as great if I'm constantly staying in loop with all the great presentations that come out here through uh I Am The Cavalry track as well as BSides and DEF CON and other places um and taking that back digesting it and sharing that with others to say hey if you're looking for a subject matter expert I saw this great talk or I

saw online or I heard from somebody else that these are you know this means to go talk to and get the ground truth awesome yeah

so this background as we're sharing with you is on purpose just because of all the intersections and that's what we're going to focus on and and I know it's hard to talk about yourself I on the other hand so my name is Steve Luczynski Steve Spanky any of those work just fine um I spent uh 24 years in Air Force flying so hence the talk about myself and wave my hands and tell airplane stories later on uh but I had a great time doing that um in the time that I was in the Air Force I had the opportunity to go off from flying assignments and getting into cyber security doing things with the

Navy back before there was a cyber command and then working my last three years at the Pentagon my Penance for all the good times I had prior to that uh was where in government in the Pentagon seeing how government works seeing it from both the dod side as well as all the rest of government and things like that so before I go too far how many folks in here have never worked in government so we're kind of jealous in some respects so that's awesome and then how many have it worked in government at some point so yeah good mix so awesome this is this is perfect um so that that exposure that I got and the things that

going on there and then they're like oh you came from a flying background oh and now you're in cyber security and I had enough knowledge to be dangerous but being able to talk to the technical folks and translate across to the policy makers and understand what was going on and hanging out with Tom Mal in the back row meetings and uh the things that we got to see and work on and that's where I got into the aviation cyber security side of things and like Ayan said that intersection the first time working with the Atlantic Council meeting Pete Cooper at a Cyber 9/12 in uh New York City which was awesome and then Bo with the good

idea machine of you know there's this report and Pete's writing the report and the things that got rolled out talking about it publicly so again these things coming together uh but then after that uh when I was in the private sector as a chief information security officer getting to see that but the fun part in my day job paying the bills was getting to hang out and help be a part of what is the Aviation Village and now is the Aerospace Village so again the intersection that uh Ayan talked about um going back then with the opportunity to join CISA so I jumped on that train going back into government now and working on the COVID task force so we're

going to talk about the village and the things that the Cavalry helped establish and then also our shared time on that task force uh and again where the Cavalry comes into all of that and and then my current day job is as a consultant I'm happy to give you all kinds of good ideas and advice with critical infrastructure security and a number of other things that I work on but really the village is that's the big exciting thing and that's the fun time of being out here so uh and and if you need some PowerPoint I got some skills you can ask Josh so not to brag but there you go so all right how about uh when we first

started working with the village yeah no when we started work uh started working with the village I was um at the time with CISA and uh there was a rebranding and a and a need to have a relaunch of the aviation cyber initiative which uh is now a uh tri departmental task force it's with uh Department of Homeland Security Department of Defense and Department of Transportation um and uh currently TSA is chair and representing uh the the DHS on that front um and while uh FAA is representing uh Department of Transportation but at the time um TSA did not have a cyber security office and equities so uh the responsibility initially was with CISA

with TSA being a very very close second counter counterpoint and and um and lead and you know secondary co-lead in that respect so uh there was a lot of opportunities and seeing that similar to also the the current theme with I'm the I'm the Cavalry government needed to have a better understanding of what security researchers were doing and thinking and what they were seeing and what vulnerabilities or um uh potential issues were facing the community but come to find out security researchers were also having a hard time connecting with the very manufacturers um and uh uh uh software providers to essentially share the vulnerabilities that they had been discovering um and so the uh wonderful

beauty of also serving as part of the task force and one of those initiatives was how do we create a paradigm shift how do we change the thinking of you know we don't understand this community there and since we don't understand we're not going to communicate with them and that's like that's not the case um and so with that bearing in mind uh CISA um took it upon themselves seeing that there already was um a pre-existing coordinated vulnerability disclosure program and an opportunity where security researchers come in and and have essentially a a third party IE government serve as a neutral individual and arbiter to help facilitate the conversations um between themselves and the um private entity that they were

trying to communicate and share this information with uh so there were um back in the day like a number of presentations uh one specific to a uh uh satellite communications uh uh regarding um a particular manufacturers um uh uh you know if you think think back 2014 15 16 different things being published what the media is reporting Black Hat talk I remember DEF CON 22 there was a huge presentation of this is why you cannot do this on airplanes with companies and pilots and talking so it was that was the the context of the things that I saw in the Pentagon that eventually Ayan's working on and where it's grown to today but that was the situation at the time

of what wasn't really being talked about and why having that Atlantic Council report and the work that Pete and Bo and others have done to start that pea rolling down the mountain that turns into a snowball of goodness today so yeah yeah and and essentially sharing um or dispelling myths and preconceptions um and uh of of who uh what you know communities were and stuff like there was distrust on the uh towards government of course there was distrust towards private sector there's distrust towards hacker community there's just distrust all around and so the question was okay how do we um undo the these these roadblocks um and better communicate and understand how we we're all looking to you know address the same

issue um but then at the same time um find trusted partners that could serve as a voice that could bring us all together so um thankfully that's that's where uh bringing those those thinking and the mindset helped also foster multiple conversations across the board where we could then turn around and say wait Aerospace Village is now being stood up and there's an also an opportunity to further engage with the community learn from the community receive inputs um ensure that we're not uh stepping on each other's toes or duplicating efforts or inadvertently um you know shun maybe making you feel shunned when you shouldn't be so um that's that's where uh you know the the con the

constant conversations and and and being a part of communities like this that are very organic helped and and the uh you know building on what Ayan said what I got to see in the Pentagon right sometimes government talks to each other sometimes it doesn't then it's trying to talk to industry that doesn't always go well but at least we both hate talking to those hackers over there there's our common enemy we can dislike them so getting past that like watching that firsthand going this I've read about this isn't a stereotype this really what happens so the fact that in that context when the idea of the Aviation Village that's what we were in 2019

right so I know Pete Bo roro Alex Romero Katie there's uh jenel there's a whole crowd and I know I'm missing names but that crowd getting this thing going getting past that reluctance of yeah now you got two groups that don't really want to talk to those people at that crazy conference but when you have an agency coming in like Ayan said that but before it was called CISA but CISA is much easier to pronounce so uh when Chris Krebs is rolling in going what's up I'm here in the Aviation Village we're like thank you and helping that conversation and helping get over those obstacles and when you have the government and I'm just going to keep pointing as A's

government coming in being able to say yeah you got a disclosure let's talk about it again if you remember 2019 uh Rapid7 researcher Patrick Kiley had found a CAN bus vulnerability built a plywood cockpit to demonstrate what that vulnerability looked like because he'd already coordinated it through CISA and revealed it and did all the right responsible coordinated uh disclosure and that was the beauty of these groups coming together getting past these things so talk about the Cavalry's idea of taking diverse back backgrounds and groups and coming together to do good there you go that is a hacker approach to getting things done that you had not seen in the aviation example until that time so again a

testament to the the great work of getting that going and and I won't go into the details too much but yeah there was some industry that's looking at like what are y'all doing there we don't think that's cool just a little bit of hesitation and on any given day there may still be some of that but if you come by and see our village at DEF CON Friday Saturday and Sunday uh you will see a lot of that has gotten past and being able to bring these groups in and bring these agencies and the things that we're having is a tremendous change and shift over time um I used DEF CON as example of course it's the coolest event

that's why we're all here between BSides and all these other things this week um but what that has afforded us is now we can engage with an audience the sandboxes at RSA that business crowd has no clue in many respects of what these villages are and what they're doing and why would I want to talk to these folks but they come in and they learn from either the partners that we as a village bring in the fact that I'm up there on stage talking with a dude from FAA about what the FAA really does beyond being being a regulator and in the cyber security world so it's teaching a different audience the other things we've been able to do is whether

it's BSides uh uh patagon uh patagon had a conference in uh Argentina we're able to speak with that unfortunately it was virtual instead of in person but that outreach and things of getting this community of people who want to talk about this again you know the pea rolling down the mountain turning into a snowball and don't ask me why it's a pea and why it works but just that visual of the growth of this little idea and the big things that it's been uh having today so we're it's awesome it is very cool to see and when the TSA administrator is going to come in and talk in the village 3:00 on Friday that is again in showing you the value of

what's Happening from there so we're excited to be able to do those kinds of things so yeah and there's been also a lot of work also within government and not to make it sound like as if though they came along willingly too right there had to be a number of uh various players uh uh Steve's one and then there's I see a number of you also in the room that had to also like continuously share and uh beat the drum about how it is important to come into these very spaces and and listen to others that aren't a Fed essentially um or may not be you know sorry quote unquote like uh the the perceived uh

shape and lens of a uh a professional that they uh normally are customed to engaging with it's like no step out of your discomfort Zone and realize that um you have to talk to a diverse set of groups you have to talk to a diverse set of communities to hear all the voices and otherwise this is also a national security issue um you're missing critical information that can help make a difference so that's that's also where you know also uh uh having to also like work internally to convince you know our peers across government Regulators to say that um if you really want to develop best practices if you really want to make solid security directives

and you know similar to also engaging with key constituents you also have to sure that it is very diverse representative otherwise you're going to have to go back um and and rewrite some documents which also take time uh policymaking and writing regulations or even laws is is not an easy thing and takes forever to undo so while it may be quick to create it takes forever to amend um and Josh is laughing because he's experienced that many many times those painful points so um but at least the positive point is is that you know to have TSA um actually even like within BSides like tomorrow well we're going to have a conversation uh with TSA NASA and

Veteran Affairs um and myself with representing ONCD to talk about the benefits of working government and how we want um more hackers to to be a part of the our community and to also help create and shape change and make things also a better safer place 11:30 in Higher Ground I feel like I get to do these good commercials so um yeah and the conversation changing again the fact that these entities are here and it seems intrusive that government's here and maybe that's not a good thing but the value of seeing that like Ayan said and and what's coming out of it is great so um and you can also career change I mean the one thing I didn't even yeah we

the proof that's that's exactly being able to go back and forth yeah like a number of you um raised your hand about being you know both sides and so you then have both perspectives and then you're able to help dispel the myths and you know share what the other side may not be thinking and be like you may not realize but this I used to be a government and this is what I used to see and this is how they didn't understand you just as much as we didn't understand you and vice versa uh so you know there is an opportunity to sort of help connect uh the the bridges and um and and obviously you know do do greater

good um I will say that the the reason why I didn't also mention this because I had a very short stint nine months uh between CISA and ONCD um being in a think tank um uh looking you know serving as a deputy uh director for uh cyber security threats and policy over at R Street Institute and it was so refreshing let me tell you so refreshing to constructively critique what was happening government so for the first time ever I'm like oo the things that I wanted to say out loud and may have not been able to sneak into various briefing memos in the past I'm now able to do it in white papers again and work very closely with a

number of fellows who also are looking at a myriad of issues across the board um and uh one of and one of the points that we also looked at was um uh whether it was uh you know cyber security data and the potential establishment of a cyber uh Bureau of Statistics to then also the uh new cyber security uh critical infrastructure incident reporting law um looking also across the board of okay you know are folks really having pragmatic conversations when we're talking about water security or also health care security so it was a great chance for me to like take all the network and the connections and the experience from CISA from as well as the

internship experience at the Atlantic Council and also being a part of this community then say let's have honest dialogue let's all get in a room and even if it's recorded that's great cuz then we can share it along with others in our community and others who are not a part of the community to expose them and share that there is a way for them to also partake in um in this effort yeah so I I teased before in the sense of uh working in government and I told you left the military went into the private sector and then I went back to government uh the offer was at the time right around when things were kind of going south in

early 2020 like hey do you want to come over to CISA and work on aviation cyber yes I like doing that that'd be great to do as a full-time job and then I uh this was from Director Krebs at the time and I describe it as the old bait and switch it was like what do you know about COVID I'm like you know I know zero uh but that was at the time and you've heard Josh and others Bo I'm sure has talked about it here and other places uh developing the COVID task force and the reason the disc the offer to me was you're an old guy you know know how to do leadership things team things you

know how to deal with government you have that experience and we need somebody to kind of lead overall when you have these outside experts Bo and Josh uh I can't even remember I remember Michelle and just all their different backgrounds doctors and all the things they could do and then you had the govvies over here and then helping to bridge and make all that work so Josh can concentrate on getting things done I deal with the grind and getting through and how do you make things happen in that sense and then very shortly had Ayan join the team but again that was the example of this diverse group coming together and the value of doing that

again things that the Cavalry folks are like well of course that's how you do things like that's Cutting Edge in some areas tends to be in government not all government but in this case it was um and so then the idea is well why would you ever go back and do that it was a sense of mission I enjoyed I'm like yeah okay you know we kind of need this going on but really selfishly yeah and Bo's here and Josh is here and you get to work with these guys I'm like well that's kind of cool I like those guys let's go hang out um virtually and never see each other in person but all right

close enough um so it was uh it was quite the challenge but yeah that is what again in this whole back and forth in and out of government yes I will go back and do that um because I saw value in that and you know the joy of doing that the joy of doing that uh but uh that again is where Ayan and I got to work together and there's kind of two parts that we'll share as far as the Coalition of the Willing I think she got to experience and the Coalition of the Unwilling that I got to deal with so I'll turn it over you no appreciate you saying that um so in in the transition

from aviation so uh was supporting the aviation uh cyber initiative and uh as I mentioned earlier the uh chair position was with CISA at the time now right before the pandemic started there was a lot of conversations of migrating that role and responsibility to TSA and moving the project over there making them chair particularly because there was uh a a a a strong leadership support to uh develop an internal uh cyber security policy team and to have um TSA take the the helm so uh in that respect there this was a very very great and fortunate opportunity because personally I really like all the the work and the the variety of projects and programs that I

could do not that I wasn't interested in moving into TSA but I just felt that the experiences that I still had potentially in front of me were still there in CISA and so I wanted to explore that and pull the thread a a little bit more and lo and behold I uh I get a phone call in an email from both Josh and Steve talking about how they're joining CISA and um that they're uh tasked with building the CISA COVID task force working very closely with Department of Defense and US Health and uh Human Services Department to um support Operation Warp Speed um and just for the record and just background Operation uh Warp Speed was at the time

like a um uh whole of government initiative to quickly ensure the uh secure the as of the supply chain the distribution and the logistics of uh vaccine and Therapeutics um to battle against COVID-19 uh so to me that was a huge honor that I was being asked to come and not only work again with um folks that I highly respect in the community but also to be given a very special position to serve as liaison to from the task force within CISA to and represent CISA to DOD and HHS and talk about what are we doing um as as an agency to offer cyber security as well as and this is the other awesome thing that I thought that

about was that it was going to open the aperture a little bit more to see also how the infrastructure security the side of the house worked and where were the the linkages between the two um and how we can ensure that there's greater cross communication cross functional communication between divisions between teams also on the regional side of the house um and being much more further connected with our various Federal partners and agencies on the ground such as uh uh FBI and then multiple parts of HHS and and DOD and then and seeing the very local connections to companies to the Distributors to hospital um um um and um uh uh delivery organiz Healthcare delivery organizations and ensuring that

any information that was happening locally on the ground was being then also transmitted up to HQ um that being Al that being primarily you know the Operation Warp Speed folks um and sharing that this is what we're seeing with our boots on the ground across the space um and I loved when uh my colleagues would tell me that uh God bless me for herding what quote unquote cats and I tell them luckily for you guys I like cats I think each cat is a cool cat with a different set of personalities and do I have to tackle you individually so be it yes it's okay but it's that sort of like optimistic lens and framing that like helped get

through the of the Willing with what is it like I think 200 folks every other day for like a daily sync to talk about Army yeah Army staff meetings and we were very thankful cuz I had that role momentarily I'm like thank you Ayan for so happily taking this on yes I was very appreciative yes yes and that's and that's the other thing though too is it was fostering a lot of uh uh uh coordination and collaboration um as you as you can imagine right um uh there there's uh different organizations and you probably also you know also uh anywhere in any field in any discipline in any organization there's going to be turf wars there's going to be that

sense of wait I talk to these people all the time why are you now having to talk to them I have these relationships and it's like well because in this specific instance this is within our mission set our Authority now granted we still need to work closely with you because yes you may have a closer working relationship and this is where we'll negotiate right so there were instances where having to talk with various uh Regional representatives to understand okay who had the more long-standing relationship and whoever had the most long-standing relationship would serve as the lead um because in truth we didn't want to fracture pre-existing relationships instead use as an opportunity to Foster introductions build new relationships

for others who may have not had it before but again leading with the trusted partner leading with that voice who can bring even even within government other agencies to the room to the to the teleconference to the zoom and or WebEx or teams whatever the virtual conference the platform was at the time so and U I know for some of you that have heard Josh talk before and I cannot do it justice but the ball bearing idea again the diversity of the folks that came up with that that that did the work behind it and then putting it into action right again just another example of taking that different mentality things that folks who are not used to working

differently they have certain things that they have to worry about and bringing in that outside talent and that diverse experience and getting to see that firsthand Ayan's happy optimism which brings me joy to hear it again and it certainly did at the time and I mentioned before the Coalition of the Willing the folks who were really focused on that and what she described as Warp Speed, Warp Speed was a massive effort and it was still one part of what this entire task force was was trying to get a handle on and deal with the other part of it uh if you know CISA's mission is you've got your regions and CISA delivers cyber security services and so

how do you how do you get a company that has amazing cyber security because they got all kinds of money and all kinds of ability to hire talent to take services from the government and they don't realize there's some really good stuff out there okay you don't need some of these other things but this other stuff's really good and you do benefit from it it is worth your time right exact and it's free but then there's also these lower end companies are like why are you calling me I don't even know who you are I've got one dude man managing this router he bought from the store what's the big deal well in that ball bearing analogy you're the one

making the thing that everybody else needs so please let us help you um and so talking to those companies was quite an experience what I got to deal with was the side of it and it wasn't necessarily I did get to talk to the companies directly and use those examples of dude big company I'm telling you there's value here and then uh you know talking to the little ones also but really the example is uh when I say the Coalition of the unwilling coming in from the outside looking at what folks are doing look at all the stuff they have to deal with oh and we're in a crisis and remember this is also in the this is

towards the end of 2020 so you've got they're already worried about the election there's a little bit of turmoil at CISA at the time based on some Twitter posts and then you had early and 21 right so people are busy there's a lot there is Mayhem and we're all separated trying to do this with COVID on top of that and so when it comes to hey folks uh you have your expertise I know people have expertise but I'm here talking to you and we're going to we're going to try to do more to get these Services out there that's not how we do it like direct quotes it was the that's not how we do

it here and I'm like oh man I've heard this as stories people tell but actually hearing that like okay I get that but what if we tried something new because this is your success rate offering and getting somebody to accept a service and well but that's not how we do it and there's just again this friction in some cases outright push back and most cases just a lack of understanding because here's this this dude coming in and here's these other folks and here's all these other things they're dealing with so in those conversations seeing some of the folks absolutely like this is great we can't wait whatever help you can give us we're willing to do

it and there was the other end of the spectrum that's like I'm tired of hearing you talk to us I know you're in charge uh but I don't care this is how we do things over in my little piece of the world and then there's in the middle that took some convincing and went either way um but it was interesting in the sense that I don't think that's a government thing it was interesting to be back in government trying to work on that it's a natural human thing believe it don't believe it convince and so having the opportunity to go okay let me bring in Bo who's actually been a product manager who knows how to do these things who

knows how to convince people how this stuff works and and you know all of that and the other folks that we had there Tom sitting here in the audience he was a part of our group Josh was a part of that reaching out doing stuff yes you have to admit you were a part of that yes did nothing it's on your resume I put it on your LinkedIn so those are the kinds of things that we got to see and it was interesting because again using these approaches and the things that uh I know uh when I thought about this talk and in the Cavalry I'm like oh this is easy because of course that's what you

do of course we do these things that we're here talking about but that is not always the of course part of it so being a being able to bring that in some folks just needed kind of that little shake to go oh yeah we should try something different others you're never going to change okay I get that that's fine and again that's anywhere uh but it was just really interesting to see that and experience it and especially succeeding to change those Minds so uh that was uh it was kind of fun yeah to say the least yeah but at least the good thing was is that the the knowledge and the resources that yourself Josh and Bo and others

brought in from what was perceived as the outside right as private sector really helped also bring in uh and we saw that also too with a lot of teams right with those that experienced reluctance eventually then you know bought into it some bought immediately wholesale but then those that were reluctant at first like when they bought into it they saw the benefits of oh wait this is what product management experience leads means and what it translates into my role and how I offer these services or even similar to a sales engineer like how do I how do I showcase that my agency has these services that are free but also recognizing that you know depending on

an organization's cyber security maturity and their posture that they may not you know um have to go all the way out for the uh special high-grade uh six-month red teaming and Pen testing no that maybe fundamentally everyone needs to start off with these free yeah like these free H hygiene services like let's offer like the web scanning and and recognizing that folks may have already have their own internal monitoring tools but if you layer that with another one that's free it might help you know give you a letter better visibility of your your you know um uh Network and your and your landscape and your assets and and and it and we saw also on the on the you

know organizations that took advantage of that that they also appreciated because it either validated what they already seeing or it helped address like the gaps that they didn't realize were missing in some of the tools uh that they thought were going to cover the ba the basis for everything so um it was a lot of yeah a lot of convincing but taking that knowledge and bringing it into government super helpful and we got a question or a point we we haven't opened it up the questions yet like we got I'd like to open the floor to questions Tom so um I'd like to lead the witness what uh what did we learn during the COVID task

force because I found this to be extraordinarily interesting and I'd love to hear your I I'd love to hear you put it in your own words what did we learn about the makeup of all the different organizations that turned out to be critical infrastructure especially maybe the the ones that weren't obvious because you did mention operation warp speed was all about trying to deliver R&D for the vaccine manufacturing the vaccine and delivering Therapeutics and Diagnostics but I think there was there was a lot more that we learned in the ball bearings exercise right so I think it might be beneficial like maybe to talk about some of the organizations that were some of the unusual

suspects that we ran into the the friends we met along the way appreciate that Leen so no kidding yes we're done jabbering in the sense of please questions that you all have um I know one of the things so I'll use an example as a CISO that I think will resonate in the sense of identify your high value assets right what are the things in your organization from a security point of view if that thing blows up we are not this company does not exist the company the utility the whatever or people get hurt and don't exist so you know those are the two priorities um and to me the ball bearing effort was those are the high value a

assets and what was missed is well of course Pfizer and Moderna those are high value because they're the only four companies or whatever at the time that are manufacturing what we need that's true but if that company can't deliver that vaccine without that needle and that vial and there's two companies that make those things and the other one the other good one that and and again I I get to pile on what Josh has talked about many times is Cold Storage early on we all remember that and the fact of how many places make enough of the dry ice to hold the temperatures the right way there's not many and when you look at it from the very big and obvious and

there's many many thousands when you really get down to yeah that's cool and all but what's my most high value Asset that analysis really opened my eyes and how uh when you get down to it some of those simple things are the more important things and and then you have to look at it very different backgrounds the different expertise that we had to go yeah okay that's a big deal yeah to to tack on to that there was also through the ball bearings analysis which is essentially also a supply chain and distribution analysis um uh which by the way is extremely phenomenal like I I I I wish everyone could see the document it's it's it's it's the work of art and

to say the least slid the slides are out there though too but um in addition to yeah like the the distribution right and the logistics with the dry ice what was also very fascinating to see was that there were a number of startups on the R&D side that had this one particular ingredient that without it would totally impact the ability to even produce the vaccines or even the respective Therapeutics um and just that one company maybe you know based in this one state or this other and just with this was like literally the ball bearing the linchpin um that could impact it all uh then there was also um similarly with the chemical Manufacturing in the

facility side of the house where you have that one ingredient but then if there's an impact to the processing in that chemical facility then that literally shut it down so the best analogy I could think of was Sim uh similar to the um um baby formula you know uh distribution and the like like you you you have like one company that's making one thing that makes up entire product and this is something that's created domestically within the US it's not something that we can get shipped abroad especially since Logistics was a whole another you know issue in itself that that would totally set us back and you know uh have that Public Safety impact so it literally was

a you know a lot of times a matter of life and death for a lot of folks Tom did you have something else to throw out there did you have anything else cardboard what was the cardboard you got a better memory oh is it the packaging there you go that's right how how quickly we forget CU there was Tom did not have any Trauma from that whole experience clearly yes sir really appreciating the opportunity to hear uh a viewpoints from what I consider it sounds like inside the Beltway and and I say it that way because I'm from Silicon Valley and so much of what we hear it's like in the news it's you know three time zones away

and in some senses a world away and I wonder if you could take a moment to talk a little bit about the perceptions from where you live of the culture and activity that happens with the 40 million people in California and add another 10 20 million up in Seattle uh how in the in the context of all you've been talking about and I may just add at the tail end of it you there's this new thing that's getting discussed especially the last year I think you know the initials AI and uh how that's being perceived haven't heard any talk about that so the second one if there's time but the first one I'm really interested in the

perceptions from where you live you want to start off yes so appreciate that um so I'm thinking about it in multiple ways because perception from the government perspective is that engaging with regional Partners helps us keep a pulse on what's happening within that Community right as you say um a number of us is particularly also with headquarters tend to fall within the Beltway the DC Maryland Virginia right the DMV um and so there is also a recognition that we have to have multiple offices Across the Nation to like have closer ties uh to the various communities that also influence shape and are respective to the sectors that we're also serving and also overseeing and regulating uh so in that respect

that's where having close relationships uh with multiple agencies that each of them having like a stakeholder engagement office and or even you know like a very localized programmatic office is is is critical to then not only having that department agency function the way they do but then also to cross share that information now could we do a much better job like sharing that information and understanding absolutely um but there there is also the recognition that like you said not everything gets portrayed in in the news and there's all not only different time zones but there's there's also happening like you know all within Central America and in the South and and other places within the US that um uh

the the the synergies of the work happen a lot behind the scenes which is also why we felt it was important to like have this talk and share from our perspective our Public Service journey and how engaging with communities back and forth helps you know create that two-way communication Lane now when we're also talking about you know like you said with AI and and what's happening I will um just share that uh the White House obviously has a lot of initiatives happening in that area and have even po pointed to the AI Village that's happening in Defcon um and so uh if there's further interest I would highly recommend that you check out the village and see what they're about to to

share um uh seeing that there is a keen interest in ethical responsible safe use of not just AI but machine learning and these large language models and recognizing that we have to also talk about the data how how it's being used and um is the technology also being used responsibly and last but not least in the people aspect so like with my with my day job um it's also having to have conversations of um the awareness piece how do we just educate and share awareness of the various skills um not just respective to one technology but across the board but then also it's like okay if you're interested in getting the field how do you get into the field and

ensuring that there's diverse inclusive accessible representation for all so yeah I I love the I think of what you asked as like the stereo type we hit on that a little bit the panel tomorrow at 11:30 in Higher Ground uh it's a bunch of govies and the idea is what is the reality of working in government and I say bunch of govies having been one um not just to be I don't mean it to be derogatory but the idea and i' I've talked about this before when I've used the example of the village that the perception of this is what government industry does Right the dude in the white T-shirt and it's an old white guy

that's me I'm like well that's the government bureaucracy I'm like well no let me tell you yeah there's some of those but let me tell about all the other people I know in their backgrounds and then the same thing if I'm talking to a different audience it's like well this is what those those hackers look like o and yeah that's what they look like and let me tell you the talent they have and why you want to talk to them so I think similarly uh like getting past those stereotypes well you all in silic you're just trying to make money and you're a bunch of started you know blah blah blah the same way you would look at

government it's being able to go there are some crazy smart people who really want to get done and they really want to fix things and government if Government other you know you name the group if you don't talk to them and Ayan mentioned it before if you don't engage them early you're going to make all these mistakes that you could have brought in these different backgrounds get to know them before a crisis so while you're working here when things are nice and normal or when there's a crisis you can go I don't know but I can call Ayan cuz I know where she works and she knows where I work and we've had at least an introduction if not a full

relationship of working together um so I I don't think you'll ever get past that and I'm not going to say oh yeah it's all good it's not it's humans and it's always work to do that and these examples that we've used I think what I like seeing is and I use the village as an example the engagement that happens the fact that Spot the Fed at Defcon is not very hard right it's it's and and BR had a great Twitter Bryson Bort if you know him had a great Twitter post he's like how about we spot not the FED uh that's getting more difficult but it's it's the fact that this is where the talent is this is where the smart people

with good ideas are let's go talk to them and the villages like will help you talk to them and I'm sure the other villages are too and so the policy Village is another one of those it's great to see so I think it's at least working to get past that so quick quick question so long time listen the first time caller and I'm getting the BDI from Josh um so you've talked about lots of different perspectives lots of different groups things like that and there's been lots of lessons that have been called out from COVID task force and all that effort there but from a sort of root cause analysis sort of double Loop learning how do we fix the root causes

of a whole bunch of these issues each one of those groups you're talking about does that at a different clock rate through a different perspective COVID was a really good moment in time for pulling all of those groups together in a crisis now there isn't a crisis do you still see that urgency across all of those groups to go hey let's get to the root cause of not being in this position again how do you how do you tackle that and in that one minute you have left how do we how do we get there the the uh I I'll throw out one of the best things in my most trying why the hell did I do this uh jump back in

it's okay that it's frustrating and it's okay because it is planting the seed in their minds and something's going to change and the couple of people that our group made a difference with they will be the little seed the snow PE at the top of the hill and start rolling down and they'll get somebody else at their agency to change their minds and then they'll start looking at it different and it'll slowly grow and that's like the little bit of hope you know the little kid at the end of the Star Wars movie and he's got his his little Insignia ring hidden away I'm like I I hope I created did one of those to get those ideas

going yeah um it's really interesting how depending on the sector some of the changes that it took a long time to finally create are now sticking and improving and scaling and moving forward um such as you know the aviation Aerospace industry like before there was a lot of um uh there was a huge divide and even you know talking to different communities and uncertainty yeah um and in other sectors there's there's a fine finally right there's there's a a a stern look at uh sectors such as health care and um uh water and wastewater systems and um uh understand that food is next agriculture is next but the the truth is is that that's also still that's still

going to take time and work and this is where having the patience and recognizing that it's a marathon and there's it's going you're in it for the long fight it's you're in it knowing that you know you you're going to you're going to be doing this for a long time as long as you have the passion it's there but also know that you're not alone and this is the other reason why I I decided also to shift into the workforce and education side was because there was a point in time when I was working CISA and I and and work and addressing also and serving alongside a lot of colleagues with the Log4j response I like also

started feeling the burnout and I realized oh my gosh like we we need to have more folks like more colleagues more Partners so that way when one of us needs to tag out tap like you know get a a a break and also spend time not only to recharge for ourselves but also be with friends and family that you know at least we know that the the fight is still happening and that there will be certain battles I'll be won but this is this is a a long time War so I think it's that perspective and knowing that you you're going to have to also be strategic and picking and choosing as well like you know is this is this is

this the one am I targeting this am I talking to the right person I'll keep going eventually there is going to be someone who's listening and seeing this right um and and so that's that's where um it's it's it's a message of where I say keep going there's a lot of folks that are listening and observing um there's also uh a a keen interest also with my colleagues um uh not only you know within the Office of National Cyber Director but across also um the White House and um across federal government where we're watching we're listening and and recognizing that there are a lot of things that we also can't do by ourselves we have to like work

closely and leverage the communities who own also as well these um um just wanted to tack on to his point I mean the honest answer is when the CISA COVID task force ended a lot of people were thrilled to go back to normal but Krebs asked us to break glass and to find common cause and common purpose so the disheartening part is people did go back to silos in a lot of cases the heartening part is people like Ayan who intrinsically believe in boundary spanning and cross sector and cross agency they're in the seats now in the White House they don't have to be convinced that multi-party multi-talent team Avengers is is valuable they're not

just singing the song they're adding to the music so I'm a little it's like two steps back maybe five steps forward but it's been uh that's why I'm so thrilled to see her in that role and so many others in ONCD thank you thank you

[ feedback ]