
This Atlantic Council event is about two hours. Director of the Cybersecurity and Infrastructure Security Agency at the U.S. Department of Homeland Security and Principal Associate Deputy Attorney General at the U.S. Department of Justice. Going to go through some questions and we will have time to take questions. I wonder if you could get us started. Talk through some key framing assumptions for the strategy. What were two or three places you wanted the team to focus on shifting the debate? Thank you. The strategy. There are some fundamental shifts, as you recognized, in the strategy. First we have to start with what we wanted cyberspace to look like. What are we trying to achieve, what is our north star? That is to have a defensible, resilient digital ecosystem that is aligned with our values. That is what we are trying to achieve. At bottom our constituents are the American people. How do we do this for the American people? At its core, it is reliant, significantly reliant, on collaboration and cooperation. As you can see here, among departments and agencies. So there are two major shifts we articulate in the strategy to achieve the north star of a defensible, resilient digital ecosystem. One is that we needed to shift the cybersecurity risk burden from individuals, from consumers, from communities. Lift it off of those individuals least capable of withstanding cybersecurity risk. Shifting it to entities, and I include the federal government, entities more capable of bearing the cybersecurity risk, to buy it down. We all know in this room you don't get to zero risk. It is all an exercise in mitigating risk. What do you do with residual risk? We have to make sure it is resilient. That people in cyberspace are resilient. This strategy has five pillars. With an assortment of tools for us to achieve the north star, and I will probably talk about them in greater detail. There are two APIs I hope we will talk about. We build an API for digital skills.
We build an API in the form of a full pillar because it is important for international cooperation and collaboration. My buddy Nate is going to talk about it. Those are the major shifts. I like the notion of an API on a strategy. We'll be talking about the different networks. I want to follow on this. The idea of shifting the burden seems like one of the central points in the strategy. The emphasis on the security of cloud computing. Thinking about these services as being incredibly widely used and the actual adoption being a big part of the discussion about how to drive down the ecosystem. Everyone from the CIA to Walmart adopting the services. It seems like the security is a key part of the ongoing security conversations. I'm curious for you. There have been a couple of examples of security failings in the last couple of years. The Deputy testified about one such incident regarding SolarWinds in March of 2021. How does the strategy help encourage resilience in the largest cloud service providers? Great to be here with teammates and friends, and kudos to Kemba and Chris and Rob for the collaborative way you all worked to develop the strategy, and now we are Team Cyber in implementing it. Great question. One I know you have thought a lot about. So thanks for moderating the conversation. We know that cloud infrastructure is important and helpful for businesses of all types. Large and small. In particular, we are focused on these target-rich, cyber-poor entities. That do not have the resources or expertise to be able to effectively secure their data on premises. So for these types of entities it is even more important we think about this burden-shifting concept. I think it is a brilliant, game-changing piece of this. In the context of cloud providers, the so-called shared responsibility model, that is not a one-size-fits-all concept. For the vast majority of businesses, the preponderance of the security burden must be placed on those big cloud providers. That means baked-in security by default.
So MFA by default. Robust security logs. Access controls like password complexity requirements. All baked in by default. Incredibly important they take the responsibility on. We know major corporations that put hundreds of millions of dollars into provisioning and managing the cloud may want a certain degree of autonomy, but for the 99.9% of businesses which are small businesses in this country, with a median size of less than 20, they absolutely should not be bearing this burden. To your point on SolarWinds, lastly, I read this great report. I'm going to read it again. Read Broken Trust. You are absolutely right. This was about SolarWinds and it was just as much about weaknesses in the cloud and limited visibility. One of the reasons why we did not detect impact on some of the departments and agencies is they could afford to pay for that visibility, so they did not have the security logs. We are in robust conversations with our tech partners. We are hoping to make progress. Incredibly important those who can bear the burden bear the burden. We are about to release a product, with our federal partners and with many international partners, on principles and approaches to secure by design and secure by default. A lot of this is about pillar three. How do we shape the ecosystem for more resilience? It is rooted in three things. Vendors must own the security outcome for consumers. Vendors must provide, and consumers must demand, radical transparency when it comes to security and limitation. Businesses at all levels, and in particular technology manufacturers and software providers, need to embrace corporate cyber responsibility. Need to own cyber risk as a matter of good governance. To the strategy, which I would say is ambitious and audacious, I think it meets the moment. These are important things we have to make progress on. I like the notion of corporate cyber responsibility. I want to come to you.
We have seen in the last year and a half some tremendous words. I was a summer intern here and in the summer of 1997 so a homecoming for me. I was in brussels on march 2 the Data Strategy was released. Really got a visceral sense of the hunger on the part of our nato allies and our colleagues across the you that you i felt i the entire day feeling insightful questions that come only from reading it closely and thinking deeply about it. Make no mistake our National Strategy is of great interest to allies and partners around the world. When we talk about capacity, let me take a step back and frame it in terms of how we think about this at the state department in terms of geopolitical competition. Its use Cloud Computing as an example. If we had been sitting here in 1993 30 years ago implicitly, we had a seemingly unassailable advantage in telecommunications technology. The United States, korea, japan, western europe had samsung and ericsson and nokia but we also had bell labs and motorola. This deep bench of companies. Most of them are going to those that remain are not what they used to be. We are fighting from behind in a lot of ways. It is worth thinking about the areas we currently have technology advantage. And what is required to sustain and defend that advantage. Like anything it is easier to defend it than it is to regain when you lose it. Cloud computing is a terrific example. It is no accident the top five Cloud Computing providers globally are american businesses. I would make the argument they are foundations of National Strength to Technology Innovation broadly will be a foundation of National Strength. More like demography or geography then like military capacity or gdp which are downstream of technologically debt of Technology Innovation. 
At the foundational letter for us, this is about building coalitions and defending strategic advantage in Technology Areas that are essential to the future of a free and oh global interoperable secure internet so we are not fighting from behind. One followup for you. As you are think about the way the strategy comes together, to what extent do you see consultation or more cooperation with these companies being a part of this process . Well have an exciting announcement next week. Someone from the unity known to probably all of you is going to join with us to work on strategy. My office is tasked in the ndaa with taking the lead in drafting the Cyber Strategy which is designed to snap into the National Strategy in a way that is congruent and derivative. It was engineered by design from the outset in a way i think is elegant and i think is going to be helpful. I think youre going to see some of the threads and themes continue. The demand for Capacity Building and literacy support around the world is overwhelming. And it takes a bunch of different forms. What i would when i would highly is we tend to think of it in terms of technology building. That is only a piece. One of the greatest areas of the sisters we can give allies and partners is in the conceptual arena. The cultural arena. The strategic arena. Sure, approaches have to be tailored to unique National Circumstances but a lot of what we have done across the different parts of the u. S. Government can in fact be customized. That is going to be a big piece of it. Lets not reinvent the wheel. Speaking with the api concept come a lot of good engineering learning going on here. I went to extend the allies question. Pillar two has the doj front and center. The department has been active with european allies in darknet forms. What do you see as the evolution of those kind of disruption activities the next two years until extent our allies playing in a different role in that how is that evolving . 
Thanks for welcoming me here. Allies are critical to every disruption, detection and dismantlement effort we engage in. The world gets smaller every day. Cybercrime, Cyber Threats are international in nature inherently. We need to make sure the borders get in the way of being to follow through on pillar two and disrupt and dismantle the threat actors that are out there. We have been working hard as a department to put together the kinds of coalitions we need to be effective. We do that at the fbi through its cyber a let program. We have dedicated and experienced an expert fbi agent in countries across the world in europe as you mentioned but also asia and australia. Up in canada and we have plans to expand that program. This could a clear important to have folks on the ground in those countries making those relationships stronger every day. We have our chip network. A group of prosecutors also out working day in and day out with partners around the world. Everything in washington needs a good acronym. We have our coil. This is a particular prosecutor in charge of our Cyber Operations internationally. She is our Cyber Operations international liaison. I thing works every day to submit those relationships and grow them. That is what has enabled us to be successful and on our front foot recently in bringing some of these disruption actions where you dont just have folks taking down servers and arresting bad actors in the United States. As to ways this week you have folks taking those kind of actions across the globe. All simultaneously and coordinated. That is how you are able to take the fight to cyber criminals and threat actors is by calling on those relationships which have to be built over many years before we are able to execute the kind of coordinated takedown that we did earlier this week. We do have plans to expand some of those programs. As you mentioned in pillar five. 
Nate mentioned earlier this is a big part of growing our capabilities and implementing the strategies. Deepening the relationships. One more thing wishes i think we have always ranged in the cyber world where when people experience Cyber Attacks whether it is companies, individuals, nationstates, they are at their most vulnerable and we as a government can help those folks at that moment, that is an incredible relationship living opportunity. The fbi has cyber action teams that are like go teams ready to move to any part of the globe to help an ally or partner and respond to an attack. We have successful in doing that in countries across the globe recently montenegro, costa rica. We have been able to help them when they are the most vulnerable and that is a great way to not only defend and disrupt but build alliances and relationships. I like the longterm thinking. We should be taking an arc that is more than just an immediate need. I want to come back to all of you. Think about your own trajectory, doing some interesting things that sums treating things at some cool agencies. This emphasis on more than Technical Skills but policy and governance skills in emphasizing skills over credentials. I wonder if each of you could reflect on how your career brought you to this place does give you coming out of brought you to this place. What is advice that you could give to anybody and it is from would like to be sitting up here in just a few short years. I come to this position really as a generalist, as a prosecutor. I grab as a prosecutor understanding how to bring federal criminal cases and then as threats evolve moving into the terrorism space when that was the emerging threat after 9 11 that our department of justice needed to move to be more effective in disrupt and deterring to the cyber threat. 
For me it was about onthejob training and using the skills ive built on the other aspects of what the department of justice did and learning what i needed to know on the cyber front to be able to add to that. We were lucky enough to have folks who were trained initially in cyber Technical Skills and move into the prosecution. For us we need both. We need folks who master the key prosecutorial and messy it of skills for our bureau and other Law Enforcement agencies and learn cyber to add to that skill set. You also need folks who come with the Technical Skills to make that team we need to be effective. I think from my perspective i have one piece of advice, it would be never to stop learning and looking from a career perspective what the next challenge is that faces your agency, the government, the country and growing to me it. As you said, i started in the ella terry. Engineering any the military. Engineering degree and masters degree in philosophy. When i found myself actually in iraq in 2006 as a brandnew lt. Col. As the chief of our cryptologic Services Crew with a mission to help enable and implement teams from nasa throughout iraq and operationalize new Hightech System known as regional gateway and it was the idea we would bring the power of the National Security agency to the troops. It had always been never say anything. No such agency. Keith alexander who was the director won it to make sure his west point classmate Dave Pretorius had what he needed to deal with a difficult situation in iraq. It was an opportunity to see at that point in time the power of technology, the power of imagination in using some of these Technology Capabilities to make a real difference on the ground in a significant way to help save lives. That to me was an epiphany about some of these capabilities and after that i was asked to stand up the army first cyber battalion and work on the stand up of Cyber Command and found myself in the private sector at Morgan Stanley and back here. 
I could never fail to take the opportunity to give a recruiting pitch. At cisa we are looking for technical experts but we are looking for people engaged in policy and communications and Human Resources and other Operational Risk management so we are doping a different type of agency. Something that is much more of a private collaborative where Building Trust and ensuring we are always adding value in being transparent and responsive is the name of the game. If people want to come join us, we provide flexibility. We have a great culture. I would say reach out to our teams and come join the defense of america. I started in uniform should i was marine infantry officer. I lantern action with the elegy it was banging the radio with a rock when it did not work. I got an mba. I was in a bunch of different leadership jobs. I started and grew a Small Technology company that became ape they company. I ran a chunk of the public Technology Company before coming back into public service. Whereby the way i skip into the office in the morning because it feels so good. The palpable sense of being part of something bigger than you and important, i felt it as a jr. Officer in the military. It is good to recapture here now. The comment i would make is i think in this area in particular , if you agree with the proposition i started with that Technology Innovation is likely to be the foundational source of National Power in the foreseeable future, then we need technology, Business People who are public minded and we need people in government who have commercial sensibility. The two things have to work together. I am a proponent of careers that work along that seem. Ideally what it can give you his binoculars vision rather than looking through the proverbial soda straw. You can see both. My advice is maybe try to weave back and forth. 
If you are building a private secretary private Sector Technology career, please do consider giving a portion of your time and energy back to public service. It really is fulfilling. I will start with the advice and give you my rundown. My advice is absolutely anyone that wants to do Cyber Security should do cybersecurity. Is not matter what your background is. We need all of your experience, all of your perspective in it. I read a book last year code girls that came out a few years ago. They recruited crypt colleges that were women because it was tedious for others. They recruited musicians for example because they could see patterns. My advice is it does not matter what your discipline is. It does not matter what your curiosities are bring all of that to cyber. There is space for you. I started off, i got my bachelors degree in Political Science after trying out Biomedical Engineering and realizing i did not like organic chemistry. I did that at hampton university. And went to princeton to get my masters in public affairs. Decided not to go to bosniaherzegovina in the mid90s and went to georgia and did developmental work. I wrote grants. Mostly related to microfinance. Focused on microfinance community development. Some conflict resolution. And then decided to come back to the United States to be in the headquarters of that nonprofit and focused on west africa. Over time i realized International Development works in hand with Macro Economic issues. Macro development issues. Development was now going to take hold well and less felt safe and secure. I decided to take the easy route. Instead of getting a phd in economics i went to law school at georgetown in the late 1990s. I cannot believe ive been here for that long. Turns out i was a pretty good lawyer and ended up clicking on the fifth circuit in louisiana. Practiced law at a white shoe law firm and decided to get back to my roots which was International Development. 
So i did that in the form of international trade. Did not like it jane elliott did as like organic chemistry. Went to another law firm and focused on National Security law. Did that for a while. Was one of those unicorns that applied on usa jobs for a job on the department of Homeland Security and got it. You are the one. I am the one. Went to Homeland Security in a variety of roles. Running what was then known as team telecom. Looking at National Security concerns on Foreign Investment in fcc licensing. Did a stint in cargo security and transportation security around the time we got bin laden. Then was the full on lawyer for jeh johnson. The cases that were most interesting where those related to cybersecurity. I ended up because i was bothering what was known as nppd then. I will not go through the acronym. Bothering them so much they said you should just come work for us. I went there as a lawyer focused on the Financial Sector and Critical Infrastructure sector. And energy. Those were two complex sectors. I understood how to read a balance sheet. They gave me a collateral duty on the side to focus on Election Security which is how ive met chris krebs and i was his lawyer then and in some ways still am. Election security and cybersecurity. And was recruited out of cisa to microsoft where they called and asked do you want to be the lawyer that defends democracy. Yes. There is no other answer to that. 2020 elections were deemed secure and microsoft asked me to stand up the Ransomware Program in the digital crimes unit which i didnt tell the white house called. That is a call you dont say no to. That is a long story but i thought since we have interns in the room we would go through the entire story to tell you cybersecurity was not a discipline when any of us were in school. Im so thrilled it is a discipline now so i can only imagine what amazing youre going to do in the future but bring your whole self. Bring all of your experiences. 
Had you asked me even five years ago was i going to end up in the white house as a National Cyber director i would have chuckled. My brother says i knew that was going to happen. But it is outstanding how much cyber i have no engineering in my background. No military experience. To be sure the space for technologists in this space but we need just as much work in the people part of cyberspace and the policy and process part of cyberspace. All of it requires us. It has been my mission to take cybersecurity out of the way ivory tower and distribute it to the rest of the world because it is everybodys business. It underpins everything we do these days. So just go for it. One thing that seems to bind all this together i think is the sense of mission i think you can get from the cybersecurity place but also from government service. I think it is the one item i think bonds although stories together and i think that is what makes working in this area so fruitful and rewarding. Getting to come to work everyday and go after cyber criminals and figure out how to dislodge botnets from networks and help victims gets everybody up in the morning and makes you skip to work as nate said. The mission piece is interesting. It is large and small. Some of these tactical specific engagements. These rod strategic efforts but i like the notion of distributed. The cybersecurity question is not just for you four. Thank god. One of the things we have heard a lot about from the strategy, from congress in the last two years is security of digital infrastructure. There is a tendency to make that a centralized elite politics topic but one of the issues we have been focused on here is the security infrastructure that is developed by communities. Thinking about open Source Software and trying to limit the harmful burden of either new bigler torrey approaches on them. Im curious if we can talk about where your organizations are interacting with his open Source Security problem. 
CISA has announced it is hiring an open source security lead, which made a number of us excited too. Can we expect to see more programmatic support from CISA in the future? Are you interested? Anybody who is interested, please reach out. Obviously open software and the entire ecosystem is important. The government is one of the largest users of that. We have a requisite investment in ensuring the security and resilience and sustainability of the open source ecosystem. We are hiring for a lead, which we are excited about, but we're also doing a bunch of other things. If you had a chance to look at our planning agenda, we had a whole project focused on how do we identify and mitigate risks, in particular from open source software, to industrial control systems. A huge focus on that across the board. Looking at prevalence of open source within the federal enterprise and critical infrastructure. So we can assess and mitigate those risks. We are looking at ways to harden open source ecosystems. Things like movement to memory safe code. We did a speech at Carnegie Mellon recently to talk about the importance of substantiating more memory safe programming in college curricula. That is incredibly important for the open source piece of this. Looking for things like a coordinated vulnerability disclosure program. And then we are working with OMB and the Open Source Security Foundation. To try to move the ball on all of this given the incredible importance. We don't want to inhibit. We want to enable so we can continue to drive innovation through open source. One of the things we are trying to make progress on is software repositories and package managers. It is important when you think about how package managers, people can get their open source software in libraries. They have to be upgraded. There is still an ability to download vulnerable and malicious code from these. Making sure package managers mandate that maintainers have multi-factor authentication.
So that you can ensure that when you put libraries on, they are updated and upgraded with the latest security. That is incredibly important and something we are trying to move the ball on this year. This is a community. Like most things we deal with, it is all about bringing together the power of the community. We don't have law enforcement or badges. We are not intel collectors. We are not a regulator. We are about how do we ignite the power of the community to advance security for arguably one of the most important ecosystems we have to power the federal government and critical infrastructure. Really like the emphasis on communities. To your point, some broader software security challenges, but areas where we can better resource these communities and support the kind of work they are doing. So many of these communities are global. You're not strictly bound by particular boundaries. I'm curious where you see open source playing a role in some of those transatlantic conversations? The company I built was an open source security company and became the foundation for an open source security company. This software has been downloaded more than a billion times globally. I'm a big believer in this. I think there is a powerful democratizing element that makes sophisticated capability more accessible to people globally. And ultimately, with the right controls in place over time, I would put my security bet on a community rather than a small team of engineers behind a wall, no matter how good the team is. At the philosophical level I do think this is the future. I think we are in the early stages of an open wave in technology broadly. We see it not only in the security software stack but we see it in telecommunications.
The beginning of the popularization of open radio access networks. If we get to disaggregate the telco stacks and introduce innovation at every layer, maybe we can do the unimaginable and bring venture capital to telecommunications by breaking it apart in enough ways that you can actually fuel technology innovation at the different layers of the telco stack, which would be extraordinarily good for users. Extraordinarily good for the security of the ecosystem and, to get to your question, make all of this more accessible to broader groups around the world, because we often talk about the asymmetry of cybersecurity in a way that is negative. We talk about the fact that a relatively small number of nefarious actors can put the stick in the spokes of our complex enterprises. The inverse is also true: relatively low investments in security capability can generate outsized capacity. That is a message I try to drive home around the world. Small countries, countries with relatively low budgets, can indeed become net exporters of security. And open source is a part of making that capability more accessible to them. The accessibility piece is interesting. The stick is going to stick in my mind. A really interesting proposal in the strategy to hold vendors of software liable for flaws in how they are building their code. The strategy does a nice job carving out that these burdens should not fall on open source developers but on those entities that fail to take reasonable precautions. We might imagine there is going to be pushback to this from vendors who feel like they have gotten used to exercising less care over how they develop code. We had one gentleman who mentioned we should all be worried about fly-by-night companies. Do you want to set the table for the negotiations? We have done this before. We have done it in auto manufacturing before. We cannot allow the end user to be held liable for flaws in code. It is that simple.
In the auto manufacturing space in the early 1900s you could buy a car and something went wrong with it and you would go back to the car dealer and it was something wrong with your tire and they would say we are not responsible. As the tire dealer. Made it very complicated. At the end of the day we now have a regime where the final assembly or is held liable. We do the same thing in food. We have food safety measures. There might be some safe harbor where you can have a little bit of rat hair in your food. But that you are held liable if you have the whole rat. It is true. It is not easy. We have done this before. The ultimate idea and i think jen said it in one of her talks we cannot normalize patching all the time. We have the tuesday patch. That is not reasonable. That is not exercising a duty of care. It is going to take time to do this. We want to do it right. Want to be thoughtful about it. We have to think not just about duty of care and imposing liability but what are the safe harbor is going to look like in this space. I dont have the answer yet but im excited about this part of the strategy because i think this is one of those tools we have not leaned into that is bold that will actually make a difference. It is a multistakeholder multi your exercise. It is doable. We will get there. I just think this is so fundamentally important and something we have not talked about before. We have for years accepted software and technology that is insecure by design and why is that . Not because the Software Makers are bad people, they are incredibly innovative and smart and creative people. At the end of the day the incentives were misaligned. The incentives were about reducing cost and speed to market and cool features. They were not about safety and security. Because everything now has a technology backbone, all Critical Infrastructure is underpinned by technology whether that is informationtechnology or operational technology. 
We have to make this fundamental difference. I always go back to ralph naders book 1965. Unsafe at any speed and think about it unsafe at any cpu speed. That was 1965 should it took until 1983 to get legislation for seatbelts. We cannot wait that long for the technology we rely upon every hour of every day to be inherently unsafe. This is interesting because given the prominence of the issue and to your point i think the potential role for congress, i want to ask marshall about a program the strategy calls out the doj has in place to hold Companies Accountable specifically vendors to the federal government should i believe that is the civil fraud initiative. Old account entities or individuals that put u. S. Information or systems at risk by knowingly providing deficient cybersecuritys or services. I would be curious to know what would you need in terms of clarity on a standard or duty of care to use ccf i to start to hold companies venting to the federal government liable for defects in their product . In the next year youre already moving out in the civil fraud initiative. It was launched in october 2021. Has a lot in common with what we have been talking about during the last couple minutes which is the idea is to hold accountable those who are capable and have the resources to invest in protect and also take advantage of one elements of the federal governments power. Which of the values and all instruments of power to attack this problem. One is our procurement authorities and capabilities and being able to drive innovation and security through Holding Accountable those who come to the photo government and contract with the federal government or the end to the federal government. The idea of the initiative is using a very old law, a false claims act passed in the civil war era to ensure that anyone who had defrauded the government during that difficult time was held accountable and use it today in the 21st century america. That is the concept. 
We are already doing it. It is holding folks to requirements that are in some of the federal regulatory code already regarding having to disclose incidents and disclose areas of deficiency, and it also requires certain standards of care. All of that can be handled through this initiative, through contracting power, so we can set standards of care even if they are not universal. It is a tool, but it is only one tool, and it becomes part of the broader ecosystem of ways we need to address the problem. So maybe we start to see action in a phased way without having to wait for the silver bullet from Congress.

We are going to do two more questions and then we want to go to the room and to those of you online. Those of you here, we have a microphone on the stage right side. We will take questions as we go. To this group before we wrap up: the National Cyber Strategy does address the proliferation of spyware. We have seen an executive order and a groundbreaking statement together with a number of international partners. The strategy highlights these tools and services, and the President told us countering this proliferation was a fundamental national security and foreign policy interest. To start with you, where does spyware fit into DOJ's disruption activities? How will the departmental approach to spyware change in response to the strategy?

I think there are a couple of ways we interact with spyware on the law enforcement level. One is just by going after criminals who misuse spyware to target individuals and companies and nation states, and break the law by using it to invade privacy, using it to steal PII to commit different forms of identity theft or cybercrime. That is one area we interact with.
The other area is ensuring we as a law enforcement community and intelligence community, which DOJ is also part of, live up to the ethics and purpose of the country and our commitment to ensuring we are not buying or licensing spyware products that cut against our values, that are used either by adversaries to engage in illegal or other kinds of activities that would run against our core principles, or used in ways that actually cause a national security risk to the country. That is the principle of it. We believe in it at the principle level, and in terms of the execution, it will play out as it goes into effect.

One of the recurring pieces is the impact on technology users. Where do you see CISA's work on secure by design playing a role in that debate?

What I'm most excited about, and it was announced last week, is our work with high-risk communities. We mentioned this in our planning agenda, and we announced it at the Summit for Democracy last week, but we have a whole effort focused around civil society. We know civil society is targeted by authoritarian governments who want to stifle free speech and democratic values. One of the things we want to do through our Joint Cyber Defense Collaborative is work with civil society and government as well as technology companies to understand the threats civil society has to deal with from things like spyware and cybersecurity threats, and develop and improve joint defense plans. We are already having conversations about the threats we face and the threats they face, what we can do to mitigate them, and how we can amplify best practices. For those of you who did not see the summit, there is a great panel with my Secretary, the DNI, but also Citizen Lab talking about this, which I thought was fabulous. We are working with the U.K. as part of the strategic dialogue and other like-minded partners.
International cooperation to deal with the threats that civil society and other vulnerable populations like cybersecurity researchers or journalists have to deal with, so I'm excited about that. Finally, our technology council, which is a subcommittee on our advisory board led by Jeff Moss, is looking into this issue and making recommendations. We have fantastic experts on this. They're going to help us get this right. I think that initiative will be one of the areas where we can make some great progress, working with the community.

It is helpful to hear there is a domestic and international component. One final question before we go to the room. There is a growing amount of work in cybersecurity policy. The space has been more active in the last year than in the last five. It has everybody keeping pace and struggling to do so. Releasing the strategy has helped to kick off an important set of debates amidst and on top of the mountain of work, and recognizing that not all of you will get to see your efforts through, I am curious what is one piece of advice you would give to your successor about the way you are framing or prioritizing work under the strategy for maximum impact?

I am the recent successor. I think I would start with: lean heavily on interagency partners, private sector, academia and civil society as you drive implementation. Understand that implementation is a dynamic process and there is not an end. We are trying to make our system defensible and resilient and aligned with our values. That is an iterative process. Lean on interagency partners. ONCD in particular, our superpower from my perspective is the people in our agencies, all leaders in their own right, and also doers. For my specific successor I would say lean on your power in your organization. Those are the three pieces.

I think we need to frame in affirmative terms a further and attractive vision for what the future can be.
Build a coalition, the broadest possible, around that; sustain and defend the areas of advantage that are the wellsprings of our power in the area; and build the organizational capacity in our government to sustain what is likely to be a generational strategy. So, my plea to my successor will be to maintain that internal focus too. Don't forget the need to continue modernizing our own institutions, attracting the kind of talent we need, promoting the kind of talent we need, retaining the kind of talent we need, and changing the funding processes and organizational structures in order to ensure we can continue to adapt at the speed that these technologies are changing.

Well, I think anybody who aspires to take this job has to fundamentally understand that this job is about partnerships, and the most important currency is trust. Trust with your federal teammates, state and local, with industry, and you build trust through transparency and through listening, and you build trust through treating feedback as a gift. It goes back to the people part of this. From a strategic perspective, I think we need a new approach that's sustainable. We're not in a world where we can continue to do what we are doing, and the National Cyber Strategy reflects the two changes. What we are focused on in this year and the out years is the technology safety piece that we think is fundamental, ensuring the technology we rely upon is secure by design and secure by default, ensuring that businesses large and small embrace corporate cybersecurity as good governance. Finally, catalyzing collaboration, transformation from public-private partnership to real-time operational collaboration where you have a default to share, where you see the government and industry as co-equal partners, with reciprocal responsibility for transparency and value added, and where you have the right platform so you can share in real time to be able to take advantage of data analysis.
We're working through that as our joint cyber environment. These are the things I hope we can continue to sustain, to really make progress in a world where we don't worry so much about asymmetry of capability. We worry about asymmetry of ethics. The Chinese and the Russians, the Iranians and the North Koreans will do things to our civilian and critical infrastructure that we would not do. We're seeing that in Ukraine right now. We don't have a lot of time to lose, which is why implementation under the leadership of our fearless NCD is so important.

I think the advice I would give is to innovate and meet the moment. At the DOJ, I think over the last couple of years we really tried to rethink how we can use our tools and authorities most effectively to be part of this interagency team, be part of this overall collaborative effort to attack the threat. That, for us, has meant rethinking decades of strategy of solving crimes and prosecuting criminals, and thinking about how to use our authorities and capabilities to take the fight to the adversary: to disrupt, deter, detect, and dismantle, rather than solve crimes after they have been committed. That's required a whole new way of thinking: using lawful authorities, how to do so using relationships, how to better interact with the public, and better protect victims proactively. I think what we are starting to see, take ransomware for an example, is data reflecting that the effort has resulted in increasing, although not high enough, victim reporting, and decreasing ransomware payment numbers. And we are starting to see that that effort to get on the front foot, take down actors, even if we can't necessarily put cuffs on them and bring them to justice in an American courtroom, working with our foreign partners abroad, we are taking actions to bring down the infrastructure of our adversaries to make it a costlier business to do cybercrime.
And to increase the ability of victims in the private sector to take steps, working with law enforcement, to counteract that.

We are looking forward to seeing all these efforts sink into the agencies, but it is a credit to the team. The strategy has opened up the aperture of what we think of as cyber policy conversations. I don't think we have seen a document that integrates the private sector more effectively. Thank you for that, and thank you to this group. To the floor. If I could ask, one, keep your questions brief and make sure there's a question mark at the end of it. Let us know your name and affiliation.

Julianne, I am the chief strategy advisor for the public sector. My question is, what can the panel talk about in terms of reducing or lowering the barriers from the industry side, to check the boxes, make it through the requirements that are on us for software, specifically for FedRAMP? It can be costly, time-consuming, to be wanting to do the right thing, to be a good corporate citizen, to have cyber responsibility, and then waiting weeks, months, just for a response from the office that we submitted the package to. That is just one barrier to partnerships. Is there dialogue? Are there discussions ongoing to help industry do the things that government is requiring us to do to be good partners?

I can start. I'll start with a couple of comments. The strategy, I will make it short, we talk about using some of our regulatory authority to be able to shift this balance. We do it in three parts. They are co-equal. One is to harmonize regulatory burden, find reciprocity where we can, find gaps where we are not using our regulatory authority to raise the cybersecurity of those that are not investing in cybersecurity. As we do that, doing it in full consultation with regulators and the industry that has to bear the burden. On FedRAMP, I understand the challenges. I've spoken to the administrator.
We're working through that particular complication together, with the ATOs and the time delay it takes. We acknowledge that. The more we hear from practitioners, the better we can serve practitioners. We've heard it loud and clear, and we are trying to find an opportunity. The other pet rock: it's not just harmonizing regulations but harmonizing standards in general. There is work to be done so that we invest properly in cybersecurity rather than compliance, or ATOs, or whatever it is. Thank you very much. Sir.

Thank you all for being here. My name is Joseph, with Washington College of Law. I was, full disclosure, recently described as having an unhealthy relationship with CISA. I don't want to preclude involvement from the rest of the panel. [laughter] I was curious, it was mentioned quite a bit in the strategy. It emphasizes using existing legal authorities to see this mission through. With some of the rapid advancements in AI technology, and the unforeseen ways they might be implemented both in critical infrastructure and to make your lives harder, to what degree do you feel existing legal authorities are sufficient to realize the mission or the vision articulated in the strategy?

I'm happy to start. I'm happy to talk to you afterwards if you have your unhealthy obsession. We are just downscale. [laughter] I'll take your question in a different direction. I think this is the piece of the technology conversation we're having. You go back to the original sin of the wonderful internet. It was not created with security in mind. We went to software and the incentives were not about security or safety. So we created a multibillion-dollar cybersecurity industry to bolt on greater complexity. We had social media breaking things and breaking the mental health of our kids, and then AI. We are hurtling forward in a way that I think is not at the right level of responsibility.
Implementing AI capabilities in production, without any legal barriers, without any regulation, frankly, I'm not sure we are thinking about the downstream safety consequences of how fast this is moving, and how bad people, like the counterterrorism folks at the White House would say, or cyber criminals or adversary nation-states, can use these capabilities, not for the amazing things they can do but for some really bad things that can happen. Weaponization of cyber, weaponization of genetic engineering, biotech. So, I have been trying hard to think about how we can implement certain controls around how this technology starts to proliferate in an accelerated way. This is the biggest issue that we are going to deal with in the century. If you think about the most powerful weapons, it was nuclear weapons, controlled by governments, and there was no incentive to use them. It was a disincentive to use them. This is the most powerful technological capability of the century. We don't have the legal regimes, to your question, or the regulatory regime to be able to implement them safely and effectively. We need to figure that out in the near term.

Can I just add? Yes to all of that. I'm obsessed with CISA. You never really leave CISA. You jump in, and then, yes, you jump out. I'll give you a framework to think about it as a law student. AI. I think I look at cybersecurity not just as a security issue but as a tech innovation opportunity, a social justice opportunity. AI is divided into three pieces in my mind. Data, which fuels AI, and how do we think about data security, where are we getting our data from, how are we analyzing data, can we use encryption to do so, or other encryption to analyze it without decrypting it or without putting people's data at risk? Data fuels it. Then compute power: how are we thinking about compute power, how are we thinking about quantum? What do we think about compute power? How are we thinking about legislative boundaries?
And then the intellectual, operative piece of it, the algorithms piece of it. From my perspective, coming from my experience, the algorithm piece of it, what are we doing with security by design? It's also a people issue, and how do we think about the people who are developing the algorithms, what are we training them? If you break it down into its parts from a cybersecurity perspective, and I'm sure there are other parts of it that I'm not thinking of from other perspectives, then you can start really thinking about what the legal framework should look like around AI. I don't have the answer, but I have a framework for thinking about it. Student note to be written. Sir?

Thank you. David. I want to put in a plug for young people looking to build the platform. Come to as many think tank events as you can, including those of the Atlantic Council. Whether it is Atlantic Council or Heritage, that's what you ought to do. Introduce yourself to as many people as you can. Except me. [laughter] A strategy is only as good as the implementation and execution. You guys are working on the execution guidance. In line with the questions we have just had, how are you including the non-government people in that process as you develop the execution? There are lots of hiccups that I learned about when I was in the government. I thought I understood. When I came out I realized I did not understand at all. How do you include that? In that context, we tend to think of cybersecurity as nesting. At the middle is .mil, then .gov, etc. No matter what your regulations are, whether you are buying fuel to refuel a ship, whether you are a State Department implementing partner operating in countries where your only telecom is Huawei, you will be dealing with people who will not want to comply with the standards you are setting. How do you implement that into your execution? Who wants to take that? I can start.
The last page of the strategy says we will lead the implementation planning process. But the implementation planning, we did not create the strategy in a bubble. We did that in full collaboration, full transparency. The process is the same way. We're not doing this in a bubble. As a practical matter, the action items in the implementation plan are going to fall heavily to departments and agencies. We've been collaborating with the departments and agencies. There is a lot that did not make it into the strategy, but it hit our implementation plan spreadsheet. So we preserved all of those actions. We've been working on it. Work for the strategy, one of those pieces of implementation, we may publish our bias when necessary to help bring in industry support, as it relates to liability or regulatory harmonization. Engaging on a regular basis is part of the process. It's an iterative process. We'll continue to make it iterative. It will be public and transparent. I want to give my colleagues a chance.

Happy to jump in there on aspects. Your point about multistakeholderism, at the State Department that's our buzz term for non-governmental actors. It's essential here, for all the obvious reasons. The bulk of the attack surface, the technology innovation, sits in the private sector. In our bilateral and multilateral dialogues around the world, by design, we have representatives from companies and civil society at the table. So, they can't be brought in late in the game to give a superficial wash or endorsement of policy development. They have to be there in the beginning, at the formative stages. That's the key pillar of everything we are trying to do. You put your finger on something that is essential and too little discussed, the trustworthiness of infrastructure around the world. That really does get to a foundational issue. We may be talking about security at the top layer, but if the architecture is fundamentally untrustworthy, then we obviously have a big problem.
So, as we think about global ICT infrastructure, I'll tell you, to define it broadly, this is cable and fiber. It's also wireless networks, satellites, and it's data centers and cloud services. We have a diplomatic engagement strategy around the world to ensure that our closest partners and allies use only trustworthy infrastructure. That's an uneven effort. It was telling that the cell tower on top of the hotel hosting the Munich Security Conference had Huawei in it. We've got a long way to go. We have a long way to go across swaths of the developing world. We try to make our point that this is an inhibitor to information sharing, intelligence sharing and collaboration. It's a foundational piece of our bilateral and multilateral relationships. I will say that this gets back to the point of sustaining and defending advantage where we have it. We used to have the advantage here and we lost it, while they ran the table globally, initially based on IP theft and decades of P.R.C. subsidies of their business. That catalyzed indigenous innovation, which is something that is a reality now that we are going to have to confront. We need to confront it not only in telco but in other technology areas. Taking it back to AI, I would argue this is one of the very top priorities in terms of where we need to sustain current advantage, precisely because of its generative quality. Building a faster missile does not beget a faster missile. Building a capable AI system does not beget more capable systems. Early deficits compound.

CISA, which I am also obsessed with. [laughter] Our mission is to lead the national effort to understand, manage and reduce the risk to the cyber and physical infrastructure Americans rely on. The vast majority of the infrastructure is not owned by the federal government. So, everything that we do, I probably spend 80 percent of my time with the private sector, or state and local, or nonprofits or civil society.
And we are every day, day in and day out, working to get feedback, to ensure that as we develop standards and as we develop things like the cybersecurity performance goals, we're doing that in a consultative way. That's the way we plan to implement this. Frankly, this is not a case where we're going to implement it later. We are in the strategy.

Very quickly, from an implementation standpoint, we're not starting at ground zero. A lot of what gets captured in these pillars, and I will talk about the pillars the DOJ is most involved in, pillar two and pillar five. When it comes to dismantling threat actors, the big picture item of pillar two, we're engaged every day with that process. We're leaning forward, being proactive, more disruptive than we have ever been as a department in government. So, if we're going from zero to 60, we are not at 60, but we're not starting from zero. Yes, we need to forge international partnerships, but we have a lot to build on. That is true across all the pillars.

Let's go back to you, sir. Good morning, thank you so much for sharing today. I'm Joseph, a professor at the National Defense University College of Information and Cyberspace. I'm working on a framework for national security cyber policy. The idea is to gather, then publish, the most essential elements of cyber that strategy and policy makers need to understand. I'd appreciate it if you could share with me what your couple of most important elements are that policy makers and strategists need to know about cyber.

I think, again, I would take it back to the two fundamental precepts articulated in the strategy, and what makes it so game-changing and groundbreaking. The burden of security needs to be placed on those most able to bear it. And we have to make long-term investments in the safety and security and resilience of our ecosystem. Those sound like somewhat obvious things. But frankly, that is where the pillars derive from.
And anybody who is thinking about cyber policy, cyber strategy, coming down to those very simple but powerful tenets is what anybody in your business would want to use as a routing foundation.

Helpful framing. I will give you three. I teach a cybersecurity policy graduate-level course, a foundational course for cybersecurity risk managers. The three things I make sure that they leave the class with are simple. Yes, the two shifts articulated in our strategy. But the three concepts I realize that they come to class not quite understanding, and these are graduate students, are: cyberspace is not just the technology. It's technology, people and doctrine, and working through what that means; that is one framing piece. Moving away from the CIA triad, which is in the technology piece, but in terms of thinking about the layers, that is one. I really need people to understand what risk is, and that looking at cybersecurity risk is an exercise in mitigating the risk. You don't get to zero, but it is a marriage of, if you don't know what that is, vulnerability, intent, where you find the vulnerability, and the consequences. Really working that through. That is the second piece. The third piece is really focused on how we have constructed the strategy. That is that cybersecurity is subordinate to everything else. Cybersecurity enables everything that we want our digital ecosystem to be able to do. It's an all-of-humanity issue, not just a national security concern, which I know is your focus, but it is about tech innovation and economic development. At its core, it is to help communities thrive.

I will give you the five pieces from the seat of the diplomat. First is articulate a positive, compelling, attractive vision. This cannot just be anti-China or anti-Russia. We need a more persuasive posture for middle-ground states to join us. Second is build a coalition, bilaterally and multilaterally.
In the long term, we want the greatest number of people, the greatest cumulative GDP, the greatest number of innovative companies, the most collective R&D dollars; we need that on our collective side. Number three is engage the U.S. hard in the multilateral fora where the norms and standards are set. I'm sympathetic to the argument that the U.N. is slow and inefficient, that it might be better off if you cut the top half off the building. The problem is, if the U.S. does that unilaterally, all this means is that others fill the void. We have to engage hard where these norms and standards get established. Fourth is be deliberate about sustaining and defending the areas of advantage that we currently have. This is widening the aperture on cybersecurity. It's about the enabling technologies; it's about quantum science, artificial intelligence. Where do we have the advantage that we can sustain and defend? Fifth, build the capacity to sustain what we think is going to be a generational strategy. It's not about the people on the stage or in the room, it's not about our successors, but it is about our successors' successors' successors.

I appreciate that. What I would point you towards is looking at the authorities we have and thinking about whether they can meet the moment, whether they need to be modernized, just through the way we approach them or through some sort of legislation. A good example: the process was created by the idea of a foreign country buying a brick-and-mortar business. Do we want them to buy that brick-and-mortar business? Is that your military base? That was the thought process. How can we use that process to get at the real threat now? Data security, to take that, that is a critical part of what we're talking about. Does the tool work? Can we make it work? If we can't, how do we modernize it? I think we can. I think we can think about that across all sorts of authorities that defend our national security. We are running up on our last 15 minutes together.
Why don't we take two questions at a time? Hi, Chris, I am currently the president of the Global Forum on Cyber Expertise, a worldwide capacity building coordination group. I was a longtime U.S. government person; I never made it to DHS, but three other agencies. I like the idea that people should go into government. You may never leave but, go away. On capacity, not on the cybersecurity part in particular, there is a huge demand for this. Countries, especially in the developing world, are demanding this. The resources and priority do not match the demand. I appreciate the national strategy, I appreciate the support that both State and CISA have been giving to the organization, but the resources do not match the demand. How can we mainstream this more to give this more priority and resources? It's foundational to the good things we're trying to do. I think capacity building, and then you, sir.

My question is in two parts, to build on the resourcing thing. First part of the question: the marginal dollar within the government, where would it go for the highest return? I'm building on some of Marshall's comments. How much is created in the private sector? What would be the balance? How much within the government, within the private sector? Where would the marginal dollar within the government go for the highest return? Who would want to start?

I'll start with prioritizing investment. This is something we're doing with respect to the federal civilian executive branch and .gov. We started EINSTEIN many years ago, all about protecting the perimeter. One of the big things we have been investing in is significant modernization of the infrastructure, moving from government capability to commercial capability. There has been so much investment in the space. The services that we provide now should take advantage of the ingenuity and innovation that the private sector put into them.
As much as we can use those types of capabilities, that is what we are trying to move towards. You can see it in our marketplace, our services. That's creating much greater visibility for us, to truly be able to manage the .gov as a federal enterprise in a way we have never been able to do before. A lot of that is our transitional strategy to commercial.

I will give you a quick answer to both questions. The first, on capacity building. We are focused on building digital skills. So, the strategy calls for a cyber workforce and education strategy. We thought of that in terms of skills, skills building, not just for those going to enter the cyber workforce as IT professionals, but digital literacy; I heard Nate mentioning K-12, reskilling, upskilling as we broadband out, and then that across borders, finding the right taxonomy. On the resource piece, one of the brilliant pieces of our statute that Congress facilitated for us was that we have a mandate to align budget and resources with the aspirations. Our implementation planning development process is co-chaired by two people on my staff. We've also signed out cyber priority memos to inform how the departments manage the requests for cyber funding, signed out both by ONCD and OMB. What Jen was talking about in terms of moving away from perimeter security, we have seen the fruits of the cyber priority guidance, called the spring guidance, in the President's budget. There was a 3 increase, 15 billion of it is going towards the zero trust architecture. So, we will do that for 2025 as well, cyber priorities, spring guidance, that is aligned to the strategy so that we do not have unfunded mandates. There's a lot more there, but hopefully that helps to start to answer your question. Can we go back to capacity building?

I would add on the proverbial marginal dollar question. From where I sit and from where the DOJ is, it is about investing in our people.
It's about retaining and recruiting the best people we can have. That, to my mind, is: if we could spend one more dollar, we would retain that one extra fantastic prosecutor or agent or analyst, or bring that person in. If we don't have those people that have the skills, the training that we need to invest in, the mission-oriented capability, we're not going to be able to get where we need to go.

Quickly on capacity building. A lot of good work is happening in this area, which was started and nurtured by Chris. Thank you for that. Three things that we are doing to try to close the gap that you identify: global demand for capacity building, limited number of things we can do. First, we are making a push for dedicated cyber assistance funds. We did it after 9/11 for counterterrorism. We don't have the mechanisms in place for rapid dedicated response; that would help a lot. I think there is support for it on the Hill. Second, we need to get beyond flying people around the world to deliver hands-on capacity building. That is necessary but it is sufficient. The gentleman from strategic education knows about how to deliver scaled capacity building using online tools, which we do to complement in-person delivery. We need to modernize our delivery mechanisms for basic cyber capacity building globally. Third, this is a lesson that we saw in Ukraine, and we have seen it in Albania in the wake of the Iranian attack: there is a large role for the private sector where we can play a brokering, introduction kind of role. But they are not government dollars being used. We could bring in a lot of private sector capacity.

Coming into our five minute lightning round, we will keep our answers short. My name is Jay from Radio Free Asia. Thank you for the talk. I would like to ask about malicious actors, especially the actors North Korea, Russia, China, Iran. How will the U.S. government respond? And how is each agency cooperating?
Hi, i am stephanie, i work in strategic cybersecurity intelligence on the corporate side. Im wondering what are the challenges you see in government responding to quickly evolving an emerging threat, bad actor, and how have we become more resilient . How does the u. S. Strategy address some of those challenges . Actor specific and brazilians. Who wants to start . Im happy to take the first question on malicious actors. It is something that the doj, fbi, our intelligence communities, our Law Enforcement partners are relentlessly focused on. It is what we spend much of our day and night working on and worrying about. I think, here, as is consistent with the strategy, we need it is an all instruments of National Power approach. We as i mentioned earlier we have shifted our thinking from trying to figure out who did the last attack and bring them into a courtroom to, how are we going to use our tools to prevent the next attack and to find the malicious actors and disrupt them and dismantle their infrastructures. That is the way we are seeing it, we are trying to use every lawful tool in innovative ways to achieve that objective. So, that is how we are thinking about the malicious actors and how to pivot towards them. There was some groundbreaking legislation last year. The cyber Incident Reporting for Critical Infrastructure act, they have been trying to pass this for a decade and they finally got it. Says the Critical Infrastructure needs to report to cisa any significant events. This is incredibly important to so that we do, with our fbi partners to ensure that, this is not about naming or blaming or hurting anybodys reputation or stabbing the wounded. It is about helping the victim, rendering support, and importantly, being able to warm the community so they can get ahead of a potential intrusion. Another thing that came out was the joint ransomware act. Piccoli that with the fbi. W we colead that with the fbi. 
The warning pilot is designed to decrease the prevalence of Ransomware Attacks across the ecosystem. Then our preransom notification, we get tips from researchers and industry and are able to warn victims before that malware is activated. That has been fantastic in terms of detecting, disruption, working with our partners on that area. To the malicious actor, one thing we have not talked about, surprisingly in an hour and a half, is china. I think about russia as the hurricane. I think about china as climate change. This is, as we know, the preeminent of threat, that we have to deal with. Thats why we have been so focused on this idea of sustainable cybersecurity. Safe technology, corporate cyber responsibility, persistent collaboration. If be just read the assessment that came out from the Intel Community about china, you will see very clearly, chinas intent holds our Critical Infrastructure at risk in the event of some sort of conflict, like china blocking the taiwan straits or reunify taiwan. We absolutely need to be laser focused on being prepared for that, from a resilience and security perspective. I will just add a couple of things. They raised fantastic points. The point is we cant manage what you dont measure. Right now we are in a situation where we are not measuring the incidence of ransomware. When doj or fbi took down hive, they how to crypto key. It was mentioned, he saw only 20 of the victims actually reported. So we saw how Little People were reporting. Its hard to manage what we cannot measure. That is the point of cisa. On threat actor piece, the point is the Cyber Security strategy is not to allow threat actors to set our agenda. Its to have the affirmative vision of what we want cyberspace to look like. No matter who the threat actor is, whether it is a transactional organized crime, whether somebody was building faulty software, we remain resilient. Were prepared. The best way to defeat ransomwares not to get into the system. 
We appreciate everybodys time. Stay in your seats if you would. Well have a special conversation coming. Craig newmark, the founder of craigslist. Org, who is the creator of the defense initiative, will sit down with Graham Brookie at the Atlantic Council. To talk about what the Civil Society and Philanthropic Community should be thinking about, hopefully building about the strategy. I hope you quickly thanked me in joining our panel. We really appreciate it. [applause]
