 Hi everyone, my name is Lauren Zabierek and I am the executive director of the Cyber Project at the Harvard Kennedy School's Belfer Center. First, I just want to thank Bryson Bort and the entire ICS Village team for inviting me here to discuss our paper entitled "Toward a Collaborative Cyber Defense and Enhanced Threat Intelligence Structure." I want to start with a story just to paint the picture, you know, how this is really informing my thinking. I spent over a decade in the United States intelligence community, and for a big chunk of that I was an analyst working counterterrorism. The group of analysts that I was a part of developed an entirely new methodology that at its core suggested that all data, no matter when it was collected or from what sensor it was collected, is important to identify malign activity. This mindset, combined with leadership who removed production burdens such as arbitrary reporting requirements, let us be analysts and figure out the hard problems. And, you know, isn't that what we all want as analysts, to be empowered to do that? Our work allowed us to become very entrepreneurial in our work. We made relationships across the community, offering our cutting-edge analysis for access to more data, and even creating our own forward-deployed spots to make good on those relationships and to continue the mission. In this setting, I deployed overseas multiple times, sitting side by side with analysts and operators in joint operations centers, or JOCs, where everyone was free to share information with each other, and where we all had awareness of the battle space because of the nightly operations and intelligence briefing. This is where I first became acquainted with this model that I describe in the paper, which is best highlighted by General Stanley McChrystal's motto, where he says, "it takes a network to defeat a network," and that's the whole crux behind this paper.
So say what you will about our overall strategy in Iraq and Afghanistan; from a tactical intelligence and organizational standpoint, I think we were innovative, and there are some really important organizational lessons learned here. When I came to the cyber world in January of 2016, I was fresh from government and fresh from this whole environment, and I watched organizations try to build up their own cyber capabilities for intelligence capabilities, operating on slim budgets and really trying to figure out how to defend themselves amid rising cyber threats, largely without government involvement. And I just remember thinking, there has to be a better way. Now, I want to be very clear here. I know there was recent pushback over conflating cyber and CT, and while there are some distinct differences and some areas of similarity, you know, it's the intelligence and the organizational concepts that I'm really trying to carry forward here. So the cyber threat environment demands the need for more collaboration, increased collaboration. We're witnessing increasing ransomware attacks and intrusions into our critical infrastructure by both state and non-state actors with increasingly sophisticated capabilities and sharpened intent. So the strategic vision set forth by our president and his senior cyber leaders is truly critical to helping us become more secure and resilient. But to operationalize that vision, we have to ensure that the structures and the policies to facilitate that collaboration are in place, and as we know, they've been lacking. So this is my idea to create those structures and policies, kind of like, "if you build it, they will come." From there, you obviously need strong relationships between people and even better ways to operationalize intelligence.
And this paper doesn't exactly address that, but I will make a quick plug for Share the Mic in Cyber, where in October we're going to be really focusing on those human-to-human tactical relationships for public-private partnerships. So is this a perfect answer? I don't know, but it's a conversation starter. And there are new ideas in here building on some existing ideas from other people. So I'm really excited to talk to you about this today. So first I want to go over how we did the research and what we know about the current state, and then I'll go into our five recommendations and wrap up, and I'll wait for feedback. We conducted research and interviews, starting back in November of 2019. We wanted to talk to people across the entire ecosystem, and we did. We spoke with people at state fusion centers, in national labs; people who were still in the federal government or who had just left; people from CISA, the Department of Energy, the intelligence community, the FBI. We talked to people at ISACs and ISAOs. We talked to people in various private sector companies, especially threat intelligence analysts, large and small, and some even in the critical infrastructure sectors. We wanted to map the current state. And an earlier version of this paper has 20 pages dedicated to the subject, but we cut most of that out for length because we want people to actually read the paper. But our thesis was that our current environment across the domestic landscape is very stovepiped and uncoordinated. And as you know, it leaves the analysts and the operators overextended. You're all exhausted. And it's not getting much better. And of course our critical infrastructure remains vulnerable, which was borne out in our research. We know that for defense there has to be a layered approach between the diplomatic community, the military and intelligence community, and, of course, regulations.
And this paper doesn't address that; it's really just focused on the nature of our collaboration and threat intelligence sharing. So take that for what it is. We looked at the landscape through four different lenses: cultural, organizational, legal and technological. And it was part of my hypothesis from the outset that these were where some of those barriers to effective collaboration were. And as we know, domestic cybersecurity is really hampered by limited resources: talent, data, funding. There's a siloed approach and, especially at the state and local levels, an emergency management and law enforcement approach, which isn't necessarily a bad thing but doesn't really lend itself to strategic whole-of-nation approaches to the problem. The private sector is responsible for their own networks and their own data, as you know, with varying levels of maturity and resources. And similarly, the federal government suffers from swim lanes, budget limitations, paperwork requirements to actually work with the private sector, and classification issues. There are a lot of trust issues between public and private and the states, this thought of, "well, if I'm going to work with you, what am I going to get out of it?" So a lot of entities thought they weren't really getting much out of that collaboration. Not one person has been able to really hammer this out between the interagency and, you know, engaging with the private sector from a holistic standpoint. And so, to us, the fundamental challenge is that the structures, the policies and the incentives are lacking, and the relationships that do exist are largely ad hoc, and they're point to point. There's no clear operational picture of the entire threat landscape or, again, a coordinated, sustained, strategic approach to really address the issues. And we lack a comprehensive understanding because we aren't collecting, processing and sharing that data that's out there in a coordinated manner.
So before I jump into our five recommendations, I want to read you a quote from Team of Teams by Stanley McChrystal, where he says, "organizations must be networked, not siloed, in order to succeed. Particularly we restructured our force from the ground up on principles of extremely transparent information sharing and decentralized decision-making authority. We dubbed this goal, the state of emergent adaptive organizational intelligence, shared consciousness, and it became the cornerstone of our transformation." That quote right there is really just the driving vision for the structures and the policies that I describe here, so restructuring, transparent information sharing and, you know, at the different levels, decentralized, lowest levels, making those decisions but still having that common thread across the whole landscape. So, our first recommendation to actually create those structures is to take something that exists now and transform it. And what we're recommending is taking the current CISA regional office structure. They have 10 regional offices right now, and they are staffed by, from what we could derive, a handful of people; they're more advisory posts right now. But what we are recommending is to take each of those offices and just build them out, making them bigger, outfitting them with, you know, a number of workstations and common communications across all these nodes. And we're calling them, or we want to call them, the collaborative defensive and analysis centers, or CDACs, so mirroring the JOC, sorry, the JOC construct. But, you know, we don't want it to be over-militarized. But in this setting, analysts and operators would sit side by side, analyzing and sharing cyber threat intelligence, providing early warning across the ecosystem and coordinating defensive actions with stakeholder organizations. And mentioning the stakeholder organizations, people may think, well, who has a seat in the CDAC?
Obviously, not everyone can have a seat in the organization, and of course it is incumbent upon the different entities' staffing levels whether they can send somebody or not, but at a minimum, we're thinking people like representatives from the FBI, representatives from CISA, representatives from the state fusion centers, so the states that are operating in that region; the different ISACs and ISAOs, especially ones that have a heavy presence in the region; and different private sector companies, both big and small, but especially ones in the critical infrastructure sector. So bringing all these analysts together and also giving them the ability to have reach-back capability to their own organizations for additional analytic support and any sort of defensive actions. A lot of people have asked, well, why regional offices? We think that they're key to this vision because they offer that physical breadth to the mission and a field office touch point for businesses and states operating in that region. We think a structure like this would ensure a sustained, government-led, coordinated presence in all regions of the country, but to combat the threat on a local level, something that I've heard called reaching communities, and highly distributed, and having an intrinsic understanding of entities in that region I think is really important, because there are just different needs and different realities on the ground. And then of course every day or night, we think there should be an enterprise-wide operations and intelligence briefing that everyone in the CDAC could observe and gain situational awareness. You know, the analysts would share strategic intelligence, operators could debrief the incidents and, you know, note any major reflections from those activities, and we think this would be the thread that holds all the different nodes in place and continues to build that connective tissue. Our second recommendation is to scale voluntary data collection and processing.
We can't really have this structure without the data to go through and to really provide that foundation for enhanced analysis. So collecting more threat data and processing it, and by processing I'm talking indexing, applying analytics, minimizing it, so stripping out all of that personally identifiable, organizationally identifiable information, to create that common operational picture and then to ensure that it is shareable at both speed and scale. We have the information out there, you know; it's in all these different networks, it's with companies, it's with government organizations, cloud service providers, ISPs, etc. But we need to get this data, again this anonymized data, into the hands of analysts to really drive those operations. And you may be asking yourselves, well, don't we have systems like this in place with, say, CISA's Automated Indicator Sharing system or DOE's CRISP? Yes; however, while they can be, or they should be, very foundational and help to provide early warning across the system, they're just not, or at least AIS isn't, at a point where it can really do that yet. So both of those programs need to be upgraded as far as the technology and increased in scale. So, for instance, in September of 2020, the inspector general released a report that noted that, at least in 2018, only 219 private sector organizations were members of AIS, and those who did participate found that the information that they were getting just really lacked usable context, which as you know is just not, you know, as helpful as that could be. And CISA also was understaffed, which really limited outreach to the private sector, and on the whole, you know, where DHS is really seen as a regulatory agency, I think a lot of organizations are very reticent to participate in that, and so we need to change some of those policies and incentives.
So, to get wide-scale voluntary participation, we think a number of things should happen. So first, ensuring that anonymization or minimization, so again stripping out that information that we don't need, that is personally identifiable or organizationally identifiable, stripping that out and making that automated. But even further than that is to put that burden on the solution. So, instead of having every single entity who participates have that as their responsibility, it has to be on the solution. And that's not only from a legal standpoint but a technological standpoint, too: access controls based on authorities, applying analytics and indexing this data, again, to be instantly shareable. And, you know, maybe it's through a data lake or maybe it's through the notional Joint Collaborative Environment that the Cyberspace Solarium Commission recommends, either way, but, you know, to create these analytics on top of the data to help analysts, to free them up to do the higher-order analysis and to essentially triage. And, you know, a couple, I mentioned the legal aspects: the cybersecurity information security, or infrastructure security, act of 2015 should be amended to help facilitate the sharing. So again, taking the minimization burden and putting it on the solution, and really the government, to do that. And then, removing the limited liability clause that limits private sector protection, so essentially adding more protection to the private sector entities that participate there, so it doesn't have to be just sharing with DHS, for instance. And ensuring that the incentives are there, the business cases are there, but making it easy for people to say yes to do this. So with that I will turn to the next recommendation, to create a culture shift.
And again, I will read you another quote, I think from Team of Teams, and maybe from My Share of the Task, but McChrystal said that "in the world of intelligence, information was power, leading people at each stage to ask themselves a set of questions: should we pass this intelligence, and so how much will we get in trouble for it? And those doubts cost us speed and often diluted the intelligence, making it less likely to lead to targets. We widely distributed, without preconditions, intelligence that we captured or analysis that we'd conducted. The actual information shared was important, but more valuable was the trust built up through voluntarily sharing with others." And that I think is so key, because as we've seen, the trust really needs to be built up between the public and private sectors, trust as well as, again, the structures and policies. So, much like the task force in the early 2000s, I think that we need to make a major cultural shift in our domestic cybersecurity posture. A lot of interviews told us that there's a big disconnect between the field and Washington, DC. So, they may ask questions to certain representatives and it would just take forever, because they would have to route those questions back to DC. So really, we have to flip that mindset on its head for both this expeditionary culture, in which, you know, the major activities happen in the field and DC is the reach-back office for the federal government. And in fact, Chris Krebs, the former CISA director, has said the future of CISA is in the field, so along that line we think this could really be an interesting solution. And then, to incentivize people to buy into that, we recommend tying the ability to go out into the field, if you will, to promotions, bonuses and raises, for instance.
And then we need to really create a culture in which sharing and collaboration is the norm and not the exception, and the way to do that is for the leadership to set the mission and priorities, as well as the conditions and the infrastructures, technologies, etc. to do so, but also to build that connective tissue between the nodes and ensure that people are executing in line with those missions to help do that. So in my example, we need to move from seeing metrics as measures of effectiveness, metrics and numbers, say, reports created, to analytic outcomes. So, in my experience, in organizations that mandate a certain number of reports, collaboration and information sharing then becomes not the goal but an inhibitor to creating those reports. So, where the leadership removes those burdens of production from analysts and instead focuses on those hard analytical outcomes and subsequently operational successes, they then become more entrepreneurial and innovative. And most vital to realizing this is personnel, from leadership on down to the most junior levels. Everyone has to be welcome; diversity is key, focusing on those people, but ensuring that they're welcomed and they're supported, and really focusing on diversity in demographics, background and experience. So my recommendation is to unravel the interagency. In our research we discovered that the interagency cyber environment was really characterized by competing equities and priorities and up until the creation of the national cyber director. Every person was really only are able to unravel that yarn to determine those priorities and who arbitrates among the interagency. You know, the equities to classification battles, and then also as they are coordinating with the private sector. So, with the creation of the new national cyber director role.
Notice that the deputy national security advisor for cyber and emerging technologies, Anne Neuberger, will handle Title 10 and Title 50 cyber issues, so more on the offensive side, and the NCD will be responsible for the rest of the interagency and engagement with the private sector, so on the defensive side from a strategic standpoint, while in continuous coordination with each other, and this distinction is important. And that the president really imbue the NCD with that authority, to ensure that the director can determine those priorities and hammer out those conflicts, because when Congress set this position they really gave the president some wiggle room on how to actually take this role. So we're really hoping that the president can really give that role the authorities that it needs, on par with the counterpart at the NSC, so Anne Neuberger. So, where Anne Neuberger and Chris Inglis set that strategy, the other agencies, and especially CISA, will operationalize it. Given the agency's importance, and its relatively small budget and the recent politicized, political, can't say it, politicization, we echo the call for CISA's independence from DHS. We believe that it would give greater authority, a bigger budget and more operational flexibility to an agency that just really needs it right now. We think it could provide greater flexibility in hiring practices as it looks to scale up and out, and informally we've heard, you know, some frustrations there. So we believe that it would also allow for reform of the sector risk management agency construct that I'll get into in a second. But with CISA as its own freestanding agency, we're recommending that it establish its own intelligence arm, becoming the newest member of the intelligence community. That way, the office can work with the different CDACs to inform the intelligence collection requirements and priorities.
At this point there's no real institutional mechanism to inform the collection framework, despite a lot of those threats really focusing on the homeland. On the SRMAs, we think first that PPD-21 should be revised to enhance collaboration and sharing across all sectors and entities, so transforming the focus from a sectoral approach to a cross-sectoral, mission-focused and collaborative one. And then second, if you could take those missions to collaborate and share information with the private sector that are currently on each of the SRMAs, so think DOE, think TSA for pipelines, for instance, instead I think you could transfer those missions to CISA, but really operationalized at the CDAC. So again, at the CDAC level, they would be the ones taking care of sharing that information and working with their constituents, basically, in the private sector. Our final recommendation really focuses on personnel. We often read about the gap between the number of open jobs in cybersecurity and the number of quote-unquote qualified personnel. According to CyberSeek there were over half a million open jobs in the US, and we currently lack the personnel to fill them. The pipeline is always going to be an issue. There are a lot of people who are looking to get into this career field; they're working towards this employment, but for a variety of reasons they're finding it very difficult to make that jump in. And one of the biggest reasons, and there are a lot, we won't go into them right now, but one of the biggest reasons is that a lot of jobs, even entry-level jobs, want their candidates to have experience. So how can you get experience if you can't get in? And a lot of people are, you know, even if they're able to overcome those high costs of training and certification, to make that jump has been very prohibitive.
To bridge that gap we're proposing a service here in which a person interested in this field could, say, receive training and support for certification in exchange for at least a year of service at one or more of CISA's regional CDACs, for instance, but really getting that critical boots-on-the-ground experience. Now, this is not the military; you're not going to have to get up and do PT, you're not going to have to deploy overseas. It's just, this is your national service; in exchange for training and certification you're getting that experience. And then, importantly too, I think it would really help to fuel civic renewal, which is something I think we desperately need right now. You know, to make this happen, the President actually signed a law, the American Rescue Plan, that included $1 billion for national service. And so we recommend that the White House establish this interagency service corps between, now, DHS, but if CISA becomes its own regional freestanding agency, then something like that, for instance, and, you know, eventually maybe include other agencies, but in cooperation with the National Community Service organizations, to create those opportunities, to create those pathways in, because as we know we desperately need people. And then on the other end of the spectrum, you know, to raise the level of analytic capability across all federal entities, and to get people who are very interested in cyber but who haven't really found those pathways over yet, to create those opportunities for analytic exchanges between the agencies, but especially between CISA, FBI and NSA. And so we think that it would sort of raise the level of capability, it would provide bio experience and training, but also build that connective tissue and that trust across the different interagency elements. So, thank you so much for hanging with me. I know that was a lot to digest, but I'm really thrilled to be here and I really look forward to questions and your comments. So thank you very much.