 Today we've brought together three wonderful people who I'm so excited to have sharing the same stage because it's been a Pleasure and an honor to get to know each of them individually through my various travels through the cyber security world We've got Molly Souter who is a research affiliate at the Berkman Center for Internet and Society Harvard Law School as well as a doctoral student at McGill And also an affiliate researcher at the Center for Civic Media at the Media Lab at MIT Her research is broadly focused on Hacker culture digital activism and depictions of technology in the media And she's the author of the coming swarm Which is a great analysis of the history and development of active of activists distributed denial service actions We've then got Lieutenant General Edward Cardone who's commanding general of US Army cyber command He served his nation for over three decades since his commissioning as an engineer officer from West Point 1982 and part of what he brings to this role is an incredibly diverse set of experiences Multiple tours in places like Iraq and Bosnia as well as time on the strategy side in the Pentagon As well as in the schoolhouse, which is I think we first connected it out at Fort Leavenworth And now in his role as commanding general leading all Army cyber resources and personnel And then finally we've got Nate Fick CEO at Endgame Nate was a graduate of Dartmouth who then joined the Marine Corps and infantry officer Served in Afghanistan and Iraq and experience that he captured in the powerful book one bullet away He received his MBA in Master in Public Policy at Harvard and then made the mistake of Joining my field as a profession Joining a think tank becoming the CEO of Center for New American Security and three years ago He saw the light and left the think tank field And became CEO of Endgame, which is a cyber security solutions provider So I'm gonna ping them with questions for the first half and then move on to open up to you And the first question is I really want to hit we've got up here folks with expertise and the hacktivist community the military as well as the business world maybe first frame for us the culture How do you how would you just find and describe the human culture within each of these sectors and how it connects to The sense of finding the personnel finding the people Molly, why don't you go first? Well more so than I think in the national defense sector or in the private defense sector Hacktivism when we talk about it is mostly a suite of tools and tactics that can be picked up and used by really anybody So when we talk about who are the hacktivists who are sitting on the behind the keyboard sort of on the ground you can really be talking about Virtually anyone of any sort of political slant of any sort of national or regional identity of origin but I think for the most part we're talking about people who are operating in either loosely organized small groups when you're talking about hacktivists who are developing and deploying tools or Very large more culturally oriented groups when you're talking about Less technically challenging more disruptive types of activism But we're still talking about primarily people in the West primarily people who use English as a Sort of language of currency between them that at least that's the type of people that we would deal with most sort of For our national interests and on our shores Different countries have their own different profiles for hacktivists and they tend to stay mostly involved with their own national politics So it's difficult given given illustration of how that differs across countries in So much as any hacktivist population will differ Depending on the national origin each region and each nation will have their own set of priorities that different hacktivists are concerned with And so different hacktivist populations can vary greatly between nations I'm an hacktivist profile in the Middle East will be different than an hacktivist profile in China For instance and will be different than an hacktivist profile in Ferguson, Missouri general So people are the name of the game here for us without questions So if you look at cyber cyber grew really out of two communities across the services It grew out of either the intelligence service or out of the communication services But what's become increasingly clear if you believe cyber is a domain and there was a panel on that earlier is That you need a full combined what we'd say a combined arms approach you need all of the disciplines organized in this space So that's my first point the second point is there's no way to know all the technology And so you have to have this incredible passion to learn and to Have a passion I describe it as to win either win like I can absolutely solve this problem We're going to throw ourselves against it until we do or I'm absolutely not going to let this happen And we're going to make sure it doesn't The next piece is the ability to be a team player and I normally define this as no one knows all code No one knows all hardware and so rarely do you see it be solely one person But it's your ability to interact as part of a team and then my boss at my Rogers was up here earlier And there's a character piece of this and the character piece of this is We allow you to do a lot of very interesting things But you must operate inside of the legal framework and we have to know that you'll do that when no one's looking So Nate you've in many ways traveled between Worlds we could say how do you both describe what you see as the corporate culture when it comes to cyber security But maybe also how you see it differing from say when you were on the public policy side or Serving in the Marine Corps sure I would just say being here today. I'm glad I'm not on the public policy side anymore because you guys are formidable competitor This is a great event Peter My observation fundamentally would be that the security community really is a community to a greater extent than most industries and Yeah, the competition on the business side is cutthroat and intense, but there's an enormous amount of collaboration And sharing on the technical side and the threat intelligence side so you have this this interesting juxtaposition of kind of hard fought competition with Genuine spirited collaboration and you need to find the right balance if you're going to recruit and retain the right people We try to infuse our values into everything we do and they can't just be something you paint on the wall They have to be something you live in an organization And trust that over time that's going to infuse the DNA of a team in a way That's going to allow you to continue recruiting and then retaining the right people because I think any of us Recognize in human organizations the DNA self replicates if you get it right it replicates the right way and it gets better And if you get it wrong it replicates the wrong way and it gets worse. So for us those values are very straightforward It's integrity boldness speed openness and responsibility and And try to push those values into everything you do and every decision you make So that people in the organization can make decisions on their own without guidance and as long as they're acting in accordance with The values they're probably going to be right More concretely though in terms of thinking about talent and the culture of talent in this space I guess I think of it in terms of what do people? Want that is why do people join a team and what do people hate? Why do people quit a team and try to maximize what they want minimize what they hate and What people want there's there's I mean a fair amount of data on this people want three things They want mastery. They want the ability to develop a skill and exercise it. They want autonomy They don't want to be screwed with and everything they're doing and they want purpose They want to know that what they're doing matters. So if you can maximize Nastery autonomy and purpose while minimizing the things people don't want And I think there are at least two of them People don't want to feel disconnected from the mission of the place Everybody has to understand why they wake up in the morning and come in and pour their life force into what it is They're doing so you need to connect them with the overall mission at an individual level And people want to work with and for good people. So people quit because they don't like their boss I mean that's sort of a fundamental truth in a lot of organizations So again back to DNA get the DNA right make sure you have it self-replicating the right way And and it goes a long way in terms of contrast I would just say the big difference in in the corporate world relative to I think the military and public policy Although we all deal with this to some extent is it's just such a mobile workforce if the you know The average job tenure of a baby boomer was about 10 years the average tenure of a gen X or my generation is about 4-5 and the average tenure for a millennial which is most of our employees is to So it's a highly mobile workforce So we were talking earlier about your day-to-day Running your company and you said a huge amount of your day is spent on Recruiting because you're in essence you're hiring a person Is it one one a week or one a day about one a week one a week? So walk us through the recruiting process that is How you find the talent and how do you draw them in yeah I'm gonna ask the same question in essence of each of you sort of in the different parts of the ecosystem that you're within So I mean a nice thing is the the world's our oyster right there. No you can sort of go anywhere Within within reason and I guess they're basically three steps first is you got to find the role that you're looking to fill Because you know, I've certainly learned by heart experience just hiring great people and throwing them into the mix and trusting them to figure it out Isn't always a recipe for success. So figure out what the problem is you're trying to solve and then you know, I believe very strongly in in In the sort of wisdom of crowds in in in hiring I don't think that individuals make better hiring decisions than small groups. So We try to get a small group of people together Cross-functional different levels of seniority in the company Essentially a 360 degree interview And then the third piece of it is a piece that is too often forgotten. It's the onboarding You can spend a lot of money and go to a lot of expense and time and energy in recruiting But if you mess up the person's first day first couple of weeks first 90 days Then it was all for not so you've got to be just as rigorous. I think in me on boarding as you are in the actual recruiting General you your organization the essence has gone from zero to I think you know a year ago We met and it's two functional units to now 35 25 The recruiting the the pipeline of how do you how are you drawing people in? How is that? Yeah, so It's just a couple ways. So first the one thing that the army has done recently They've created a branch so much like we have infantry and armor and fill the chili now We have a cyber branch. So for the officer side We have Roughly 300 spaces if I have my number right there We had over 1,100 applicants for the first 30% that we were onboarding and so there's tremendous interest Which gives us a lot of why do you think there's that interest? I think there's a lot of interest in cyber and I think there's a lot of people that have degrees in the force or See the feature here in this We and this is coming from across all of those other 17 branches. So you want to push you on that way the future of it This is the future of war This is the future of my profession This is the future for me when I exit the force and get a great paying job I actually think there's components of all three planning those I think there's some that actually see this as It's a different way of looking at operations and they want to be in the forefront of this You know some describe it, you know as the start of the airplane, right? There's others of course that are looking this will make me more more competitive We can normally find them fairly easily, but I think a lot of them are excited about the future mission Now for the soldiers. Oh, and so and this also goes to the academy so we've got 15 cadets from West Point being directly commissioned in the cyber and 15 from the reserve officer training corps, but the demand is huge We could take a lot more free head spaces for them for the soldiers specifically For the high-end operators they have a six-year enlistment to show you the interest in this you must have a really high what we Technical score first and then we'll give you another test to see if you have a propensity for this space because you don't have to have a hard degree in this and For the army we filled 75% of our positions in the first quarter So the rate no incentives no waivers It's just straight and I think that's because They see this as an again a huge opportunity and then finally it's the civilians and So 30% of the force will be civilians and this is much more challenging But I think what you're going to see the army develop Within the next year will be its own cyber career field for civilians because we have to have a way to Manage the talent and work the leader development in this space and what will be the key elements of it having a career field I mean, there's a lot of folks in this room who don't come from the military DOD background What is distinct about it being a career field? You mean for the civilians? Yeah Well, let me kind of go at this a different way So here's here's a challenge in the way the government's organized, right? But you cannot be working at the NSA and come work the farming cyber Because those personnel systems don't interact if Nate wanted to come work for army cyber for a year There's no way for me to really do it. We're not set up that way the whole system is not set up that way Yet you could see that if you get the right civilians the first one I think we need we need a better government private partnership in this space I think we could absolutely get people from private industry into army cyber for two years And then they want to go back out. They don't want to stay in there forever but for those two years they can make a real difference and What they're doing and so right now because when you come in you're hired against a very specific position With a very specific well-defined route and that's not really what we need in the space I can't tell you what that's gonna look like five years from now so in many ways the question for The activism part of the ecosystem is not as you know process oriented. It's possibly not as top down When a network forms when the network of what is the spark that allows it to form and then What allows people to go out and recruit others to join in when it becomes more directed as opposed to just a spark So this is actually one of the key questions in social movement studies in general is what causes Movements to form and be successful where there has been a long-standing grievance and one Current example of this is the Ferguson protests. There have been there's been an anti-police brutality movement in this country for decades for Nearly all of the last century There's been a nascent movement and the question is what is it about the Ferguson moment that coalesce that movement into a strong powerful vocal and influential movement and This is why social movements that exist because we don't have necessarily an answer to that online You sort of have a similar thing as you have long-standing cultural level grievances where people are coming together in these online communities and talking about These problems and questions that they have and then there's always an inciting event Something happens a law is passed or a law is not passed Someone is arrested Someone dies someone is convicted of a crime and that's when you get this spark and things start to congeal very rapidly So one example of that was the sopa peeper protests We had been so the activist community has been pushing Activism against so peeper for as long as they had been aware of it And it wasn't until the corporation stepped in and you had you know Wikipedia and Google and Facebook step in and say we're willing to take apart in this protest that it sort of made the jump from Just something people who cared about the internet talked about to something that everybody was talking about do you see This same obviously it differs by topic But is there often a core group that sort of moves over from topic to topic another way of asking this is And I'll ping back to you all is is there even though it seems to be a Network that's self-selecting. Is there actually a hierarchy that plays out or at least of critical nodes or people who go out and recruit We need this particular kind of talent for this particular operation. Oh This was someone I linked back with on Ferguson. Let's bring them into this. Yeah There are always core organizers and often different actions and movements will share those Organizers because people who are excited about being civically involved tend to be excited about being civically involved in a lot of things And so it's not it's it's not quite so mercenary is that you're not necessarily just saying like we'll pull you from movement to movement But people are organically moving from action to action movement to movement because they genuinely care about all of these issues and similarly to on the street activism you have an an Organizing core of people who have the experience who have the knowledge who have the energy and willingness to Put a huge parts of their lives on hold while they engage in necessary political organizing and activism And it's often and that's a very small core and are we seeing an evolution in the type of organization that is What's working well in one situation versus another? Oh that the particular way we organized around this topic Didn't succeed. So let's jettison that or do we see a legacy effect in many ways? It's a different way of asking do we see Bureaucracy within what seemingly a flat space. Yes, there's always bureaucracy in these types of organizations You often can't see it often the media isn't super interested in covering sort of the gears of organization It's much more exciting to have Pictures of street protests and marches and things being on fire that it is to actually talk to the people who are behind the Organizations and similarly to online actions It's much more exciting to talk about a d-dust sometimes than it is to talk about how these organizations Function at a basic level and so we often what we think of as grass roots Organizations and aggressively horizontal organizations have leadership structures just like any other organization that we would think of so general It's been said of the current space of warfare that it's highly networked and then as General Stama crystal described it takes a network to defeat a network Except there's no more Hierarchical organization than the military How are you approaching this blend of? Organizing something new but also in essence You're stuck with old legacies and structures that you're not going to be able to come out when you're building these units What's new? What's different and what's what what are you bringing in from before? So I think I think we have an advantage here from the wars and rock in Afghanistan because a lot of those structures got broken down Because you had to operate flat you had to create a network to fight a network now It doesn't mean we don't have hierarchies, but the formal and informal structures that develop from the wars and You know those things like the Baghdad fusion cells some of these kind of innovations that just flattened everything and it was more Unity of effort not even unity of command to accomplish specific missions. I see that as a characteristic in this space Had discussions recently with the senior leadership on maybe maybe the word command in the space is not right maybe it's the way that we Organize against very specific missions and that is your leadership Opportunities and then what are the skills and attributes that we need to be able to do that and that includes not just what's in the Military, but how do you bring in other governmental agencies and in some cases the private industry side? And so I think that that we're going to have to have a network to work against this because I don't think one person will be able to Have the wherewithal to even You might get it on the right azimuth, but going to each plan a bit of crowdsourcing on this, you know But how do you do that with? How do you deal with factors like unit cohesion if the networks constantly forming deforming? How do you carry through tradition? So you know as an example you have cyber army cyber man, but you also have second army which dates back How do you how do you balance so we're I'd say I'm still wrestling We are still wrestling as a command with how to do this because the traditional structure that they live in is not the way They're working So the structure they live in their teams are actually the their teams are the real structure that they work in day-to-day But those are not the companies betines and brigades that they live in so we're already Dealing with this and who does what really is what this comes down to and how do you make it in a way that? maybe maybe those traditional structures aren't right and In a way, you know, we're looking maybe this whole thing needs to be managed differently Maybe it's maybe it's more like a special operations Approach where there you have small teams and you keep together as teams and you call them teams and you keep this teams That's not the traditional way though army organizers, but We're only four and a half years old and we know just got at the point where obviously Exponential growth over the last several months. So we're still working our way through on that. I do know though that The importance of mission That you working on Understanding that how important that is the people you're around the technologies you get to work with that is a really compelling factor That helps us in the military. So Nate on the business side How does the cyber security business organize and how might it be different than a business in the technology? Sector in general and then outside that sector So I can really only speak for us But the the the big division really is between product companies and services companies And we are a product company. We're building software products overwhelmingly relatively small part of our businesses services and on the Product business side if you let's let's carve all the normal business functions out for a minute that everybody's familiar with Kind of finance and BD and all these things and talk only about the technology I think you can you can sort of break it into quarters the first half would be between the Between the people who are building the products and the people who are building the fuel for the products are mixing the fuel For the products and then you can break each of those in half again. So you have on the product side The back-end developers who are essentially figuring out, okay, how do we how do we ingest the data? How do we store it? How do we correlate it? How do we search it in the front-end developers who are thinking about how do we visualize it? How do we build an intuitive interface for real human beings? I mean something that's plagued I think the security community is you've needed for too long a Carnegie Mellon PhD to figure out how these things work I mean, it's crazy and we're all talking about this talent shortage all the time. Well, there are two ways to deal with that Right on you can hit it on the supply side of the demand side Yes, we need to invest in STEM education. Yes We need to increase the number of people with basic fluency in this field But I think at the same time we can also make the tools easier to use and thereby expand the base of people who can use them effectively so Front-end and back-end developers on the software side and then on the on the fuel side. That's really the data side data scientists who are by-and-large mathematicians who are writing algorithms and And then the threat intel and Kind of adversary research security researcher types who have a deep understanding of the adversary and together they're Essentially mixing the fuel that powers the products And and I think that that basic division is probably common across most Security product companies so I'm going to ask each of you to Peer a little bit into the future. So what does your part of the cyber security field look like? Ten years from now. So Molly if we're looking at the realm of hack-a-bism What does it look like in the future? How will it be the same or different from where we are right now? Well, I think there are three major Pathways that hack-a-bism is going to be evolving in in the future. One of them is information exfiltration. So we're going to see more Classified and otherwise secret information being extracted out of secret systems and published for wider use and analysis general. Sorry The second is alternative infrastructure construction We're going right now. We are subject to massive network effects that keep us locked into systems like Google and Facebook and these Exploitative corporate and or government systems that are open to surveillance that in many cases allow and encourage Surveillance for various reasons. And so I think one thing we're going to be seeing is the construction of alternative Activist oriented network systems and programs that people can move into where they have more control over their data and more control over Their privacy and their own safety and then I think we're going to see more disruptive activism We're going to be see more things like distributed denial of service actions We're going to see more things where people are engaging with systems in an effort to disrupt the functioning of that system in order to Divert conversations or cause conversations that aren't happening to be occurring and Will there be you started off by saying it had been mostly not completely mostly a Western field Obviously that describes the internet itself What happens as and you're not in your head so it seems will also see hack-a-bism go more and more global How does that change it other than just being more global in its scope? Well, you're gonna see I think you're gonna see more people in different countries and in different cultures picking up sort of the Bucket of hacktivist tools and then deploying them for their own political and social gains And this could be something like the Arab Spring v2.0 where we see a much more technologically based Tool of revolution being used and deployed or it could be something like a group like Isis using more and more Internet and online and technologically based tools for their ends. These are just tactics and strategies. They're not necessarily They don't come with built-in ethics. They don't come with a built-in morality. They can be picked up and used by anybody So while we see these tools getting distributed, they're going to be used by various actors for various aims And I'm not sure I'm not sure we can predict what those are at this point So general, what is the what is the command? What is your role look like in this future? so You know, I think we're in the middle of the information technology revolution So I'm even hesitant to say what this will look like three years from now But let me just offer a few options. I think based on What is going on today a Territorian authoritarian regimes are going to lock down their populations even tighter than ever Because they're going to be able to use these tools and bend it against their own populations. I believe that and I think the democratic Institutions will pursue this and it's going to become a very interesting struggle. That's one piece Ten years from now. I think we're going to have challenges from machine on machine in autonomous systems operating in this space And what that means? I can't really tell you but I know it's going to be a factor because that work is already ongoing The third thing is is I think as the Often we talk a lot about cyber. We don't talk about the data And in a way that data is more important than the actual cyber and what what I mean by this is When you talk about the extraction of secret, I don't I think there's a greater challenge Which is the correlation of open data using algorithms kind of So I the example I use is if you read like Manage's report on advanced precision threat and you look at that That's a very sophisticated document that would have been an intelligence document 10 years ago today It's open source published for everybody to use. I think that's going to challenge this and finally I think for the operators themselves I see much more of a gamer mentality being used here and what do I mean by that? I think the tools are being simplified the tool vulnerabilities are rapidly being reverse engineered now and attacks Weapons on the internet and so what I'm starting to see is you have the offense and defense It's really who can get the tool fastest to play it, you know And so this is going to look more like a operations in game than actual tool developers, etc That's going to challenge us when we start operating at those kind of speeds And how about for someone who'll be sitting in your job? What what will be different for them than what you face now? And what might be different training that they bring to bear than you brought to the job? Well, I think That's a really good question. I I think you have to be very operationally focused, but I think you're going to have to have a degree of curiosity and The ability to follow leading trends Both in intelligence and not and being able to try and position the force in a way that you're not too far behind or Hopefully ahead of where it's going Generally we would say we would grow that up in the operations world, you know multiple problems and so You know you and I talked earlier about a enters game type model You know, maybe maybe we might have to start looking at something like that in cyber where you're just constantly working in the space But not so much that you become narrow But in a way it can we broaden you out so that as you look at problems You avoid strategic surprise which forms, you know dysfunctionality and paralysis at the worst that you can Operate the speed that I think we're going to have to operate So Nate other than highly profitable, what does the business look like? I'll see but you that assumption is so problematic Everybody I talked to says to me essentially so how can you possibly screw this business up, right? There are lots of ways but I'd put my money on a few trends First of all, just I think we should recognize and look in the space I operate at the intersection of venture capital technology and security. It's a highly abnormal labor market It's a really bizarre market. It is it is so male. It is so white. It is it is not a diverse talent pool That I think contributes to suboptimal performance I think that needs to change and I think it will change over over the decade to come So the the talent pool and the people side of things need to change On the product side, I think there's going to be consolidation There it's such a highly fragmented field right now You know you talked to Fortune 100 companies that have in some cases literally hundreds of security products deployed Like that's just crazy I think Bruce Schneier said earlier that complexity is the enemy of security. So This is a space that is characterized by features masquerading as products products masquerading as companies and companies masquerading as businesses and and they're going to they're going to come together And they need to come together It's a space bizarrely that only has a very small handful of big public companies, you know that too is weird So I think there's there's going to be consolidation I think you're also going to you know also at the same time see, you know a larger number of big players And then on the market side I think the market's going to expand almost indefinitely the like the great lesson and we heard this on the stage earlier today The great lesson of the dev ops revolution in the last decade is Don't write any software don't write and maintain any software yourself that you can just Outsource so everybody's sending stuff to the cloud as they should putting the security responsibility on the vendor And what that means is to some extent every company is a technology company every company every private law firm and dental practice and and Everything you know home depot doesn't just sell hammers like every company is a technology company So the market is going to get bigger and bigger and bigger And at the same time there's this convergence happening between the federal and commercial spaces and in my view because the threat landscapes have almost Totally converged. We're dealing with the same threats The old days of states attacking states and companies spying on companies like that's very quaint and that's not today We're all dealing with essentially the same the same threat actors and the architectures have converged So when the intelligence community signs a six hundred million dollar deal with Amazon web services All of a sudden we you know, we really do see most enterprises have similar architecture Challenges and so the check that the architectures converge the threats converge. So I think the solutions converge and You know, those are all trends that that you know, I've been on well now we're going to open it up to you in the audience again wait for the mic to come and Identify yourself and right back there Peter Dixon second-front systems In World War one when the French Mobilized they did so so quickly that their industry had trouble because so many of the key players had actually Gone to the front and they had to go and find those guys and then send them back to get industry restarted to support the war effort So three-part question for for each of you Given the premise that there is a Catastrophic cyber attack on the US which is not a one-off, but is the opening salvo in a sustained fight General, how do you mobilize the experts in sort of a similar type of Engagement effort to pull those people in to defend the nation Molly, how do you leverage the activist groups that previously didn't see government service Sort of in their future, but now that the nation's been attacked are looking to rally to the flag and Nate, how do you make sure that given how interwoven the private and the public sector are? That similar to the French you're not cutting too deep into the folks who are holding up the private sector as you also now try To defend the nation itself so I think I thought a lot about this What would this really look like and I think the first thing is it's not solely going to be a doD problem DoD is going to provide its component But you're gonna have Homeland Security FBI clearly and private industry because it's truly that big there's no way the Department of Defense is going to be able To do this without having some sort of an interrelationship with government and private The only way that we have right now to organize inside this is You know we have the reserve component the army and all those services have a reserve and some have a National Guard I think that has to be leveraged as well, but to think that The Department of Defense is going to be able to provide everything to work across an entire sector of Critical infrastructure without taking into account the tremendous experts already working in that critical infrastructure Who know their networks better than we do anyways we come in we always have a start point and I Where you have to get familiar with the network to begin with so I think in the Eventually where we're gonna have to get to is a much closer relationship between government and private for these True World War one type of that Civilian activist populations go where their passions are that's what makes them different than employees or members of the armed services So if there was a situation of the type that you describe of I would like to argue with you about that hypothetical, but I won't If there's space for them, they'll be there if there's something for them to do they'll be there This may be a situation where something needs to be developed for non professional individuals That's more reminiscent of victory gardens than anything else Right now there isn't a space for a lot of activists in a lot of Modern civic life. That's not inherently confrontational. We have things like like civic hack days, but those aren't really well understood They're not very well deployed and they're not terribly effective. So Space needs to be made on the part of the state Incorporations that is non-threatening non exploitative and worthy of people's time I'm gonna ping in a question for both of you on this because there's been recent discussion of a Essentially online community hacktivism targeting ISIS social media and You know, so we are it we will have a debate as to whether we are physically at war But we're definitely carrying out conventional military operations. We have concern about them recruiting I'm sure it's something you deal with general So what's your take on this is an illustration of that? It's not the full-out grand scale war But it's definitely playing a role in the battle space and the question back to you general is what's your take on when you see? hacktivism operating against one of your foes It's an interesting step in sort of the informational warfare. That's always been present this is sort of another an interestingly civilian moderated form of counter-propaganda and Sort of emotional and affective Fighting in that way. I'm interested to see where it develops. I don't know a whole lot about it right now But it's certainly very fascinating So what separates this from the earlier conversation is this is overseas right and so that we did the rules are a lot different now we have and We have x-words we have policy of framework by which we conduct these operations so to me the challenge here is so here you have a Hacktivist community that's not connected in a way to what we're trying to overall do and this goes to the constructs How do we stitch this together? How do we create that space? That doesn't exist right now and This might be a good discussion for me to have internally with the with the team, but it is I Think it's something we have to account for especially for something. That's really large like this I think It's not solely a government problem. I mean they're recruiting our young men and women off the streets And and you heard the other part about the when I was with secretary Johnson to say the lone wolf problem And these are being created so the this problem is here now We're just not sure we have the right frameworks for this kind of it for this type of information Confrontation that we're seeing now so Nate all out war Good or bad for business. Oh man. I mean look terrible, right terrible like it's Easy easy easy to say that bad headlines are good for these businesses, but at the end of the day I mean, we're all you know citizens first so That that's not a not a good outcome I think that I wish that I would under that scenario as a citizen Wish that I would have a hard time hanging on to my people because they'd all be fleeing to work for General Cardone, but for the reason that you described earlier. It's very hard for him to take them so I think you know it would be a question of how do you support in place and That in my view kind of comes back to the whole point of Security community being a community and the importance of sharing information and intelligence. I think that And we've seen this repeatedly at you know sort of smaller scale, but you know an immediate willingness a bias to share a bias to engage a bias to Collaborate not sit around and say I wish we could help, but there's no contract vehicle in place So I know that the bias is always to engage in the biases to share are you a supporter of the so we have our model of National Guard and reserves and then both of you have identified sort of a gap between Do you have an alternative model that Estonia has of their? cyber defense league that Allows it fills that space in the middle. It's almost like a militia or civil air patrol Now some business doesn't like that because it actually becomes more directly competitive With contracts just coming from the communal side. What's your take on these alternative models? Yeah I'm not a not a big military personnel expert, but but having lived it for a few years as junior officer I can tell you that after a couple of combat tours. I was eager to go to grad school and try to understand You know it had a from a broader perspective what this was that I've been a part of early on in Afghanistan and Iraq and that Opportunity didn't exist for me in the Marines. And so you know ultimately for a whole bunch of reasons I decided that it was time for me to get out and go to something else I think the military and by extension the nation would be Well-served to have a much more flexible career path kind of across the board We should have opportunities for we the military should have opportunities for sabbaticals more creative on ramps and off ramps exchanges with industry Of the the sort that the general mentioned I think there are a lot of things we could do to modernize that whole system and result in Increased ability to marshal all of our national power. Yeah, let's take another question right over here. Let's get a mic to them Yeah, hi So my name is Morgan I'm the director of security at first look media and you brought up an interesting point which was About the security community So when I I wonder where where we can find the next generation of cyber warriors I actually think about the community acting as a community And about a blog post that was written a while back By Jeff Moss who's the founder of Defconn and black hat the u.s. Is most well-known Security industry conferences and the title of that blog post was feds. We need some time apart and it was sort of about the actions of sort of u.s. Cyber Command and the NSA towards u.s. citizens and so I guess what I wanted to ask is Do you not feel that there's actually been this sort of reputational impact with Security industry is probably less eager to work together with government and military than they were in the wake of 9-11 So the whole Rallying behind the flag is actually significantly less likely to happen today than it would have been 10 years ago Any takers on that? Well, I'll I'll echo Admiral Rogers coming this clearly a trust issue right, but at the same time in So I'll use it like this on the 10th of September when I was working in the Pentagon that the world was one way and the next day it was another way and The way that people thought about things was dramatically different and so I think it depends on the situation one But to me out we shouldn't have to wait for some big coalescent event. I think we need to sort out how we create us a Security fabric cyber security fabric and I like to use that word You know between government Private that that's gonna work And I don't think we'll always agree, but we could at least have a framework by which if something happened We're not starting from scratch You know, so the 10 days after 9-11 to me when you go back and look at those days they were quite fascinating to me because there's a lot of talk about how do we stitch this together and And I don't think we can afford to wait that long I think here we should think about how exactly would we You know, what what's how do you on ramp an activist community? How do we do that? And I was just when you said that I was thinking okay, this is a fusion cell concept Okay, here's the problem everybody that wants anything to help in any way come here, right? So it's a voluntary. It's not we direct you to come here These sort of things I think have to be looked at Let's do another question from anyone in the back. They're actually right right over here Hi, Sean Ling is with Federal Computer Week General Cardone Can you talk a little bit about the cyber protection teams that Army CIO Ferrell has recently Tasked I think you to set up What are your goals for those? When will they be accomplished and can you also in your answer? Hopefully mention the challenge the specific challenge to army on cyber as opposed to other services. Yeah So I'll start with your last question first the problem with the army is Maybe two-fold one and and I think the Marines have the same issue. Although they're smaller One is the army's the one service has not yet fully collapsed all of its networks as opposed to the other services At the same time the army is a distributed organization. So it's always going to have a wide Diverse network and so that that's that piece so the So we're standing up Army Cyber Command is standing up these teams They There's a model by which we're all growing them all the services are growing in the same as we're working our way through how we're using them You know, we've identified for example, we have to out of these teams. We're using them in ways. We hadn't really thought of I think that's a good thing right now, but We are still I'd say in the exploratory stage before we start changing them. Maybe we shouldn't change too quick yet because Most of my teams are less than a year old And so what we've done is when we run against specific problems We just organize internally create a little task force and then use that task force to accomplish them There's not a feel constrained by an organizational Construct we have a mission that we organize accordingly to accomplish that There's going to be 20 plus for active and then there'll be 21 in the garden reserve as well And the first one for the Army National Guard is already on active duty And we're learning a lot about how to do that as well I Just want to say that all the people on these teams are going to be trained to a common standard So the teams from the Marines Navy Air Force Army will all be interchangeable Which I think is really really important So roughly half the teams that are being built are in this vein and I think it's really really important Some say you know we need to do a lot more work on the defense and this is a manifestation of Organization and resources to go against that Okay, let's get another question right over here Hi, my question is about the government's relationship with open source I was as learning the code. I found that the open source community was very very helpful in teaching me skills Understanding how to code in a way that's readable and such but is that I mean is that a community that can be tapped into? I know that Goldman Sachs for instance They had a huge problem with Sergey Lenikov who is using open source coding to help him create algorithms and models for there are high frequency trading and then Got arrested by the FBI for supposedly stealing secrets that he didn't actually steal so if there isn't a relationship that the government can have with like that open source community is there a public-private partnership with a company like Mr. Fix that could You know bridge that gap. So let's frame it this way How would you describe each part of the ecosystem's relationship an attitude towards open source? and more broadly Self-training how is that viewed? So, you know, let's walk through each of the parts of the system All for it This is it's an activist development system essentially sort of no matter which way you slice it whether you're doing it in Companies it's still a way to make that information open and accessible to people outside or whether you're doing it sort of within within the activist population itself And as a result that makes it very threatening to most businesses to I think many sectors of the government And I think it's an uphill battle to get those sectors of our society to accept it, which makes me sad General open source this year army research lab put a whole code set I can't remember the name out for open source development. So I think we're starting to look at this It's not like it was before now what that looks like down the road I can't tell you but right now. I think we're starting to look at open source is another option It's essential we but it's a two-way street. We consume from it and we contribute to it And I wouldn't be able to recruit and retain the kind of people I need to if we didn't Let's get a question from someone in the back Yeah, right there. Hi, I'm with Stanford University cyber initiative I was wondering what you all identify as the gaps in the education profiles of the talent pools that you each see Oh, are there gaps in education? That's an interesting question because the population pool is so diverse But what I would say is there's universally a gap in support coming in coming into the activist sector There's a huge problem and there has been a huge problem in sort of activist populations where there's an expectation that you will sacrifice huge parts of your life in order to engage in this type of political activism and That leads to burnout and that leads to people fleeing the sector and giving up and Going and hiding in the mountains and not dealing with this anymore because it depresses them And that's really sad and so while I wouldn't say there's an education gap I will say that there is an outside support gap and there needs to be a broader understanding within what the activist community at large and within broader society that people who engage in this type of Civil service and this type of civil activism are doing it at great cost to themselves And that shouldn't actually be part of the life cycle of activists one of the things you bring to this is a multidisciplinary approach Do you see that as? Rare in this space or not? I don't think it's necessarily rare. I think it's rarer in academia It's rare for academics to be approaching this type of research from a multidisciplinary angle And I sort of stumbled into that because comms departments is where they put the internet these days No matter what you're doing and so But the activists themselves tend to be very multidisciplinary disciplinary they come from all over They come from all sorts of disciplines and educational and personal backgrounds and that's to the benefit of the work that they're doing So I won't call them unmet needs, but two of the less met needs from my perspective are Technology leaders, so they're great technologists. They're great business leaders There's an insatiable demand for technology leaders and translators people who can translate Between the technical community and the non-technical community between public policy and business To the public is at large. I would identify technology leaders and translators as two places that maybe university initiatives can contribute hugely We've been thinking about this a lot because we consume so what what disciplines need to be brought in and More and more we're thinking you need a basic degree so you understand how things work We can teach you the skills how to put stuff on top of it so in other words Computer science degrees a little bit better than I'm a master in Python because Python might not be what we're using three four years But if you understand how computers work You understand how the code in so this is what we're not I don't want to think we've figured this out So we're trying to figure out what is what are the disciplines that we have to be in and I'll take your point This is multi-discipline. I mean we made now we're talking earlier. You have operators You have to have analysts we now we have this whole data component how we What are the basic disciplines for each one of those and then how do we get the people that can put it all together and Then there's an innovative portion of this and there's ones that operated at scale So I want more work to be done here So I want to end by asking each of you a question more about yourself than the field How do you train yourself what sources of information do you turn to to stay on top of your particular Sectors each of you are up here on stage have given us great comments Experts lead organizations give us insight into how you prep yourself in that role And I'll we'll just go in order again. So this is an awkward career time to ask that question because I'm reading for my comprehensive exams right now So I'm prepping by going back Rather far back into the history of disruptive Activism in the history of both the act the actions and movements, but also the theory because I there's this debate in Social movement theory and social movement studies about whether we need a whole new theory of activism to deal with the internet or whether we can adapt addition Theories that already exist and clearly I'm falling more on the let's look back at what we've already discovered And what we've already talked about and see how that can be applied to what's going on on the internet And I think we it's really helpful to go back to even movements as far back as you know Machine-breaking in England in the 16 and 1500s to look at how people dealt with technology then technology that was coming into their lives and Causing problems for them and for their families and how that theory can be taken to how people are dealing with Disruptive technology in the present day how Disruptive activism sort of talks backwards through time and also forwards through time So Peter maybe For ideas one is I think you have to carve time out each day for some sort of self-study to try and stay current and It's fairly diverse and what that means depending on what I'm having to work on Second is you know relationship for how much of that is open source in the other meaning versus Pulled within the network class because I do this in my own time. I tend to do that at my house, right? Which means it's not classified so I Get enough of that at work. I have a sense where that's moving But I would say the relationships with industry other government agencies and academia are really important to try and stay current you know, so Basing some of the larger companies having wide-ranging discussions always creates a lot of ideas actually the challenge is to implement the ideas You get lots of ideas, but you have to neck it down into what you can actually deliver But I think this in a way trying to create a fabric Right that generates a sense of cost constant learning, but not learning just for me It's learning for the organization, right? It's connecting the organization to all of that Well, both you Peter and Molly are represented on my bookshelf. So that's that's a start I Spent a lot of time talking to our customers And you know, it's a luxury to be able to walk in and say you know in the context of doing business Tell me about your problems. Tell me what's going on that you see and I don't And then I get to do the same thing with our team So having daily access to dozens and dozens of technologies So if I walk up and say please get me smart on x they'll actually do it sometimes is Is a is a huge, you know again luxury, right? Well, please join me in thanking a three great panelists for