All right. Good afternoon. Welcome to Policy at DEF CON. My name is Will Loomis and I'm a goon here. This talk is going to be "Cyber Policy Adrift: Charting a Path Forward for International Maritime Cybersecurity." And we'll have a great panel of four people here. I'll introduce them all in a second. But before I do so, just a couple of quick announcements. First of all, this talk is going to be hosted on the record. Cell phones: as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent at this time. If the speakers allow questions at the end, if we have time, please use the standing mic over there so that everyone can hear you. Make sure to point the mic towards your face so that everyone can actually hear you. As a reminder, the DEF CON photo policy prohibits taking pictures without the explicit permission of everyone in the frame. So please keep that in mind. With that, let's get started. I'm going to welcome our four speakers here. First, our moderator, Nina Kollars, our Kitty Hegemon here, associate professor at the Cyber and Innovation Policy Institute at the U.S. Naval War College. And then our three panelists. We have Josh Reiter, deputy PCA at the Department of the Navy. We have Blake Benson, industrial control system and cybersecurity practice lead at ABS. And we have Cliff Neve, director for MAD Maritime at MAD Security. Welcome all, and thanks for joining us today. Over to Nina.

Okay, good. I want to ask a question. We prepared for this. All right. So I'll start just by introducing myself briefly, and then I'll let my colleagues do so as well. But I want to talk a little bit about what I thought the logic was about building a panel that looked like this.
And the thing that I wanted to kind of dig underneath is that despite the fact that the oceans are a shared space, both legally and in terms of the resources we use, the entities that are allowed to govern or required to operate upon it actually have very different perspectives on what it is they're getting up to, what the problem actually is, and how we solve it. And so I wanted to make sure that we had a rep who could speak to us about what the Navy sees when they see the maritime industry and cybersecurity, what the private sector sees when they think about this question, what the Coast Guard thinks. So I wanted to make sure we got that on the table. So if that doesn't come out by the end of the talk, by the end of our talking to each other, please press us a little bit on that. I am recently out of the Office of the Under Secretary of Defense for Research and Engineering, which is inside the Pentagon. And I have just returned back to the U.S. Naval War College, where we work on things like defense critical infrastructure, but also thinking about how we go from everyday operations, cargo shipping to leisure cruises, all the way up to high-end conflict where the Navy is thinking about warheads on foreheads and that kind of question, right? So that's all fair game here. So I'm going to step back for a second and let my colleagues introduce themselves.

Sure. My name is Cliff Neve. I'm with MAD Security. I'm a retired Coast Guard officer. My last duty assignment was as deputy commander at Coast Guard Cyber Command. And I was kind of like there when it happened, as far as the Coast Guard standing up cybersecurity and starting to implement cybersecurity into the Maritime Transportation Security Act type of elements. And that's my background.

Yeah, Blake Benson. First things first. I mean, I'm a washed-up cyber operator by trade.
I was doing Title 10 OCO and DCO at the Air Force and was specialized in kind of non-traditional vulnerability assessments of combat weapon systems, which included airframes at the time, and started an OT cyber risk practice, I guess it's been about four years ago, with the American Bureau of Shipping. And so I kind of was grandfathered into the maritime industry, but it turns out ships are just kind of really slow planes in a lot of ways. So it translated pretty well. And now we support various... we support the Coast Guard, we support Navy non-combatant ships. We've got a tremendous amount of OT-specific, industrial control system-specific risk assessment work that we've done on floating platforms out there.

So, hi, I'm Josh Reiter. I'm the deputy principal cyber advisor on the Secretary of the Navy staff. I'm a former merchant marine officer; I spent about five and a half years at sea. I was the IT manager for the Port of Austin for three years. So I know the waterfront and the shipboard side. And then I spent way too long at the Office of Naval Intelligence, about 17 years, looking mostly at civil maritime issues. And now I also work at the Pentagon. Again, as the deputy principal cyber advisor.

All right, so thank all three of you in advance. And, my apologies, I'm still sort of on shift as a goon. And then when I leave today, I'll come off shift. So I'm still wearing my goon wear. But I'm sure you'll forgive me. So let's start with just a top-line question. And so as you start to answer, whoever answers first gets to be the original one; what I'm going to ask you to do is not say the same thing that anybody else has said already. And so I'm going to start here, which is: why should we care about the fact that we are still building policy? Why do we care about this for the maritime domain, if you're speaking DoD? So first one to answer, why should we care? And then we'll go.

Just-in-time delivery. It's one of our greatest strengths.
And it's one of our greatest vulnerabilities. You've all undoubtedly been affected by strikes in the Port of LA/Long Beach, prices going up, goods not available. And those are all just routine, non-attack disruptions within the maritime industry. Now imagine something in the maritime industry on the order of a Colonial Pipeline, where things are shut down deliberately, where we lack resilience to get them back online quickly, and container ships pile up outside of ports, can't offload, goods are not delivered, food doesn't get where it needs to be, goods don't get where they need to be. And the economic might of the United States is at risk.

Well, you may have heard the term: you can't regulate to security, but you can regulate to compliance. And one of the most interesting things about maritime is, especially when you look at the port environment... ships are one thing, and we'll talk quite a bit about the policies and various kind of governing bodies that regulate ships. And really they don't regulate at all. They provide recommendations in a lot of cases, like IMO. For example, it's not a legal requirement. But it becomes a pseudo-requirement because you can't get insured without that policy in place. And so that's a little bit different than, like, a federal regulator that says you have to do this; they make recommendations, and then people adopt it. But in the port infrastructure space, the amount of stakeholders that are at any given port is so disparate. I mean, you could have an oil and gas refinery there, you could have a food and bev, like chemical additives, critical infrastructure there. And what applies to them is very different from a regulatory perspective. And that's where the Coast Guard comes into play. That's where DHS Chemical Facility Anti-Terrorism Standards come into play. And so we need to have more, I guess, kind of consolidated policy, but consistent policy, in how we approach this.
And with the amount of federal stakeholders that are providing regulatory guidance in this space, we need to be aligned in what it is that we're telling stakeholders to do, because they share a common environment. And that's the really unique part about maritime.

So public and private partnerships is kind of an interesting dance, in that in the United States, you know, our government is responsible for making sure that our critical infrastructure is secure. And typically it's private elements that are doing that. And so one of the big things from the Coast Guard perspective was, when 9/11 happened, the Maritime Transportation Security Act of 2002 was established. And that basically defined that certain critical infrastructure, ports and facilities, offshore rigs in some cases, had to be secure for the U.S. interest. And so the Coast Guard worked with the private sector to try to make sure that those physical security controls were met. And words matter. And we'll talk about that in policy, I'm sure, a lot. And the word "cyber" was not in the Maritime Transportation Security Act of 2002, which caused me an endless amount of problems as an active duty Coast Guard officer trying to get cybersecurity taken more seriously across the board. But so in 2020, on my birthday, ironically, the Coast Guard did publish an NVIC that said yes, cybersecurity is included in the Maritime Transportation Security Act of 2002. That was only 21 years later, or only 18 years later for those counting. But as a result, you know, policies are important. And words do matter. And one of the things that struck me as I was kind of preparing for this is that, you know, when you're working with policy, things take a long time. And policies take seemingly forever to get through. And perfection is the enemy of good enough. But you have to be good enough.
And so we have to make sure, from a policy perspective, that we're moving forward in a way that's going to be helpful to the private sector, and help preserve our way of life and the way things go from a critical infrastructure perspective. But we also have to make sure that the policies that we develop are holistic, are achievable, are good enough, and are going to stand the test of time.

All right, so I have a question. So we're talking somewhat in the abstract, right? So we're talking about some fuzzy idea of governance and some fuzzy idea of who's responsible and meeting standards and compliance. And that's great. But I'm curious, for each one of you, what scenario keeps you up at night? When you go to bed, you're like, "Oh, man, I really hope this particular alignment..." He's already like, what is it? What is it that keeps you up? And, you know, speak from your positional perspective, but also just kind of what keeps you up at night? What scares you about this space?

It's not well regulated. We have not done the hard work from the industry side or the federal side to decompose the functions and systems that support the most critical pieces of our infrastructure countrywide. Ports are a huge emphasis of that; 90, was it 90 percent of consumer goods go through the shipping industry. So, you know, the Coast Guard has done great modeling on the secondary, if you want to talk, like, risk as a framework. You know, they've done a tremendous amount of work on determining what the secondary and tertiary economic impacts of a cyber incident might be at any given port. Because that's similar to the same anti-terrorism models that they've been building since 2005, which is a really, I think, distinct thing we should hone in on: those models, although they were built for anti-terrorism, still capture consequence pretty well in the port environment.
And so, you know, you might say, well, Blake, or, you know, anybody on this panel, you just said there's models that are built that show us what our biggest-consequence scenario is that keeps us up at night. But the issue is, there's no context for the functions that support those ports. And so supply chain on cranes that were developed and shipped over and are now in new port and some other places, that had intentional backdoors on cranes, that have open DDV vulnerabilities, because the control system on the gantry cranes are built by basically buttons tied to... it's open Excel, which is kind of interesting. There's things like that. And so my worst-case scenario is... what keeps me up at night is, as ports continually kind of become more integrated and more digitized, we haven't isolated the functions that really make them tick. Like, we haven't figured out what's really important in the port environment from a digital perspective to isolate. In the military, we call it cyber key terrain. But we haven't defined the cyber key terrain in these port environments to a point where our government stakeholders or even industry stakeholders understand where they fit in the system. And so there are scenarios, I'm sure that they exist. And, you know, we've done great research on... maybe War College research is that everybody does research on it. But I'm sure there's a scenario where something so benign, like a terminal operating system, for example, or when we move to port electrification, for example, a battery storage site, is going to have a vulnerability that shuts the port down for a week that no one captured anywhere, wasn't in a risk model anywhere. So defining what those functions are, and what's critical in a port environment, is the first step to figuring that out. And we just haven't; there's not been a whole lot of joint work done on that subject, for various reasons.

What keeps me up at night?
And what concerns me the most is, I think, a lack of leadership, and a lack of leadership understanding of cybersecurity risk. And I'm not saying lack of leadership from any one thing. But from what I've seen, so I've been to lots and lots and lots of ports, and we've worked with a lot of organizations, and so what we see, when I say lack of leadership, it's the fact that at the CEO level, at the C level, nobody integrates cyber risk in their overall business plans. I teach a class at the University of New Haven at the graduate level called Cyber Risk Management. And the very first question on the very first quiz of my semester is true or false: cybersecurity risk should be separate from all other risks because it's so specialized. False. And it's a 100-point quiz. And that's the only question on that quiz. Because so frequently you go to these places and you see ports with, you know, physical security is just... they've got tons of police cars. You know, one East Coast port has all these police cars and a gate; somebody escorted us to the facility. They had a badge thing, everything else. And then the CIO says, "Yeah, I can't get money for a SOC. I can't get money to monitor our network." And it's like, what is wrong here from, like, my leadership perspective? What's going on? And Gary Kessler, just at the last meeting, you know, he brought up a really interesting point. He said the answer to solving the cybersecurity problem is to take computer scientists out of it. Because frequently they're not able to articulate the risk. And it's a business and a mission area that the C-level personnel abdicate almost entirely across the board to their IT guy or gal. And the IT guy or gal doesn't always understand the mission risk, is unable to articulate it. And if the C-level folks aren't paying attention to it, it's not going to get the attention it deserves.
And, you know, even in governmental organizations, very frequently the component leads are like, "Well, talk to my CIO, talk to my..." You know, no, this is a mission area, just like any other risk. And so I think that there's a problem with visibility at the leadership level. And maybe that will change as the digital natives ascend to these positions, and they understand what an IP address is, because when they grew up they actually had a computer, as opposed to a lot of those component commanders who were introduced to that later in life. So I'm hopeful that some of that's going to change.

All right, so we're going to go to Josh now and see if he wants to lose his job.

I am less than three years from retirement. But I'm going to actually amplify two of your points. The first is, when we talk about policy, right? So this is not a strategy forum, this is a policy forum. But policy is the bridge between strategy and execution. And if for no other reason than I would like to keep my job, I'm not going to highlight a lack of leadership; I'm going to highlight a lack of coherent strategy. Right? So in order to get to execution, you have to have a policy that determines what that execution is going to look like. And you have to know why you're doing what you're doing, and what, and how. And we're lacking really coherent strategy. There was a maritime cybersecurity act in the previous administration. It was like 10 pages, you know. So it's not that there is no strategy. It's just clearly not getting us where we need to be. And the other part that you touched on, and I'm not even sure you realize you touched on it, is the liveware. Right? We talk about hardware, we talk about software, we talk about how we do our critical infrastructure. What we don't spend a lot of time talking about, although we are now on the DoD side and the National Cyber Director is, is the people.
And the fact that there are technical people, that your CIOs and your CSOs in the ports are there, is great, because a lot of cybersecurity jobs are just completely vacant. So it's not even a matter of having people who understand. It's a matter of having people at all. And I'm concerned, you know, what keeps me up at night is that we're not creating the workforce of the future, right? We're still generating the workforce of the past for the jobs of the future.

I feel like Tyson Meadows is in the audience. I think he's spoken about this a few times. Did you want to go ahead?

Well, I wanted to clarify that when I said lack of leadership, I didn't mean... I mean lack of leadership in organizations in general, lack of, yeah, lack of the CEO being responsible. So I just want to clarify there.

So I'm going to exercise the moderator's prerogative and monologue a little bit as well, because I watch this space all the time, and my job, by the way, is not to sort of think about specific policies at a federal level. The kind of research we do at the War College is we look at, you know, sort of how do you put a bunch of folks onto a tin ship that's loaded with computers and then send them into the line of fire and, like, you know, hope it all works out. And so the thing that's been hard for me to wrap my head around, and I think that everything everyone said gets at it, this leadership and being able to articulate the problem is huge. So if you haven't been paying attention, the United States has been in a period of, in theory, right, not actual active maritime combat for 70 years or so. And so active maritime combat is a certain kind of skill, and so we haven't been doing it. And in the meantime we went into a period of peace, the end of the Cold War, and we privatized everything. Everything, right? So all the way down to how the Navy gets its stuff. With very few exceptions, important exceptions, but very few exceptions, the Navy is reliant upon the private sector to deliver its stuff, and it's by the sea. So can you imagine what that might look like if we decide that, okay, there's going to be a great power war, we're worried about it, what happens, right? So we have made it cheap. We have made shipping monstrously cheap, and then we have no money for cybersecurity because it's monstrously cheap, and then I need to be reliant upon that system to be available in a high-end war. That's right, it's terrifying, right? Trying to wrap my mind around how do I even get back to something that I can control so that I can resupply, maintain, right? Again, I'm not super excited about it, don't want there to be a high-end war, but if there's going to be, I need there to be stuff. And so this is what keeps me up at night: ports, who's operating ships, how many ships we have, all of that. It's terrifying. Anyway, moderator's brother, I got a little dark there. Anybody else? We good?

All right, so what are the challenges? What is the primary challenge? So it has lack of leadership, but in real terms, somebody really needs to X, someone has got to X, to quote a ship Hellism.

This is recorded, but I'm going to punch down on my own people a little bit, including myself here. Traditional cybersecurity experts don't know how to communicate risk at all. I'm going to say that again. Traditional cybersecurity experts, enterprise cybersecurity experts, doesn't matter what environment they come from, don't know how to communicate risk. And what I mean by that is, the problems that we've just discussed are a safety problem, like capital-S safety, right? And they fund those things. They will upgrade a refinery, they will upgrade a food... like a sugar processing or boiler operation for sugar refinement, or they'll upgrade a ship, no problem. We upgrade ships all the time, because the safety environmental management system on board, the safety management system, says, "Oh, you've got an issue here," and Wärtsilä is quick to give a quote back to the Navy, right, or what have you. We have not figured out as an industry, and again this is kind of an industrial control systems and OT-focused thing, but it's like the nexus between physical process safety and just safety in general, and how these systems that are digitally enabled help provide and support those functions to make the mission happen... we don't know how to communicate that. And there's not models for it. Like, bowtie models are really great for it, but we don't really use those in the U.S. very much, which is strange to me. But everywhere else, when you go to the EU, they communicate cyber risk in the form of a bowtie model all the time. But we haven't figured it out yet, and until we figure that out, the budget challenges that we've just talked about won't be solved, because we can't translate cyber risk into operational risk yet. I mean, we can in some situations, but few and far between. So that's a huge, huge challenge in my mind.

So some of the self-improvement gurus will say that a good way to reframe things when you say "I don't have enough time to do something" is to say instead "that's not a priority for me," right? So when you say, like, I don't have time to eat right, I don't have time to exercise, I don't have time to be healthy, instead say it's not a priority to me to be healthy. So I would say that from an industry perspective we have a similar paradigm. Every time someone says "I don't have enough money for cybersecurity," in fact what they're saying is cybersecurity is not a priority. And once we face that, once we take a good hard look at that, things will hopefully improve. And then the second half of that, going back to the people, is the, you know, the elephant in the room that OT is not IT, and that you can't send somebody to, you know, Microsoft training for your industrial control system unless it happens to be, you know, a Microsoft product. And when you hire a CIO you're generally hiring an IT person who looks at things with keyboards and screens, and that circuit board that controls a pressure relief valve on a gas main is really not in their wheelhouse. And we have to change that. If you look online for, you know, vendor training for OT, there's like three orders of magnitude more stuff for your standard desktop computer than there is for an industrial control system. And as much as I might be upset if my home computer crashed, I'd be a lot more upset if the power company crashed and I didn't have power to anything in my house. So I think that, as an industry, both public sector and private sector, we need to increase capacity and training for the OT side.

One of the challenges is definitely resources. And I think that one of the ways that the government has succeeded recently, between the Coast Guard and CISA, is I see a lot of value add to the private sector. And, you know, I know CISA offers free scans, offers free... you know, the Coast Guard has cyber protection teams that go out and do free assessments to critical ports and waterways. And I think that one of the big challenges is getting people to do cybersecurity the right way. And we see examples every day of people doing cybersecurity dumb, right? And, you know, an example is some of these Port Security Grant Program things that come along. And the Atlantic Council actually did a nice paper talking about how the Coast Guard could be inserted into that process. You know, I've heard of port grants being approved for ports going out and buying a SIEM. It's like, okay, great, so you bought a SIEM. Who's going to operate the SIEM? Okay, you bought Tanium. Really? What are you going to do? Okay, you have two people on your IT staff. "Yeah, we're going to learn Tanium and we're going to figure it out, and then we're going to learn Splunk and we're going to deploy it." That's not a smart use of resources. So how can we work together to share resources, to share knowledge, to figure out how to do joint SOCs? You know, security operations, they're expensive. I own one. I own a security operations center in Huntsville. They're expensive, they're hard to set up, and even if you do it full time it's a challenge. A port just doesn't have the resources, or shouldn't have the resources, necessarily, most of them, unless they're the giant ones, to stand up all those resources on their own. I think one of the challenges is figuring out how to break down those barriers between governmental organizations and between private and public, and using those funds, instead of just saying, "Yeah, here's $40,000 for this, here's $40,000 for this, here's $120,000 for this thing," hey, here's a million dollars and we're going to service everybody. And so I think that getting people to break down those fiefdoms, and again that's a leadership problem, it's not a technical problem, it's a leadership problem of people giving up their control over their fiefdoms, and that is an extraordinarily difficult challenge to face. If you've never been slow-rolled by somebody on your IT staff, then you've never known. But if you think of that at the component level, it's even more difficult. But I think that that's one of the biggest challenges: using the right resources in the right way and breaking down those barriers.

I want to be respectful of people's time, because I want to give you an opportunity to ask questions at any level that you want to ask. And so I just wanted to do a little bit more prodding. So say something nice. What is working? What is actually working, or what has promise that you think is working?

Two years ago we did a pretty comprehensive, or actually it's been almost three years ago now, we did a pretty comprehensive study for one of the DHS Centers of Excellence, the Stevens Institute, on the maritime industry as a whole. And we went back and reassessed, like, some change we wanted to see. Owner-operator... we commonly refer to ports as a whole as owner-operators. And it's like, okay, if you go to the Port of Savannah, I mean, we surveyed them in 2018, here's the results that they had based on C2M2, which is a maturity model for cybersecurity. We're like, you know, stack up against this, and it's pretty lightweight. And so we had those results and we went back, and one of the things they couldn't answer back then was who do you call when you have a cyber incident? Like, who do you call? And they would say, "Oh, InfraGard." And it's like, okay, that's an option. Yeah, call the FBI, that one works. Or they would say, "Well, I'm supposed to call CISA, but I actually call provider X," whoever their security provider is, who hopefully knows where they're supposed to report up to. In some cases they would say, "I'm going to call DOE," like for oil and gas, because of CISA, right. And so CISA has done a great job. CIRCIA, the new infrastructure reporting act, that's, I think, still in notice of proposed rulemaking status, right, I think, don't hold me on that, but it is kind of reestablishing themselves as the critical focal point for all cyber reporting for incidents. And so that's huge, because it helps streamline the process, because oftentimes what happens in an incident is, when you have multiple federal stakeholders involved, they all end up in a, like, Spider-Man exercise of pointing at each other, like, "Here's how we're going to transfer the risk." And so it's like, if you cut the systems back on and it's still broken, it's your fault and you have to fix it, or it's your fault and you have to fix it. And so, yeah, I think CISA has done a really good job trying to centralize the reporting effort, and we've seen that in policy and in, you know, legislation as a response to some of the executive orders that have come out and the national security memorandums and things like that. So pat on the back for CISA.
So I think one of the biggest things I saw out of the Coast Guard is that they've resourced maritime transportation security specialists, cyber, at each of the 36, I think it is now, sectors and each district and each area. And so there are cybersecurity specialists now in each of those areas. And each of those sectors has an Area Maritime Security Committee, and I'm on the cyber sub-working group at the St. Petersburg one in Florida. And there is a very, very strong Coast Guard and CISA presence, very strong, very respected. They bring a lot to the table. Industry is responding. All the ports come to the meetings. They're always informative. And I think that in many cases, you know, you have the high-level policy, but then you have that organic, you know, local, because you're always going to have the good old boys, that kind of thing. But I've seen a lot of really positives out of the sectors where they have a strong Area Maritime Security Committee with CISA and Coast Guard leadership and presence being involved, doing exercises. When you do those exercises, you start to figure out in a hurry who you're supposed to call, who's responsible for what. And so I think that where the Coast Guard and CISA have done particularly well is by investing in those positions at those sectors to actually embed and work with industry in those areas.

So on the public sector side, I'm actually really encouraged, and downright proud, of the latest workforce documents that have come out, where we're establishing real work roles and training qualification standards, and it's not just, like, the IT person, you know, where people actually have to professionalize what they're doing. And I'm hoping that leads to a greater lash-up with that IT versus OT problem.
On the public sector side, I'm encouraged by the greater emphasis on HBOM and SBOM, and the default result of that will be to put a greater emphasis on components made by adversaries not getting into our critical infrastructure, or at least being aware of them, you know. I look today and, you know, I think that anybody who's working on critical infrastructure should have to watch the pilot episode of the Battlestar Galactica reboot. Like, did you learn nothing? You know, you should be able to run these things disconnected if you have to, because Cylons. So those are the things that I'm encouraged by.

That took a turn. All right, so that's great. So I wanted to give the audience an opportunity to step forward and ask any questions, whether down in the weeds or higher up. And so I'm just going to sort of stand by. We do have microphones, or you can just yell. Go ahead.

Hey, my name is Don Moss. I'm a former Air Force, now Space Force, defensive cyber ops. Shout out, yeah. In my experience, some of our organizational leaders don't see cybersecurity... they see it more as a checkbox, you know, just to take, and they don't really prioritize the robustness or the performance of their cybersecurity posture. So do you think, or in your experience, do you share the same sentiment? And then is there ways around the policy, or can we rewrite the policy so that they care about the performance of their cybersecurity or cyber posture?
I'll take first crack at that. So, only speaking for the Department of the Navy, we've very declaratively started a shift from a culture of compliance to a culture of readiness. Having a three-year ATO that was not accurate the day it was signed, because, you know, each individual piece of paper was a snapshot in time, is not protecting our stuff. And saying, okay, now I've got an ATO, bags down, feet up, I'll wait three years before I do it again, that's not working for anybody. So there's a greater emphasis on true risk management. And I'm not going to blow smoke here and tell you, yeah, we got this solved, man, we're all over it. But we've kind of done the Babe Ruth, you know, we're pointing at where we're going to hit the ball, and we've acknowledged that that culture of compliance is not serving us and needs to change.

Performance-based standards is all the rage right now. If you look at CISA's Cyber Performance Goals, right, the CPGs that just came out, there's more iterations coming for the sector-specific goals, which are a subset of the Cyber Performance Goals; they're all performance-based. The TSA security directive for pipelines, the first time it went out, the TSA administrator was at a talk earlier this morning, he was like, it was terrible; we did a 180 and the second one was performance-based. And so there's two federal organizations that are really hot and heavy on the performance-based standards now. And so I think, to your point, yes, performance-based standards as a policy will help you get to security better than it will to compliance. And, you know, if I had my druthers, I would like to burn RMF to the ground, but the reality is we can't do that. It's the nature of the beast in a lot of situations, and so, you know, adapt and overcome.

Yeah, so we talked a little bit about, you know, what happens when the next Colonial Pipeline happens on a port, right? And so that sort of leads me to think, like, well, I guess to solicit your insight into whether or not a policy
or set of policies that outline the sort of requisite conditions for a vulnerability found within vulnerability research programs to be disclosed to the vendor rather than kept for the next Stuxnet, right? It occurs to me that transparency there might be helpful to the greater community, and it feels as though, it makes me a little nervous to say, oh well, let's just trust you all to sort of decide when something should be patched and when something should be, you know, weaponized for the next "I'm here from the government and I'm here to help." No vulnerability disclosure. Where are you guys on this one?

Well, I mean, that perspective first. Okay, Josh? No comment. All yours, buddy.

Yeah, so I was in that boat. Again, like, I used to be the dude that was doing that; feds call it capability development in a lot of situations. And so I was in that position, and I think we need to do a better job of establishing who you can go to. It came up again this morning, like I just talked about, the TSA administrator's talk. Someone asked the same question in that talk, and he was like, call the FBI. And I was like, I don't know, I wouldn't call the FBI. The FBI doesn't know what to do with cyber charges. Like, I'm going to catch a charge if I call the FBI and disclose the vulnerability. They don't know what I'm doing or who I work for, you know? Like, that's kind of out of scope, right? And who do you know? So it's like, I think we need to be... there are people within the federal community who are responsible for liaising those things. I think we need to have more resources available for people to understand who they need to contact in that space. I don't think that we do that very well at all, coming from being in your shoes, right? I had a program that I communicated through, and there were people designated to help me with that specific slice I was working on, right, in reporting that and getting it out and disclosing it. It's one of the big reasons that big providers in the OT space like Dragos don't do attribution, because
they want to be able to put everything out, right? They want to anonymize things, suit my things, right? So yeah, that's a really good one that needs more work. So thank you.

Yeah, I want to just follow up on that. You don't stand as a whole time, but a bit the... there's walking around on the floor here a goon named Silas Cutler who has long made an argument for what we call a single front door for vulnerability reporting, whether that's the Department of Defense or if that's the federal government. I think frankly the federal government's the right answer. There is no single front door for us, for vulnerability disclosure, for threats, in the United States in particular. There is a patchwork of networks of friendlies, back-office phone calls, and so one shop will receive a report and they'll call somebody they know from another office because it's not my slice. And so there is this conversation that has slowed over time but probably needs to be picked up again. So yeah, Silas Cutler is the person to talk to about that, but yeah, thanks for bringing that up.

You all have identified that there's a general lack of concern at the executive level for most of the organizations you've supported. This being a policy-based talk, and knowing that industry doesn't tend to do something out of pure goodwill, is there any stick or carrot approach that is taken, particularly in the, you know, ABS view of the world? Like, we're not going to get a vessel certification if you don't do cyber, right? Or...

Yeah, I'll step in front of that one. It's going to go down to insurance carriers, right? Because so insurance carriers tend to worry about exposure to data breach, not in general liability of people and personnel. Insurance carriers, I submit, are concerned with anything that they could end up paying out on. Sure. So there is a tie to the insurance. I go back to my colleague's point of that, as a professional cadre, cyber security professionals are not good at expressing risk. So coming from the merchant marine arena,
one of the questions on the Coast Guard exam is, you know, in, like, two-and-a-half-inch white letters on a red handle in the lifeboat, what does it actually say on the handle? Sure. Now I could say "danger, lever releases the hooks," "danger, lever does any number of things." What it actually says is "danger, lever drops boat," right? Now, mechanically, it's releasing the things that are holding the boat in, and apparently it used to say, you know, hey, if you pull this handle these hooks will let go. People go, okay, why do I care? Because the boat will fall, and you were in the boat if you're holding on to the handle, because there's no other way to move the handle unless you're in the boat, and you're only supposed to do that when you're in the water. I submit we as a cyber security cadre need to be better at explaining "lever drops boat" as opposed to cyber security risk, murmur, ransomware, murmur, and, you know, people go, yeah, okay, whatever. We need to be better, as my colleague said, at articulating risk.

So I give this my very individual perspective, unaffiliated. I would say that we also need to figure out incentives in addition to the stick. And, you know, we've been talking about DFARS and CMMC, for those who are familiar with DoD contracting and DoD rules. So that came out in 2013, that folks are supposed to be doing that, and here we are ten years later. We put a man on the moon in that time in the 60s, but we haven't gotten DFARS and CMMC across the line. So you could fix a lot of those problems tomorrow by just saying, okay, look, any contract that has controlled unclassified information in it, 20 percent or 15 percent of the weighted evaluation criteria for winning the contract will be cyber security: what is your cyber security stance and what is your cyber security posture? That will then incentivize people to actually go out and do cyber security instead of going, all right, what box do I need to check? They would then be incentivized to invest, because right now
the probability of win is unimpacted by cyber security. It's a cost, it's a cost center that you get no investment out of towards your probability of winning a contract or your bottom line. So I would submit that figuring out ways to incent, in addition to policies, is a way to do it. And I think that we haven't been able to crack that, not as effectively as we'd like to.

We've got five minutes left, and so unless you're burning, we want to get the stone... Yeah.

Good afternoon. I had a real quick question about that specific, a cyber policy, because you were talking about earlier about how there's only a pseudo-policy for vessels, and technically, because of SMS and all those things, there's no actual policy. And you were talking about how we can't let the fact that there's no perfect solution for that stop us from getting to good enough. So I just wanted to ask, in terms of cyber policy for vessels, in terms of kind of like preventing cyber incidents, what does good enough for that actually look like?

Yeah, there's, and it actually was what I would answer the gentleman's question before you as well with, which is the International Association of Classification Societies, which is a really long thing, just developed these unified requirements. ABS, my parent company, American Bureau of Shipping, is a classification society; so is DNV, so is Lloyd's Register, German Lloyds, amongst others. And so the International Association of Class puts rules in that we have to follow as class societies. That's what allows us to maintain our nonprofit status, not-for-profit status, as a class society. They just did cyber this year for new ships. Well, they've been working on it since 2018, but new ships that have a request for, essentially the date for the ship to be built, we call it an RFC, after January 1, 2024, have to abide by roughly 70% more controls. And some of them are really technical. They want you to do monitoring on board ships; for hardening of material, it isn't as an option. Not that you have to do
monitoring, but it's the easiest path of resistance if you want to comply with it in some cases. And so how do we do that? What do we work on? Well, the standards-based performance for IACS is based in ISA/IEC 62443, not NIST. And that's a big deal. Like, from a practitioner's perspective, I can find you a bunch of people that can do this date 153; I can find you a lot less people that can do an ISA/IEC 62443 attestation. So that's a big leap that I'm really excited for. You know, it's going to be part of class, so it's a requirement. You can't get a vessel certified after this year without it, so if it started construction on that day.

Two minutes.

Hey all, thank you for joining today. One question on my side. Obviously a lot of challenges in terms of the public-private collaboration on the US side, but inherently the maritime transportation sector is very international in the way that it operates and functions. I would love to hear from folks a little bit about how kind of collaboration, harmonization can look across the international spectrum, and potentially some challenges and opportunities in that space.

Big question. Not a two-minute question. Yeah, so unfortunately the biggest thing I see there is challenge. I really like to be a glass-half-full kind of guy, but in this particular case I'm thirsty, and there's not a lot there. Because the reality is we're in international competition, not just with adversaries and competitors but with our own allies, in a free market too, of who can do it cheaper. And, you know, more security does not equal cheaper; that equation generally doesn't balance. So the more we increase regulation, we have to be mindful, in terms of US federal regulation, that it has to apply on every ship that calls on the United States, not just US shipping, or we're going to hurt ourselves. And, you know, the US merchant fleet is already at a kind of historic low point of capacity. We need to be mindful while we try to increase
security that we don't make that worse.

Just from a sort of guns-and-bombs perspective, the pace and the kinds of technologies, the pace at which we purchase them and the kinds of things we're trying to do, means we're outrunning most of our partners and allies in the process. And so this doesn't look good. It's not looking good for harmonization, in part because of the way in which, at least from the military perspective, the United States thinks about technology and its role in conflict. It's always the biggest, the fastest, the furthest shooting, which means we're outrunning all of our allies, who can barely afford those kinds of things. And so harmonization, I think from a military perspective, is quite far off. Sorry. Say something. Yeah, way to end on a high note, pal.

So with that, I want to ask the audience to be very kind and give my colleagues a round of applause. We all leave through the same door, so please pull us aside and ask more specific questions if you'd like to. We're very excited to engage. Thank you.