>> now, national cyber director chris inglis discusses u.s. cyber infrastructure and resiliency, hosted by the center on cyber and technology innovation at the foundation for defense of democracies. it is about one hour. >> heckle or heckle? >> definitely. samantha: hello, i am samantha ravich, chair at the center of the foundation for defense of democracies. thank you for joining us. for more than a decade, report after report has documented the growing number of unfilled cyber suspicions, in the u.s. government and nationwide, while offering strategies and recommendations to address the shortfall that often goes north. the secretary of defense stated that the pentagon is in desperate need, desperately short of people with cyber skills in all services, and we have to address this. that was in 2010, and that was the secretary of defense robert gates. that was one year after amazon had a workforce total totaling already 4003rd last year, amazon had a workforce of 1.6 million people -- totaling 34,000. amazon had a workforce of 1.6 million people last year. a white paper was published on the cyber workforce in september 2020, identifying systemic barriers that worst i.e. mean existing workforce -- that were stymieing existing workforce barriers, including a lack of leadership, insufficient coordination across the government, a nonexistent federal strategy to guide priorities and resources, and ineffective organizational structure, which combined to limit the potential of the very programs designed to strengthen and diversify the federal and national workforce. no clear vocal port for interagency coordination existed at the time of the commission's report, but the july 2021 confirmation of the first-ever national cyber director or ncd, has created a new opportunity to overcome these barriers. looking to continue and build upon the work of the commission, the commissioners recently established cfc 2.0. they published a thorough report looking at how the national cyber director could lead the federal department and agencies in growing and strengthening the federal cyber workforce. the report notes that in many cases, the ncd will need legislative support so it also recommends actions that congress can take to support federal efforts to grow the cyber workforce. these actions include extending the federal cyber workforce data collection at, establishing a federal cyber workforce development institute, and authorizing a federal accepted cyber service. while these recommendations focus on the federal cyber workforce, the federal national workforce is also drawing from the same community of professionals, so the approaches must address those. the report outlines actions that private sector leaders can take to support national cyber workforce development more generally. we are fortunate today to have two very relevant leaders and experts on that exact issue. first, i am pleased to introduce chris inglis, the inaugural national cyber director. he was confirmed less than one year ago and came from teaching at the u.s. naval academy and serving as a fellow commissioner on the cyber space solarium commission. prior, he was a security leader, rising to the deputy director of nsa. he also flew c-130s and retired in the air force reserve. we also have mark montgomery, one of the authors of the report i mentioned on cyber workforce issues. he is a senior director of the center on cyber and technology innovation at fdd and served as executive director for the past three years. prior to that, he worked for senator john mccain on the armed services committee and served in the navy for 32 years, retiring as an admiral. a few quick words about fdd before we start. fdd is a nonpartisan research institute, exclusively focused on national security and foreign policy. fdd houses three centers on american power that promote the use of all instruments of american power and produce actionable research and develop policy options to strengthen u.s. national security. fdd proudly accepts no funds from foreign governments or corporations. for more information on our work, visit our website at fdd.org. you can also follow us on twitter at fdd. the csc 2.0 project on the workforce paper is available at cyber space solarium -- cyberspacecsolarium.org. chris, it is great you are here. since you left to become national cyber director, it has been about 11 months since you started. you are probably running a startup in the white house. maybe take a few minutes and tell us how that is going. chris: in a word, good. there is a joke that goes with that, and i will not completed, but it has been about 11 months. first, let me say how grateful i am for this venue or for the cyber space solarium commission 2.0. i am a fan of 1.0. you might say i am a byproduct of 1.0. that foundation has been extremely useful to us. in terms of how is it going, i am a big fan that form should follow function. in this case, we stuck the form in place and try to figure out what with that form do? what with the national cyber director do? so we have been working hard the last year to establish principles that you would underpin that. first and foremost, i think we, and when i say that, the federal government, and a growing consortium between federal government, state, local and private sector, i think we can say that we agree cyber is more than technology. the fact we are having a discussion about the people component today reflects it far more than technology. there are three dimensions, technology, but there are rules and responsibilities. solarium addresses a lot of that, but we have been working within that -- working on that. and then there is the people please. think about those in the reverse order, and when we think about the creation of the national cyber director, we are giving due to the technology piece, but focusing on the latter two pieces. having said that, we began to put life forces in play and how do we get a better definition of responsibilities? that is what i am accountable for, getting the roles and responsibilities right, not just across the federal government the larger ecosystem. finally, how do we get those doctrines and those roles and responsibilities properly supported by the people piece of that? that i think is a work in progress. i am delighted to discuss that today. we established a solid foundation of roles and responsibilities. we need to make sure we fill those roles and responsibilities of people whose skills are up to speed. in that regard, i sent you a preview of my own remarks, which i think we should be concerned about the jobs that have cyber i.t. that go unfilled. there was a lot of focus on that, only 550,000 within the u.s. we should be equally and perhaps more concerned with is everybody who plays a role in cybersecurity, everybody, does everybody have the skills they need to take full advantage of cyberspace? the vast majority of us are not digital natives but apt natives, and we need to make sure we have the skills necessary to take full advantage of the positive aspects of cyberspace. that is an all problem, and we have to make sure everyone has the skills necessary while we focus on filling the jobs that have cyber i.t. in the title. how is it going? i think well. those are problems that only we can share and solve, as opposed to pointing to some poor soul in the corner and saying they have got to solve that. samantha: just to follow up, at the office of the national cyber director, how are you doing on staffing? chris: in a word, good. i remember some reporter, a really good reporter, and i won't mention them by name, but was poking me pretty hard, saying, how many people do you have, what authorities do have, and what have you done today? literally the first week i was there. we were were not appropriated and the money showed up in november. i would rather talk about where we are going. we are going to double it, double it again, and we will be eight at that time. they said, how many is that now? i said, do the math. but we are not 40. we are on the high-end of 95 to 100. in a cyber world where you do operations, that is a small organization, that's not our job. you're the coach, not the quarterback. we are not micromanaging cyber operations. we are making sure that roles complement one another, that all those parties have the resources they need to do the proper job on the field. within the white house, and organization of 90, 95 people is going to be huge. and we have given reality to that. we have a workforce education initiative that comprises 1/5 of this organization. we have a focus on software, supply change, all those things that you would say are the foundational building blocks necessary to ensure that the roles are proper, that we properly have the pieces in that system, and our principal modality is to work with them. i think we are in a really good place that way. samantha: let's turn to the issue at hand, the workforce reports, the challenges that the federal workforce in cyberspace is paired mark, you wrote a terrific report about the challenges of recruiting find talent, of training, developing, retaining. give us a sense of the challenges and the size of them. mark: thanks. first, i want to acknowledge the core writer of this and was a terrific part of the csc 2.0 and 1.0 teams, and i am happy she moved onto the department of treasury, where she helps the government more directly. this is a challenging problem. i could go all the way back to 1999, when i worked for dick clark on the national security council and we wrote a national is for structure insurance plan and laid out -- and national infrastructure insurance plan and laid out big tasks. the government solidly achieved three out of 10 and 22 years, and even at the most progressive schools, 30 is not a passing grade, so the government has a lot of work to do. and they are working hard. there is a group with technology and commerce, and, you know, they are doing great work trying to figure out code jobs and what skill sets go with what jobs and they have done a great job with that. there is a great team at the national science foundation, which i am sure we will talk about. there are good people working in education and training areas. and good people at opm, although they are drowning slightly, and there are good people sprinkled throughout the federal government. the reality is, the overall progress, that is not enough to overcome the barriers we are facing. the number one barrier that we identified is the lack of data. government cannot make good decisions without good data. we all understand that. despite the fact that we actually have a legal, you know, a statute saying collect the data, we do not have good data. and there are a lot of things responsible for that, the provisions are not written perfectly, and even as written, it is being ignored or carried out inconsistently among the 101 federal agencies. so that lack of data is critical. and normally, any military person would say it is a lack of leadership, but if you don't have data, it does not matter if you have leadership. once you have that data, you need strategic leadership. someone at the white house has to be the head, and not as the hand of god. chris: i think that makes me god, so i have to be very careful. mark: the national cyber director will talk about that, but -- and he is the coach, to use his own analogy. the next thing we are missing is a quarterback. we don't have coronation among the federal agencies, and that coordination should be led by opm, much like i think chris called them his quarterback for federal cyber workforce is going to be at opm, and it is not there. there was no one there standing. there is more likely hi nikki there than brady -- there's more likely heinicke than brady. the federal government cannot get its head around that sometimes a job is about experience and not about masters degrees and bachelors. so understanding that the person you need may not have a bachelors degree, but they need to be a gs 12 or 13 as you hire them. those kind of barriers really hit, and the final thing is, it will all lead into a diversity traffic jam. what i mean by that is there is a significant diversity problem in our workforce. the most egregious example is among women, where there are only 21 to 24% -- 24% to 20% of our federal cyber workforce and only 11% to 15% of our federal cyber workforce leaders. those numbers are unacceptable as we look forward. i think that is the big challenge that chris or whoever is the hand of god is going to face in this. chris: as the right hand of god. mark: right hand of god. samantha: mark put a lot on your plate. first of all, do you see the challenges the way that mark and the report laid out? chris: i broadly agree with his framing. i would start with there are impressive pieces and components, at least of -- not least in the private sector, but what mark cited in the federal government. you have the national institute of cyber education, nice, the national science foundation, cyber core for service, the senators for academic excellence, cyber talent management system, all are pretty interesting. they could make an even higher kind of leveraged difference if they were connected to some larger strategy. what we think is not so much of the piece parts. there is more to be done there. what is missing is the strategy. we would use that strategy to figure out how to use them and amplify their efforts, not within the stovepipes but broader across the federal government and joint arm in arm with the federal sectors of the government can solve its end of the problem. you cannot filter one out of the pole but you have to solve the national problem. if not, something even bigger. in that regard i would do two things. first, actually have a strategy that defines what is missing. then have to make use of the parts already there and connect us to that strategy. in the next strategy needs to be driven by data, by someone accountable for using that data to define the strategy and then driving that execution across all those parts. i think if we were to do that, we could make rapid progress and find ourselves re-examining everything. i don't think we have appeal to a broad enough population. i don't think we have a diverse enough talent pool thinking, can i play a role in this? we have not balanced that aspiration to the destination eye tracking people along that progress. we have misspecified the destination. sometimes you require about first-degree when what is really required our critical thinking skills, not that they are divorced from one another. but let's think creatively about what we need and more broadly about where we can get that and manage the space in the middle with all the excellent programs. strategy and data are going to be that thing that connects all of us together. samantha: so, mark, i mean, you guys cut right to the chase with the title of the report, workforce development agenda for the national cyber director. when we look back on the reports that have been written and the people who have been involved in this for decades, many of the pieces have been there for decades, and people are very frustrated that the problem is growing and staggering, and people want things done. you cut right to the chase with your title, workforce development agenda for the national cyber director, what do you think that national cyber director specifically should be doing? mark: first, i would like to acknowledge the napa team and karen for excellent report. there is a lot of violent agreement on what is wrong. i want to agree with everything chris said about how he sees his job, data and strategy. if you left it there, that would be a success. i would add in budget oversight, which is, i am hoping, the relationships that the national cyber director built with the office of management and budget, where chris is so counted as an national cyber director, as well, that they will have the opportunity to look at the individual agency budgets in a lot of ways. one is, are you spending enough on your workforce? there is no surprise, the answer is going to be, if you don't have cyber in the name of your agency, it is likely that the answer to are you spending enough is no. and i will exempt the department of defense because they have unlimited pockets, but for the 101 federal civilian departments of agencies, the vast majority, when it comes to budget crunch time, and does the department of agriculture buy more food inspectors? they buy the food inspectors because that is in their job jar that the cabinet member sees, so it takes omb, and by extension with omb, them over siding them. i would add that in, but i agree on the strategy. i will assume for a moment that the national cyber director writes the national cyber strategy. and then we will say there should be annexes, and one would be this workforce and expect goes right in there, and say, because as you said, chris, there are three legs to this tripod to success, technology, adopting policy, and personnel, so having an annex on personnel or a national workforce for federal cyber security workforce strategy would be really helpful. i am excited. those are recommendations. chris: this reminds me of why i missed working alongside you so much. let me give the larger context for the office of national cyber director. we put out a statement of intent in october and it was more about the workforce, but the workforce is at the core. it laid four broad responsibilities for the national cyber director by mutual agreement of all the parties who are involved in this. first and foremost, to drive it within the federal government between the federal government and stakeholders in the larger cyber ecosystem, so private-public collaboration and natural extensions of that. two, to focus on future resilience, which is about inherent resilience in people, doctrine and technology, and i think likely in that order has got to be the priority. we can defend technology to our purpose if we get those roles right. if you don't know your responsibilities, and people don't have well-defined skills, it is a full gerund to try to get that alone right, -- it is a fool's errand to try to get that alone right. it is about getting the rest of the events. we can do that if we think through the properties of the system and what they should be, and the people properties. the third responsibility is performance assessment. we need to understand that all of the applications of the time and material and roles and responsibilities are stuck in the middle and delivering results we find acceptable or preferable, and it will take a fairly broad brush to that. i consider the roles and responsibilities and skills that people have are up to snuff and then use that, not simply to make reports for vicarious purposes, but to then drive the implementations of our budgets, time, and attention to get that closer. there has been a fourth piece, which we will be accountable for, which is the details of implementation to oversee the roles and responsibilities, but when you add them up and you consider the people are at the core of two of the three dimensions of cyberspace, doctrine and literal people skills, that gives a context in which we can define strategy, whether it is called strategy or it is the implementation of broad and we can make the progress necessary to have the data and to have the kind of material necessary to make use of all those good parts. samantha: there is another actor involved in making all this work, congress. mark, you and laura's report calls out specific legislative and potential recommendations for congress, maybe you could summarize some. mark: thanks. one of the successes, 1.0 was successful broadly, and one reason was that we wrote legislation early on. some of our congressional leaders, presented of langevin and gallagher, and senator king, you know, told us, hey, we do not want recommendations, we want legislative provisions that are tied to recommendations, and i think that -- i think you two as commissioners would agree that that was really critical to our success. and so, one of the things we try to do in this report is continue that tradition in csc 2.0. we've done some water provisions recently, and in this one, we have some workforce provisions. so we do have some recommendations for congress. we have three specific legislative provisions. they're -- one's reasonably easy, two will be hard, and then we have some appropriations recommendations. but in the legislative provisions, the first one, the one that really has to be done is we have to extend and amend the federal cybersecurity workforce assessment act. that's the one that directs data collection. it will actually sunset soon, and then our poor data collection will dribble down to a zero data collection if we're not careful. at least, you know, legally dictated data collection. and i think we can help the national cyber director in his role as a coach if we can amend -- if we can extend that, i think at least out to 2027, and probably have to extend it again after that. but also amend it because one of the things that's missing is any kind of forethought. it doesn't say what are you going to need three to five years from now or two to three years from now in your federal cybersecurity workforce. and as we all know, things like the national science foundation scholarship for service aren't hiring this year's workers, they are hiring three years from now workers, right. and most of our programs, and hiring programs take two, three, four years so we really need to understand that. so the first thing is amend and extend that provision. the second is one where we have to figure out how to -- i used to say how you go from apprentice to journeymen but now i think the right terminology in the government is how do you go from entry-level to mid-career? and it can't be that we're poaching people, you know, from other agencies or from the private sector. that doesn't work for us. we need to grow our people, and to grow our people we need to have a training environment to do that in. and so, we recommend a federal cyber development institute, it's not brick and mortar, it's where you go while you're working for the government to get job skillsets and to get certifications to move on. and i think that -- that's probably harder than the extend and amend of the previous act but it's probably doable. the third one is the rosetta stone, if we can crack this we're really going to understand the -- the system. and that's -- that we -- we really do have to come up with a new hiring mechanism. we're recommending a cyber excepted service, we give three different options to the national cyber director to work on, obviously, he can go off of that sheet and come up with a fourth or fifth. but the one that'll really make the most difference, the one that's really helped dod is having a cyber excepted service. this'll be tough, there will be people who fight this both in congress and in, you know, federal government organizations. and it's going to cost money, but i think no one ever thought fixing federal cybersecurity workforce was going to be a cheap endeavor. and i think having a federal cyber excepted service is probably the key. i do want to mention a couple of appropriations, we do need to bump up the national science foundation's scholarship for service program. right now it's cruising in around 55 to 65 million every year over the last two to three years. that's producing about 400 workers a year. and they're popular, i know they're popular because at the fair -- at the matching fairs that they do in the spring nsa and cia are -- are the two organizations taking the most people. and they can hire anybody and they come and hire these kids, so i know they're the right ones. but we got to get that scholarship for service up to about 1,000 graduates a year, it's currently at 82 colleges, universities, and community colleges. it needs to be spread to a few more. nsa's identified i think 370 schools through the cae program. so we know there's schools to go to. and i really strongly push this rotc-like program over other initiatives. there's one in congress now on a cyber defense -- digital cyber academy or digital service academy. i think 11 this is a real -- i think this is a real mistake. first of all, a brick-and-mortar institute is going to take us years to build and suck money but second, it's not going to contribute to the private sector, right. when we run these scholarship service programs, rotc-like ones at 80 to 100 to 120 private universities, many more than our graduates -- than the people we take into the federal service are benefiting from the professors we fund at those schools. you know, we're producing two- or three-fold numbers of workers going directly into the private workforce. so we really have to kill this idea of a digital service academy and move forward with full funding for the scholarship for service program. and there's a few other appropriations i'd do and they're in the report, but i think those are the big ones. samantha: yeah, that's fantastic. and the level of specificity that mark and laura put into the report, can really show you why cyberspace solarium, csc 1.0 was as successful as it was. because it's based on the specificity of making real the recommendation. so chris, let me get you to comment at least on a couple of some of the recommendations that mark just spoke about. specifically, the cyber workforce development institute, and the government-wide excepted cyber service, and any of the other ones that you'd like to comment on. chris: i'll talk about those things specifically, but let me just talk more generally though about what i think are three broad aspects that underpin mark's remarks, all of which i think have some sensible and actionable recommendations inside of those. there are three kind of stretches where initiatives go to die. first is this kind of stretch that i call aspiration to destination, we all know how many jobs we'd like to fill but there aren't any vehicles or many vehicles that essentially would take that aspiration in essentially meaningful -- meaningfully assist folks to get from that, hey, i'd sure like to vie for one of those jobs, to get them into one of those jobs. people who show up today at the front door of a government organization with a bachelor of science in computer science but no experience in hand typically are turned away. because we stayed, you've got to have the experience, we need to figure out how do we actually do the internships, the co-ops, right, the cyber clinics to get them that experience, to get them from aspiration to destination. so more flexibility, and more investment in that actual stretch along that first kind of part of the highway. second, once they get in the game is not over right? , we have all this poaching going on, so we don't have career tracking where we continue to make the investments in those people. and continue to make them feel like they're part of a larger community of interest. and so, we need to bring those barriers down between the various kind of entities that would hire these people. and we need to also kind of make sure we're investing in them not just to get them to that initial job but throughout their careers. i worked at nsa for 28 years, i had what looked from the outside world to be nine very different jobs, but i was always an nsa employee. i always felt like i was along a single career track. so how do we take computer kind of personnel, i.t. personnel, cyber personnel and give them that sense that they have a very rich career field in front of them and they're not being poached from job to job but rather they're being progressed from job to job and getting all the stronger as they make their way from one responsibility to the next? and so in that regard, something that actually cuts horizontally across the federal government, i think will be extremely valuable. finally, to mark's point about, you know, these institutions that might then assist in that regard, we have to make sure that those institutions, whether it's a service academy that i was a benefit from, need to have a parent -- they need to have a parent service that says, "i'm the person or the party that will kind of ensure that i have a sense as to what the standards and the requirements are for whatever this service is set up to do and i will then employ, right, what then becomes of that." if you lack either of those two dimensions, it's probably a good idea in the corner, that lacking the parent that would actually define the requirements or then accept and employ, right, the beneficiaries who kind of derive kind of the education for that institution, they'll fail. rotc programs essentially do something that's magic in the middle, which is they actually kind of take the resources from a parent that says, "hey, if you make these investments, i will hire the result. i'll just be that instrument in the middle," but they've solved the problem by actually marrying that aspiration to destination. we need to make sure that we do that. samantha: mark, if i'm not mistaken, the deficit shortfall in the federal cyber workforce kind of tracks with what we're seeing, you know, in the private sector cyber workforce. i'm wondering if you learned anything during the research for the writing of this report on the federal stuff that is actually -- can illuminate, you know, a way forward on the private sector side? mark: you know, you're exactly right. i mean, it's this -- it's the -- it's mathematically very similar problem. about 70% of the jobs are filled , about 30% or 35% of the jobs are empty by the cyberseek, which -- while the numbers may not be exactly right, i think the general trends are correct in that data. and they're struggling too. there's a lot of poaching going on in the private sector. this failure to develop from entry level to mid-career really exists just as heavily there. and so we've got to figure out how to incentivize the movement, you know, of people from entry-level to mid-career. chris talked about incentivizing, getting them right. in the entry level, i think that's true too with the apprenticeships. i want to give a shout out -- microsoft's got a good program they're working with community colleges. they advertise a pretty big number, like maybe $20 billion with it, i suspect that that's a lot of intellectual property being counted a few times. but they're certainly sharing a ton of curriculum and data with 80,000 community colleges. i cannot tell you how important -- with a thousand community colleges. i cannot tell you how important this is. and there are other programs doing this. you know, there's other opportunities out there for certification and job training programs that specifically target entry-level cyber skills and the movement from entry-level to mid-career, when you've gotten the experience, and we needed to acknowledge those, -- need to acknowledge those, support them, and ensure that they are being replicated throughout the country. ibm's got a program they're working with historically black colleges and universities -- i think it's successful as well. but we've got to get it so that at particularly at the community college level, kids are leaving, graduates are leaving with the certificates they need and experience from an internship, which is -- or a work study program that would be -- you know, that would be highly useful in transitioning into a full time job. so i think they're the same problems, i think they probably have a little more flexibility around pay and hiring than the federal government does. i mean, who doesn't have more flexibility in hiring than the federal government? but i think they still face the same challenges. samantha: yeah, they may also have a little bit more flexibility in terms of where they get their workforce from -- all due respect to -- to mr. musk, i think people aren't going back to the office as much in the private sector, in this space. they can get now people from around the world to fill their employee roles. so maybe maybe it'll open up more ability for the federal government to recruit since the private sector can recruit from a larger pool, but we shall see. look, before we turn it over to the audience to ask their questions, i wanted to ask chris about an issue that is near and dear to my heart. on the cyberspace solarium commission, we recommended and it was approved in the national defense -- 2021 national defense authorization act -- which is continuity of the economy planning, or cote -- continuity of the economy planning -- which looks at how do we prepare for and recover from a major cyber attack that rolls across our economy, not just targeting one organization, one sector, but multiple at the same time. so how is it going? the act -- you know, legislated, as you know, that the administration was providing a plan by the end of 2022, which is rapidly approaching. chris: yeah, so i must admit that my horizons have been expanded a bit since i was on the solarium commission. now, when i first thought about that continuity of the economy assignment, i thought about it almost entirely through the cyber lens. of course, there are many hazards that kind of hold an economy at risk -- or many resources, both materiel and often digital infrastructure and virtual that are required to actually make a kind of an economy run smoothly. and so you have to actually have a broader kind of lens to look at that through than cyber or -- cyber alone. so it's not something that has fallen naturally to the office of the national cyber director. it falls more naturally to the cybersecurity and infrastructure security agency, working hand in glove with what's called pound resilience, but the national security council component that worries broadly about societal functions. and so they've now got that and are working their way through that to try to determine how do you actually cut across all of those critical activities that constitute a viable, running economy? i think when we're all done, you'll look at that and say, "that was about far more than cyber, about what it takes to get that done, and it's frankly more about the horizontal than it is about any particular vertical." samantha: well, we will stand by to see what is rolled out. so i think we're going to take some questions from the audience. yes? >> that's correct. we will have a question-and-answer period right now. if you will raise your hand, we'll identify you and then ask you to stand up, introduce yourself, and then ask the question. >> thanks. sam visner with mitre and the space isac. always good to see you, chris, mark, samantha. an observation not so much as a question, but whatever can be done to bring good, young people into government and give them something meaningful to do. as you know, i am an adjunct at georgetown. i've sent my students to the executive branch, to the military, to the ic and to the hill. and it's pretty much a dog's breakfast. occasionally, they will come back and say, "you know, i've had something interesting to do." some have come back and said, "it's a toxic work environment, i don't want to stay there a moment longer." one left the federal government to take a job for more in the $60,000 private sector but would have stayed in the government for the mission if the work environment had been suitable. what can we do to provide an environment in which these people are not locked into "well, it's -- you're a gs-7, gs-8 for the next few years, you have to do something meaningful before we decide -- meaningless before you can something worth your time?" these are people who are highly motivated, they want the mission, they want to contribute to the mission, they want to be part of something larger than themselves, and they don't essentially want to be locked in the basement eating gray meatloaf as a gs-8 for the first four years of their careers. so hopefully we can find a way not only to develop the workforce by getting these people on board, but to develop the workforce by giving them something meaningful to do so that they stay on board and continue to contribute. thank you. chris: i'll take the first point, ok, just -- only because, sam, you had. chris: a lot to say about it because i don't like gray meatloaf any more than mark does, all right? mark: yes. the -- first, you did have a student come work for us here at fdd, hopefully they came back with positive thoughts. >> they did. mark: ok, good. so look, agreed that it's tough -- it's -- you see this in the military, you've entered -- you don't enter as a lieutenant colonel, you enter as an ensign or second lieutenant. and you have the -- chris: a few ensigns become lieutenant colonels. mark: yes, there you go, that's true, fair enough, yes. and then maybe the space force someday. but i would say that the key to this is having what chris described as nine jobs within nsa that felt different, i felt the same way in the navy -- i was a navy officer, had about 14 assignments, only one or two were the same. they were vastly different every time. we're starting to see that. there is a cyber workforce, there's an act has just passed that's going to allow some movement between agencies. i think that's the beginning of it. there are different ways in the federal government to get job satisfaction and to get that psychic pay that covers down for the slight loss in physical pay that you might experience as a federal government employee, but i think having some movement between jobs will be good for the government employee, but also be good for the agencies as you get cross-pollination of ideas between different agencies. so i'm hoping we're going to tackle that. it's certainly a concern, and whether there's a toxic work environment is probably point by point and that should be solved at the place it's at. but the idea of having some flexibility in your job movement is a good one and one that congress has started, and we're going to have to see how this pilot program goes and see if we could push it fully into the federal workforce. chris: i subscribe to your general thesis, which is that culture should be our principal focus as opposed to being beholden to the administrative aspects of it. we're always going to follow the law, we're always going to follow administrative procedures within the extent of the law. but i have never been in an organization where i was compelled to essentially bend, right, to the strictures of a particular kind of role assignment or the strictures of some gradations. i've always been in an organization which had the authority to install culture and to hire not employees but owners, to give them a full piece of that responsibility on day one, to let them make a difference on day one. and frankly at nsa, which -- that's the majority of my work life experience -- we never had a problem with retention of the kind that is broadly described across cyber circles now. our retention was on average about three and a half percent to 5% attrition meaning , everybody else stayed, which was unnaturally low for an organization that has to turn over every 20 to 25 years. why was that? it wasn't because we had swell parking we did not. , it wasn't because we had the best color in the world, we had lurid green inside of our hallways. it wasn't because we had this wonderful pay system, we were gs kind of pay. it was because we gave people feedback and said you can make a difference on your first day. here's the feedback associated with that, and when we did that, those people would come and stay and stay and stay. so i take the point that it's about the culture that should not be beholden or subordinate to the administrative system. ultimately that form should follow the function, but we need to drive the function first. >> hi, there. sean lyngaas with cnn. thanks for doing this. chris, i wanted to get your response, as you know, general nakasone, this week, confirmed that cyber command has taken the full spectrum operations in support of ukraine. i'm wondering a couple things. first of all, have you all seen any response from russia in cyberspace to that activity? and more broadly, are you concerned at all that the russians might see rightly or wrongly those activities as escalatory, given we've seen everyone and their mother participate in cyber operations in ukraine. there's been hactivists, there's been people using u.s. infrastructure that might be -- opens up the door to misattribution. what can -- what's being done to make sure that isn't misinterpreted? thanks. chris: yeah, i can't speak to any russian reaction associated with those remarks. or for that matter, any operations that may or may not be taking place in cyberspace. but let me address what paul nakasone -- what general nakasone said. the white house affirmed those remarks i think as recently as yesterday, in saying he's correct in what he said, which was not in any way, shape or form breathless. it was just a statement of fact. the statement of fact was that cyber is an instrument of power. and to the degree that we're applying many instruments of power to assist in the defense of ukraine, cyber is one of those instruments of power used in our -- from our perspective in a defensive kind of modality. meaning that while they might impose affects or have kind of -- might make a difference to the receiving end of that, whether it's financial sanctions, whether it's lethal materiel applied kind of in military ways across the ukraine, what we're trying to do is to assist the defense of the ukrainian people, right. and i think that cyber then, as an instrument of power, can and should play a role in that. that's what i heard paul nakasone say. and i haven't heard anything that -- from that day forward. a couple days ago i would say it's been provocative. most people that i think understand the nature of this domain have said that makes sense and anything less that that wouldn't. mark: if i could pick up on that, it reminds us that this cyber capacity building, which we're effectively now doing -- apparently doing after the war starts, it's also something that we should focus on left of boom, you know, before the crisis and, you know, in ukraine specifically like we had usaid run a program for four years doing cyber capacity building, about $39 million. there's fingerprints of cybercom doing, maybe not defend forward operations, but support to the ukrainians and the time leading up to the conflict, which now has been acknowledge by general nakasone. so, it's those efforts -- that cyber capacity building for our key allies and partners who can't afford it themselves. so, probably not for the u.k., but for countries like ukraine, georgia, taiwan, you know, that we should be thinking about these things left of boom and making those deterrent investments at the same time we that we make the ones right of boom. >> next question. >> yes, hi. i'm derek johnson with sc media. mark, you mentioned a law that we're going to need to extend and reform, i didn't catch it, in order to kind of address this problem. mark: yes. >> and you said that you expect pushback in congress and from some of the bureaucracy about that. can you talk about that a little bit more in terms of what kind of pushback you're expecting? and then, if you or chris, can just talk about how you kind of navigate this issue, where you're trying to stump for elevating the importance of cyber hiring while kind of dealing with all these agencies who -- you know, without diminishing the roles or jobs that kind of others do we think are also important -- how are you all sort of navigating that issue? mark: sure. so, i'd probably mush together a couple of laws there, i mean, because i don't think the extend and amend of the federal cybersecurity workforce assessment act will get too much pushback. it's just getting it and finding the right vehicle to get it done. sometimes the problem isn't anyone opposes it, it's that the process is cumbersome to do something like that. so, we have to find the right vehicle, you know, whether it's the ndaa, national defense authorization act or another one. so, i'm hoping that will get done. some of the other ones, the digital, having a digital workforce institute or cyber workforce developmental institute or having a cyber excepted service, those will get pushback. the way we'll work -- that this should be worked -- is through the appropriate congressional committees. and i'd say, this one of these interesting things. jim langevin used to always tell the three of us, like, we need -- my big issues is we need one cyber committee in the house and the senate. and everybody kind of roll their heads. but, after a while he got senator king on board, but all the rest of would roll our heads back, like you're never going to get this off. i said, i will say, we put an amendment in, a floor amendment in and it was killed in 30 minutes, which was a record -- speed record for killing a floor amendment. you know the -- but the idea of one cyber committee would make this easy. we don't have one cyber committee. but, i would start in house oversight and in senate homeland security and government affairs, hsgac. in the house oversight, congress maloney, who was critical to getting the national cyber director done with the support of jim langevin and i think also gerry connolly has done a great job working on opm and federal workforce issues in general. and john katko from the republican side, on the committee of homeland security, you get those kind of voices talking about this -- we might be able to get those second two pieces of legislation done. in the senate, senators peters and portman have been very bipartisan on how they tackle things. so, if this can get on their agenda, i think they'll deal with it. the problem is, they have a long agenda of things to get done in cyber this summer and fall. and you can imagine, there are not too many legislative vehicles moving through town. and so, if we can't get it prioritized and into the national defense authorization act, it will kick a year. that extension cannot kick a year. we need to extend and amend that act this year. and so, that's the one you'll probably see the biggest push on from those kind of leaders. and it's really bipartisan, bicameral, that this is not an issue that should be subjected to any kind of partisanship. chris: i would just add to that, you've asked how do you get that on the kind of the agenda, the radar screens of the decision makers. i think you have to establish, you know, broadly two things. first and foremost, that cyber is neither delegable nor discretionary, right. it's not something you can kind of hand off to the technologist, or the folks who have i.t. and cyber in their name and say, this is your problem, this is your job. it's like the motor pool, just make the thing work. it is therefore not delegable, it's not discretionary. and why do we say not discretionary? if jeff moss were, he's the guy that kind of heads up defcon and black hat fame, he would ask this question up front of the cyber talk, why do race cars have bigger brakes? so they can go faster. why do we have cyber? not for its own sake, but so that we can do those things that individuals, organizations, societies chose to do with digital infrastructure. so, it's not discretionary. if you establish that, then you get to the second question of, what is it? how do i actually have cyber resilience? i think broadly you need to make sure that you have inherent resilience in your doctrine roles and responsibilities. do we know who's accountable for what? your people skills. we've had a long discussion about that today, appropriately. and, of course, technology it needs be inherently resilient and robust. to mark's point, we need to get left of the event. this needs to be a capital expenditure, not an operational expenditure. so, we need to make those investments in the formative phase, right, of these kind of systems that we build and deploy for the purposes that we use them for. and finally, what will result in that, i mean, this is not going to be an inherently secure, perfectly secure system. that would be lovely. but, none of these systems are. they always have some frailties, some kind of fraught nature attended to that. not least of which is because 19 -- because people are inside of them making choices all day. so, what results is going to encounter the occasional problem. and our response to that can't be a division of effort where you defend your side of this, i'll defend my side of that, as if we're in this sailboat and if the hole's in your side of the boat, good luck to you. it needs to be that we have a collaborative, collective defense. those two things -- resilience by design across technology, people and systems, kind of the doctrine, and the kind of collective, collaborative defense -- can make a dramatic change in our fortunes in cyberspace, but only if leaders first and foremost say that it's their responsibility to deliver that and no longer assume that this is delegable or discretionary to some population in the corner that happens to have it or cyber in their job titles. >> over to sara. >> sara friedman, inside cybersecurity. we're coming up over a year since the cyber executive order was put out and now we're coming into the implementation phase. i wanted to find out how -- chris inglis, how you're involved in that and how you see that moving forward and to helping the government become more secure? chris: so first, i think you're talking about executive order 14028, which i think was issued on or about the 11th of may, 2021, so it's been just over a year now. and i think that that has been, in a word, boldly successful. why? because it actually declared that the federal government was going to make a -- kind of a fairly significant commitment to the foundational attributes that any digital infrastructure should have to achieve some degree of inherent resilience and robustness. now, the execution of that, in terms of the percentages of systems that have met the specified kind of requirements of everyone has to have multi-factor authentication, every system has to attend to encryption for data at rest or in transit, and so on and so forth -- there's a whole bunch of other technical mechanisms in there -- we've made significant progress in that regard. we are not at 100%. why? because 100% might not be the right goal, it might be that some of these systems actually don't warrant that, they don't have a public facing attack surface, or it might be that some of those systems have compensating controls, right, that are a proper substitute for that, that we don't use those in ways that are security relevant. but that being said, the first and foremost goal was to say, "we fundamentally commit to doing these things so that we have an inherently resilient and robust architecture," and it's the department heads and the deputy department agency heads that are accountable for that. my role in that is to oversee the further execution of it, right, to ensure that we're tracking those statistics and that we drive those to a proper conclusion, which in some cases the knee of the curve might be less than 100% but entirely appropriate, given the needs of the system and the -- kind of the threat that we're up against. kind of a preview is that we won't be tracking executive order 14028 forever because we've actually got something already on the street that will supersede that. it's called the zero trust architecture. we've asked all the agencies and departments to say, "using executive order 14028 as the foundation, that first cut of what right looks like, now let's go further and let's have a zero trust architecture which has some very specifically assigned attributes associated with it and plan across the fiscal cycle, which goes two, three years richly into the future, in terms of some detail, tell us how you're planning associated with that, tell us how you're budgeting associated with that, and we will then begin to track that, which is a super kind of set of the things that show up in the executive order. " samantha: we have time for one more quick question before we -- some wrap up comments perhaps? >> hey. adam janofsky from the record by recorded future. thank you both for your time today. i wanted to ask about -- a lot of attention has been given to russia and cybercrime but it's not the only threat. yesterday, fbi director wray talked about the threat from chinese hackers and said that that country's cyber operations were bigger than all other countries combined -- i assume not including the u.s. -- but i wanted to ask if the u.s. government has seen an increase in cyber threats from china, especially in relationship to taiwan, or any sort of posturing in that area? and if so, what's being done about that? chris: well, first, i would say, with respect to china -- >> just one more question to add to that. >> thank you. katrina manson at bloomberg. i know you've spoken before about the review of nspm-13. i was very keen of an update to understand where that is coming out. and also, just a follow up on general nakasone's remarks and your response to them, when you talk about cyber as an instrument of power in ukraine, are you seeing those operations as solely taking place on ukrainian networks or are they going further afield into third party countries or russian networks? and is that the same argument that you put forward as instrument of power, given it may be americans with their fingers on those particular cyber tools? thank you. chris: there can be a lot of choices. that's like eight questions. but all good questions. let me start with the first question. the denominator, right -- when you're talking about anything china, the denominator's large, right? and so, you know, given a population of in excess of a billion, then any commitment of some portion of that population to the use of cyber as an instrument of power on behalf of that country, it's going to be big. i don't think that we've seen any significant diminishment in their aspirations to use cyber as an instrument of power. i can't speak specifically about any particular application of that, not least of which taiwan, but to say that we do remain concerned about china's use of cyber as an instrument of power in disinformation, right, in kind of the surveillance that they would do for non -- you know, for purposes that we would find non-security relevant -- that is, you know, not those things that actually aid and abet stability of nations or the interaction of various nations. we are very concerned about that. and so therefore, while we're focused on the clear and present danger that is kind of obvious in the ukraine, we have to keep our eye on that larger set of activities, and certainly china remains kind of in that. nspm-13, i think the administration's on record of saying, "we did review that." it's now, what, four, five years hence -- its -- its original introduction, four years hence, and therefore, kind of a proper kind of system would say, "let's take a look at that to make sure that, in terms of what its purposes are and what its kind of implementation, kind of what its sops would be, is it still kind of doing what we expect the way we expect?" and they've made some adjustments, none of which i would say are significant in terms of the intention of why nspm-13 was created and none of which i think kind of, in any way, shape or form, diminish the value of the work that would take place according to the processes defined by nspm-13. the internals of that, of course, are classified and i can't say anything -- any more -- i wouldn't say any more to that, but we're largely in a place, we say, it still works, it's still viable, and it -- and it's still efficient and effective. both of those properties are important. the last bit of your question? >> russia -- ? chris: it's a bit of a -- you know, intelligence community's great secrets. not so good at mysteries. and it's a bit of a mystery as to why we haven't seen more, right, vis-a-vis cyber and the ukrainian kind of situation. why haven't the russians been more successful in using cyber against the ukrainians? why haven't they perhaps kind of at least visibly done more kind of outside of that against all the predictions that they would use not just disinformation but cyber broadly to hold not just the ukrainian society at risk but any of those who would aid and abet them? and i think that there are many kind of reasons why we might imagine that it hasn't been what we expected. one of those that comes foremost to mind is the ukrainians are actually quite good at cyber defense. they've been trained richly by a partner just to the north of them for the last eight years to be good at cyber defense. it turns out they are. it turns out that the kind of activities of the private sector and the public sector combined has created a more resilient kind of infrastructure, both in terms of it's inherently more resilient and robust, and when we find a flaw in it, we can add scope and scale, deploy patches, or interdict those threats on the fly. it turns out the russians have not been as aggressive in holding things outside of ukraine at risk, using what we might call cyber kind of offensive methods, as we might have expected. i can only surmise that, you know, some of that is because they're busy, some of that is because they kind of understand that there are thresholds -- they don't know quite where those thresholds are and they don't want to cross those -- but i'll leave that to the fullness of time, in terms of how to properly understand that. the situation for us remains we -- us remains, we need to make sure that we are resilient and robust by design, that we do that in the largest possible domain of interest, the international domain. we have allies. we need to make sure that we're doing capacity building and that we're defending common kind of resources, the internet being one of those, using the common assets that we all bring to bear. and that, for the moment, if the ukrainian people need our further assistance to defend themselves, as they have the right to do, that we bring the full resources to bear within the limits of the law, right, to do that. now, you've asked about whether kind of something beyond that, kind of a self-organized militia that might be kind of described as a group of vigilantes, whether that's appropriate or authorized -- it is neither, right? it might be, at the moment, useful but it is not appropriate or authorized, right, to have individuals stand in the role of governments. we need to make sure that we do that in the proper channels, using the proper modalities, which i think have been richly deployed. samantha: well, we've run up and over the hour. i think you can all see why we are so proud to call him one of our own on the commission. national cyber director inglis, brigadier general inglis, chris, thank you so much for taking your time to be here. it was a fascinating discussion. there's a lot more to dig into on the report that rear admiral mark montgomery and laura bate wrote. i encourage you all to take a look at it on cybersolarium.org, fdd.org. and with that, i wish you a good afternoon. thank you. chris: thank you. [applause] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org] [background chatter] over two and a half hours. -- 2.5 hours. >> i recognize myself to give an opening statement. -- in the way that we send and receive money. the early stages of innovation in this round are revealing the clear risk up -- associated with some cryptocurrencies, including significant volatility and even so-called stable points. despite their