>> now, national cyber director chris inglis discusses u.s. cyber infrastructure and resiliency, hosted by the center on cyber and technology innovation at the foundation for defense of democracies. it is about one hour. >> heckle or heckle? >> definitely. samantha: hello, i am samantha ravich, chair at the center of the foundation for defense of democracies. thank you for joining us. for more than a decade, report after report has documented the growing number of unfilled cyber suspicions, in the u.s. government and nationwide, while offering strategies and recommendations to address the shortfall that often goes north. the secretary of defense stated that the pentagon is in desperate need, desperately short of people with cyber skills in all services, and we have to address this. that was in 2010, and that was the secretary of defense robert gates. that was one year after amazon had a workforce total totaling already 4003rd last year, amazon had a workforce of 1.6 million people -- totaling 34,000. amazon had a workforce of 1.6 million people last year. a white paper was published on the cyber workforce in september 2020, identifying systemic barriers that worst i.e. mean existing workforce -- that were stymieing existing workforce barriers, including a lack of leadership, insufficient coordination across the government, a nonexistent federal strategy to guide priorities and resources, and ineffective organizational structure, which combined to limit the potential of the very programs designed to strengthen and diversify the federal and national workforce. no clear vocal port for interagency coordination existed at the time of the commission's report, but the july 2021 confirmation of the first-ever national cyber director or ncd, has created a new opportunity to overcome these barriers. looking to continue and build upon the work of the commission, the commissioners recently established cfc 2.0. they published a thorough report looking at how the national cyber director could lead the federal department and agencies in growing and strengthening the federal cyber workforce. the report notes that in many cases, the ncd will need legislative support so it also recommends actions that congress can take to support federal efforts to grow the cyber workforce. these actions include extending the federal cyber workforce data collection at, establishing a federal cyber workforce development institute, and authorizing a federal accepted cyber service. while these recommendations focus on the federal cyber workforce, the federal national workforce is also drawing from the same community of professionals, so the approaches must address those. the report outlines actions that private sector leaders can take to support national cyber workforce development more generally. we are fortunate today to have two very relevant leaders and experts on that exact issue. first, i am pleased to introduce chris inglis, the inaugural national cyber director. he was confirmed less than one year ago and came from teaching at the u.s. naval academy and serving as a fellow commissioner on the cyber space solarium commission. prior, he was a security leader, rising to the deputy director of nsa. he also flew c-130s and retired in the air force reserve. we also have mark montgomery, one of the authors of the report i mentioned on cyber workforce issues. he is a senior director of the center on cyber and technology innovation at fdd and served as executive director for the past three years. prior to that, he worked for senator john mccain on the armed services committee and served in the navy for 32 years, retiring as an admiral. a few quick words about fdd before we start. fdd is a nonpartisan research institute, exclusively focused on national security and foreign policy. fdd houses three centers on american power that promote the use of all instruments of american power and produce actionable research and develop policy options to strengthen u.s. national security. fdd proudly accepts no funds from foreign governments or corporations. for more information on our work, visit our website at fdd.org. you can also follow us on twitter at fdd. the csc 2.0 project on the workforce paper is available at cyber space solarium -- cyberspacecsolarium.org. chris, it is great you are here. since you left to become national cyber director, it has been about 11 months since you started. you are probably running a startup in the white house. maybe take a few minutes and tell us how that is going. chris: in a word, good. there is a joke that goes with that, and i will not completed, but it has been about 11 months. first, let me say how grateful i am for this venue or for the cyber space solarium commission 2.0. i am a fan of 1.0. you might say i am a byproduct of 1.0. that foundation has been extremely useful to us. in terms of how is it going, i am a big fan that form should follow function. in this case, we stuck the form in place and try to figure out what with that form do? what with the national cyber director do? so we have been working hard the last year to establish principles that you would underpin that. first and foremost, i think we, and when i say that, the federal government, and a growing consortium between federal government, state, local and private sector, i think we can say that we agree cyber is more than technology. the fact we are having a discussion about the people component today reflects it far more than technology. there are three dimensions, technology, but there are rules and responsibilities. solarium addresses a lot of that, but we have been working within that -- working on that. and then there is the people please. think about those in the reverse order, and when we think about the creation of the national cyber director, we are giving due to the technology piece, but focusing on the latter two pieces. having said that, we began to put life forces in play and how do we get a better definition of responsibilities? that is what i am accountable for, getting the roles and responsibilities right, not just across the federal government the larger ecosystem. finally, how do we get those doctrines and those roles and responsibilities properly supported by the people piece of that? that i think is a work in progress. i am delighted to discuss that today. we established a solid foundation of roles and responsibilities. we need to make sure we fill those roles and responsibilities of people whose skills are up to speed. in that regard, i sent you a preview of my own remarks, which i think we should be concerned about the jobs that have cyber i.t. that go unfilled. there was a lot of focus on that, only 550,000 within the u.s. we should be equally and perhaps more concerned with is everybody who plays a role in cybersecurity, everybody, does everybody have the skills they need to take full advantage of cyberspace? the vast majority of us are not digital natives but apt natives, and we need to make sure we have the skills necessary to take full advantage of the positive aspects of cyberspace. that is an all problem, and we have to make sure everyone has the skills necessary while we focus on filling the jobs that have cyber i.t. in the title. how is it going? i think well. those are problems that only we can share and solve, as opposed to pointing to some poor soul in the corner and saying they have got to solve that. samantha: just to follow up, at the office of the national cyber director, how are you doing on staffing? chris: in a word, good. i remember some reporter, a really good reporter, and i won't mention them by name, but was poking me pretty hard, saying, how many people do you have, what authorities do have, and what have you done today? literally the first week i was there. we were were not appropriated and the money showed up in november. i would rather talk about where we are going. we are going to double it, double it again, and we will be eight at that time. they said, how many is that now? i said, do the math. but we are not 40. we are on the high-end of 95 to 100. in a cyber world where you do operations, that is a small organization, that's not our job. you're the coach, not the quarterback. we are not micromanaging cyber operations. we are making sure that roles complement one another, that all those parties have the resources they need to do the proper job on the field. within the white house, and organization of 90, 95 people is going to be huge. and we have given reality to that. we have a workforce education initiative that comprises 1/5 of this organization. we have a focus on software, supply change, all those things that you would say are the foundational building blocks necessary to ensure that the roles are proper, that we properly have the pieces in that system, and our principal modality is to work with them. i think we are in a really good place that way. samantha: let's turn to the issue at hand, the workforce reports, the challenges that the federal workforce in cyberspace is paired mark, you wrote a terrific report about the challenges of recruiting find talent, of training, developing, retaining. give us a sense of the challenges and the size of them. mark: thanks. first, i want to acknowledge the core writer of this and was a terrific part of the csc 2.0 and 1.0 teams, and i am happy she moved onto the department of treasury, where she helps the government more directly. this is a challenging problem. i could go all the way back to 1999, when i worked for dick clark on the national security council and we wrote a national is for structure insurance plan and laid out -- and national infrastructure insurance plan and laid out big tasks. the government solidly achieved three out of 10 and 22 years, and even at the most progressive schools, 30 is not a passing grade, so the government has a lot of work to do. and they are working hard. there is a group with technology and commerce, and, you know, they are doing great work trying to figure out code jobs and what skill sets go with what jobs and they have done a great job with that. there is a great team at the national science foundation, which i am sure we will talk about. there are good people working in education and training areas. and good people at opm, although they are drowning slightly, and there are good people sprinkled throughout the federal government. the reality is, the overall progress, that is not enough to overcome the barriers we are facing. the number one barrier that we identified is the lack of data. government cannot make good decisions without good data. we all understand that. despite the fact that we actually have a legal, you know, a statute saying collect the data, we do not have good data. and there are a lot of things responsible for that, the provisions are not written perfectly, and even as written, it is being ignored or carried out inconsistently among the 101 federal agencies. so that lack of data is critical. and normally, any military person would say it is a lack of leadership, but if you don't have data, it does not matter if you have leadership. once you have that data, you need strategic leadership. someone at the white house has to be the head, and not as the hand of god. chris: i think that makes me god, so i have to be very careful. mark: the national cyber director will talk about that, but -- and he is the coach, to use his own analogy. the next thing we are missing is a quarterback. we don't have coronation among the federal agencies, and that coordination should be led by opm, much like i think chris called them his quarterback for federal cyber workforce is going to be at opm, and it is not there. there was no one there standing. there is more likely hi nikki there than brady -- there's more likely heinicke than brady. the federal government cannot get its head around that sometimes a job is about experience and not about masters degrees and bachelors. so understanding that the person you need may not have a bachelors degree, but they need to be a gs 12 or 13 as you hire them. those kind of barriers really hit, and the final thing is, it will all lead into a diversity traffic jam. what i mean by that is there is a significant diversity problem in our workforce. the most egregious example is among women, where there are only 21 to 24% -- 24% to 20% of our federal cyber workforce and only 11% to 15% of our federal cyber workforce leaders. those numbers are unacceptable as we look forward. i think that is the big challenge that chris or whoever is the hand of god is going to face in this. chris: as the right hand of god. mark: right hand of god. samantha: mark put a lot on your plate. first of all, do you see the challenges the way that mark and the report laid out? chris: i broadly agree with his framing. i would start with there are impressive pieces and components, at least of -- not least in the private sector, but what mark cited in the federal government. you have the national institute of cyber education, nice, the national science foundation, cyber core for service, the senators for academic excellence, cyber talent management system, all are pretty interesting. they could make an even higher kind of leveraged difference if they were connected to some larger strategy. what we think is not so much of the piece parts. there is more to be done there. what is missing is the strategy. we would use that strategy to figure out how to use them and amplify their efforts, not within the stovepipes but broader across the federal government and joint arm in arm with the federal sectors of the government can solve its end of the problem. you cannot filter one out of the pole but you have to solve the national problem. if not, something even bigger. in that regard i would do two things. first, actually have a strategy that defines what is missing. then have to make use of the parts already there and connect us to that strategy. in the next strategy needs to be driven by data, by someone accountable for using that data to define the strategy and then driving that execution across all those parts. i think if we were to do that, we could make rapid progress and find ourselves re-examining everything. i don't think we have appeal to a broad enough population. i don't think we have a diverse enough talent pool thinking, can i play a role in this? we have not balanced that aspiration to the destination eye tracking people along that progress. we have misspecified the destination. sometimes you require about first-degree when what is really required our critical thinking skills, not that they are divorced from one another. but let's think creatively about what we need and more broadly about where we can get that and manage the space in the middle with all the excellent programs. strategy and data are going to be that thing that connects all of us together. samantha: so, mark, i mean, you guys cut right to the chase with the title of the report, workforce development agenda for the national cyber director. when we look back on the reports that have been written and the people who have been involved in this for decades, many of the pieces have been there for decades, and people are very frustrated that the problem is growing and staggering, and people want things done. you cut right to the chase with your title, workforce development agenda for the national cyber director, what do you think that national cyber director specifically should be doing? mark: first, i would like to acknowledge the napa team and karen for excellent report. there is a lot of violent agreement on what is wrong. i want to agree with everything chris said about how he sees his job, data and strategy. if you left it there, that would be a success. i would add in budget oversight, which is, i am hoping, the relationships that the national cyber director built with the office of management and budget, where chris is so counted as an national cyber director, as well, that they will have the opportunity to look at the individual agency budgets in a lot of ways. one is, are you spending enough on your workforce? there is no surprise, the answer is going to be, if you don't have cyber in the name of your agency, it is likely that the answer to are you spending enough is no. and i will exempt the department of defense because they have unlimited pockets, but for the 101 federal civilian departments of agencies, the vast majority, when it comes to budget crunch time, and does the department of agriculture buy more food inspectors? they buy the food inspectors because that is in their job jar that the cabinet member sees, so it takes omb, and by extension with omb, them over siding them. i would add that in, but i agree on the strategy. i will assume for a moment that the national cyber director writes the national cyber strategy. and then we will say there should be annexes, and one would be this workforce and expect goes right in there, and say, because as you said, chris, there are three legs to this tripod to success, technology, adopting policy, and personnel, so having an annex on personnel or a national workforce for federal cyber security workforce strategy would be really helpful. i am excited. those are recommendations. chris: this reminds me of why i missed working alongside you so much. let me give the larger context for the office of national cyber director. we put out a statement of intent in october and it was more about the workforce, but the workforce is at the core. it laid four broad responsibilities for the national cyber director by mutual agreement of all the parties who are involved in this. first and foremost, to drive it within the federal government between the federal government and stakeholders in the larger cyber ecosystem, so private-public collaboration and natural extensions of that. two, to focus on future resilience, which is about inherent resilience in people, doctrine and technology, and i think likely in that order has got to be the priority. we can defend technology to our purpose if we get those roles right. if you don't know your responsibilities, and people don't have well-defined skills, it is a full gerund to try to get that alone right, -- it is a fool's errand to try to get that alone right. it is about getting the rest of the events. we can do that if we think through the properties of the system and what they should be, and the people properties. the third responsibility is performance assessment. we need to understand that all of the applications of the time and material and roles and responsibilities are stuck in the middle and delivering results we find acceptable or preferable, and it will take a fairly broad brush to that. i consider the roles and responsibilities and skills that people have are up to snuff and then use that, not simply to make reports for vicarious purposes, but to then drive the implementations of our budgets, time, and attention to get that closer. there has been a fourth piece, which we will be accountable for, which is the details of implementation to oversee the roles and responsibilities, but when you add them up and you consider the people are at the core of two of the three dimensions of cyberspace, doctrine and literal people skills, that gives a context in which we can define strategy, whether it is called strategy or it is the implementation of broad and we can make the progress necessary to have the data and to have the kind of material necessary to make use of all those good parts. samantha: there is another actor involved in making all this work, congress. mark, you and laura's report calls out specific legislative and potential recommendations for congress, maybe you could summarize some. mark: thanks. one of the successes, 1.0 was successful broadly, and one reason was that we wrote legislation early on. some of our congressional leaders, presented of langevin