partners including our colleagues at Florida International University. And one of the things that does is allow us a platform to focus on the issues that we think are important and don't necessarily get enough play within the policy conversation. It may seem odd to be talking about public-private partnerships in that context. A lot of people who follow this area very closely will probably feel that it's almost a cliche that we say that the answer to all of the problems in cybersecurity is public-private partnership. But our sense is that many of those conversations often hinge around information sharing either from the government to the private sector or from the private sector to the government. And yet there are a lot of other issues which may well be richer seams for collaboration that get pushed out of consideration. With the publication of the report of the Commission on Enhancing National Cyber Security and the proposal to establish down here a mid-Atlantic cyber center with which MITRE have been very involved, there are a number of reasons why we really need to start thinking more cleverly about how we get proper collaboration between government and the private sector. And when I say government, of course, I mean not just the federal government but state and local government as well. We have a fantastic team to look at this. I won't give their full bios, but just to run you down the team that we have here. Kirsten Todd, who was formerly the Executive Director of the aforementioned Commission on Enhancing National Cyber Security, now a managing partner of Liberty Ventures and also working with the Pittsburgh University. We have Gabe Galvin, who is the Executive Director for Global Initiatives at MITRE Corporation and earlier in his career very much involved in the establishment of the center up in Boston that MITRE run. We hit third down on the panel. 
We have Rick Howard, the Chief Security Officer of Palo Alto Networks, one of the leading cybersecurity companies in the US and globally. And finally Dave Weinstein, who is a great friend of the Cyber Security Initiative, one of our cybersecurity fellows and in his spare time also the CTO of the state of New Jersey. So, let us begin. And actually, before I sort of kick off the conversation, I should say that for those people who are following on the live stream or even in the room who want to tweet, the @NewAmCyber address is the one we use and we'll use the hashtag @NewAmCyber just for this conversation. If you want to tweet in any questions or participate in the conversation, please let us know. So, I'm going to ask some questions of the panel. They're going to help us frame this discussion. Then I'll lead a moderated discussion and then we'll open it up to a question from the floor. So, please be thinking of the questions that you want to ask the guys and prompted hopefully by what they have to say. So, Kirsten, I said in my intro one of the reasons why this feels like an important discussion is the commission report that you helped create put a very heavy emphasis on public-private partnership, not just in the area of information sharing. That still provides a useful basis on which to frame our thinking about how we take forward issues inside policy and there is nothing to suggest that that's a less important issue, perhaps quite the opposite than it was when that report was completed. So, could you just give us a sort of sense of what the thinking was behind what were the ideas in the report, what was the thinking, which are the ones you think potentially have most value going forward? Sure. And I think the key was this idea of public-private partnership was one that the commission actually was adamant about not defining in the report because it's such an overused term that it sort of lost its meaning. 
And I'll answer it first by addressing the issue of information sharing because we talk about information sharing as a destination. We talk about it as the goal of this effort is information sharing. We're all familiar with the ISACs, with the ISAOs, name your acronym that talks about information sharing. But one of the things that came up pretty early on in the commission is really that information sharing is actually a byproduct of trust. And if you trust, if you have those relationships between government and industry, and you build those, information sharing happens naturally. I'm much more likely to pick up the phone and call a colleague who I've been working with on something to share information, not thinking about the silos of the industry, the sectors, our roles, than I would be if I were part of an organization that said, when you detect that malicious threat, you need to call these people in your organization or in your sector to share that information. And as a result, one of the key recommendations that came out of the commission was something that General Alexander brought forward, looking at pre-event collaboration. So taking a page kind of from the Pentagon playbook on deliberate planning, pre-event collaboration, talks about bringing together senior leaders from industry with senior leaders of government ahead of time to look at where the issues are, train, exercise, do these efforts on a regular basis that are not sort of the annual exercise, but something that brings these people together on a regular basis to be able to share that information so that when something does happen, those relationships are there. And I think that becomes one of the key elements to these efforts that has to continue to be reinforced. And looking at how government and industry are going to identify where the strengths come from. 
Because one of the other things that we talked a lot about was government knows nation-state activity and nation-state knowledge better than any industry. Industry will go deep. But if we're really looking at where the resources of government and industry come together, government can provide the activity, the knowledge, what the tools are that are being used by the malicious actors. And then that combined with the information that industry has before an event ultimately leads to more effective collaboration, pre, post, and during. The last thing that I'll say is government does incident response really well, but we don't focus enough on what happens before the event. Because at that point, we haven't developed those relationships. So just the primary one that came out from the commission report really looks at what we can do before an event so that when an event does happen, we have that thoughtful, those thoughtful relationships and engagement. Build trust with people that you don't like, right? That's really what it is, you know, people that you have an antagonistic relationship with. So that sounds good. Pre meetings and pre exercises, all that's great. Here's what it really means in practicality. Find reasons to get into a room together and drink beer together. Okay, that's what it really means because you start to know that person on a one to one basis, right? You start to know their families. And so that makes it much more easy to have that conversation. Well, the Reagan model, right? I mean, we talked a lot about me what President Reagan did. I mean, it was, you go to work, you go nine to five, and then at five o'clock, he's having drinks with the people that he's just been yelling at. And I think that's one of the things that we that I absolutely agree. And you can expect these people to come together in these artificial formats and be like, Oh, I'm going to tell you, you know, the most important thing in for my business. So I want to pick up on that later. 
But before we get there, Gabe, I want to come to you, you have spent a significant part of your career sort of helping foster these kind of relationships and providing a platform for that. MITRE works up in Boston and established a well-established model, beginning to take that model to other parts of the country. What are the, it's all very well saying, you need to get everyone together and sort of drink beer. But what are the lessons that you personally and MITRE have learned about how you practically get to the point where that works? Great. Thank you. So just as a note on the Boston Center. First, I was a student of what MITRE was doing at that center. And I've been involved for the last five years or so, trying to bring that to this Mid-Atlantic area, which now we have launched the Mid-Atlantic Cyber Center. What is important in terms of that lessons really starts on that foundation of trust and to be able to have that conversation and that relationship. And it needs to happen in the public private framework, but across various stakeholders. The commission report talked about the international aspect of country among and between countries, between federal government and state, between state and the local municipalities and the private sector. So we see that's very, very important. And we've also seen things such as in the presidential directive, the importance of infrastructure, critical infrastructure protection and making sure that we're using these sort of mechanisms. In terms of what that brings is the fact that we can really start in a nucleus of a trust relationship, bringing, and we believe through our experience and what our lessons are teaching us, that there's richness in cross sector pollination and bringing teams together that are from various industries, but are regionally close and local and can go have that beer and build that community of which that trust network starts building. And then you're able to do a lot of fascinating things. 
Certainly there's the basic information sharing that everybody talks about. But then you can look at things a little bit more critically too in terms of, for example, what can you do in terms of research and new technologies? And how does that get brought into the marketplace? And there's so many things out there that need to be analyzed and studied and understood to be able to be effective. So you start creating bridges to be able to do things perhaps in leveraged ways that mitigate risk and cost for the different participants. It's very important. Another thing that we learn is that this allows for real life experience in terms of what's happening. It allows you to define standards and inputs to standards that then can be communicated and help harmonize sort of the global common of what we need to go towards. Another thing that is very important is the fact that you, this is not a, this is not something that is done individually, at least where we are today with cybersecurity. It's a team sport. And it reminds us that it's a team sport and that there's a force multiplier by using the team broadly. So we're learning and taking kernels of our experiences in the Boston area where the Advanced Cyber Security Center, what we're establishing here in the Mid-Atlantic region and trying to open and improve upon many great efforts that already exist across industry, verticals and horizontals. But we think there's much more to do and we want to go there. And again, I want to drill down on some of those themes in due course, but Rick, you are not only sort of in the private sector, but you are in a bit of the private sector that sort of cuts across lots of different sectors. You will sometimes hear people in the industry say we don't need government. The best thing the government can do is get out of the way. I assume that that's not your position, but what is it that you think government can most usefully do to enable a productive relationship? 
And specifically, secondary question, you've been very engaged in the Cyber Threat Alliance. What opportunities might that create for sort of positive collaboration between government and private sector? So yes, I'll probably best explain what the Cyber Threat Alliance is. It is a group of security vendors who have agreed to share threat information with each other. So think about that for a second, because that's a new thing. Security vendors don't like to talk to each other, that trust model you were talking about, because that's usually a revenue source for many of the commercial companies like that. What the Cyber Threat Alliance says is we're tired of trying to compete on intelligence gathering. We're not going to compete on that anymore. We're going to share as much as we have with everybody in the Alliance and then compete on product instead. So that's a really interesting idea. And by the way, security vendors are probably the only group in the whole world that have the ability to automatically cross the last mile with threat intelligence. And what I mean by that is, let's say someone, this lovely lady here discovered some new piece of intelligence. She wants to get it out to the world. Most of the ISACs that you mentioned, most of the ISAOs, those are people on the other end. So she sends the intelligence out. That other end has to read it, decide that it's important to her network, decide what to do about it, and then they have to do something about it. That usually takes days, weeks, months if they get around to it at all. Because security vendors have the ability to automatically update their own products with threat intelligence. At Palo Alto Networks we can take a new piece of intelligence and distribute new protection controls to 40,000 customers around the world in about five minutes. All the other Alliance members can do something similar. 
We are the only ones that have the ability to take new intelligence and distribute new protection controls around the world in a timely manner. So the network administrators don't have to do that. So I forgot what the question was. Where does government fit in? Where does government fit in? So government has lots of great intelligence. But they have to kind of meander if it's classified, do I want to give it out to the world, and how do I separate all that? Intelligence sharing organizations like the ISACs have been waiting for the government to figure that out. What our Alliance has discovered is we'll let them figure out what they need to do. What we will make it easy for them when they decide to is to share it with the Alliance quickly so that we can protect the world in a timely manner. So I'm not going to worry about how the mechanizations they have to go through, but we'll give them a way to give us intelligence when they decide that it's important. Dave, it's very easy when we have these conversations to sort of revert to talking about the federal government. And often by that we mean the federal government. Increasingly as sort of cyber threats manifest themselves at lower and lower levels. The people who are going to be on the operational end of dealing with this are going to be state and city governments. So two questions. One, how are you in New Jersey and colleagues around the country working with the private sector for greater good? And secondly, what would you like to see from the federal government in order to enable that sort of collaboration? Sure. So first of all, it's a really exciting conversation because for the longest time, public-private partnerships have stopped at information sharing. The terms have been almost synonymous, right? So I'm excited. It's exciting to move beyond that. 
I think in New Jersey, we've put some interesting pieces in place that the unique thing about state and local governments as it relates to public-private partnerships is that geography matters when it comes to public-private partnerships. And state and local governments, vis-a-vis the federal government, are actually closest to industry, right? Particularly in densely populated industrial states like New Jersey. Now, there is a correlation between successful public-private partnerships and a lot of industry. So maybe later on, we could talk about from a policy perspective, how we deal with public-private partnerships in areas where industry perhaps is not as dense or prevalent. But in New Jersey, we've started the conversation, like everywhere else, with information sharing. And we have the benefit of a lot of rich partners in the state, rich in terms of companies that have very valuable threat intelligence, that when fused with information that the state monitors and detects can actually be really helpful for public awareness. So most of our information sharing operations are geared not towards operational or tactical efforts, but to promote greater public awareness for John Q. Citizen about the general threats that are out there and what are generically adoptable best practices. Our audience is primarily the public, the public and small to medium-sized businesses. So states are uniquely positioned in that respect because they have a different audience and more intimately connected with industry. But I think the real exciting part that I hope this conversation gets to is what is kind of the next evolution of public-private partnerships. And what we've started to see at the state and local level is that really any domain of cyber security is potentially fertile ground for cooperation between government and industry. 
And instead of just looking for what's kind of the low hanging fruit, in this case information sharing, we really need to examine those synergies between government and the industry. And by the way, those synergies change depending on what industry is in that particular locality. So you want to look at those synergies. I think there's really interesting opportunities in the realm of incident response, in the realm of identity management, as well as public awareness as we discussed. So let's dig right into that and just throw it open to the panel. Take information sharing out of the equation. We've had a number of suggestions, ID management, awareness, Kirsten mentioned sort of wargaming, sort of before incidents. Research has been mentioned as one of the topics. What, what are the sort of opportunities that we would like to see pursued? And what are the one or two things that either the government or the private sector needs to do in order to take that to the next level? Kirsten, do you want to start? It's, it's a good question because it goes to the research and development question that we've talked about. I think that there are a lot of areas. I mean, I want to pull on something that Rick said, which is, you know, the cyber threat alliance is going to do a great job in being able to work with an industry. But we do have to figure out what that mechanism is for government. We do have to kind of get at the cause of these issues. And I think it's, it's when you get there, then it kind of doesn't matter what the topic is, because I think all the ones that you've talked about, we have identity management. I also, I want to pull out small and medium sized business because one of the issues that we've learned is that small and medium sized businesses have more in common across sectors than they do within their sector. But the point is, if you get government to actually think about these issues with industry as a in a collaborative way, then they can take on. 
I mean, I think identity management is an important one. One of the things that we talked about in the commission with IDM was this idea that everyone's pushing for multi-factor authentication to strengthen authentication. Peter Lee, who's the head of research and development for Microsoft, pushed back on that vehemently and said, it's not about multi-factor. If you say multi-factor, you're putting a ceiling on innovation. It's about stronger authentication. And so there are, I can, for all the examples that you just gave me, identity management, research, there are these anecdotes around what happens. The key is what is that mechanism that has to be developed for government to work with industry? And whether it's grabbing the beer after work or it's looking at what that is, we have to do a better job. Government has failed on this piece up to this point. And, you know, to go a little bit hard right now on some of the efforts that are there, automated information sharing. So this is an effort by DHS to share information with industry. But the challenge that we continue to have from government is that bulky data being distributed in a fire hose without context, without the narrative, none of this is valuable. So once we figure out what that mechanism is, and that's why this, you know, whether it's the senior advisory board between leaders of industry and government, then all of those topics will flow. And I think that you've got to be able to look at that because if we piecemeal it, we're never going to get there. So I'm going to appreciate a little bit harder. Yeah. We have a newish administration. Yep. What's the one area where you would push on? And what's the model that you would pilot for changing the way in which that conversation works? I mean that the one model that we saw in the last administration was the process by which the famous NIST framework was created, which turned out to be, I think, a better process than people ever imagined. 
But there are, that didn't sort of take on a momentum of its own. It seemed to sort of stop there. How do we practically begin the process of changing the way in which that conversation happens? So the reason why the NIST framework was so successful is because government identified a problem that everyone knew was out there, which was how do we secure our critical infrastructure. But everyone knows the statistic 85% of critical infrastructure is owned and operated by the private sector. So what NIST did was say, okay, then we as the government really shouldn't be telling you industry what to do. That process was so successful because we let industry lead it. We let industry identify where the key issues were and work with government. And it was interesting because one of the topics that came up last year was cyber insurance. And so when we're talking about identity management, this to me is another one because if you sit around the table with government and we're talking about what to do with cyber insurance, if we're looking for a government solution on cyber insurance by itself, we're never going to get there. We have to let industry lead some of these efforts with and use government as a convening authority. And I think that model can be very effective. The one that was called out in the commission report was a model off of the president's intelligence advisory board. So you take key leaders of industry working with key leaders of government. And from there, they can come up with the mechanisms and the efforts to have a NIST framework like approach, or I think in evolving that because I do think you make an important point, which is where the momentum comes from after something like that has been distributed. And I think industry then needs to be able to take it and to continue to work with government to evolve the model. So Rick, this doesn't seem too complicated. It's getting the right people around the table and everyone taking the appropriate roles. 
Why hasn't it worked? Why hasn't that model worked to date in as many areas as we think it should? I think it's working in a lot of little areas. What you were saying before is spot on. It's a lot of piecemeal activity with no kind of overriding vision. And what we've been talking about for the last year is creating a cyber moonshot. Now, everybody has a moonshot for whatever thing they're doing is. But if you think about what would you want it to be in 10 years? If you think about that, that's what we need the public private organization to start. We need kind of leadership in the government to allow us to have that conversation. Because you mentioned like five things that we could do. There's probably 25 things that we could do. So we can all come together and do the NIST idea the way they organized all that and saying we want to be here in 10 years. What would those things be? And then come to consensus and then let the government help us get there by leaving that group like the NIST framework. Just to build on that, I think that's a great point. We have a tendency in this country to, or at least in this city, government wants to be the driver of things. In public private partnerships, maybe we should call them private partnerships. Because I really think that government needs to play more of a role of incentivizing industry. But if this is really going to be successful, industry needs to drive it. The private sector needs to drive it. And by the way, that includes the academic and research community. But there, for government to be most constructive, as Kirsten said, government can be a convening authority at all levels of government, federal, state and local. But they got to think hard about what are the incentives, right? 
They got to put themselves in the shoes of Palo Alto Networks or the other folks at the Cyber Threat Alliance and really think hard about how do we incentivize the players with true capability who don't necessarily have the will at the moment to provide constructive contributions. I'm going to step on that, too, because it's not just the incremental step we're looking for, right? We want to take the exponential step, right? Not what is a little bit better. We want to make sure that it's way better in 10 years on the moonshot. And so what are those ideas? I'm pleased that that panel talked about sort of limiting the government's role a little bit here because it isn't the solution for everything. And I think we all recognize that the government has priorities that it's taxed on now. And this is a heavy one to add to it. So the idea of incentives is very important, the idea of trying to, I think, focus on what can the government do best? Pick, though, one or two things they can do best for this community. And we've touched the issue of the information sharing and how can we improve there needs to be improved with speed and a structure. And if it just focused on one or two themes like that, plus with some sort of the incentives, whether it's tax credit or other ways to stimulate. So Dave, don't tease it. Tell us what those few areas would be in your estimation. Well, my estimation, it clearly should be about how liberally the information gets shared. Speed, timing in terms of an organization to do that in such a way. Much of the information is perhaps not as sensitive people think it is, especially with time, it becomes moot. And yet the impact of knowing threat indicators and knowing things that are important to industry, to infrastructure and to the larger nation as a whole is important. And there has to be a conscious effort to close that time in that gap. That would be the first one. 
Can I just comment on that because I think it's not something I usually like to go deep into because I think it can go down different rabbit holes. But it's a really important point that Gabe made. I think one of the big challenges we have right now, there are two issues. We have to identify where the value of government is. And so that is policies. It's incentives. And as I said before, it's the knowledge that government has on nation state actors. It's understanding this piece of this. But the other part of it is we have to clean up the classification system because right now it appears that classification is used as an excuse just to protect information that government hasn't truly organized. Because to Gabe's point, by the time information gets conveyed to industry, they're like, I know this. I mean you look at people who have senior leaders of industry who have waited so long to get their clearances. And then they get into a briefing and they're like, and? They kind of wait for the curtain behind and as to show up and say, and then this is the holy grail. But the challenge isn't so much that this information needs to be protected. It's that we haven't figured out an efficient classification system that truly protects that which needs to be classified, but then organizes and segments that other information to allow it to get distributed more quickly. Because if you're an industry, the thing that we heard so much on the commission was industry, you've got to fix the classification system. We all need to have clearances. It's not that you need to have clearances. It's that the information actually needs to be classified or organized according to its true importance and then distributed more efficiently. I'll tell you what we've learned about that. When DHS rolled out its automated information sharing system, they were very concerned about inadvertently sharing PII, personal identified information. So they took the MITRE STIX framework. 
STIX is a framework to say, how do you share threat intelligence? And there's some 6,000 fields in that framework. So oh my god, 6,000 fields. That's awful. So what DHS did was reduce that down to about 300 fields. Anything that looked like PII, they took it out. Anything that if you squinted a little bit and turned your head, if it looked like PII, they came out. So down to 300 fields, when we were doing the cyber threat alliance, we took that down even further. Because we only want bad guy information. I don't want any information on you. I don't care if it's the Russians. I just want to know what they're doing so I can prevent it from happening on my customer's network. So we're down to 100 things. Oh, 100 fields out of the STIX framework. So less is more here. We can all look at 100 things and say, OK, I can agree to share that. That's not classified. It's just an IP address. So we're about half an hour into this conversation. And no one has mentioned, including myself, the executive order that this administration put out, which at least in theory, set out the strategy but ideas for how we take forward for this administration. What opportunities do you see in that executive order to piggyback off? And let's try and move away from information sharing to take this to other areas of private-public cooperation. And what are the things that are missing from that? We really need to sort of bang the drum with the White House and DHS and others. I'll start. The thing that's missing is more state and local emphasis. And we can talk more about that. Beginning with some of the positives and clearly in the workable iterations of the draft floating around, clearly the administration brought in folks from the private sector, which is very encouraging. And I think there's also a growing understanding that government has a role to play in setting standards. And I think this is something that the private sector has been asking government to do for a while. 
And NIST has developed a really good track record for that. So that was evident in the executive order. And I think we're moving further down that path. But for me, the big gaping hole was more emphasis on state and local cybersecurity. We need to kind of get away from this mindset that the government is just the federal government. In many respects, I've said this before, state and local governments are more target-rich environments than the federal government. In some cases, we have more valuable data than the federal government. And there's more of us, right? There's only one federal government. There's 50 state governments, countless cities. We have over 500 municipalities in the state of New Jersey. So if we're really going to take a national approach to cybersecurity, we need to move beyond just the federal government and consider state and local. And what would you like? What could the federal government do that would make it easier for you to work with private sector companies? Yeah. So funding would be nice. More funding is always good. But I think, you know, they would. Well, objectively, so, like I said, New Jersey is fortunate because we have a number of key players across major verticals in our backyard. But from a policy perspective, I think the federal government has a role to play as it relates to leveling the playing field a little bit across all 50 states, making sure that all 50 states are receiving the resources, commensurate with their threat and vulnerability profile. Today, the system for awarding federal grants to state and locals for the purpose of cybersecurity is a bit antiquated. It relies largely on the counterterrorism threat matrix. So naturally, those states that have a lower terrorism profile are going to receive less dollars for cybersecurity. So that needs some significant reform. I know folks at DHS have discussed that. 
But I think the federal government has a role to play in terms of leveling the playing field across all 50 states. And I would mention our own colleague here at New America, M.F.A. Garwood, has written about the sort of the gap for state and local in the EO. And I commend that to people who are interested. What else? What are the opportunities, challenges in the EO as it relates to how we get better relationships between? Yeah, I would flip that to the other side. We definitely need to get on the local state. But we need an international viewpoint of this, right? This is there's no boundaries on the internet. And the criminals, the spies, the terrorists, the hacktivists, that's not little teenagers in the basement firing those attacks and victims. These organizations have vast infrastructure that they built in lots of countries that we don't have law enforcement relationship with. That we can't easily go in and say, why don't you just unplug that because it's attacking everybody. So there needs to be a way that we can group the international community and agree that this is really bad stuff. We may disagree on this stuff, but we all know this is bad and we should prevent that from hitting everybody. I think it's lacking that. And what do you think? I mean, Gabe mentioned sort of geography matters. David sort of related that as well. How practically can we make public-private cooperation work in a sort of situation where we have multiple governments and even less trust with the private sector? Yeah, and I'm not saying we can solve this tomorrow, all right, because this is right, but we need to take the next step. I am sure that we can come up with three or four countries that can agree that what badness is. And we just need to start building that coalition over and over again, all right? Even the countries that we may be in cyberspace hitting with each other every day, even those countries can agree that this thing over here is mutually bad to everybody. 
So let's just start doing that. Gabe, executive order? Yeah, I think there's tremendous room for improvement in this area. And it's amazing how much information sharing and relationships are bilateral and exist throughout the world. And in some cases, multilateral. And it works very well. We may not know about it, but they're out there. So I think we need to kind of rebrand ourselves as a government a little bit in terms of how we do this and how we think it through. I also think that some of our particular agencies in the government, those that have very strong interests in cybersecurity and protecting the assets of the US and others, need to think about the branding of themselves and how they want to portray themselves in terms of not being an entity that might have subpoena power and things like that that frightens a community away. But think about how do they message themselves to be part of a community of cooperation. We have a lot of alliance and partners of the United States across the globe. Let's leverage that. Let's build on that. Kirsten, I want to put you on the spot and say, what are the things that were in the commission report that didn't make it into the EO that you were set to sort of see, particularly in relation to that? So to the earlier conversation, can I answer another question that I want to answer that I'll get to that? No, I mean, because this is, I think it's part of it. I do just want to make a quick point based on what Rick and Gabe said, which is one of the efforts that came up in the commission was it's coming together with like-minded economic power. So to your point, it's not always the people that we think of as our allies, but it's those who are, we're working together as trade partners, economic forces in the global economy. And I think that's really important. And then one other answer before I get to yours. 
I think that all in all, this executive order from a cybersecurity perspective is a demonstration of really thoughtful government action. I mean, what happened was the EO came out to Dave's point, there were a lot of drafts circulating and that was because industry was giving comment and they were figuring out how to reconcile that. So if you look at the draft that came out in January and the draft that was released on May 11th, there was a tremendous amount of progress that reflected input on efforts that were underway. And I think when we look at government and we look at a new administration coming in, there's always this concern that we're gonna lose a lot of ground on all the efforts that we've worked on. And this EO really tried to not start at zero. It's tried to start and work off of those efforts that are working and also identify where efforts weren't working. And as a result, the theme of the EO was risk management. And I think that's a huge success. I mean, the fact that government is talking about cybersecurity in the context of risk management is quite a significant advancement. And so when you look at the strengths, I think that's a key one. Also, this identification of botnet mitigation, when you look at industry and everything that's been done on that front and how much of a struggle that was to put that out to say, hey, this is something, we've gotta get the ball rolling on this. And if we get the ball rolling on this with industry and government collaboration, other things will flow. I think those are big strengths. From the perspective of the commission report, we did have this discussion of the harmonization of regulations on an international front, which I think definitely needs to be addressed. And then this constituent of small and medium-sized businesses, we struggled with it on the framework. We struggled with it on the commission and the EO, it's how do we truly help small and medium-sized businesses? 
Because more and more, when you look at, particularly in an area of IoT, in the realm of IoT and interdependencies, the value chain of large industry depends on small and medium-sized businesses. And so there has to be a role that large industry is now playing to develop the best practices, the challenges, and figure out the distribution mechanism to its value chain. And that's, I think, a key starting place. IoT standards would be the other ones that I think we've really gotta be thinking about. We had a discussion in the commission early on in looking at the proliferation of IoT devices to say, we really need to be focusing on those IoT devices that are life-affecting, driverless cars, medical devices like pacemakers. And then September rolled around and Mirai happened and it was like, well, duh, it's interdependencies, it's actually not the life-affecting, it's anything that's connected because if we're looking at baby monitors as having a connection to critical infrastructure. So truly, to your earlier question around how can government and industry work together, being able to work together to develop standards around IoT devices, I think is something that we've gotta be thinking through. Security market is already becoming one of those phrases like public-private partnership, which is losing meaning, but it's really understanding what do we need to do to incentivize, where's government's role to incentivize security in the development of IoT devices so that we don't get to a place where it's an unwieldy environment of interconnected devices and we haven't baked the security in from the beginning.

Okay, I'd like to add a little bit to that, and it jogged something in my mind, which is the emphasis we're focused on with the Mid-Atlantic Cyber Center is to focus on a couple themes here that we think are very important and you've touched them, which is personalizing the members and from a diversification of what the members are, who they represent. 
There may be firms that are large that aren't mature yet in their cyber position and there might be firms that are mid and small-sized that are equally in that same boat with that large firm, for example. So we're looking very carefully at profiling our members and understanding what their position is, what their profile is, what their footprint from a cyber standpoint, what are they strong, what are they weak and trying to create the community with trust-building of like entities and then make sure that we bridge it to sort of a larger community for more effect in terms of lessons learned in helping one another. So I think this is very important in terms of the small, medium and what traditionally is supply chain focus, perhaps in a vertical, it goes beyond that. We have a lot to learn, a lot to gain.

So this may be an unanswerable question, but over the last few years, what we've seen is the establishment of this concept called ISAOs, which is sort of this idea of sort of bodies to share information and how that work best remains very unclear. Is it geographical? Is it sectoral? And a lot depends on, as Dave alluded to, where the density of industries. What have we begun to sort of conclude in terms of what works? In other words, if you're gonna be geographic, how big is that geography? Should it be a state? Should it be a number of states? Should it be a FEMA area? Should, which industries should be national or international? Are we beginning to get a sort of sense of what works and what doesn't work in this space? Or are we still flapping around?

I think we're still learning quite a bit, to be honest. But I think we have some good indicators of what works well. We know from a trust standpoint of size that certain size number does not equal a community of trust. So smaller is generally better in building trust. 
That said, we also know that there's communities that are closely associated and it's important to figure out how to federate that and build that level of trust. So I think these are some of the things that we're learning. There's a lot of yeses to your question in terms of- I think part and parcel to this too, and the cyber federal alliance has said this, or at least advocated for this, you need to have a community of interest that can add value to the broader network, right? And that typically means being able to source valuable intelligence. And that's one of the reasons why I've long advocated for every state to have an ISAO. Some, in some cases, multiple ISAOs and potentially using the fusion center network, which already exists as an opportunity to house those ISAOs. One of the things about the ISAO development is, when ISACs came out, they were designed for critical infrastructure and vertical. All right, and there were like 15 of them. I forget the exact number. ISAOs are like, there's other kinds of groups that kind of form up naturally and they want to have the same kind of status and ability to share threat intelligence with their own community, with the government, and think, so this is a recognition that there are way other, there's lots of other kinds of information sharing groups. It doesn't have to be cyber, it can be physical, it can be lots of different things. This is a framework for them to get involved and do that sharing. And I should say ISAOs, information sharing and analysis organizations. And if I could just quickly add, the ISAO, the MAC, is the state of Virginia has specifically asked for that being to be stood up for their ISAO at first. So I'm gonna quickly just ask another question. Feel free to answer the question you wanted to answer when you get the question. We've already been doing that. I just can't about it. 
One area we also haven't discussed, but something we've been doing a fair amount of work on here at New America is workforce development. Something that did actually make it into the executive order. In part I think because of encouragement from industry. What role do the private sector have in sort of guiding a better, more appropriately trained and educated population on the one hand workforce on the other hand and how do we take that forward in a practical way?

So I think I mean workforce is becoming quite a focus on the concentration and for all the drafts of the EO you saw it really not being mentioned and then having a pretty strong spotlight on it. We heard two things and I think there are two general approaches to workforce. The first is we have enough people in the workforce they just don't have the right training. So we have to do a better job of training and then we also hear we don't have enough people in the workforce. So how do we attract people into the cybersecurity workforce? And there are a couple of different ways to look at it. I do want to take some time just to highlight the educational component which is when you've got a first grader who's getting a Google Chrome to do their math they should be getting cyber education with that. We've got to start developing our cyber workforce organically through education and those other means. But from the private sector side it's looking at how do you take the efforts from the private sector and be able to share them with government and also looking at the cultural change. So one of the interesting things when we look at workforce it's how we're defining those positions. I mean as the executive director of the presidential commission I was considered an IT specialist by government jargon. I can assure you I am not an IT specialist but that's all that they had. 
And so when we look at developing workforce we're typically thinking in an IT department your human resources person needs to understand what cybersecurity is. This has to be integrated into position descriptions across the board. I'm even starting to push back a little bit on this boundary of cyber workforce because if you go down and grab a coffee around the corner they probably are using Square and you're swiping your card through an iPad or something like that. So everybody is part of the cyber workforce and I think this starts to get into the individual accountability in the digital economy that we're creating. And that becomes a cultural you can take it as a microcosm in the cultures of industry to really start focusing on that education and awareness but understanding that you don't have a cyber workforce within your industry your workforce is your cyber workforce and we have to be doing a better job both from industry and government in understanding that and educating the workforce accordingly.

And how do we operationalize that? To the education. So when you start a new job you get ethics training you get the briefing on your equipment you should have cyber training that should be part of your onboarding.

I think it's too late by the way is way too late. This is part of that cyber moonshot idea. Where do you want to be in 10 years? And there's lots of stovepipe efforts going on in the private sector in the public sector but there's no unifying effort to get it all going in the same direction. I'll give you an example. You're just talking about the shortage of personnel in our industry. But if you look at women in our industry and cyber security they make up 11% of the workforce for cyber security professionals. If you add a minority to that if you make it a black woman or a Hispanic woman it's less than 1%. 
And so if we're ever gonna fill the gap of this a million jobs that are unfilled right now it's clear that we have to go and hire a bucket load of women and minorities to get this done. So how do you get them educated? Because it's clear if you look at the data they start to drop off the STEM topics somewhere in high school. So we have to find ways to interject energy into those two, women and minorities, so they pursue this as a career. Here's something we did at Palo Alto Networks to try to fix this and I think we can nationalize this idea. We just partnered with the Girl Scouts to build 18 merit badges for the two million Girl Scouts in cyber security roughly divided into safety online and network defender kind of principles. From K5 through 12. So for their entire academic career they're gonna be hit with cyber security education while they're in the Girl Scouts. That's an amazing way to do it and I would love to see a moonshot idea how do we do that in every organization that we have in our country?

We'll come back to this moonshot idea but Dave, education, workables actually is driven in the United States much more at the state level than at the federal level. What do you need from private sector your colleagues in education to make this something real?

Yeah, I think this is less of a public-private partnership issue in just an area where government needs to develop more of a core competency. I think we've been grossly delinquent and I'm broadly characterizing government at all levels in this area.

I think you're okay with saying government is broadly delinquent. I think that's okay.

But, in 10 years, government won't be able to hire any cyber professionals at this rate. There is enough supply and there's no incentive. So we need to have a moonshot idea in government to address what is a huge risk in the next five to 10 years. 
I mean, because consider obviously there's a lot of competition with the private sector but our needs, our human resource needs are ballooning at the same time and we're just not gonna be able to meet those needs. So I think it's gonna take some outside the box thinking. Money talks and right now there is no competition monetarily between government and the private sector. We need to start really doling out some cash on the public side in order to create some parity there. I think the private sector, generally speaking, is gonna be fine. I think curricula are starting to catch up to this. But where I see the huge crisis is public sector information security over the next five to 10 years. I think this is where industry can step in because this is one of the things that we, in looking at it, because industry recognizes that it gets value out of people in government who they can then have an exchange and a program. And there was a conversation that we'd heard which is this concern that if someone is trained in government they're gonna get poached by a private sector industry and we'll never see them again. But there are these exchange programs that some of the large industry companies are building with government. And the statistics on these preliminarily are not that we're losing, we're getting a huge brain drain out of government to go to these industries because you're getting the value in both places. And I think that industry has a role to help train and then they understand the value of getting somebody who's worked in the Navy, getting somebody who's worked in the IC community to play that. So there's gotta be this cooperation. And I love the idea, I mean it's the education idea. We've gotta start really young and change the culture around what it means to be a scientist and mathematician. I mean there are plenty of public service ads that talk about how girls don't look at themselves as mathematicians. But we have to be running two tracks. 
We have to be running the short term track which addresses where we are now and we've gotta be growing this organic workforce that identifies everybody as having the aptitudes and the talents in this field. I think industry has a real opportunity to offer community service in being able to do this that actually then pays back. MasterCard is doing something like this that's getting a lot of value. Uber, before a recent month of challenges was really leading in this space. I mean there are some large industries that are looking at this and I think if we can get those types of programs integrated into government around then we address some of these challenges immediately. You're talking about that too good. We've had this thought for years that in order to be a cyber security professional you had to have a computer science degree or a double E degree or some. And it's not that. Tier one entry level jobs, you need to have some basic understanding of some of the networking and how your computer works and how to work a tool and then you can work your way up. So it's not like it's a big problem we have to offer. And that goes to the HR issue. It's understanding what you're doing. My colleague, Laura Bate here at New America is doing some work on cyber security apprenticeship. So we're blending sort of private sector or even government experience and education at the same time. I think that is an interesting thing to explore. I'm gonna come out to the audience in a sec. So have your questions ready. But just to, so we go into that in a positive frame of mind. I'd like to ask for some examples of good practice in terms of public-private collaboration sort of outside of the information sharing area of where we can point to potentially just very small examples but things that we can build on, ideas that we can take forward. Dave, you may have some. Sure, so like I said, most of the work we're doing is in the information sharing space. 
We're having some interesting conversations with public and private universities in the area about how we can collaborate on incident response. I think one of those moonshot ideas is a public-private incident response model where you leverage the capabilities of the private sector and the incentives that the public sector could offer in order to actually scale incident response much like you scale other emergency services. And the other one is identity management. Now, I can't really point to too many concrete examples but it's getting a lot of play, at least from a discussion standpoint. When you talk about a synergistic opportunity, I think that's probably the best opportunity.

What does that mean for the citizen or the consumer?

Well, think about it. I mean, at the end of the day, obviously everyone has an identity, every business, every government, every research university has an interest in establishing common standards for identity. And increasingly so, we've heard this before, the perimeter is the identity. It's not the firewall, it's not the router, it's the actual identity. So there's a lot of kind of enterprise from an IT perspective, interests involved that span the public and private sector. And could be an interesting opportunity to tackle.

So one example I think is working is building relationships between the public and private sector and how do you do that? One positive example is something called the Joint Service Academy Cyber Security Summit. It's been doing about three years now. It rotates around the academies and it's a bunch of smart government people who've been in the space for a long time and C-level executives from the private sector who are academy graduates. And we throw all those people into a room and have them discuss Cyber Moonshot and big things and see what we can do. That seems to be working.

I would add there's a couple come to mind. There's tens and hundreds of these great organizations out there doing wonderful things. 
The customization, the tuning of certification programs, community colleges, working with private sector, et cetera to put paths of sort of the trade school technical approach really is something that we need to really emphasize. And a great example is your Girl Scout merit badge too. One, another one is just in themes like veterans, right? And veterans are so important in terms of being a team that is sort of the fire team that goes and solves the problem. Northern Virginia Technology Council is a great example of veterans employment initiative that was put together with literally 1,000 member companies and the state of Virginia and others interested in figuring out how to help the veterans transition out of military into private sector jobs. And many of those are IT support and technology and cyber. And so that's just one example, there are many others. So how could these be tweaked and further tuned to hit this mark? I think that's part of our answer here.

I think the curriculum revisement that we're starting to see the revision and with academic institutions working with government to say, you know, what do these degrees mean? Also to the point that it doesn't necessarily mean you have to have a degree to go into this workforce. So are there two year programs that, you know, coming out of high school? And I think there are a tremendous amount of efforts CyberPatriot, which is working with high school kids where you start to understand the value of broader public service when a conversation that happened in the commission was this discussion that if you're a lawyer and you have a stint in government, that's a plum job and then you come into the private sector. Why don't we have that same type of approach for some of these other professions? And so the thing about CyberPatriot, and I think some of these other high school programs is you get a sense of the bigger mission of what it means to serve in government. 
And there is again this cultural issue but cybersecurity as a function in government and being able to teach kids that and reward them and inspire them at a younger age, I think. And the role that government has played in the CyberPatriot programs and others, I think has been very positive and productive.

I'm gonna throw it open to the audience. Stick your hand up if you have a question. Please keep it nice and short and end with a question mark. So we're gonna start on this side to confuse the, Mike Hawkins.

Touches on a lot of different things and what it seems to do more though is commission reports about these different things. So I'm curious about what you're seeing in terms of that process. I mean, there's something like 13 different studies at commission. So is there enough engagement with the private sector in that process so that these reports are shaped and leading to something that's eventually actionable?

And go ahead.

I think it's a great question because I do think what we didn't highlight and I think one of the criticisms when people were constructive was the creation of additional reports from an EO. There has to be some level setting. We do know that there are multiple work streams that government and the interagency are working. What I don't know is how much industry is playing into that. You do hope that the approach that they took in drafting is continuing to be executed. But when you look at the American Technology Council, some of the Giuliani efforts that are cross sector, there are these other efforts that are underway. Whether or not they're informing the EO, we don't know that connection. But I think the point that Dave made, which is that there is, it's encouraging to look at the role industry has had up to this point. There's a lot of deadlines in there. They're either passed or rapidly approaching and many of the organizations have to do those reports. Still have not been appointed leadership. 
So I don't have a lot of hope that they're gonna get done in time. Which maybe actually, if you extend the deadline, it may provide more opportunity to go and engage and consult. But one thought that that question prompts is when we talk about the private sector, we're obviously talking about a massive variety of different organizations. To what extent do we think the private sector, writ large, is able to contribute its thoughts into government? And the NIST framework process was particularly long and exhaustive, partly because it had to engage so many different sectors. Do we think there is a good mechanism to get a good back and forth between government and the private sector, or is that something that we need to foster? Well, I think one way to organize it is sound like a broken record here, but at the state and local level because the bureaucracy is not as intimidating, right? And you have pockets of industry that can dictate the type of conversation. Seeing great things in Virginia as it relates to cooperation between the industries in Virginia and the government in Virginia. Like I said, in New Jersey, telecom and healthcare is big. So we do a lot of cooperation and partnerships with those industries. So I think depending on, breaking this up into jurisdictions is a useful way to organize our thinking, not just because it'll dictate the terms, but it's a little more manageable too. Do you feel your voice is heard, Rick? Yeah, I think there's ample opportunity to collaborate on these kinds of efforts. It takes a massive amount of resources though, right? So it would be nice if there was a, I'll go back to my thing I hit all the time, that single vision of what we're trying to do. It's kind of all over the map, but we have ample opportunity to participate in those things. Next question. With Quentin, then come back to John. Quentin Hodgson from Rand Corporation. 
It seems that lately the establishment of cyber centers of various kinds has become almost a cottage industry. And particularly when I think about small and medium-sized businesses that have often been left out in the conversation, it's a confusing landscape in terms of technology, solutions, but now also these people are there to help them. So what distinguishes them and how should they think about it? Is that something that government can help weed through? Is that something that independent organizations like New America can do? But what's the path forwards on this?

Well, MITRE's an FFRDC. I mean, is there a scope for consumer reports for cyber centers or how?

I think there's room for a lot of those things. I thought that question was really for New America, but I think there's clearly room for a lot of improvement in this area. And I'm not sure we have the answer, but it's something that has to be looked at seriously and developed further. I think it's a march, it's a long march.

One thing that we actually didn't touch on too much is the research and development agenda and how government and industry can actually work together to create that agenda. And I think that those centers, the centers that you're referring to, those would be great opportunities for execution on an agenda that says this is what government needs and or this is what industry is seeing and producing and coming together with that sort of focus prioritization. Because to your point, they're all over, but the focus, are they addressing the needs of the day? Are they truly addressing the future with under the strategic mission?

Research and development doesn't have an obvious owner, I mean it cuts across lots of different government departments. Who would you see taking the lead, sort of setting the incentives for that sort of?

What I don't know is the status of the Office of Science and Technology Policy, which is what drove it in previous administrations. 
There is, it does exist, but I don't know what type of authority that type of entity will have. But I do think something like this, you want it driven out of the White House in collaboration with the agencies that have the different areas of expertise as it's worked effectively in the past.

Okay. We also need to be careful of size here in terms of, and we're talking about small and medium. And so the solution has to be of a size and a magnitude that they can palate, they can bring on and they can digest. It can't be heavy. These companies and as everybody is in the business of doing something, it's not cyber per se, it's another activity. So we have to make sure that we think of a set of solutions here that allows those businesses to do what they want to do and need to do and that it's not a heavy load for them.

We don't need to reinvent the wheel. So there's a lot of really mature institutions that exist, particularly chambers that serve small businesses, medium-sized businesses that are in the process of augmenting their own core competencies in this space and they can continue to support the small business community in that respect as well.

John.

So John Nicholson, British Embassy. I'd like to hear the panel explore international cooperation a bit more. So there's obviously lots of government-to-government engagement, but what would genuinely public-to-public private international collaboration look like and where might it be useful? Perhaps leaving aside kind of law enforcement and information sharing as to the more obvious examples.

I got to get one example I ran into last year. I was visiting Interpol in Singapore. Their Interpol's mission is to combat cyber crime. And I've been doing this stuff for a long time and I've been defending my networks against Chinese cyber espionage for 30 years. But across the table from me was a colonel from the Chinese Army whose job it is to fight cyber crime in China. 
So that was jarring to find that person across the table from me, right? But it's the point I was making before. There are areas that we can agree on internationally that we can cooperate on, all right? So having that discussion across the board is what I would like to see happen.

So one area, sorry, we'll come back to you, but one area where there has been positive public-private cooperation and the administration would seem to suggest there's opportunity for more is around botnets. Is that something that we can build on and take forward or is this a misunderstanding of what we're actually dealing with?

Botnets is part of the infrastructure that bad guys use, all right? So I would just say any infrastructure that they need to run their operation. And mostly it's extensive. It's not one guy in a basement attacking you. It's a bunch of stuff and servers all over the world. So infrastructure is what I would go for. Make it really hard to operate on the internet.

I do think on the botnets one of those cases where we need to make sure our house is in order before we have an international discussion. It's not that they can't happen necessarily simultaneously, but that particular, one is interesting from global companies and those issues that we have to understand where we sit as a government, as an industry on those issues to be able to have a unified voice to be able to work. But I think having that engagement becomes critical.

Standards and a lot of the international play with a lot of firms and in a particular industry vertical is as inputs into standards. I think we have a lot to learn in that to keep on that march for cyber.

And I'll just add, this is an area where multinationals can really drive their conversation. So back to that private public and not the other way around, because oftentimes their interests transcend traditional geopolitical boundaries and alliances and things like that.
So if multinationals drive it and they are the reason to create the incentive and government can come in and contribute as well.

Good morning. My name is Maurice Turner. I have a question regarding harmonization. So I'd like to hear your thoughts on where you think the federal government should be playing a role in harmonizing cybersecurity-related regulations, because you have states like California and New York that have some pretty aggressive regulations, especially when it comes to issues like data breaches that seem to impact almost everyone in the country just given the populations that are in those states.

And Maurice, just tell us what you're working.

Congressional Innovation Fellow, working in Senate Homeland Security and Governmental Affairs Committee. Harmonizing regulations across all 50 states and territories.

I think we definitely have to look at harmonization. I mean, that doesn't necessarily answer with a lot of granularity, but one of the things that we continue to hear, particularly with how our government is organized when you have state regulations, and to the point about the multilateral, the large governments, or the large industry, the global industries, they are really struggling operating in an international economy when they have all of them. And Rick can talk to this certainly better than I. But we do need to make an effort on the part of government, and it depends upon which avenue is it for state regulations, the harmonization of states, the harmonization of global regulations, but there is an abundance of them. And it was an interesting approach that was taken, I think in March when the president announced for every regulation that will be created, two or three or four more have to be taken away. I mean, everyone appreciates this is an issue. So I think having an initiative and an effort that looks at it across the territories, across the states, but then globally, to come up with effective policies necessary.
Although it does seem that with the federal government sort of stepping back from regulation, some of the bigger states, New York on the financial side, California on the data protection side is sort of stepping, if you'll excuse the pun, into the breach. And are beginning to sort of set standards which will drive not even just national but international regulation. Is that where we're gonna see the action in the next few years?

We might, I think for the wrong reasons, as you said, because there's not necessarily a whole lot of action at the federal level. A bunch of states are making some noise for good reasons, of course, but obviously some states have experienced a few bumps with the implementation just because it's kind of their first foray into this. I think we should be a little more reserved about states stepping in the breach, if you will. Not only are they relatively new at this, but it's only a matter of time, I think, until Congress gets their act together and starts to develop a national scheme for harmonizing all of these.

I should point out that Dave doesn't live in Washington, so.

So they make a counter-argument, right? The data breach laws, I think there's 47 of them now. That is a great example of being able to experiment locally with things that might or might not work and see what happens, right? So I think it's time that the U.S. have a harmonized law for that now because 47 states have one, right? But for all these things, Dave, for privacy and all the big issues, maybe it is something that locals can do and we can see what works and what doesn't.

MFA.

Good morning, MFA Gao in New America. I think you all mentioned the idea of a cyber moonshot, but we're not totally sure what that looks like. And I wonder if, even in the absence of having a vision of what that endpoint looks like even 10 years from now, we would know what it looks like as we're moving towards it.
So along the way, if you have a sense of how we would know what the signposts are when we have our land home moment, we see it coming. Or on the negative side, do we know what it looks like when we have our like, this isn't going well moment in any arena of public-private partnership that you want to consider?

You're right, we don't know what is in the moonshot. As many people in this room, there's an opinion about what should be there. So the only advice I would have is, we don't want to incrementally move, we want to take it to the next level. And it doesn't necessarily mean more things, but we need to have that conversation with all the smart people about the thing that takes the whole country and maybe the world to the next level.

So Rick, one of the reasons why the moonshot got to the moon and back again was because people had a very clear idea about what they wanted to achieve. And question is, do you think, at least on the private sector side, there is enough consensus about what that goal might look like, quite apart from how you leverage the government to help deliver it?

What I like about the moonshot idea is that we're talking about 10, 20 years down the road. So that is far enough away that anything we decide on is not going to impact everybody like right now. So I think it'll be easier to come to consensus on both sides of that argument.

So the moonshot would clearly be a world where we wouldn't have the end users worried about cybersecurity on their devices. And the moonshot would be that the world has standards and that there's service providers that provide you that service without all the noise that we have at this level. So I'm just trying to visualize that future utopia.

So I actually, I didn't talk about a moonshot because I think it's very difficult. To your point, Ian, to me a moonshot is a binary. You get the man on the moon or the woman or you don't. You solve cancer, you cure cancer or you don't.
And I think if we looked at what the moonshot would have been 10 years ago, we would have talked about securing our critical infrastructure without any appreciation for now how we can't really define critical infrastructure because of interdependencies. And I do think moving security away from the end user, these are all issues that we're talking about today. But I think there's no way we can anticipate what the innovation and the technology when you start looking at where it's going at such a high pace to really identify what that binary goal is. I think we can have a series of goals that will take us that we believe now are lofty. But what technology and innovation and particularly in this space continue to show us is that we can't possibly get ahead of the innovation let alone the malicious actor. And so being able to think in that way, it's not to thwart innovation. We absolutely wanna innovate. But I think if we're doing it in a way that only creates one goal, we're gonna miss out on the opportunities that innovation and what we're creating will actually produce.

Down on the front there and then clicking this on the back.

Thank you. I'm Kathy Petruzzino from MITRE. I wanna just throw out a hypothetical and see what the response is. So my mother, she's not gonna get educated on cyber. I can tell you that right now. And she has one of those devices that if she falls, she pushes a button. So suppose a bad actor decides to compromise those devices and they are very compromisable. We know that. Whose responsibility is it to get to my mother and let her know that it's not working, that she needs to do something? Is that government? Is it industry? And especially if there is really a critical time element to it, how do we manage something like that? And is there anything officially in place or is it just a chaotic response?

So as you answer that question, because I think I can predict the answer.
Another question to think about is how do we get to the position where in that example and other similar examples, everybody involved knows their responsibilities. What's the process that we're gonna have to go through at various different levels of everyone feeling more comfortable about their responsibilities?

So I didn't answer the moonshot question, but I really kind of think if there is a moonshot, it's centered on this problem, which is scaling essentially incident response for the average citizen or business, for that matter, who doesn't have the capabilities or the budget in some cases to actually respond. So I think about a lot of this and I hate analogies to kind of the physical world, but I do think about the EMS analogy and what we've built over the years in per fire, for medical, for first responders and adopting a similar model for cybersecurity. Of course, it's gonna have to leverage capabilities in the private sector and it's gonna vary based on geography, but I absolutely think it's the role of government and it's an area where government has also been delinquent, I would argue.

The perfect public, private, private deal problem, because the industry has to set the standards for what we want those things to do and government needs to be able to enforce those standards that you can't put your thing on the internet unless it follows these standards and it's that perfect match, it's a perfect way for those two folks to get together.

So I'd like to answer Cathy's question a little differently. I do know Cathy, I do not know your mother, but if your mother, but if your mother's like any other mother that I know, you're responsible for the fall and for the action of what worked and what didn't work. There'll be some of that joint responsibility. So I think what I'm trying to say here is twofold.
There's the individual responsibility and then there's the awareness of the marketplace in the products and the market will tell us what is the right standard to go to, what product works, what doesn't. Ultimately, that's gonna be the final arbiter.

I think what everyone said, I was actually just gonna move on to the next question, but what Gabe just said, this nutrition label that Mudge is developing, a research on how to create essentially a risk management tool on all devices. So you know where the strengths are, you know where the weaknesses are. I think the evolution of this, the consumer reports, energy guide, all of that for cyber security, I think can be a tool, but absolutely this model for public-private partnership. Our colleagues at the Atlantic Council, Josh Corman, Beau Woods, doing a lot of work in this area as well, and I think that's gonna be important.

Final question.

Ryan Richardson from LIDIS, excuse me. My mom is also not cyber educated, but she's in her fifties, so God help us, I guess, I don't know.

She has time.

That's right, yeah, maybe she will be. There, all right, right. We talked a lot about reforming the classification program and increasing information sharing among industry and government, but there have been so many recent high profile breaches by contractor personnel, particularly with TS clearances and above, that have shaken public trust in the classification system and in the work that private industry can do with government. How do we reconcile the desire by private industry and by cybersecurity professionals in government to increase information sharing and increase the amount of work we're doing together while balancing that with the need of internal security professionals within the government to make sure that contractors and private individuals aren't revealing classified information in nefarious ways.

Can the private sector be trusted? A deduction, okay.

Absolutely we can be trusted, all right?
But I don't think everybody understands the rules of the game, all right? And so here's what we've decided, okay? Yes, we want to partner with the US government, but we have to be able to do our own thing. So we're gonna make it as easy as possible when the government decides they want to share information with us, allow that information to come in, all right, and then share everything back with them as fast as we can. Other than that, we're gonna have to rely on the government to help us figure out what they share.

I don't think the issue is can industry be trusted? I mean, I would flip it right back, can government be trusted? Because that issue to me isn't about trust, that issue, that's cyber risk management. I mean, that's insider threat. That's basic 101 on how to manage the infrastructure of your company and how to secure it and ensure that those opportunities aren't available. I mean, there are individuals who can, who engineer the system and these are the anomalous situations, but you've gotta be looking at what your risk management approach is for those companies and it's the same for industry and government and arguably, industry has, probably not, no one's probably gonna argue me if it's too much on this, industry has better tools and a better approach for doing that and I think if we get caught up in the social argument around the trust because people aren't doing it right, it actually is a much more mechanical, functional risk management approach that needs to be addressed.

So final wrap up question, conscious of time. We've spoken about lots of different things. We've spoken about aspirations, things we would like to see and we haven't really defined we very well. Put yourself in the shoes of Tom Bossert after all of the different reports have come in on the EO, you're going to the president, president is desperate for a sort of bipartisan kind of idea to take to Congress and get through.
What is that one thing that you would like to see the administration and Congress get together, bringing in the private sector, getting the nation working on together, one each and we'll go down the line. So this is your wrap up thought.

Yeah, we'll pass the information sharing, let that be the buzz word of the past, we'll continue to do the work, pick another one, pick another cyber domain, I pick identity management and that's what I really bring the private sector in to tackle.

And what do you wanna see happen in that area?

Standardized, single universal identities for the purpose of convenience, trust, security, across all industries and sectors.

Hey, so we keep hitting this drum but I would like to see a unified vision of the cyber moonshot idea, whatever form that takes, take all these stovepipe programs that we've been talking about this entire panel and get some cohesion around all that with a goal that we have in mind. I would love to see leadership and government doing that.

Standards and I think identity is the top one.

Last thought.

Not too much pressure, short term I would say looking at IOT standards and I see identity management as a longer term because I do think, I mean if we're in the context of a moonshot that's something that we probably can't even truly configure right now what the solution looks like but we absolutely have to get there.

An enormous amount of work, thank you very much to panel, Dave Weinstein, Rick Howard, Gabe Galvin, Kirsten Todd. There is clearly a lot of work to be done but there is also a lot of work for us in the think tank world to get ideas out there and we very much appreciate your help, your help bringing some of those to the surface and discussing them today so thank you very much.