Hey everybody, my name is Josh. I own the International Cyber Portfolio at the National Security Council for the President and really excited to be here. Don't often talk about it, but this specific topic is near and dear to my heart and has been for many years. What I'm here to communicate today is the fact that we're very concerned and we're excited that lots of other people are getting interested in the topic of Maritime Cybersecurity. And the reason why we are concerned and the reason why we're pursuing policies to facilitate people focusing on Maritime Cybersecurity is because as we look across the portfolio of risk that's held by, you could call it the West, you could call it the modern industrial world, we think that this is an area where we have not yet calculated accurately or even inaccurately the risk that we hold and therefore it's a huge arbitrage opportunity, so huge opportunity for improvement. So at the strategic level what we've done is we've included issues of Maritime Cybersecurity in top-level policy documents that we've crafted in the White House including the National Cyber Strategy, which we just published about a year ago. That's the first National Cyber Strategy of the United States in I think 15 years. And in that document we identify that Maritime and also Transportation Cybersecurity is a critical area for improvement and then we've got to implementation plans that we're executing as a part of that to drive action in that space and as I look out across the room I recognize some faces, so maybe some of you guys are already involved in some of those activities. They're bridging both the public and the private sector and a lot of it is just things like this, coming out and talking to people and letting them know that we're interested, letting them know that we're trying to find ways in which if there are barriers we can take those barriers away, barriers to work, barriers to other mechanisms that will help promote this sector.
So to go back to why we think that this is such a huge opportunity, arbitrage opportunity, one might say, or if you look at the actual financial numbers, something at the order of magnitude of 25 cents on the dollar of GDP, US GDP, touches the water. That's approximately the same amount as the financial sector. But if you look at what the financial sector spends on cyber security, it is at the order of magnitude of billions of dollars, probably tens, possibly hundreds of billions of dollars a year. If you look at the maritime industry, it's at the order of magnitude of millions of dollars to the point where it's very hard to actually find and we looked and we looked quite hard. And so as we have thought about it in terms of what we have to do in the White House, if you've thought about what we owe to the nation, we're looking for opportunities, big opportunities to buy down risk. And this is probably the biggest one, in my opinion, and that's why we made sure to put it in the actual strategic documents signed by the president. That's why basically any opportunity, I get on a plane or get in a car, get on a train, haven't yet gotten on a boat, but that might be appropriate, and go talk to people about maritime cyber security.
And so what are some things that I think we're going to see over the next few years? First, I'd say that at the sort of big muscle movement level, I think that people still have not deeply wrapped their minds around the convergence of IT and OT, which I imagine probably every single person in this audience is familiar with. And that convergence itself has first and then second and third order consequences that I think, again, people haven't used to calculate risk. And that risk is going to have to be calculated at some point. We're seeing things happening every day. For example, NotPetya, where you have OT impacts from IT compromises.
There are other cases like Triton that we're seeing where, you know, out in the public, we're seeing the bridging of threats moving from IT to OT or trying to. And we see those incidents happening in sort of ones and twos and now we see them happening maybe a little bit more, maybe tens. But I really do think that this is going to end up following one of the traditional, you know, curvature models. And pretty soon, this is going to be sort of de rigueur. And so it behooves us, us in the National Security Council staff, and then maybe us as a wider community of folks that perceive this to be a thing that is coming at us, to educate as well as work to find solutions. And those solutions can be on the policy side, they can be on the corporate side or they can be on the entrepreneurial side. Corporate side meaning how do we build out policies? How do we build out mechanisms that allow us to take into consideration those risks, price them into our own calculations for operating, and then use that to drive decision-making processes down into organizations. An example of this would be how are ports dealing with this risk? And we've seen with NotPetya, where ports were deeply affected by the NotPetya attack and had to roll over to manual operation from digital operation just because of a compromise in their business systems, not because of any OT compromise. Again, I think that that type of activity, previously not calculated, previously not projected, now is sort of working its way into the mentalities of the folks that are actually building those risk models for those organizations. So that's sort of on the organizational side. We need to spur the people that build those policies to think about, OK, how do I need to buy down this risk? What do I owe my organization in terms of architecting policies, architecting legal contracts, architecting terms of service? How can those organizations themselves adapt to these new challenges?
The next thing is obviously, and we see this outside with companies like those that are in the IT, OT, Hacking Village, where are there new technologies that we are going to need to develop and/or build in order to enable us to have the capability or capacity to actually monitor these threats. And then on our side, and I'll just talk for maybe two minutes and then open it up to questions. What policies need to be put in place from the position of the United States government in order to make sure that people are thinking about these things, integrating them into their decision making and not in any way held back by regulatory constructs that were created well before this threat ever emerged. How can we remove those so that folks have an opportunity to, you know, without constraint, pursue solutions to this challenge? And so that's why I'm here. And I'd love to take questions. That's it. Anything? Great.
Yeah, it's a great question. How do I compare the maritime industry to other industries that face the same or very similar threats? Really, I think it's, we've seen the challenge of incentive structures. And so the maritime industry seems personally just a bit more fragmented, where you have products and services that are being provided to product and service providers that are providing those products and services to ultimate customers. And it's sort of like a cascading downhill relationship, whereby disruption at any one level doesn't actually move its way back upstream. Whereas if you look at oil, natural gas or power, those complex systems of systems are deeply integrated. And so power company goes down because of a problem with, you know, industrial control system, they themselves feel the pain. And therefore, as they look out across the landscape, they're thinking, Oh, that thing that happened over there in that country, in Ukraine, for example, might happen to me. And I know what my uptime costs are, the downtime costs are.
And therefore, I'm going to start to build policies such that I can try and at least mitigate some of that risk. Whereas like, you know, someone buys a ship. And the shipbuilder themselves may not have the, you know, doesn't have a relationship back to the customer if there's ever a problem with the vessel itself. Same thing with the port, ports have multiple different types of legal structures. So, you know, a port can be operated by the people that are actually running it, or they can lease space out to people that then operate a pier or a slip or whatever. And so in the case where you have ports that are leasing space out to operators, it's just a challenge because the people that own that property, the port landholder, they don't exactly have an incentive to ask the question like, what does your cybersecurity policy look like in terms of like crane operation? Or I mean, other IT questions where you have had cases where malicious actors have sought to manipulate information resident on the networks and systems of people operating in the maritime domain. And there are some, trying to remember some of the case studies and where I remember them from, but organized crime has sort of operated in this space in the past. And so with these like multi-tiered relationships on the maritime space, it's very hard to align incentives, just because you have so many players. And then in the power industry or other industries, it's much more centralized. And that's where I think the comment that I made about policy is much more important, because there it's sort of a good stewardship attitude that we have to impress upon the people at every level, where it's up to them for their long term reputational costs, or sorry, it's up to them to maintain their long term reputation that they should create policies that will allow them to have some measure of a feedback loop when they see activity that might ultimately affect their customers or tenants or whomever.
Actually, I'm gonna pull this. So the question was what's been the international dynamic in these conversations. And actually on the government to government side, it's been fairly good. Other governments deeply understand this. And especially when you look at other governments that have different economic footprints than the United States. So there are other maritime nations that have a similar GDP breakdown that I made earlier, the 25 cents on the dollar of GDP touches the water for the United States. You have other nations that have a similar perception of risk. And they're a lot closer to their maritime industries. And so they've been very receptive. And then the companies have also been very receptive as well. And I think that you'll see in the next few months, some of the international organizations that have public and private aspects to them are going to start dealing with this problem. And running processes to try and get their membership to think about this problem. So actually, I'm pretty bullish. We've had good reaction so far. Any other questions? Well, what was it?
Yeah, so this is a great question and slightly different. I've got an answer for that. So I'm glad you asked it. Yeah, so the question was, what's the reaction been as we've, as I and the three other people that care about this problem in the White House, including the president, have talked about this, and he does actually deeply care about this. Usually because the math, you know, he understands the math very intrinsically. So as we've had these conversations with folks, we have seen a lot of interest. And the interesting thing is it's sort of like a pincer movement: at the very top, people are interested in it, very top people are interested in it.
And then at the very bottom, I have like, maritime executives who started off as tugboat operators who then worked their way up and now own, you know, small and mid-sized businesses coming up and telling me things that I already knew. But they're like, hey, did you know that like this one piece of software that plugs in, you know, to some aspect of my, you know, GPS system or whatever, you know, has a direct connection to like critical system X. And by the way, I saw that it's operated by a company that was just bought out by this nation that we have some concerns about. And these are like actual operators, like tugboat operators coming up to me at events. And it's heartening to see because they themselves are starting to perceive risk. Because I think, you know, the creative mind goes to places where you don't want to lose control of your assets, especially if you're on board, especially if your reputation is at risk. So it's actually been pretty good. And in the various places that we go out and reach and touch and talk about this, people have been enthusiastic. I'd say the challenge is more on the sort of bureaucracy hacking side, like how do we encourage ports to start building policies that lead to executives that aren't in that sort of chain of control or don't have a direct touch on the problem. And that's where I think that we'll see some of the activity that will likely happen this fall is going to stimulate those conversations. And those conversations are conversations about risk. They're conversations about compliance. And those are really critical to have because I was not one of these people, like my background is such that I've been very lucky to often operate in places where I was just sort of given a task to go do and then left alone to do it. And that worked out well for me. And so when I went to the private sector and had to run an organization through a compliance regime in order to do business with an entity, it was not my style.
But funny story, it was the reason why we ended up getting a fire extinguisher that was up to date in our break room because it was like literally on the compliance checklist for, you know, whatever the compliance regime we were undergoing was. And gave me deep insight into how useful those mechanisms can be. And so starting that conversation with folks, even though I think for many people, most of the people, possibly all the people in this room, like that's not something where we usually go to where we're like, man, if we really want to solve this problem, like we should go talk to the people that write FIPS. Yes. So not my first option, but actually probably in this area, one of the best options. And by having these conversations that allows us to stimulate the people that aren't usually dealing with those problems and allow them to get in front of something. And they end up being, or at least in my experience, limited experience, have taken that on very aggressively because they want to be ahead of the curve, right? They want their compliance regime to have elements in it that are forward looking and are going to help them prevent catastrophe.