Ladies and gentlemen, to our over 200 attendees here in person at Joint Base Andrews, Maryland, and to our countless streamers online, welcome to day one of the 2024 U.S. Cyber Command legal conference. I'm Lieutenant Colonel Josh Johnson, I'm the Deputy Staff Judge Advocate or the Deputy General Counsel at U.S. Cyber Command, and I have the pleasure of introducing the Staff Judge Advocate, the General Counsel of U.S. Cyber Command, Colonel Pete Hayden. Colonel Hayden has served in this job for the last three years during an incredible time in national security law and cyberspace operations. He previously served on the National Security Council and served on Chairman's Legal, advising the chairman of the Joint Chiefs of Staff. Ladies and gentlemen, please welcome Colonel Pete Hayden.

Wow. Good morning everybody. As you mentioned, I'm Colonel Pete Hayden. I'm the Staff Judge Advocate at U.S. Cyber Command. Welcome to the 2024 U.S. Cyber Command legal conference. For the past 12 years, this conference has explored the cutting edge of issues in cyberspace and national security, specifically in military operations. It's always educational. Sometimes it's groundbreaking. You may be familiar with some of the speeches that have occurred here at this conference, and some of the ideas that have come out of these forums over the last 12 years. The theme for this year's conference is the power of partnerships. We're going to get together with a bunch of panels and a bunch of colleagues, and we're going to explore how we can work together to build a safer and better world in cyberspace. Over the next few days, you're going to hear from subject matter experts, 44 subject matter experts in speak, and then of course all of you in the room and online. And we're going to cover topics. The subject matter experts come from the private sector. They come from the academy. They come from government, not just the military, but the broader federal government. 
They come from our international partners. The whole point is to learn how we partner with one another across lines. The topics are going to cover everything from privacy and civil liberties to competition and great powers, innovation, acquisition, private sector engagement, artificial intelligence, critical infrastructure protection, data protection, harmonizing the regulatory environment, and many more. I think you're going to find it interesting. I know I'm going to find it fascinating. So what would we like to take away? At the end of every session, I'd encourage you to think of three things. First, what does partnership mean to you and your organization? What can you get out of it? Why is it valuable to us? What can we accomplish with our partners? The second thing, of course, that we should be thinking about is we're all lawyers, or most of us are. How do law and policy affect our ability to partner with somebody, an organization that's not like us? But the third thing is, and this is the challenge, and what we really hope everybody comes away with, what do you need to know about the people that you would partner with, about the organizations you would partner with to build better relationships, to build better arrangements as lawyers to build better agreements, stronger, more enduring, more profitable for all partners? What do I need to know from my would-be partner's perspective? Their regulations, their limitations, their constraints, their authorities, their capabilities, their equities. What do I need to know, and how do I learn to frame how I engage with them? Think of these things at the end of each session each day. I want to say thank you. First of all, if you don't know her yet, I'm surprised, Lieutenant Colonel Lori Lincoln, who has spearheaded this conference and put everything together. I hope many of you know her. 
Lori's entire team has done a remarkable job with Ray Macias and Lieutenant Colonel Johnson, and then of course all of our team out in the front and the volunteers and the smart center, and then the defense media activity that's making it possible to bring this conference to those who can't be here in the room. Thank you to our 44 speakers, our experts who came to join us. Thank you to you in the room and to you online. Thank you so much for engaging with this stuff. Your discussion is going to make us better. So now, I'm pleased to introduce the keynote speaker and the real reason that you're here at this hour, General Tim Haugh. General Haugh assumed command of the United States Cyber Command and assumed the directorship of the National Security Agency and became chief of the Central Security Service in February. This is after 32 years of distinguished service in both the intelligence community and the military operations communities, and I counted it up. The man has been in command eight times. So a military officer, you understand what that means. That means he's been entrusted to be in charge eight times, 13 out of his 32 years. That's a huge amount. But what does it also mean? You look at the why and the why we want to work and why he's entrusted with leadership. This is the kind of people that lead our largest organizations, just like his predecessor, General Nakasone, he comes up with a vision. His principles are people, innovation, and partnerships. And what's the very first word? It's an organization of heavy policy. It's an organization of heavy technological change, and we're going to hear some of that because he's an expert on all of that. As are many of his leaders in Cyber Command and many of the people that you're going to hear from this week. But number one was people. And the motto of Cyber Command is we win with people, because that's what good leadership is. And that's what I encourage all of us to take to heart as we go back to our organizations. 
In this dual role, I don't know how he keeps it all in his head. How you date both the intelligence community, the cybersecurity community, and the military operations community. But however he does, we are honored to work for him at Cyber Command. So please join me in giving a warm welcome to General Timothy Haugh.

Good morning. I would normally start with some sort of lawyer joke, but I normally tell everyone that if you're going to be in cyber, you're going to be a pretend lawyer. So I feel like I'm with my people. So when we think about where we are today in US Cyber Command and where cyber fits in the department, I just want to take a little bit of walk backwards. Because we've come a long way in a short period of time. I had the honor to serve for General Nakasone as the deputy commander of JTF-ARES in 2016. And this was a time when the department was trying to figure out, where does cyber fit? Where does it fit in our military doctrine? Where does it fit in our national policy? And at that time, we really didn't have clarity. We didn't yet have law that said where does cyber fit inside of military operations. We didn't yet have clarity on our national policy. And we certainly didn't have clear military doctrine. But when JTF-ARES was stood up, we had a mandate. The Secretary of Defense had told Admiral Rogers that he wanted to take ISIS off the internet. And Admiral Rogers stood up a joint task force that was focused on understanding what that threat looked like online. And so when we began to propose operations, each one of those operations required us to essentially knock on every door in the interagency to explain what were we trying to accomplish. And there's been a really good post-mortem done on Operation Glowing Symphony, which was one of our largest operations at that time. 
But we had to go to every single door, led by our legal team walking through first with the joint staff and with OSD and making sure that we were aligned in what we were proposing and how we proposed it. And then we had to walk through every element of the interagency and then all of our policymakers had to review each operation. And that was how it was done and that was not that long ago. When we think about our understanding of what law looks like in the military domain, we have millennia of experience of what it looks like in the land domain. We have centuries in how we think about maritime law. And we've got decades when we think about the air domain. 2016, we're talking about operations in cyberspace that we did not yet have really a codified approach of how we conducted operations and where they fit in military doctrine. So thankfully, 2018, a significant shift for overall how we think about cyberspace and how we gained alignment in our law through the 2019 NDAA, the establishment of national policy. And then establishing US Cyber Command as a combatant command with a clearly defined set of authorities and responsibilities. So as Cyber Command today, we know exactly what our roles are. And we know where we fit with our interagency teammates and we've got process to be able to work with them. And I'll talk about that today as to where we stand and how that collaboration works every single day. But first, I wanted to just make sure everybody was level set, what our roles and missions are. So when you think about US Cyber Command, three missions in the unified command plan. First, we defend the Department of Defense Information Network. So we are the responsible element to drive the defense of the entire department's network. All 15,000 networks that comprise the Department of Defense Information Network, we drive that defense with our partners across the department. Second mission, defend the nation in cyberspace. 
Really being able to defend outside our borders against foreign threats, targeting our critical infrastructure, defense critical infrastructure, or the department. That really translates to countering adversary hacking activity. Third mission is to support the joint force. And that's our partnership with the other combatant commands. And I'll talk more about how that partnership has evolved as we've integrated planning staffs with each of them and how we collaborate every single day. We have a fourth mission that has now been identified in the DOD cyber strategy. Building partnerships with allies and partners. Clearly overlaps with the theme today. And we're proud of the work that we do with our international teammates. Both those teammates that have capabilities and those teammates that are really trying to determine how does their ministry of defense build something that might be a cyber command or an entity that thinks about cyber and where it fits in their overall national strategy. So that's US Cyber Command and the roles that we play. I want to touch on the roles of the National Security Agency, because we certainly overlap every single day in how we operate. National Security Agency has two primary missions. First, as a foreign intelligence agency, conducts signals intelligence. The lead for the nation in conducting signals intelligence activities. To be able to collect information in the electromagnetic spectrum and to be able to produce indications of warning and intelligence for our policy makers. Lead for the nation in SIGINT. The second mission is in cyber security. Clearly defined responsibilities as the national manager for national security systems. Setting the overall guidance and configuration essentially of our classified systems or systems that process national security information. NSA also has the responsibility in that cyber security mission to produce cryptography. The ability to generate code. 
And inside that, producing the cryptographic material that defends all of our systems. So as you can see between NSA and Cyber Command, there are clearly defined missions, two organizations but operating in the same space. And that's why we have a single leader of both organizations. To allow us to have speed and agility and to be able to operate in a way that ensures both organizations can succeed in their missions and also not collide in cyberspace. So really good, we have had great success. We can talk more about that if that's an area that you're interested in. The environment that we're operating in today certainly is a charged environment. You can walk across the globe and think about what the threats look like today. Whether that's Russia's unlawful invasion of Ukraine and what that has translated to both for Ukrainian partners and for NATO. We could talk about the crisis that is going in the Middle East since Hamas's actions against Israel and Israel's response. And what that has meant to threats to US forces throughout the region and impacts on a number of allies and partners. We can look at what is happening today in cyberspace when we think about ransomware and the effect on US corporations and Western corporations and what that threat looks like. We can also talk about what China's activities in cyberspace look like. And one of the areas that we think about often is how do we expose that activity in a way that allows the maximum number of partners to be able to take advantage of that understanding to defend against those threats. So when we talk about China today, one of the threats you'll hear us talk about is something we've identified as living off the land. And what that really means is we have put out very detailed descriptions of Chinese tactics in cybersecurity advisories. 
And those cybersecurity advisories detail how China has penetrated systems and then use the capabilities inside those systems to live off the land using the technical capabilities of the systems they've compromised to reside there. Not for the purpose of intelligence collection, but to assure access in things like critical infrastructure or within Guam. Areas that we know have relevance from a military perspective, but also for pre-positioning for other activities. Those are things we want to expose and one of the reasons we want to expose it at that detail is so that we can then partner with our allies, with our partners to talk about those threats at an unclassified level. To be able to share that information with our industry partners, who also have insights that look different than ours based off their vantage point in either building the domain or operating in the domain. How do we increase that collaboration based off our knowledge? So as we think our way across the strategic environment, there are opportunities every single day to partner. And those are choices we make about how do we get the maximum benefit for the greatest number of partners as we approach those challenges. So one of the things that we're also thinking about is in our partnerships, one of the areas that we will address as we think about the future of US Cyber Command is also how do we partner with industry in capability development? As US Cyber Command, the original model of US Cyber Command when we were constructed was that the services would provide capabilities to the forces they present. And that model was really one that was thinking that a monolithic acquisition system would be able to over time be able to generate the requisite capabilities. What we have found is that largely we've had to generate our capabilities inside our force. And so what that has now occurred over time has been the growth of what are the expectations of US Cyber Command as an acquisition organization. 
And with a model that was thinking about, how could we grow Cyber Command to be SOCOM-like? Leveraging service-like authorities. Now, the reason I'm going to walk through this is because I think it really talks about what our partners look like in the future. Because I think they're going to be different partners. And the vision of making us SOCOM-like has been a journey for about ten years that was finally realized two weeks ago. The passing of the budget for 24 and the appropriation gave Cyber Command the authority for enhanced budget control. What that translates to is we now have the budget responsibility for equipping the offensive and defensive cyberspace force for the Department of Defense, that force that we operate. So now we have the ability to be able to validate a requirement under our authorities that we've been given. We can allocate the resources against whatever that need is. And then we will be able to acquire that under our own authorities, either inside US Cyber Command or in partnership with the services where we drive the requirement, we have the resources. And now we're going to be able to produce the capability that we need for our forces. That's a pretty radical change from where we started to now what we're authorized to do today. And what Cyber Command now has to do is grow into that role very quickly. And so in our discussions with the department, one of our key areas that we'll be talking about is how do we, as Cyber Command, rapidly mature our acquisition force. We're really confident in our cyber acquisition executive that we brought on to lead that team. Now we need to think about what our partnerships look like with DARPA, with our research and engineering teams at OSD. What does that partnership look like with the services now that we have resources, multi-billion dollar resources to align against our capability development? How do we use the authorities the department has given us as an S&T center to do tech transfer? 
Where does that put us now to be able to partner with industry as we start to think about capability and capability development? That's an area that for us is going to be one of the most significant priorities that we will focus on and we will accelerate. And those partnerships will primarily drive us with our teammates in the services and with industry. The other area that we have really talked about with our teams is as we think about persistent engagement and when we look at the national defense strategy, which talks about integrated deterrence. What integrated deterrence really means to us is that the rest of the department is looking at US Cyber Command to say, how can you bring cyber to our activities? And as they think about their focus on strategic competitors, they clearly would like to partner with US Cyber Command. And that's our task. Our ability to partner with those combatant commands to be able to generate options for them that enable either defensive or offensive options that put them in a better position to be able to campaign within their respective area of responsibility. The way we've matured that has been primarily through our teams that we have placed at the combatant commands. We have over time grown teams at each combatant command that are at the smallest 35 cyber experts that we've now put with those combatant commands to the high end of over 50. And that allows us to integrate every single day with every combatant command across the globe and with US Cyber Command being invested in their outcomes. And being able to deliver cyber as part of how they campaign and how they think about integrated deterrence. For us in the missions that we're responsible for, when we think about the overall responsibility to defend the DODIN or to defend the nation in cyberspace, the areas that we're thinking about are outcomes. How do we break down a problem? And we normally do it through a very simple structure. How do we generate insights about that problem? 
How do we enable defense? And how do we impose costs? And inside there, what we have matured to is very different than where we started in JTF-ARES, which was about the department generating a capability and getting it approved to be able to execute. Today, it's about outcomes. And those outcomes could be a cyber operation. It could also be a public affairs release that exposes something from our adversary. It could be a defend forward mission where we send a defensive team to another nation to help them clean out a network and identify adversary activity and expose that activity. It could also be a sanction. It could be a demarche. It could be an exposure by the Department of State's Global Engagement Center. The outcome is what matters. And in doing that, we can think about how we campaign very differently. And we're proud of the work that goes on every day with our interagency teammates, with our other combatant command teammates, and also with our foreign partners that are also dealing with the very same issues, either within their networks or in requests from other elements of their government for more cyber capability. So the last area that I really wanted to talk about is how we really think about multi-domain. When you think about what the future holds and we look at what's happening today in Russia, Ukraine, and what it means to not just be able to generate kinetic capability, it's also about how we operate, how we defend networks to ensure that we have information advantage. And so for us, as we think about those multi-domain activities, it's also about realizing that as a Department of Defense, we have incredible capability, incredible experience. But we have not had a crisis against a near peer that could both collect against us at scale and also target us within the cyber domain at scale. So what does that mean for us when we start to think about our priorities? 
That means we need to think about how US Cyber Command leads the department to set the globe from a security perspective. How do we ensure that we're cyber secure? So that we understand that the department would be able to operate all the way from our strategic capabilities to be able to move goods around the globe and to be able to ensure that we're best postured. That takes a number of partnerships. When we think about how the Department of Defense moves, our global reach, what does that also mean for the networks that we operate? What does that mean about the underlying infrastructure of the partner nation that we're going to be operating with? That brings with it an implied series of partners that we have to have to be able to be successful in anything that we're going to do in crisis. Those include our combatant commands, those include the interagency, and they include the foreign partners and allies that we're going to be operating with. And it's going to be different than what we've seen in our past. So for us, it starts with setting the globe. Wherever that crisis is, we're going to think about setting the theater. And how do we partner with the geographic element that may be the lead for that crisis to ensure that they have information advantage? That's an area for us that's going to be continued tradecraft. That's going to allow us to be thinking about not just where do we place our cyber protection teams, our high-end defensive force. It's about how do we use all the authorities that we have to set the configuration of the Department of Defense networks to be able to set the training standard for anybody who does cybersecurity or defense across the globe in the Department of Defense. And it's also which partners and allies do we need to either team with or when they come and say, hey, we need some help. As we think about standing up a cyber command, that's where we're going to invest our time and our energy. 
Because it's going to be important to our combatant command teammates to be able to respond in a crisis. The other thing we have to think about in any crisis is generating options. How do we generate options for our policy makers, for the secretary, and for any supported combatant command? This is where the overall department and Congress's investment in the US Cyber Command and our ability to generate capability. We've got to be able to do that so we can generate options that are going to be relevant in competition, in crisis, in conflict. We're doing it successfully today, but we've got to be able to do it at scale. And I think those are the areas we're pretty excited about. So finally, what I really wanted to walk through today, is kind of talk a little bit about where we are. As I get the very exciting week of getting to be part of posture hearings all week long after leaving you today, it'll be an assessment of where we are today as US Cyber Command and the National Security. And we're at a really great starting place. But we have opportunity in front of us, and our grade sheet should be built on how well we use the authorities we've been given, how fast we scale, and how we partner. So looking forward to continue the conversation with you. I'll take questions for a few minutes on any topic that you're interested in.

It's our Sean McMahon from SOCOM. I know with the new passage of, as your service-like authorities are going, and they have the ASD cyber, in alignment with SOCOM has ASD-SOLIC, our partnership, ADCON, Statutorily Defined Partnership. How do you see that going for you going into the building, in your CYBERCOM hat, using that ASD and then being able to project and message to the secretary and those unders and deputies? How do you think that goes forward now with the current creation of it and then going forward? Do you see it becoming like an ASD-SOLIC or something different?

That is clearly Congress's vision. 
Is the relationship between ASD-SOLIC and SOCOM should evolve that ASD-CYBER will look like that with cyber command. Now, we're gonna get an opportunity to really test that partnership fast. Because I'm testifying with the acting ASD-CYBER, Ashley Manning, this week. And so it'll be our opportunity to talk about what we see this looking like. There are a couple things that Congress has already given us. That is where we're gonna owe products. So when we think about part of our future, we are talking about cyber command 2.0. And for us, that's how do we take all these new authorities? How do we take this partnership with ASD-CYBER? And how do we leverage a series of things that Congress has asked us to do? And Congress has asked us to study, how do we generate forces? How do we structure our headquarters that includes cyber command headquarters, our joint force headquarters that are our components, and our cyber operation integrated planning elements that are our forward presence with combatant commands. It asks us to also accelerate our ability to stand up a program executive office by 2027 to manage our architecture. And finally, we did a defense science board study on our architecture. So all those are due, but one of those studies on force generation has required us to go back between ASD-CYBER and the commander of US Cyber Command and brief the secretary on our vision for the future of force generation this summer. And so that's gonna clearly be a really good example to partnership. So you didn't ask, but I'll now dive a little deeper on that. Because I think it is a good cue and I know you're likely gonna have some conversations about it. So in the force generation study, what it asked us to do was to look at our partnership with the services. And what I will tell you is, over time, we have had with the services a different relationship between each service and at different parts of our creation and to where we are today. 
But we're pretty proud of how the services responded to a series of things. So before I go into that study, I'll talk about how we've worked with the services real quick. And one of those is, Congress asked us last year in an element of the law on section 1502 to evaluate the services readiness and their ability to present forces to US Cyber Command. So we provided, General Nakasone submitted back a response that said, here is how the services are doing. And here are five things that we think the services could do to improve our readiness. And most of those things were areas that had previously been tackled by SOCOM, as it looks at how the special operations forces are managed. And it was around personnel policies. It was in how the services leveraged tools that Congress had given for retention to each of the services. And it was about assignment policies. And so those five things were areas we identified that have now come back to the department in a different section of law in this year's NDAA for the department to consider to implement those five things. Well, what we also found in the last year is that we have been doing a concerted readiness campaign plan with our service teammates and with our service cyber components. So it's been going on for over a year. And we have now seen a pretty significant jump in our readiness. And part of that has been driven by services implementing a number of those areas we had identified. Now, what else could the services do? Probably the number one thing that we would ask them to do is uniformly implement those five things. So we have seen individually within the services some really excellent things as part of our partnership to be able to improve our readiness. And use things that Congress has given us. The Army has incentive pay that's based off of certifications and qualifications, it's really good. 
The Air Force has now implemented a tech track pilot for keeping individuals in cyber for extended periods of time and have changed some assignment policies. The Navy has now created their rating. And the Marine Corps has an eight year initial enrollment for a new cyber officer. Those are all really good examples of something each service has done. We would like to see them all raise that floor farther. And that would be an area. So that's our starting point when we look at where we are in force generation. And one of the key things that we were told was evaluate where you are today, which is really last year's approach. Include the SOCOM-like model which you've just begun. And then look at whether or not we should consider a cyber service. And so we're doing a study right now that will evaluate and we brought in an outside think tank to help us look at this. What are the spectrum of options? There are also a number of things in between there that we should consider. And also whether or not any of that menu should be applied together. So we're evaluating that and that'll be a great test for us as our teammates within ASD cyber and cyber command as we go forward. Good question.

Good morning, sir. On our 10th leap, you mentioned the cyber security missions as well as cyber defense and partnership development. Could you please tell us a little more about the division between those missions, collaboration between cyber command, the interagency and partners? And what kinds of solutions you think are needed in that area?

So first, I think as I think about internal to the department. What really there's been a number of initiatives by the secretary and the DepSecDef to raise how we are doing cyber security in the department writ large and identifying where do we have any critical vulnerabilities. And one of the areas that US cyber command has taken on as part of that, we have a role within the department and in the law as the joint force trainer. 
So that allows cyber command to set the training requirements, not just for our force, but for all of DoD cyber forces. And that allows us to now start to raise that floor. The first place we've invested our time in our training standards was in the cyber security service providers and what is the standard for every element in the department that does cyber security. And that is our offering to start to grow the overall capability of the department so that every weapon system has a cyber security service provider that is trained to a common standard. And so we have now been able to start to assess the readiness of the key largest cyber security providers and we want to keep that going throughout the department. That's an example of how internal the department. With our interagency teammates, I think from both NSA and cyber command we clearly have we see defined roles between all of our other teammates. The role that DHS plays in terms of defending our critical infrastructure with all of the lead agencies for the identified elements of critical infrastructure. The role that the FBI plays in terms of response to hacking activity in the United States and how they pursue and investigate. You'll hear from both of them during the conference. And I think you'll find from both of them that we have incredible collaborative activities that go on with both CISA and with FBI every single day. They are focused domestically. We are focused outside of our borders and how we think about threats. So it gives us a really clear delineation. Now the other thing that we want to be able to do is be able to share information faster. So what the department has now done has given cyber command the resources that we will now place LNOs from cyber command with every lead agency for a critical infrastructure segment. And that will allow us just to have better connectivity. 
So if we see a threat, we'll now have somebody on site to be able to work with that lead federal agency so that we can move faster and be able to allow them to use their authorities if there's something that we see that they haven't seen. So I think those delineations have served us well. And there are areas that we want to make sure that we close any gap as we go forward. Good morning, sir. Steve Svansky from Army OT Jack National Security Division. Given advances in technology, there have been increasing calls for more government regulation in cyberspace and artificial intelligence, both in the private sector and the public sector. This could potentially disrupt the US market-based approach to cyberspace that we've had for the advent of the Internet, pushing more towards a European model of more increased government regulation. From a cybercom perspective, would we serve welcome that type of more of a regulatory encroachment or would we do that more as a hindrance? Thank you, sir. So I'll steer clear of the policy discussion about how the US government's going to regulate. And I'll tell you how I'm thinking about the overall problem. So I'll give you two very different lens to look at it through. So the first one, when I think about overall privacy, I think about service members. And how do we think about educating our force and how to operate in an environment where their data may be accessible by our adversaries? And how could that be used? And how well are we doing today to think about preparing our force for a crisis where they could be messaged or they could become a target of an information campaign? How well are we educating our force today? I think that's one that we have to consider as a department, as a risk that is increasingly something we should be concerned about. The other area is how do we think about AI and where do we contribute in terms of understanding the threat environment? 
So when I think about that, it really starts with the investment that NSA has now made to stand up our AI security center. A built inside of the cyber collaboration center that really is the outward facing part of NSA to be able to work with industry and be able to share what we know and to be able to partner in a way that allows them to leverage, we can leverage what they know. And we're able to enable that from our perspective. We have a different vantage point in how we can inform this conversation. How do we believe that adversaries are going to leverage this technology? How are they going to target it to try and steal it from an intellectual property theft perspective? Are there appropriate security controls that ensures the tools don't get subverted in some way? Those are the things that we have to be thinking about from a threat perspective to be able to inform this dialogue. And it's an area for us that I think we're increasingly postured for. We do have extensive experience in both NSA and Cyber Command of leveraging artificial intelligence and machine learning and have done so for extended periods of time. So I think from our perspective, we'll keep trying to inform that discussion but we'll allow the policymakers to determine what is the end game for what those regulations look like. Good question. So I think we've been a strong supporter of doing a pilot in that area. How do we think about this? I think there are a number of models that we've talked about with Congress. And we've also seen the Marines being pretty thoughtful in how they've approached this. So we were a strong supporter in the last NDAA to get language that would allow us to begin a pilot and think about what that would look like in terms of what a partnership a public-private partnership would look like and a way for us to leverage talent, particularly as we would think about incident response in the United States. 
So we're excited to pilot that and we've been a strong supporter of that legislation and we look to inform it as we go forward. It's a great question. Sir, thank you so much for taking the time to come down and kick off our legal conference. We could not think of a better way to start. And the lawyers will appreciate how much of a wonderful client you are in terms of you value the legal advice, you seek out the lawyers. But you ask us tough questions and make us do our job to ensure that Cyber Command and our partners can accomplish our mission. So best of luck in your congressional testimony. Ladies and gentlemen, please join me in a round of applause for General Hawke. All right, ladies and gentlemen, we are now on break and we will start sharply at 0945 Eastern Time, private partnership. In recent congressional testimony, the private industry has been described as our force multiplier. And so our first panel for our legal conference is a corporate round table, the evolving cyber threat landscape. And I have the pleasure of introducing our panel's moderator, Mr. Nick Hall. Mr. Hall is the deputy to the commander of the United States Cyber Command Cyber National Mission Force. And in this role, Mr. Hall is able to assist the commander in leading a 2000 plus member organization responsible for planning, directing, synchronizing full spectrum cyberspace operations to defend the nation from foreign malicious cyberactors. Ladies and gentlemen, please welcome Mr. Nick Hall. Thanks very much to everyone for being here. Thanks to the organizers. Thanks to our partners and allies from around the world. And thanks very much to Heather Adkins, the vice president of security engineering at Google, and Judy, the senior threat intel analyst from Microsoft's threat intelligence center. Heather and Judy bring a wealth of experience in operating and defending the networks that make up the domain that we are tasked with defending here in Cyber Command, right? 
So unlike any other domain, cyberspace is built and operated by human beings and built and operated by human beings in the private sector, right? So the private sector isn't just a partner here, right? The private sector owns the domain that we operate in, right? Which means that our partners and our colleagues in the private sector have tremendous insight into what happens in their domain, right? And play a critical role in building, operating and defending the systems that underpin all of modern life, right? So really, I'm really excited to talk to you all today about how we can work together to improve the security of this global commons of the internet, right? And make it possible for us all to live and work online in a way that's safe. So I thought we'd talk about the threat a little bit. How do you see the threat evolving over your time working in this space? And where do you see it going? So Judy, right? I know with all of the recent news about things like full typhoon, right? A lot of what's old is new again. So where do you see things coming from and where do you see things going? Absolutely, thank you, Nick. And thank you everyone for having me. I just want to start off. We have a saying where it's same same but different, right? So the cyber threat actors are trying to achieve their strategic goals. And these goals don't often change, right? It's for intelligence gathering. It's for gaining access and keeping access, right? However, that's the same goal. But the difference is they do it differently. So the commander just mentioned living off the land, right? That's not a new idea. It's a way to live in the environment that they are. So they don't raise any alarms. So it goes with the same same but different. And also they have a desire to be sneakier, right? So I come from a background where I've been tracking the China threat adversary for over 15 years within government and outside of government, right? 
And so in the beginning, predating APT-1 report, they used to be a lot louder. You used to be able to see where they registered their domains. They might use their true names, things like that. But these days with privacy and them wanting to hide their stealthiness and wanting to hide that hand, it's a lot harder to just attribute one activity without enriching your data set and looking beyond just one piece of data set. You know, I think, hopefully you can hear me OK? I would say over my kind of 25, 30 year career that the thing that really stands out for me is that the techniques we're seeing are not that different. What is different now is the scale, the sophistication, and the way these capabilities are deployed. I'll give you some stack on that. 40% increase year over year between 2022 and 2023 cyber attacks in one year alone, a 40% increase. That suggests to us that there's some element of democratization of hacking capability, that there's certainly an element in the criminal underground and certainly with the radicalization of teenagers enabling people to just do a lot more hacking. I mean, it's sort of out there. The other thing we have to keep in mind is that there are now commercial vendors providing this capability to various entities, not just governments, but in various places in the world, also to other commercial companies, to law firms, et cetera. 75% of all of the vulnerabilities against Chrome last year derived out of commercial security vendors, not nation states. This means that we are going to be dealing with elements of scale for quite some time. But the techniques are all the same. Living off the land is a really good example. Any of you have ever read The Cuckoo's Egg, a very classic book on a KGB contractor in the 80s lived off the land in US government networks. This is not new. I think what we have to think about from a defense perspective is how do we defend it scale? 
And we're going to do that not with people, but with technology through better security design and just better architecture and technology decisions overall. And I think that's the challenge for all of us in the industry building these platforms that billions of people use every day. So how do we shape the environment in our favor? It's something that we think about at Cyber Command and the Cyber National Mission Force. It's something that I know we think about in the private sector right here. You want to shape the environment in a way that's favorable to expanding market share, to bringing new products to market. How do we shape the environment in a way that's favorable to defense and security? Yeah, I think one way to think about this is just how hard is it to secure? I saw a stat recently that worldwide, we're missing about 2.3 million cyber jobs today. And that might be as big as 3 million in a couple of years. We are simply not going to hire and train our way out of that mess. It means that we're going to have to put the security job in the hands of not a security professional, but in the hands of everyone who runs the IT system, all the software developers, everyone who contributes to building, designing, and maintaining the systems. And the only way we're going to do that is by making that job much easier. Again, you're not going to train all of these millions of people doing IT and development jobs. We're not going to give them all a PhD in cyber. So the reality is that the technology they buy, the technology they build off the shelf, has to be secure by design. So that when you buy a solution, it's actually really hard to do the wrong thing. If you look at the way we built the internet, it is built on layers and layers and layers of technology that is designed to be trusted by default. This is why you can send an email anywhere in the world to anyone without authenticating, because it assumed that everybody in that ecosystem was trustworthy. 
We have to shift to the opposite mindset of zero trust by default. So as we shift to a zero trust mindset, and as we build the training and the infrastructure to improve security, how do we arm people with the information they need to take action to secure networks and counter threats? I think this segues into a big topic in this conference partnership, threat sharing between different partners and also continuous feedback. Continuous feedback can help us improve our security, but partnerships can also say, hey, we notice something here. And then we go back and investigate, and we're able to understand what they were doing and how they were abusing it and be able to put in new security features to be able to thwart that activity. But partnership is really important in communication. And what have you seen works best in that space? Both, right? Both communication and partnership. I can tell you my team at the Microsoft Threat Intelligence Center were in partnerships with different government agencies, but also different private companies as well. Because communication is really important. Seeing you can see something in the left. I can see something in the middle, and the other partner may see something in the right. But combining that picture together, that's when you may get the whole picture. And then communicating that back out, letting your partners know what you discovered and what you think it might. And that comes from building trusted relationships, but also trying to build new partnerships. And entering the collaboration centers, like I think the commander just mentioned, the Cyber Collaboration Center at NSA. And CISA has their own collaboration centers. It's being an active participant in those partnerships. Yeah, I would echo that, Judy. I think the partnership pieces, I think we've as an industry been working on this for as long as I can remember, 14, 15 years now, is to think about how do we build the common picture together, super important. 
And then companies like Google joining the JCDC, we're a founding member of that, contributing to shared threat picture actually for not just nation state actors, but also in the criminal sphere with ransomware actors as well, and the commercial security providers that are sort of eating away at this ecosystem quite a bit. I think the other thing to keep in mind is that in addition to the operating picture, we need to remember the foundations of how the internet was built. It was built through coalition, university researchers, government researchers coming together and building open standards, open protocols. That's how these layers on the internet were built. And I think that's also how the next generation of those technologies will be built. Coming to the table and saying, we need a secure solution that does the following thing. Let's not build a proprietary solution. Let's build an open one and interoperable with the systems we have today so we can migrate to a better future over time. And I think a little bit about some of the great work NIST does, for example, on crypto, many of the internet protocols themselves through coalition government. And that also allows us to more seamlessly work with international partners in Europe and the Quad countries, et cetera. So I would say that partnership is not just threat sharing. It's also the foundations of the technology that we build as well. And how do we bring in the open source software community into things like this? Yeah, open source hot topic at the moment. If I think a lot of people will be aware that there's an ongoing, I guess we might call it an industry incident where we're all watching the XZ project. This is a piece of compression software that's been incorporated into many, many parts of the ecosystem. This has had one maintainer for quite some time. 
And we now, I think, better understand that single maintainer projects are a little bit vulnerable both to sustainability, but maybe also to social engineering, which is what happened here. And an unknown threat actor, at least unknown to me, has managed to attempt to get a back door in there. I think the open source community really imbibes that culture and spirit of the open collaborative process. And I think that's what they love contributing. Their time, their energy, they volunteer. Most of them do this for free without any compensation other than the pure joy of contributing. But they are all gonna retire one day. And there are probably 1,000, 1,500, 2,000 of these projects that will need a sustainability plan if we're gonna put them in critical infrastructure. I don't think we've got a great solution to that. There are amazing initiatives, Microsoft and Google both participating in things like the Alpha Omega project to give funding. We've got new frameworks for thinking about building secure software. OpenSSF is a great partner there. Again, industry coalition, industry collaboration. But we have to have a serious conversation, I think, about how do we help the maintainers over time. She took all the best words out of my mouth. She wrapped it up brilliantly. I have nothing to add. Heather, I think your point on the social engineering aspect of this recent vulnerability is really interesting. And Judy, I know you've done a lot of work both in the technical space, but also in the understanding where the adversary is coming from. And can you talk a little bit about how we're not just facing a technical problem and a technical threat. How you also have to understand who the people are who are behind the technical threat. The context, right? What motivates them? Why they may enter and target one sector, where can we predict that they might go next, right? 
So I don't want to jump ahead to some of the Volt Typhoon discussion, but if you look at China's strategy that they put out in 2020, The Science of Military Strategy, right? Their military doctrine of where they would use CNA. There are specific sectors that are mentioned in this doctrine, right? And our team has kind of done where we've seen Volt Typhoon activity and we've compared it to that critical infrastructure list that was mentioned in this military doctrine. I'm not gonna say it's a one for one, but it's pretty close and we definitely see some sectors overlap. So we can do things like, oh, they've mentioned power generation and whatnot. Let's go look at this other sector that they might have mentioned and we'll take the TTPs that they've used and let's see if we can highlight, discover anything in those sectors that we may not have seen before. But if we go and hunt for specific TTPs that they use in that area, that helps us one highlight new activity but all the collaboration that we mentioned and the partnerships, we can actually go back to our partners and say, hey, has anyone seen anything in this sector as well? And I would say, looking at the trends to your point, also important for not just the one threat actor we know about, but the threat actors are learning from each other as well. So we can see the threat picture between Russia, China, DPRK, for example. Common techniques, whether they're studying each other or sharing between themselves, I wouldn't know. But this XZ example, this open source example reminds me a lot of what the North Koreans did a couple years back where they set up a company, they impersonated security researchers, they made friends with all the security researchers and of course being an open collaborative environment, they like to trade research, right? All of these very, very smart developers. The North Koreans were actually able to make friends and get in there and then exploit their friends, right? 
And so that I think other actors are looking at that learning from it and probably adapting it. I think XZ is a good example where probably somebody learned a lot a couple years ago by that example. And the only reason that we're able to defend against it is because partners come to the table, we share what we know and we can be on the lookout for that. And I think that, you know, I sort of credit the finder of this XZ issue, which is a software engineer at Microsoft and being aware, being aware enough to spot something that nobody had thought about. And just adding on to what you said about threat actors learning from each other, you know, there's also a trend of if a zero day comes out, right? And, you know, someone posts the proof of concept publicly available, we'll see a group of threat actors that may have original access to the proof of concept, you know, basically blueprints to how to use it. And once that's out there, we'll see other threat actors pile on. And then it becomes a whole attribution mess of like, okay, which actor was actually leveraging the code to accomplish their mission. So it was a military command, right? It's really easy for us to conceptualize threats in terms of nation state actors, right? The Volt Typhoons, right? The Russian Intel Services, the North Koreans. But earlier you talked about radicalized teenagers, right? You talked about private sector, right? You talked about actors learning from each other, right? How do you think about the non-nation state threats that might be learning things from nation state actors? I feel like the situation's very fluid. And we, you know, my background's actually in marine biology. And one of the first things you learn is the Linnaean taxonomy for organisms, right? And sort of as humans, we put names and labels on things because it makes it really easy for us to understand them and understand the differences between them. I think we do that a little bit with threat actors, right? 
This is APT 1, 2, 3, 4, 5, 6, 7, 8. But in reality, I think there's a lot of fluidity here. And I mentioned radicalization of teenagers. One of the great honors currently from, you know, that I'm getting to participate in is CISA's Cyber Safety Review Board. And we did a review of a threat actor group called Lapsus$. And when we were doing that review, we thought, okay, we're gonna review this Lapsus$ group, whoever they are. And then it turns out, actually, they're part of a broader ecosystem. And they called themselves Lapsus$ for all of three months. And then they all kind of splintered off. And, you know, they wear two hats, three hats, four hats. And some of them are just teenagers hacking to make money. And some of them are participating in very scary, organized crime, really dark stuff. And some of them are one step away from getting paid by a government to hand over an exploit, a technique, or access. So I think when we put these labels on things, be careful, because these lines are actually very difficult to define. We have a very professionalized approach, maybe here in the United States, but you go somewhere else in the world. And somebody may have a day job, somebody may have a night job, and people move between these roles. So it's not as clear as we might think about it. Another way just, you know, to be nation state agnostic and whatnot is just to look at the behavior. What behavior are they exerting? What are they doing that may catch our eyes? Like, are they doing something on the operating system that shouldn't be done, right? And then, you know, that is looking at the actual behavior that displayed. And then once you look at the behavior, you can, you know, build out your research and discover, hey, who else is using this methodology? And, you know, does this tie to a set of activity already? But that's how you, you know, sometimes you look for little nuggets that stick out. 
You know, I like, I like slogans obviously, but one of these things is not like the other. So what sticks out for us to go and look at that emerging threat behavior and whatnot and to build it out? And I was just saying, I think that's really important for the disruption conversation because defenders, you know, I tell my teams at Google doesn't really matter if it's Sally or Sam or Alice on the other side. It matters what they've deployed against you. You need to understand the in common techniques that might work and you need to defend against that. And I think that comes up in the disruption conversation as well because if you think about it, if you've got a threat actor who's doing ransomware and using social engineering to get in and you've got a nation state who's doing that as well, you're gonna disrupt them potentially using the same kinds of techniques that may have a different decision framework. So in some sense, we have to begin to up level the conversation on defense because we have to defend against all the threat actors and all the in common techniques. So back to, you know, what's gonna work, what's gonna make a difference. It's going to be through raising the bar on the defense side. So how do you think of non-state but seemingly aligned threat actors, right? So hacktivists, right? Who are doing things that are, right? Maybe not at the behest of a nation state but certainly aligned with a nation state interest, right? Ransomware actors, right? Who might enjoy sanctuary at a nation state, right? I think as we look at ransomware tools, right? That won't install on computers with a Russian language pack, right? That's certainly a tell about where they're comfortable operating and where they're not comfortable operating, right? How do you think about those threats and how do you think about what we could do together? I think it goes to Heather's point where it no longer matters if it's Sally or Bob, right? What are they trying to accomplish, right? 
Are they doing something that's really disruptive or are they doing something that's, you know, borders, computer network attack? So we have to look at their techniques and stop them at their techniques, right? Motivation is just always hard to measure, right? You never know the motivation of the person on the other side. So whether it be a hacktivist or in behest of a foreign government or just, you know, personal views and whatnot, it depends on their behavior and what they're trying to accomplish and how we defend against that. I think there's been some interesting conversation over the years about norms. So, you know, what are the norms around the use of cyber, especially in the military context? And could you have a kind of Geneva convention for cyber of countries agreeing to the do's and the don'ts? I think when you bring it back to activists or state aligned or even state tolerated, all the norms are out the window. We've seen this in Ukraine, for example. When Russia invaded Ukraine, Ukraine put out a call to the world, please come defend Ukraine. And you saw thousands of hackers all over the planet willing to hack Russia on behalf of Ukraine. These are not under any kind of military command. There are no rules, a lot of hacking and dumping of data, chaos, if you will. And we saw a little bit of this also with the current Israel-Hamas conflict. We released a paper, "Tool of First Resort," where we saw activity by Hamas before and after October 7th. And we're continuing to see that. And it's not necessarily controlled by necessarily any one particular military command, but it's in support of Hamas. And again, it throws the predictability and the norms out the window. So I think from a policy perspective, we just have to keep that in mind as we think about how do we wanna regulate cyber? How do we wanna set norms? Understanding that the threat and the adversary is not always operating under an agreed-upon set of rules. 
And that's probably going to continue for quite some time. So what have you seen work best for identifying these threats, right? For sharing information between the private sector, right? The open source community, the government, right? Like we talked a little bit about the Cybersecurity Collaboration Center, right? Cyber Command has a program called Under Advisement that works in parallel to that and in concert with it. But I also recognize that I spend most of my day living inside a vault, right? In a big glass building surrounded by fences. So how do we collaborate better, right? What works? What can I do better? What can we all here in uniform in the room do better? I'll say that it's changed a lot in the last, say, four or five years, maybe. I think government coming to the table and declassifying information has been incredibly helpful. That has been a barrier for us on the collaboration front for a long time. Of course, there are certain things that deserve to be kept back and certainly to be discussed only in certain forums. But we can only take action on information if we have the freedom to do that. So receiving indicators of compromise, receiving information about threat actors and how they behave is helpful because then we can go program our systems to defend. That's why I'd say that's been really helpful and that has changed a little bit over the last couple of years. Encourage people to continue to think forward on this. As you mentioned, Nick, the cloud providers especially are providing a lot of services for critical infrastructure in the United States. Small to medium businesses in the United States are like two to three million of them, schools, et cetera. We can only help defend the nation if we have the information that we need to. But I think also creating the table for us to sit at to come together, whether it's JCDC or any of the other initiatives. We will naturally info share because it's in the benefit to all of our customers to do so. 
We're a Microsoft user inside. We develop Chrome for Windows. So naturally we've got Chrome developers. But also many of our customers use Microsoft and vice versa. So we're gonna naturally collaborate but I think creating the table for us to come together is very, very important. And then I also mentioned on the defense side not just the information sharing but on the defense side to make sure that we're all creating open, operable, interoperable solutions that enable us to sort of defend at scale. But yeah. Absolutely, echoing what Heather said, bringing us to the table at these collaboration all at the same time is really helpful because then we can also make a connection but we can actually have meaningful conversations rooms as well when you bring us all to the table and share threats, IOCs and whatnot. We can all be like, oh, so actually when we discovered, we've actually seen some of this behavior over here and there can be more meaningful conversation in the room that may highlight something from industry to government or vice versa. So we have classified information. You have proprietary information. You have customer information, right? Are the current systems, right, in place to make you comfortable having conversations, to make us all having conversations? We talked about declassifying, right? How can we help make it more comfortable to share proprietary information in a safe space, right? Not to enable a commercial advantage, right, but to enable common defense. I think a lot of the things that are useful to know aren't particularly proprietary. 
I think if you're building an open and interoperable system, then you're using open protocols, open standards, and these are not particularly proprietary secrets, especially when it comes to the kinds of techniques that help people defend at scale, whether it's security keys, which is done through open collaboration with the FIDO Alliance, all the way to crypto where you have NIST as a kind of a collaboration body. So actually, I think that things that really matter are not that proprietary. I think we also do have to be mindful and respectful that as cloud providers, we're providing not just to the United States, but we have customers all over the world. We have complex regulatory environment, complex privacy environment all over the world, and complex customer expectations as well. And so we wanna be at the table. We also wanna be respectful of how other partners are looking at that. And so I think that just making sure we're being thoughtful at the table is really important. Being thoughtful, and again, to what Heather said, being thoughtful, and also continuous collaboration. These relationships take time. So your first collaboration meeting, you wanna start it with a bang. It may not start off like that. It takes time to build relationships. It's also, there's a level of trust between entities when you come to a collaboration, a wider collaboration. So it just takes time. Understanding that it's not gonna happen overnight. It may take multiple meetings to gain that trust, build that relationship, where you have a better understanding of what you can share and what you can bring to the table and what I can share and what I can bring to the table is really important. But just to understand that it takes time and it doesn't happen overnight too. Yeah, that's a great point. Right, we talk frequently of operating at the speed of cyber, right? But really we're operating at the speed of trust, right? And trust is a thing that you can't surge in a crisis. 
You've gotta build it up. Before we go to questions here in a little bit, any closing thoughts on how we can build that trust, right? What we can do from the government to help build that trust, to help improve that communication. Are there better questions we could be asking you? Is there a question you wish that I'd asked you today? Well, we didn't talk about AI. That's a question maybe we can't talk about, but again, I think the trust is built on relationship. It's built on bidirectional information sharing, bidirectional building. We find when we have to build trust between teams at Google, we give them a task whether it's in an incident or to build something together that creates more lasting trust than an occasional conference or an occasional meeting. People have to work together to know that they can trust each other. And so finding opportunities for work to get done, whether it's in standards bodies or sort of developing norms or sort of working through the difficult conversations on sharing, these kinds of things will build lasting trust. And then I would also think about just the natural movement of people. People come in and out of roles. If you really want capability to be sustained, then this is a relationship building that has to be ongoing. It can't be just point in time, one conference, two conferences. It must be a cadence and a steady drip of opportunity to build trust between generations of folks who are gonna move in and out of these worlds. And I'll sort of tie that a little bit into AI. I think AI is gonna change the workforce quite a bit in terms of capability and what technology they will have available to them to defend at scale. And so I think we're gonna all, as a community, need to come together in new kinds of ways as that happens. We're thinking about the early career talent coming in right now who are using security technology that the vendors are putting more and more AI into. 
This is data analysis at scale, petabytes of data now available to them to spot things they've never been able to see before. That's going to change the cadence, it's gonna change the kinds of things we do together. And I think underlines the collaboration that we're gonna need as a community. Hitting on Heather's theme of task and cadence is really important, right? Working on a problem together is really important, like Heather highlighted, but having that cadence, not just getting called out of the blue, but having quarterly or biannual meetings on this, especially enduring threats is really important because those are the ones that don't change. But if there's a topic for emerging threats, that may be a different group of people because like Heather said, we don't always have the same people working on the same issue. So it also gives different opportunities to different people to build the relationships as well. And we could talk about AI, right? So in the future, some more questions about AI and just thinking through what does it mean and how not only, how to use AI for defense, but I think it was mentioned earlier, how do our adversaries use the same AI technology available for them? Well, I really appreciate, you know, it's time and thoughtful approach to this big challenge. I'm really excited about the potential, right? The continued potential for what we can do together to spot threats, mitigate threats, right? And disrupt them as needed. Why don't we go to questions from the audience? Hi. Hi, yes. I'm Ed Vasco. I'm with Boise State University and I run their Cybersecurity Institute. And I have many, many questions we can take offline. But the primary one seems to be the push towards automation at the bottom layer. 
And it seems as though we end up, my concern would be, and question to you both would be, do we not end up in a spiral where if we can't train enough people to come in at the bottom layer anyway and we replace the bottom layer, do we not create a situation where we're not giving the base level of understanding, the base level of awareness, and the base level of training in order to be able to do the advanced work from a career pathway standpoint? So lots of opinions on this, I might jump in. When we look at where we might be deploying AI assisted work, we're looking at a few things. The reason we have such a problem with the talent base at the moment is that it takes a long time to train and then we have burnout. And that's probably a five to seven year cycle. I see most people come in, train, it's been really hard. Actually, we find people coming out of four year degrees and certification programs are having trouble getting the first job because they have no experience. I think we have the ability to solve all those problems. First off, we are starting to see people shape the kind of interactive AI LLM chatbots to be assistants and that includes teaching. So for example, if you had to learn to code, two years ago that would have been an intensive class you took, you may not like your instructor, maybe hard, maybe they didn't teach the way that you learn. Now we have an assistant who doesn't judge you for your mistakes. And also is as patient and can give you as much time as you need. And in addition to that, help you code basic things. Now I'm not talking hardware, firmware. I'm talking a script to automate a task that might otherwise take six hours to do manually. So this is very beneficial for early career. The other thing is you have an oracle of knowledge at your fingertips and to help you learn on the job. 
And so it could be possible that those early career people coming out of training programs, you would feel much more confident hiring them without any experience if you knew they'd had help to get the job done in a very unique way. It will also remove the toil that causes the burnout because we can have the automated, it's really the data analysis. So if you've got a SOC, people looking at false positives every day, you can start to automate some of that away, make it smarter, make the assistance in doing analysis smarter, malware analysis, data analysis at scale. So I actually think it's gonna help the bottom layer, not replace it. They'll stay in the job longer, it'll be more interesting and you can develop then the advanced skills over time. The problem now is that everybody falls out of the field before they can get to that advanced level. That's just my opinion, but that's kinda where I see us going. I would also say that some of the automation are things, are tasked to help me, right? So these are some of the automations that we've set are things that we know to be true, specific TTPs and behaviors that I might be known to be true that I can automate so that then we can look for the different anomalies and that's really gonna help an entry level person when they come in because even though it's automated, they're gonna be able to ask me, they're actually gonna be able to look at how we automate it to see what is this task doing, why is it automated, what is it surfacing? So they're actually gonna get to learn quicker, I feel like, because it might have taken me months to develop the research to put the automation together, but they're gonna get a leg up because they're already gonna get alertings for some of the automation. So they're gonna be able to spot the next thing a bit quicker than I did in the past. This gives me a lot of hope actually that the defenders are gonna win. Bad guys are gonna use AI, good guys are gonna use AI. 
Yeah, we'll just agree to disagree on that one. Yeah, but I actually think that security is a data problem. We've long recognized if we could analyze the data we've got, all of the things we need to know are there. I would actually contend that security is a coding problem from a cybersecurity standpoint. I mean, you raised security by design as an option. I view that as a three generation problem. We have so much legacy tech debt that it will take us three generations just starting now to be able to secure by design. So we have so much of there that even with all the data analysis, we're still gonna have a challenge related to workforce, related to defense, no matter what. I would think of them as parallel tracks. So we're trying to get rid of passwords, for example. That's my goal in life. We've been on a- That we can agree on. Yeah. Thank you, MIT, who first put passwords on a mainframe. But over the last 15 years, we've been on a real actual journey to get there. Security keys, passkeys, these are all... None of these are the solutions. They're the pathway to the solutions. And it was only because we had the willpower to adopt these. But I would say it's not just the coding. We need to think of not only clever technical solutions, we need to think about usability. The human experience piece is more important here than the technical solution. We actually have a lot of the technical solutions. We just don't know how to get people to want to use them. And we don't know how to make it cheap enough. And by cheap, I mean time. The reason passkeys are successful, for example, as a replacement for passwords, is that it saves people time. And that's why they wanna use them. And we need to find what are those elements in every single technology component that's costing us time, costing us resources. And actually, I think you'll find people will get rid of the legacy tech debt when they realize the productivity gains of going to a better solution. 
How long do you have to think about, do I need to patch my systems today? If you're a sys admin, how long does it take for me to check that all the configurations are right? For example. Thank you very much. Other questions? Yeah, hi, I'm Bob Peterson. I'm an attorney at the National Security Division of the Department of Justice. And I wanted to kind of pick up on your historical note that in the historical development of the internet, going all the way back to it as a DARPA project, it was basically populated by good faith actors who were interested in creating something cool and knew that in the first instance was gonna link university computers and then government computers. I would say that I think you'd probably agree we're now in the era of a high percentage of bad faith actors. And I wonder whether if you look at the role of international standards organizations. First of all, whether mitigating cyber threats is top of mind for all of them. But secondly, whenever I read about Russia or the PRC putting something forward at, for example, the International Telecommunications Union, I assume that it's in their interest but not in the interest of the world and the greater good at large. And so the question is, is the United States both in the private sector and in the public sector taking an active enough role in international standards organizations from the point of view of trying to advance the cyber security ball? And again, I take your point that the bad guys are not necessarily gonna follow the norms but it'll be a better world if the norms are better in general. So, over to you guys. You mentioned the norms first. Let me think a little bit. So we do have representation. I know Microsoft does have representation at international norms or interest in international norms, but they may not always, to be truthfully, they may not always align and be the same norms that the USG may be interested in. 
So it's really important to establish as to build those relationships again back to the partnerships of establishing what the norms need to be enacted before you go into the international realm related to that. And I would also say, I don't think all actors are all bad or malicious. Some of them are just curious. We have a lot of curiosity these days of what is it to push the boundaries a little bit and that in my mind isn't always necessarily bad because it allows us to adapt our cybersecurity and change things and enhance things as well. Yeah, let me push back just a little bit on maybe two assumptions. I think, you know, sort of if you are Russia, if you are China, you're representing sort of the prevention of harm to your population or to your interests, right? So I think when I see participation in the international standards bodies, sort of put it through the lens of what are they trying to get, right? I do think it's important that we continue to push for appropriate amounts of representation in the bodies. So I know this is something, for example, the groups who look at internet routing, internet naming, et cetera, pushing to make sure that that is sort of equal amongst the participants on the planet. I mean the internet, if you think about it, is maybe the most ambitious human endeavor in cooperation that we've ever done, right? And it moves at a faster pace than most traditional political dialogue happens, right? And the people who are willing to have those technical conversations at that very, very low layer of technology are actually doing it because they want to be there. They want to contribute and they want to keep it open. They want to keep it interoperable. And they would all prefer that. And I would say from what I've seen of the very low level that that's still true to some extent, but we will have to fight to keep it true to your point. I think the other thing to think about is that the internet has revolutionized so much of our lives. 
I mean, I think I was just thinking about how we navigated here using a map. Like that would have been a paper map and we've gotten lost three times. We would have been late. We've changed the world with technology across everything. And the reason that that all works is that we have the free flow of data to some extent through open interoperable systems. If we start making systems that are closed, we will lose the benefit. And I think because of that, we will continue to see a desire even from closed societies to use the open and interoperable technology. DPRK is a completely closed society. But as far as I can tell, they're all running on open source, right? Maybe a little bit of closed source that they're making for themselves or forking, right? So, and we certainly know they're using cryptocurrency networks, which is by default an open and interoperable financial system. It's kind of remarkable. So keep that in mind. They want to use the openness to achieve their goals. And I think that that's the commonality point that we should really continue to drive home for better and you're gonna get the good and the bad. Thank you. Good morning. Emily Daniels, Fleet Cyber. I just wanted to go back to one of the comments you made about information restrictions. And I can certainly think of very easily our classification restrictions on us sharing information with you. But sometimes one of the things we see is perhaps the agency that industry shared with might have like a law enforcement restriction that keeps defense from maybe using some of the information. So I wanted to ask both of you is how do you choose which agency to partner with and what goes into selecting, sharing it with agency A versus agency B? Thanks. We try not to be biased, right? We understand that each agency has different authorities. We understand that each agency has goals that they want to accomplish with it, right? So we never tried to turn down a different agency that may come to us, right? 
We may just have the more established relationship with agency A. So we may not know to contact agency B because we haven't talked to them in a year or something like that. So going back to the tempo of some of the relationships that you build is really important. And that also goes to say it's really important to have most of the players or all of the players in the room, right? So like JCDC not only has private public partnerships so not only industry but they also have other agencies in there at the same time that may get access to the same information but having different platforms like that is really helpful. I pointed at Judy because she's a practitioner and she knows this much better than I do. I will say as a, you know, I've never worked in the government and I do, I am somewhat sometimes mystified by all the acronyms and your org chart. And I think maybe some of, you know, I think for, you know, the Googles and Microsofts of the world where, you know, we have brought in folks who've been in government and, you know, we have teams who work directly with the governments every day. This is a little bit easier for us. As you think about some of the other players in the market, there's almost 700 software-as-a-service companies, many of them startups that you may need to rely on someday and they're not gonna have any idea how to interface with you. So I think maybe sometimes when you see the differences between, you know, when we go to one agency versus the other it might just simply be that relationship had been established and we've never heard of the other acronyms, right? So this is where I think the common tables are important, because you can think, you know, if I sit at this table, gonna get at the benefit of all these relationships without knowing your org chart, without having to memorize kind of the differences of responsibilities and who does what. I would say make it simpler and a little bit easier for us, give us a single API rather than 20, yeah. 
And I think it's incumbent on us in government, right, to not just be passive recipients of information at these common tables, right? But to also share what we know not just about the threat but about what other folks in the government space are doing, right? So if you come to the Cyber National Mission Force, right, and you say we're sharing this with you, we shouldn't just say thank you and then have it disappear into a big cloud, right? We should say, right, well, you know we're working with the FBI, right? We're working with other people in industry, right? Have you considered the benefit of us all talking together about this threat? Right, so I think that that's incumbent on us here in the room, right, to know what's going on in the government space, right? And then be able to help educate our partners in the commercial sector. I'll also add some of the joint advisories and whatnot have been really helpful because you see the multiple seals on it. So you know that, you know, even though I might threat share with one person, I know the information is going back to their partners as well. And so sharing information outward of what the government sees and having multi-agency seals and knowing that you are all working on the problem together is really helpful as well. That's great. I think we've got time for one more question. Sir. Good morning, Lieutenant Colonel Puzio, 335th Signal Command. Throughout the course of your roundtable, you've addressed threats, threat indicators. In fact, your title of your roundtable is evolving threats. And you've mentioned state actors, two or three states we've mentioned. You've mentioned the radicalized teenagers. A couple of questions. Is industry noticing trends? Trends within like the last 12 to 16 months or 12 to 18 months on an increase in threats coming from a particular state or from particular individual actors or groups or consortia. And what gives you more concern industry? 
Are you more concerned about the threats coming from state actors? More concerned about groups or consortia or the anomalous or the individual that you can't identify? What keeps you up at night? State actor threat or individual actor threat? Yes. All of the above, all of the above. Well, I think, you know, no surprise, we are seeing an increase in activity from PRC. I would say both nation-state and nation-state affiliated, probably fair to say. Commercial security vendors, so for-pay hacking, not being funded by government. I mean, everybody's got contractors, but actually benefiting law firms, sort of non-state affiliated actors, et cetera. I mean, imagine you are in a place in the world, I don't know, let's pick Antarctica, it's easy to pick on them. And a law firm in Antarctica was in battle with another law firm, you could hire a hacker and hack your opposing legal counsel. So, and we're definitely seeing a rise in that because there's a lot of money in it. And we now have automation, which is making some of these bugs a little bit easier to find. I worry about that because it's hard to control. It's hard to see, it's hard to attribute, and it's hard to gather intent, and it's hard to know who all they're gonna sell to. So, I worry a lot about for-profit hacking that is legal in the jurisdiction it's happening. But I don't know, do you wanna comment a bit on the? No, I think all of the above, I mean, not only do we have to, because Microsoft is a platform, right? They can get to us to get to you and everything, right? So we can't just worry about one threat, we have to focus on all threats. And fortunately, we have, within my organization, we have different teams that are focused on nation state actors, but they're also focused on the cyber mercenaries. They're also focused on the different ransomware families, the syndicates that run those ransomware families and things like that, because you can't just look down one silo. 
Eventually, some of those silos overlap, right? We've seen more nation state threat actors use initial payloads of ransomware to gain access to systems. So you can't just peg them in these little silos, so you also have to look at all of them. And where they overlap is really interesting as well, to pull back and discover what's beyond that. Thank you very much, right? I think that was a great question to close on, right? Because like you said, right? As we look at the totality of the threats, it's the totality of our partnerships, right? The totality of our insights that make us able to effectively counter those threats, right? So to borrow a phrase from a former secretary of defense, right? It's not the threats that keep us up at night, right? Together, we can keep the threats up at night, so. Thank you. Nick, Judy, Heather, thank you so much for taking time out of your incredibly busy calendars at the Cyber National Mission Force, Microsoft, and Google. I think you really helped us better understand the contours, the opportunities, the challenges, and the importance of public-private collaboration, including the need to increase that cadence and frequency for which we engage. And as lawyers, I think we can take the task to help our clients in any way to increase that frequency consistent with law, policy, and regulation. And Heather, even inside the US government, we continue to be mystified by acronyms. So thank you for that. Ladies and gentlemen, please join me on a round of applause for our panel. And we are on break until 11 o'clock Eastern Standard Time. Thank you. Today's most consequential battle is being fought with everything, everywhere, all at once. It's in this room with you right now. It's the battle of information. Every day we see new examples of how the flow of information shapes the battlefield. A fake tweet, a doctored video, an encrypted chat. It has become shockingly easy to trigger unrest, radicalization, extremism, terrorism. 
As a joint task force under US Cyber Command, JTF Ares serves as the commander's maneuver element to tackle these emerging and difficult problems. Stood up in 2016 with the stated goal of countering the threat of the Islamic State, JTF Ares demonstrated immediate success. Declassified reporting has outlined the successes of JTF Ares, such as Operation Glowing Symphony, which dismantled ISIS's global media production and dissemination apparatus, striking a critical blow to their ability to spread propaganda, raise funds, and inspire further radicalization of violent extremist ideology. These successes required unique partnerships and coordinated operations across the inter-agency and international allies, which continue to this day. In 2018, command of JTF Ares was transitioned to Marine Corps Forces Cyberspace Command, which allowed for an expansion of missions across multiple violent extremist organizations. This transition was also a natural fit as Joint Force Headquarters Cyber Marines serves as the general support arm of US Cyber Command to US Special Operations Command and their global counter-VEO mission. As a result of JTF Ares operations, the global presence of violent extremist organizations is continually under pressure and has decreased dramatically. Due to shifting national security strategic priorities, in early 2021, the commander, US Cybercom, began to transition JTF Ares towards the strategic competition problem set. Nearing three years into this mission shift, JTF Ares stands ready to counter our pacing threats and deter aggression in competition and crisis. Fittingly, we take our name from Ares, the Greek God of War and Courage. We take his inspiration, our duty to fight faithfully, no matter where the battle leads us. Interested in war and courage? Come and serve with Joint Task Force Ares. Ladies and gentlemen, welcome back and to our virtual audience listening in. My name is Lieutenant Colonel Laurie Lincoln. 
I am the Chief of Plans Policy and Partnerships and the Office of the Staff Judge Advocate at US Cyber Command. Our next panel is extremely timely and it's often a hot button topic, both within and outside the government. The purchasing of data. What are the concerns with this? What, why does the government need this data? Does it circumvent the Fourth Amendment? What is its value? And is it data or data? These are just some of the questions that this panel will tackle. And if you think that we only stack the panel with government insiders, you are wrong. We have a diverse group here with differing viewpoints. That's what makes this conference so great. I am excited to introduce our moderator for the panel, Mr. Eric Rosenberg, who is the Acting Chief of Acquisition and Tech Transfer in the Office of the Staff Judge Advocate at US Cyber Command. And in case you're wondering, he calls it data. Over to you, Eric. Watch Star Trek, often say data. That's a typical theme. So I've revealed myself as a Trekkie. Non-endorsement. So I'd like to introduce our really great panel. So we have Lindsay Rodman. She is from the Department of Defense Office of General Counsel. She's the Associate Deputy General Counsel for Intelligence and she's basically been the lead on public available information, commercial available information, what we call PAI, CAI issue. She's really been at the front of that, working on DOD's policy to kind of give us more guidance on how to handle it. And we also have Mr. Eric Eichhorn. He's from the CDAO. That's the Chief Digital and Artificial Intelligence Office. And he's Director of Governance. We also have Mr. Aaron Mackey. He is from the Electronic Frontier Foundation. We're really happy to have him here. I think this could be beginning of a greater dialogue between our organizations, between Cybercom and EFF, but also DOD and EFF, and as well as with the interagency. And so it's great to have you here. 
He's the Free Speech and Transparency Litigation Director. We also have, to my right, Brandon Pugh. He is the Director and Senior Fellow at R Street Institute. And he's in charge of Cybersecurity Emerging Threats. He also, in his Reserve Capacity, he worked at the Army Jag School as well as a professor. So that's our distinguished panel. I'm really honored to have you guys here. So just to kind of like set the stage for this discussion, you know, the issues of publicly available information, commercial available information, it's really, really important. You think, oh, data, that sounds kind of boring, and your eyes glaze over, gets really abstract very quickly, but it's really, really essential. This is really at the heart of what we do as, you know, cyber operations attorneys, as acquisition attorneys in cyber. This is really at the heart of everything. You know, we're gonna, things are in flux right now. You know, there's discussions in Congress about potentially, you know, having, you know, it's changes to statutes. There's also, you know, DOD policy that's pending. Cybercom, you know, we're drafting our own policy, and right now I'm working with different folks at Cybercom on that, you know, to try to regulate that. We're already starting to incorporate clauses into our contracts at Cybercom to try to, you know, sort of address issues about, you know, data privacy and things like that. At Cybercom, we use, you know, we purchase data for a variety of purposes. So for intelligence purposes, for cyber security purposes, operations, as well as R&D. And that makes Cybercom a little bit unique because we buy it for a variety of reasons. And each, you know, these different purposes, and it's really important here for capability development and to support the warfighter. 
And I think it's, this is really an opportunity, one, to more transparency on this topic, to the larger public, as well as to get, you know, I think starting a dialogue and an opportunity for us to get feedback. Because policy's in flux, we have a chance right now to, you know, to shape that policy. I mean, you have Lindsay right here, you know, this is an opportunity to, you know, give that feedback on what, you know, the larger, you know, national security community thinks should go into these policies so we can balance, you know, national security with civil liberties. And just one more thing, there's sort of three big policy goals we have to kind of think about. You have national security, civil liberties, and sort of this internet economy that's based on advertising, technology, and data. And it's hard to achieve all three perfectly. You could maybe get two perfectly, because you know, if we were to not buy this data at all, if we were like no one to buy the data, then you wouldn't have the civil liberties concerns and our adversaries wouldn't be able to buy it. However, the internet economy would suffer greatly if we couldn't buy the data. And so, you know, if no one could buy the data. So in that world where we can't, you know, prevent anyone from buying this data, we have to have compromise. And that's what we're gonna discuss today. So first question is gonna go to you, Eric. So could you talk to us about what is PAI/CAI? And where do these data sets come from and why does the government need them? So publicly available information, and that includes today's conference, so congratulations, is information that has been published or broadcast for public consumption. A formal reference, because I heard that I was going to a legal conference, is 3115.18. Commercially available information is a subset of that. So it's information has been made available to the public and is available for purchase. Specifically either by governments or the public writ large. 
Some of the different types of commercially available information that we purchase because we are a huge department. We have data activities that run the gamut. So we do research and development data. We do weather data. We also do internet of things data. We look at financial data. We buy legal data. Some of the different uses in addition to normal intelligence activities. We also use it for things like background investigations, insider threat, network analysis, which I'm sure is near and dear to Cybercom. We also use it to look at supply chain vulnerabilities. So that's a huge area of growth for us. Great, thank you so much. Lindsay, would you like to kind of help lay out what the current legal and policy framework is for purchasing data? And if you have anything you wanna add about how we use data. Sure, thank you. And thank you so much for having me. I really appreciate the opportunity. So the terms, especially in conferences like this where you're bridging the gap between folks within DoD who are using a certain vernacular and then folks on the outside who are using different vernacular. Eric very helpfully laid out what we mean when we say PAI or CAI, publicly available information or commercially available information. Those terms originate from executive order, well, PAI originates in its DoD usage from Executive Order 12333. So those of you who have worked within or with the intelligence community, you know that's our Bible. I carry it with me everywhere. I have a copy here if anyone wants to reference it. And EO 12333 originally signed in 1980 as an effort to kind of clean up what was perceived as intelligence community misbehavior, shore up the rules, get us on track with a strong eye towards protecting US person's information in the hands of the intelligence community. And one of the frankly exceptions to the rules as they applied to the intelligence community about the information that they were bringing in. 
A lot of the rules were softened for publicly available information or information for which the person concerned has consented to its disclosure. So right off the bat, we were using the term publicly available information in a sort of, you know, Venn diagram of there's private information over here in a circle and then the two circles don't touch. There's also public information over here and what's in the public information is stuff that is akin to what someone would have consented to being out there and usable, right? That's how we were thinking about it before technology started muddying the waters. Now we live in a world where there is public information at least the way that I like to think about it. There's private information but those two circles overlap and there is in the middle of that Venn diagram a world where there's information that is what we would call public information because it's accessible to the public openly. It's data that one can purchase relatively freely. There's nothing illegal about obtaining it in these ways but that has serious privacy concerns associated with it. There's kind of an obvious bucket that involves things like doxing and revenge porn, right? Like things where someone has done something illegal or nefarious in order to release what you would consider to be private information out into the wild. But there's also data about you that's floating out there that you have ostensibly consented to through terms and conditions and stuff like that or that's just collected from you as you're out in the world but that you might have an X factor associated with being fair game for DOD, the intelligence community, private companies, anyone, frankly, accessing and learning about you. For those of us who, well, I drove here today but when I'm on the Metro, I'm there doomscrolling and candy crushing just like everybody else and I have probably ignored lots of terms and conditions that allow people to know exactly where I'm going. 
Luckily, I work with the intelligence community and in the Department of Defense but not in a role where I guess I know that I'm vulnerable to people sort of tracking me and understanding where I am and I guess my OPSEC isn't particularly good but I'm gonna guess that a lot of you guys are in the same boat as me. So some of that data, as Eric suggested, comes from sort of literally being able to track where you are at any given time, what your preferences are, what you're saying out in the world, what are you putting out on social media? All of those things are ways that someone else might be able to gain an insight to you and I'm doing a lot, so Eric was like, what is the policy, and I'm giving you a whole lecture on public and private and Venn diagrams and whatnot and I haven't even gotten there, but the reason I'm doing that is because the point I'm trying to make is that we got here through lawful conduct, right? So we're in a place where people were sort of using the law sometimes but also just working within the law to enable conduct that fuels the internet economy, as Eric mentioned. This is stuff that, if you were to regulate highly, would actually really fundamentally affect the internet marketplace. Now that might be something that we as a democracy decide we wanna do but we haven't done it yet. So okay, so what is the law when it comes to all of this stuff? I had the opportunity last year to speak to, but last week, I'm sorry, to speak to non-lawyers about Fourth Amendment obligations and that was much more comfortable because I didn't feel like everyone's gonna be judging my legal analysis. This is a little bit more, I think maybe friendly but scary audience. So where does Fourth Amendment analysis start? Usually we start with Supreme Court for the lawyers in the room who did con law and then immediately started practicing in the Department of Defense and then didn't do con law again.
So Carpenter v. United States, many of you will have heard of this, some of you will not. 2018 Supreme Court case, this is if you went to law school back 20 years ago like I did, if you were on the older side of the audience, you will remember we did Kyllo, there were certain other Fourth Amendment cases that talked about technology and what could be seen and known about people. Well, since we all went to law school, 2018, Carpenter came out. Carpenter is a case where four men were convicted using cell site location data that was compelled by a magistrate judge. So what's important to kind of understand about that fact pattern when we try to think about its Fourth Amendment implications was this was not data that was obtained freely on the commercial open marketplace. This was data that was compelled by the company but it was not compelled using a warrant. And the Supreme Court struck that down and said no, if you're going to obtain this type of personal information, and this was pattern of life geolocation establishing data, that is a bridge too far. You're gonna need a warrant, you're gonna need the legal protections associated with obtaining a warrant if you're gonna go as far as to compel geolocation information about individuals to establish pattern of life. In that case, Chief Justice Roberts also said, our decision today is a narrow one. Our opinion does not consider other collection techniques involving foreign affairs or national security. So, you know, the young lawyer, enterprising lawyer for the Department of Defense can read that and say, oh, thank God, we've got an out clause, we don't need to leverage it. There's nothing in the opinion about commercially available or publicly available information and it's not supposed to apply to the national security application anyway. So we've got a get out of jail free, thank goodness, because if we had to get a warrant in every case, that would be a disaster.
But I don't think that's actually a fair, that is not actually how the conversation has gone down in the legal community and the Department of Defense. We've all taken Carpenter to heart and Carpenter has shown us, and I mean in the conversations that I have with Eric and with many of my other colleagues around the Department of Defense and in the intelligence community, Carpenter signals to us that the Supreme Court and the public and Congress and you know, in these broader conversations takes very seriously the question of the sensitivity of geolocation data and what it means to establish pattern of life on people and that we should be thinking very seriously about protecting it and safeguarding it, understanding that it does raise an ick factor for people and it does raise privacy and civil liberties associated concerns. So whereas I think the jury's still out about whether there's really a Fourth Amendment right associated with all of this, I don't know, I am not the administration spokesperson on what Carpenter means for the Department or anything else. I do think it's fair to say that it really informs our Fourth Amendment analysis and it more broadly, because we go past what the Fourth Amendment compels, it really informs how we think about where we need to be going in terms of safeguards, guidelines and guidance to the field about what our obligations are associated with data that presents these kinds of sensitivities. Okay, so I see within the intelligence community in 2022 a senior advisory group led by some of the most distinguished lawyers in our community wrote for ODNI a review of the IC's use of commercially available information. And that was very, very close hold and I was at a conference last summer about the conclusions of the senior advisory report and I said, I'm sorry, I can't talk about it. It may or may not exist. And I go out and in the hotel lobby on CNN, IC, IC CAI report is released.
So no one told me, but apparently it's public, you can Google it, on CNN, they've got it. It's there as of last summer. And it will tell you, I think it's a good and thorough rendition of what the privacy and civil liberties associated implications are of the IC's use of CAI as much as we could publicly release, but frankly, there's really not very much redacted in that report. And they reached three conclusions. One was that we really needed to do a better job of data cataloging because we weren't doing a great job of responding to the questions about what do you have? And we're like, oh, stuff. And there's a lot of hand waving and some of that was because we couldn't say in an unclassified setting and some of it was because we hadn't actually done the work to go back and understand how people were using this information. Some of that is because it's really used at a grassroots level. So it wasn't like a top-down acquisition of this data. Oftentimes people were acquiring it at a lower level and so you had to understand how to, we had to establish the right capabilities to have that reported up. And number two and number three were to identify which commercially available information presents sensitivity concerns and establish standards and procedures to govern it a little bit better than we were doing already. Now it wasn't that we were operating in a vacuum. Those of you who work in the Intelligence Community know the DOD Manual 5240.01 provides a lot of guidance on what to do about protecting US person information and that applies to commercially available and publicly available information as well. So there were retention limitations and guidance on when you can use this information and safeguards that you need to take associated with it. But these enhanced sensitivities associated with new privacy concerns around this data merited a new look. So ODNI is now nearly complete with an IC CAI framework.
Some of you know this because you've been in the working group meetings and the implementation and all that. And that is set to be released any day now. I asked my IC colleagues at ODNI what kind of clear talking point, like what can I say about what's in this? And they wrote this, the following talking point for me. My colleagues at ODNI are the best and I really love working with them. So, thanks guys. And then they thought I wouldn't actually say that at the conference. I was like, oh, no, no, no. If that's what you give me, that's what I'm going to tell them. But what I can tell you is that it establishes nine principles and it provides a means of determining when CAI, because as Eric said, CAI can be weather data, right? But when CAI presents the kinds of privacy and sensitivity concerns that we're talking about, then there's basically a whole rubric of requirements for doing that analysis and then putting appropriate safeguards in place. So that is coming literally any day now. We thought perhaps it would be released this week. I think that may not happen at this point. So, DOD is also putting together its own CAI framework. And Eric and I have been in some painful and some not so painful meetings in the drafting of this policy. It is now in coordination in CADEMS. So if you have opinions about this, find your local person with CADEMS access and go to town on the critical comments. I say this because we really, truly want this policy to be workable for the whole department. So now is the opportunity to get that feedback into the policy-making process. And that will both cover DOD's IC elements, but it will be for the rest of the Department of Defense. And it's meant to kind of carry forward the important work that the IC has been doing in this regard to the rest of DOD in a way that makes sense as applied to DOD. Now, DOD also is not without its existing privacy framework. There's the DOD privacy program, Eric cited 3115.18. 
That is our current policy directive that governs publicly available information that is already in place. And we also have DOD directive 5200.27, which is titled Acquisition of Information Concerning Persons and Organizations Not Affiliated with the Department of Defense. So we have policy that currently governs how we work with this stuff. It's just that the way that technology has recently developed, we've recognized that we need to do a lot more. Both because it's the right thing to do, but also to signal to the public and to Congress and to folks who are looking all the way from California at what we're doing, that we're trying to do the right thing in this regard. So these policies go beyond what is required by the Fourth Amendment, as far as we know what's required by the Fourth Amendment. They go beyond what's established in law right now. But they don't have the force of law. They will be policy, they will be regulations. So if there is any future legislation, then that's something that would fall on top of them. I know I've been speaking for a very long time. Eric said I could talk as long as I want. That's his fault. But I will say one more thing. The vast majority of the missions that the Department of Defense is performing in the intelligence community and outside have absolutely nothing to do with US person information. It's just not relevant to what we're trying to do. And what we're trying to do, you know, people are mission focused. There isn't an interest or desire to get into US person information because it doesn't serve the mission. People wanna do their job, do it well, and then go home and hang out with their families or crush candies on the metro, whatever it is that they're doing, right? So there isn't a sort of like deep hunger to obtain this information beyond what is mission enabling. However, there are certain missions that do require digging into this information. And for those, that's what we need the extra safeguards in place. 
But I think also for those of you in the audience who work within the department on these issues, not only is it not particularly helpful for the mission, I interact with folks in the IC especially, but also DOD every day who are like, I don't want US person information because it makes my life so much more complicated to have to navigate the restrictions and the safeguards and sort of the bureaucracy that we have put on top of it. You know, there's no one sitting in the department who's like, ooh, I really want US person information, that'd be so awesome. It just, it sort of doesn't really help. That's not a fair characterization of what we see as people are interacting in the Department of Defense, nor is anyone sort of accusing DOD of doing that necessarily. But I think it's important to highlight that the type of guidance and safeguards that we're putting in place are really meant to make someone think twice about whether they need that information and whether they're gonna do the appropriate things to safeguard it when they access it. And making them think twice is actually, hopefully, a step in the right direction towards doing what we need to be doing. So, thanks. Thank you so much for that. Really appreciate that rundown. Also, I'd like to add that we may touch upon this more later, that the Federal Trade Commission has also entered these discussions. They've been, there's been some recent orders that have been issued with respect to data brokers, and so that's also now kind of at play as well. So, Erin, so could you kind of give us a bit of your perspective on the government procurement of PAI/CAI, and also what, you know, reasonable safeguards would you hope would be put into place that aren't currently in place? Right. So, thank you for having me, particularly, thank you, Eric, for organizing this panel and making sure I got here.
So I think big picture where EFF comes from is we come from a place of wanting to ensure that people's rights, particularly the constitutional rights, are protected. And so our view is that the Fourth Amendment should be the guiding star of all of these protections, and it's great to hear that DOD is taking to heart Carpenter, which we read as really sort of a sea change, and recognizing a lot of sort of undercurrents that I think are real, including sort of the fundamental idea that the information we provide, whether that's location data, or other sort of personal information in the context of surfing the web or using an app that we consent to that data. And then as Eric just described, I think the FTC is also acting in a way that makes, that raises questions about whether that collection is itself lawful in ways that I think implicate the policies and sort of fundamental principles about the collection of this information in the first place if it is legally collected. I think there are concerns about whether that's actually true now. But I think more particularly what we think about is how do you protect people's privacy and honor their First Amendment rights and their Fourth Amendment rights throughout the life cycle of the data itself. And so that starts with collection, it also begins with use, retention and disclosure. And I think sort of looking high level and I'm not deep in the regulations like you all are. But I think a lot of this, once there's sort of collection, it's sort of seen as use limits are pretty limited. And there are retention limits, which I really appreciate. But some of the disclosure limits that are sort of like, do you have a reason to know or a reason to use? I think those are sort of concerning. And what it looks like from an outsider is that once we obtain this information as long as we obtained it lawfully and we purchased it as anyone else could, we can essentially do with it what we want and disseminate it further.
And I think that looks quite different from the sort of normal Fourth Amendment analysis that a court would apply, which would ask at every step of the way, does a user or does that individual have a reasonable expectation of privacy and to the extent that the government action implicates it is certain legal process required for that initial search, the collection, the retention and dissemination. And so I think it's great to hear that there's forthcoming policies that are really trying to align with the Fourth Amendment. But I think there's probably more work to do and in trying to actually ensure that people's Fourth Amendment rights are protected. And I do think that DOD needs to take a hard look at whether or not this collection is lawful in the first place. I know we'll talk about some of the FTC settlements, but basically what happened is a number of location data aggregators have been subject to civil enforcement under the FTC section five authority on the theory that their collection of this information itself was unlawful because they deceived consumers, right? And that's not just sort of the general deception that we all sort of walk past when we scroll through the endless terms of service, right? Where they say we get to do with your data what we want and we also have a get out of jail free card, right? But the FTC actually held these companies to account and then one of the remedies that they issued in at least one case was a prevention of the further sale of that data. And so I think what's important to understand is if you start at the outset from this belief that the purchasing of CAI and PII is itself fully consistent with the law, I think the FTC and potentially Congress is acting in a way that might say that that's actually not true. And so I think that might shift a lot of the thinking and hopefully we'll see policies that reflect that reality. Thank you so much for that, I really appreciate it. 
Brandon, so I guess what's your sort of take on this? Do we have the right protections in place right now? What should we add, thanks. Yeah, no, Aaron kind of teed it up well. He mentioned Congress' action, but before I get there, I want to kind of take a step back and reflect on something the commander had said this morning, which was great. I was texting Eric during his remarks, I'm like, this is great, he mentioned privacy in response to a question, but a different dynamic of privacy. Obviously the risk and the threat of adversaries collecting and potentially using commercially available information against our service members. And I think it's helpful to take it, have that lens as well as a force protection issue. And if that at all interests you, the Army Cyber Institute, I know there's a few of you here and I have done incredible research around that, specifically looking at how China and other countries are collecting as much information as possible and leveraging against us, and we see it playing out in conflict present day, and that's even in open source. But taking a step back to Congress and what they're doing, outside of specific sectors, whether it be finance, healthcare, or even what the DOD is doing, and then specific states, there's largely no framework on data and privacy and the security of that data in the United States, which is astonishing, because countries around the world have similar laws, but there's no comprehensive federal data privacy and security law in the United States. So largely speaking, you're free to collect as much information as you want, share and sell it as you wish. Obviously there's some limitations because you say you're doing something and you're not actually doing that, FTC is gonna come after you, but it's more ad hoc, there's no comprehensive approach. Aaron kind of teed it up, but Congress has been looking at this, some of you in the room have been working on this longer than me, but well over a decade.
And there's been a lot of disagreement on what a federal law could look like and balancing the needs of consumers, industry, to Eric's opening, it's key to our economy and emerging tech, but also like the security and national security space, how do we balance all three of them? That's been a constant struggle. And many people had said I was an eternal optimist and that likely we never would have action on a comprehensive bill. I mean not to make this bill specific, but it is interesting that this past Sunday we saw a compromise emerge between the Democrat chair in the Senate and the Republican chair in the House. I don't wanna oversell that, it still is a long path forward, but it does a lot around data collection and it targets data brokers. So it has the potential to be pretty extraordinary if it passes, not saying it's perfect in every regard, but it does a lot, but just briefly, what does it do for data brokers? It's designed to bring a lot of transparency to data brokers. So no more would there be the data broker that nobody's ever heard of, or has a very tenuous relationship to a legitimate company, they would have to register through an FTC registry. They would have to have a public website where they're notifying you and everybody here that they are in fact a data broker and this is how they're leveraging data. And it would also have a do not collect registry and that's maybe a little sensitive for those in this room because the law enforcement community has had some concerns around that because would criminals or others avail themselves of that. So that's pretty interesting, but at a broader context, it does a lot more on how data is collected in the first place. It relies on data minimization.
So essentially there'd be 15 permissible purposes for collecting and utilizing data and security is a component of that, law enforcement is a component of that, but outside of that, no more would there be the days where you can collect as much data as you want regardless if it's actually necessary for a product or service. So happy to dive more into that, but there's a lot there. No, thank you so much. So I'd say Lindsay, do you wanna touch upon any kind of current legislation that you can talk about that? Yes. Eric's trying to see how much he can get me into trouble today. So first, I'd love the opportunity to respond quickly on the FTC stuff because obviously that was something that the legal community within the Department of Defense and the IC was like, oh, okay, here we go. And so for those who aren't tracking the FTC, I mean, Erin explained it perfectly, like they are starting to really look into questions of data broker behavior, what is fair game from a consumer protection standpoint and the thing I think that's most interesting to us as we dug through what should the DOD policy look like is how do we define which data presents the most sensitivity concerns and what reasonable safeguards can, what do reasonable safeguards look like? What should we be putting in place for these kinds of data? So the decision we're talking about is X-Mode Social, by the way, in case folks wanna look it up later. And ultimately there was a complaint that had frankly mentioned sale of information to national security agencies in it. So we were watching it. The ultimate settlement and order did not have really anything to do with those potential use cases. And frankly, I mean, that was really not what the case ended up being about. But X-Mode Social was selling data, as Anne mentioned, in contravention of its own terms and conditions, right? Even like, you know, not what it said that it was going to be able to do.
But what was most interesting, at least to me, was that in the settlement and order, they actually define for the first time which information, which data about individuals presented the biggest sensitivity concerns. And so I think one can fairly look forward and say, okay, these categories of data are going to be protected beyond just whether X-Mode Social can continue to sell this data, which the answer is they can't. And that was geolocation information that associated people with locations that presented privacy concerns. The big two that stick out in my mind, I think there were six, are certain healthcare clinics in Ohio, right? And then other would be geolocation information that would give away LGBTQ affiliation or status, right? So you can think about that data and think like, wow, okay, yes, I would like there to be restrictions on people selling geolocation information about which healthcare clinics I've been to. That seems reasonable. So we are also sort of interested and we see the FTC's paying attention. And it is important for us to know and we always want to know if the people that we're dealing with have obtained the data in an above board manner. That informs a whole lot of things that we care about. And in most cases would mean that, you know, there's no way we're gonna even continue to look into that information. So that's FTC. On Congress. Yeah, so I think you're talking about Senator Cantwell's proposed legislation. So that is really interesting because it is sort of an interesting, serious attempt by Congress to govern the space more broadly. We also have seen a flurry of legislative action that is focused on IC and law enforcement agency uses of commercially available information in particular, over the past couple of years. So there've been a lot of incarnations. And what is interesting here, and Brandon kind of touched on it, is that this is not a partisan issue.
Like the people who come together for these bills come from different political backgrounds. And that, you know, for a civil servant, like then I can talk about it with, like there isn't really a partisanship associated with this. We're just talking about the issues in the policy. So that's actually kind of an interesting and refreshing place to be. I wish they weren't trying to take DoD CAI away, but it is interesting to be in that world. Okay, so last year we saw a House amendment to the National Defense Authorization Act that would have prevented the Secretary of Defense from obtaining commercially available information, essentially that had to do with U.S. persons. We saw that as very concerning, right? I think we've tried to explain that this information is important and could be quite valuable. It also presents privacy concerns. So, you know, we want to live in a world where we're doing the right thing, but also able to use this information to keep Americans safe. There was also a government surveillance reform act that was introduced in the Senate last year. Right now there are kind of two major live actions having to do with this, having to do with CAI. One is that the House on Thursday is going to vote on FISA 702 reauthorization. That has nothing to do with CAI. FISA 702 is about wiretapping, signals intelligence. CAI is about purchasing data that is freely, openly, commercially available in the marketplace. However, they both are things that the intelligence community uses to learn stuff, and so those two issues have gotten, I think, quite conflated in Congress. So you saw during FISA 702 reauthorization a number of efforts to tack on amendments having to do with preventing the Department of Defense or the intelligence community or law enforcement, or all three, from obtaining commercially available information. And then you get all sorts of rules, issues about whether it's germane, and things that are totally beyond what I pay attention to normally.
I go to these meetings and I'm like, just tell me if the amendment's in or not in, whatever. And so those two issues have now been split in the House. But what that is doing, it is, people are now paying attention to the fact that there is a vote on FISA 702 on Thursday, but there is also a vote on what is called the Fourth Amendment's Not for Sale Act, also on Thursday on the House floor. The Fourth Amendment's Not for Sale Act, very catchy name, whoever came up with that. Good marketing skills or something. But the Fourth Amendment's Not for Sale Act would make it illegal for the IC or law enforcement agencies to obtain commercially available information about Americans or about anything that's happening in the United States, full stop. It would, for those of you who are in the Department of Defense, place serious obstacles in the way of us performing our mission on a daily basis. So I personally have some concerns about that legislation that because FISA 702 has more attention and has been sort of an issue for longer that folks are sort of forgetting that this other vote is happening on Thursday. There's also a bill in the Senate that's called the Safe Act. It stands for something. I didn't write it in my notes. I apologize, Google it later, Erin might know. And that would require a warrant for CAI access. But again, it presumes that we would go to a court under circumstances where a warrant would be feasible. So there's a lot of concerns that we have about that bill as well. It's been marketed as a compromise bill, but it has exceptions that we can't use and it still requires a warrant. So it's still ostensibly at this point, when we look at that bill, we say, okay, that just prohibits our access to CAI for IC and law enforcement purposes, which again, would stop a lot of things in their tracks. So, and as I mentioned earlier, and I think we're all kind of in agreement that we all share an interest in, well, I'll speak for everyone on the panel now. 
We all share an interest in putting reasonable, sort of safeguards in place on Americans' privacy and then what you deem to be reasonable, I'm sure will vary as people vary. But from where I sit, we also have a concern about helping facilitate the Department of Defense to perform its mission and not to hamstring that to the point that we're actually making people unsafe by putting these restrictions in place. Thank you so much for that. Erin, do you have any thoughts on, I guess on the current legislation? Yeah, so before I get to that, I think what's interesting is also to draw the parallel between, so the X mode, the FTC's order on sort of what information is particularly sensitive, right? Where does that come from? It actually comes from Carpenter. So Carpenter describes not just concerns about pattern of life analysis, but the fact that you can use location data to put someone at a particular place or location and whether that's a healthcare facility, a bar, or some other place that's sensitive, right? And so I think what's important is there is a through line in this that's recognizing the fundamental concerns here. On the sort of legislation, again, like I don't know your world at all. But where we come from, again, is from a place of the Fourth Amendment. And so when we see a decision like Carpenter that really sort of recognizes the Fourth Amendment rights of individuals to be free from this sort of search absent sort of government getting a warrant, we then see a few months later, right? The same data is available and is purchased. And we have concerns that essentially what that looks like to us is a way around the Fourth Amendment. And I'm not accusing anyone of violating the Fourth Amendment, but that's what it looks like from our perspective. And so we see bills that require things like a warrant when the same information, if you sought to compel it via FISA or others would have required, other authorities would require a warrant. 
We say why should that not be the case here? And so I think we are generally very supportive of proposals that will respect Americans' Fourth Amendment rights. And so we generally support these proposals because we feel like they do establish a baseline that is actually responsive to what the constitution requires. Thank you, Erin. Brandon, do you have any thoughts on? Yeah, maybe just a couple of additions. I think they both have made great points. I guess to play devil's advocate on the FTC side, I think the FTC has a key role in privacy and they have a history of doing it. The downside is a lot of it depends on who's leading the FTC at the time, not just political composition. Their priorities change, definitions change over time. So I think that is the risk of not having something codified whereas Congress is making the definition and Congress is setting forth a policy direction because what we deem sensitive today may not actually be sensitive in three years from now. So that is one concern and just personal opinion. Like I think the FTC sometimes oversteps, not saying necessarily on that particular case, but in the past, we seem to go a lot farther and people question whether they actually have the legal authority to go in that path, not to make this an FTC panel. But it's sometimes hard not to. And we've talked about the NDAA a lot, but another really neat provision that I don't know if anybody's talking about it, but maybe your world in acquisition is Section 803, essentially putting an obligation that if DOD is contracting with another entity, there has to be a provision in that contract that they cannot sell it to a third party. 
Eric's more of the expert than me, but it's really neat because it's giving the DOD an obligation now to protect service member data and not just service member, but also DOD civilian data because oftentimes, I shouldn't say oftentimes, but that has the potential to be resold or transferred or potentially acquired by an adversary. So I think the DOD now is doing something to prevent some of these risks in the future. Thank you for that, Brandon. And Eric, I think, would you be able to kind of touch upon, so a lot of these Fourth Amendment Is Not For Sale Act incarnations, they talk about carve outs for, if you can make sure it's not reasonably de-anonymizable the data, could you kind of just touch on the practicality of that? Yeah, I'm not sure that is, it's not necessarily practical. So yes, you can do things like you can strip out identifying information from the data set. The idea that nobody else is ever going to be able to merge that back in with another data set is not a practical requirement to put on us in particular. Now what I have seen with processing of data sets is specifically geolocation data sets is a lot of entities will have filter rules. So step one, filter out anything that looks like it's a US. If it's lat-long, that's easy. Okay, and that goes, and you filter that out and that's now in a separate category where yes, you have to have a clear need to access that. Nobody can just go in and get that information if it's US. After that, it's okay, now you might have something that still allows you to identify an individual. So maybe you have a device ID, an advertiser ID, something else that can be traced back to an individual. There are ways to obfuscate that data. You can use hashes, you can encrypt it, or you can drop the column when you move it. Our preference is that if you don't have a need for that specific column, drop it before you move it for any other use. And if you do have a need for that specific column, obfuscate it if you can. 
If you can't obfuscate it and you can't drop it, then you have to have a clear need to know to access that information with that personally identifiable. And a lot of it's personally identifiable type information again, or something of concern like an advertiser ID or a device ID. That technical link and how much time do we have left? 15 minutes? So next question I wanted to talk about was there's an executive order that was recently issued about sales by data brokers to certain foreign governments. Lindsay, do you wanna touch upon that? I'm gonna do the same thing I do every time you let me talk, which is talk about what I wanna talk about and then answer the question. So just to touch on what Erin mentioned earlier, I think that most folks that I talk to internally in DoD when we're just sort of like water cooler chatting about the stuff which we do, because we're nerds and we think it's really interesting, is that reasonable legislation that will place boundaries on what data brokers are allowed to do, on what terms and conditions need to look like, on what decisions people can make about putting their own data out into the world and how it gets leveraged, that that is something we need as a country. Our concern is that it's available on the open marketplace for anyone to purchase, including our adversaries, including anyone who seeks to do us harm, but that we would be hamstrung in obtaining it and using it to protect ourselves, protect not only our service members, but protect the United States against what our adversaries can learn about us. So that is the primary concern. Once there's, if there were a law tomorrow that said data brokers, you're no longer allowed to sell this stuff, then we would have to leverage whatever legal processes there are for DoD to obtain information that is otherwise not available on the marketplace. And there aren't that many ways that we can do that. 
So we do have authorities, for example, if we could find it through signals intelligence, then we would have to abide by the very strict rules around using signals intelligence to get that information. But if it's not out there, if it's not for sale in the open marketplace, our need to see it, our use cases go down as well. It's by definition not publicly available information anymore. So you take it out of the category that we're concerned about. So I just kind of wanted to touch on that because that is, I think sometimes there's a sense that DoD, or yeah, I don't wanna, I think sometimes there's a sense that we would, that this legislation kind of doesn't come from the right place from a DoD perspective. And I think we all wanna see reasonable constraints. What we don't want is constraints on our access to this information before there are constraints on everyone's access to this information because that goes in an order that creates a lot of concern for us from a risk perspective. Okay, data security EO. I got there, thank you for humoring me. So in early March or late February, I apologize, I don't remember the date. The administration released the data security executive order. This is an executive order that places prohibitions and also limitations on certain transactions selling bulk sensitive data about Americans to countries of concern. So that is what it does broadly. Now, if you read the executive order, it is very long and then you'll walk away saying, what are the rules? And there are almost no rules in the executive order because it creates, it basically establishes a rulemaking process. So right now we're going into the regulatory rulemaking process. There was an advance notice of proposed rulemaking that went out that asks 93 pages, I think, worth of questions. Yeah, I got to legally review all of them. And it is out for public comment. Those public comments are due, I think, April 18th or sometime mid to late April, so it's still open. 
And what those rules will do is define what is the sensitive data? Like what raises a sensitivity concern? So how are we thinking about defining the personally identifiable information? It doesn't use those terms, but that's in there. Very important from where we sit. Protecting government, it's sensitive government data is the term that's in the EO, but essentially protecting information about all of you, right? The folks who work in the national security community from going over to countries of concern. So there will be different definitions of what do we think about sort of every normal American's privacy information versus government information, which would be information about government employees, and then what are the bulk thresholds associated with that, right? So at what point are we limiting these sales? The bulk thresholds for government might be one. It might be 10. The bulk information that includes things like ad tech information, if it's sufficiently, sort of certain columns are eliminated. Maybe you can sell a couple thousand of those to China for reasons that you would have to justify. But that's essentially what's going on in terms of the regulatory process with the data security executive order. It is a really important first step. It places obstacles in the way of our adversaries, including PRC, and which ones of the countries of concern is an attorney general decision, but it includes who you think it would. But it is not by any means the answer to the question that we have been posing today. It does not solve our problem. It places serious obstacles in the way of our adversaries obtaining this information, but it will not stop the flow in its entirety, so we need to be doing other things to think about how to stop that flow and protect ourselves. No, thank you, Lindsay. Brandon, I know you've written about this topic, so I know you wanna contribute. Yeah, this is a passion of mine, something I've been working on for a few months now. 
I think Lindsay does a great job of giving an overview, just to add a few points to that. The EO itself is great to read. Yes, it doesn't have a lot of substance, but it's a really good job of bringing together, yeah, not that every EO isn't great to read, but this is a really, exactly. No, maybe it just shows what interests me in life, but it does a really good job of compiling a lot of discrete statements by key leaders into one document. So past CYBERCOM commanders have spoken about the threat of adversaries and data. The FBI director numerous times, the administration, the National Security Council, they've put it all into one document and really outline it and give some new details that had not been publicly shared before. So really interesting to see. On top of that, it's gotten criticism in a few regards, and just briefly talk about that, is resale. So if we prevent it from being sold to a data broker, what's to say that they won't then sell it to, a third party won't resell it to China or somebody associated with China? And there's provisions in there to get at that, that's a challenge. Second is like, to Lindsay's point, this isn't the be all end all. We know adversaries are gonna still continue to get data in other ways, buy companies with it, hack, use publicly available information and so on. So it is part of the solution, not the entire solution. And I would say it also calls out that not all data brokers are the same. Like yes, there are very nefarious data brokers that will for profit willingly sell to these countries of concern and it identifies six in the, but there's also some others that are more legitimate that put themselves out there as data brokers and sell for fraud detection, tracking down victims of sexual exploitation and so on. Last point on this, it's not the only solution. Like everything else today, we've heard about many House and Senate efforts. On this topic, there's also those. 
The House unanimously passed an effort to do something very similar, but a different mechanism. It relies on the FTC using their Section 5 authority. The Senate, under Senator Wyden, has an import-export regime, looking at essentially high and low-risk countries, looking at the types of data. So all that to say, we'll see what goes into place first, but there is a long path forward for this EO. It's not an immediate obligation, but the design overall is a breadth is from being an ad hoc and a case-by-case decision and rather use these bulk thresholds as a guiding principle, but there'd be exceptions and also licenses available if there are some niche applications that were not being considered. Thank you so much for that. So I'd like to open, how much time do we get? Five minutes? So yeah, we'd like to open this up for questions. Thanks. Couple of points of clarification. Lindsay, I understand and I get the, we need to be sensitive to the sensitivities of this kind of information and data in how we handle and use it and manage it. But that's different than saying the sensitivities of the data translate into reasonable expectation of privacy requiring a warrant to obtain it under the Fourth Amendment, right? I'm just trying to understand is there, it sounds like there's a line there that makes sense to me if that line is there. And to Erin, I confess, I haven't looked at this in the Fourth Amendment context, but like your point about the FTC actions, United States versus White, the false friend doctrine, I mean, obtaining confessions or admissions through that type of arrangement where a co-conspirator is turned confidential informant has long been deemed admissible, like not violative of constitutional rights. So why does the FTC action transfer into a Fourth Amendment violation by obtaining that data that's still been turned over to a third party? 
I really appreciate the opportunity because if I have not been clear, obviously I haven't, it gives me an opportunity to kind of clarify. When I originally was talking about Venn diagrams and circles without a diagram and asking you guys to follow me, what I was trying to get at was this idea that this information presents sensitivity concerns that feel private, but they fall in the definition of what is public, right? You have consented via terms and conditions, it's freely available on the open market. And I think there are special concerns that we need to have about information that like the really nefarious use cases like the doxing and the revenge porn and stuff like that. I think there's where someone has broken the law to put something into the public. I think there's a different legal analysis there, but if we're just talking about stuff that falls under the definition of public, then from my perspective, that is not information where the government to obtain it to require a warrant or something like that would be a constraint that is not required or merited under the Fourth Amendment. Where that information, so I will stop there, but that is where it presents sensitivities is where we can say, hey, the Fourth Amendment doesn't require a warrant in this instance, but it would not be good governance for us to therefore decide that we don't need safeguards or protections or reasonable guidance for its use. And that is where the government is right now, so thank you. And I'd like to add on to that. If the data contains sensitive attributes, we don't have to go all the way to requiring a warrant. There is a happy medium of, yes, we can put it in a secure environment, yes, we can restrict access to it, yes, you have to have need to know to get at that information, which is a far more reasonable requirement than going all the way to, you have to have a warrant to get this. 
Really quick response, I think on the question of the FTC, to the extent I wasn't clear, what I was trying to say was not that that creates a Fourth Amendment problem, but I think when I read the DOD policies and particularly the ODNI report, it talks about a baseline of collection, of purchasing this data on the theory that it's legal and it's publicly available. And I think what the FTC's decision does is actually calls into question whether the initial collection by the data broker itself was legal, and then whether or not then the DOD can sort of consistent with its policies continue to collect it in that way because the FTC is saying the collection by the app that used the SDK that then sent the information to the data broker was illegal under section five. And then onto the Fourth Amendment analysis, I understand those cases and I would just disagree that I think the scenario that we're talking about looks much different than a person wearing a wire or who's an informant. If that person is even one person, they have multiple interests that the user whose information is collected is completely powerless to actually understand and comprehend in terms of the amount of information that's collected, who is able to collect it and where it goes. It's very different I think than a physical world analogy. And so I think we don't have the case, right? So that is a law and sort of the case law and precedent that you could rely on. But I think as much as we look at Carpenter and Carpenter says it's not like we consented to this and we voluntarily disclosed our bank records or the call details that we've sent over the telephone network, this is completely different. And I think that sort of theory applies here and why it makes it sort of a different scenario. Thank you. Thank you guys so much for your time. Panelists really appreciate your contributions. If you wanna get them after we're on the break, they're here for you. Laurie, over to you. Thank you to our panelists. 
We promised you a very diverse group here and I think we delivered here. So thank you on talking about how to balance national security while also safeguarding privacy and civil liberties. So for our virtual audience, we will start up again at 12.15 for a panel on legal careers and national security. For our in-person attendees, again, we've got two optional lunch sessions. So you can remain here and eat your lunch or you can go upstairs to room 219 for an hour of professional responsibility. I am happy to report we have two food trucks outside, to the right, chads, one stop and flames and cones. For everyone else, we will resume back at 13 years. US Cybercom has responded to Russia's invasion of Ukraine, state and federal challenges to the security of our elections, regular consistent state and non-state actors, continued cyber challenges from China, North Korea, Iran and other potential adversaries. And has supported responses to numerous domestic incidents. What was once left to only the kinetic is now supported or even sometimes replaced by the keyboard. Cyberspace operations are now a critical component and incorporated into military operations across all operations and geographic combatant commands. The need for legal advice and subject matter expertise has never been more relevant, both domestically and in our international operations and engagements. A critical partner supporting US Cyber Command are the 54 states and territories of the National Guard who work directly with the OSJA section responsible for cyber legal support in their domestic state capacity as well as their liaison and partner relationships with US Cybercom's plans, partnership and policy activities. The Air National Guard also leverages its relationships with CISA and cybersecurity and infrastructure security agencies through the use of the Cyber 9 line. These partnerships help the United States protect, promote, leverage, defend and harden our cyber needs and requirements. 
The ability to quickly share information to leverage the authority secures the nation and keeps our adversaries off guard, engaging them as far forward in cyberspace as possible. As the United States continues to adopt asymmetric and innovative ways to restore our comparative military advantage and employ capabilities in joint or cross domains, the total force integration of the citizen soldier remains instrumental and we must continue leveraging our total force cyber warriors. I am proud along with the joint reserve component members of our team to continue to support this incredible and pivotal mission. All right, welcome back ladies and gentlemen and to our live streaming audience. We have a great panel on legal careers and national security because there are a diverse amount of jobs out there not just in the government. And so this panel, you have a varied amount of people with different backgrounds. They will be able to provide their thoughts and inputs. So with our moderator, Major Alex Holtsclaw who is the Chief of Administrative Law in the office of the Staff Judge Advocate at US Cyber Command. Alex, over to you. Thank you ma'am and thank you so much for being here today to share your varied experience and what drew you to national security and cyber law as well as any tips or ideas for folks who are interested in kind of breaking into that, what it means to be a national security law attorney. And so I'd like to thank you each for coming in today. Chris Morgan Rees from the National Security Agency Office of General Counsel, Danny Hernandez from Amazon Web Services and Lieutenant Colonel Josh Johnson who I know well from as a Deputy Staff Judge Advocate for US Cyber Command. So I'd just like to start with asking each of you to do kind of an introduction on what interests you initially in national security and or cyber law and kind of your individual path that you could share with our audience today. Chris, we'll start with you. 
Thanks so much for having me today. So, beginning as sort of a young philosophy student got very interested in law of war issues. So like between zero and three people before me joined the Marine Corps as an enlisted man because I decided that that was where I was going to learn about law of war sort of from the ground up. By sort of happenstance got involved in computers and computer networking during the course of my time in the Marine Corps deploying twice again with the 1130 expeditionary unit as a tactical data network specialist sort of understanding a bit how the internet worked. That sort of piqued my interest but had always wanted to go to law school prior to joining the Marine Corps as well. During law school had sort of a keen interest in national security. Some of the issues that I had seen arise during my time in the service from 04 to 09 led me to at least dabble in some sort of privacy civil liberties organizations, international human rights groups. But sort of for me a fundamental portion of that was that I had also done an externship in a government agency and just sort of had seen the sort of immediate impact of that work in a way that I don't think that I saw in sort of the private sector or rather in the sort of nonprofit sector. After that was somewhat torn between whether or not I wanted to sort of do law or policy and the Presidential Management Fellows program for those of you who aren't sort of intimately familiar with it ends up sort of offering at least some latitude to explore sort of both of those possibilities. Did that in CISA's predecessor organization which is the National Protection and Programs Directorate, which again is now CISA, where I worked again sort of on today's theme of partnerships but worked on information sharing environment issues sort of relatively nascent sort of critical infrastructure sharing communities and then did some time as well within the Office of General Counsel there. 
At that point did a rotation as well to the National Security Agency had no real intentions of having making a career in intelligence but to the extent that one can catch that bug I did worked sort of for the first four years of my time at NSA in Foreign Intelligence Surveillance Act and sort of all of its various colors, flavors up to and including sort of running the renewal in 2019 for Section 702 at least within the government from the NSA side. But then transitioned about four and a half, five years ago to direct support to a client organization which is the Computer Network Operations Group at NSA. In addition with a colleague I also have the CASA which is the Crypto Analysis and Signals Analysis Group. So again sort of the hackers and the code makers formed my client set in addition to advising the vulnerability equities process there and have enjoyed it immensely. That sounds like a great variety of experience from philosophy major to the National Security Agency. Translate more directly than one might think, yes. Great. And so Danny, can you share a little bit about your background? Yes, can everyone hear me okay? All right, good deal. So my name's Danielle Hernandez and I'm originally from Oklahoma. So for all of you out there online, you don't have to be from DC or the DMV to get involved in the IC. So my background, I actually did Peace Corps after college and thought I would get involved in international law and international development until I realized that international law doesn't really exist as a practice when you're a junior attorney. So then I was like, well, what can I do to serve my country? So I got involved, did internships with DOD, really fell in love with it, thought I was gonna be a JAG, got selected, and then got medically disqualified. So always have a plan B. 
And then got through law school, really loved it, got selected for DOJ honors for the FBI, then had some issues with the polygraph and they were like, this is gonna take probably three years to adjudicate, so find a different job. So have a plan C. And so then I had interned at DIA, I really loved it. Got involved, my mentor was a CIO attorney, Jamie Clark. He's still in the community, does federal acquisition security council work at commerce. And so if you guys know him, shout out to Jamie. But he was my mentor, got involved in CIO work, he really gave me a front seat on supply chain risk management when the FASC was just coming about. In that capacity at the Defense Intelligence Agency, I was also able to advise on JWICS. So anyone here connected to a TS network? Yeah, JWICS is the backbone. So that was a really great experience for me, really great for a junior attorney to really dig in on some cyber issues and network protection issues. And then from there, did a rotation at United States Forces Korea during the pandemic, cause there was a stop movement order in place for troops, but I guess civilians could move around. So I jumped over there, helped out, did some fiscal law analysis and really fell in love with fiscal law. Now I know that sounds so weird, but it is really cool guys. Everything runs on money, so appropriations law is where it's at. So I did appropriations law for several years for DIA and then really wanted to get into government contracting work. And that's how I bounced over to AWS. And now I'm an associate corporate counsel over there, doing government contracts work, supporting contracts with the intelligence community. So Chris and I were just talking, we're actually working on different sides of the same issue and didn't even know it. So very small world and it's really great to be here today. And that's really how I got into national security. Thank you so much. 
And we'll turn it over to you, sir, to talk about your background and how you got here to CYBERCOM. Well, first of all, thank you for having me. Amongst my many duties this week, right? MCing, helping organize it. For me, this is the most important panel. The ability to educate young attorneys, practicing attorneys, law students, college students, anyone who's interested in national security law to help them get to where they want to go, for me is the most important because I didn't have that. I sort of stumbled into both law school and national security law practice. And so come from a family of public service, sort of your stereotypical grandparents who started in World War II, actually grew up outside Fort Meade when I was a young boy. And then so I knew I wanted to serve and I also knew I couldn't afford college. And so I ended up doing Army ROTC at the University of Virginia. And while I was doing ROTC, I didn't know what I wanted to do in the Army. And so it was kind of going back and forth between an infantry officer or an intelligence officer and then I took a constitutional law class. And I just fell in love with the law and the fact patterns and the analysis and the critical thinking. And I was an American government or political science major at the time. And so I'm taking national security courses, foreign relations courses. And for me, just the perfect intersection of the law and national security was to try and become an Army JAG. Didn't know anything about becoming an Army Judge Advocate and I was told the Army's JAG School was in Charlottesville. This was a very long time ago, mind you. And so I just walked down the campus of the University of Virginia. The Army JAG School is adjacent to UVA Law School and I just walked in the Army JAG School. And I went to the front desk and I said, hey, I think I was 19 years old. I'm a cadet down the street at the undergraduate campus and I'm really interested in law and national security. What do you guys do? 
What can I, how do I become an Army Judge Advocate? And so they gave me great information. Took lots of national security legal classes to the extent I could as an undergraduate. And then when it was time to be branched for active duty, I was selected to be an intelligence officer. But I also asked, hey, can I delay my active duty service to go to law school? And so I was selected for educational delay. Went to law school and while I was in law school, took sort of your typical national security classes, public international law. This was a very long time ago. There were no cyber law classes at the time. And then I was coming in as an Army Judge Advocate. And so when I graduated law school, so did your typical, I think any service Judge Advocate, your first couple of years, you're really doing those foundational legal jobs really builds you up as a practicing attorney. And then when you have that foundation, whether that's criminal litigation or that's administrative law, contract, fiscal, then you can really launch into sort of a specialty. And so I was able to deploy to Afghanistan for 13 months where I was able to practice the closest thing to international law, right? So law of armed conflict, public international law while deployed, came back, had some other tours as an appellate attorney, got back to national security with the 75th Ranger Regiment and the Joint Special Operations Command did some more national security. And that was the first time I had a client ask me about cyber. And again, if you've listened to today's presentations, you heard General Haugh talk about the evolution of cyber command. And so the time I got these questions, the authorities weren't sorted out. It was very nascent. And that really sparked my interest in cyber. And I think along with the development and technology where we all have cell phones, computers in our pockets at all times just sort of really developed my interest. 
And so I'm also, I think gonna be the one to tell you it's never too late to cyber and it's never too late to do national security law. I had no cyber jobs other than being in national security law jobs with cyber adjacent. And I came to be the Deputy SJA/General Counsel at Cyber Command. And I think anyone who's been in cyber command or the ecosystem as a practicing lawyer will tell you, you're learning things every single day. And cyber is a team sport, we like to say that. Cyber is a team sport. So is the practice of law, right? And the right office. And you can ask folks on your team, have this question about cyber, can you help me? And so I think my big takeaway is it's never too late to cyber, never too late to do national security law. And there's an ecosystem out there to help you. And so anyone streaming, anyone here that has questions, please reach out to me. You can find me on LinkedIn. If I don't know the person to get you to, we have the network and ecosystem to get you to the right person. Thank you, sir. And tying into sort of these diverse paths and somewhat meandering, I'll share my own as well. After an undergrad in economics and history, the natural path was, of course, to be a management analyst at the Defense Information Systems Agency. Very obvious career path there. That got me into the DOD and all the obviously cyber issues, the backbone at the time, DISA did a lot of different things to provide the networks that everyone else relies on. And so I learned a lot from the technology standpoint, from the mission standpoint, working with military from different services. And then being a native, a good native of Northern Virginia, when DISA BRAC'd to Fort Meade, I said, okay, I'm never going there. I'll go to, now's a good time to go to law school. I've confirmed I want to do that and I really like what the GC does and these JAGs I've worked with. 
And so in law school, I had a little bit more defined vision of what I wanted to do and so I did take a lot of national security-related courses. I did internships with DOD and with the Air Force JAG Corps and decided this is the best law firm that there is out there. Global reach, variety, you get to move around a lot on the company dime and took advantage of Air Force programs to get an LLM in space and cyber law and that brought me to the 67th Cyberspace Wing to another assignment and then ultimately to Cybercom, at Fort Meade, where DISA is right down the road that I swore I'd never go and live. But it's been a fantastic journey and as Lieutenant Colonel Johnson said, it's never too late to cyber and there's a lot of really great interesting problems. But sort of speaking to that idea of like, we all got here through very different paths and different both educational and experiential opportunities, what sort of areas of study or practical experience, if any, do you think are either critical or just good to have for someone entering and or wanting to enter into this? And I think maybe I'll pass it off to Danny first and give everyone else a chance as well.
Okay, well, National Security Law is built on the back of admin law. You know, I was talking about fiscal laws, talking about contracts and acquisitions. You heard the DIRNSA up here, director of NSA, talking about the importance of the new authorities and acquisition that Cybercom has. You know, that's how we get things done. Everything runs on money. So if you wanna be a national security lawyer, you need to know money, you need to know personnel because nothing happens without those things. So I mean, it's really, I mean, as a junior attorney, you don't get to go in and do the sexy stuff. You're not advising on cyber operations on day one. You're not doing human operations on day two. You know, you're in there learning the basics and you know, it's a heck of a lot of fun.
I mean, doing litigation, you get to read about the crazy stuff that people do and that is a lot of fun to do for a bit. Fiscal law, you know, really fun to see how the budget works. If you're an attorney in here and you don't know how the DOD budget is put together or how the IC is funded, you need to go to a course because money is how we get things done. So I would just say, if you wanna be a national security lawyer, just be a good lawyer in the basic things. You know, know how to write, know how to research. Don't think that something is too below you because, you know, everything, again, everything is built on the back of admin law and without those foundational practices, we don't have national security at all.
Thank you. And as the chief of admin law, 100% agree. I'll turn over to Chris for additional experiences and perhaps training or courses you would think would be beneficial.
I'll neither agree nor disagree with my colleague on the panel here in terms of admin law and fiscal law, but I will say that I've not done much of either. But again, it does touch sort of all aspects of the work that certainly can't be downplayed. I think practicing in national security, at least for me, it's an interesting sort of space. And I think to the extent that young attorneys can sort of start thinking through the ways in which it differs from practicing law in sort of an open setting, gives one a head start on doing a good job of providing counsel to a client. I think back to sort of courses that I took, books that I've read, and sort of the one that always sort of comes back to mind was Jamie Baker's, Judge Jamie Baker. There are many Jamie Bakers out there. They're not all created equal, in my opinion, but Judge Jamie Baker's book In the Common Defense is absolutely fantastic. Just sort of as a study, a fundamental study of what it means to be a national security lawyer to provide advice to a client who will then take your advice, hopefully, or perhaps not.
But again, this advice is not necessarily going to make its way into court filings. This advice is not necessarily going to be put up for public scrutiny. This is advice that is going to be acted on or not. And at a certain point, sort of there is a final word on sort of those decisions. Understanding what it means to provide advice, I mean, speaking to a group of JAGs, I know that you understand this perhaps better than most. But again, providing advice on operational matters where there is going to be sort of a fundamental, there's a go time, and that legal advice needs to be the best possible advice that you can offer in precisely the time that's been allocated. There is not necessarily the option to kick the can down the road. This is a fleeting opportunity is a fleeting opportunity. But again, to the extent that those young attorneys can sort of be thinking about how they would like to act, how they would like to be, who they would like to be in those circumstances when confronted with sort of the difficult decision of potentially saying no, but, or something along those lines, just sort of getting that resolve ingrained in themselves prior to being confronted with the actual sort of conflict situation is something that I can't recommend highly enough.
Yeah, thank you, that's really interesting. Obviously, you can't file a continuance with an adversary to get the answer later. Sir, I would like to start with you on the idea of technical expertise. I think sometimes in talking to folks, law students, attorneys that have an interest, but maybe an intimidation factor, you said it's never too late to cyber and it didn't sound like you had a lot of technical training. What would you say about any recommended or do you think it's necessary to get technical foundational training or understanding in order to practice in this space effectively?
Yeah, I think sort of going off of Danny's line, I think the most important thing is that you're a good lawyer, right?
And so when you're presented with an issue from your client, the first step is you have to understand the facts, right? And so getting that technical experience, depending on what the question presented to you from your client is, then you need to understand the facts. If we're presented a cyber, if we're doing an offensive cyber operation, that lawyer doing a legal review needs to understand the mechanics of what we're doing. They don't need to be an expert in that area, but they need to understand those facts so they can provide sound legal advice and a recommendation to the client. It doesn't hurt. I mean, I know I've seen lawyers on one end that have every certification in cyber, privacy, and anything you can get. They were a computer science major. They founded their own cybersecurity firm and they also practice law. I think it's great, it doesn't hurt. I think if I had the time, then I would do that. But I think the most important thing is you need to be a sound lawyer. My experience, at least in the 75th Ranger Regiment was, we had an issue of to come and be a lawyer at the 75th Ranger Regiment in the special operations community, you had to go to Ranger School. You had to graduate Ranger School and have a tab. And I had a conversation with the commander one day and he said, I don't need more rangers. I need good lawyers, right? And so General Nakasone was asked sort of towards the tail end of his almost six years command at Cyber Command, and as the DIRNSA, like what really stuck out? What were sort of two or three things that you wanted to emphasize? And he said critical thinking and leadership. And so obviously as a lawyer, that's what we bring to the table is critical thinking. And so I think it's great. I read broadly, right? I've read every cyber book, not a cyber book, but as Chris said, fantastic book by Judge Baker. I read every periodical. I'm not gonna endorse any of them. I listen to every podcast. I go and talk to our operators.
I think you just, right, it's lifelong learning. It's always developing yourself as an attorney, but you just gotta get the foundation, as Danny said. And I agree with Chris on the book. I also agree with Danny. Between national security law positions, I went down a path of administrative law. And we liked this for several years. And we like to say in the Army we have a senior leader who likes to say, America runs on Dunkin', no endorsement. But the military runs on administrative law. So at least within the military, administrative law absolutely the foundation. But one of my regrets, lowercase r, is I didn't do enough contract, fiscal acquisition. And so you look at, when I first practiced national security law in 2007, the technology was not developed and what you would call national security law is not what it is today, right? National security law today, as at least the Army JAG Corps thinks about it, is really the intersection of all these different practice areas, which is contract, fiscal acquisition law, it's intelligence law, it's cyber, it's space, it's maritime, it's information advantage. It's intellectual property, right? You have to know the Constitution. You have to know domestic statutes. You have to know international law. When I was coming up as a national security lawyer and to your point, Chris, actually overseas when providing advice, I mean, the lives were at risk, whether it was American lives or those of the adversary. And it was slightly easier. Nowadays, absolutely, the intersection of all these different practice areas. And you have to sort of have an understanding or at least have that team that can do those areas. Hopefully that's helpful.
Thank you, sir. I'll add in my own experience the actual operators, the military, civilian personnel who are doing the stuff, the IT, managing infrastructure, doing operations, they are amped to share. They love what they do. They love sharing it.
And so I think if you don't come in with kind of the knowledge to get the set of facts and know exactly what it means, go back to the client and they will love to train you up. They will love to explain exactly what's going on. But also ask, I've been fortunate to take advantage of the surge in online training opportunities that DOD has been presenting in the last few years and took some introductory courses, the same stuff that some of our folks take. So ask, hey, is there something I can take or is there a way that I can sit in on this, kind of audit this? I don't need the certifications, I just want to understand better. And I have yet to be turned down, to have a chance to get in their training courses, to sit next to them and look over their shoulders and really get the best understanding I can without necessarily getting the certifications or even attempting to try to be close to their level of being able to do anything in this space. So I'd also like to...
Sorry, Alex, if I could jump in, the original question you had asked, what's sort of a fantastic experiential learning opportunity to really touch cyber, to touch all these other areas, contract, fiscal acquisition, intelligence law. I'd be remiss if I didn't mention the Law Student Volunteer Program at US Cyber Command, which I wish I had as a law student. And so if you're a law student out there, get in touch with us, look for our advertisements, but as a law student, if your law school will allow you, you come to US Cyber Command, we put you through the security screening process. And under the supervision of a practicing attorney, you get to do all these really interesting, neat, cutting-edge things. We have two law student volunteers right now, we'll have two in the fall and then we've got some in 2025. But look for those opportunities. I wish I had that when I was young and I would fail if I didn't plug US Cyber Command opportunity.
Yes sir, I definitely agree.
We've had some great intern students helping out, getting experiences that I would have loved. I love the experiences I had just to kind of plug the various programs. I interned at DARPA, I interned at the DOD, I interned with the Air Force. You heard mention of the DIA internship and the Fellows Program. As a law student, just reach out, LinkedIn or the public-facing pages, hey, I am really interested in your mission. I would love to know if you have any existing programs or if maybe that's something that I could work on with you. Lots of students do it for credit or just do it because they want the experience. So definitely, I think that's one way when you're like, oh, I don't have experience. Well, when you're a law student, that's I think one of the prime times or recent grad, some of these different honors programs that are out there. So reach out, if you're not finding anything or your career services, reach out directly to the entities and they'll let you know what they have on the table. And I think in some cases, if an agency or command gets enough sort of spontaneous interest, then they can maybe make the business case to create a program. So you could also help yourself and future folks that want to get into it. I'll kind of go back to the question about maybe technical knowledge and training and just wanted to ask Chris as well on your experience and any suggestions you have.
Sure. I mean, I think it's at least in my experience, highly dependent on the client that you have. So I am sort of happy to work with an extraordinarily sort of technical workforce. And so would say that any attorney and have said this internally as well, any attorney who is sort of coming to work at NSA I think ought to have a baseline technical knowledge. You need to understand sort of the basic fundaments of how the internet works to at least have some shared vocabulary with the client as you walk in the door.
Again, that may not be true for all clients but I do think it is very true for mine. And so again, that doesn't necessarily hold to broaden that the scope then I guess of sort of the advice or whatever it is that I'm offering here. I think understanding your client's business. And I think we've heard already three to four to five to 10 great ways to sort of get that understanding whether it being not suggesting that you have to go to ranger school. But again, like understanding the people to whom you are providing that advice that can come in the form of online classes that can come in the form of client conversations which again is sort of one of my favorite ways to sort of engage in that practice. I think it helps to build the trust with the client to understand that they can speak to you about complicated issues that you are going to at the very least make an effort to comprehend what it is that they spend their entire day doing. And sort of my typical question and I've sort of phrased this in a number of ways over the years but my current favorite is essentially going into the client it helps that I happen to provide operational support but going into them and saying if you need to call me on Friday at midnight what is it that you want me to know when I walk in the door? What do you want my baseline knowledge to be before that emergency so that we don't have to start from square one on Friday at midnight? And again, as you've heard I think everyone on the panel at this point say like really that there's clients often are very keen to share that information with someone with whom they don't work every day to have the attorneys come in and express an interest in the way they do their work because often at least again for my client these are things that they can't speak about with anyone outside of the building and everyone who works in offices and cubicles around them already knows exactly what they do. 
They've already shared all that information so the idea to be able to speak to someone sort of openly and candidly about their work is I think an experience that many of my clients I hope have enjoyed as much as I have but that's yeah, I'll end there.
I appreciate that insight. I mean obviously as you said you do need to know and it's been reiterated you need to know the facts. So I think I'm also hearing kind of a theme of like an openness to learning and not being afraid to ask, right? There's no dumb questions but there can certainly be poorly written legal reviews if you got the facts wrong. So yeah, I think someone in this space as technology changes as we've heard through the other panels today, you need to be willing to keep up or try to to the best extent you can. You're interested in hearing from you as well. I know in obviously like acquisitions, supporting national security missions, do you have a similar mindset and experience as far as what technical knowledge you need?
Absolutely, I certainly think it's necessary to have a technical knowledge of what my client does. For example, like I work for AWS, we do cloud, if I thought cloud was in the air, I'd be a really bad attorney. So cloud is on the ground, it's data centers, it's wires, it's computers and that is cloud. Do I need to know how to code to be a good lawyer to my client? No, but do I need to understand their business and their services and how they wanna operate? Yes. Do I need to understand their security requirements? Do I need to understand their supply chain requirements? Yes. So it's very expansive the things that we have to be up on and I mean it's part of our professional responsibility. How can we be a good attorney if we don't even understand what we're opining on? My client doesn't wanna know what I think, they wanna know what the law is and how it applies to their business. So I certainly think it's very important to have that technical knowledge.
So whatever client you're advising, just make sure you understand their business and what they're trying to do. Cause we're enablers, right? We don't always say yes, cause that's not the goal but we wanna enable them to do their mission in the most efficient way possible and in order to be efficient, we have to be knowledgeable.
Yeah, absolutely agree. I think kind of going back to something I heard and at least two of your comments, security clearance process, right? That can be maybe intimidating or if you're a student and you've never, you don't have family that's worked in defense or any of these related industries and you are told, hey, we have this form and then it's gonna take a really long time. What maybe encouragement or insights or is it worth the wait, right? I will maybe ask Chris coming from the NSA office if you have any thoughts on sort of that potential roadblock to people even trying to enter the space?
On the assumption that my security personnel will review all of my comments, our security office is great, they're there to make sure that the right people are getting in the door. Yes, but look, it's not the most comfortable process. I cannot claim that I had a whole lot of fun going through the process and I would not promise that for anyone who's listening. Nevertheless, the stuff that I do every day I couldn't do if I hadn't gone through it and it's fantastic. So again, is it worth the wait? Like if you're asking me, absolutely.
Now, Lieutenant Colonel Johnson, you raise it in the context of the intern program but as someone who's been a supervisor and you've kind of worked with folks as well as your own experience going through the various processes, what maybe advice or thoughts would you have?
Yeah, I agree with Chris. The NSA security folks are incredible and wonderful. I just wanna say first, it depends, right? Very lawyerly. It depends on the job you're looking for, right?
If you're coming and you're interested in working at the NSA or US Cyber Command, we have certain security requirements and maybe that bar is up here, right? You need a typically top secret clearance. You need to pass counterintelligence polygraph, some additional screening. If you're looking to go into a military service as a judge advocate, it's a little bit easier. You need a secret clearance. There is no polygraph required. It just depends. I mean, corporate America, whether you're at a corporation or you're at a law firm that has a national security law practice, it depends who are the clients. And so I don't want folks to get discouraged that, if you're not interested in coming to Cyber Command or the NSA or other government agencies that have sort of a high bar, don't be frustrated. There's a lot of jobs that are much quicker in terms of background checks and security clearances. One, I would, for those folks that are coming to those agencies and organizations that have a higher bar on security clearances, including a polygraph, I would tell you, be patient. It is absolutely, as Chris said, absolutely worth it. When you get through the process and again, depending on where you're working, you're looking for a mission and responsibilities and fulfillment that will go beyond your wildest expectations. And so patience depends on what job you're looking for and then absolutely worth it.
Oh yes, please.
As another tip, don't do drugs, like hard drugs. So stay away from those. I heard a CIA attorney say once that in order to get your clearance, live the most boring life possible. Like don't do crazy stuff that's gonna get you arrested or don't do drugs that you're gonna have to report. So it absolutely is worth it. It does take time. It took me several times to get through my polygraph. The worst people to take a polygraph are lawyers. The best people are sociopaths. So just if you have trouble with a polygraph, it's okay. My polygrapher made me cry.
Probably not the best security personnel. You probably have better people over here. So just know that it might take multiple times. Just be patient, live a boring life, don't do drugs. And yeah, go get through it.
I think maybe what we've heard here is also another push for all these different programs you could do as a student to at least get like a secret clearance and make you eligible for a fair number of jobs. I know we've got panelists up here who have all done jobs that required a top secret and that can be a longer process but there is a ton of great work in national security space, in cyberspace, as an attorney that doesn't necessarily require that. So if you're looking as like, hey, I wanna get into this. I want to start down this path to maybe work in one of the agencies or departments. Then if you get the right internship or get the right entry level job, you don't necessarily have to try to break all the way to your ultimate goal at the first step. And don't let it be an obstacle or a deterrent because as we've heard here, right? You can have one where it's like, oh, it's gonna take several years and that's maybe not a timeline that your student loan debt can sustain. So definitely appreciate your story of perseverance and as we're getting to kind of the end here as I wanna give a chance for each of you maybe to give an anecdote or example of something that was either maybe really interesting and rewarding that you've done in your career thus far related to national security and or cyber that you can obviously share in this unclassified setting. I will maybe start at the end with Lieutenant Colonel Johnson as he looks deep in thought.
I'm trying to screen my anecdotes for classified information.
I would give two, I mean in sort of again, years ago when we were doing, we continued to do the counter-terrorism fight being part of an organization and providing legal advice where we were able to target someone who had caused grave damage to the United States and additionally in terms of casualties and lost Americans, we were able to target that adversary successfully and then really every single day at US Cyber Command and working with our partners at the NSA and with the private industry and academia. Every day I come to work, I don't dread it. I walk briskly from the parking garage to my office because I know every single day I'm gonna learn something. I'm gonna have incredible clients and incredible partners throughout the interagency of the US government, private sector, academia and so really every single day. I don't have one at Cyber Command that I can necessarily share, but there's so many.
Thank you, sir. We'll maybe just come down the line to any of you having an example you'd like to share.
Yes, let me tell you tales of fiscal law. No, I won't do that. But I would say probably one of the most rewarding things was resolving an issue that happened with one of the combatant command J2s. Whenever I was at DIA, there was an ongoing funding issue that had been going on for over a decade. I dug in, flipped out the CBJBs, the Congressional Budget Justification Books, figured out funding, wrote this beautiful memo and then went in there and just owned it. It was great and ultimately providing the facts and the analysis enabled my client to enter into a successful negotiation. So something that had taken 10 years to resolve was resolved with just facts and analysis. This is the truth. And so I would say that as we kind of go forth and be our little attorney selves, I mean, that is the success story, right? It's just like being a good attorney, getting down to the facts, doing the analysis, enabling the client.
And so you can do that in whatever portfolio you're in. It could be a sexy cyber story that you can't talk about. It could be a really cool fiscal one. And so, yeah, I just want you guys to kind of go away with that knowing that, you know, just be a good lawyer.
Thank you. And Chris?
So in the interest of maintaining my job, et cetera, and having something to go back to on Friday after the conference, I think I'll just sort of make a broader statement if I could, just generally about I think the pleasure that one can find in what I would call sort of providing sort of translation services. So again, highly technical client that then needs to be either expressed there, that sort of highly technical detail needs to be expressed in a way that is sort of digestible, whether that is a FISC judge or whether it's to sort of a decision maker and sort of seeing the legal analysis, seeing that our own understanding of sort of the technology can be sort of translated then into a way that is cognizable by the law and understanding that it's highly unlikely that that particular nuance of technical detail and that level of technical detail has likely ever made its way into sort of the legal spotlight. I find immensely satisfying and I'm just not sure where else one could do such a thing.
Thank you all so much for your contributions today. I'll turn it over to Lieutenant Colonel Lincoln.
Thank you everyone for watching and participating. Thank you to our panelists for sharing your experiences and advice, both to our in-person audience, but particularly to our virtual audience targeting our younger attorneys out there and students that want to get into a career of national security law. So for everyone, we will be on break for the next 30 minutes and our session will resume at 1330. Thank you.
I'm a third-year law student at Georgetown University Law Center. Hi, I'm Elisa Savanias and I'm a third-year law student at Harvard Law School.
We're here to share about our experiences as law students with the U.S. Cyber Command Office of the Staff Judge Advocate. The U.S. Cybercom Student Volunteer Program provides an opportunity for highly competitive law students who have an interest in cybersecurity and U.S. national security to work alongside U.S. Cybercom attorneys in a variety of cyber and national security law-related matters while earning semester credits towards graduation. Law student volunteers have the unique opportunity to be exposed to cutting-edge legal issues affecting U.S. national security interests across the globe. The invitation for applications is published during the fall semester on the U.S. Cybercom website. Applications are accepted between January 3rd and 31st. Qualified applicants must be able to obtain a top-secret security clearance and should demonstrate strong legal research, writing, and oral presentation skills as well as have an interest in cybersecurity and U.S. national security. While the student volunteer program is unpaid, students can earn course credits toward graduation while gaining invaluable professional experience. I specifically went to law school with the goal of becoming a cyber and national security lawyer. So it doesn't really get better than an externship with U.S. Cyber Command. The attorneys are collaborative and involve us in all aspects of their practice. We tackle complicated legal issues and have planned a series of meet and greets across the interagency, exposing us to the work of other federal agencies. I definitely didn't expect to have the opportunity to review a cyber effects mission as part of the national security law team. I'm obtaining real-world experience that I know is going to be invaluable as I launch my career in national security. As a bonus, you get a clearance and develop professional contacts. I applied for U.S. Cybercom's law student volunteer program because it offers an opportunity to gain hands-on experience and work on some of today's most cutting-edge legal issues. Our day-to-day work involves conducting legal research and writing under the supervision of the attorneys here at Fort Meade. Whether it's helping to draft a legal opinion, reviewing legislative proposals, or attending legal engagements with partners, this experience has been incredible. Working with them, I have learned a lot about how highly effective attorneys approach complex questions at the intersection of technology and national security. Their feedback has allowed me to sharpen and expand my legal skillset. This experience has been a highlight of law school, giving me the chance to be part of an incredible team and mission. If you are a law student who is interested in pursuing a career in cyber law and U.S. national security, we encourage you to visit the U.S. Cybercom website and apply next time.