 Hi and good morning and welcome everyone. My name is Bridget Chan. I'm the program manager for the share the mic in cyber fellowship at New America. And I'm very excited that you are joining us this morning for a fireside chat with Nicole Tisdale on cyber insecurity and 2024. I also have the great pleasure right now to welcome our second cohort of share the mic in cyber fellows who are at this conference room table with us. And so we are welcoming you to join in the conversation with the Q&A at the end. To frame this whole event. If you have been keeping a pulse on all things cyber in 2023, you'll know that last year was fairly eventful. A few highlights include the release of the national cybersecurity strategy, the proliferation of generative AI products and services, emerging conversations about data governance and privacy, and just increased ransomware attacks. 2024 promises to be just as if not more intense, the 2024 presidential election will be happening in November. There's a predicted rise in AI enabled cyber attacks and intensifying efforts to fill the cybersecurity workforce gap are among some of the things that we can anticipate in an otherwise unpredictable year. So Nicole will be in conversation with Sam Stephen of Axios to help us make sense of what we can realistically, or what will realistically be the most consequential issues on the horizon impacting our nation and issues that she has her eye on in 2024. So now I'm going to hand the mic over to Sam. Thank you for tuning in. Thank you everyone for tuning in. I'm Sam Stephen. I'm going to be able to actually meet Nicole in person for the first time and talk with her and pick her brain. We spent like 10 minutes learning about Nicole's routine and life and I'm like, trust and overwhelmed and feel ill equipped to do this but we're going to see what happens in the next hour. Before we really get the conversation started, Nicole, before we look forward, let's set the page. Looking back at the last year and I know we're only like three weeks into the new year and maybe perspectives will change as we get more time but for now, what were maybe some of the big trends and, and yeah I guess big trends at 20.3 that you noticed, saw and think are going to be meaningful having into the year. Yeah. Well, first of all, thank everybody for joining us. I'm very excited to be able to kind of see it and have this conversation. I think we all know, at the beginning of every year you have all these people that kind of like lay out their predictions for 2024, whatever the new year is going to hold. But I love that we're here with the research community, the data collecting community to talk about our calories because I think sometimes in civil society, the priorities are a little bit different than any of the important for government actors and for the private sector. So I'm very excited about today. I'm also a fan of spam. I've been slightly stalking her lightly on the internet because I also think you do such a great job at these talks and bringing cyber down into a space where it's like everybody know how to do their own. So that means and I'm going to do the thing and say, well, this is the biggest thing in 2023. I, I think, taken from 2023. I thought we saw cyber security really be a model in effective government. And so they were with me. I think when you see in terms of the strategies that we're all about, so you see the White House Office of the National Society, we're going to roll out not just their national cybersecurity strategy but also their education and workforce strategy. We were also in a place of, and I think about when you think about what a strategy is the White House also rolled out their artificial intelligence, you know, all of that, those strategies, those are playing as those are roadmaps. So that is the administration and the executive risk and this is where we want to go and we want to ensure private sector knows this is the roadmap. This is how this is what we're going to do. But also to Congress is a signal to Congress. These are the areas that we are going to be doing our policy making and so as you're thinking about where you're going to do while making this is it at all possible where we should coordinate and where we should be on the same page. I also think it's a really good signal to civil society. Because civil society gets to act as an advocate in a very different way of shaping what those priorities should be and then also being a voice for what types are being a voice for groups that may not have been included. And so I thought also on, so you've had the strategies coming out and then you also saw a lot of implementation. So I'm, I'm quite a fan of Congress, people know this work here for a decade and so I remember a lot of people say well we need Congress to do something about yeah we need Congress to do something about it. And I'm like, wait, Congress needs to be delivered. And Congress is doing a lot on AI. We don't always need a piece of legislation and I think it's important sometimes to just stop, get away at the land, give advocates a time and give advocates time to participate in the lawmaking process. And I also would remind people is Congress didn't want to work on cyber security in the previous year and so if you saw a cyber incident reporting indicating law that Congress has given that agency's time to come up with that rulemaking process. So now that you know that all critical infrastructure owners and operators have to report major cyber incidents. What does that work like? What data do we need to collect? How quickly do we need to get that data? And then kind of what our response is. Congress also got to see the fruits of their labor in the rollout of the cyber security grant program. So that was a billion dollars that Congress appropriated in 2022. And so you saw that money started to actually take the communities that are going to be using it. And so when you put all of that together, I'm biased because I like cyber. But I thought that was a really good model of this is what effective governing looks like. When you add to the piece of not just what we've been doing domestically, but what we've done internationally. And so you see we have the global ransomware task force, but also, you know, we now have a U.N. Working group discuss and cyber. So I'm like being very public about it being part of a mainstream conversation in a way that hasn't been. And so I hope I'm in the case of like when I say effective governing, I think all of this show a level of coordination, as we are all trying to move toward resilience. Totally. And I think just to have a point, right. I think a lot of people in Silicon Valley and tech industry, people in news, myself included want things to like move fast. And that is not what government does by just the nature. Right. Well, if you don't want to do a lot every two minutes and then like how back and forth and all of this like compliance and money dog. So I think it makes a lot of sense. Right. It's effective. You know, we're learning, we're figuring it out. There are all these moving pieces and kind of are just shoving through the door and it's a lot of stuff. I do wonder though in in the last year, there were any, if there's anything in that these roadmaps and these implementation strategies, the actual implementation. If there were any like big trends or big questions that you think started to rise that will end up being that means throughout 2020 or anything lessons learned from the past year or anything like that. Yeah, I think the big question and one of the things that we'll get into this a little bit more. I think we're going to have to be a lot more aggressive when it comes to parents right so as we've been seeing these attacks increase and whether that's the use of more to alert the tips that we need to data breaches. There are all these signals that where it's more and more is happening. The tax are happening. The tax surface is getting larger and happening at a scale. And I think time is always really, really important. And I think we are at a time where we have got to start back having policy discussions about returns. We cannot always be in this reactive space. I would also say, defense is great, but defense without deterrence just means you're in this constant battle. And so, I wish to joke with people about cyber incident recording I'm like that is the piece of legislation that I spent my entire career working on. But it's because the timing wasn't always there, so that people could say, wait a minute. Why don't we have mandatory cyber incident recording and I always tell people it was really prolonging your life for the cyber community. And I always cautioned cyber experts who are like, well, it was just a bad cyber hygiene. I'm like, no, that could cyber security as a kitchen table issue in a way that it had not. Right, so that was at a time where people are now saying, well, what is ransomware? What is a cyber attack? Why is it impacting my ability to buy gas? There was also an influence operation where it was like actually it's not compacted. We're going to go by gas. We're just all making a run on the gas stations and our global budget is not set on that way. But for us, I was in the White House at the time that got me to the top of the congressional agenda that got us to the top of the press cycle so that we could say, hey, y'all, we really do want to make some improvements on cyber security. And one of them is where we start with when you want people to report these cyber attacks when they have it. And most of the public did not realize that that was a requirement. It wasn't a requirement, right? And so I was able to do in eight months what I could not do in ten years on the deal because it was a time issue. And I think as we see these attacks on our healthcare, like nothing is off our end, right? All of these things can be attacked. No hospitals can be attacked. Our wastewater and our water drinking supplies, all of these things can be attacked so if nothing is off limits, when do we have this conversation about the service? So that's the big question. I know there's like a few pieces of legislation and of course Congress consistently is having my hearings where they're talking about this. The White House has mentions of it but I would love to see in 2024 that we, especially civil society, start to get to the technical and say, all right, what are we going to do about cyber norms? What are we going to do about insurance and what are we going to do about penalties? Totally. And when you're talking about deterrence, is it basically like having that cyber plan knowing once you, I know it's everyone's favorite phrase. Is it something like that or certain people need different things like deterrence? Yes, I will say, I mean, I do have a national security background. I have words and intelligence. I think all things should be on the table, but I would caution people against hacking that as like that. So that's not deterrence. To me deterrence is a tool box and you have multiple tools in the tool box. Deterrence can also include attribution. Deterrence can also include classification and information. How much information do we share with the public? How quickly can we give attribution? Who did this? What methods did they use? All of that stuff is a part of deterrence and so I'm sure we have people tuned in and are like, Nicole's all for having that. That is not what I'm saying. I'm also not taking it off the table, but we need more tools in the tool box. That's amazing. Okay, and it's sanctions. It's those court orders. It's all that stuff. Get your computers ready and let's get after them again. Yeah, I mean, that is a big thing. And I always warn, there are multiple things when we talk about research, right? And so I'm thinking about this one. I'll also make this base of, on the field and when we're at the White House, I've heard a lot of the arguments of, well, if we set up cyber norms, only the big guys are going to follow the cyber norms. And I would say, well, right now into the guys or follow those cyber norms. And so us not having the norms is not stopping the attacks. And so we have to have a full conversation. And it's a conversation that we cannot have without civil society being at the table because I think we have to have more than just the cyber community and the national security, the traditional national security community at the table. Like we need to have the human rights activists. We need to have people with healthcare backgrounds, all this. As we set this up, we need to make sure these are going to be rules of the road that everyone can follow and everyone can be included in it. Totally. Totally. And the process is one of these things, but as Thomas, we're going to look ahead to 2024. I promise we're not just going to talk about the past. But you know, heading into 2024, what are maybe your top three things that you think the community needs to be talking more about, focused on. There are more than three, I feel like three. Yeah, I don't want to limit your creativity and thought process, but you know what, what are maybe those three items and it's okay to turn one of them. Well, so when I for 2024, I think that I'm going to be working on is how cyber operations, not this text, but cyber operations impact marginalized communities and vulnerable community. I mean, when I think about the top three things they all fall under that umbrella so I'm really interested in focused on what we're going to do about. And then both cyber attacks, and I'm interested in election security, and I'm also interested in international coordination and all under that umbrella of protecting marginalized groups and our most vulnerable populations. And I say, I think as everyone rolled out their articles about the biggest hacks of 2023. What became clear to me is their groups that are not at the policymaking table because they have like traditionally just not been included in a national security conversation. So we hear that the, the supplemental food program suffered a, they're sorry their cars that they use to pay out for food assistance to vulnerable groups had a major cyber attack in 2020. And then you saw the policymaker, the policymaker is kind of being a response mode where it's like, okay, so we are realizing now that those cars don't have traditional fraud protection. So just because someone steals your money from the public food assistance program doesn't mean that you can call the 100 number and the money will be put back on the card like your credit card. And so you saw Congress very quickly get a supplemental in place so that you could recover some of the funds, but you could only recover two months of the funds. And so you have people who were who are already on the margins of society, right, they need assistance and that was low income families, a snatch of disaster victims that are military veterans and they're felt their families it's also our Asian population. They cannot sustain a cyber attack that takes away two months, one month, three months of their benefits. And so when I think about that, we don't normally, USDA runs that the food assistance program USDA cyber division is at the cyber policymaking table, but not the benefits. Right. And so when I work I didn't know that the car didn't have traditional fraud protection. They have to be sitting at the table when we're having these discussions, because and we can have Congress always been in a place of saying, Okay, this happened so now we're going to try to give an influx of cash. And it takes a long time to do that and also recoup everything that we lost this just not an effective way to do policymaking. So what I think about AI in both attacks, I'm thinking about those people who are not at the table. When we talk about election security, I think the cyber community has done a really good job in terms of getting ready for 2024 elections, not just in the United States but also global community. And so when we think about it, I see a lot of a lot of assistance and work being provided to our election critical infrastructure, and the people who support that work. I think you also see civil society has a little bit of muscle memory and so we know how to physically protect people from intimidation at the polls but also in the leader. It seems like we do not have a private sector focus and civil society which is trying to wrap their arms around it are protecting the most vulnerable groups from the influence. And when I say influence operation is left about who you're going to vote for is really depressing and suppressing people's belief in democracy as a whole. And when you talk about marginalized communities impact them in a very different way, because democracy is the only way they can address some of these systematic issues of racism and classism and sexism. And so telling people that democracy isn't working, they shouldn't vote, nothing is going to change. That is impactful in a very different way. And when we see now we're seeing state actors have got it. And now they have cyber tools that they can use to do this at scale and it's relentless and it is tailored to these communities and the grievance the real grievances that they have. So when I talk about election security, if we're thinking about the three pillars the physical security and then the cyber protection of the election infrastructure, I'm firmly in this third tier which is focused on cyber enabled influence operations. And even if it's possible to make this short at this point, just the international coordination of all of it. I always tell people when they're like the elections are coming elections come and I'm like, y'all, the elections have started. This is a global election year we're going to have 2 billion people deciding their names heads of states. This is an important election year not just for the United States we don't go until November a lot can happen between that time period with our other international partners that is going to impact us in a way that includes what happens to us as a whole, but we are going to be either going to be our partners that we're going to be governing with for as long as they are in office in that respective states. And so I think we have got to when we talk about what we're going to be doing in 2024, just make sure that our partners are at the table with us and we are in loss because we know whatever phishing can happen happens in the United States can also happen in the UK. It can also happen in Nigeria, whatever election security issue that happens in the United States can also happen in India. It can also happen in southern hemisphere countries. Totally. Yeah, I feel like there are a thousand questions I can ask from, from the story about kids and I have the impossible task of thinking one which I guess maybe what are the ramifications that we don't focus this in and think about it seems like the overarching trend here is thinking about the impact on people and the impact especially on more joining communities. I feel like a lot of times we're thinking policy we're thinking since I said we're thinking the flow of money we're thinking trade and other impactful things that are not about the actual victim so we're the people who end up having to live with the circumstances of influence operation or even like a water plan EMS. What are the ramifications that we don't center this on people or we keep getting about the people in this right that you manning aspect of cybersecurity. I feel like anything I say I try not to be like a doomsday person in cyber I feel like there are a lot of doomsday people in cyber. But what you're going to end up with is just more system. Whatever we are talking about, it just amplifies what is already there and so if you to the point of like what happens if we don't address this, you're creating more inequalities you're creating more disparities that are impossible for people to overcome. And you are I think about these attacks that have been happening on our school systems and we don't have a lot of data for the private k through 12 schools but we have a lot of data about how much money, these public k through 12 schools have been have basically had to use to respond to cyber attacks, but also increase their their cyber protections. Those schools can't get that money back. And so if they are, if they are, the money has to come from somewhere right like if you to percent more for your cyber budget, you have to take that from somewhere. That's not something that's going to be impact on society but that's a long term impact on society, because that is something that is taken is it the after school programs. Is it the Miss learning days there are all these things that are going to impact our society as a whole is not when we attack our most vulnerable and our most marginalized communities. That ripple goes throughout society and it happens long term. And so when I see these attacks on our school system, I don't think about what their response is today I think about what these students are having or how these students are being attacked long term. If you see a student's data has been released publicly, or sorry has been part of the data hack, or identity fraud. I think about what is going to happen to that student with their credit is messed up at age seven or two and when it's time to apply for a financial pay when they go to college. I think about what's going to happen when their employer is like we can't you can't get a security clearance because you're crazy. That is what I think is the long term issues and as we're thinking about how this impacts us in the future you can't think about the 30 day 90 day to be thinking about what is this going to look like in three years what is this going to look like in five years. Totally. And then just a reminder for those here or tuning in virtually, probably in like 10 minutes or so I'm going to take audience questions so start thinking about them or living them. Please submit questions. I mean I can keep talking forever but you know. And maybe just switch here a little. You very clearly have a lot of government experience whether it's in the administration or Congress. And of course, ever since Colonial Pipeline it's felt like there has been like a sea change in even what cyber policy looks like how it's structured how it's governed in the US. I would love to hear a little bit about how you're kind of doing everyone's roles and how they shifted in years and where potentially we can keep strengthening or building upon the changes that have happened in the last three years. Yeah, I do think DC has become, especially when we talk about cyber policy, I think we've become much more inclusive of the groups that need to be at the policy table. I think it's not lost owning that we are here today with the share share the mic in cyber fellows who are also part of cyber civil defense where we have all of these nonprofits who have very focused areas that they are working on in cybersecurity and you have like we have everything from cyber education and awareness with Girl Scouts to the think tanks of the world like the Institute for Security and Technology or the Aspen Institute, but then we also have shadow server who is also provided technical services to the federal government. And so wouldn't I say the cyber civil defense I'm like, yeah, you can join your three, all the way up until at this point, until you decide. And so I, that is a really good example, it has not always been like that. There was a time when I was on here where we will work on legislation, we really had to be very intentional about many civil society groups to come and sit at the table I remember the first conversations we were having we were trying to decide what are we going to do on the bridge, are we going to legislate on encryption, where are we going to require it. And we were inundated with people from Silicon Valley, literally today, strange all the economy to let me go to pay. But then we also have everyone coming in from the executive branch. Most of them hated it. And I just remember saying like we got to get some more players at this table because yes, like the private sector can provide good information and they can help with policy making, but their mission is just very different right same thing with the federal partners. Their mission, the FBI has a very specific mission that impacts how they feel about encryption. Having civil society at the table really does give you kind of like the best of both worlds. And so when I think about how the roles have shifted, I decided to see where we have organizations like SZA, and I'm trying to use some acronyms in 2024. I'm going to talk about cyber, the cyber and cyber security infrastructure security agency, but then also the national security agency, these partnership programs that we are now talking through, do we need to cut a button somewhere. And I tell people I'm like, y'all, that's just not where this town was on both sides, right, the private sectors like do not fit in well it will be a part of a public partnership. Also the agencies are like, hey, we're going to keep this up. This might just be something that the current. I think that is a significant shift around being proud of the cyber community to say, you know, we need these partnerships, we need to make sure that they are set in statute because it doesn't matter who's leading the organization, these are important. And we want to maintain these relationships. And so I'm very excited about that change in roles and participation. Totally, totally. I feel like you mentioned clarification of those programs, I feel like the cyber space, the lawyer and commission, that's like what they're all about. Probably someone from Senator King's office is here listening and like, thank you. Yeah, I guess so we have the government, you know, private sector civil society, all kind of working together to help ensure that we have better security ideally. I hear a lot about what we're doing better, where are places where we can improve and keep improving. Yeah. It's so funny that you brought up the, the cyber and because I want to be clear before I say this, the Salarian Commission gave us great recognition. I think the majority of them have now been caught up in some type of born, but the one the cyber community is starting to scare me a little bit. And I can't figure out, I mean, we've seen this in writing and I've seen like a couple of things like socialize this. This whole idea that you need to streamline all of the cyber jurisdiction in Congress to one thing in the house and one thing in the city. And like a very real way, because I don't think people fully understand how, how many people, how many committees, how many members of Congress need to be involved in the development of security policy. And so when you brought up the commission, I know that was one of their recommendations and even when I was at the White House, I dealt with a couple of people being like, it's just too much cyber jurisdiction and on view every community has cyber jurisdiction. I know that every agency also has cyber jurisdiction. Are we going to, we just talked about the impact of the through the systems program with USDA. I don't want USDA to not be a part of the cyber security community. When we talk about what happened in 2022. We also had the attack on JDS, which is a new process and play USDA was at the front of that conversation. I'm not taking, I don't think we should take cyber jurisdiction away from USDA. That also means we don't take it away from the community in the house and we don't take it away from the community. I think as a cyber community, it's a little bit of a red hand. I would encourage us to move past that because that is not what inclusive cyber security is, nor should we concentrate our point to a single community in the house and a single community on the same. We're just not going to have a whole society. You point when we're pushing what will be the only legislation that works on these issues. It's almost like we prepared this because that seems so nicely into my next question. Jurisdiction really confuses me sometimes. It's been several years covering the speed and it makes sense, right? If a farm or manufacturing plan is hit, I understand that the sector specific needs to be involved in some way shape or form. But I do wonder there's been so much shifting and changing in terms of who has jurisdictions, which offices even exist. We're talking like the Office of the National Cyber Director is a language like two years old that maybe three math is hard when you're on a new year. But I do wonder if you feel like it's clear still who does what and for what purpose and if we can be doing a better job of signaling why we have to come up with all these people at the table involved in discussing these things. Yeah, I think it's a fair question. I can only imagine. I want you to feel how I feel have to like sit back and be like, wait, this particular issue in the house, what can maybe be in the Senate, what can maybe and when I was at the White House I was directed what it's like a fair a lot of my time was big talking to the agencies to be like, you know, we're not going to go to House Homeland Security Committee for that we need to go to the House Energy and Commerce Committee for that. First, I think, as we like we got to give ourselves a little bit of grace, because we're trying to figure this out. The Office of the National Cyber Director is a really good example. And that is that is governing at its best where Congress has said we want this office to exist at the White House. It has been two years they Congress accidentally for that to give them money the first year. So really, we talked about two years it's really been about a year. You see that they're trying to address this issue. Not only did they release their national cyber strategy, they released the national cyber implementation plan. And in that implementation plan, you can see what agency is in charge of what I will have it for people, you really see those implementation plan as many public. I mean, we, like, Congress, yes, the executive branch usually shares them with Congress but you don't see so much the intention of trying to help people navigate where to go to talk about issues and to participate in what policy made a process. And that's an example of like, we are going to have to constantly redefine where people go with the roles with life. But I, I will also that's like kind of the first thing of, we're doing this in real time. And so it takes a little bit of time to realize that in a natural disaster, there's some things you talked to FEMA about but there are some things to FEMA at the Department of Homeland Security but then there are also things that you need to talk to the Department of Transportation about and at no point have we just decided that we want to do away with any world or department of transportation has to do with natural disaster recovery. We're going to always need those different ones because people have different specialty. The other thing is, I don't spend too much time trying to figure out cyber dirt system on the house in the same way this is what I tell people, if you are, I was an attorney on a committee. There should be no issue that a member of Congress can bring to me that I can not figure out how to read so they fix into my committee search. This is my job. If a member of Congress tells me that they want to regulate the cybersecurity behind baby formula production. It is my job to figure out how to write a piece of legislation so that I can get that he will refer to my community. I tell people, I use that as an example of like you don't have to figure out jurisdiction. That is what the staffers get paid to do. And also ultimately, the jurisdiction doesn't matter so much. It is the it's what you want. If you get there's a piece of legislation that you're talking about, you want it to get to the floor of the house in the Senate and you want it to become while spending so much time on where it starts. It's probably not a big use of me once time, especially when you have lawyers like me who are like, I don't care where it starts. I can start it here in house on land on the house side, I can start it and send it until it just shifts. And when we talk about legislation, hearings are just completely oversight. Anyone can send a letter or we want a Congress like that. I don't think you can see someone would be happy to hear their member of Congress saying, Well, I can't work on this issue for you because I'm not on it. Or I can't help you with this problem, because that's a committee that I don't have jurisdiction over. It's just not how Congress is going to go top rate. And so I would tell you, you can always ask them to do, but also, I would worry about the jurisdiction so much. Yeah, no, I think that makes a lot of sense. And not like two wish minutes one minute. So I do audience Q&A and of course we're going to squeeze in one quick question around the 2024 elections. Simple we have itself Nicole. Yeah, I think you were mentioning earlier that the concerns that you have and I think rightfully so around disinformation campaigns targeting marginalized communities. It's happened in many elections before it will undoubtedly happen again this year. Yes. You know, I'm curious to hear what specific strategies you think should be implemented in pursuit this year to help mitigate the impact of these campaigns as much as possible knowing that there are so many in New Papua. All of them but what I did see how to solve that. Very easy question. I really want the national security community, especially the cyber community to stop out being out of elections. And then I from the outside looking in, it feels like our adversaries have figured out where our constitutional protections are and then also how to have a certain victim in a way that is not about upholding constitutional rights or provisions because these are a lot of these bad actors are from authoritarian government so they don't care about receipt. And what I want, I think we, the cyber community rightfully so for civil liberties reasons but also political reasons are very hesitant to get involved in these influence operations. And what I would like for them to do is see their role as being just as much about the way we gather information as well as contextualizing this information right so we know that these attacks are tied to geopolitical war is campaigns issues that are going on throughout the world that context and what civil society is not in a place to do, because they can't see all the intelligence that is coming in and all of the information that's coming in. You can always figure out where the next dominoes going to fall and I don't respect the national security community to become my readers, but there are some patterns that you can see about these campaigns that are there are going to require more than just the general here the threats, these are the things that we're seeing for 2024. It's going to require a more active engagement and I think we just don't have the muscle memory in the national security community. But I bet context when I think about the intelligence reports that I've read over the years, and the, the framing that I would draft legislation and I always have the context all around. And I feel like a lot of the people who are going to do that influence operations like they're going to be on the receiving end of the influence operations, they don't have the context. I think attribution is going to be very important in the lectures. I am very stressed out the 30 days before every election with this kind of I'm calling it arbitrary because this whole like unofficial dead time that we have 30 days before US elections, which was created in the days when we were mailing information to each other and thinking about the problem. I can always like can we please revisit this y'all like I just, I think it is dangerous, especially when people know and at the speed of information to say other things we're not doing anything. A lot can happen in those 30 years in 2024, it could not happen in 90s. And so really just kind of going into the elections, it's willing to move at the speed of these influence operations, especially the ones that are coming from state actors and state linked actors. They have so much more sophisticated technology they can do things like still and the tailoring of this. I think that's really important. So, we think of answer, but I really want the national security community is instead of kind of having this plans also approach of like, we will, we will advise and share information from up to here. I think they have to, it has to be consistent, and it has to be more tailored to what is happening around the world to show. And this is why we're doing it. Okay, so we're going to move to the audience. Q&A. I don't know if anyone in the room has a question now or. My question relates to something that you said you talked about the progress over the last few years in collaboration between the government and social society and the private sector. What are some of the barriers that you've seen now that needs to be overcome to continue to progress or the next several years. The biggest thing and talking to civil society and also just kind of knowing where you all are going to be. I really want to, I want the research community, I want civil society to lean a little bit more into the public making process. One of the things that I felt it on the panel felt it when I was at the National Security Council. A lot of civil society is still in the like venting and renting space. Sometimes when they come talk to policy makers and lawmakers, and there's a place for that and I think you should always be in a place to be and really kind of express your grievances. But then you also have to ask for something like you have to give very, because I think of the rules of not lobbying that a lot of the nonprofit and civil society. It keeps them from advocating in a very direct way. So saying that we need to address the shortage of cybersecurity professionals is very broad. Coming in and saying we need the government to start giving grants to nonprofits in the same way that philanthropy does so that we can invest in the infrastructure. That is something very direct and from a policy makers standpoint, I can do something with that that is, is not as clear as a broad kind of reading. And so one of the things I think it is being very intentional about getting into the advocacy space and then very intentional about what we're asking for and really like drive. And so like to put that in line with ours is like, you should make a commitment your white paper should have recommendations, but your white paper should have an action plan to so this is these are the recommendations here is this and we used to do this at the White House where it's like, we have a strategy, but we also have a legislative action plan. These are the pieces of legislation that I mean you all to pass so that we can get this done. In Congress, the beginning of every year, all of the top Democrats and Republicans of every community they lay out their priorities. They give the roadmap of this is what we're going to be doing in cyber. If you see something on that priority list that you like or you don't like or you wanted to be a little bit more nuanced. It's your job to reach out to that committee to reach out to those members of Congress, and tell them exactly what you want to see. I'm going to go in order here. So you have a question from. I hope that you're on the entry. So what was born from cyber incidents or breaches. What are the lessons learned from the fact that you're from breaches instance that happened that organization maybe can start applying and helping them to rethink how they're defending their networks and anything like that. Yeah, I was, when you said I'm almost like I'm worried. I'm not to the private company but again knowing where our audiences smaller and I think civil society can set the standard for this. We do not have them in my face. So one of the things that I was thinking about as we keep talking about the healthcare attacks right. And I love that because we're really just relying on the journalist community press community to like, break down what that means like show us impact. Don't tell me the hospital in Kansas was attacked and leave it there. Tell me how many patients are started by Medicaid. I want to share the demographics if you have the race and ethnicity that would be great too. But I also love to know what the income averages are for the community. I want to know is that a single serve healthcare facility for people in a 30 mile range, a hundred mile place that context is really important and it's missing. And I think it's because the cyber community is really focused on kind of the life to teach me the tactics techniques and procedures and it's like oh hey but can we get it out because that's the impact. Tell us impact, because I think we have to start talking about these attacks in a more narrative form so that we can do the journal public again. How do we get that to the kitchen table not from a place of theater, but a place of awareness so that people know this is happening every day this is happening to your community. And I think that something that's very unique that civil society can do, especially in you also position as fellows. That's something that you can do in your research and you set the standard and then people will start to follow. I feel like not understand that impact also makes it more difficult. I feel like what this question I'm looking for was like advice for defending your organization, which I don't patch and prioritize but not understand that impact also makes it difficult to provide that advice right like if you don't fully know the scope of the issue or you know the impact of those TTPs or whatever like I have some advice but I don't know for sure if that's really going to help until I know the full picture of what's going on. And I will say to you this feels like I should do this disclaimer. I'm a part of the cyber community that I am a part of the cyber policy community. So if you are calling if you want technical advice about how to protect your organization, I am not the person to call. Perfect. You I want you to call the right person and you follow up with me and you're like, you know what we really need it we needed a policy in place for this we need a policy in place for us, which was not the question but I would be remiss if I did make that. If I didn't have it to the cyber workforce. Is that something that has been a lot of time talking about when we say more people in cyber security, we don't just need people with technical expertise in cyber security right like I am a political science attorney. I am in cyber security and I have a very defined language is working on public policy. Then it's just as important as responding to an attack, because I'm over here trying to figure out how do we deter the text, how do we make sure that the people who are impacted by their text are also protected. You need people when we say we are cyber industry needs more people we need more people everywhere we don't just need people with technical expertise although to me a lot of people with technical expertise. But two years ago we saw the Biden administration under the White House was very clear saying we need more cyber attorneys. The National Security Division has said we need more cyber attorneys. I feel like everybody is raising the flag of cyber attorneys and people need more people in the policymaking space, and folks are like, I'm going to go get my certification. I'm like, okay, I want some people to go get their certification and do the technical work, but just make sure we are understanding that the cyber community involves a lot of different people that don't always just have technical expertise. Thanks. So, I'll just raise your hand if you guys have them. All these questions are from an anonymous, I think it's just fun. They're really low, they're really not scary, I just think it's a funny distinction. The next one is just as technology advances, how do you see the relationship between privacy and cybersecurity evolving and what measures are in place to help kind of balance. Yeah, I, this is a hot take. But when I think about privacy and cybersecurity, I think we have the tools we have just, we've got to start social lives in them. So, when I talk about, again, don't even get tired of talking about marginalized communities at impact. But when I think about an attack on the healthcare system, the, yes, there is the physical reaction really of like, well, services, free scheduling appointments, all of those things. But when you think about what is being stolen, a conscious step, and that is ultimately going to be used as part of an handling fraud. That also creates an erosion of trust issue in a healthcare system. And so when you talk about communities that are already fearful about healthcare services because of past hard, you're now adding to that. And one of the things when I try to talk to communities about this, I'm like, I know you don't want to talk about encryption, but that is always a way that I enter a very technical term into a conversation about how an attack makes me feel. And so I think as we are trying to figure out how we get the text to stop being realistic that they're never going to, we're not going to be able to, like, put the switch and no attacks will happen. How do we lessen the devastation from an attack? And I think that is a conversation about encryption. I think we have to figure out a way to standardize encryption in a way that protects doing that, that protects patient data. So that it makes it less of a target to be targeted in the first place. Totally. Totally. And then, I think the other questions are totally different topic at the election. Here we are going to solve them today. So, you know, how is the program here for election and cybersecurity evolved since 2020? And what steps should be taken to address cyber threats to electronic systems? Well, I mean, when I first, a long time before I was doing cybersecurity and espionage policy, I used to do seaford to American policy. And so I always tell people I was like in the space for two years and really just kind of dealing with that. In 2016 election happened. And I was one of the staffers that was in the room when the executive branch came in and informed Congress that Russia was interfering with our elections and I just remember being so angry. And I was, I wish I had another emotion to this topic, but I was really just angry that something might back to happen. And I remember in 2016, we were dealing with what are really major issues, but now they're so far in the review, because it is a sign of success. But we know now that all of our stadium, our state officials, state of local election officials, someone has a security clearance so that we can talk to you about what we're seeing in as close to real time as possible so that someone knows, even if we haven't been classified yet, we're also going to provide information at a faster rate. Also, I think, you know, that was also the year that we made an election infrastructure, a part of our critical infrastructure. I still feel like I mean people sometimes you know like isn't still a part of our infrastructure, it's there, it's there. And I, that is something that sounds very technical but saving that our election infrastructure is just as important as our healthcare infrastructure is just as important as our communications infrastructure. That is something that is very much needed. So, when you think about that, I think we made really good shots, I think, in terms of the product sector commitments from Microsoft to META to Google where they are saying we are going to invest in the support of the technical support and the technical support for not only election infrastructure but the people who use it. And then we're going to invest in cyber awareness and education so that they know how to use these tools. I think that's really good. I, I, again, as we're talking about the areas, I do think we have a long way to go in terms of cyber-enabled influence operations, but I've been very pleased. I, you know, never won't, we never want improvements to come because the disaster happened. But I don't think it was a wasted disaster because we got a lot of improvements that we didn't get in election security. And we also just made it a part of a national dialogue and a national conversation, which I think is totally totally good. I think that's good. Thank you. Yeah, so I will bring it back to vulnerable communities, especially because I'm a advisor at the cyber business, which focuses on the impact on vulnerable communities inside operations can have. So we are one of those NGOs mentioned as an example of what society can do in this space, so informing on the, on impacts of harms and so that, but in this respect, I was, I wanted to ask you about advancing norm implementation, which you mentioned as one of the key issues for global cyber security governments, because these have been a very problematic issue in some respects, especially after 2021, which was a very successful year for both GG process and online working group process with two consensus imports being agreed up. Since then there is this kind of stagnation in practically implementation on a global one. And countries do have problems to agree on all these issues. We always speak about incremental progress in the negotiations and so that an incremental progress is important, especially in the situation we are right now with the geopolitics of which is increasingly more difficult. But is that especially with regard to vulnerable communities is there. And maybe a poetry to take in this platform negotiations to advance the issues as a global group, like for example, one of our programs is mapping the impact on cyber attacks on healthcare. What does it mean for the communities and I really liked your, your comment on this aggregated data, and, and who are the communities where impacted so we definitely will take into account now work. But is that from your point of view some perspective and take to really further the protection for vulnerable groups that would be also infested for the global communities and maybe a point of cooperation in this very difficult sense. Yeah, I mean, this is a very complex question. I, and I've been following the word that cyber peace Institute has been doing as well. I, this is going to sound like the most government going to be response amber, but I think that is the process right and so I will also say before I say what I think we should do. I just want to remind people that we can do hard things like I feel like that is, when you talk about how difficult it has been to get the international community to like coalesce and say, we are going to have to have norms that everybody follows. There's like one of my former co workers at the White House has like a sign on her distance as we can do hard things. And so it is going to be difficult, but I think the idea that we would have, we will have norms of warfare and battle for physical, for physical impacts, and we are now in a digital phase, and we won't do that for digital and we won't do that for cyber is ridiculous. And I think it is a place of government is going to have to push. I don't know. I don't want the private sector to start hacking back. And so I think government is going to have to send these frameworks and then we're going to just have to do it. Someone is going to also have to go first. I think it's going to be about cyber incident reporting. One of my talking points to try to get members of Congress to like support us doing it. Was there's only one country that has cyber incident reporting and they were always like, what countries is the UK. I'm like, no, it's the people's recover the job. And so like, we are going to have to do cyber incident reporting. And I think it was adopted. So you see the UK is like, and we were in talks with our partners. And they're called integrated body or called integrated bodies as well. We knew multiple other countries were considering cyber incident reporting. It's just no one wanted to go first. Right. Like it was like, this is going to be a big taking this on is going to be big. It's going to be hard. People are going to hate it and then maybe we had got to the point where people love it but I hope we're getting there. But someone has to go first. And I think that's what's going to have to happen with the cyber norms. Someone is going to have to put forth the policy and then someone is going to have to do it with the understanding we may not get it right. We will constantly revisit this we will go back. We will tweak it, but someone has to do it and we have to move it beyond just the conversations and just the people who are impacted, making it at the top of their. To also be at the top of the national security priorities as well. This should be at the top of the law enforcement priorities, and then we're going to just do it. So looking at the clock and that we're right a little past 1130. So I'm going to let everyone go be free, be married, digest this conversation, Nicole. Thank you so much for sharing all your wonderful thoughts with us. Thank you so much. This is really great. I'm very excited about the fellows program. And I'm happy that I was able to have this conversation.