Well. Good morning, everyone. I hope you are able to get caffeine. Good morning, everyone. I do want to acknowledge all of the media that has been with us for the last four days. We really appreciate all of your coverage and everything you guys have done for us, so thank you guys for being here. Moderating this discussion will be Renie Nguyen, former CIO of NASA. Our featured speakers for this conversation on the road ahead are Dave Frederick, assistant w director for China, National Security Agency. Everett Goldstein, executive director for cyber security, retired Lieutenant General Steven Fogarty. Senior executive advisor, luda allen, and her marketers, advisor of cardio technologies, formerly CEO CIA and Dave Richardson, VP of product endpoint security, Lookout. Please join me in applause in welcoming our speakers.

Wow, good morning, everybody. I hope you have shaken off the glaze of being here all week and finally being able to talk to people. We are in a cyber security conference. That is always a good thing, right? So, good morning, everybody. It is great to see you. Given the rapid advances in technology and the ever-shifting political, economic and environmental landscape, the future of cyber threat world is sure to change. This group of experts will explore how this future will likely impact cyber security and things to think about in order to keep up, and we might go back to some of those old-fashioned human factor problems that will lie ahead in the future as they are here with us today. So gentlemen, everybody gets to answer. Hopefully, you will sort yourself out and if not, I will help you if it is necessary. Looking beyond cyber security, what big shifts are happening in the world that will change how we should be thinking about the digital world and protect it? Who would like to start?

I will just run the board. First of all, it is a pleasure to be here at the conference with this group of professionals.
I think as we look at the way ahead, I am forecasting out a little bit. The things that concern me the most, democratic shifts, particularly in the global south, loss of opportunity but lots of challenges. I think supply chains are increasingly becoming an issue. If you think about restrictions that we place on transfer of technology to the PRC, there is going to be a tit for tat and I think we have had the opportunity to purchase a lot of raw material from them. Things that are very vital for everything from moving to electric vehicles to building cell phones. So those supply chains are going to have to be reconstituted. That is going to require a significant investment as we move forward. And then I think that the combination of things we cannot predict, social, economic, political and cultural factors that are really going to drive this, but we have to watch it. And I think this is where you go back to Anne Neuberger's comments earlier this morning. The key is partnerships. So it is foreign partners, interagency partners within the U.S. government, commercial partners, partnership with academia that give us early warning. We never seem to predict these things exactly right but that is going to be the critical aspect of getting through this.

Thank you. Andy?

To Steve's answer, I think one of the things that we should look at what is happening in sort of real time is we are watching a digitally enabled army take on an analog army. And we are seeing the digital army, we don't know how this is going to end. The overwhelming force they went out in the end that I think there's a lot of lessons here beyond battlefield lesson about what a 21st-century capability can do against clearly a 20th-century capability. And beyond us improving and becoming better, I think there are others who are paying attention to this and seeing that David can take on Goliath and maybe win. And so I think it pertains to the defense thing and the national security dynamic as people watch this unfold.
It is wonderful to be here. It is a privilege to be on this stage. If we look at the cyber security ecosystem, I think at this point, we can fairly say it is defined by a constellation of actors who seek, share goals, share norms and cyberspace. And some entities that seek the inverse. And then there is the middle. And that there are organizations and countries that are as yet undecided about what the future of the internet, the global digital commons should look like, and so one of our broad challenges that apply to cyber security but not only cyber security is how we in the United States can create a positive and affirmative message of technologies as being an ecosystem that enables growth, enables prosperity, enables freedom of expression and the cyber security is the enabler of that affirmative vision because there are two main places around the world and we mentioned the issue of supply chain where there are countries attempting to make inroads in entering into commercial agreements, and to supply chain dominance at a way that undermines the collective global entrance and seeking a world where democratic values are the norm and are enabled by security scale and it is up to all of us in this community to convey cyber security not only as they approach protection but as that positive vision to advance the value that we all see.

He represents the critical infrastructure agency. I think those were important remarks. Based on the interconnectedness and the electricity and clean water.

It is great to be back. When I was here last year, I was the executive director and now a new role focused on China.
Eric and I did not coordinate on our comments but I really want to build out on a few key points that he made and starting with the focus on the PRC, we really assess the PRC and the competition between the PRC and the United States and our partners, it is going to be the defining issue for our generation and what we are seeing happen today with the PRC, they are exploring a digital model designed to support authoritarianism and to increase the global influence, so I think that is an area where our partners will have to work hard at to counter and provide some positive options especially in the global south and other regions. Another area where I think the competition is going to be critically important is technology standards. The technology is the main battlefield, the official statement, and we got to work very closely in close cooperation with our foreign partners to effectively engage in standards. Cyber security standards, but we need to be thinking about emerging issues in artificial intelligence and other emerging technologies.

We are sort of in a trade war of sorts with China and what does that mean for the supply chain that we are also accustomed to having on the less-expensive side, so we are talking about a huge economic impact both on the positive side and the negative side. Very thoughtful remarks.

I want to build on what we were talking about. Obviously, there has been a lot of discussion around artificial intelligence. That is essentially lowering the skill gap. It has become so simple these days to generate compelling automated attacks whether that is phishing websites and those kinds of things or sophisticated, those kinds of things where that used to be something that required a highly skilled individual to be put into a very dedicated effort. You can buy online very easily but it is becoming even simpler than that with the rise of artificial intelligence.
The flipside, this is also a tool that can be used for good, can be used for sorting through massive amounts of data, something that needs to be embraced by organizations. As it was mentioned earlier, an attacker only needs to be right once and the defender, you have to be right all the time in order to successfully defend your organization. Artificial intelligence, that is a big one. The other one I would say, post-quantum encryption. Whether you think about a world that is four years away or five years away, a month away. There will be encrypted data stores given enough time and money. Every source can be broken. The organization needs to think about where the data lives and who has access to it even if it is encrypted because there is a clock on that and someday, someone will be able to get access to that data.

We are preparing and you had mentioned there was probably a pretty important vulnerability out there that our audience may benefit from hearing about.

If you have not seen the news late last night, Citizen Lab sent out a vulnerability disclosure around called BLASTPASS and it affects pretty much every Apple device out there. And this is a pretty scary exploit. What can happen is someone can send you through iMessage what is called a PassKit file which is basically like your boarding pass, for your flight later or something like that. And your phone automatically parses that when it arrives to generate an image and the act can exploit your device remotely. So you could receive an iPhone message from an unknown number. You don't even have to open it, see it, know that it happened and your device can become compromised remotely and infected with advanced spyware like Pegasus and this is found in the wild. Apple put out a patch last night for all Apple devices. You should get that updated as soon as possible. These other modern threats that exist these days.
And it is now compromised and the attacker deletes the text message and deletes the notification and you don't even know what happened. Somebody has been living in your phone, watching everything that is happening in there.

Thank you so much. And remember, a friend is not going to send you tickets to Taylor Swift. So just keep that straight. This is audience participation. Not until we are done in 27 minutes and 47 seconds. Don't do the update. Pay attention to these guys. There seems to be an emerging conflict between developing technology focused on decentralization and traditional political and economic entities wanting to leverage technology for control. How does this play out? Steve?

This is nothing new. This is a constant. Particularly for those who have been on the government side, have worked the government side. Have flipped to the commercial side, it is actually a very interesting viewpoint. What you realize is you're working toward the same thing but the value systems of the value change may be a little different. But I think a lot of people would look at, Web3, blockchain. So that becomes this popular discussion and I kind of follow on the Molly White viewpoint which is it is a bunch of scammers, a bunch of hucksters, people that are out there and what is the value proposition? And so, that is one example of where you can be. I think there are other examples. You said AI. Certainly, AI, generative AI. Quantum either computing for power or encryption. So the technologies will come and go. I think you said it very well. In 2018, the issues, the concerns they were facing, they are not the same ones that they are facing today and part of that is change in technology. So where I am at on this right now, that tension can be useful. And I think it is not just government, not just big business. The little guy out there, there are a variety of factors well beyond the technology and sometimes, you can jump right into the technology.
I think it is important to look at some of those other factors. There are social factors, economic factors, political factors. Cultural factors. If discussions we are having in the U.S. or that you might have in the European Union, you might have in other places in the world may be very different than the discussion you are going to have in China or in Russia. And so, this tension between freedom and oversight or compliance or regulation actually, I think, is very valuable. Because some people are going to be pushing the limits and sometimes they get themselves in trouble very quickly. They always either want to look for someone to bail them out or there is another group that are exploiting gaps in regulation and oversight in compliance. So there is a role for both the government to be involved in this space, there is a role on the commercial side. And certainly, there is going to be a very round, increasingly more political role in this. And so, I think where we have to be at the end of this, clear communication, very good partnership between people deploying the technologies, the government who can provide some oversight. I think the challenge frankly for the government is getting expertise to understand the technologies, understanding the second and third order effects. Most recently, chat and some of the other AI language models just create this firestorm. And I am sure in the big companies, they probably did not receive with that reaction, that visceral reaction was going to be. And the government is still trying to swear out, what is the role of government in this space. And so, the question outcome, tension is always going to be there and that is actually okay is what I am saying.

Eric?

We are in the middle of an interesting and dangerous period in the cyber threat landscape and I characterize as a deepening and a broadening of cyber security risk.
And the broadening, we are talking about the democratization of cyber capabilities manifested most tangibly by the ransomware system where you are able to rent functionally rent structure without any training and launch attacks on victims of your choosing and even leveraging access brokers to gain access to victims in order to execute malicious intent. If we combine an ecosystem of that nature with increasing ubiquity of generative AI, we are further reducing the floor to launch damaging intrusions. We are further democratizing the availability, capabilities to actors who have malicious intent but no capability. Now, really all you need is the intent and a little bit of money. Combine with what we also see which is the deepening maturation and sophistication of some of our adversaries and I will call out the advisory released on PRC living off the land techniques which is extraordinarily challenging trendline where instead of using traditional malware, traditional infrastructure that is detectable by these cyber security tools that we all know and love, that is not going to work anymore. And you actually need to understand the activity on your network to such a greater degree that you can detect anomaly that indicates adversaries using legitimate tools, network management tools by your administrators but from malicious intent and to gain. You see this as an intersection, democratization and advancing. What does that mean? It is a focus on resilience. The fact that if our goal is to respond in every context, we will never succeed because we are never going to keep every adversary out of every network every time. What we can do is make investments to make sure that whenever adversaries gain access, we limit their ability to cause harm on American organization and the American people. That is a bit of a cultural shift because it takes us out of the box and becomes much more of a business issue and business continuity issue but that is where we need to be.
What we encourage, we are a little bit preaching to the converted but let's try to get out into the broader world and speak with the business community about how we can join these disciplines and make investments.

Thank you so much, Eric. How about you, Dave?

I think the part I would reinforce, one is a trend that has been very positive is the relationship, the partnership between the government and the private sector. I think there is still a lot of room to get better but when I kind of reflect back and when I first came out of the intelligence side, focusing on cyber and cyber security around 2016 timeframe, it isn't improved so much. Continuing to work on that, the private sector with cyber security and with government support, I think it is going to be critical to deal with these trends. The other piece I would like to way through, how do we have an effective conversation with business leaders about investment size cyber security. There is the risk of folks pulling back on investments so how can cyber security community have an effective conversation about risk? Make sure we are not too much in the mode where we are trying to make the case and trying to keep the foot on the gas in terms of deeper improvements to network and hygiene. The resiliency through zero trust. Recognizing that this is ofttimes the call center. How do we get for that? I don't live in that world. I don't envy the folks that have to make those cases. I do think the work like we are doing in the government with the advisories is helpful in the sense that we are trying to communicate some of these risks to broad audiences. We are not just keeping advice in the family anymore and I see that is a major change across the interagency and with our foreign partners. It has been very positive for the whole community.
I just want to remind folks as we talk about our external threats, you might want to think your internal threat and the more complex environments these are, your insider threat is as complex and hard to catch and monitor but some of these things that we just talked about can be turned inside to find anomalous behaviors downloading it at 3:00 a.m. when you are on the east coast and they did not just have a newborn. As we move toward energy sources, the need to attach digital space opens more area of attack. More surface area. How do we think better about security at the edge? Eric, I will start with you.

It is a truism that securing an enterprise environment is just getting more complex by the day. Whether it is bring your own device, whether it is mobility, whether it is hybrid. It is really challenging and for a small organization, it is practically impossible. We have the need to really focus as a community, how do we help organizations simplify? How do we help organizations prioritize? And we have seen really exciting work in the vulnerability management space to say, if you try to address every vulnerability or misconfiguration on your network, you are not going to succeed. If you focus on critical high vulnerabilities, you are allocated resources. How can we help you identify the smallest number of vulnerabilities to focus on, the smallest number of controls to deploy a test, to achieve the broadest benefit? Here are 200 controls and 10,000 vulnerabilities. So we are looking at this in a few ways. First of all, we focus on our performance as being succinct steps. And also help the organizations focus on what are those vulnerabilities that are being exploited. Let's start there and build out but it is reasonable to note that mature organizations have a vulnerability management program where they are able to triage and prioritize the risk. The vast majority of organizations don't. So how can we make their lives easier?
How can we relieve them of the burden?

I think that is an excellent point. Those that are closest to it can also time management. Should there be a freeze on your network updates for missions since I worked at NASA watches and stuff like that. We know then also when you can do it, not just if you can do it and when. Sometimes when is just as important. Dr, we are talking about at the edge.

I actually first want to build on that vulnerability management point. These types of vulnerabilities, when they first come out, they are nation-state level. Actors know how to exploit them. Months later, anyone knows how to exploit them so there are time limits on the vulnerabilities. Prior WebKit exploit called Trident that had been used to infect devices with Pegasus and malware. It was a series of three exploits in WebKit to compromise the device. That same exploit chain is how if you look up a YouTube video or how to jailbreak your Nintendo Switch, it is the same. That exploit went from nation state to script kiddie to literal kids using it to pirate games on the Nintendo Switch. In the course of nine months. So it is important that you also think about the timeline on vulnerabilities and getting those patched and understanding what needs to be done day zero, what needs to be done day 30 and all of these things that are remotely exploitable, they need to get caught up and they need to get patched. On the point of edge coming back to that, security has always been the pendulum that kind of swings to secure the networks, secure edge, centralize kind of swings back and forth. I think the right answer is of course all of the above.
Good best practices that we all know and they talk about this idea of cyber security architecture, the idea that these things need to be in communication with one another, your edge devices need to understand their own state but you also need to understand from your network and if you are thinking about renewable energy, these modern sources, you need data centers on wheels, right? They probably have more in common. It is like a tablet that drives your car. They have more in common with iPad than they do with combustion engine vehicle that you would have bought a decade ago. So it is a completely different model these days and you need to think about how do I secure that device?

Just a workforce type that I heard in here about the Nintendo Switch. If the third-graders go phishing, sign them up. Good. All right. AI and machine learning. They appear to be creating a new environment for such things as over-trusting technology and increased potential for deception and misinformation. What are some of the implications you see as AI begins to reach its full potential? I just want to remind you guys that AI and ML are already on Mars and the rovers that are up there, right now. So we have already put it on another planet. Let's talk about how we can really capitalize on AI. So Dave, why don't you get us started.

First of all, I was a little worried once Dave brought up the exploit that we were going to lose the whole audience. I was glad after hanging in there for 27 minutes, I was getting ready to run out the door. So I am sure for folks who have attended this conference the whole week, they heard a lot about AI. I pivoted back to my main focus which is the PRC with both an example, a recent example and kind of a look to the future. As one example in 2022, on a major usled, and able to run a basically complete fake news entity through a number of AI generated videos called Wolf News.
Surprisingly, it was pro China Communist Party. I think as an example, if we have an adversary that is able to take advantage of a major usled for some period of time, that is kind of the tip of the iceberg on where this is going to go. The work in the future our regulatory framework, the U.S., how is the U.S. going to look at setting some standards on dealing with the fake media? Certainly, innovation and detection. But I think it is going to open up a whole range of challenges. It will enable both malign information, it is also going to enable our adversaries to do propaganda more effectively across multiple language barriers. If you think about China's efforts to really shake information globally, certainly expect many nations to take advantage of these capabilities to be more effective in their propaganda campaigns. We will be watching that closely. I think there's a lot of work ahead for the community on really grappling with this challenge of AI and getting the right framework in place to strengthen and follow our values that gives boundaries for the technology to the extent that we can.

An east?

To build on that, the CIA, we spent a lot of time and effort trying to understand Soviet denial and deception. And they were very good at. But that is child's play compared to what exists today. So that is going to be an enormous effort. The idea to be able to tell real from fake. But when you are making national security decisions based on information that you have got to be able to tell real from fake, you are in a different ballpark. Analysts, whether they are your favorite three letter agency, right? Trying to make sense of the world for policymakers, what we use for the longest time was to be a sieve. We put a bunch of information in there and checked around and it would allow me to look at stuff that I needed to see so that I could help form a policymaker. That doesn't work anymore because that leaves a mountain of information.
Now I have to rely on something that I don't understand which is true for most people to draw conclusions and show me the conclusions so that I can figure out how to make sense of the world. So that puts someone who is doing this trying to make sense of the world for a policymaker to understand how that thing works. Otherwise, do you trust it or not trust it. At the same time, you have an adversary who is trying to fill it by inserting information. And offering it up to you. So it becomes this spy versus spy game with an ever-changing environment and a constant reason to keep turning on AI. Your AI has got to get better and as someone who is trying to make sense of the world, you are going to be able to say something is wrong with this AI. Something is not working right. First of all, it is going to take over, really smart people believe this is going to take over. I just don't see that ever happening. But it is a very valuable tool. And I don't think we can go forward without using it as a tool. It is sort of saying, you know, I don't trust this thing called an automobile so I will continue to ride my horse. It is not going to work for very long so we have to move this AI enabled world but I think it is going to require almost an education campaign for people to understand what it can do and what it cannot do. What its propensities are and it opens up a whole another realm for people to understand as they try to make sense of the world.

Thank you for that.

Is another factor that people need to think about when it comes to the available generative AI tool, how are they training this data and is it training on your data? Is it training on your organization's data? Do you have the right policy to keep things in place to make sure that you are not accidentally feeding information that it is learning on and continuing to get better on that it is actually proprietary information. That is one factor that you should think about. A world we are where you don't trust anything.
You can accuse evidence of being fake. Whether there is an audio phone call, video, of you committing a crime or something like that, it is all fake. It can be fake. I think the authenticity verification, like we are going to need tools to build authentic, verifiable video, authentic, verifiable photos that this came from a legitimate source which is going to mean more metadata, more additional details and other factors that our adversaries also try to fake and try to fill all of this in to try to get us to a place where we can try to sift out what is real and what is fake. I am also worried about that flipside where anything can be accused of being fake at the end of the day.

That is an excellent point. We are coming to the end which I thought went incredibly rapidly and there were so many nuggets including the spelling opportunity for you provided here and a PSA for your Apple product which you can do upon conclusion of this event, right? But I want to summarize what I think are some of the key points in our connected world and that is resilience, being resilient is deeper, now, and far more broad than it was even just a couple of years ago. Partnerships are key whether it is a partnership with cyber professionals, your mission or your business entity, partnerships with your board and other in the private sector, partnerships between the private sector and the United States government in terms of keeping this awesome country safe. Cyber is an enabler. It is not a prevention. It is here to protect you. It enables the business and it helps you address risk. You don't want to be that Apple product that just interrupted your phone that you live by and that supply chain is far more complex than it was and if we go toward renewable energy, those materials that we need, there is a geocomplexity associated with the modern world and the world that is about to come. AI announces great opportunities. People like me will still have jobs. Thank you, Andy.
It is still going to stay in the loop. It is on other planets. We have already done that. If they find water, we will definitely see what happens. And it is being protected in a post-quantum encryption world. That is definitely coming in 24 and beyond. So remember, the threat actors, the big apex hunters are still out there, the sharks and the lions but the emerging actors, it is a lot easier to get into the game and attack you, your business, and your government. With that, remember to update your Apple products for a safe journey.

A fantastic panel. It is becoming increasingly obvious that the cyber defenses can be better informed by leveraging those who are taking a more proactive approach to countering the threat. In our next session, how full spectrum cyber operations enable each other. We hope to offer ways in which the U.S. government is working to enable direct interaction between the two groups. Rendered office, senior vice president. Joining him on stage for this discussion is Timothy Vance, senior director cyber offense defense expert to Raytheon. Andy Board, former director for the Center for Cyber Intelligence, CIA, and Nicholas Hold, deputy to the commander, Cyber International Mission Force. Please join me in welcoming this panel to the stage.

Thanks to our panelists who are still here and thanks to those here Friday morning. A quick shout out to your mom, my husband. Just a great discussion to have around full-spectrum. So I wanted to start with a statement, a hypothesis statement that is going to undergird our discussion today and I will read it. It is to prevail in conflict, competition, the whole of our community must execute full spectrum cyber operations softer and more effectively. That is sort of the hypothesis. You can imagine when we all got together on the phone, one of the first work, let's define full-spectrum.
This conversation can go a lot of ways it shouldn't and isn't allowed to so the panel to mean the full capabilities and partnership required to address all of the threats across the full spectrum of national power. It is a pretty broad definition. Jumping into things, and the national cyber strategy, we have identified the need for more integration to disrupt and dismantle threat actors. Military, kinetic, nonkinetic, intel, law enforcement so I wanted to start the first set of questions. I just want to get your point of view on how we are thinking about these requirements. When you think about what is in motion today and the Department of Defense and the intelligence community to achieve this vision laid out, where are we? How are we thinking about those requirements? I would like to start with you.

Great. First off, thanks much to the great team here for having us and giving me the opportunity to talk about the great work the men and women are doing every day as we persistently engage. I think it is really about partnerships. When we look at the scope and the scale of the threats we face in all domains but particularly in cyberspace, you cannot do it alone. It takes strong partnerships between the Department of Defense, the intelligence community, other arms of the rest government and industry. Industry maintains billions and networks all around the world. And that is where the threat surfaces and that is where the attack services. So how do we work together with industry to take what we know and what we are doing in the government, share it with industry, learn from what they are doing from best practices and share intelligence back and forth so that together, we can really confront and defeat the adversaries.

So I like to use the metaphor on how we executed the war on terrorism since 9/11. Sometimes we look at cyber as a new environment and in a lot of ways, it is not. It took a couple of years to get U.S.
government community integrated in a sense that is relevant. When it all started, intel community, special ops community and regular military were kind of all doing their own thing, but we integrated. I think we are much farther along on that than we were 23 years ago on the CT fight, where the intel community, the title siebel Cyber Command are well integrated. Prior to and you made reference to the cyber strategies, disrupt and dismantle, again, in a very different context. Vastly different than disrupting and dismantling a terrorist threat. But a lot of the same instruments and national power apply. Five, building an international partnership to defeat this threat. Something at least in the context of the CIA we have been doing since 1947, building international partnerships but sharing. Sometimes the CIA has better access and we share that across the board when it comes to cyber threats with the State Department and the rest of the intel community, and sips has an international portfolio but not as many folks overseas, so we do integrate that entire community. You made reference to the private sector. I think that is the one thing that is vastly different than the counterterrorism. The private sector owns the industry, cyber infrastructure, and so we have to integrate that and that is the major difference.

It is really a partnership and the underlying tone and these responses, we are focused on mission. The more that industry can understand the missions and the things, we don't do this for sport. We are developing capabilities, operational use and conflict and other uses. We want to make sure that the more we are closely partnered with the government, the better we are able to develop those capabilities.

We will come back to the capabilities in a minute. First I wanted to take the conversation we are having and put it through the lens of what we have seen in the conflict in Ukraine.
From your point of view, what has the conflict taught us about the integration of defensive and offensive cyber and its role during wartime?

If that is an operational example of the strategy we are talking about, we collect intelligence along with other elements of the Intelligence Community that then inform operational decisions. We cannot do that alone. We made reference to the private sector but we cannot do it alone. We need our international partners, and we have had some Ukrainian officials in the conference this week, and they have done an extraordinary job utilizing the tools and power they have in Ukraine to defend against the Russian envelope. We have been integral in that. The first day of this conference referencing utilizing intelligence ensuring that intelligence across the NATO partnership but also with Ukrainians, I think that has been decisive. But what has also been decisive is the engagement from american cant denise companies. Not just since 2022 but 2017, where the Ukrainians learned a great deal on how to protect their critical infrastructure and protect the government systems. I think we in the United States and across the world should learn from our Ukrainian allies and the enormous capacity they have built since 2017 and prior to that. And the human capital that they built to defend their own networks. None of that can be accomplished without the integration that we have had across our communities from the U.S. government side and our international partners.

Let me ask you through the lens of Cyber Command. Looking at Ukraine, looking at the role of offensive and defensive side, what is your outlook?

A couple of things.
We had on the ground in Ukraine and right up until the very last days, working alongside Ukrainian partners to defend Ukrainian networks against cyber attacks and to discover threats, new and novel threats that we are seeing, bring those back, share them with network defenders inside the United States across the government and across industry to really learn about how we can defend together against these threats and learn how we can optimize both government, allied partner systems and private-sector systems to defend against the threats and share information bidirectionally. We found networks that we shared within industry, enriched data to defend networks here at home and share that information back with you. The other thing we learned is that partnerships are built on trust. You have to build trust by working together, by working side by side to advance common goals. It is really in building those partnerships and deploying teams to defend forward with allies. And the amazing things that we can accomplish when we work with our allies backed by industry and backed by the rest of the government. This has been the real big lesson that we have learned from Ukraine.

If I could add on, I find myself explaining what cyber does across the spectrum. Some of my colleagues less familiar with that may say we have an allied partner who really needs help getting their act together and defending their network. Need to hire a company to help them do that. I say we already have that in the U.S. government. So that gets to your point on how we integrate. I honestly think that the tenants were one of the greatest tools that we have in our arsenal on the cyber defense front, and building that trust and partnership across the globe, I could not say more about your teams.

That is really the great thing about it, it is a combined action against common threats. It is not a training service that we provide. It is sort of a qualified contractor.
It is really our operators learning how to work together to identify and defeat common threats.

Just a little bit in the light of what we have learned, talk a little bit about, the Department of Defense, the Intelligence Community have the right mechanism, the right capacity, the right partnerships and the right data to be inoperable. I heard you say more advanced today, we are making a little progress that we truly have those? Or are there areas we are still working on and trying to advance?

I think we do. I think that the problem we have is that there is so much data. There is so much data, the attack surface is growing every day. Our adversaries are adaptive too. The threat landscape is changing. So where we used to hunt for tools and look for indicators of compromise with high-end malware, now we are seeing PRC actors. Native Windows commands and hiding in regular networks to operate, and that is really hard to unpack because if you don't know what your network looks like at a very granular level, you are never going to see that anomalous activity, and you cannot run an antivirus program to find it because there is no virus. So I think the challenge that we have, whether there is an opportunity for defensive adaptation of AI and machine learning, to baseline networks, to make sense of the data and the normal behaviors on the networks and to help identify what is truly anomalous. What really doesn't it. Even as we look to a casual observer or a practice. What is something that would look normal? And I think that is the challenge we are confronting now.

The data, we are swimming in threat data and we have two very different systems. We have an enterprise system at the level that doesn't connect the data on some of the cyber threats, the private sector has, integrating those for the intel community, at least. But I do think the Security Director has given us a roadmap over the past five or six years.
In my opinion, the intel community outside should follow that model on how we can securely integrate those two streams of data in a classified sector, because if we don't, we will miss a major portion of the picture.

Industry partners have been in the full spectrum for a while. When you think about, and you mentioned capabilities earlier, when you think about the solutions to capabilities brought to the government either from industry or on the smt community five years ago. How do you think about and how should we think about the right way to achieve speed, agility, operability from a solution standpoint? Maybe we can talk a little bit about with the government point of view, and we will start with you.

It is really two pieces from a technical perspective. We want our offensive and defensive to believe they are at the top of their game. Having those teams work together and play off of one another and inform the solutions that each of them are developing are critical. The attacks are standing daily, so we need to be thinking about these problems and developing new systems with that kind of nation-state level adversary in mind going into the design of the systems. I think for industry, to answer the second part of your question, I think we can look at those things from a contractual point of view. We talked about speed and agility, iqs, industry and government both go faster to get these capabilities to mission more quickly, and I think government needs to hold industry accountable in terms of the contract vehicles. There's a lot of kind of level of effort and contracting done in this space. We need to get more of a results-based model so the industry is held accountable to actually deliver capability. They said we are not doing this for sport. We want these to be operational and our government partners succeed, so we want to make sure we are supporting that.

You are shaking your head.

The private sector leaders are presented here.
Who I have been speaking with throughout this conference, I think they understand thoroughly, intel community authority requirements. The talent pool in a number of the companies represented is extraordinary. As a talent pool in the government, we just don't have enough. We need to make more of them. But as far as integration, I think across the board, we are fully integrated. My workforce is results oriented. I do think for the most part, the private sector, as long as they adhere to that, that makes it easier to integrate the mission, because if everyone is dedicated to the mission and the intended results of the mission, and everyone has the same job. It is a willingness to put a lot of effort and I think we are there for the most part.

Nicholas: I think it is all partnerships. It is about building trust through common goals, common objectives. Setting those objectives together and building habitual relationships. We talk about the collaboration center, Cyber Command has a program called Under Advisement where we collaborate with cyber security companies in an exchange of information where we bring things we learn from our interaction with other government partners. And bounce things in real time off of cybersecurity professionals on a really collaborative basis, where we look at data and go off and use the data to defend our networks.

Moderator: We have a little bit of time left. Look at full spectrum operations, if you could wave a magic wand and create new capability, new partnership, what would that be? If you would be able to prioritize one thing that would help the full spectrum operational success, what would that be?

Andrew: If I had a magic wand, I would be more fun at parties.
Nicholas: As we look at cyber actors increasingly live off the land using native commands to do their exploitation, there is tremendous opportunity there for smarter tools that cannot query across commercial data and classified data. To get those pooled together in a way we can really find these threats together, because it is not just government networks being threatened. It is allied networks, partner networks. The other thing is as we increasingly defend forward, our allies' networks are getting more complicated as well. Our tools need to keep pace with the evolving threat landscape and increasingly complex networks. That is about integrating machine learning at the front end, so rather than just collect them at the front end and pushing it forward, we can do more advanced processing to find these more advanced techniques at the front end. And initiate immediate response action rather than having a delay. I gave you two things.

Moderator: That is fine.

Andrew: If I had a magic wand, we would have 10x of the human capital coming out of schools with the skill set we need. We would hire extraordinary people, computer scientists, electrical engineers, but not just that. People who have an understanding of technology, but may be humanities majors and can write and translate technology into operationally relevant discussions at the director CIA level. We have a phenomenal group of people, but not enough. I think we have the academic programs to develop, but I do think we need to do a better job in the U.S. government of marketing the opportunities in the U.S. government for people with STEM degrees. With non-STEM degrees but an interest in cyber technology, because if we do not, we are not going to have enough human beings to deal with this.

Timothy: I would say our industry has always been short-staffed. I do not see it changing, but we are trying to come up with innovative ways to solve the problem.
Get better training programs that are more action oriented around exercises and better preparing people for this career field, but also creating an environment where people want to come to work every day and try to solve problems that are not necessarily meant to be solved. We have to create that environment to attract and retain talent. The second piece is leverage the new technology, whether it is automation or AI, to better the workforce we have to be more effective. If I had a magic wand, until we can solve the problem, if we could simplify this problem. There are 15 steps or whatever it is, if we could have 14 steps and focus better on the 14, I think we as a collective industry could be more effective.

Moderator: Thank you all. Any closing remarks?

Nicholas: Thanks for hosting us. We have to figure out how we can attract and bring out the best in every part of American society. Bring in, get them the training they need, give them the meaningful work they deserve. And figure out how do we let people go and bring them back? Part of being a good partner is learning what your organization looks like from the outside and learning how other government agencies work. One of the things we're thinking about in Cyber Command is how do we leverage our alumni networks and make it easier for people to come back, how do we leverage the tremendous talent that exists in the National Guard and the reserve components. It is really great to see that happen and to see the couple of thousand young people we have in the Cyber National Mission Force come to work every day.

Andrew: I would just say thank you again. Having a venue like the Billington summit to get our message out, for many years the CIA in particular is kind of a black hole. We have been doing this in other venues as well, trying to get the message out that the CIA should be considered an employer of choice for technologists. We just have to keep getting the message across.
So that we can get a healthy cycle coming out of school directly or in the private sector already who want to spend some time in the national security arena. We are trying to accelerate security clearance process to enable that. We are not there yet. We are getting there. It is critical or we are not going to get where we need to be.

Timothy: I would just say thank you. It has been an honor to share the stage with you. The theme that has come out of this panel is the message of partnership, whether it is government to government or industry to government. This problem is not getting any easier. It is going to take all of us working together to solve it. There is a lot of opportunity in front of us.

Moderator: Thank you all for the time and thank you to our audience. [applause]

Every day, thousands of cyber personnel work to ensure our nation is secure. With our next panel, emerging cyber leaders, we wanted to provide you with the uptick of what this looks like at operational level. Our panelists make decisions every day based on the real world events they are addressing every day. Moderating this panel will be Byron Love, associate director for program management at Raytheon. Joining him on stage are Lakshmi Raman, director of AI, CIA. Kenneth Chew, unit chief, cyber division, FBI. Jay Bhalodia, Microsoft Federal. And Lieutenant Colonel Stephen, joint task force commander, Cyber National Mission Force. Please join me in applause in welcoming our speakers to the stage. [applause]

Good morning, everyone. My name is Byron Love and I am the cybersecurity program director at Raytheon. I had been looking forward to this conversation all week. As you have heard, there has been many great speakers here at the Billington conference. Cybersecurity looks different from the trenches. This morning we will have the opportunity to hear unique perspective on leadership from law enforcement, the Intelligence Community, the military and from industry.
A great way to start is with introductions. I would like for Lt. Col. Stephen Hudak to begin.

Lt. Col. Stephen Hudak, United States Army, cyber workforce officer. I've been in the Army for 16 years now. I have been serving in the Cyber National Mission Force. Master's degree in computer science. Getting to do the job I love in the Army. In the Cyber National Mission Force, lead the team of 150 individuals across the Army and Navy to help defend the nation.

Jay Bhalodia, managing director for customer success at Microsoft. I lead a team of amazing technologists that help our federal customers achieve security outcomes with Microsoft solutions. I have supported some form of regulated industry throughout my entire career. Focus on the federal government in a lot of different capacities, including operating programs. The mission is what calls to me and it is what I try to instill in my team as well. Really thankful for this panel. Really excited about being on stage with these amazing speakers.

Director of AI at the CIA. Started at 21 years old. Feels like yesterday. Worked my way through as the developer, program manager. I ran enterprise data science until I moved into this great job, which is about driving AI strategy and strategic implementation across the enterprise. [indiscernible] Who did not hear me? [laughter] Do I need to do it again? Director of AI at the CIA. Started 21 years ago as a developer. Moved my way through program management, running enterprise IT projects. Enterprise data science to include the entire management of the data science cadre. And finally into my current position as the first director of AI for the agency, which is about driving the AI strategy and strategic implementation.

My name is Kenneth Chew. I am a unit chief in the FBI's cyber division. I have been with the FBI for 18 years. I have supported a couple of missions. The counterterrorism division. I moved to support the FBI's cyber security mission in 2016.
I am really happy to be on this panel to talk about things.

We have some great experience and talent on this panel today. Let's get started with our first topic, cyber challenges. Cybersecurity environments face many challenges, from personnel shortages to tools fatigue. What are the biggest challenges you face when it comes to meeting the requirements for your job? Who would like to go first?

I will start it off. I think cyber is an inherently challenging domain. What you will probably hear is challenges across the entire cyber enterprise are not too dissimilar. When I think about advances in the last decade, it is a rapidly evolving environment, not just for us, but for adversaries as well. At the Cyber National Mission Force, no shortage of people. A lot of people who want to join, want to be a part of the mission and defend the mission. Training those people and retaining them is an opportunity for us. Getting people to stay at, getting them exposed to the mission is something we are able to do and help drive people to stay.

Same thing for me. It is a humane challenge. There is a challenge of shortage. When we build our organization, we hire for adding to our culture. We hire people that are passionate about the craft, the industry, customer outcomes. When we have a situation where we have less capacity than we have demand, it creates a tense situation. When you have passionate individuals, we are not going to let capacity stop us. Shortage and capacity was good yesterday's problem is exhaustion. That is a big area. I think recognizing our people, but managers get exhausted too.

I agree with that, we are all running at 1000 miles per hour. It is important that we are thinking about the people who work for us and their wellness and how we can support them, but also get the most for our mission. When I think about the AI cyber nexus, we're thinking about data availability and quality.
Working with industry partners, how are we going to integrate any potential solution they might have into our systems, which are very unique from a security requirements perspective. We also need the right talent. Like everybody in this room, we are all trying to find those artificial intelligence practitioners who know how to do this work. And we need to be able to do it with ethics and legal implications in mind. Trying to pull all of that in place takes time.

I cannot agree more with everything. Human resource management is a real challenge. In the FBI, we are always trying to focus on over-the-horizon threats. Anticipatory intelligence means trying to do more with the same amount of resources. While also paying attention to our consumers, which includes high levels of government of the private sector and also the public in our messaging. With that in mind, burnout is a real concern. I tried to take into account that if my people want to build their career, I want to help them. The FBI has a wide mission set and I will support them because it tends to keep them on my team longer, building the expertise wider.

It seems the cybersecurity challenges are around people, and we have heard a lot about the shortage of personnel that have the talent to operate in cyber, opening up paths for individuals to come into cyber. And taking care of them once they are there. The positive work culture of making cybersecurity a place where people want to work. The pace of cybersecurity threats is overwhelming. Threat actors are now using AI. How do you build a positive work culture during stressful times when our technical resources are short and you have more need than money to get things done?

I am happy to start. In the FBI, we try to focus on the mission. In order to keep my people focused on the mission, they have to feel like they are involved. Last year, I had the opportunity to deploy one of my intelligence analysts to Albania in response to a cyber attack.
In the world of cyber intelligence, and to explain to them so that anyone could understand it. She had the opportunity to brief National Security Council, high levels of U.S. government, and it is those opportunities that keep people coming back because they are exciting, they are new and they are career building.

I also think when you are leading an organization, the people are looking to you to create that culture. It is important that you are communicating your values and your ethos to them and then you are living it. Not only talking about it, but you are acting it out and they see it. I also think that the people in your organization need to feel valued. They need to feel that what they are doing matters and they need to feel rewarded. If they are seeing the fruits of their labor, that starts to build the positive work culture.

I will build on that. It is the same thing. It is three things for me. First, it begins with communications. That means listening to what your team has to say. It means communicating transparently. When you do those two things and they see you are acting on what you told them, it builds trust. You are executing on what we told you and you are honest with us. Think about leaders you followed where you felt supported. You could run through a brick wall for that person. Clarity, you mentioned shared purpose. There is clarity for the individual as to what role they play in the mission, but there was also clarity for how that fits into the overall organization. And then recognition. I would love to say I have infinite pockets of money where I can give out rewards, but you also want to recognize for impact. You want to recognize when there is positive impact. On my team, we commissioned a coin and our leadership team gave out a coin to a bunch of people on our team. It lets the entire team see what you value. I got a call from one of my team members a month later. They said I want to get one of those coins.
There are different ways you can motivate your team through recognition.

When I think about building a positive culture, those are the types of things that come to mind, having a unit identity, coins, something that people can rally behind and help them identify their mission set to give more credence to what they are doing. People first, mission always. It is more than just words. We care about the people. As long as you take care of the people in your organization, then the mission will follow. Before we talked about the challenge of overwork. There is also the challenge of under work. Idle hands can sometimes drive a bad culture.

I am retired Air Force myself and we learned integrity first and excellence in all we do. That is current with me throughout my career because leadership becomes a part of our pattern of life that our adversaries leadership as part of our pattern of life as well and it is observable. I applaud you all for setting those examples for people who follow you. You all are effective leaders, which is the next topic. Each of you represent different sectors. As a result, you bring a unique perspective to cybersecurity leadership. What is one positive thing you believe has helped you to become an effective leader?

I am going to lead from the front. It is the way I am wired. Whenever I started my career, I wanted to do every phase. When I began my role in security, I wanted to do the jobs. It is being able to engage with the team at every step of the process, but not take away from them. Helping guide and direct, set the guardrails for are we still achieving our purpose? That is the thing for me. This is extended into the team culture a little bit. I have this phrase I say. This phrase of sat in the seat. Whether it is someone who has performed that capability, it builds residence. We are a customer service organization, so having the perspective has become a part of our culture.
I love what he said about you guide and direct. I think the ability to know how to build the team and bring the right people to your team that can fill your gaps. None of us can do this on our own. So the team you build is so important. To help you fill the right gaps, both from a subject matter expertise perspective and from a culture perspective, because you want it to be a positive place to work. What helps every leader is just having a curiosity. Being interested in what you are doing is positive so that you yourself are building some acumen and leveraging your team in the spaces you need to.

The importance of having team identity. It is important so they understand what their role is in the mission. In that, identify what a winning team looks like. Identifying what type of personnel you need to fill those gaps. So that you can build a team that volunteers for more things and take on career opportunities. I do not think I would have been in this position if I had said no to a lot of opportunities. I said yes to a lot of things I was not prepared for, but it has been beneficial. It is important to bring that spirit to the team-building aspect.

I have two things I want to talk about. The first positive thing is having had leaders who allowed me to fail, to try different things and not be upset when they did not work. They trusted I could get past the initial failure. If we did not fail, we probably were not trying hard enough. I appreciated that as a positive aspect. The other is when I was starting up my career, learning the value of teamwork and what is capable. When I was given jobs, I could easily accomplish those tasks, but I had a leader say the success of the unit is not whether or not you accomplish your tasks, it is whether everybody does. Now being a leader, looking to the junior members and helping them field the team can do better when we work together, and having them believe in that concept.
The trust that you mentioned, that has to be earned. You have to listen to your people and take action on that. You want team leaders that are supporting us to have the same type of values.

I like what you said about the delegation part of it. I had a general teach us, a group of young officers, that if something comes across your desk that is fun, then it is not for you to do.

I agree. Everybody needs a chance to shine. They have to have their opportunity space.

Absolutely. We talked about the one thing we would do in a positive perspective. What one thing that you did while perhaps not overly positive so helped shape how you make decisions?

I think the thing that helps me make decisions are the diversity of experiences I have had. I think it is really important. I tell people who ask me, how do you do what you do? You have to build your toolbox. You have to get that diversity of experience because at a certain point you are making decisions with limited data points. And you are going to be called on to make those decisions. What fills in that data are the experiences you have had. I think it is important to have that diversity of experience to help inform your decision-making.

For me, absolute clarity on what this one is. When I first moved into management, I really wanted to be successful. I wanted my team to be successful. What I found is that there is a difference between being accountable for your team's success and empowering them to be accountable for their own success. It was a hard lesson because it started off with, I was hoping making sure our team achieved the objective and the best way they could. It took a mentor of mine punching me in the gut to tell me you are spending more time helping than they are spending working. That was a big lesson for me. It is rolled into how to lead my team right now. I will set early deadlines because, not to stress them out, but to get ideas on the table early.
So that you can be accountable for your own success, not I am fixing something at the end.

A lesson for me, I was recruited into the Cyber National Mission Force after winning a hacking competition. When I first showed up, I was a little bit arrogant. I had some senior leaders who helped me realize the value of being humble and did it in a positive way. I viewed it on a negative on myself. I was bragging about these things and there are a lot of people like that. The opportunity for mentorship there and the value of remaining humble. Whether it is your people on your team, staying true to what you are actually doing.

I think it is so important to understand my role on the team. He talked about being punched in the gut. Listening from different perspectives. Even though it might be hard to hear, it tends to make the team better. It is a natural part of organizations to have conflict.

How do we motivate, the next topic. What are the key motivators for you, your team and your people as you strive to serve in your everyday job?

I came to this question and I did not really have a frame for it. The analogy I look at is our team is like an orchestra and we are like the conductor. What that means is understanding each individual's unique passion, what makes them tick. Our role is to align their passion to our organization's objective, to the mission and the community and the people we serve. That is our role. I love to say this is like the Lego movie, but everything is not awesome always and there is some general discord. What happens in those situations is there are a couple of people who mention this. Really focusing on that person's passion. Finding a way to get them to move to their passion. Sometimes that means you take the pillar of your organization and move them to something else they are passionate about. That is kind of scary.
What I've seen when we do that is they get so much energy and motivation, they bring it to the mission and the other people they work with feed off of that. My six-year-old is always watching me. Other people see you are willing to invest in your people and find them an opportunity to do what they love. That is retention. Knowing your people and genuinely knowing what motivates them. It is different for a lot of people. There are people I work with at Cyber Command and just seeing the facilities is motivating on its own. One example, I had a young software developer working in a room developing software for the Cyber National Mission Force, and he never got to see it used. Bringing him on the mission to see when it was used motivated that individual. He got to be a part of the team and it got him to stick around a lot longer than he planned to. He got to see firsthand the impacts. People cared about his role in the organization. I could not agree more about personal motivations, understanding your team, figuring out what they like, whether it is travel, getting up in front of a crowd to brief, sitting side-by-side with the mission partner, you can start to map people's personal motivations to things that will reward the organization. I also feel like I get a weirdly free pass for motivators. The motivation of mission is threaded through every officer that works there. What motivates is the mission. People in national security feel like they are a part of something bigger than themselves. It is very special. I think giving people the opportunity to solve unique problems is a really powerful motivator. They want to come work for us because we have cool problems. That you cannot talk about. Passion and motivation is key in the FBI too. Getting to know my people, if they want to work on AI, if they want to work more private sector, it all feeds into the mission. Just like in the CIA, people want to join the FBI from a very early age.
It helps that we have a lot of TV shows that motivate people. It sells itself. Getting them to understand the impact of their work. To see the product that was briefed at the National Security Council or briefed by the president. That is really inspiring. We are getting close to the end of time here. I will take 30 seconds and talk about driving productive change and innovation. What does it take to drive productive change and innovation? I touch on it a little bit. Not being afraid to fail and not accepting no for an answer. When you are working something for the first time it might be scary to higher leadership. Settling those fears and talking through it and why do you need to innovate to work the mission. The risk-taking. I am hyper passionate about this one. Our adversary is creative. When we find ways to mitigate them, they find ways around that. We need to be innovative to combat that. We need more diversity. It is when we bring many voices together, listen to those voices that we get the best ideas, and that creates innovation. I think it is... I agree with all of those perspectives. It is a convergence of top down and bottom up. It is the people who are boots on the ground who understand the problems to be able to innovate against those problems. From the top down, we need to give them the space and the ability and the resources to perform that innovation. It is important that those two things converge. Discipline is key. It is always scary to upend the apple cart and try a new skill. It is important to understand your team. It is not just my unit or my division. It is pulling together resources so we know what all of our options are. As the general said, at the end of the day, leadership matters. These emerging leaders before you here matter to the mission of cyber defense. I want to thank you for your commitment and contributing to this conference. Please join me in giving these leaders a round of applause. [applause]
