Now, our last panel before the break described lawyers as unsung heroes. So while we're printing the t-shirts, hats, and other merchandise with that slogan, we are fortunate to have a panel full of experienced, terrific attorneys to help us navigate the topic of harmonizing the regulatory efforts in cyber. There is a lot going on in this regulatory landscape, including the SEC's cyber disclosure rule, attempts to regulate critical infrastructure, a new executive order on AI, and a new executive order on preventing access to Americans' bulk sensitive personal data. To that end, I have the distinct pleasure of introducing our moderator, Mr. Alan Raul. Mr. Raul is a senior counsel at Sidley Austin and the founder of Sidley Austin's Privacy and Cybersecurity Practice. Alan also served in government as the vice chairman of the White House, and now the independent, Privacy and Civil Liberties Oversight Board. He was the general counsel of the Office of Management and Budget, the general counsel of the U.S. Department of Agriculture, and associate counsel to the president. Alan, over to you.
Thanks very much for the introduction and for the opportunity to be with you all today. It sounds like you've had a great conference so far, and I want one of those unsung hero t-shirts for sure, so if that comes to pass. So I'm going to be the moderator and also the kind of voice or perspective from the private sector. So I understand that means that I'm kind of moderator plus or minus, depending on how you think it goes. So my first privilege is going to be to introduce our esteemed government panelists. Then I'll make some introductory comments that will be, you can take them as the perspective perhaps from corporate America, since those are the clients that I typically represent, and they often ask the same questions that all of you are. What about these conflicting, duplicative, redundant, time-consuming and burdensome requirements and reporting obligations?
But first, introductions. So Spencer Fisher, to my immediate right, is the Chief Counsel for the Department of Homeland Security Cybersecurity and Infrastructure Security Agency, affectionately known as CISA. We'll come back to acronyms later, all of you have lots of experience with acronyms, but we have a challenging one we're going to discuss later. Prior to joining CISA, Mr. Fisher, Spencer, served as Chief Counsel with the Office of the Director of National Intelligence, ODNI. In 2019 to 2020, he was on a joint duty assignment as Deputy Legal Advisor at the National Security Council, where he provided legal counsel on national security and foreign relations issues related to cybersecurity and other issues. I also would like to note that Spencer served in the United States Marine Corps Reserve for over 22 years, and is currently a Chief Warrant Officer 4. He's going to explain that to me later, but he is assigned to the Marine Innovation Unit in New York. Mr. Fisher received his law degree from Georgetown University Law Center. Mike Buckwald from the Department of Justice National Security Division is at the end there, and he raised his hand to identify himself. He focuses on cybersecurity and other law and technology policy issues. He represents the Department in policy meetings with the White House National Security Council and a variety of other interagency and external meetings, including with the aforementioned private sector. Previously, Mike served as Counsel and Deputy Staff Director for the Oversight and Policy Issues on the U.S. Senate Select Committee on Intelligence. Sissy, I think, is the pronunciation of that acronym. He earned his law degree from the University of Virginia and his BA from Yale. So with that, I'll just give you a little bit of a perspective from the private sector.
And we're very excited by an initiative from the White House, the Office of the National Cyber Director, ONCD, which put out a request for information focused on harmonizing cybersecurity requirements. And as of now, the request for information is still pending. The deadline was extended till October of last year. No report issued yet. Maybe some news will be broken today. But in any event, no, nothing public. But the RFI, the request for information from the ONCD, is about harmonizing cybersecurity regulations, and I want to distinguish that from cybersecurity reporting of incidents or events or data breaches. So there's reporting, and there's requirements. The White House ONCD effort initiative is focused on the substantive requirements or regulations that would apply to cybersecurity. But it's worth focusing, for the purposes of this panel, on the fact that the RFI from the White House talks about harmonizing not only regulations and rules, but also assessments and audits of regulated entities. And the RFI expresses what the benefits and purposes of harmonization are. It's to avoid inconsistent, contradictory, duplicative regulations, which lead to a greater focus on compliance than security. So greater harmonization can, at least in theory, potentially lead to greater security at lower cost, rather than distraction with trying to achieve the same cybersecurity objectives with overlapping, redundant, and sometimes rules that require deconfliction. Some of the questions that were posed by the White House to the private sector are to provide examples of these conflicting requirements, of course, information on how entities in the private sector, for example, use third-party cybersecurity frameworks like the NIST, National Institute for Standards and Technology, Cybersecurity Framework. I believe we'll probably hear a little bit more about that later. So a couple of quick perspectives.
I think we're seeing a shift towards greater regulation, a mandatory regulation of cybersecurity as opposed to the heretofore prevailing view that cybersecurity regulation, at least in the private sector, should be more in the nature of voluntary, more cooperative, collaborative. Definitely a shift. Shift towards greater accountability, maybe even liability. I hope we'll hear a little bit more about that later on software vulnerabilities. And there was a rather scathing report issued in the last week or so from the Cybersecurity Review Board that's part of the Department of Homeland Security, where CISA is located, on software vulnerabilities and insecurities that was really addressing Microsoft in particular. Also a shift towards cybersecurity events and incidents as opposed to data breaches that focus primarily on personal information. So a shift towards cybersecurity for IT systems, edge devices like virtual private networks, critical infrastructure, of course, operational technology, and internet-connected devices, Internet of Things, IoT. So again, looking at it from the private sector, what I see as conflicts and opportunities for beneficial harmonization, for example, comparing the Federal Trade Commission, which is an enforcement agency that sues my clients, from the Federal Bureau of Investigation and the Department of Justice, which treats my clients like victims, the victims that they are, the victims of cybersecurity criminals or state-sponsored activities.
We see conflicts between the Securities and Exchange Commission, for example, and the Department of Justice or FBI regarding the public notification of cybersecurity incidents under a very strict timeframe at the same time that maybe CISA, the FBI, international counterparts, are working with a company to fix, patch, remediate, or in any event deal with an incident in a framework of responsible disclosure as opposed to, let's say, breakneck disclosure to the public because of the SEC's imperative to provide information to investors. We see different conflicts as approaches to cyber disclosures from the banking agencies, for example, versus the Securities and Exchange Commission again. Also, US, Europe, EU, GDPR, the General Data Protection Regulation, very focused on privacy breaches, as you might imagine. So with that perspective, let me turn to Spencer Fisher from CISA, and maybe you could start out just explaining CISA's overall responsibility, who your counterparts are, that some in the audience will be most interested in at the Department of Defense and elsewhere.
OK, well, thank you for that, Alan. I really appreciate it, and I appreciate the introduction. Also, just wanted to say thank you to the folks at Cyber Command for having me here today to speak about CISA and our mission. I have tuned into this many times virtually, but have never actually been here in person, so I'm happy to be here. And I know that the way it works virtually, so I will try to grab your attention because I know that people that are tuning in virtually are simultaneously multitasking, doing many other things, possibly still eating lunch. You will listen to me. So CISA's cybersecurity mission really falls into general categories. So one is the protection of the federal civilian executive branch network. Two, assisting non-federal entities, especially those involved in critical infrastructure, protect their networks. So at a very high level, that is our mission in this space.
On the FCEB. So the FCEB, which is the acronym for Federal Civilian Executive Branch, if you're not tracking that acronym, I'm happy to add a new one to your toolkit. That derives from FISMA, so Federal Information Security Modernization Act of 2014. Under FISMA, agency heads are responsible for the protection of their own networks, but the Secretary of DHS is responsible for administering implementation of agency information security policies and practices. FISMA specifically excludes national security systems, so Alan, you mentioned folks that we work with, so under the DHS Secretary's responsibilities, NSS is excluded, and those are systems which involve intelligence activities or military capabilities, so kind of like the world I came from before going to CISA. FISMA provides that the DNI, the Director of National Intelligence, and the Secretary of Defense have authority equivalent to CISA for NSS. So that's the basic breakdown between the FCEB and then the subcomponent of the NSS. So FISMA additionally provides CISA with the authority to issue binding operational directives and emergency directives, folks in the room and virtually may have seen those, that are binding on FCEB agencies. And DOD has a similar process that they've established under a national security memorandum. So how that works, so CISA and DOD in consultation with OMB established procedures for DOD and CISA to immediately share with each other incident response orders or emergency directives or binding operational directives, EDs and BODs, applying to their respective information networks. So I know we're here to talk about information sharing, we're here to talk about harmonization, so that's one example of how things are harmonized in fact, so that information automatically is shared.
The receiving agency is then required to evaluate whether to adopt any of the guidance contained in that order, directive issued by the other department, consistent with regulations concerning the sharing of classified information. And we've worked, so we, CISA, have worked collaboratively to develop these procedures and regularly engage in this process with departments that work to carry out their respective missions to protect the FCEB and Department of Defense networks. So I can go in further in the detail about the defense industrial base and some of those issues if you'd like, or we can stop there and move to different questions.
And again, we're gonna leave time for questions from the audience, so if you do wanna talk about some of these topics in greater detail or topics that we've tried to avoid and therefore you wanna elicit from us through a hostile question from the audience, so we'll try to ignore you as well. Maybe we'll consider responding. Thanks for that, Spencer. Turning to the substantive frameworks where some of the requirements, be they mandatory or perhaps suggested, but there are various legislative and risk management frameworks for cybersecurity. Can you describe please, Spencer, the frameworks that you think are worth discussing and what you see as the issues where the opportunity for harmonization might be beneficial and where there are challenges on the substantive side?
Yeah, and let me just say at the outset that in today's world of interconnectedness, the importance of harmonizing regulatory cybersecurity efforts can't be overstated. But I do wanna keep in mind the definition of harmony. Harmony means to me like an orchestra, right? So you've got, there's folks that play the tuba, there's folks that play the oboe, there's folks that play other musical stuff. I don't know these things. Director Easterly plays the guitar, but I don't personally have any musical talent. That doesn't mean everyone's playing the same instrument, right?
It means that they're playing different instruments that work together, right? So I think that's an important thing to keep in mind because I do feel like some of the discussion about harmonization seems to imply that we as agencies of the U.S. government should all be doing the exact same thing, but we all have different authorities and frameworks. So I'll speak to you a little bit about some of those frameworks. And no doubt that we should both formally and informally coordinate. I've been part of, and I know Alan, you've been part of formal coordination networks that happen at the National Security Council and that happen at the Office of Management and Budget. There's a lot of informal coordination that happens among agencies as well, and that's equally, if not more important sometimes. But in overall comment, I'll drill down a little bit on cyber risk management. So at a general level, risk management framework allows organizations to assess the risk to their IT systems and then allows organizations to apply controls, safeguards, and achieve a level of protection that organizations believe is commensurate with the risk level. So there are provisions of FISMA, the NIST, as Alan mentioned at the outset, Cybersecurity Framework, CPGs, so this is cyber performance goals. But these, and going back to my harmony point, these frameworks are designed for different audiences and different risk tolerances. So these should be thought of as a continuum of approaches where FISMA contemplates specific controls and safeguards in response to levels of data and system sensitivity, the CSS, CSF, I'm sorry, emphasizes risk profiles and allows implementing organizations latitude to apply their own controls. And the CPGs focus on implementing a set of controls and safeguards that address a baseline level of risk and they're voluntary, right?
So all of these things working together, again, going back to the harmonization point, we've got different instruments that are playing different tunes, but they are working together in a continuum. I can go into more detail if you'd like about the OMB and FISMA, the NIST Cybersecurity Framework, CPGs, but I'll leave it there for now.
Okay, maybe we can come back to the detail as the audience may be interested. But I really do want to emphasize the point for our audience here, that while there's a lot of commonality, there's no shortage of the different substantive standards that Spencer was referring to. There are lots of great requirements out there, but while harmonization would seem to be kind of a no-brainer, the fact is very much, as you said, that the different agencies have different missions, in addition to different sensitivities and risk tolerances, but literally different missions. And because of that, while there's this perception that because technology is kind of a general subject and cybersecurity is relevant to all technology, that cybersecurity can be readily harmonized and all of the differences can be suppressed or submerged, but I don't know that we're ever going to get there, but maybe we can try to before the end of our panel today. Mike, let me turn over to you. Would you describe please, at the Department of Justice, what are the roles on cyber for the National Security Division and your other counterpart units or agencies within the Department of Justice?
Yeah, thanks, Alan, and thanks for the introduction and the invitation from Cyber Command to come down and speak. I, too, have dialed in in years past virtually and was watching yesterday, so thanks to the organizers for planning such a great conference.
At the National Security Division, we're focused on what I call the big four cyber actors, and it's mostly the nation-state malicious cyber actors that you're all familiar with, Russia, China, North Korea, Iran, and then there's also some cyber activity from terrorist groups that our prosecutors go after. And the Criminal Division is separately focused on cyber criminal actors around the world and have brought those cases for decades now. National Security Division is newer and recently we stood up a National Security Cyber section that puts all those prosecutors together in one place to focus on those nation-state actors. So with the Criminal Division and the National Security Division, we follow up on FBI investigations, but also the particular focus these days is on disrupting cyber activity before it occurs because we have a focus on victims in the United States and protecting those victims before their businesses are hit with ransomware, before critical infrastructure is taken down, et cetera. So that's our focus. I work in a policy office that's focused a lot on these regulatory issues, and Alan mentioned the SEC new cyber incident reporting rule, for example, and he referred to the fact that there's a specific national security and public safety delay that allows businesses to come to DOJ and ask for time before they have to disclose these incidents publicly to their investors. The idea there is to make sure that systems can be as secure as possible before the bad guys know about these disclosures as well, whether their malicious activity has been successful or whether they can perhaps take a vulnerability that's disclosed publicly and that they didn't know about and use it to their advantage. So we're really focused on investigations, prosecution, but also disruptions these days in partnership with you all at Cyber Command and other departments and agencies and getting the word out through with our CISA partners to the private sector. 
I also wanna put a plug in though for the Civil Division at DOJ which has an initiative called the Cyber Civil Fraud Initiative. And it's relatively new, it was announced during this administration by the deputy attorney general to focus on those companies that contract with the government when they do not adhere to the cybersecurity obligations and they develop things such as insecure websites and other products that the government is spending a lot of money on, as you know. And so they should be held accountable if they are putting insecure products out into the marketplace. So I made a note to talk about some specific examples, I'll limit it to one, but this one struck me as a particularly good example, which was a company called Jelly Bean Communications Design. They were contracted with the state of Florida because Florida receives federal health insurance money and they were supposed to develop a website called healthykids.org and they failed to secure personal information on this website and it had to be shut down. So DOJ reached a settlement in March of 2023 with the company, they admitted that they've failed to properly maintain, patch and update software systems. And so that's an example of where DOJ doesn't get into the regulatory world that we're talking about on this panel but there is an enforcement mechanism that we're using more and more to try to maintain those minimum cybersecurity standards and make sure that companies live up to any contractual obligations.
From the standpoint of the private sector and companies that do business as contractors with the federal government, the possibility of being investigated for a contractual violation that could be considered a matter of defrauding the government is really kind of the in terrorem effect of possible liability either civil, there's criminal dimension to False Claims Act and but the current initiative I believe is a civil cyber fraud.
But there are potential criminal penalties and the possibility that failing to provide to the government that contract the cybersecurity commitments that are promised in accordance with the contract would be just a hellacious risk. That's the legal term for a company and would be taken really. It is a way to boost compliance. I'll certainly add that. I'm gonna adopt that in my lexicon. Clients, you are taking a hellacious risk. Hellacious risk, absolutely.
Let me turn back to you, if I may then, Spencer. One of the most intractable and difficult harmonization problems that we're gonna solve in a minute here, there's a statute that was enacted by Congress in 2022, the Cyber Incident Reporting for Critical Infrastructure Act, C-I-R-C-I-A. Spencer, firstly, can you tell us as part of explaining what your harmonization mandate is and what the DHS report is all about regarding that, how do you pronounce the acronym?
Good question, very good question. My folks are working on a memo on this, but we are hard on the Circea pronunciation. You will hear a Circea, I've heard Circea, we're very...
And the director would pronounce it how, Mr. Fisher?
I'm not gonna speak for the director, I will only say that she disagrees with me.
Okay, all right, so already we've had a failure of harmonization, but tell us about the mandate that... that you have under the statute, which you'll pronounce Circea, it's correctly pronounced Circea, but okay. So tell us about the mandate, the DHS report, and where that all stands.
Sure, so the mandate really, I was thinking about this, I knew that we were gonna talk about it, obviously. I mean, the mandate itself is really Congress intending to reduce duplicate reporting in this space, right? So we have critical infrastructure reporting, the intention by the congressional folks at the time was to reduce duplication, and actually as we get back to the harmonization point, create harmonization with regard to critical infrastructure.
So the enactment of CIRCIA marked an important milestone in improving cybersecurity. It requires CISA to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders and warn potential victims. So to address the potential for duplication from other cyber incident reporting regimes, CIRCIA, you almost got me. CIRCIA established, one thing it established is the CIRC. I don't think there's any dispute about the "Cirque," CIRC, and that is the Cyber Incident Reporting Council. So the CIRC is responsible for coordinating, deconflicting and harmonizing federal incident reporting requirements, including those issued through regulations. CISA actively participated in the CIRC's processes to help identify potential approaches to harmonizing federal cyber incident reporting requirements and supported the identification of best practices that could be considered by CISA and other federal departments and agencies as they develop or update cyber incident reporting regimes. Specifically, you know, CISA participated in various DHS-led working groups, identifying potential recommended practices, and considers the DHS report and its recommendations as we move forward to the extent practicable and consistent with the regulatory authority granted to CISA under CIRCIA. So we're working with the CIRC, also working to implement with our other federal entities. I can speak a bit more about CIRCIA if you'd like in more detail, but I'll do my best. Yeah, I'll do my disclaimer is just that the CIRCIA NPRM, so notice of proposed rulemaking, very recently went out on the street as it were.
So I'm not in a position to answer substantive questions about CIRCIA, but I'm happy to talk at a high level. We do encourage folks that have comments or questions to submit them through appropriate channels, regulations.gov, following the instructions that are laid out in the NPRM. But the most important thing, I think, is that I recommend everyone here read the NPRM. It is weighty. How many pages is it? It is somewhere near 500, but not quite at 500 pages. But I've read it several times, but it's one of those ones. You put it in your hand and you're like, this is like an A, right? A plus, feels like an A. But look, I would commend everyone to read it, because I think that there are many questions, but they are in there. The answers are in there for folks to read, and we, as I mentioned, the comment period is open for comments and questions at this time. So I'll leave it there with CIRCIA, but we can take questions about it later if you'd like.
The, what was I gonna say? So I think we haven't quite got the acronym resolved, but the other report that I would also commend to your attention is the Department of Homeland Security's Harmonization Report. Even if you're not just interested- The CIRCIA Report, did I mention you? Yeah. Even if you're not interested in the harmonization question specifically, the annexes in particular for any cybersecurity practitioner are very useful in providing an inventory or catalog of different cybersecurity statutes and regulations in, I'm not sure how many agencies it is. Yeah, quite a few. Quite a few. And that one's gonna bring you into about 60 pages. So if you're looking for a little lighter- It's a little lighter read, the people. A little weekend reading, the CIRCIA Report. Yeah, our audience that's participating virtually has already started reading the 500 pages of the NPRM in lieu of listening- Let me know when you're done, pencils down. So good job there in turning them on to a really exciting NPRM.
Let me turn back over to Mike. We know that the White House National Cybersecurity Strategy and the Implementation Plan also focuses on harmonization of cybersecurity regulations. We mentioned earlier the ONCD report on harmonization, the RFI, that's pending. What are the interagency processes that the Department of Justice participates in these issues?
Yeah, I went back and looked at where we are in this process. And Alan, that was a great introduction. I think you provided everyone on kind of where we currently are on looking at this challenge of how to harmonize all the regulation out there. And so to remind everyone, there's a Biden administration cybersecurity strategy came out about two years ago, and also there's public and implementation plan. That's version one of the implementation plan. Version two is coming out shortly, I believe, and the Office of National Cyber Director has done great work to put out these documents, keep everyone on track and solicit input on the work that's being done because if you don't make it public, no one knows about it out there. And I think what you saw from Congress with Sir Kea, Sir Sia was really a desire that they knew it would be a game-changing law in terms of requiring more cyber incident reporting. And they wanted to also focus the government on how to put out these regulatory requirements better so that as Alan said early on, the focus is more on securing their systems rather than just complying with the myriad of department agency requirements. So I wanted to get the name of this entity right, so I brought some of my notes with me from the calls that we've been having. The strategy refers to the Cybersecurity Forum for Independent and Executive Branch Regulators. And these are all the regulators, like I think it's chaired by the FCC. SEC has been involved in some past calls because of their recent reporting requirement. But the goal is for this forum, and I call it the forum, because it's a cool name, right?
So the forum gets everyone together and CISA and DOJ are only advisory agencies because we don't have this independent regulatory authority. But the goal is to identify opportunities to harmonize baseline cybersecurity requirements. And in particular, they wanna focus on critical infrastructure. Now, a couple of quick points that I think are important to make because not a lot has been put out publicly about what this group's doing. But in sum, we're trying to harmonize all the regulation out there. And it starts with, one, there's a growing body of regulatory law and process out there, the SEC rule, for example. Two, as Spencer mentioned, there are different missions, different statutory authorities, different cybersecurity regulatory maturity for the different departments and agencies. So the forum is a venue for understanding how to achieve a desired regulatory end without introducing unintended burden to the industry. And I think that's what Congress had in mind when they required the CIRC report that we were referring to. So the forum is focused on how to define these common tenets and make recommendations to achieve the goal of more harmonization. And we're really focused on minimum baseline cybersecurity standards. Folks mentioned the NIST cybersecurity framework. And then Spencer also mentioned the cross-sector cybersecurity performance goals. So in sum, if these different regulators are all speaking the same language as to what they are gonna require from the different sectors and industries, then at least the companies, the lawyers that they hire, like Alan, know how to respond. And there's gonna be a point where maybe they don't have to respond to seven different agencies like send information to FBI, send information to CISA, send information to SEC and make things public. They can use the same body of work that they have after an incident, for example, or about how to secure their systems.
And they can start to push that out to the departments and agencies simultaneously using some of the same terms that the CIRC report talked about a similar form, really. So maybe that's where we end up.
This is in line with the CIRC report recommendations for streamlining, which is to come up with those definitions, establish comparable timelines and then adopt model incident reporting. So all of those things are in line with what the report ended up recommending in that space.
And again, this report is very useful because it doesn't just state the ideal that there should be common lexicon and definitions and that timelines ought to be reconciled and rationalized. It actually recommends what those definitions should be, how notification requirements and reports should be templates. So model definitions, templates, possible timelines. The report acknowledges that some of its recommendations might require legislative action and not just regulatory. Picking up on what Mike said about this forum that you participate in, in my experience at least, it's fairly unusual that you get a body in the executive branch on a regulatory footing that includes the independent agencies like the Federal Trade Commission, the Securities and Exchange Commission, the Consumer Financial Protection Bureau and so on that have authorities that overlap with standard executive branch agencies like the Department of the Treasury, Department of Homeland Security and so on. So getting the independent agencies involved is actually in and of itself a harmonizing achievement because typically they see themselves, they're independent, they're part of the executive branch, Article Two of the Constitution, but in fact they don't view themselves as directly under the supervision of the White House and Office of Management and Budget. So that in and of itself is a positive development.
I'm not gonna go to questions from the audience just yet, but if you have a question, just raise your hand now so I can gauge how many questions there are so we leave enough time. So not that many. Okay. They're still reading the. They're still reading the report. We're gonna come back to us about the questions on the footnotes in the 500-page NPRM. So all right, so we can go a little longer but if you do have questions, feel free to ask them. I only see a couple right now.
Let me add a quick point on what you mentioned about just those independent regulatory bodies getting together as an achievement. That's good to hear because I see it that way and in particular the CIRC report that Spencer mentioned that 33 departments and agencies contributed to that report. So that's an achievement also to have that many departments and agencies come up with some of the recommendations together in a pretty concise report for the subject matter. But I think what's driving a lot of this behind the scenes is that we all know cybersecurity standards are incredibly complex and the overall goal of the government is to get compliance with them and to be able to share information about these incidents. And so we know that it's incredibly difficult for the private sector and certainly at DOJ we think about it in terms of when you're victimized, you don't want to have the next call from the government be 30 different agencies all requiring information from you. That really needs to be the overall goal of making things easier so that information can move quicker back to the government.
Great, thanks Mike. Spencer, let me ask you this and Mike if you'd like to comment on the harmonization front, are there any relevant distinctions that we would have in mind when the threat actor you're trying to protect against is a nation state as opposed to when it's a criminal organization? 
Look, I think in either case, defending the nation against what are evolving cyber threats and attacks is really essential and it's at the core of CISA's mission. We offer advisories, alerts, tools, resources, and all kinds of services and guidance on best practices to help network defenders and critical infrastructure implement preventative measures, manage cyber risks, but the threat is real, right? And I come from a place where I looked at the threat quite a bit and there are nation states and sophisticated cyber actors that are looking to steal information, money and developing capabilities to destroy, disrupt and threaten the delivery of essential services. So defending against that is essential to maintaining the nation's security. It's part of the reason I wanted to work at CISA. And any cyber attack, whether it comes from a nation state or whether it comes from a private actor is a threat to national security and must be identified, managed and shut down. So cyberspace is, as Mike mentioned, particularly difficult to secure and there's an ability for malicious cyber actors to work from throughout the world. There are linkages between cyber systems and physical systems as we know in the water sector and others and the difficulty of reducing vulnerabilities and consequences and implementing safe best practices is paramount, but ultimately the best practices are going to apply to any threat actor of all types. And so while we need to be mindful of the ever-evolving landscape and kind of where these attacks are coming from, the requirements need to be evergreen in that regard and they need to be tailored so that we're mitigating the risk from whatever source.
So Allen, let me make a quick plug here that originally our chief of staff, Brett Freeman, was scheduled to speak and the reason he wasn't able to come down is because negotiations were ongoing with FISA 702. 
So as we talk about the threat from nation state cyber actors, it's readily apparent that FISA 702 is an indispensable tool to develop the intelligence and lead toward the disruptions that we all need to keep our country safe. So I wanted to make sure to put that plug in to both explain why I ended up as your speaker but also on the importance of 702 currently being negotiated.
Well, we're glad you're here but also hoping that 702 will yield ultimately a compromise. It sort of looks like it's heading in that direction. The editorials and all the newspapers today are very possible. We hope so. Hear, hear. Definitely an important legal authority, critical legal authority, honestly. So we have a number of other questions that we can address here but I think what I will do is go to the, I know there's one over here, if there are others we'll take it and then we can go back to our planned questions if there are no others. Go ahead, sir.
Yeah, thank you. First and foremost, Spencer, there are other ways to solve insomnia than reading the 500 page. Am I working for you? Multiple times, multiple times. It must not be working. But so I'm with Boise State University and I'm a 30 year practitioner and one of the things that I would be really interested in understanding would be your perspective within the forum or individually, not necessarily the harmonizing of the regulatory effort from an incident reporting perspective but actually on the front end, the protection, the detection, the monitoring piece. In terms of the impact to, and specifically for this audience because I suspect there are a number of people from procurement here just as well as on a legal side, the impact of the CMMC, the impact to the DIB of the CMMC and other regulatory efforts placed upon industry from other entities. 
Do you see within these conversations the harmonizing of the actual control efforts and the type of, not just the reporting but the actual control efforts so that the impact, especially to the SMB space within the DIB, it's minimized because that seems to be the major challenge that I've seen from my vantage point within the university ecosystem working with the DIB itself.
That's for me? Yeah? Yeah, I mean, so on the FAR piece, and I can't speak as much about the CMMC, familiar but not an expert. And while DHS and CISA are not members of the FAR council, CISA actively participates in the FAR council and provides subject matter expertise. The DFARS contains extensive cybersecurity requirements including the CMMC. And CISA, I can point to a couple things that we've worked on. I mean, we've worked with the FAR council on rulemaking efforts. This came out of the cybersecurity EO 14028 providing initial recommendations for contract language and the comment period for that recently closed. But we did work to get that out there and came up with reporting requirements for contractors on federal systems operated on behalf of the government. Requirements for SBOMs, so software bill of materials and then some very basic cyber hygiene requirements. So we are working in that space and we understand the piece that you're highlighting, the procurement piece and the importance of the FAR and the DFARS. I'd also point to our work with the FAR council on a proposed rule to require software vendors to attest to adherence to NIST software development standards. So you may have seen CISA developed a template form for those vendor attestations and that came out I think about three weeks ago. So CISA is active in this space and we fully understand the importance. Although I would say we're not a primary mover and that there's folks in this room that are probably eminently more familiar with the FAR and the DFARS than I would be or the CMMC.
Okay, this may be the last question, sir. 
Yeah, hi, I'm Rich Geron, the legal counsel for the DoD Cyber Crime Center which executes the mandatory reporting from the defense industrial base since 2016 by contract. The first question I have and really relates to this comment about the complexity of cybersecurity, well to the extent that the government can sort of regulate cybersecurity standards with the critical infrastructure. It seems to me that the logical solution would be to work with the National Institute of Standards and Technology to keep their definitions up to date so that they can be incorporated by reference. I mean it will evolve, I mean even the standards that are being used now are constantly evolving in subsequent issuances. The second question is even if you can get all of the harmonization of the reporting done, you've got a separate problem of sharing information. The information that the DoD gets has been available and is available now through Intel Share to everybody and it can be used for any lawful government purpose but a lot of people just don't know it's there and so you've got to come up with some kind of solution that can sort of push the data to whomever in government needs to have it over.
Great question, quick responses from our two panelists and then I think we're gonna have to call it.
Yeah, I'll just speak to the information sharing piece of your question. Do you say you're from DC3? Yeah, so very advanced SRMA with the DIB and obviously I know you understand the need for a mature approach to cyber security in that space. On the information sharing piece, I would just say that CISA has developed and implemented numerous sharing programs. 
Our automated information sharing comes from our CISA 2015 Act which is voluntary reporting but that information is shared automatically and then we do this with partnerships as well so we have the JCDC, the Joint Cyber Defense Collaborative where we unify cyber defenders to proactively gather, analyze and share actionable cyber risk information and we encourage, and I'm always prompted to do this, encourage folks to work with information sharing processes and form relationships with our folks at CISA and within our regional offices throughout the country but take the point on information sharing, it's near and dear to my heart. I worked on collection retention and dissemination for a very good part of my legal career and I think that it is all vital and has to be done the right way, obviously. That's why we're here. That's why I have a Chief Counsel's office at CISA. That's why, partly why we exist but take the point and I would just say we are working those processes at CISA and fully appreciate the point of your question.
Let me just put in a last plug. I know I've got to turn it over immediately but the Cybersecurity Information Sharing Act of 2015 which is what Spencer's referring to with CISA 2015. Awkward that both the agency and that information sharing statute but those of you who are not familiar with the Information Sharing Act of 2015 should re-familiarize yourself with it. It is a very useful tool for sharing between public and private sector and any agency can avail itself of it and I believe the statute sunsets in 2025. So start working on it. Using it and promoting it. You are correct. I think we better turn it over and thank you, Spencer and Mike.
Allen, Spencer, Mike, thank you so much for having us better understand the cyber regulatory landscape, the challenges we face in harmonizing those efforts and the importance of partnerships to get us closer to harmonization. 
On a less serious note, this panel perfectly demonstrates the necessity of public-private partnership in cataloging and understanding government acronyms and how do we avoid hellacious legal risk. So gentlemen, thank you. You managed to turn a panel on regulation into something both informative and entertaining, A+. So please join me in a round of applause. And we are on break until 2:35 Eastern Standard Time.
The Cyber National Mission Force or CNMF is a joint command available to US Cyber Command to respond to its toughest challenges. 2024 marks the 10-year anniversary of the CNMF. US Cyber Command established CNMF in 2014, recognizing the need for a force agile enough to respond to any crisis at any time composed of highly trained and qualified cyber operators drawn from across the services. Today, the CNMF is composed of 39 joint cyber teams organized across six task forces consisting of soldiers, sailors, airmen, marines, coast guardsmen, guardians, and NSA, Air Force, and DIA civilians. CNMF's mission is to plan, direct, and synchronize full spectrum cyberspace operations to deter, disrupt, and if necessary, defeat adversary cyber and malign influence actors. The CNMF conducts the full spectrum of cyberspace operations consisting of offensive, defensive, and information operations. CNMF supports US Cyber Command and national priorities such as election defense, counter ransomware, global cyber security threat hunt operations, and other operations of national importance. CNMF works closely with other partners in the US government. The CNMF routinely works with the FBI, DHS, NSA, and others to defend the nation. These partnerships are critical for this vital mission to defend the homeland. Each agency possesses differing authorities and capabilities. 
The ability to quickly share information to leverage the proper authorities at the appropriate time secures the nation and keeps our adversaries off guard, engaging them as far forward in cyberspace outside the United States. The CNMF is on the cutting edge of legal operations in the cyber domain. Since its inception, CNMF continues to drive the evolution of cyber operations. There has never been a better time to join the CNMF legal team. The Office of the Staff Judge Advocate, or OSJA, conducts the full range of legal operations primarily focused on operational law. However, the office continues to provide advice across the legal disciplines. Individuals that join the CNMF OSJA must have a strong background in fiscal law, administrative law, international law, military justice, legal assistance, and of course, operational law. The CNMF needs attorneys that are creative enough to link the various authorities together and present creative solutions to our clients. As a plank holder in the CNMF OSJA, you will have an opportunity to advise on unique and novel issues that have a direct impact on national events. There are few other organizations in the government where you will be exposed to the type of issues that we see on a daily basis. If you are a motivated legal professional that can work independently with little guidance, we would love for you to apply to become a member of the Cyber National Mission Force.
Ladies and gentlemen, welcome back. We can't talk about the power of partnerships without involving our international partners. We just had a panel discussion about the efforts within the United States to harmonize the regulatory efforts. So let's hear from some of our international partners about the friction points within their country and hopefully success stories of their partnering efforts both within their country and with other countries. I get to introduce Captain (Promotable) Ray Macias who I work with on a daily basis. 
He serves as a legal advisor in the office of the staff judge advocate with me in the plans, policy, and partnerships law division. So with that Ray, I'll hand it off to you. All right, thank you ma'am. Good afternoon everybody and welcome to our legal conference. It is such an honor and a pleasure to be joined here by this outstanding group of panelists and leaders from across the country who we are privileged to also call our partners. You know, it's a little hard to imagine any single one of us entering into a partnership without knowing some key information about the other party. For example, what's their history? What's their reputation? What are their capabilities? What's their intent? Can we even trust one another? Over the past day and a half, we've learned that so many of the challenges and opportunities that we face in cyberspace can be traced back to some law or policy or the lack thereof on, you know, fill in the blank. While the bulk of our discussion has certainly approached these issues through a US perspective, I assure you that this is not just a US phenomenon. I think I could say with a fair degree of confidence that our international partners are having these exact same conversations back home. And so, as we explore the power of partnerships, I think the question then becomes, how well do we know our international partners' challenges in cyberspace and the domestic legal frameworks from which they're trying to resolve those issues? And perhaps more importantly, what can we as cyber and cybersecurity law attorneys do to help our organizations identify those legal endpoints as we explore international partnerships so that we could be more effective and efficient in achieving our shared goals? Over the next 50 minutes or so, we're going to lean on this amazing group of individuals to help us better develop a common understanding of some of the different legal approaches to navigating our shared challenges in cyberspace. 
And so with no further ado, I'd like to introduce this amazing panel. Right here to my right, we have Ms. Chantel Peterson. Ms. Peterson has served as a national security law and defense advisor for 20 years. She currently serves as the Deputy General Counsel for Intelligence, Legislation, and Policy with the Australian Signals Directorate. In the middle, we have Lieutenant Colonel Nick Wobma, that is a Wobma for those of us who speak American. Colonel Wobma brings over a decade of experience in national security and cyber law. He's a member of the Netherlands Royal Army and currently serves as the Deputy Law Branch Head and Legal Researcher at the NATO Cooperative Defense Center of Excellence. And last but certainly not least, we have on the far right, Ms. Greta Thumperer. She serves as a legal advisor to the Estonian Defense Forces Cyber Command. Her portfolio includes international and domestic cyber law and policy and she previously assisted in drafting the Estonian Cyber Security Act. Ladies and gentlemen, let's give a round of applause to our international partners on stage and to all of our international partners who are able to join us today. All right, so let's get to work. This is an open question for all of our panel members and that question is based on the following. So you all have had a chance to develop a better sense of the complex ecosystem of state and non-state actors involved in U.S. cyber defense. Who are some of the key national players in your countries and in what ways are your national cyber defense legal authorities or frameworks different from ours here in the United States? Ms. Peterson, would you like to take us off?
I might just start with two points. I'm attending the panel in my personal capacity so please don't take what I say as representing either the Australian Signals Directorate or the Australian government. 
The next point is hello to all my Australian colleagues who have told me that they're dialing in on the Eastern Seaboard in Australia. It's about 4 a.m. in the morning. So thank you. So within the Australian ecosystem, the Australian Signals Directorate is responsible for cyber operations and for delivering innovative offensive cyber capabilities. So through Project REDSPICE, which was announced last year, this will triple our offensive cyber capabilities. And this is being used to support Project Aquila where ASD, so Australian Signals Directorate, and the Australian Federal Police conduct cyber operations to combat criminal assault and conduct criminal investigations and work towards prosecution and or disruption of cyber crime activities. So this operation focuses on the highest cyber security threats to Australia, driving both from national threats and internationally. In terms of how the frameworks differ, they definitely do. And so the Australian Signals Directorate operates under its own statute, the Intelligence Services Act, and that sets out our statutory functions which guide what we can and can't do and sets out the powers that underpin it, and the authorities that we need to seek to be able to conduct those activities.
And so Ms. Peterson, is there sort of a constitutional framework that exists to support those authorities or the implementation of those cyber defensive capabilities?
So under the Australian system, you have the Australian Constitution, which has powers that vest in the federal government in relation to defence and national security, and we have a concept of executive power. And it's through the federal parliament that sets the legislation that gives us those powers to conduct the activities.
Thank you very much. Anyone else?
Shall I continue? So, hello everybody. Let me also start with a small disclaimer. I'm here today as representing the law branch of the Cyber Centre of Excellence, NATO CCDCOE. 
I have worked at NATO as a legal adviser and I have worked as a Dutch cyber command legal adviser, but these are experiences in the past, so I'm not current with that, but I will, however, when relevant, tap into my own experience in the past to help paint a picture of the question. So, about that picture. In Holland, the Netherlands, we have a so-called administrative legality principle, so that means in short, and this may sound similar to what you have, but this means in short that every government organ has a legal basis on which to build, a legal basis that tells them why are we here and what are the rules that govern us, this specific agency. So, there are many agencies and they all have their own specific task that is laid down in law, regulations or the Constitution. On the other side is civilians and by extension also private companies, they can do basically anything as long as it's not forbidden by any regulation or law. So, they operate all in a different way and have all their specific tasks and it comes with challenges and opportunities, which we probably talk about later. So, to go further deeper into that landscape who is doing cyberspace operations and then I'll keep it short to the ones that typically would focus outside of their own networks and not on the own networks, that would be, of course, law enforcement who have their own legal basis and legal framework built around suspicion of a crime and have the authorities and mandate to act upon it. Then we have the intelligence services, the general intelligence service and the military intelligence service with their own legal framework and on specific tasks within those laws. 
And then there is the armed forces who have a constitutional variety of constitutional tasks and among them would be not just to prepare for actual combat but also to engage in it and depending on the mission mandate, I'm probably not telling anything new here but depending on the mission mandate, they will get their own set of rules and regulation but that legal framework changes depending on the mission and there is no standing law that governs or there's some fragments but typically there is no standing law that says you have the ongoing mandate to engage in offensive sector. So to follow up on something you mentioned earlier, you said that there's a little bit more leverage or latitude for the private sector actors under the applicable domestic law. If a private sector technology company is hacked, can they hack back against the state actor? Well, there is a leeway for different actors. They have their own, as you said. However, if you are a piece of the government and you have a certain task, you cannot ask somebody else who has more leeway to do it for you because that would be out of the question really. However, it's a fact that private companies sometimes already have eyes on things that as a government actor you're still thinking about do I have the mandate or who do I call? So, and that can lead to situations that are beneficial from an intel perspective. Thank you very much. Ms. Tumpede. Sure, I'll continue. Is the mic on? Yes, hi. I'm sorry. This is new for me. I feel like a pop star. So, and I've never been live streamed before. So hi mom and all my fans out there but all jokes aside. Thank you, it's an honor to be here. And I will also be speaking on behalf of my own capacity and rely on my knowledge. So, turning to the question, then Estonia is also similarly to the Netherlands distinguishing civilian side and also the armed forces and military side of the networks and the parameters they are allowed to engage in. 
So, for the civilian sector, we have a separate cybersecurity act that defines the roles and also we have distinguished vital services and essential functions that have their own mandate and fall under the civilian information security authority who will conduct the cybersecurity part of it. And then of course, there's the military side with their own cyber defense mandate. And in addition, since we are a very small nation, only 1.3 million, then we need to be clever in organizing ourselves. So, we have a separate organization. It's still a public entity and it's called the Defense League which means that it gathers together various, I personally like to call them defense enthusiasts. They use their free time and spare time to allocate themselves and commit to training and exercising and under that Defense League, they also have a separate cyber defense unit which gathers together various cybersecurity specialists that on a daily basis work in different companies or even in a public sector and on their spare time, they exercise together and they are part of our reserve. So, in a way, this is an effort to reach out and gather as much potential as we have because we need to retain that capability set we have. I really like that. I think it's so interesting for us. The follow-on question to that is this volunteer group, are they putting military uniforms on at any point or are they completely in a civilian capacity? Depends on the function and depends on the assignment. 
We do exercises together and we do training together and that unit also has legal advisors in it so we are collectively teaming up at an upcoming exercise actually and they normally, most of them are our own reservists so they have uniform and they are obliged to wear it when they are coming to the exercises but that requires a formal request beforehand and they still maintain also their civilian capacity as well but in a way, they still feel like they have more to give and contribute and that's why they have formed this separate unit. Fascinating insights and I appreciate you sharing that which is actually a great segue to my next question for the group, also an open question and so Ms. Tumpade, you mentioned something about how Estonia is bridging the gap between the private sector, you know, private sector actors to help support some of these larger challenges. The question for the group is, you know, in a few words, can you describe some law and policy issues your nations are navigating to overcome some of those shared challenges and how have you resolved them to help bridge that gap? Anyone who's willing or interested to jump in, you're welcome to. Again, so talking about obstacles and opportunities. Well, given the different legal basis that I talked about before, they also function as kind of walls between the various agencies and that makes it sometimes hard to communicate. However, the opportunities also present themselves in the cooperation and think of developing common capabilities, think of we're all fishing in the same pond for cyber staff and we want to make it interesting without stealing each other's personnel. Think about gathering intel that can be useful for various operations under different mandates. These are opportunities. However, as long as you have the walls, you don't know what the other is doing and you may be inefficient or do things twice or three times or many times over. 
So I feel as legal advisors, first legal advisors, we try to look for the doors within these walls and try to open them so that communication can start. I heard the general say in the opening speech yesterday that you have LNOs at all the various agencies. I think that's wonderful and essential. Also, not just LNOs, but legal advisors having on the operational level but also on the senior leadership level forums where they engage on a regular basis, also having joint exercises or joint executions of that what we are talking about, intel gathering capability, building that kind of thing. That are all opportunities that work to more and lesser degree. There's been a lot of bureaucratic hiccups along the way but I'm happy to say that it is very much improving and that there are successful joint things come out of that. So let me see. Yeah, that's what I wanted to say. Very helpful. Ms. Peterson, would you like to share any insights? Absolutely. I might just talk first quickly about the relationship building that ASD is undertaking as part of its cybersecurity partnership program. So we run this, sorry, ASD runs this program. It has three tiers of membership, the network partners, business partners and home partners and those three levels of partnership have different levels of access to information and the key focus is on network partners where we share threat intelligence and engage in a range of other collaborative activities. Network partners include government agencies, private industry who maintain IT security personnel and are able to act on threat intelligence. They include cybersecurity specialist businesses who are able and willing to share their specialist expertise on a not-for-profit basis with that partnership community and also academia, research and other non-profit organizations who have that keen interest and dedication to cybersecurity. 
Now, obviously one of the challenges that has been spoken about on this conference is the willingness to share sensitive threat intelligence with industry and for industry to feel comfortable sharing information that might come close to their confidential business information. So the network partnership program is underpinned by non-disclosure agreements which helps build that trust. The partnership program has regular meetings, collaboration that's undertaken both virtually and in person through program officers that ASD runs in and across Australia. So that was one of the challenges that we've experienced and ASD has built up some really strong relationships with the private industry through this process. However, when it comes to cyber incident response, unsurprisingly, one of the first hurdles we faced was, I'm sorry, I'm not allowed to talk to you, my lawyer said so because there was a real concern that if they were sharing at that critical moment information that that information could then be passed on and used by regulatory or law enforcement agencies and escalate the legal liability that the company who's already suffered a cyber incident or a cyber attack might be liable to. And so under the Australian cybersecurity strategy which was also released last year, one of the mechanisms that the Australian government is bringing forward is a legislative limited use obligation on ASD and also Australia's cybersecurity coordinator to help industry feel a level of trust that they can share that information quickly with government so that they can get the support in responding to the incident at the speed of relevance not just at the speed of trust, without it then being handed over rapidly to regulatory and law enforcement. Now you would have heard the term safe harbour in one of the earlier sessions. This is not a safe harbour program. This does not provide them with absolute liability that may have arisen through their non-compliance with their obligations. 
There is still the ability for regulators to use their powers of investigation and apply regulatory sanctions where sanctions are required. So this is still in development so I can't tell you exactly what it looks like but it is one of those mechanisms that we're bringing forward to address obstacles to collaboration.
Those are great insights and as we're talking about these issues, I'm hearing a number of parallels but different ways of approaching and navigating those challenges. Ms. Dupre, I wanted to start with you on the next question because I think this is a good way to transition. Earlier this morning we heard Director Coker talking about developing norms of cyber behaviour. Okay, so Estonia has a unique relationship with its private sector and its general population. You're a smaller country and so you were saying we have to find innovative ways of preparing ourselves for the worst, right? And so the question is how does your country or how do your all's countries approach reinforcing norms of responsible state cyber conduct by and through private parties or private sector partners?
Well, that's an interesting approach. If we are thinking through the private companies then... Overall, I would say that we are very digital and also highly dependent on it, meaning most of our public services are available online except for two, you cannot marry online and register a person's death online. Other services are all available online so which means that private companies are facilitating those services because this is the most essential partnership aspect that where the private companies are stepping in because although those are public services they still run on the private networks and infrastructure that still allows the services to run. 
And when thinking about norms from an international law perspective then norms are not so much implemented on the private partners or private companies rather than thinking of public attribution for ongoing attacks or conducted operations already. So this is one of the aspects where the reinforcement or enforcing can be seen but from organizing public-private partnerships and also enhancing that then I would say that it's not so much regulated on a legal basis rather than it still comes down to the tactical level where the information is exchanged and also incidents are quickly responded and the necessary assistance is also given through various partners and players on the field. Very helpful. Sir, ma'am, and any thoughts on how you all handle reinforcing norms of responsible state cyber conduct? Well, I can say something about that as well. Last year, so first of all, for the Armed Forces in the Constitution, one of the tasks of the Armed Forces in the Netherlands is to promote international rule-based order. So that's also one of the things we focus on, generally speaking, but more broader, the Netherlands last year had together with the Republic of South Korea a re-aim. So that was a responsible artificial intelligence in the military domain conference. There will be a follow-up this year in Korea which tries to engage with key actors in order to develop norms, including the private sector. We have been active also in cyber, as you may know. We've been pushing, been one of the pushing countries for in the UNDGEs and the open-ended working group as well as the talent manual processes. So for us, it is very important. So under our cybersecurity strategy, one of our actions is to shape, uphold, and defend international cyber rules, norms, and standards. This includes actively participating in international forums and assisting our regional partners to build capabilities to counter cybercrime and also have a voice and participate in those forums. 
Great insights, everybody. I appreciate you sharing those thoughts. I wanted to space in trying to do a little bit of a compare and contrast of another challenge that we identified earlier today, and that's the issue of talent management. And here in the United States, as you heard Director Cocher mention, we're trying to find innovative ways of building up our national cybersecurity workforce. How are your countries navigating this problem? Is this even a problem for you all? And if so, what are the creative solutions that you all have come up with? Well, it's certainly a problem that's shared world round. And you would have heard me mention at the start of this panel, the Project Red Spice, where we're looking to triple our offensive cyber capability. We're also building our workforce and aim to have at least 40% of our workforce outside of our nation's capital spread around Australia. So this poses a couple of challenges. Obviously, workforce shortage is one of them. And to meet that, and part of the plan of having, I should say, our workforce spread around Australia is both to help address the workforce shortage and to build resilience in the way we conduct business. It gives us access to broader talent pools by having our offices spread around the country. But we're also looking at, and we've already started, to have a multiclassification workforce. So our facilities that we're building are multiclassification, and we have a multiclassification workforce so that people can do work on lower classified systems in lower classification buildings. And there's no requirement to pass the very lengthy top secret positive vetting process prior to being able to start work with the Australian Signals Directorate. And so we've managed to already quite rapidly expand our numbers. Very impressive. Thank you for sharing that, folks. Any other insights? Yeah, I can add on to that. 
We are, well, we've heard this mentioned during today and also yesterday that people are the most important assets. And I couldn't agree more. And we need to put our efforts and we need to invest in them so we can have the capabilities and just build on that. So in Estonia, we are implementing cyber conscription. So it means that all mandatory recruits are going through the basic soldier training, but they also afterwards, if they apply to the cyber command, they will conduct an IT and cybersecurity test where the brightest are selected and they are assigned to different units doing IT support or help desk or even programming developing. And from there on, they can build their own capacities and also move on during the conscription service period. And also one of the ongoing initiatives that we have is to allow various students in different programs in universities to do their internship in the cyber command in exchange for credit points for their studies. So these are case-by-case basis usually. And we have established an ongoing collaboration with various education institutions. So we are very much focusing on how to build up the workforce and also retain it, but we will never, I mean, the public sector can never compete with the private sector naturally, but we are doing our best and we try to be as appealing as possible. And we also contribute from the military side to various initiatives for students and different programs where they are testing their knowledge and sort of exercising ethical hacking. So we are partnering also in that sphere. So this is one of the unique approaches. I'm fascinated by this idea of the cyber constriction. Sir, is there something similar with the Netherlands? Yes, we put a lot of faith and hope in our bond with the reservists in crafting a big network of active reservists that we can call upon. And of course, it's very important to engage in good relationships with employers. 
So we have annual gatherings where we try to involve companies and explain the necessity of having reservists, especially with ICT personnel. And so that project is quite successful. We have about, well, we have an amount of reservists now employed who have various specialties. And so that has been an important development in involving more the private sector and getting more capacity. Fantastic, sir. And while you still have the microphone, so I appreciate you sharing your perspective for the nation perspective, the national perspective. I think a number of us are familiar with the CCD COE. And I was wondering if you could just talk a little bit about your work with the organization and some of the research and initiatives that you all are undertaking to help try to bridge that gap to develop better public-private partnerships. Right, yes. So the NATO CCD COE, the Corporative Cyber Defense Center of Excellence, took me a couple of years before I got that flowing. We try to promote cooperation. We have about 39 member states of which about a fourth is a non-NATO, but partner nations like yours. We have various initiatives in the past that I'm sure you're all well aware of. But currently, I think next week, we will start a project called Handbook on State Positions. We have received grants in order to further that, not just us, but it's alongside Exeter University, the Chatham House, the government of Estonia and Japan to further this handbook, which will enable states that don't have state positions on cyber, enable them to make it easier for them policy-wise and also show what other nations that have a state position have done so that they can use that. Then we will also start with a handbook on data protection in armed conflict. This is still in the beginning phases, but now we're looking for writers who can help with this handbook. The Cyber Commanders Handbook will be revised and made into a 2.0 version, as you have heard before. 
So these are on the academic side initiatives. Then, of course, we have lock shields coming up where we try to work with, I think now it's 39, I don't know, 38 nations in a lot of teams that will work together to also do the legal track. Lock shields is an exercise. Yeah, oh yeah, lock shields is an exercise, I should say. We have two big exercises. Lock shields is one of the crown jewels. And this year will be the first time that it will set in an armed conflict so that will also make for a very interesting legal track. I'm a bit biased because I'm leading the track, but I'm just promoting it as well. And finally, yeah, we have, of course, the international law course where with various esteemed professors that have teached there in the past and that I can recommend to all lawyers that want to learn more about cyber and international law. Thank you very much. Now, I imagine some folks in the audience probably have some questions, but I have one more question for you all. And what I'm looking for is your perspective, your individual perspective. Are opportunity to work together and have these conversations has been very eye-opening and I imagine it's probably very eye-opening for some of the folks in the audience and the folks that are visiting us and joining us online. But from your experience, working with international partners, how can international legal practitioners work together to enhance mission delivery and accomplish shared goals? How can lawyers help bridge that gap and improve partnerships between the public, private sector, but more importantly in this context with our international partners? Maybe we just go down line, Ms. Peterson, any thoughts? Certainly. I have four words. Be curious, ask questions. So we already collaborate really well. After all, there's a reason we often call each other like-minded and often we have something in connection with any of the partners that we're choosing to undertake an activity with. 
However, our strength also lies in diversity. We are different nations. We have different legal systems. We have different cultural backgrounds and it's from that diversity that we draw our strength and I just wanna borrow the words of Judy from yesterday, which is same, same, but different. We're all on the same page, but how we get there sometimes is different. So I would say we can enhance our mission delivery by being actively curious about each other's legal systems, operational capabilities, and therefore what we can and can't do. So for any particular mission or program, we can draw together those individual pieces of the puzzle to create a single uniform picture of where we want to be when we achieve that outcome. Wonderful, thank you very much for sharing that, sir, what are your thoughts? To end where I started and I'll try to look in the camera this time. As I said in the beginning, there is a lot of walls between agencies and there is on the other, well, not necessarily the other side, but in the private sector, there is also a different way that things work. And what is very important in this is that people know who they are going to work with. If you're gonna cooperate as a company with a certain segment of the government, it's very important also to know what that segment is responsible of. And at the same time, from the government perspective, it's you really need to know who you are going to work with and what, especially what your requirements are, because if you know what you need, then it's very a lot easier for the company to be able to do what you want them to do. And this applies no less in the international sphere. It's also, it's know who we are going to be together with, yeah. Wonderful, thank you very much for sharing that. And last but not least, Ms. Tumper. I would just add on to that, that just an idea that kind of resurfaced in my head earlier, it's variety and riches. 
So we should still maintain what we have, but also, like you said, be curious and respectful for each other. So thinking back to my previous positions and the things I've worked on, I would say that education and training is also one of the avenues and cooperative exercising as well is one of the avenues where we can come together and learn from each other and pass on the knowledge that we have. So this is one of the ways to ensure variety and riches. Thank you very much. This has been an extraordinarily illuminating conversation. We really do appreciate you all coming to share these perspectives. I wanna keep the conversation going and I'd like to invite members of the audience if they have any questions for our partners. And if there's questions that may be for some of our other international partners that you can answer, why don't we just open the floor for that? So any questions for the panel members I see back in the top left. Sure, we'll start right there. Thank you, panel, for traveling to speak with us. Are there international norms that you'd wanna see surrounding artificial intelligence and how do you think those norms should be achieved? Sure, well, why not? I think the AI has been one of the burning topics throughout this conference and thank you for the question. I've been involved in different projects where AI and the legal regulations have been under discussion. So one of the aspects that we have tackled with was do we need national defense exception and how far are we going to regulate it? So internationally, I would say we do need guidance but not necessarily in a normative way which will restrict our own movements or just capabilities. So yesterday I heard which was also, it definitely merits that for innovation too much rules is not good but I would also, maybe I don't wanna sound too much like a European, but rules also provide a certain amount of predictability for governments and for citizens in order to work with what we have. 
So I would applaud a basic rule set and the EU has, as you all know, recently adopted the start of it. I might answer the first part of your question so slightly differently because we are participating in the Council of Europe AI Convention discussions and have very similar considerations but in terms of other norms that we're interested in maintaining, we're very interested in continuing to defend an open, free, secure and interoperable internet through those international forums to make sure that it doesn't become under the control of any single nation state and continues to be that domain which is so unique and has all of our private and public partnerships maintaining it. Wonderful, thank you very much. Any other questions from the audience? Yes sir, right here in the back, back in the center. Yeah, are you aware of any standing international agreements either NATO, ANZUS or for Australia particularly Five Eyes that would allow bulk reciprocal sharing of cyber incident data either from government networks or contractor network cyber incidents? I'm not tracking any treaty level documents that would expressly permit it but I'm not tracking any that would prohibit it either. And so there's already a range of arrangements between Five Eyes governments to enable us to work interoperably. So I'm not sure that we need a treaty to be able to achieve that amongst the Five Eyes partners. To add from the NATO side, as I said I've not been working there for a while but I know that already when I was working there there are various information sharing agreements, incident sharing constructs. Also in yearly cyber coalition exercise we do it's a NATO exercise, flagship cyber exercise we practice this and we share information and incidents and we use the systems that we created to that purpose. I think I see another hand over here, sir. Thank you. 
I know this mentioned or this panel is on international perspectives but I have a question about your respective nations, your respective countries that might have international applications. Estonia, Netherlands, the Scandinavian countries you serve as a model because you are some of the most extensively wired societies if not in, certainly in Europe, if not the world. I think Estonia you are probably one of a model of extensive interconnectedness in terms of the internet and cyber activities despite the fact that you're 1.3 million. You're also the safest. You also rank Netherlands, Estonia, the Scandinavian countries rank as the safest in terms of how little or relatively few cyber attacks you experience in your society. But what you share in common are your relatively small populations and your relatively homogenous societies. Do you believe that your success would be limited in trying to transfer your success to much larger states like a United Kingdom perhaps or more diverse or larger state or country like Australia that there might be limits to your success because your success is really the result of your smaller populations and relatively smaller geographic locations so that you'll, no matter what you can do, if you have a larger population, larger state, the cyber attacks will persist. Yeah, that's true. Thank you for the question. Well, there could be several reasons why those attacks have decreased, but in fact, as much as I recall, it was last year. The similar attacks that happened in Estonia in 2007 that were sort of the pivotal turning point for especially from NATO cyber policy, the same kind of denial of service attacks were 50 times stronger and more advanced. So time is moving on and I wouldn't say that we're not experiencing so few attacks. 
We do have a large number of incidents happening quite often and frequently and in terms of size and scale, the size of our nation and also the interconnectivities, it can be seen as a benefit, but it also can be a disadvantage in various aspects. So I'm not so sure how it translates to a larger nation, but what I do can compare is that sometimes it seems a bit overlooked that if in comparison to US you have a floor full of teams with lawyers and specialists working on different projects than back home, back in my country, there's likely only one person in that team. So we do need to set our priorities because otherwise we would be a bit overwhelmed. So I'm sorry to say I don't really have an answer how to transpose and translate our experience to a larger country and we just need to be vigilant, I would say. So not to come to the defense of the Netherlands even though it is my job. We are about 13 times the population of Estonia and about a fourth of Germany. That doesn't make us necessarily a big country but it is definitely a multinational country and I think the reason for its being, I take it relatively safe is not so much in the homogeneousness of the country but we have a very open policy. We thrive on trade, ideally everything is open, open trade and that's how we not only make our money but that's also what we like to promote and in order to do that, in order to have a society like that you also need to make friends everywhere and if you have friends everywhere, you have less enemies. So that's a very simple answer to a probably way more complicated problem but I think it can be the start of a right answer. Thank you, sir, great question. Any other folks? I think I saw another hand out in the audience. Yep, right over here, sir, on the right side. 
Yes, I was wondering in Estonia with world events going on so much with the war in Ukraine and things like that in Russia so close by, has that caused any changes in the statutes have been enacted and things like that? Have there been any legislative changes important since the Ukrainian war started or cyber? Well, as I'm trying to organize my thoughts, thank you for the question. The war in Ukraine has certainly had its impacts and I would say domestically and nationally we're being rational and we are implementing the same vigilance that we used to and from a cyber perspective we are from different mechanisms we are facilitating IT support and also other services to help Ukraine restore their critical infrastructure and also maintain its functionality. So we are contributing, but from a legal perspective I wouldn't say that we have not had, we haven't made any regulatory changes since the kinetic part of the war. And folks, I think we just have a couple more minutes left maybe one more question, any more questions from the audience maybe up on the balcony? Right up front, yes, ma'am. Kia ora. You talked a little bit about how countries' legal differences in the assistance of needs to be considered and addressed when working together in this area, but I was wondering if you had any thoughts about not necessarily legal differences but like cultural and historical differences that have the way they impact a society and maybe how those differences between nations need to be addressed when dealing with cyberspace? Does that make sense? Sorry. Open question for anybody, ma'am? Yeah, okay, great question, thank you. I think some of the cultural differences can boil down and flow into the policy stance that the different countries take and also their risk appetites for certain types of activities and where they draw the lines with those activities. 
So sometimes the national caveats that we put when acting together aren't drawn from our law, they're drawn from what's societally acceptable to our communities. And I think that holds true for cyberspace operations as well. I was just thinking of, well, from a personal perspective, I mean one of the cultural aspects that we are trying to implement is a broad security and national defence concept, which means that every vital service provider has their peacetime duties that they need to fulfil and also implement during crisis and war. And also we are including civilians in armed forces, especially, I'm the greatest example of being a civilian and working with the armed forces in cyber command. And this is one of the aspects that is really enforcing and trying to highlight the cultural difference. And I'm the example that it works. There's nothing so far, at least, there hasn't been anything bad about it. So it's still, like I said, a variety and riches. Ms. Peterson, Colonel Volma and Ms. Tumpeter, thank you very much, folks. Can you join me in giving them one more round of applause for joining us here? Thank you. Thank you Greta, Nick, Chantel and Ray. We've talked a lot about the power of trust and one way of building that trust is taking this type of opportunity to compare and contrast our policy and legal frameworks and ultimately learning from one another. As Chantel said, same, same, but different. So while we all have our own unique challenges, it is comforting to know that we are all grappling with similar issues. So thank you again to our international panelists and to all of our international participants who took the long journey to join us for this Cyber Command Legal Conference. We will be on break until 1545 for our final capstone of the day. Thank you. Hi, I'm Colonel Pete Hayden and I'm excited to speak with you as a part of the US Cyber Command Legal Conference. 
Whether you are in person or virtual, your interests and participation are critical to solving some of the toughest and most important and interesting legal challenges facing our nation. Good afternoon, ladies and gentlemen. I'm Colonel Carl Woodrow Rodriguez Medellin, Director of US Cyber Command's Office of Academic Engagement. In 2022, we launched the Command's Academic Engagement Strategy in order to deepen our partnerships with academia. Cyber Command established the Academic Engagement Network, also known as the AEN, which is a team effort across the DOD Cyber Mission Force and academia. Our Cyber Force members include the Command Headquarters, the Cyber National Mission Force, the Joint Forces Headquarters, the DOD and the Service Cyber Components. The response from our nation's educational institutions has been amazing. In the past two years, the AEN has grown to include 121 institutions from 37 states and the District of Columbia. AEN members include nine federal institutions, including Service 4 colleges, the Naval Postgraduate School and four of the Service Academies. Additionally, our 108 non-federal institution members include 15 institutions serving underrepresented communities. Cyber Command's Academic Engagement Program has four strategic goals. First, engage the future workforce by inspiring a diverse group of students to pursue cyber education careers, both in military and as civilians. Second, increase cyber-replied research and innovation by encouraging research on our hardest problems. We are hosting another cyber recon effort this year which involves student researchers mentored by Cyber Command staff. The capstone symposium will be held at the Naval Academy in Annapolis, Maryland in mid-April of this year. Third, expand cyber-focused analytical partnerships by providing insight into adversary cyberspace strategies, organizations and capabilities. Fourth, enrich strategic cyber dialogue. 
By engaging faculty, we challenge Cyber Command's concepts and refine Command's strategies as well as align our senior leader engagements with our academic partners. As we enhance our academic partnerships, the legal profession is a critical aspect to this maturing relationship that will allow us to increase intellectual rigor as we advance the nation's cyber warfare capabilities. To find out more, check out the AEN at cybercom.mil. Hi, I'm Colonel Pete Hayden and I'm excited to speak with you as a part of the US Cyber Command Legal Conference. Whether you are in-person or virtual, your interests and participation are critical to solving some of the toughest and most important and interesting legal challenges facing our nation. Our commander, General Hawke, has set out his guiding priorities based on our competitive strengths, people, innovation and partnerships. This conference will give us the opportunity to discuss exciting legal issues involving all of these priorities. But I wanna reach out on something near and dear to all of our hearts here at Cyber Command. Our commander's very first priority is people. At every level, we want to attract and develop talented practitioners in diverse disciplines to the cyber enterprise, including legal professionals. Through participation in this week's events, you'll see exactly why that's so important to Cyber Command, to the services and to the nation. The bottom line is this, we need you. Here's why we hope that you'll wanna join our team. The Cyber Command Enterprise is one of the very few places in which military attorneys routinely work side by side with partners from across the executive branch. They also get the rare opportunity to partner with the best and brightest throughout the joint force to be a part of those high functioning joint teams comprised of talented attorneys from across the services. 
Our council work closely with the legislative office to help shape our congressional authorities, whether drafting a legislative proposal, identifying policy and legal implications of an authorization act, or assisting with congressional testimony preparation. Our office is deeply engaged with our legislative liaisons and our legislative overseers. Our judge advocates, civilian attorneys, and paraprofessionals work closely with the private sector and academia to develop collaborative mechanisms to advance national security interests and defend against malicious cyber activity. Finally, U.S. Cyber Command attorneys regularly interface with our international partners on everything from military exchanges, exercises, information sharing, to coordinating plans and operations, furthering our interoperability and deepening relationships with our strategic partners. Here at United States Cyber Command, we build relationships across the services, industry, research community, academia, and the whole of government. And we do it to facilitate innovation and foster collaborative sharing platforms to advance our national security interests and defend against malicious cyber activity. Our partnership philosophy, it's baked into our statutory mission to direct, synchronize, and coordinate military, cyberspace planning and operations to defend national interests and collaboration with domestic and international partners. Our practice is diverse. If you're a legal professional interested in national security law, we offer you opportunities you won't find anywhere else. Through your legal advice, Cyber Command will be better postured to defend Department of Defense information networks, to generate insights and options in defense of the nation and in support of other combatant commanders, and to ensure enduring mission advantage for the Department of Defense, the United States, and our allies and partners. 
If you're an administrative law or a criminal law practitioner, and you're listening in because you wanna try something else, or you just find this work interesting, your analytic and advocacy skills are what we're looking for to solve emerging problems and make lasting change. If you're a contractor or fiscal law wizard, please give us a call. National security law and acquisition law work hand in hand to enable our operators to spur innovation and maintain our technological primacy, and build our enduring advantage as the finest fighting force in the world. We're in a war for talent, and we look forward to partnering with you in the unique, demanding, and highly rewarding practice of law at U.S. Cyber Command. All right, ladies and gentlemen, we have reached the capstone presentation of day two of the U.S. Cyber Command legal conference. We originally advertised Mr. Matt Olson, the assistant attorney general for national security at the U.S. Department of Justice, but he was unable to attend today, as you've heard a few times this week. Section 702 reauthorization has required the time and attention of several senior U.S. government leaders in the national security ecosystem. But in his stead, we are so fortunate to welcome Mr. Olson's principal deputy, Mr. David Newman. So for the format for the capstone presentation, Mr. Newman is gonna come up and provide remarks, and then we are fortunate to have Mr. Raj Day, who will join him on stage seated for more of a fireside chat, and then we'll open it to questions. And this capstone presentation is entitled disrupting cyber threats and protecting U.S. technology and data. So I will quickly introduce Mr. Raj Day, and then I'll introduce Mr. David Newman, and he'll come to provide his remarks. So Mr. Raj Day is a managing partner of Mayor Brown's Washington, D.C. office. He leads the firm's global cybersecurity and data privacy practice, as well as the firm's national security practice. Mr. 
Day has held numerous senior appointments in the White House, the Department of Justice, the Department of Defense, and the National Security Agency. As staff secretary and deputy assistant to the president, he was responsible for managing all written material provided to the president. He was also the principal deputy assistant attorney general in the Office of Legal Policy at the DOJ. And close to all of our hearts at U.S. Cyber Command, Mr. Day was the general counsel of the National Security Agency. And finally, Mr. David Newman. Mr. Newman is the principal deputy assistant attorney general for national security at the National Security Division at the U.S. Department of Justice. Before returning to the DOJ, Mr. Newman was a partner at Morrison & Forster. And he previously served in government as the associate White House counsel and special assistant to the president of the Office of the White House counsel, to the president and the Office of the White House counsel and various posts on the staff of the National Security Council and as counsel to the associate attorney general for national security at the DOJ. And he was previously a law clerk to the U.S. Supreme Court Justice, Ruth Bader Ginsburg. Mr. David Newman. Thank you so much for that introduction, Josh. And I am keenly aware that I am not Matt Olsen and that I stand between this group and the end of today and drinks. So I will do my best to be brief, if not interesting. As Josh mentioned, my name is David Newman and I serve as the principal deputy assistant attorney general for national security at the national security division or NSD as we are known because we need to have an acronym to be in the national security space. It's very much an honor to be here with such a distinguished crowd, so devoted to the mission. 
Before we begin the fireside chat portion and Raj hits me with the hardball questions, I just wanted to spend a few minutes highlighting some of the ways in which we at the Department of Justice and NSD, my division in specific, is innovating to address the national security cyber threat landscape. First, some very brief history. Congress created NSD in the aftermath of the September 11th terrorist attacks with a mission to unify DOJ's national security work. The vision was to bring together the prosecutors in our counter-terrorism and our counter-espionage section, which were both in separate places in the criminal division, under the same leadership that oversaw the DOJ lawyers who worked with the IC obtaining surveillance authorizations from the FISC. And the original mandate for NSD was to take down the unnecessary silos that separated law enforcement and intelligence professionals and folks such as yourself to ensure that DOJ could bring to bear the full range of authorities to disrupt national security threats. And for the first decade of NSD's existence, our principal focus was on confronting the threat of international terrorism. And we knew we needed to change the DOJ mindset to become more threat and intel-driven. And even as hundreds of terrorists, hundreds of individuals were convicted of terrorism and terrorism-related charges in federal courts in the first decade after 9-11, we all knew and understood that the measure of success was not a conviction, but a stopped plot and the imperative to detect and disrupt terrorist attacks before they occurred. And today, in the National Security Division, there remains no greater priority for us than the international terrorism mission, as the horrific October 7th attacks underscore. But as we all know, the national security threat landscape is a lot more complex, dynamic, and varied. And our work has evolved to reflect that threat from capable nation-state adversaries.
This is especially true when it comes to the cyber threat. We've all seen and heard, I'm sure, at this conference about the concerning trend lines, hostile adversaries conducting cyber operations with alarming scale, speed, and sophistication. And cyber has become the vector of choice for hostile nation-states seeking to steal our most sensitive technologies, to exert foreign malign influence, and to project messages of repression at diaspora communities and compromise critical infrastructure. And the list of capable adversaries engaging in such activity is, at this point, by no means limited to the Chinas and the Russias. You see Iran and Iranian-backed proxies engaging in a broad array of sophisticated cyber activities, both to generate revenue and to advance operations. You see the DPRK, the North Korean government, engaging in sophisticated crypto heists and IT worker schemes to fund its nuclear program and authoritarian agenda. And you're seeing increasing use of cryptocurrency and encryption from international terrorist groups to advance plots. And just as the cyber threat has evolved, the National Security Division and the work of DOJ has needed to evolve to meet it. And we've tried to draw on some of our terrorism roots to do so. It may surprise some here to learn that up until last year, there was no one section at DOJ dedicated to going after national security cyber threats. Instead, within NSD, that work was housed in CES, our counterintelligence and export control section, whose mission also focuses on counterintelligence, sanctions and export enforcement, countering foreign malign influence among other mission requirements. And the number of national security prosecutors who specialized in cyber cases within the Department of Justice was actually in the single digits.
So one of the key takeaways from a department-wide cyber review that was undertaken at the direction of Deputy Attorney General Monaco in 2022 was that DOJ really needed to scale up substantially our footprint in this space. And the theory was simple. Disrupting cyber-enabled threats requires enough prosecutors with dedicated time, strong partnerships, and increasingly specialized expertise. And we needed more prosecutorial horsepower to achieve the kinds of ambitious disruptive goals that were being set in the national cyber security strategy. That's why the department last summer established a new national security cyber section, or NATSEC cyber, as we call it. And that new section, which is the first enforcement section that was added in the history of the division, put cyber on an equal footing with our counterterrorism and traditional counter-espionage mission. Within DOJ, NATSEC cyber is intended to operate as a critical resource and force multiplier for prosecutors in the 93 U.S. Attorney's Offices and the 56 FBI field offices throughout the country. Prosecutors and agents in those offices are on the front line confronting the cyber threats in their district. But NATSEC cyber enables us to partner with the field to respond swiftly to highly technical threats and to serve as an incubator for cases that are either too sprawling or too nascent for any one office to handle. NATSEC cyber is also a way to better align DOJ's own structure so that it matches that of some of our key USG and international partners, many of whom have dedicated cyber units and workforces. But obviously, changes to the org chart are the means and not the end. So I just want to give a few concrete examples of the type of work that we are accelerating. First, our focus is on disrupting illegal cyber activity before it can cause harm and threaten national security. Drawing from our CT playbook, we are taking a threat-driven but also a victim-centered approach. 
And while we always look to make arrests where possible, our law enforcement disruptions can take many forms. And that's a matter of necessity, because as we know, many of our leading cyber subjects and targets, particularly in the national security and ransomware space, are protected by hostile governments such as Russia and Iran. And in some cases, we know they're not just being protected, but they're receiving that protection in exchange for being on call for their local military or intelligence services. So how is law enforcement disrupting actors outside the context of criminal charges and arrests? Most prominently, we are emphasizing court-authorized technical operations so that at scale, we can curtail and at times even eradicate the infrastructure that these hostile actors are using against us, including infrastructure in the homeland that is outside the authorities of many other departments and agencies. Not long ago, those types of law enforcement technical disruption operations occurred at most at a pace of about once a year. But so far this year, this year alone, the department has already announced three significant such operations, two of which were spearheaded by NSD alongside the U.S. Attorney's Offices and FBI partners. First, in January, we announced a court-authorized takedown of what was known as the KV Botnet. That's a botnet of hundreds of U.S.-based small office, home office routers, SOHO routers, hijacked by the People's Republic of China state-sponsored hackers known as Volt Typhoon. And the hackers used the botnet to conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims, including a campaign targeting critical infrastructure organizations in the United States and elsewhere. Using one of our age-old investigative tools, Rule 41, but in a novel way, the search and seizure warrant, we detected and deleted Volt Typhoon's malware and took steps to sever the routers from the botnet.
Second, in February, we announced a court-authorized operation that neutralized another network of SOHO routers that had been compromised this time by the Russian GRU. And those routers were being used to launch cyber attacks against the United States and our allies, including in Ukraine. And again, using a Rule 41 search warrant and a little bit of innovation, we were able to delete stolen and malicious data from the compromised routers and block the Russian actors from gaining further access to them. Finally, also in February, our colleagues in the criminal division who are critical partners in this work spearheaded their own disruption against LockBit, one of the most prolific ransomware groups menacing the private sector. It deserves emphasizing that this is a team sport. Even as the operations relied on DOJ legal process, we are very often not alone in planning or executing them. And we are almost always joined by a coalition of U.S. government, private sector, and foreign partners in this work. In disrupting the GRU botnet, for example, we planned and coordinated with the Shadowserver Foundation, Microsoft, other private sector partners. And shortly after we announced the operation, the FBI, NSA, Cybercom, 11 foreign partners released a joint cybersecurity advisory providing device owners and network defenders with valuable threat intelligence about the GRU's tactics, techniques, and procedures. Many of these same partners provided invaluable assistance in eradicating portions of the botnet within their borders. And of course, technical disruptions represent just one aspect of our work. We also use the criminal justice system to identify and attribute malicious activity and to impose consequences on actors who may be specifically deterred even when foreign governments cannot be.
When DOJ returns public charges against a malicious cyber actor, we are telling the world that we stand ready to prove the allegations in our case beyond a reasonable doubt with public evidence. And we intend for that to send a clear message about what conduct the U.S. government believes is so out of bounds that it is deserving of criminal punishment, even when committed by overseas actors. So this public attribution enables us to ask for and galvanize international support. And a good recent example is the indictment unsealed a few weeks ago in the Eastern District of New York. That indictment charged seven PRC nationals who were members of a group called APT 31 with engaging in a 14 year cyber campaign targeting U.S. and foreign businesses, political officials and dissidents and critics of the PRC. APT 31's targets included individuals working at the White House, elsewhere across the executive branch, U.S. senators and representatives of both parties. And the indictment noted that the actors in the APT 31 group gathered information that could have been, even if it wasn't, released in influence operations in connection with previous U.S. elections. The indictment in turn enabled the U.S. government to express common cause with 17 countries in Europe and Asia who on the same day the indictment was unsealed made public statements condemning APT 31's targeting of democratic institutions and political processes around the world. So in addition to the cyber actors themselves, it's important to note that DOJ is also redoubling our efforts to go after the source, the cutting edge technology that enables these threats. Last year the department stood up the Disruptive Technology Strike Force, an interagency enforcement team co-led by NSD, my division, and the Commerce Department's Bureau of Industry and Security.
The strike force was created to counter efforts by authoritarian governments to acquire sensitive technologies, including the technology that enables advanced computing and autonomous vehicle capabilities such as semiconductors and microelectronics. And it brings together the collective power of law enforcement agencies to pursue enforcement actions against those who violate sanctions and export laws and trade secret laws to acquire sensitive technology. We've created 15 enforcement teams across the country made up of federal prosecutors and agents who are strategically co-located in places where there is a strong tech industry presence or heavy commercial trade, including in San Francisco, Phoenix, Miami and Boston. And the collaboration is already generating tangible results. In less than one year, the strike force has announced 16 criminal prosecutions charging actors in the United States and abroad with procuring microelectronics on behalf of the Russian war effort, software engineers with stealing source code and other proprietary information to take to China, and buyers working on behalf of the Iranian regime with seeking to illicitly acquire UAV and ballistic missile technology. Strike force cases include protecting technology that can be used for cyber related malign activity, including AI, which is a key focus area of this work. Last May, for example, we announced charges against a former employee at Apple who allegedly stole large quantities of data related to the company's self-driving car technology before decamping to a subsidiary of a Chinese company that was working to develop the very same tech. Just last month, we announced the arrest of a software engineer at Google who allegedly stole over 500 confidential files from the company.
The stolen information included details about the hardware infrastructure and software platform used in Google's advanced supercomputing data centers. About the same time that same defendant was allegedly stealing the information, he was secretly working with two China-based tech companies, including an AI-focused company that he founded. We know that the cyber threats we face will increasingly be generated by AI technology and that that technology will in turn be powered by bulk data sets involving Americans. Bulk data about American finances, for example, can be mined for leverage, for coercion, blackmail, and espionage. And adversaries can use geolocation data and other information to identify US government personnel based on travel patterns and meeting activities. As a US government, we devote, everyone here devotes, extensive resources to preventing adversaries from obtaining sensitive data through illegal means, including cyber espionage and insider threats. But for too long, no federal law prohibited adversaries from simply buying this data in bulk from data brokers and others who sell it on the internet. And that was perfectly legal. That began to change just in February when the president signed a groundbreaking executive order giving the Justice Department targeted new authority to prohibit or restrict foreign adversaries from acquiring Americans' most sensitive data. This executive order protects seven categories of American sensitive data that pose the greatest risk, including genomic data, biometric data, such as fingerprints and keyboard usage patterns, geolocation information, personal identifiers, personal health, and financial data. NSD has been delegated the primary responsibilities for implementing and enforcing this new program for the department. And we are upping our staffing and resources significantly so that we can carry out this responsibility as we move through the rulemaking process.
So what I've just set out is a sampling of the work we're doing on the cyber front, which also includes, of course, our sanctions and our corporate enforcement work. And you can expect more of this type of innovation in the coming years. But most of all, to end where I started, thank you so much for having me. Thank you for your understanding. And I look forward to the conversation.
Okay, hopefully everyone can hear all right. That was great, David. And if you didn't know it before, I know we were supposed to be here with Matt, but David is really the brains behind the operation. And so hopefully that did come across in his comments. So our plan is for me to ask a few questions of David on some of the topics that he spoke to and then to open it up to the audience. So we're gonna have some time at the end. Now before I start, now that you know David is the brains behind the operation, one thing you may not know is that before I was the NSA GC, David's boss, Matt Olsen, who was going to be here, was the general counsel and we're very good friends. And I asked Matt, I was very nervous about taking that job and I asked him, should I take this job over? And Matt on his way out the door said, you definitely should, what could possibly go wrong? And a few months later, Edward Snowden happened and my life got turned upside down. So I had been planning to use this Q and A to needle Matt a little bit, but I'm gonna take it easier on David in our questions. So okay, you talked about the disruptive technology strike force. This is the joint strike force launched with the Commerce Department about a year ago and you mentioned some of the enforcement actions that have been brought. It sounds like many of them have been against individuals, but the DAG and the department have, the deputy attorney general and the department have talked a lot about the importance of corporate compliance and corporate enforcement.
What can you tell us about the department's plans towards more corporate directed enforcement and just generally where's the strike force gonna go this next year?
It's a fair question. Thank you for taking it easy on me. The department has made a huge investment in corporate enforcement, especially in the national security space. This is something that our leadership has talked about extensively in the national security division, which historically focused on some of the worst actors at the end of the spectrum. We have been developing a very sophisticated program that mirrors much of what the criminal division has historically done to take the measure of corporations' commitment to compliance with respect to national security laws. That included hiring a dedicated chief counsel for corporate enforcement who works in our division, someone who had brought a groundbreaking case a little over a year ago against a company called Lafarge that was the first ever guilty plea for material support for terrorism of any corporation. It was a multinational French company that had paid bribes to ISIS during the time in which ISIS occupied much of Syria. And it resulted in a 700 million plus penalty that was paid as well as that first ever conviction. We have also been partners with the criminal division on some other very major resolutions over the last year, not in the strike force context. So it's a fair question, but in other contexts. That included the resolution against Binance, one of the largest cryptocurrency exchanges in the world that paid billions of dollars in penalties and whose CEO came from the UAE to the United States to plead guilty to a felony charge that potentially exposes him to a year or more of prison time and who has been required to stay in the United States pending his upcoming sentencing. We also brought what is the largest North Korean criminal sanctions enforcement case against British American Tobacco a little over a year ago.
But you are absolutely right that I think the next level, the next measure of the strike force includes doing more to show that we are able to hold companies accountable. And again, the reason we do that is not because we are looking to check boxes of corporate enforcement. It's because ultimately in these spaces companies are on the front lines. They have an obligation to protect their sensitive technology, their information, to report what they're seeing to the government. And we need to create the right incentives for companies that are doing the right thing to feel like they're not being commercially disadvantaged and for companies who are not doing the right thing to reconsider their approach. And we have done a number of things including in terms of our voluntary disclosure policies where we have tried to make more incentives for companies to come in early, but also frankly more deterrence for companies that choose at their own peril not to come in when they see challenges. So I don't wanna get ahead of any of our enforcement work, but I think it's fair to say that we are very focused on corporate enforcement both in the strike force context and more generally as a way to reinforce some of the national security incentives that we want companies to be responsive to.
That's really great. As somebody who represents a lot of companies it's really great to hear that it's not just about punishing bad actors, but about acknowledging as many of my clients are good actors who are trying to do the right thing. So that's really great. So let me ask you, you mentioned the new NatSec cyber section and you mentioned the indictments against the APT-31 actors. So for lots of folks in the cyber arena, the threat landscape is just so overwhelming. So one natural question arises, do these individual indictments that the department brings really make any difference?
I mean, they're great symbolically and they have some impact globally, but what is your best case to defend why that tool fits into our overall toolkit for cyber activity?
No, it's a very fair question. And I think we know that we're not gonna be able to jail our way out of the cyber threat arena, but we nonetheless believe very strongly that our cases can have impact. We just have to, we have to choose the right ones. So APT-31, which I spoke about a little bit and you highlighted, is a key example. First of all, separate and apart from the individuals, I think the fact that we were able to tell in an unclassified form with a high degree of detail and specificity, what it is that we had found is something that allows us to really galvanize, as I mentioned, international support, get other countries to sign on to what we're doing, show other countries that might have frankly less of an ability on their own to speak up and decry Chinese malicious cyber activity that they have in the United States, a kind of powerful voice that is verifying and corroborating what they are themselves seeing internally. I also do think that cyber actors, even if the countries can't be deterred, even if we can't deter Russia or China from all manner of cyber activity, that the individuals who work in those countries who are part of some of these ecosystems of non-government actors who freelance on projects that they know are kind of malign in nature, they can be deterred and they, I think, feel the potential sting and punishment of even just being charged criminally in the United States and the restrictions that that comes in terms of their travel and their liberty. So I think that's very important. And then lastly, we also are very focused on using those charges to highlight what they're, to build kind of global consensus about what conduct is really wrongful and out of bounds, which I think is very, very important.
And we give a lot of thought to that, both at DOJ and in conjunction with our inter-agency partners, so that the conduct that we're charging speaks for a core set of values and beliefs. I will also just say, I think there are opportunities as we progress to get handcuffs on individual actors. We have done so over the last several years. It's obviously the case that several countries, Russia, I think first and foremost, has operated as a safe haven for actors, but the Department of Justice has a long memory and once individuals are charged, even if it's not right away, they may one day find themselves in a country that unbeknownst to them has a better extradition relationship with the United States than they understand. And so we are very much trying to use this tool to impose consequences. It's obviously just one tool in the toolkit, but it's something that we believe strongly in.
I'm glad you mentioned norms too and the value, because I know a lot of people here and particularly at DOD think about cyber norms and it's good to know that it's a government-wide effort, so thank you for that. Let me turn to the data security EO, which you referenced, so President Biden signed an EO a few months ago related to the transfer of US government data or bulk US person sensitive data. And there's a lot of details in there, but at a very high level, can you illuminate for all of us what was the real need for that EO? Are there any concrete examples of bad activities that this is intended to get at or the new regulatory regime? And then like in a very simple way, I have lots of clients asking why is justice involved in a regulatory EO about personal data? And so a little bit of the backstory is to why is the Justice Department initiative?
Sure. Well, the answer to the first question is I think there was a very conspicuous gap in the collective authorities and laws in the country.
Frankly, myself in the different roles I play in the Justice Department, it was striking that we spent so much effort trying to review, for example, under CFIUS transactions involving data-rich companies to see what sensitive data could be exposed to a foreign adversary. We spent so much effort working with the private sector on hardening their defenses against cyber threats that are being used to pull that data out illegally using malicious cyber activities. We spent so much effort on working with the private sector on insider threat detection programs. And yet there was no kind of comprehensive law that prevented people from just selling that data directly from the United States to adversaries or more realistically to cutouts of those adversaries on the open internet. And the market for data brokers is a very rich market that is easily obtained. And even if some sophisticated actors could use other means to get the data, I think the judgment that was made by many of them is that the easiest, lowest cost, lowest friction way to do it was actually just to buy it. And that is, at an unclassified level, I think part of the thesis of the case here. In terms of how that data can be used, and I previewed a little of this, but I think it's important to highlight it, if you have multiple large data sets of different kinds of sensitive information, financial data, geolocation data, health data, other data, that is a goldmine for any sophisticated adversary's ability to build models that can be used for all manner of nefarious purposes, starting most obviously with efforts to identify US government personnel, to try to have insight into US government actions, to try to start making informed assessments about plans, activities, operations of the US government. And I think frankly it's probably the real question is why haven't we done this sooner? Because it's such a significant threat, but at this point we felt like we had to act and do it.
And then in terms of your last question, which is a fair one, first of all DOJ, I think our sense was we have been at the forefront in the CFIUS process in some of our cyber related work in looking at vectors of vulnerability and attack into sensitive data sets. That's often where we are the lead in transactions under CFIUS, that's a role that we play. We also are a regulator in the national security space already in the role we play under the Foreign Agents Registration Act. So we already have a civil regulatory function. And so although I would really concede that there's probably no one department that is perfectly positioned to take on this role, we, with the encouragement of the attorney general and the deputy attorney general, we were willing to take on this role because we just think it's a very important mission.
Well it's great that we've taken a step forward. I think as most people know the data broker discussion often gets twisted around privacy issues, which are valid, very valid, but has led to an inability to pass any legislation or anything like that. So at least if we can tackle it from a national security perspective, that's great. Okay a couple more questions and then we're gonna open it up. So think of your questions. So the theme of this conference is the power of partnerships. And cyber is probably the quintessential example of a policy and threat topic that requires partnerships. Can you tell us a little bit about how the department is partnering with equivalents or affiliates outside the US? And what does that look like on a day-to-day basis?
So it's a great question. I think we have an extraordinary series of partnerships with other governments. I think it would, without getting into specific ones in a public setting, I think it would surprise many to know who are some of the countries that have some of the best accesses and capabilities in this space.
And we have found often that our tools plus their tools adds up to much greater than what we could do individually. And we the United States government and through our law enforcement channels can often obtain information or request information in a way that even other US government agencies that have very close relationships with those countries cannot. So for us that is crucial. Again, I think the trend has been toward multi-jurisdictional, multi-country disruptions that helps both to be more effective since a lot of these actions and actors are indifferent to national boundaries. And it also I think just highlights again that there is a growing consensus among a large body of countries that the cyber actions of a small few nations is really out of control and violates some of the basic kind of principles and norms of our 21st century society. So for us that is a key thing. It's one of the reasons why we needed to have greater dedicated workforce in DOJ is to make sure that they're able to build and maintain those relationships by being really focused on this work and it's been a priority of ours.
So it wouldn't be a conference with me not asking at the moment about the FAA and Section 702, you've all read about this. This is a statutory authority that allows the government to collect intelligence about non-US targets outside the US with the help of US companies. So there's lots of things happening on the Hill and probably a minute by minute update isn't worthwhile, but at a very high level I was at a talk with Director Wray yesterday and he made an interesting comment. And many years ago I'd worked on the 9-11 commission and so it resonated with me.
He said the idea that the US government would need a warrant, which is one of the ideas on the table, to query information that is already collected to him, and he said this publicly, kind of is akin to the wall which is one of the identified issues before 9-11 which had to do with the sharing of intelligence information in the US government. And he said the idea that we would have to get a court authorized warrant to actually search information that was lawfully collected reminded him of that sort of unnecessary legal hurdle. So can you tell us at a very high level like why is that such a pain and do you think this is, from your perspective how do you think this is likely to roll out?
So I'm not in the business of making predictions about Congress, I know it's something that is being discussed today and that's one of the reasons that Matt Olsen can't be here with you, but what I will say is for us at DOJ it's not even just a pain, it is unworkable and that is true because of the number of queries and the scale of what it would take as a program to have to go to the court each and every time. The foreign intelligence surveillance court is a very thorough and rigorous process, but they are not equipped to review in the volume of US person queries that need to be run. Many of them in the cyber area involving victims, many of them involving victims of other threat information, they are just not equipped to look at them in real time at scale. So that is one significant challenge. Another is they're just the standard of what you would apply to such a warrant would be very challenging to square with the reality of why we're running those queries.
We're running those queries often early stages of an investigation in order to ascertain threats, plots, victims, targets and at that stage you are just not going to have the same type of information that you have when you're doing a traditional Title I or Title III files in the United States. And then most fundamentally it is just a complete paradigm shift that's not required by US law and that's because you are talking, if you're talking about querying that data, about information that was collected because of lawful targeting overseas of non-US persons and about information that's already been lawfully collected and there is no comparable instance in which the US government has to get a warrant to review information that has already been lawfully collected about targets overseas for a court authorized, statutorily enacted intelligence purpose. So it is a challenge of ours. Of course, of course we always welcome the opportunity to find ways to enhance the oversight and rigor of the process and I know that's something that's extensively been discussed but and that you and I have both worked on in much of our careers but it's just not the case that we could go to the court each and every time or that that would allow us to move at the speed of the threats that we're confronting.
And just to put a fine point on the first point you made for everybody here, a lot of not, I don't know the percentage but a lot of the queries have to do with on US persons is about searching for victims of cyber attacks so that we can know they were victims and alert them that they were victims. Okay, so let's open it up to the crowd. You must have questions for David. So we'll see, I'll look for some raised hands and then Raj is an expert too so you should feel free to throw it this way if you want. I know this isn't a shy crowd. Nothing at the moment, I could keep going. Okay, why don't I keep going and folks will think they'll have some, I think it'll percolate for a minute.
So the topic du jour is AI. It's everywhere, it's in every conference, it's no matter what the topic. So one question for you is how is the development of particularly generative AI just generally impacting the department? Like how does it impact the threat landscape from your perspective? And then is it actually having an impact on the workforce? Are there things the Justice Department is doing with AI tools to help with the legal tasks? So in the national security space, we're focused both on how adversaries are using AI and also potentially how we can use AI. So sticking to the first of those in terms of the adversaries, I think we are very focused, for example, in the foreign malign influence space on what AI will mean for the ability of governments, including governments that don't have the resources to have a lot of native English speakers and others who can produce credible-seeming English speakers, what it can mean for them in that space, what it can mean for their ability to create fake personas, fake, authentic-seeming video and other media, what it could mean for influence operations. So that is I think a huge concern and the growth curve of that threat is just very difficult to get our arms around. In terms of, of course, malicious code and the ability to use AI to generate malicious code, that is another area that I think is of great concern just given, as probably folks here know better than I do, what that could mean for lowering the costs and barriers to creating all manner of malicious cyber tools. There is obviously, as I talked about with the data security though, a great deal of concern around what AI could mean for other adversaries' ability to use large data sets for surveillance purposes and to detect and expose and respond to US government operations and activities. So, you know, to me, those are top of the list. There's obviously also a very vibrant conversation about what the government can do to actually use AI. 
That is something that will keep lawyers in business for a very long time. And it's a little less the province of our division, but it's a very important, it's a very important subject because it's obviously something that is changing the entire landscape. One question for you at a very high level. When I was at NSA, we interacted with the Justice Department quite a bit, both in terms of enabling some of the operations we wanted to conduct depending on the landscape, but also in an oversight capacity. And folks here who are DOD or maybe in the intelligence community have that same dynamic with Justice. It's a little bit of support. On the flip side is, I think the average operator is a little scared of interacting with DOJ lawyers because you don't know where that's gonna go and are you really the friend or are you really the overseer? So, can you speak to that at a very high level, that dynamic, and how do you encourage trust with folks at DOD, folks at NSA to ensure the cooperation you want while at the same time you're kind of doing compliance reviews and making sure we're all staying within the bounds of the law? It's a great question and obviously a fair question. I mean, first and foremost, I do think we regard our mission as to enable, enable operations to go forward, enable the operators to do our work. You know, in the National Security Division, people went into that field because they care deeply about the mission and they have just tremendous respect and appreciation for the work that everyone is doing. And I think that mindset has to be the kind of paramount dynamic across all the interactions. In terms of some of the challenges, I know that DOJ sometimes does play an oversight role, sometimes is seen that way. You know, I think for whatever we add in terms of having to kind of put extra lawyers' eyes on things, we also do bring, as I tried to indicate, a number of authorities into the toolkit. 
I think increasingly, when you're talking about domestic infrastructure, operations that cross borders, things that we can do with our criminal toolkit that maybe others can do too, but we can do it and then talk about it and then use it in a different way. There's a lot that we can bring to the table, but for us to be able to use those, we have to know about what's going on. We have to have the opportunity to be able to contribute. So I think we are still, in some ways, the newer kid on the block in those discussions. We don't have the same, certainly the same size and scale as some of the other departments, but we are trying to show that we can add value, and some of the things that I talked about in my opening are ways that we're trying to position our workforce to gain those relationships and gain that trust so we can contribute. I think we have one question over here. Good afternoon, gentlemen. We've made it two days into this conference now and no one has said this yet, TikTok. Do you, obviously there's pending legislation. Do you believe that is a singular one-off case or do you believe that's going to open the door to a game of whack-a-mole? So is your question about the legislation or about the threat, the legislation? A little bit of both, right? I believe the threat exists. Is legislation the right way or is there maybe another path to address that threat? It's a great question. I mean, I think at a top line, the Department of Justice, others have supported legislation precisely because there is a current gap in our authority that makes it difficult to address the issue of foreign adversary controlled social media applications. Essentially the problem that a lot of those applications both collect a very rich amount of data that ultimately can become available to foreign adversaries, including China. 
And also that those tools can also potentially be a vector for the transmission of either malicious code or other manner of malicious activity on behalf of a foreign adversary. So I think that is a very real concern even without regard to a specific company, and the legislation that advanced in the House, although it has specific reference to TikTok and ByteDance, it actually gives authority across a kind of targeted category of foreign adversary controlled social media applications for us to do things. In terms of the whack-a-mole or tit for tat, I mean, it absolutely is the case that of course there is that aspect with all adversaries. They're gonna find new entry points and new vectors, but this does seem like a significant gap in our current authorities. It's also the case that there really is no symmetry if you're talking about China between us and China in that space. China does not even allow TikTok itself to operate in China. China does not allow US companies to operate in any respect in the way that we allow all manner of companies to operate here. It's not intended to be, that bill is not intended to ban those applications. It's intended to change their ownership and it is not intended to change the ability of users to use the, to post content on the platform. So I think it is very, very different from the way, for example, China and other adversaries regulate their systems. It's not about ideas, it's not about speech. It's about responsible ownership. And the only thing I would say, you know, in conclusion is, if tomorrow someone tried to buy a social media application who is based and controlled, based in China and subject to the control of the Chinese government or the Russian government or the Iranian government, our CFIUS process would never allow that to happen. We would never allow a company that was subject to instructions by those governments to do that. 
So I think from our perspective, it's a little bit of a, it's a significant and notable gap that where something can grow kind of organically across borders and have that aspect, it is, otherwise it's suddenly beyond the purview of the US government. Thank you. I think we had one more question here. Or maybe if you both don't mind saying your question out loud and David can address them together. So ladies first. Sure, hi, I'm Amy Neiman and I'm the Army War College Fellow at DOJ. So just wondering, in the wake of Colonial Pipeline and some high-profile indictments of Russian hacking groups, there's been increased interest in what exactly the DOJ components are up to. So can you share some thoughts on the department's thoughts maybe on disruption versus prosecution? And to the gentleman, maybe we could ask your question. You can wrap them both up. Good afternoon gentlemen. Mike, as you were giving your, I don't wanna say speech, but as you were giving your presentation, one of the words that came to my mind is extraterritoriality. A couple of times it just kept popping up. Since the theme of the conference is partnerships, are you able to talk to how DOJ engages partners to overcome the perception that we are applying our laws extraterritoriality? I mispronounced that, but you know what I meant. Is there? Both really good and fair questions. So I mean on threats involving Russia specifically, I think the department has been very focused for many years, but especially since February of 2022, in how we have to position ourselves. We have a whole task force, KleptoCapture, that focuses on the seizing of Russian oligarchs and Russian state actors and their wealth by enforcing our sanctions laws. We have done significant innovative things in the war crime space in regards to some of the atrocities being committed by Russia in Ukraine. 
We have worked extensively, including using the strike force to try to see what we can do to break the supply chains that are allowing components that the Russians are using in some of their most effective weaponry from being restocked by using cutouts and others that flow through different parts of Eastern Europe and Asia. And that is a huge priority of the department and there's a lot of resource being put into that space because we wanna do what we can to contribute. In terms of the extraterritoriality question, I think it's a great question. Obviously within DOJ I think a lot of our focus is on cyber activity that's outside the United States that aims itself inside the United States. And I feel like we are on pretty safe ground from our domestic laws and international laws from treating that activity rightly as activity that we at least have across this threshold to the point where we have a legitimate interest in deciding if it comports with our laws and with international norms. But I think the point you make is an important one, which is it is important for us, and we do our best at the Justice Department to try to ask ourselves with every case that we bring in this area, what is the principle for which this case stands? What is the rule that we feel like we ourselves as US government want to be able to champion and what exactly are we calling out as wrongful? Because I think where those cases are most impactful is when you have that principle where we can get other countries of like-minded values to line up in favor of those principles and where we can articulate a broader theory of the case. I think where we risk some of the kind of escalations and confusion that can happen is if we don't have that consistent theory of the case of what kind of behavior we're trying to render off limits and what kind of behavior we're willing to tolerate. Thank you for that. And everybody, I hope you'll join me in thanking David Newman. And Ross. 
Ladies and gentlemen, now you understand why we as US lawyers practicing at Cyber Command and in the department and in the State Department and Homeland Security, why we also value our partners at the Department of Justice. Just marvelous attorneys, marvelous partners, marvelous colleagues. And I think that demonstrates what Mr. Newman had to say, just how effective partnership can be. Partnership in the interagency, partnership in the private sector, partnership with our international partners and what they are able to talk about that they're able to accomplish. One of the best lines I heard today, it had nothing to do with hellacious. It had nothing to do with cadences or vitamin I or even federal acquisition regulations. One of the best lines I heard today was two panelists after the end of their panel who said, why haven't I met you before? And I think that is hopefully what we've allowed that question or at least the spirit of that question to be evident here after the second day. We heard from Director Coker who talked about partnerships and how it enables us to promote, implement, reinforce norms of acceptable behavior in cyberspace and how important everything that we do is to reinforcing those norms that the US wants to promote internationally, in particular with regard to protecting our critical infrastructure. We heard about how partnership is critical to the responsible use of artificial intelligence, transformative, challenging lawyers and not to perpetuate, in the words of General Grohan, the vitamin I deficiency, that as lawyers we have to allow imagination, innovation to occur. Critical infrastructure protection, we learned that partnership isn't just nice to have, it's critical. We have to do it in order to protect critical infrastructure and that is one of our most important missions to defend the nation in cyberspace. In fact, and it wasn't just, this isn't just coming from the Cybercom OSJ, it's not just coming from other lawyers. 
General Malak sat right there and said why lawyers are important and it's because lawyers are integral to operationalizing partnerships. Leaders come up with great ideas on how we can work together. Lawyers then have to get together and figure out how to make it work, how to make our laws, our authorities, our capabilities, our resources and our limitations and liabilities all work together for everyone's benefit. And then we got to hear from the regulatory panel and this is the point at which it started to occur to us that partnerships are hard, right? As we're implementing more and more regulations, reporting regulations, cybersecurity regulations, data sharing regulations, they're different internationally than they are in California, than they are in Connecticut, than wherever. We have to harmonize the regulations and so the lawyer's job in implementing partnerships is hard. We get that. Our international partners talked about how they want to work with us and they wanna work with each other and how we can work with them. But what we need to do, and the takeaway that I got from that, was to be curious about one another's laws, limitations, partnerships, capabilities. And so that's what we're here for. We're here to be curious. So what do I take away, especially after hearing that remarkable capstone presentation from the Department of Justice, where Mr. Newman talked about three successful operations just this year that involve partnerships in the face of all of those challenges that we talked about this afternoon. Implementing partnerships is hard work. But we learned this morning that it's imperative that we do it and we as lawyers have to implement our partnerships to make it work. And the Justice Department told us not only can it be done, but it can be done with great effect and it's very successful. But more to the point it's immensely rewarding, right? 
To build and maintain trust over time with those people we would partner with and to do it over and over and over so that we don't have to say to the people that we really value, why haven't we met you before? So I encourage you for the remaining time that you have here, if you're coming to the social tonight, if you're around later in the week, meet people so that you don't have to ask that question next week, why haven't I met you before? Make your partnerships in this room and keep them enduring. With that I'm gonna turn it over to Lieutenant Colonel Lincoln who is going to thank the outstanding Defense Media Activity Team that has made this possible and the Smart Center and everybody else and then tell us where we can all go socialize later. Thank you, sir. So this concludes our two days of unclassified sessions and the end of our live streaming, and we couldn't have made it possible without the wonderful production of our friends at the Defense Media Activity. So let's give them a wonderful round of applause. And as a reminder, these sessions will be recorded and available on DVIDS, so if you missed a session, for our live streaming audience or anyone here, you can access that online for a long time from now. So please, please check that out. Also thank you to all of our international participants and of course the Smart Center for hosting us here. Just a couple administrative remarks. So as Colonel Hayden mentioned, please join us immediately following the conclusion of this.