
All right, we are heading into the final installment of our conference, the I Am The Cavalry track, 2023 BSides LV. We don't know everything that is going to happen in the next two hours, but it will be very exciting, so I would like the honor of presenting to you Mr. Josh Corman and Mr. Beau Woods, who have been on this adventure for the last 10 years, and we're going to have a little free-flowing workshop experience that is going to cover a number of different topics. I encourage you to stay engaged, keep an open mind, ask questions, be inquisitive, if you need to question the assertion do so politely, and we'll have a good dialogue. Over to you.

Okay, we may have a special altruistic lubricant on its way. So a couple years ago spam and Mr. Glass and maybe Banshee, somebody found that there is a Cavalry bourbon. Oh, AI found it, but it was not in our part of the country, so Mr. Glass delivered it, so we had open Cavalry bourbon. It was okay. I couldn't find Cavalry bourbon this time, so I have Horse Soldier. Never had it, costs a lot more than Cavalry bourbon, but we'd like you to partake if you're so inclined, so people can at any time they want come up and take a little pour. Not shots, this is a sipping bourbon, and it's my first taste right now. I'll wait for both. We called this session A Hacker's Guide to Changing the World, parenthesis, and where do we go from here. Oh, here we go, here we go. Sipping, not shooting. It's change in the world, change in the world, change in the world. Tasting, not... vanilla, old oak, saddle leather. I know what you're doing.
Okay, so there's not going to be a lot of slides, but there'll be a couple, maybe visuals, in some particular order. Welcome, thank you for sticking this out. We turned 10 years old on Tuesday of last week, and since I had never met this crazy guy before, that means my friendship romance started with this guy 10 years ago last Tuesday. So a decade's a long time, and I think we felt every mile of that journey and then some, and maybe we'll reflect on some of those things. We had joked throughout this crazy journey involving a cast of thousands, everyone chooses their own level of involvement. Some helped on a project one day, some people advocated with a sticker, some people dedicated three to five years of their life, Beau and Jen 10 years of their life to this. So we've had varying levels of participation, but hopefully, if you've seen any of the content like the keynote yesterday or any of what happened in this room, we did things we did not think were possible. But one of the refrains that we used a lot is "we have no idea what we're doing but it seems to be working," and we joked that if there was a book that would be at least the working title. And of course, 10 years later we have a pretty damn good idea of what we're doing. Doesn't mean we figured it all out and there's one path to success, but we tried a lot of things, and when Nick Percoco and I were launching we said we're going to be like hackers and fuzz the chain of influence. We're going to try a lot of things, we're going to iterate, we're not going to take 10 years to fail, we're going to do things in parallel. So whether you like the idea of fuzzing the chain of influence or trial and error or radical experimentation, I think the phrase we used on the slide was radically uncomfortable experimentation. Some of the core principles that really came through, we wanted to at least name them for you. There's a reason for that, because on the half where we shift, I don't know if it'll be exactly half, but when we shift to where do we go from here, I've been trying to answer that since January. Okay, it's been a decade. Do we end it? We should be very proud of what we've done. Do we transform it? There were things missing in the world 10 years ago, the world's different now, what's missing now? Do we combine it with other initiatives to get to critical mass and have more wood behind fewer arrows? And I've struggled to answer that question. I have some very damn good answers, but it didn't feel right to answer them without the community that helped build mission, vision, goals for the last 10 years, and new people. I didn't even know this guy, so I couldn't bank on Beau Woods doing the tireless work he's done, and I might have other people reveal their contributions for the next 10 years. So part of this is naming some of the difference makers. If you could imagine, what if we made a boot camp for changing the world? What if we made an incubator/accelerator for 20 new Cavalries? We've
mentored incredible groups like The Light Collective. Andrea is going to be at DEF CON several times actually, we're going to be on the Do No Harm panel, she's in the Privacy Village, not the Privacy Village, the Disinformation Village. She came to us what, 6 years ago, and said can the Cavalry pick up this issue, Facebook's violating privacy of patient advocacy groups, and I said well, we're really a safety organization, but I love what you're doing, I'll help you, but I don't think it's a Cavalry thing. And she's now got an incredibly large and growing nonprofit initiative for pre-cancer survivors and other patient advocacy groups to have trusted, safe conversations. They've elicited the support of the Robert Wood Johnson Foundation, others, and we're like maybe the path forward to scale the Cavalry isn't just 10 more years of trying these things, but maybe parallel world-changing events. And that means that a lot of the work we did didn't work, and just like we can point out what did work, maybe we can save others time on things that may not be as fruitful. So this is not the definitive... we have some confidence in some methods, but we're not so arrogant as to think that these are the way. There might even be wildly inferior ways, but I think even the last two days we've heard some significant reinforcement from the British panel, from Suzanne just now, about at least what our teammates thought worked. So you'll hear a few of those, but we want this to be somewhat interactive. Beau, do you have anything before we start?

You know what really doesn't work? Doing nothing. Correct. Or shouting into the echo chamber, or some of the things that I had done before getting involved in trying some of the things that did work, the radically uncomfortable experimentation. And I think that from where I was then, I was just frustrated and was open to trying new things, because I knew that what I was frustrated with could be changeable. I think that there are things now that are changeable by taking the right approach, by getting the right people together, by being able to convince the right people of something who are in a position to make change. And I think that today, as opposed to 10 years ago, the world's a lot more ready for us to step up and do something together.

I'm doing some of this by feel, but a couple years ago Bob Dylan's son Jesse Dylan met us through, I think it was, the Congressional task force report. He was at a healthcare
conference and he cares a ton about health, has done a lot with Scripps Institute and different cancer research centers, and he offered to make us a video, a really high production video. So I haven't watched it in a while, but it's going to take us less than three minutes, so here is the product of what we looked like, I think, six years ago. I think it was year four, probably. Okay, so here we go.

Security... oops. All this soft... I shaved my head for cancer research, please excuse my appearance. Cybersecurity, all this software and connectivity that's defining modern culture, is a pretty concerning thing. When you add software to something you make it hackable, and when you connect it to other things you make it exposed. Vehicles, medical devices, hospitals, high-speed rail, aviation, power plants. Our dependence on connected technology has grown faster than our ability to secure it, particularly in areas affecting national security, human life and public safety, global GDP and the economy. These are not merely theoretical. We've actually now seen some types of cyber attacks that have had profound impact: WannaCry and Petya, and what we've recently seen with the ransomware, it compromised an entire ecosystem. I had thought naively that if I can get as high and deep as I could to the decision makers in government that they would just fix our problems. The Cavalry isn't coming. I Am The Cavalry is a grassroots volunteer organization. We brought together hackers and regulators and device makers, industry and government, towards the outcome of policy reform or smarter engineering choices before you have high-consequence failures. If you just say you're a hacker, it resonates deep inside people as a negative. If you say you're an information security researcher, it's a bit different. Either way you're doing the same work. I think there are more hackers out there intending to do good and to help. We share information a lot, we share techniques a lot. Our focus is on things that are going to impact human life, public safety. Our heaviest focus has been healthcare, followed by connected vehicles, but we have projects on maritime hacking. You can spoof GPS and divert ships into piracy shipping lanes. There's positive train control vulnerability. We're also looking at factors which could affect the global food supply. It involves both a reactive and proactive approach. The reactive approach is making sure your infrastructure is as secure as it can be. The proactive approach is doing threat hunting. We had a lot of medical device hackers and one's a diabetic, and he hacked his own insulin pump. He found he could give a lethal dose of insulin without authentication. The manufacturer went public with the research to make sure that people were aware that there was a security vulnerability in that device and how they could protect themselves against it. This is not going to be two hackers in a basement trying to change the world. This is going to be a community effort. Working with I Am The Cavalry helps bring that cohesiveness to the ecosystem which hadn't been there in the past. It's not just a US thing anymore, there's people that live in Europe, in Asia, in Latin America. It holds the most promise working among those different stakeholder groups to be safer, sooner, together.

I haven't seen that in a while. We look different, a little bit. Okay, thank you for that. A couple foundational concepts. I'm going to spend like maybe one minute on one of these and maybe 10 minutes on another one of these, but at least for what was advertised, and this is not the
definitive list here. "I can't believe it, it worked. Doing this once a day helped me sink from 205 to 126." I too can't believe it worked. Now you've got 35 tabs open. Okay, here we go, that's gone. Okay, so here we'll just do empathy, some sort of thematic image here, I should have used one of your generative AI things. Part of what, and I'm not going to rehash everything from yesterday, but part of the idea to do this is I was emotionally shattered from the loss of my mom and the grieving process, and I felt broken, and I didn't think I could keep working in security because I just felt like I wasn't going to be the same. I couldn't go back to seeing things or feeling things, and part of that's just the grief process. But what I thought was a weakness to be healed, I started to realize as I came out of that haze, I likened it to being hit like a boxer, getting your clock cleaned, your bell rung, like sight was blurry and sound was blurry, but slowly your senses come back to you. And as I was coming out of it I realized wait, this is not a weakness to be healed, like I'm having the most authentic conversations of my entire life right now. Like when you drop the fear, the pretense or the impostor syndrome, you're just talking to someone as a real human. Like no one's a villain in their own story, everybody's got a partial truth, but very few people, if any, will have the complete truth. And I think generally if you can find common cause, common purpose, figure out what someone wants, needs and fears, meet them where they are, not where you want them to be, but meet them where they are, then you can try to close the gap or you can elevate. You're going to learn something from them that you didn't know, they're going to learn something from you they didn't know, and if there's enough compatibility there in common ground... I think hackers often look for what's wrong in something. We're really good at it, it's one of our core competencies, it's a gift. But I wanted us to try, let's look for what's right in it, a little tiny spark, a little ember you can foster into a flame, into a roaring fire, into a forest fire, right? Like you can find a tiny piece of good and you can make it better. And hearing the testimonies from some of our collaborators from the UK this morning, from Suzanne and her amazing team at FDA, she used the word empathy, like we just listened to each other bidirectionally, we tried to find common ground. So I said let's be a helping hand instead of a pointing finger, and I think empathy was our core first principle and a lot of things subordinated to that.

Before I say, like, Stone Soup... Empathy is good, empathy feels good, but like a lot of technical people it took some time for me to develop that, to practice it. It's not something you just turn on overnight. It can be learned, it can be practiced, and it can have a transformative effect on how you go about collaborating, working with people, kind of getting the best out of them, yourself, and anything you throw yourself into.

On our first birthday here we had a double PhD psychology person that Andrea Matwyshyn introduced us to, and her body of work was on X-altruism, the letter X, extreme altruism, and she did a study in how this category she named had like six of the same eight markers as a sociopath. And the key difference is where they differ, where one has zero empathy and one had extreme empathy, could feel the pain of the world. So I resemble the latter. But also, because that empathy can burn you out, they had a Wolverine-like healing capacity and/or support network that would heal them if they exhausted and depleted themselves. We talk about introverts and extroverts, like you'd be shocked to know that Beau is not an extrovert, though he is so prolific and profound, so it takes time to recharge those batteries. But also, at one point early on we worked with a woman who works with profoundly gifted and talented children, and there's quite a few profoundly gifted and talented people in this room, in this community, we're drawn to it, where it's one or two standard deviations from the norm. But a byproduct of profoundly gifted and talented people is they never really develop empathy, and she likened it to a muscle. So we can be empathy weaklings, but you can go to the empathy gym and build that
success we've had has started in some way with leveraging our empathy muscles okay remember this can be interactive and there's bourbon that has a horse Soldier on it okay all right and we do want some story time from you guys okay all right second building block in no particular order um I forgot about this until I was looking at some early notes has anyone read Stone Soup does anybody want to summarize what stone stone soup was about cheers oh here we go who's going to do it it's participation sport no no you I will good once upon a time a person was traveling and he came he or she came we'll make it to sheep she came into a
town she was hungry and she approached a villager and said you know what I have a fantastic idea for dinner all we need is one thing villager person all we need is carrots I'm making this fabulous soup all we need from you villager person is carrots so the Villager person said oh I can help you they ran off and fetched some carrots then she went to another villager and said this soup is just about perfect oh it is it's going to be really good all I need one potato just one potato and the soup is perfection goes to the next person you know what this vegetable soup is super good all I need is a a a rack of lamb
and it will be perfect and on it goes so the traveler with nothing working with the Villagers came up with this delightful Feast that they all enjoyed okay so what I don't like about Stone suit is there's a little bit of Deceit in here uh but the person has a cauldron and a stone and stone water wouldn't have been very delicious so there's a little bit of Leaning into this but the vision that we can have a delicious soup and I'm going to help make a delicious soup created individual ingredients that would be really boring on their own and by the time they were done they had a delicious soup um and I think part of what we have
come to appreciate whether you like The Avengers right Earth's Mightiest Heroes brought together for complimentary skills to fight the the fights that we can't fight and win on our own whether you like the idea that it took many ingredients and many contributions some of them more subsi than others but we described an end state that was attractive and delicious and we made people salivate for it and hunger for it and we manifested it through many small contributions uh some of our biggest contributors did one and only one thing but it was a vital one and only one thing so um I know it's a children's story but I can't shake that there's something in here that was part of the
success. Just want to ask a question on the mic. Hi, Russ. Question. I imagine some people who you approached, who you would have liked to have as part of the Cavalry or some support, instead of responding to the stone soup ethos positively, looked at it with scorn and derision, and you know, "this is the weakest of all weak sauces and you're coming to me with this, how could you possibly, and were you born yesterday, and how stupid can you be." And so I wonder if you could tell some stories about how you encountered people like that, how you navigated with them, around them, did you convert any of them? Because I think a lot of us who would want to go on this path or think about paths like this, in random conversations, you're going to feel like instead of having something that can manifest to great things, it's nothing but, you know, soaked Wonder Bread and got nothing to it.

Interesting reaction. Yeah, I mean, especially when I Am The Cavalry first started we had a lot of people who were like yeah, this isn't a big deal, or I've tried it before, you're going to fail, or the only thing that you're going to get is, you know, you're going to have to do a lot of lobbying and take millions of dollars, or people who, you know, outright mocked us. I remember all the Twitter memes, that was not fun. "We are the artillery," yes, that was one. Somebody confessed that they own that one to me, yeah, and apologized, and apologized, yeah. So yeah, I mean in a lot of cases they were right in the way that they were thinking about it. A lot of people had tried this. I mean if you remember the L0pht's Congressional testimony in 1998, where the L0pht went to the Senate, and you know, weren't saying anything that most people in this room would not have known at the time. So a lot of people did try, but you know, the timing maybe wasn't right, or maybe the people who were in those positions at that time weren't open to listening, or you know. So maybe it was worth trying again. Or, you know, the mental model that they had for what it takes to actually get access to a Congressional staffer, to go talk to them, was that you had to be a lobbyist to get time with the senator themselves or the member of Congress themselves, which might be the case, but it turns out a lot of Congressional staffers are also very awesome, and they do a lot of the research and authoring work that goes into their boss's briefing packets, and they're the front line. They're the ones who take those meetings, and like literally I've had several conversations with staffers where like they didn't know me but they kind of had to take the meeting because like that's what they do, and for like the first five or six minutes of the conversation they were like all right, yes, what are your talking points? Like I don't have any talking points, I mean like look, there's nothing up my sleeves, nothing in my hand, but like hey, let's have a conversation. Your boss put out a bill, or you know there's this thing that's happening, and I wanted to give you the opportunity to like chat about what some of the impacts
are, consequences could be. And once they flip from seeing you as something to be endured to a resource to be tapped into, it completely changes the conversation.

I sort of love your question and it's baiting me, you might have to ask it again in a little bit, because it's baiting me into some things that I realized in real time yesterday during my keynote, like for the first time in the prep, which is, I'll hint at a negative, some of the gatekeepers. So I have five Ps. So first of all, when I talked to... this was a breakthrough moment with Suzanne in the FDA, by the way, I don't think it was for Suzanne, I think it was for Bakul. We had a peace summit, we flew people in from all over the country on their own dime to go meet with the FDA on their turf, and there were some angry researchers, and they were angry because no one was listening and it's broken, they need to fix this, and they didn't want to go. And I said maybe you were right, maybe you were early, like give it one last try for me. We're going to meet them on their turf, everyone's going to get to air their grievances, no one can listen until they've first been heard, so you're going to get five minutes to say what you want, need and fear, all of us are, they're going to get their time to educate us, and once we have some common ground let's see if there's anything we can do together. So there's a mix there of maybe you're right, maybe you're early, it's Beau's timing point. I actually think L0pht did incredibly important work. I don't think they were early, I think they did what was needed at the time they did it, and in fact I just read Space Rogue's L0pht book, it's phenomenal, and it made me smile the entire time except for two points, and I'll get to Space Rogue again in a second. So some of this is timing, but some of this is, you go back 10 years and you had to have permission to do something. I mean BSides was born because people couldn't break into their first talk at Black Hat, they couldn't get through the CFP process, that's why BSides was born. So some of this is the gatekeeping was suffocating, we weren't getting new ideas, or we had really great 0day dropped or really seminal research done, but it was done by one person or one duo, and the world doesn't need one or two people who own that topic, they need 200. We need college courses and disciplines and certifications around these things if we want to serve the needs of an increasingly connected society.

So one of the lessons with Bakul, back to that, at that meeting, is even though we spent all morning establishing some neutral common ground and being heard, a brand new guy from FDA came in scowling at us the entire time. He's looking at us like we're evil, and we have since befriended him, don't worry, I'm not vilifying the guy, but he just looked pissed off. And what we were supposed to do on the agenda was say "how does a bill become a law" for a researcher. So Billy Rios, one of those previously very popular, well obviously still popular, prolific guys, was going to outline here's how I decide which equipment to go get, this is how I buy it off eBay, this is how I put it in my kitchen with my wife killing me, this is how I do the research, this is how I document the research, this is how I try... and none of it was being heard. The guy just looked more and more mad the further we went, and I stopped in my tracks. I looked at Mike Murray, we had like a 90-minute conversation with no words in the course of 3 seconds, and I decided to abandon the plan, and I said are we upsetting you? And he said yes, yes you are. I said is it what we're saying or is it the words? Like we should take a moment here. And he said what's wrong with you? I want to know why you do it, I don't care how you do it, I want to know why you do it. These are life-saving technologies, you're endangering the public's trust in these things, what do you want, money? You know, he just didn't get why we did it. I'm like oh, okay. So what I tended to say was something like this: hacking is not good or evil, it's magic. You've got bad wizards, but thank goodness you have Gandalf and Hermione and Harry to fight the darkness. So we're the good guys, and beyond that we're not all even motivated the same way. So I use the 5 Ps, we have them on the website, but there's Protectors that want to make the world safer, Puzzlers that want to take something apart, put it back together, solve the Rubik's Cube, make something do something it wasn't supposed to do, Prestige, be the first, be the best, win the white jacket, own the topic, Profit, do it for personal or professional advancement for you or your company, and then, depending on who we're talking to, we say Patriotism or Protest, for or against an ideology. So most of us major in one, minor in another, but what you have here is mostly Protectors. We would lose sleep if we didn't feel we did everything we could to alert you of something that could have hurt people. And he's like oh, we make your job really hard, don't we? But then I think he was unstuck and he ended up becoming an incredibly good ally, and he's the one who did the, what, entrepreneur in residence that Beau and Andy Coravos did. So you triggered some of those stories and I went outside the lines to tell them, but I think part of this is they were right, they were right but they were early. Part of this is we have a fairly toxic culture, which still remains, where certain people think
they're better than everybody else, or they deserve their props, or no one else can contribute. And I looked at the world very differently. I think everyone can contribute, and I think part of what I was rebelling against a little bit in my remarks yesterday is I was damaged enough and raw enough I didn't care about impostor syndrome, until I did again. And we showed that, you know, you don't need permission, and nobodies can have pretty amazing results. So yes, we took slings and arrows. I think in an apt instinct we had a bit of a pre-populated launch party where Space Rogue from L0pht was a day one architect. Like we had been talking for months about how his cold dead heart grew three sizes that day at the con, if you didn't see the picture of him drinking the beer, that was with Andrea Matwyshyn and Jericho. And Jericho and I had worked on the Anonymous research for four years, and he was horrible to me when I started this, and we had a dim sum on the one-year anniversary and he's like I still don't get it, what's wrong with you, what's wrong with you. And I don't remember how we got there, but the punchline was I said something just right, he goes oh, you're playing the long game. He's like, we're good, and he called off the hounds, right. You know, but you don't have as much anger and rage as he does if you don't care, right? The opposite of love is not hate, it's apathy. He cares. He tried a lot in unfavorable conditions, and once he saw what we were doing... No, but I can't tell you it's all roses, so I'm going to tie this off here, but some of our early collaborators... People kept hugging me this week and tearing my stitches, and like oh what happened, what happened, I'm like well, I had a lump removed, but I kind of felt in my soul like no, that's the reminder of the backstabbing that happened. We had some severe sabotage and we still are encountering some severe sabotage, and I'm not going to make this a pity party for Josh and Beau, but like something that someone came up to me and reminded me of yesterday was when Beau and I answered the call during the pandemic to try to protect hospitals, for everybody you love, for really shitty pay and a ton of bureaucracy. Every two weeks or so we'd be called Nazis or baby killers by people that come to these conferences, not just one, mostly one, but you know. So I think part of this is you have to steel yourself to not care. There's a line in a song from the 90s from Everclear, it says we're possessed by a power bigger than pain. So you're not doing this to be popular, you're not doing it for prestige. If you're really doing it to protect, if you've got your North Star, you're going to win some people, you're going to lose some people, but you know, if you're focused on the mission then you kind of shake it off.

Thank you both for doing this, and then specifically Josh for bringing up that point. I'd like to hear a little bit more about that experience. As we've experienced over the past five, six years, politics has become both polarizing and very personal in communities, and this is
no different than the other communities and so I'd like to hear more about that thought process um and that risk assessment of going into government and having to reconcile what it means to either work for a person or work for an Administration that people may not support um and then also realizing that it goes the other way as well and that's just sort of where we are and I don't personally think that there's going to be an end to that kind of polarization anytime
soon that's a that's a deep question um as I mentioned earlier I was at the FDA for a year and I was at siza um and both of them were under the same Administration uh I I would like to think that um those positions were so low down that there was no political error about them you know capital P political um because there really wasn't like they weren't at all political uh but at the same time like in you know a decade ago I didn't really know how government worked and so I'm sure there's a lot of people do we yet in our community no um there's a lot of people in our community who still don't know and
they've got uh very core trained understanding and so maybe some people think that any work in government is political unless you're uh you know a career civil servant um and I know that uh you have probably faced some pretty severe uh stuff because of also what you were doing and I think that was that was our case you know going into work with sizza and people who don't understand that like other parts of government don't get more money when you do a good job in a different part of government like just basic misunderstandings about about how these things function um and you know maybe that's part of the uh educational aspect of what we can do to
help this community better is to to do more um unraveling of government and public policy and I'll put in a plug for uh policy at Defcon if you're going out there we've got uh three fantastic days with four rooms that are just going to be heaving with talks uh as well as a bunch of mainstage stuff um so if you're interested in that learning more about it uh come on out and and maybe uh get a finer grained understanding of how government works and how public policy works and uh what is actually effective at uh at shifting things um rapid fire answer um at a macro level I think this is ending but cyber has remained a fairly
nonpartisan, bipartisan issue so far. I do think this is starting to unravel, but we have enjoyed some sort of neutral turf. Thanks to our now world-famous intern, we brought a Republican and a Democrat to DEF CON 25 in the first DC to DEF CON; the following year we had several elected officials. It was Will Hurd from Texas, who's now a presidential candidate, and recently retired Jim Langevin of Rhode Island. They had so much common ground on this stuff; there was no daylight on partisan issues. They may disagree on other topics, but no daylight between the two on cyber. The Solarium Commission that drove and fueled the advancement of CISA: bipartisan. So at a macro level, we have not allowed politics to completely divide people on cyber yet.

Point two: I know several Cavalry people were offered White House jobs under different administrations, and some of them turned it down for different reasons, not that they don't want to serve; they were willing to help but didn't necessarily want to be labeled a D or an R.

Third: when Andre went and Downing came to us early on, people wanted us to do some other cyber-is-privacy type things, and I tried, at least early on, to be very, very focused. Not that we don't care about privacy, but I wanted to be very focused on areas where no one was doing anything (there were quite a few privacy advocates already), but also things that would not break on partisan lines. Public safety, life-and-death stuff, I felt would be future-proof: even when cyber became partisan, these topics may not, so I chose safer topics.

And then you've met several feds in the last couple of days. These are lifelong public servants; they have the heart of a servant, they want to make the world safer, they're going to see lots of political administrations come and go, so they're there to do that job and tend to keep their personal politics out of that job, which lasts longer than an elected official. So I don't think that's going to stay that way forever, and we already took some slings and arrows, but when I had to make my own decision of "do I do the CISA COVID task force," I didn't see how I could possibly say no. I felt like this moment was exactly what my life had been trending towards, and I couldn't see anyone else doing it. So I decided if I take some heat for this, that's okay. Everyone chooses their own level of involvement, but generally speaking we just made it a decade without being political, so it's possible, and hopefully for a bit longer.

Did I answer Maurice's question? Where did Maurice go? Oh, there. Did I answer your question? Okay. I think it's going to get harder on certain topics, but we do take steps in our lexicon to specifically avoid those, so we measured twice, cut once on how we frame something, which we're going to actually touch on, framing, in a little bit.

All right, may I move to the Golden Circle? Okay. If you haven't seen this, it's worth your 18 minutes. There are two versions; one's like 12 minutes, someone trimmed it down. Watch the longer one. Simon Sinek gave a transformational TED talk, before TED was all glitzy, at Puget Sound,
based on a book he wrote called Start With Why, but it's the Golden Circle. I'm not going to do the whole lesson; he's an amazing speaker, and it's not just what he says, it's his oration capabilities. But he essentially says most companies can tell you what they do, some of them can tell you how they do what they do, but the ones that change the world tell you why they do what they do. He'll use examples like Apple saying "think different" versus "we make an MP3 player." But he also talks about Martin Luther King Jr.: he didn't say "I have a plan," he said "I have a dream," right? People didn't go to the Million Man March because they cared about him; it's because they valued what he valued. So, especially in our demographic, we focus on what and how: this is what I broke, this is how I broke it. I think we really flourished because we gave that North Star, the raison d'être, the why it matters.

Jen Ellis yesterday gave us a video address on how they really wanted to protect hacker rights and decriminalize hackers through DMCA reform and CFAA reform, and they didn't get very far initially. They were trying to say what the hackers wanted, but we became immediate teammates because I could go to the same Judiciary Committee and talk about my concerns over hackable medical devices, and they'd say, "oh my God, oh my God, how do we help?" We said, "well, for one, there's a chilling effect on good-faith research because they fear legal reprisal; the CFAA can be used to punish good-faith contributions." "Oh my God, well, we have to figure out a way to help you." Same exact destination, but we spoke to something they cared about. So that's partly empathy and partly talking about public safety of their constituents instead of something that we wanted; we can still get the same outcome.

So often when I mentor brand-new speakers... one of the things we try to do at all the different events or villages we do is try to get brand-new blood, brand-new speakers, to add their voice to the choir, kind of a rebellion against gatekeeping, right, the opposite of gatekeeping. Some of them have really good knowledge but they need a little polish, so we kind of made a curriculum for public speaking, and there have been some of our best voices, because they have experiences none of us would have had otherwise. This is part of that curriculum: the Golden Circle. That one's a short one, just watch it, it's easy.

One of those is called Kurt Vonnegut's "The Shape of Story." A lot of people talk but they don't necessarily know what the experience for the audience will be, and he just walks through most of the stories you've ever heard and diagrams them on an X-Y axis, and it's hilarious and funny. I think it takes 10 minutes. But this isn't just about our presentations; it's that when we go to brief a senator, or when we have to have a hard conversation with someone adversarial, we should know what's the right tool for the job here. Do we have one point to make? Do we have an inception to make that will come back, and plant that seed and water it later? But I do
think this was more a trigger for me, not to say that this is the only form of storytelling; Joseph Campbell has the hero's journey. But I think a huge difference-maker is we have attracted storytellers. A lot of us could not find what Billy Rios... by the way, I've got to stop using Billy; Billy's a phenomenal presenter, so that's probably the worst example I could have picked. But some researchers are incredibly good at finding the thing, but they're incredibly terrible at telling someone why it matters or if it matters. So we realized we might have to have a chain, a relay race, where the ones that find it aren't the ones who communicate impact, and that second person may not be the one that goes on the news; they may not have media skills. It may be someone else entirely that develops the proposed remediations, because breakers aren't necessarily fixers; that full-stack hacker is elusive. But what we did find is some of the most important breakthroughs, with Suzanne, with the White House, with Congress, have been powerful storytelling.

I did get to testify to Congress a couple of times, and next time you see a congressional hearing, watch the oral remarks. 99% of them will read something; they'll just read. The senator can read. It was really important to me, as I got a little better at this, that I just wanted to look them in the eye and make the point for them at the moment. I want to look at the one I need to talk to, on the point I need to talk to, to make a connection, which means you're not going to be reading your script. So storytelling, shape of story, oration skills are fantastic. And to that end, if that's something you're interested in, this part of the boot camp would have things like listening to George Carlin tell why he was one of the most important... there's a great interview between a very young Jon Stewart and a very late-career George Carlin where he says, "I don't sing, I don't..." Oh, here's the preview. They're like, "why are you so good? People hang on your every word." He said, "my father, who I never met, was a Carnegie award-winning orator," so part of it is DNA; he just had really good oration skills from a father he never met. But also he's like, "I don't say my jokes, I sing my jokes, da da da da da da da da." So there is neurolinguistic programming and oration skills and pregnant pauses and change in pace that really change your ability to communicate to somebody else, and some of us are good at some of those tricks and some of us are good at more of those tricks. But these are tricks, just like empathy, where those muscles can be built. So this was just a reminder that storytelling, shape of story, and having a consistent story and repeating the story can help a lot.

Anything to add? Stories are fantastic and phenomenal, and they grab somebody's attention, and if you only have five minutes with somebody, a single story that weaves in a bunch of elements can make the difference between you getting thanked for coming in to talk to them or another 15 or 20 minutes with them while they explore the story that you've just told. And we've seen that happen several times where somebody
initially is just like, "yeah, I don't know why I should care about this, but let's hear it," and you give them something compelling that they can tune into, that they can relate to. It doesn't have to be perfect; it just has to captivate them. Not everybody is going to be captivated by the same thing, but then what started out as just somebody doing a favor and making an intro can become a meaningful relationship. And the same is true with analogies. They're also really, really powerful ways for people to understand things and to gravitate towards them, and one of the things that I've learned is that it's not about having the perfect analogy. Everybody's like, "no, no, your analogy is wrong." Well, all analogies are wrong; with apologies to what has been said about models, all analogies are wrong but some are useful, and at the right time the right analogy can be really useful. What I find is that, especially as I lose some of my technical skills, the more analogies I can stack up and become really comfortable flipping among them, I can still get the point of a lot of technical conversations just by doing that. And I've seen that a similar thing is true with a lot of other people for whom cybersec isn't their thing, hacking isn't their thing, but if they've got five analogies loaded up and they can just flip back and forth between them, then all of a sudden they can get it, and then they can start to apply some of their other domain learning, knowledge, education, what works there, what doesn't work there, to this one in a way that can be way more powerful than if I just try and make something up from whole cloth.

Part of oration skills as well: I mean, love analogies, love metaphors, and I think we've been pretty apt at those. People like short lists, they like odd-numbered lists, they like consonants and alliteration like five Ps. They like something they can remember. There are clever turns of phrase that have some contrast and mirroring, like "target rich, cyber poor." Some of this is just a mind virus: you try a bunch of these things, and when you hear the Secretary of Homeland Security say "target rich, cyber poor" in a testimony, you're like, all right, I'm going to keep using that one, you got to him. And then you hear Jen Easterly use it, and then you hear Chris Inglis use it, and now it's in the consciousness, and now they're singing your song and they don't even know it. But they're not just singing your song, they're adding to the music, because they're improvising. It's like if you saw the movie Inception: you're planting a really simple idea deep in their consciousness that has big, profound ripples. So some of this is you have to have sticky language. It's not just sticky language like protectors, puzzlers, prestige, profit, protest; they want to remember what's that fifth one, and even if they don't remember it, they'll try to figure out what that fifth one was.

So one of the smart things we did on our first birthday is we made a Five Star Cyber Safety Framework for connected vehicles, like just five-star automotive. They already have something like that; it's in their consciousness, it's in their value set. "Oh, what do you mean by safety, cyber
safety? Like, how do you test the five stars?" So we hacked and pivoted a little bit, but we had fancy language like "secure by design," "third-party coordination," but even after we had the flowery language that someone can read in the technical document, the bullets and the meat on those bones, I could say it in one breath of oxygen, basically: all systems fail; we want to know how you avoid failure, take help avoiding failure without suing the helper, capture, study and learn from failure, contain and isolate failure, and inoculate against future failure. They're not necessarily going to remember that, but those five things... this is why I wanted Dave Rogers: those five things and their mapping exercise for public policy, things that they could justify their Code of Practice with, which then became a mandatory three things in legislation blessed by the Queen, going into rulemaking; as we learned this morning, they made it law of the land. So remember on stage I said we passed two laws; make that three. It wasn't us alone; it takes a village to raise these children. But if you look at this document, which cites Cavalry work, many of the references in here cite Cavalry work. We've sort of incepted Japan, ENISA, FDA, NTIA, but we didn't do it maliciously; we kept things freaking simple.

And one of the guys that went to Fort Meade with us in that Avengers photo, David Etue, he was at an ions event and one of the other faculty members was doing an IoT session, and someone said, "hey, what about the Five Star Automotive Cyber Safety Framework from the Cavalry?" and the guy made fun of it, trashed it. And David said, "what's your problem with wanting to patch things? These cars have none of these five things. What's the issue?" He goes, "they're so basic, they're so simple." He said, "that's the point." Like, we can want all these different things, but it's taken 10 years to get even some of these five. We had to start somewhere, and it wasn't to settle for less than we need, but these... we also wanted them to be evergreen. So part of the lesson here is really small lists. Somebody latched on to two of them, somebody else latched on to a different two of them, but these things, in almost the same language, show up in different countries, different governments, different regulators, different best practices, because we played Johnny Appleseed and we seeded a handful of small ideas from odd-numbered lists that are memorable and can fit within a cohesive elevator pitch.

So I encourage you to look at iotc mapping.com. It's not comprehensive, but in the world of IoT they made a mind map that you can cross-navigate and say, okay, this notion of coordinated vulnerability disclosure programs: what are all the documents that relate to it, what are all the things that support it, and they could show a critical mass of support to push something. And I hope no one ever really figures out exactly how many of those dots we pushed, but probably a couple of points baked into that. But that's an oration skill: consonant alliteration, small numbers, memorable
metaphors. Okay, there are others on the list, on the agenda. I'm happy to get to the tab called The Goal. Has anyone read The Goal? Raise your hand. Has anyone read The Phoenix Project? A few more. Do you know The Phoenix Project is The Goal for IT? I had a mentor at IBM who made me read this awful book. It's not awful; it's a fictional novel of a failing manufacturing plant in Ohio, I think, and it's used to introduce what's called the Theory of Constraints. Whether Cavalry members and teammates of the last 10 years know this or not, I use the Theory of Constraints every single day, and it's both a blessing and a curse: if you understand the Theory of Constraints you can't unsee it. Did it go away? I didn't do that. Apparently you can unsee it. Okay.

So Eliyahu Goldratt came up with the Theory of Constraints. It's important to read the book; it basically tells you the same thing over and over and over, iteratively, until you kind of get it. But without doing the entire story or the entire theory: basically US manufacturing was dying and this guy saved it. He saved it through this badly written... it's well written, I'm being a little coy; it's not flowery language is what I meant to say. But this book is transformative for most people that read it. Essentially US manufacturing was dying and our economy was suffering and we were doing the wrong things the wrong way. So when robots came into manufacturing lines to replace people, they cost a lot of money, so people said, "I bought this robot, we better use it all the time." Manufacturing is a series of stations on a snake, and they wanted to use it all the time, so they kept making and pumping out parts from that station, and it was faster than the people before it or after it, and these businesses were going out of business, and they found themselves in a hole and they started digging faster.

So this mentor figure comes to this guy whose plant's closing and his marriage is falling apart, and he says, "what is the goal of every company?" and Socratically he eventually gets them to "well, it's to make money." "Well, how do you make money?" "Well, you fulfill orders to customers." "Well, how do you fulfill orders to customers?" And he just keeps going down and asking all these questions, and what it eventually reveals is that every system flow has a constraint, a bottleneck. So somewhere on that line of 20 stations there's a bottleneck, and your job, if you're trying to optimize for making money, which is fulfilling orders, is that you have to actually finish the good, ship the order and bill it. So your job is to find the constraint, exploit the constraint, which will create a new constraint, and then rinse and repeat. What that really meant is if you optimize before a constraint you create excess surplus inventory and you go out of business, which is what they were all doing, because they're measuring the wrong thing: they're measuring the productivity level of the expensive robots instead of flow. If you optimize after the constraint, it gets you nothing; so it's a lot of work, and maybe you did something that could eventually be good later, but you get no yield. So again, all systems are a snake, they all have a constraint. If you optimize before the constraint, you create surplus inventory and go out of business. If you optimize after the constraint, you get nothing in return. And there will always be a constraint, so once you've solved for that one, find the next one.

Some people don't know why I changed my focus so many times, but once you see a constraint, if you want to have impact you have to flood to the constraint. You can get some parallel action, but this Goal concept is transformative. They even have a graphic novel version if you don't want to read the bad thing; I got it for Christmas from my lovely wife. And The Phoenix Project: Gene Kim and I bonded, after
already being friends, when I said I read this terrible book that my mentor made me read. He goes, "oh my God," because as he was telling me the story of The Phoenix Project I'm like, "are you writing The Goal?" He's like, "you know The Goal?" So he wrote The Goal for IT. And quickly, if you haven't read The Goal: in The Phoenix Project it's a failing manufacturing, online auto parts thing, whose IT is the constraint, and he relives some of these principles, but he adds three, because in the DevOps, CI/CD world, or continuous integration and delivery, there are the Three Ways. Number one: visualize how work flows from left to right throughout the organization. Number two: create and amplify feedback loops and instrumentation. And number three: create a culture of continuous experimentation and learning. So he built on the base bottom line of the constraints with that visualization, but then suggested greater levels of sampling rates and experimentation.

So you will both thank me and scream at me at some point in your career when you notice The Goal in action. But I will tell you that if you caught the CISA task force Lessons Learned panel of the lovely ladies from the CISA COVID task force, like Lisa Young and Michelle Hulco and Kendra Martin, all national treasures: we used the Theory of Constraints every single day during the pandemic, and we prevented a mass waste and spoilage of the first Pfizer vaccines because we could see that we did not have enough dry ice or ultra-cold storage. So never in my wildest imagination did I think that the Theory of Constraints would save lives, but we did spot poor assumptions about the availability of dry ice and ultra-cold refrigeration during Operation Warp Speed. And given how many elderly people were dying at that point, every lost pallet was extra dead people. So the Theory of Constraints is critically important, at least to the way I do target selection, and if someone does want to change the world, part of that boot camp is we're going to help them understand dynamically watching for new constraints.

One way to put this differently is headwinds and tailwinds. I didn't set out to have such an outsized focus on medical devices. In fact, we started with automotive: there are only 20 automakers that we were going to have to win over, that seems easy. There are 10,000 medical device makers, and of those 10,000 the average employee count is, what, 11 or something like that, but of those 10,000, 100 of them are large and 10 of them are huge; at least that was the count a couple of years ago. So we figured, let's not bother with medical yet. But the reason we did is we had such an incredible ally immediately
with common cause, common purpose. So we saw an opportunity in tailwinds and we took advantage of that. One philosophy could have been let's spend 10% of our team on healthcare, 10% of our team on auto, 10% on maritime; we could have spread the penicillin dust across all the sick patients and cured none of them. But at some point we could recognize the movements, and we saw that Suzanne was willing to go further faster, and then we had to adapt and say this is an exemplar: if we invest in an exemplar we can then cross-pollinate this proven recipe. Jessica in Energy took that and she's like, "wait a second, I'm responsible for healthcare and I'm responsible for auto. Healthcare is embracing hackers, auto isn't doing anything." So we pulled together a roundtable and said, "hey, hackers are working with Suzanne really nicely, we like this, you're not doing this, you should do that on your own or we'll make you do it," something along those lines, I'm paraphrasing. But we couldn't hold up pressure on the auto regulators until we had a success story with Suzanne. So that's not necessarily Theory of Constraints, but we also have to kind of watch the biorhythm of where we have resistance and where we have permission, and in hindsight I can't imagine doing it any other way. But we are unevenly distributed; it's like that William Gibson quote I always use for the SBOM meetings: the future is here already, just not evenly distributed. But by virtue of having something that worked, David Rogers of Copper Horse in the UK could put this in the IoT Code of Practice. When you do a proof of concept or pilot for healthcare SBOM, someone can't say it can't be done, because they did it. When Schneider Electric has 4,000 SBOMs and counting on programmable logic controllers, you don't get to make the excuse anymore that no one could do it in OT; they've done it 4,000 times. So I think part of this lesson is reading the system dynamic and watching the flow, which sometimes is related to Theory of Constraints. Maybe I beat a dead horse on that one, but suffer through the book.

How are we doing on time? How long are we supposed to go? I don't know; we're going to go all night, we are the new Rat Pack. No? Okay. We hit most of the things that I advertised, and we do want to pivot a little bit to what's the future. Part of the boot camp... what's that? Okay. Part of the boot camp, if we have a boot camp, is going to be how the heck does government work. I'm not going to do the whole thing now, but I'm going to show you what
it will look like, if you want to remind me later: "hey Josh, I want to see that thing later." So remember Schoolhouse Rock? Who's old enough to remember Schoolhouse Rock? Okay. The part they leave off is even when you pass a freaking law it has to go through rulemaking, and sometimes they just choose not to do it, but they're doing the IoT one finally. Okay, if you were in the keynote you saw these; I'm not going to do all of them, but the lexicon is daunting. It took me many years to figure out what the heck the public-private partnership meant, or what the heck is a GCC versus an SCC, or what the heck these things do. Some of this is about to be rewritten, or at least heavily reformed, thanks to a lot of these visuals and people realizing the old methods don't work. I'm not going to do all of them, but what's the public sector? Can someone answer me what the public sector is? Someone who gets paid by tax money. What's the private sector? Okay, so... nonprofits, yeah, yeah, there are different definitions, and I won't do this Socratically the whole time. Oh, Steve, you were a public servant; do you have a definition, public sector versus private sector? Governments, yeah, yeah. Nonprofits and NGOs are a little different.

One way an economist looks at this, and this is why it's confusing by the way, is that there are public goods and private goods when you talk to an economist, right? What's right for me, or my company, my shareholders, is a private good, a local optimum, and what's good for the public good is a global optimum, right? So take Colonial Pipeline: their choices optimized for their shareholders and their billing, but the consequence was the Eastern Seaboard without fuel for a while. So the private good trumped public good, and that's what we call a failed market in economic terms. I'm not going to do Economist 101 here, but generally speaking, just public interests, which is everybody, and private interests, which are more local; yet we call them publicly traded companies, so private, for-profit, we call publicly traded, so it gets really confusing. I could use some more bourbon.

So the public-private partnership is that there should be some healthy tension between what's right for you as a company and what's right for the country. Well, the way the US government defines critical infrastructure, and in fact I believe the primary author is going to be at DEF CON because I think he's on my panel: during the Obama administration there was Presidential Policy Directive 21, built on with 41, built on with this thing called the NIPP. It doesn't matter, a bunch of acronym soup, but if you don't know how the government works, the three branches of government and checks and balances and what some of these governing philosophies are, then you can waste years barking up the wrong tree. This is not to demean the people who asked Suzanne's team some questions. Suzanne's got regulatory authorities for medical devices, and some of the questions that were thrown at her were "how do you fix hospitals?" She doesn't have any jurisdiction over hospitals. So navigating and mapping who has authorities for which things, how does a bill become a law... it's different in the UK. I didn't even know until today: the Queen's consent... the Royal Assent is the final straw. Yeah, okay, now the King's. At the end it's the final signing of the bill into law. And things start with the speech, right, the Queen's Speech, which sets the agenda. So I learned things about different governments across the country, but at least in the US, without being exhaustive, Presidential Policy Directive 21 set up 16 critical infrastructure sectors. These are the 16; it's things like water and wastewater, food and ag. Each one has a custodian, an agency or plural agencies, that are responsible for the national critical functions within that critical infrastructure sector. They're very siloed, and risk does not fit neatly within those, but that's how we chose to
do it. So in the case of Healthcare and Public Health it's HHS, Health and Human Services; in the case of Energy it's the Department of Energy; in the case of Water and Wastewater it's EPA, the Environmental Protection Agency. Many of them are quite territorial. When we were in government they told us to stay out of their lane: "stay out of our lane, you're in our lane," and they didn't understand that CISA's role was to be horizontal across all the lanes, but that's a different story. But before CISA there's a GCC, or Government Coordinating Council, and an SCC, a Sector Coordinating Council. You've probably heard of this: Financial Services Sector Coordinating Council, Healthcare Sector Coordinating Council, and they have special privileged relationships; they get CIPAC-protected conversations and they can negotiate more directly without lobbying rules, et cetera. That's how it tends to work. Then CISA was born because they started to realize two things. One is they were competing for workforce from a finite resource pool for physical security talent, cybersecurity talent, so do you need a healthcare-specific incident response team, or can you have CISA, a bench of incident responders that HHS can call upon, with shared responsibilities? It's not that clean. But the second reason is it's not easy to manage risk across these things; some things touch plural sectors, so CISA became the nation's risk management center and could identify and buy down risks on things like "provide medical care." Sounds like an HHS thing, but it needs water from EPA, electricity from DOE, transportation, et cetera. I'm not going to show more of that, but I'm going to go really fast to the end, because we're trying to change those rules.

And something I didn't show on the screen was... oh, by the way, look at that beautiful software bill of materials graphic. This notion that you have a final goods assembler, like a medical device that Suzanne's team does premarket and postmarket regulation of, that gets sold into hospitals, and it's either a safe device or an unsafe device, and it can either be okay right now or hacked later. But that final goods assembler is 95% open source, and those open source parts have other open source parts, and it's turtles on turtles all the way down. So that tree, you're going to see it in a second; the PATCH Act made that much easier. And the President recently came out with his National Cybersecurity Strategy through the Office of the National Cyber Director and the National Security Council, and one of the major people just retired from that and spoke to us yesterday. There are five pillars in there, but they're essentially saying the public-private partnership needs a rebalancing: that voluntary alone, free-market forces only take you so far. There's a time and a place to use government power; that time is now. We need to preserve the trust and safety of the public for designated critical infrastructure.

I'm going to put these together in a really ugly unified field theory. Go back to this, because people get confused. So here we go, ugly, ugly, ugly slides, and we'll do more later if you ever do a boot camp. But the kind of things in these ugly models... where some models are wrong, all of them are useful; no, all of them are wrong, some are useful. This is those 16 sectors. I'll get to you in a second, sir. This is the 16 sectors. Who's heard of the NIST Cybersecurity Framework? Who has done all 400
pages okay so the N cyers secur framework is voluntary when I was at Fort me with the story of The Avengers that I told you about um with an newberger um the uh the Chamber of Commerce and the private sector did not want one of the laws to pass there was a Rockefeller snow bill there was a liberman McCain bill they did not want regulation so the grand bargain was let's do a voluntary thing and let's have NIS do it so NIS came up with this NIS cyber security framework written by the private sector for the private sector and it was a framework not a standard you know all that so the blue here is all 16 sectors
can voluntarily apply those 400 pages of controls all of them and that little Punnett square up there says there's the haves and the have-nots we have none yet but there's basically a push to should we converge and harmonize to a point I made to the UK group do we harmonize internationally and collapse all these standards into something simpler assuming we've done it all well we just need to streamline it or do we have to diverge to make sector specific things that are fit for
purpose right and one of the lines that got me in trouble with NIST even though they couldn't disagree with it was at the end of my Senate testimony last year I said they said well what about NIST and I said well um we have a decade of voluntary NIST Cybersecurity Framework and a recent survey from shows that most critical infrastructure owners and operators have volunteered to ignore it um it's not that it's a bad list it's that voluntarily takes you so far all right so that's the blue every single one of these operational environments could do the NIST cybersecurity framework click well what about the have-nots so there's the haves that go
to ISACs that are well funded and there's have-nots that don't so the White House asks CISA to come up with these cross-sector harmonized cybersecurity performance goals you might have heard of them there's 36 38 controls that are the crawl stage of crawl walk run so it is the NIST framework but it's like if you haven't started anywhere start here so this yellow is going to be the cybersecurity performance goals and then they ask the sector coordinating councils and the public private partnerships you should layer some sector specific things on that and then the White House National Cybersecurity Strategy I think Anne's idea was where there's existing regulatory authorities you should use
them and where you lack them you should ask for them because we need to have some minimum standards and the nudge was start with the CPGs at a little flourish and then you can get a subset of the NIST cybersecurity framework and then it says well that's a lot on the operators but we also talked about maybe we need to shift the liability from the victims to the suppliers that put them in harm's way in the first place so is there minimum hygiene so there's some stuff like there that's where you say what about SBOM well each of those operational environments buy a series of supplies from suppliers medical devices are about to be safer
from Suzanne's team so each of those has a supply chain roots to the tree and this is where things like software liability has been floated like as a final goods assembler should you be responsible for known defects and known exploited vulnerabilities you pass downstream without disclosing them and things like Log4j when there's a Log4j do we know immediately which of those subsectors are hit and how badly so that regulators can warn so there's stuff like that now that was much more detailed in these superficial Stone Soup and there's lots more there but like it took me a decade to sort of maybe understand A how it's intended
to work B where it doesn't work and as a result PPD 21 is being heavily rewritten right now it's not going to be thrown out we'll still have sectors and we'll still have subsectors but the notion that these national critical functions can be driven by one and only one sector risk management agency that bubble has been burst we hope but if you're trying to pass a law or something and you're pushing on the wrong agency entirely um then you could waste a lot of time so part of the cyber civics lesson will be what are the fastest paths do you want to start in Congress do you want to start with a regulator is
this something you want to do from the private sector first um it completely depends on which sector we have a really strong regulator at the FDA we are missing regulators for some of these sectors entirely uh we have a really good ISAC in many of these sectors there was no ISAC for food until recently so knowing those constraints and where there's headwinds and tailwinds might be the difference maker for example transportation on the road DOT transportation on the railway TSA so sometimes even the transportation of food can take on slightly different um overlapping jurisdictions I spent more time on that than I meant to but like it is a labyrinth and I'm sure half the
stuff I just said is wrong even though I tested it with the White House they seem to like it so um but this is um you can get lost really easily you can talk to the wrong committee of jurisdiction in Congress and spend all your time convincing somebody who has no authority to push that forward it's different in the Senate than it is in the House okay I'm going to kill that thread anything to add Beau no all right so any other audience comments before we say more yes you were very patient yesterday during the water discussion brought up a point because there's no way to thank you yesterday during the water discussion we
the problem came up of what do you do about all the uh city-owned you know public water utilities and wastewater treatment systems and they only have one person uh and how do we get them uh first of all to comply how do we get them the resources they need to comply and we kind of all generally nodded in the direction of it's a problem is that an area for future focus because are you familiar with the everybody nobody somebody poem no I'll send it to you um but basically everybody knew that somebody should do something but nobody wanted to do that and so on uh we seem to be in that
situation where there's a whole bunch of things going on out there in critical infrastructure where you look at all of those lines and arrows and boxes and at the bottom of it it's yeah but it's either you can't get them to care or they don't have the resources and maybe that's an area to try and tease out of it so should take you on the road with me cuz I was looking for the best pivot to the other half of where do we go from here um I have cognitive dissonance and if there was an easy answer of what to do with the Cavalry I would have put it in the keynote yesterday I've struggled
every single day since January 12th when I woke up and realized it was a decade from the death like I just said okay I have to make a decision what are we doing mission accomplished so remember at the top level there's end it we've done a bunch of great work people can study it we'll document it whatever transform it to be what's missing now instead of what was missing then read the room organize accordingly or combine with other groups to get critical mass because we are in many ways force divided right now we have an embarrassment of riches with volunteerism on projects um but I am starting to feel and see evidence that
it's shifting from uh impact to activity not everywhere um but some of the policy makers feel good because they talk to a hacker and may not have been the right hacker or to depth or to action but the engagement is there that's good but the follow-through and the campaign is not um or they only have a limited attention span and you can't throw all the issues at them so um and it's not up to me like people can do whatever they want to do but at least for my contributions for the next period of time and the people we organize um I want to be thoughtful and deliberate um so I wasn't going to say
this but um also for people that want to start something to change the world like Beau and I have a couple nonprofits we advise or sit on that aren't even the Cavalry right um what you got you had the ICS Village Aerospace Village we're on a board for the 501(c)(3) for the CyberMed Summit how you do your paperwork if you pick a (c)(3) or a (c)(4) or a (c)(6) have hugely different legal and tax implications and if you don't know you might start the wrong one um so some of this boot camp would involve people that we don't have the expertise but we've come to find the people who do have that
expertise so some of this is just like your basic architectural mission vision goals operating structure could be helpful so the target rich cyber poor I will do probably one minute elevator pitch on a couple ideas I had for the Cavalry but I don't think it's up to me I think it's up to the coalition of the willing that reveal themselves because when we launched here we said join us in eight weeks at DerbyCon where we're going to have a constitutional congress establish our mission vision goals with the people that show up so we didn't know the final in fact we didn't really finalize it till ShmooCon following spring we finalized it no I guess we didn't finalize it
touché so um you know part of what I was saying yesterday is reveal yourself that someone wants to fix a problem and we will talk about it um Steve had a great idea that he wants to sell me on later at the bar okay so target rich cyber poor is kind of where my heart was going after I left CISA what I realized is for those 16 sectors if they have an ISAC and a sector coordinating council and not all of them do and if they're effective and not all of them are they tend to have the well-funded top 15 hospitals top 15% hospitals the MCS the Pfizers and if you're in financial services the biggest banks are
the most important players but in most of the other sectors the risk is diffuse it's either bipolar or geographically separated for water and wastewater it matters where it's delivered not just how big the city is because then you have a sociodemographic inequality problem so a deep concern I have is most of the public private partnerships have participation and advancement for the interest of those who join and without malice they're very skewed to the haves not the have-nots so I think the reason I was trying to incept the federal government with target rich cyber poor is they at least try to dampen that bias and some of CISA's programs are looking at K through 12
schools small medium rural hospitals um municipalities water and wastewater so in their annual strategy alignments there is more paid there one of the reasons the White House pushed so hard on shifting liability responsibilities is because the cost is being pushed to those who cannot bear it it's also not economically efficient it's not just about means it's also inefficient markets so that I had built this deck that had the Schoolhouse Rock to show I'll just jump to that picture I thought the thesis for the next stage of the Cavalry was not all cyber physical systems but rather the time sensitive latency sensitive subset of the 55 national critical functions that if you shut them off for 24 to 48 hours people
die not everything kills people right if you shut them off for 24 to 48 hours the people die is there a crisis of confidence in the public to trust the government to govern it doesn't fix the banks it doesn't fix intellectual property it's not the only lens but you could have somebody focused on that so I wanted to look can the Cavalry look at the target rich cyber poor for water and wastewater which was in yesterday's lineup small medium electrical co-ops in yesterday's lineup the food supply in yesterday's lineup and emergency care and I think we could be plenty busy finding ways to give actionable advice free technology stacks crisis management plans at scale to target rich cyber poor
basic human needs at the bottom of Maslow's hierarchy that was a little bit longer than a minute cuz I had to find the right slide that is an idea that we could go forward with number two if you saw my visual that we've had 200 rural hospital closures in the last several years the reason I was so proud of the PATCH Act is better devices help large medium small and rural hospitals everybody benefits but because the average deployed lifespan of a device is 15 years you have to actually still be a hospital long enough to enjoy the fruits of that and if we're having 700 ransoms a year with a six plus week disruption to income when you have four weeks cash
on hand we could see a whole lot more lost rural hospitals so part of me said I can't do this spread myself too thin across four sectors there isn't much of a public private partnership in food and ag yet water and wastewater is suing the regulator right now for daring to ask about CPGs I can't spend 10 more years building a trust relationship like Suzanne right there's not a lot of Suzannes out there we can try to find them but will that get there so thesis two is go really really deep keep on finishing the job for hospitals because you got to keep people alive and then I got overwhelmed because that's not enough I can't do these
sectors serially so idea three maybe we need 20 cavalries which gets to that incubator accelerator boot camp notion of the first half of this chat you know Beau and Jen and Josh cannot and will not do two day jobs for another 10 years but could we have advisers mentors into these new change agents so if there's five of you with five different ideas we could have five parallel movements or whatever the heck you want to call it it has less prone typos for where they killed Jesus of Nazareth um you can call it whatever you want um but could we have some way to get scale and parallelism by both assisting in times of crisis advising training
mentoring uh I also think it would have the additional benefit that donators people who are philanthropic they don't want to waste their money they're willing to give it to the public good but they don't want to squander it on somebody who gives up a year later so sometimes they're more confident in the private sector investing in someone who's in a team that helps each other they may be more confident that Cavalry Academy initiatives do better so let's give money to people that are willing to join the Cavalry Academy you know that's not the name but you know hey be careful that's what you said 10 years ago about the Gathering okay one sec there's more than just those three
ideas sorry to just direct it at you I should be making eye contact with others we talked last year about what the Michigan Cyber Corps is we did a lot at the federal level or the country level there are certain things that are much better done at the local level and you could have 50 state experiments we could have a cyber corps of engineers we could have incident response as long as we have legal protections right because that gets touchy we could have incident response or professional I mean lawyers built into their profession have pro bono work you're expected to do and encouraged to do pro bono work could we have public good cyber security talent pools Ayan Islam who was here yesterday
our intern now in the White House she's in charge of the ONCD workforce strategy so there are some concepts here where we could have a much more federated franchised blueprint or even parallel experimentation like you've done and if you want to see that talk from last year fantastic Arizona is doing something different Colorado's doing something different Boston's doing something different so there's a number of good ideas but I like the idea of channeling someone's instinct to make the world the safer place and giving some parallel action I have fears though that there is a finite pool of resources a finite number of tracks at DEF CON and Black Hat and here and we are whether we mean to or
not we're kind of zero-sum competing for finite resources and what's worse is for some of the policy makers is uh they're getting a little overwhelmed on who to listen to and what to listen to because when everything's important nothing's important so there was an effort before the pandemic that Eli Sugarman put together to try to see if we can have some unified platform across all the different philanthropic that he had funded that meeting didn't go very well but not because it was a bad idea it's just um I don't think we were ready yet to try to find a common platform or a common agenda yet and then the pandemic happened all right so
Russ uh I rise in favor of the Cavalry Academy oh uh seriously um but I want to invite and this is me volunteering by the way I want to invite elevating the vision for it so boot camp and the way you've talked about it has a very kind of rustic and somebody throw together a slide deck and give me a gif for this and we'll have an animal act and people will come away charged up um I don't know how many graduate schools of public policy there are in the United States but there's a lot how many graduate schools are there of public health how many graduate schools of management are there there is
a large established pool an institutional framework for graduate education about how to make change and we'll call it make the world a better place but in the discipline of administration and public policy and organization policy I think there is a huge opportunity to take the lessons learned general and specific from the last 10 years and boil them down in a different way not in a public consumption way but in an academic way in a theoretical way in a rigorous way so I would like to see not the breezy popular book about the I am Academy I want to see 500 page textbook that's theory in practice in case studies that goes into great levels
of detail that puts those people who in those graduate programs who are going to make this their career that they learn from this because what you guys have done you guys collectively is incredibly valuable beyond what you've done beyond the three laws beyond the actual activity there's a pool of knowledge here that if we can crystallize it in I mean use a fancy word reify it make it concrete and tangible in an education sense could take your idea of federation to a whole new level and I think I can help with that you said you're volunteering does that mean you're going to write the 500 page book maybe I think I may have some time on my
hands 5 years from thing I know I know I am a man of many [Laughter] words any other visceral reactions or completely different ideas and don't forget the bourbon uh I think I'm probably a little bit biased based on where I come from but I'd also so my visceral reaction is strongly in favor of the academy slash boot camp slash higher education uh whatever um just because I feel like uh that scales or it seems to me that that would scale better to uh solving this issue at a worldwide level I personally am not uh you know American I live elsewhere and I feel like um this is a problem that other
countries are going to encounter and I think a lot of places even if they aren't gaining from the specific knowledge of like the ins and outs of the US government and how it works I think a lot of the lessons are of how to talk to diplomats how to talk to people in government are likely to be applicable across multiple uh countries and by scaling out that way I feel like the impact could be a lot more and help a lot more people thank you um I think Maurice had to leave but um can you explain the program Maurice went through uh yeah so there's a program called TechCongress who's heard of Tech
Congress a couple of people okay so TechCongress is a pretty awesome program um I think our first year we had uh Travis who founded it come second year and talk about it uh and I probably won't do it justice but um basically if you're a technologist who wants to do stuff in public policy uh they have a program where you can sign up um go through a vetting process application all that and you get at the end of that uh placed with a congressional office for one year with pay with a boot camp I think right they run like a two-week boot camp um and it has produced some incredibly effective technologists who have become
uh public policy powerhouses like Maurice who is here who's awesome um like several other people uh and there's a couple of other programs that are kind of similar uh and they teach some of the policy theory and practice um but I don't think they teach like empathy I don't think they teach you know the uh theory of constraints and uh things like that so I think that there's um even with some of those programs which are starting to get more um there are opportunities to do more with that oh uh incidentally uh part of the boot camp even though I can't make them on my own yet these things are called Wardley Maps they are amazing in the
hands of someone that knows them Simon Wardley created the concept and I only use the vertical axis they're even better when you use the horizontal axis um but systems thinking is one of the things we want to teach and I spent about nine months figuring out can you teach systems thinking or do you have to be you know attuned to be a systems thinker and I found some people that absolutely believe you can teach it um but the reason I brought the Maurice thing is I'll get to you in a second um I was very defeated during Hack the Capitol who knows the ICS Village and so Bryson's group also runs a conference in
DC called Hack the Capitol different than the Hackers on the Hill sometimes conflated but Hack the Capitol is a pretty decent conference he had almost the same track we did last year but six months later with govvies that can drive there so a fairly compatible um focal area and I was demoralized because I felt like the PATCH Act passing in a law on a bipartisan way against millions of dollars of lobbyists against it was evidence that we had a window of bipartisan support that this is a public safety issue and even if the private sector doesn't want it we're going to do it anyhow so we had bipartisan House and Senate get that far in parallel we had
ONCD and NSC with Anne and Chris Inglis saying we need to rebalance public private partnerships and ask more and do more so you had executive branch support and congressional support and life and death stuff evidence of harm and I watched during that conference a ton of the right people in the room and it felt like they were going to blow it like we were still getting lawsuits from the EPA we're losing our political will we spent every piece of energy we had to get the stuff on the table and we didn't have enough energy to see it through and I was pretty depressed about that and talking to Casey John Ellis and Carl and
others I realized that we had about a dozen friends in ONCD and NSC in the White House and they were junior staffers when we met them and back to that antidote to gatekeeping part of our attitude is we invested in every single person that wanted to work with us everyone it wasn't a permission thing it wasn't a skills thing if you wanted to work with us we invested in you and what I said to Casey is I think we're going to miss this Overton window and we might not get another one for 10 years but the heartening part was if we have 12 people in the corridors of power who know our song and are adding to it maybe 10 years
from now we can have 50 you know we can farm Suzannes instead of looking for them and look Jessica's in I wish I could clone her no um no no no no so Jessica um said like two hours ago uh I was a junior staffer right now she's in FDA doing amazing work and was one of the first people to pioneer the ONCD the Office of the National Cyber Director Ayan was our intern and now she's in ONCD running something Nick Leiserson was a staffer for Langevin and he's one of the leadership figures in ONCD so we have that part I don't think it's going to be enough to
cross the finish line right now in this window we worked so hard to create and I think the world will stay more dangerous but when I think longer or generational then we should be investing in tons of students and tons of junior staffers and tons of first year public servants and that's the part that gives me hope is the generational investment so that might be very compatible with your amendment it might be doubling down on TechCongress Travis started there could be all of the above approach but we're going to have to look about what does the world need 10 years from now and I think that's usually going to be inform inspire influence and
educate uh couple of quick thoughts one is you might uh advocate with the nice people at TechCongress to give you some of that sweet sweet space for their little boot camp and provide some education because that's an ongoing program it exists burrow into it um with respect to going the academic route that's cool it's good um and it's probably like for people who are younger than me so I can play the ageism card I'm old enough to do that um I think it would be fabulous to maintain uh some level of outreach say at BSides um for those who for whatever reason at their stage of life
they're not going to go into grad school it's not going to happen okay because I don't got the time I don't got the money but we can do stuff like this also that's all thank you well uh you heard from Spanky yesterday he's not going to grad school uh and he's found his third wind of public service uh stepped up hugely during the pandemic bigly he stepped up bigly um and he makes a mean slide deck all right anyone else we didn't know where this was going to go I really loved the UK stuff this morning I wish I had pulled up more of your content Steve Steve who are you what did you
just do and what are you doing now I'm Steve Kelly I'm now at IST as the chief trust officer was at the White House was at FBI I'm inspired by this conversation and um I was interestingly I've been doing public policy for a decade now and I was going to be the naysayer on thrusting towards more public policy but actually I think I'm convinced that you've got to keep the pressure on and educate the next generation of folks to keep the pressure on policy makers to infiltrate places like ONCD and NSC to make sure that people that have uh received the gospel uh continue to move the ball forward but the piece that I wanted to
advocate for here is uh the first point you made in terms of your three options which was to uh focus on time sensitive latency sensitive systems across the hinterland in the uh target rich cyber poor environment places uh you know rural cooperatives electricity uh small hospitals there's parts of the country where they're just not capable of getting the job done but we have people everywhere you've got universities cranking out people with computer science and cyber security degrees we've got uh people with you know like (ISC)² with folks that have certifications that do have some expectations for public uh service uh built in uh you've got uh in
all these places you've got congressional offices you've got FBI Secret Service folks you've got uh state you know National Guard units all the ingredients are all over the country to team up to engage in those areas where there's a gap and I think that it's worthwhile talking about the big and lofty and moving things ahead that solve ecosystem risk issues like that happened with the PATCH Act and with some of the stuff from the national cyber strategy but someone's got to be on the ground doing the work uh and you know notwithstanding the liability issue which I think maybe you can put that on the public policy list of can we have kind of the uh
uh a Good Samaritan exception to make sure that the folks that are engaging in that way providing advice or even providing services can get some sort of uh liability protection I think that you could create a nationwide movement of folks that not only are thinking in the big way and maybe attending the boot camp and getting more educated on what you just described uh but that are committed to public service and will actually go on the ground and help to make sure that that rural school or that rural hospital or that water utility that serves 100 people uh is secure and the playbook on how to do that can be generated and
promulgated across the countryside so I think that there's room for both the policy side and the operational side but I agree it needs to be quite focused and it's a lot to wrangle so I don't know the full solution don't leave yet thank you for that um one thing I held back but I'm not going into because you said it is one of our good friends from the ONCD Rob Knake said cyber has got to stop being a philanthropy stop being what a philanthropy like we're not going to scale it as long as it falls to volunteers and goodwill and someone choosing I'm not sure he's right or not but it rang true to me um and a fear I
have always had is I Am The Cavalry was supposed to be a personal commitment from anyone who felt called to the mission and while we love it when someone says I love what you and Beau and Jen are doing or I love what you've done or you guys are great thank you for saying that when you do uh we want you to participate right so we get scale from the number many hands make for light work that said Eli Sugarman once told us there are things that the private sector the public sector can't do but the private sector won't do and for those things it falls to philanthropy and altruism and things like I Am The Cavalry and I always loved
that uh I loved it less over the last 10 years not just because it's exhausting and I've scars to prove it uh it's because at what point did we identify an unhandled exception and bring it to someone who can properly own it and at what point do we become a crutch and whatever we do next we would need to have a social contract or an operating model where this is what we will do within which extent for how long with the purpose toward getting it a home yeah and since you've been in the highest corridors of power in the White House and cyber do you have any other than acknowledging yes what you just said as a problem uh do you
have an instinct as to how we could be the trampoline but not the hammock you know can we help make sure things don't fall on the floor but don't own it and I don't mean we Josh I mean we the coalition of the volunteers yeah I think somehow the model needs to be for instance if this volunteer corps shows up in some place in rural Minnesota and helps a co-op get up and running that needs to be then kind of a surge to right as opposed to that will continue forever that uh um I don't know how exactly you get there but that needs to be the
expectation and then there can be some and also a piece of that on the reactive side in a national emergency having these groups of people that know each other and are effective and they know the owners and operators in their area you know that's a capability that can be engaged um but I totally agree with you this should not become a hammock I don't know I have to ponder that more yeah you might have some insight you run one well thank you Steve so um my name is Ray Davidson I well until recently ran the Michigan Cyber Civilian Corps but we did some of the we addressed some of the issues
that you talked about we got some people working together and established some rules for how they work together the thing that I see though is that the problem is so deep and wide I mean the approach that Josh has taken is like we have to think of this as uh not that the problem is too big but the opportunities are vast I mean whatever you want to work on whatever floats your boat you know there's other people probably who are just not standing up to the microphone they're sitting out there in the audience so if you stand up to the microphone they'll follow along they'll do it you know you drop a little thought in
front of it we're all the squirrel right so you dropped a little thought you're going to have people following you and that that is how it works in Michigan we got a bunch of people together people that came like to black hat and Defcon and they would go home or they would go to derbycon uh which was closer for us and they come home and they they were like we last week we were hacking we're bored this week what are we going to do and we'd get together and we'd figure out you know what was fun and we were all white hat you know we didn't want to be not naughty or anything we wanted to
help our neighbors and I live in a small town kalamazo Michigan you know it's it's a really nice not it's not a small town I grew up in Jason aline's small town so it's not that kind of small town but anyway we all like each other you know we're all neighbor neighborhood we're like Mr Rogers so there's people out there that will do it but I trying to organize it in a top down fashion where you have a regulatory group that's going to cover all Community cyber defense you know it ain't it ain't going to work morean uh it it's got to be top down and bottom up and one of the things that I'm excited
about is the uh Center for long-term security uh cyber security and um El Craig Newark has funded uh uh cyber cyber civil defense initiatives and I know Google just gave some money for the creation of uh cyber clinics cyber security clinics and UNLV has one where their computer science students go out and help as I understand it local governments and small and medium businesses who can't afford cyber security resources so there are solutions coming sorry to steal but so um I like the affirmative phrasing uh look at all the opportuni space right um an embarrassment of riches of things to go fix uh and we tend to get excited what was the phrase you used AI this
morning like with the with the kids that grew up saying were really really in the dinosaurs and the trains in trains okay happy to talk to other yes um so we have a lot of passion we have a lot of skill um I'm so grateful this bides community has the heart of a servant or the desire to do something bigger than themselves put things into the world instead of just be live within it and uh you can see these are hard trade-offs and hard choices but um uh I just some of you know this on a personal level um I ended my uh private sector employment last Friday I intend to just have you find me quietly uh
overtly I want to talk to some other thing tanks I'm going to talk to some academic institutions I'm going to talk to some current and former gues and really wrestle through based on who reveals themselves to want to go solve some problems and sometimes the work is chosen by the by the volunteers so um going to be open to possibility space and one thing that's for sure uh in the last 10 years not just the mission but like we've had what we went into the Atlantic Council put my the private sector on hold to go to the nonprofit think tank for a bit you went into the FDA for a bit I had a awful
Blindside divorce for a bit I had had some surgery um we went into emergency Federal service but most of that last 10 years has been having a full-time day job and a full-time volunteer job and I feel like these problems are big enough that I would like to at least for myself have one unified Mission so I'm going to at least give the next one three months to answer that that's on me not your responsibilities but some of you seem like you've heard the call a little bit and we should talk about it um so if you haven't had bourbon yet or if you had some and you liked it and you're 21 years old um or whatever the
law is here uh please come have a little toast and um thank you for your time thank you for your contributions over the last decade had no idea if any of this would work but look at what we were able to accomplish together Cheers [Applause] Cheers