Welcome to DEF CON. Hopefully you all are having a good time. My name is Priest and I'm the mean man of DEF CON. So if you haven't heard me, what I want to go into, I want to talk a little bit about what we're doing here today. Back at DEF CON 9, and yes I am that old, I've been here since DEF CON 4, we had someone from the CIA come out. And you know, they got ahold of MKUltra or something and volunteered to actually get up on stage, if you've got that, thank you. Everybody else like what? To actually get up on stage and answer any question you wanted to ask of them. The understanding is that there will be some questions that you will ask that they cannot answer. And as I said in the program, we promise no extreme renditions or mind control unless you really deserve it. So if you see me reaching for my microphone, don't run. You'll just get caught tired. I put together a panel of people who are kind of off the beaten path. You're seeing some retreads, you're seeing some faces you may have seen before, because they also do serve a joint purpose, you're also seeing faces you probably never have seen before. We have a very heavily military-weighted panel. The reason for that is because our military, one of their missions that they're realizing is what we do is very important. So we're not spotting the fed, sir. Don't give it away. We're very lucky to have them. I ask that you, you can ask anything you want, just be prepared for the answer. So keep that in mind. And we reserve the right to make fun of you. And you can try to make fun of us. So with that, I'd like to get started and have everybody introduce themselves on the panel. Starting with this gentleman right here, whom you should know.

Hi, my name is G. Mark. G. Mark Hardy. I've been here since DEF CON 4. He's one of our pet feds. We have our own little petting zoo here. 30 years U.S. Navy, retired two years ago. Private company, national security corporation. No, hold on. Where did you work? Farmer defense. Okay.
Sometimes you have to beat it out of them. All right. Full disclosure here. My career was not in the intelligence world. It's interesting because I'm wearing an NSA shirt and NSA lanyard, but things are not what they appear to be. It's always kind of embarrassing because everybody says, oh yeah, you worked with the agency, you were the fed. Earlier this year, out of the conference on the east coast, I took a group of people up to NSA to the crypto museum for a tour. And Hal McConnell was there. And Hal's about 80 years old. He's been around forever. And he turns around and says, G. Mark, how are you doing? Everybody's convinced he really does work here. The point is that it's all in the right direction that we all work together as a team. You believe that? He doesn't. That's my story and I'm sticking to it. Any more? You got to ask me a question. All right.

I'm John Idaunasie. This is, I have not been here since DEF CON 4. I think I was, I don't know, maybe. I don't know if you were born here. Yeah. Something like that. I spent about nine years in the military, specifically in the Navy. I was a Navy SEAL. And yes, we do other things other than shoot guns. We have a lot of computer-affiliated operations. He's the guy who read the comic books to the other SEALs. But he still had to move his lips when he's reading. Right. No, it's an honor to be here and Priest, I appreciate the opportunity. Jim Christy actually pulled me as a sophomore in college out of one of the classes and said you really should get involved in a lot of the stuff going on. And I found as I was deployed all over the world that more and more a mindset is needed to defeat adversaries and that mindset is what this conference represents. I do believe, and I started a company around it, that your world is a white canvas. You can paint whatever you want. The question is how much time do you want to put into it?
So if you want to spend your time doing the puzzle out there on the hardware board to try to figure out what that means, you can probably solve it. If you want to spend your time in near-field communications, you can probably do it. If you want to become a Navy SEAL, you can probably do it. So we're in an unbelievable time where we have digital ubiquity and as we continue to approach that paradigm, knowledge is in abundance, although time is not. So the choice is yours in being able to find what you'd like to go down the path, but understand you define your own limitations. And you're going to get a lot of questions about that video game. What is it? So calm and call it duty. So be prepared. Inactive valor. Inactive valor, yeah.

Hey, good afternoon. My name is Lieutenant Colonel Mark Colfin. I'm a U.S. Army active duty officer with 25 years of experience. I'm currently stationed at U.S. Strategic Command in Omaha, Nebraska. Normally that's associated with nuclear, but also we have the lead for cyber, not Cyber Command. We're the higher command, above Cyber Command. All right. I'm the cyber branch chief in the J3. The J3 is in charge of all operations. Prior to STRATCOM I was at European Command in Stuttgart, Germany, where I was also the cyber branch chief there as well. I'm an offensive guy, not a defensive guy. He's actually a really nice guy. I don't believe him. So if you have questions in regards to policy, strategy, doctrine, planning, and execution of cyberspace operations, feel free to ask those questions. Also, I had the best job in the Army prior to that. I was one of the Army red team leads where I was allowed to break in legally around the world, which we were successful in doing every single solitary time we went out, which gives you some indication of the status of our networks that we would find both physically and electronically. I'm sorry, sir. I'll get this out of the way. Where are the nuclear vessels in Alameda? Thanks, Priest.
So part of the intent of this panel here is to help build a community of interest. As part of that building a community of interest, I also serve as the managing director of a forum on LinkedIn called the Cybersecurity Forum Initiative. About 15,000 people, both national and international. It's a discussion forum of all things cyber. So if anyone's interested in continuing the dialogue, we can also dial up there. And we'll all be available after this is over for the question and answer sessions across the hall. And I'm also working behind the registration counter. So if you see me tomorrow and you have something you don't want to ask today or over there, just stop me and we'll be glad to chat. Thanks. Feds are people too. They are, all these guys are very approachable.

Hi, my name is Mike Fox. I'm currently an Army DAC, working for G2 and INSCOM. I assumed that position about four years ago. I spent 36 years in the Army in Intel and Special Forces, and after my retirement became a civilian. For the last eight years, I've been building Army cyber capacity, working with INSCOM. And what we've created is a brigade. Part of that brigade is made up of 400 civilians. And so we're looking for people just like you to fit in. That brigade does both things. It does offensive and defensive things. So I have a recruiting team here with me and they've been walking around, and during the Q&A, if you'd like to discuss what we do and how we're looking for talent, you can talk with myself and that same team next door. Two things. I speak Fed and I speak English. So if they say something gobble, gobble, gobble, G2, blah, blah, blah, and you have a question, raise it. I'll be happy to translate for you. And we are serious, the government is hiring. And I went back into government service after 9-11 and it is a very rewarding career with some very, very cool toys. I have a half a million dollar a year budget just for myself for toys that we put together. It doesn't pay as much.
But like I said, you get the really, really cool toys. And in his case, you get to kill people.

My name is Jim Lent. I only had 21 years in the Army, but I started out in 1975. And I got to go to some other places in the government. I'm currently the G2 for CECOM, and it's a civilian billet that's been civilianized to a GS-13 or 15 billet. And it's very unusual that positions are civilianized. So those of you who didn't want to go active duty and run PT and run long miles, there is really hope. There are civilian jobs. Right now he's got the money to hire. And it's a lot of fun. But it's a lot better on your body too. I started out in the Marine Infantry, then went into Marine Corps counterintelligence, then Army counterintelligence, retired as an Army special agent in counterintelligence, and then ended up working overseas civil service in Korea. Got a job with DHS Intel for a couple years as they were standing up. And I was a lead cyber intel analyst. Moved from there to Department of Energy, worked security of the national labs, 10 national labs, $81 million budget. Good God, you think that's a lot of money? It isn't. It wasn't as much as we needed. And obviously cyber is a big issue at DOE. Currently, the Army came up with a great promotion and an opportunity for me to go over to the Army Communications-Electronics Command. Basically, it's not as sexy as a lot of these other places. But think about all of the sensors, the SIGINT, and the communications equipment. Basically, the Army has WIN-T, a tactical LAN. We can put it up in any country and soldiers will use that. Just like your telephones, just like everything that you have here. We build it in another country quickly. Now, my silly job is to figure out how to do research and development and acquisition, security and intelligence for those toys. Translation: really cool shit. Lots of neat toys, but how do we keep that safe and secure? And later on, in question and answer, you guys might ask how we do that.
By the way, I want to point out there is one fighter pilot on this panel. If we've already gotten to him or when we get to him, I'd like to see if you can guess who it is. It should be pretty obvious. If you notice, you know, I'm uglier than sin. There's really only one movie star quality guy on the stage who is perfectly proportioned, has a six pack at his age. Any guesses by the way? Anybody? No guessing? Priest, how do you know he has a six pack? Sir, sir, it's my understanding you can only ask me those kinds of questions, sir. Priest, you can ask those questions and I gave you a six pack of Corona just a couple minutes ago. I told you it wasn't cheap, sir.

I'm the fighter pilot. My name is Punch Moulton. I grew up in the Air Force in the 70s and 80s and 90s, flying F-15s. Four different times I was assigned over in East Asia, but what matters most to this organization is that my last job I was the director of operations for European Command. That's a job that, for those who don't know the vernacular, I was the J3. It's a job that tackles all the U.S. military operations and coordinates with any other government agency that would be in the European region that's doing U.S. federal government kind of national security stuff. So we dealt with the State Department. We dealt with the NSA. We dealt with the Department of Energy and USAID and the like. That job spanned 51 countries. That's from Vladivostok to Greenland, from the North Pole down to the southern edge of the Mediterranean. And it was air, land, sea, space and cyberspace. And the reason why I'm up here is because when I took that job over three years ago I felt that we, the Department of Defense, we, the federal government, were way behind in thinking about cyberspace. I left after three and a half years of doing that job, believing that we're still way far behind.
But what we did try to do is tackle some larger, bigger, strategic questions: how do we use cyberspace for national security and how do we organize our use of cyberspace for national security? And so I'll be happy to talk to people if they want to go down that path. One quick statement. Let me give a shout out. I have retired from the Air Force now and I'm working for a firm doing cyberspace strategies. But I want to give a shout out to CSFI. Mark mentioned it a minute ago. I consider it to be a vital community that tackles cyberspace security on a day to day basis.

You're now going to hear from the very scary person. Not really. I'm Cathy Roberts. I did 32 years in the United States Air Force, mostly in space, some also in cyber. In the first fed panel, they mentioned Eligible Receiver. I was a party to all of that as a younger officer. I spent a lot of time in and out of the NRO. And my last position in the NRO was as the director of the signals intelligence satellite acquisition. I retired in 2009 and didn't want to go back to something fairly regimented with lots of hours, so I worked for myself. I highly recommend it. Does everyone here know who the NRO is? Very good. So when you go outside and smile for the satellite picture, she's the one who gets to see you. They are still and were one of the most secretive organizations in the U.S. government. They didn't even officially acknowledge that they existed until 1992. To give you an idea.

The next gentleman I'm going to introduce myself because he's too modest. This is the real Mark Harmon from NCIS. You had the posers on stage. Here's the real Mark Harmon. Honest to God. Go ahead, sir. My name is John Lee. I recently retired from NCIS after 24 years. I started out of LA with Leon Carroll, who was on the panel previously. Some of the things I did, I was assigned as a special agent afloat aboard the USS Kitty Hawk when she was commissioned, or still commissioned.
And as a special agent afloat, one of the things we were unofficially known as was a Special Agent Adrift, because once you pulled away from the pier and were out in the middle of the ocean, everybody forgot about you in the office. Subsequent to that, I went overseas and I started doing cyber investigations. I was a cyber street agent for about six years. Moved into management for four years. I was a division chief for the Pacific Cyber Division. And after that I said, I believe I drank the Kool-Aid and I went to headquarters because they said it was a career enhancing position. They lied. They did. As a result, I've since retired and doing well. Do you have any questions on federal law enforcement, getting into it or what you need to do? The process, please see me afterwards. He also got to kill people.

I'm Jim Christy. I've been with the government for 41 years now. I started out as a system administrator and then a programmer and then I got the opportunity to go to the Air Force Office of Special Investigations to run their computer crime unit. Things people don't realize is that OSI was the first law enforcement agency. That includes NCIS. First law enforcement agency anywhere in the world to have a computer crime unit. And they formed it way back in 1978. After 11 years running that program, I had the opportunity to be detailed to Senator Sam Nunn on the Permanent Subcommittee on Investigations and we ran hearings back in 96 on the cyber threat to national security. From there I was detailed to the President's Infrastructure Protection Task Force down at the FBI headquarters for two years. Glacier, like man. Anyway, all you FBI agents in there, raise your hand. And from there I went over to OSD, worked for Len Wells, who was on the previous panel. And for the last 10 years I've been at the DOD Cyber Crime Center where we have the world's largest accredited digital forensics lab with about 110 forensic examiners.
And we're always looking for talented people and that's why we've been coming to DEF CON for about 14 years now.

Well, let's go ahead and open the floor to questions. If you could please, okay, we're just going to rush the podium here. We'll start with you three and after they're done. If you raise your hand on Connie, if you please go to the mic or if you have a pair of lungs strong enough to enunciate to the back row, please stand up and shout out your question.

Okay, this question was originally intended for the previous panel. Since they didn't get it, you're getting it. I'm going to change it slightly. Originally it was going to talk about FISMA, FIPS standards, and all the HSPD stuff. But basically, basically it's about the difference between compliance and security. Let's say somewhat disappointed. In the federal... Are you all getting this? On the civilian side, there is this process that we go through for security that ends up with a lot of paper artifacts and very little security. FISMA 2.0 failed in the Congress and there's been a couple things since that really were misguided. But now we have a few thought leaders like the State Department where it's about continuous monitoring. What I'm looking for here is some hope that we're going to go in a direction that is not purely defensive, not purely compliance driven, but has something to do with actually reaching out and touching the bad guys when they come in to attack our systems. Unicorns exist, sir. They really do. Unicorns do exist. Does that give you hope? There's a lot of unicorns in this room that can do what I'm talking about. Does that give you hope? I think we have the ability to do it but it's not legal and it's not policy. So I'm wondering is there any possibility that we're going to change to a paradigm shift here and become not offensive but a little less passive in our defense? Actually, if you look at the bottom of every e-mail I send out, my tag line is threat-based security.
And you talk about compliance for the sake of compliance and I think there's a lot of people in the government who are against that. You know, rigidly following regulations, we all, a lot of us have grown up with security Nazis who only read the regulation and my guys, we got to do it that way. Well, as we grow up, as leaders, we get an opportunity to decide right and wrong and accepting risk. We learn to accept risk for the commander. But you have to learn to accept risks for the commander based on intelligence and what the threat is. I will not build a 10-foot fence when I know I'm being attacked by two-foot midgets. But I'm an idiot if I build a 10-foot fence, or if I build a fence and I'm attacked by 10-foot people. So I have to know what the threat is. And that is where the intelligence people come in. We have to know what the threat is, advise the commander and let them make decisions based on that. That's like, the problem with that is you never know when the two-foot midgets are going to come with a 12-foot ladder, and that threat environment keeps shifting, and if we're only reacting, we're never really different. That's what intelligence is all about. Smart-ass disgruntled whistleblower. And we'll burn your ladders.

All right. I'm going to take a stab at this one. Now, before I do it, I must just tell you now that the views that I express here on the panel are not those of the DOD, the United States Army or U.S. Strategic Command. They're my own personal views based upon 25 years of experience and doing this for quite some time. Yes, I know. I'll be drinking a glass of water while he talks. Yeah. So the question, the very long question, was in regards to whether or not we were doing anything other than defense. Here's the answer. Yes. But more importantly, it's the skills that you have that we need to bring into the fold to make what happens to defend networks that much more proactive rather than reactive.
And just to add on top of that, think about what's happening in our corporate world now in regards to the attacks they undergo and the theft of intellectual property. You see what they have done on their own as a corporate entity to help disrupt those attacks. They've not just been purely defensive. Also, they've not just taken place within the cyberspace domain. They used all assets of power available to them in order to help execute an action to stop the pain. Don't you think your government is able to do the same thing? But you don't, by the way, you're not going to see it all the time. It's not going to be done for everything all the time. And it's going to be done for the most critical things of all. That's a fact in reality. Capacity, capability. Smart people, some of you, most of you are in the room now. You have the ability to do things that we need done in defense of the nation. All right. Question becomes whether or not you seek to step up and serve? Not necessarily in a military uniform like I wear or as a U.S. government civilian, but willing to serve in some shape, form or fashion. Thanks. By the way, I'd like to add, you only hear about when the government screws up. You don't hear about when we have a win. And there's a reason for that.

I'd like to get a clarification first. Are these people off limits for Spot the Fed during this panel? You're a woman, so my answer of you're not very bright, are you? That's not nice. And I can't do it. They're off for Spot the Fed. I'd just like to say something. I've been attending DEF CON since about 1997. I'd say about 12 of them. And during that time I was never spotted and I was really worried when I worked for the government. But so you all fail. And here I am. He would run the other way when I was coming. Literally. He'd see me. And also he handed out business cards. So y'all suck. Next question, ma'am. Go ahead and form a line. We do want to get this on tape.

Generally the U.S.
military is prohibited to operate on U.S. soil against U.S. citizens. And here we go. No, it's okay. When I was in a CEWI battalion, it's an electronic warfare battalion, we were explicitly prohibited from using our equipment even for receiving civilian broadcasts. They didn't want us to even go that far, like TV stations. That's what the Canadians are for, sir. Exactly. So my question is what sort of techniques or steps are you taking to ensure that any offensive reactions they're taking on behalf of the U.S. government or on behalf of the country as a whole are not adversely impacting U.S. citizens? I'm going to preface the answers with as far as you know. As far as you know.

So the answer is that we are a nation of laws and those that do intel for the nation and DOD, the first and foremost thing we stick to is understanding what the Fourth Amendment means and the laws that drive that. Actually, with all due respect, the answer is that everyone that does SIGINT, as you did in the CEWI battalion, has to be trained twice a year and understand USSID 18, which is the compliance with how you protect the privacy of U.S. citizens. And the fact that if we do a foreign intel mission, that does not mean you do it in comas. And so we strictly look at that and INSCOM is tasked with managing that effort for the entire Army and it does so quite robustly. I want to point something else out and your med is called, they miss you. How many people like retirements? Yeah, I was about to say, you know what, I'm a civil servant just like everybody else. Everybody else in this panel is, I have a wife, I have a child, I have a mortgage. I really don't want to go to jail. And I guarantee you, you have experience? Only two days in an Italian jail. We'll get to that in a minute, sir. That is the philosophy that pervades. The movies are great, you know, oh yeah, big bad CIA breaking in, you know, Enemy of the State, I got bad news for you. We're all civil servants.
We all work nine to five. We're not plotting how to get you and we are not going to break the law and it will come out. CIA selling drugs in South Central Los Angeles, not going to happen. It's going to make the post. It's going to make CNN. Someone is going to be disgruntled and pissed off and leak it. It will get out and it just isn't done. We don't want to go to jail. I know I don't. And even at my size, I don't want to be somebody's bitch. So it's just, even if the thought crossed my mind, I'd sit back and go, oh wait a minute, getting screwed in the ass. No, not going to do it. So just as a follow-up, do incidents occur? Of course. I mean, we're people. Things happen. Every incident, though, is reported and it's investigated and that report goes all the way up. Some of them result in action against individuals, but most of the time it comes back to training. Priest, let me make two comments to this. First of all, a lot of people are focused on U.S. citizens. The law is actually much broader than U.S. citizens. It talks about U.S. persons. And that's a very different definition. So you should go to the legal document and look at U.S. code as to who all is included in that because it's a lot broader than U.S. citizens. The other thing in support of what was just said, before people jump to the idea of conspiracies, conspiracies are hard. Never assume conspiracy when ignorance or stupidity will do. I have one comment. Everything you see on the NCIS TV show, you can believe it's true. I hate you. You know what? I've been a subject of investigation peripherally. They are not nice people. They have no sense of humor and they are deadly serious and you will go to jail. Someone made a mistake and it was an honest mistake, but they went to jail for a very long time for doing it. You do not pass go. You do not collect $200. Your union rep basically drops you off. You're done. They treat it very seriously. So. My question is for the entire panel. 
In 1989 and 1993, the Department of Defense and other government agencies engaged in two very high profile searches for high value targets. Individuals that were bad guys. Since then priorities and technologies have changed. So this is a higher priority and we obviously have new techniques, technologies for chasing high value targets. I know that the gentleman from the Navy was involved on the kinetic end of that and STRATCOM now has responsibilities in that area as well. So if the panel could speak about in the public domain what, how technology has changed the hunt for individuals in the real world rather than the virtual world. How virtual tools have changed that process?

I'll start off. What I think you're asking is sort of where we operate and we see that there's a nexus between the virtual world and the physical world, and very frequently we try to arrange that they come together. So for instance, technology has changed our job in that digital manhunting requires understanding the digital terrain. People's digital exhaust. Everybody has a presence online, or maybe three or four, etc. Sifting through that, understanding what that means. Understanding a person's digital terrain enables you to begin hunting them online. However, through that continuum it must and in our cases will result in some sort of physical engagement. Maybe I run into you at a bar because you've been an online friend of mine and all we're doing is having a drink, but I'm pulling all your phone information into my pocket. It's still a physical example that has a virtual nexus to it. So from our standpoint and what I still am involved in doing is building a full spectrum holistic capability that combines utilizing the virtual world technology with physical reality for an end state. What else?
So I would tell you that based on how we do support for Iraq and Afghanistan it's really a multi-disciplined effort where you have to have HUMINT and SIGINT and OSINT, all those INTs come together and help build what is a profile of what your target set is, so that then you can take the right actions to key the right intel mechanism to enable the actions that need to be taken against the HVT that you're looking for. High value target.

I'm not an intel guy, but I will tell you that as a user of intel I've continued to watch it. This is not only happening in the government, but it's happening in the private sector as well. And I could very specifically spot a company over in Europe whose mission it is actually to support government agencies, generally law enforcement kinds of things, but to tackle searching for bad guys in the virtual world to create a physical arrest. The best examples that they continue to use routinely as they describe their capabilities go down the path of some child porn guy that bounces through cell phones rapidly like a drug lord and goes through that whole sequence, but they have multiple techniques. This is a company, not a government, that's doing it. Now they only do their, they only provide their services today in the open, to the best of my knowledge, to law enforcement agencies with the appropriate judicial writs, et cetera, but that doesn't make any difference as far as I'm concerned because the techniques and the processes exist completely outside of the government. Anyone else? Yes, the domino story. Yes, thank you. You know that answer was kind of like eating sushi, you're full right afterwards. Then about an hour later you're like, man, I'm hungry. So there's a lot of words in there but not a lot of information. I'm sorry, it's just the way it's gonna be, but yes, there's some really cool shit. Watch the Discovery Channel actually, or come to the talk on the drones. We're having a talk I think later on today on drones.
It was yesterday, I'm sorry, it was yesterday. We've got a talk on temporal displacement this afternoon, so go back. That's right. Yes sir.

Hi, thanks for coming before us, and a few months ago I left a top five financial institution, and because of our inordinate market share we had much more communication with government officials and military forces than most other companies, yet it still felt like a one way street. What are some ways that you can give us in the private sector meaningful information that we can act on and defend our critical infrastructure, because right now it's only one way and it's not beneficial to us.

I'll start that one. Who in here has heard of the Defense Industrial Base cyber pilot? One, two people, three people? Yeah, I wanted to spot some feds, there you go. Goodness. All right, you can Google it. It is a new initiative, well I said new, in the last two years, it's been fully approved. Sir, for those of us who didn't have our notebooks ready, what was the name of that initiative? It's the DIB, Defense Industrial Base. It's actually enhanced security now, but it was a cyber pilot. The intent is for those organizations and entities, corporations who wish to participate, and there are certain gates you must obtain, is that the National Security Agency will share select signatures with you in an effort for you to put them into your system so that when malicious traffic comes your way it's dropped, redirected, et cetera, et cetera. In exchange you will also advise NSA about the attack, right, so they can get a better understanding of where the attack is or it's coming from and what it's doing. It's all open source and it's available to any corporation who wishes to participate and meet the individual standards. There's basically got to be standards, you realize that, right? It's a give and take, it's a two way street. Only corporate, well sir, the Secretary of State of Nevada is right down the street, they have the forms to incorporate.
You see how I'm going with this. I'm thinking like large EUs that might have really, really large target rich environments. There's also DHS, one, US-CERT has a whole portal for you reporting and they have I think five different list servers for stuff going out. When I was there 2004 to 2006 they were coming up with a program for pushing information out to corporations, but because of the proprietary information of the corporations and the government holding that, there were problems with that, and that's where you have to sign up for their program, get into their program, and both the company and the government sign an agreement. If you look on the DHS website they have the newer information than I would have. But definitely they've got a program and that's really at DHS level, that's beyond the military side, they have the information there for sharing. Okay, don't fall over, but I'll be plugging an FBI program. How many of you here have heard of the InfraGard program, a few of you? That's a public-private partnership between the FBI and private industry. You can sign up for that, they have regular meetings, they've got a good information flow, you've got to contact your local FBI office, their cyber squad, and they can provide information to you. And you get a really cool fez, because fezzes are cool. There's also one other thing, there's a program with Carnegie Mellon, where Carnegie Mellon actually acts as a filter if you will or a spacer between the government and industry, so that you don't have to expose all your corporate secrets, but you can transfer information back and forth. Do you know the name of that program that Carnegie Mellon has? We always just called it the Carnegie Mellon CERT program. Take a look at the CERT program at Carnegie Mellon. Okay, thank you. I'm gonna springboard off this just a minute. I want to say this to all those answers that just came up.
Thank you very much, sir, because they're so sanitized in many instances that they're useless. Here, those are all, those effectively, you said, how do we drain the Pacific Ocean? And we said, well, here's four or five little tin cups, knock yourself out. We as a federal government need to stop and reorganize. We are not set properly for this mission set in a large sense. I will tell you, I'll give you the anecdote. Nobody on the planet said that the Department of Defense should be prepared to shoot down airliners on the 10th of September, 2001. And everybody on the 12th of September thought that that should have been done. We're gonna go through this same metamorphosis in cyberspace, unfortunately. My belief is that you don't want DOD in charge of securing our cyber lives as a nation. Most people would say DHS is the right place for that. It might be organizationally, but it's not the right organization. They can't do it. So Punch Moulton's answer is that we need a whole new way to think. And what we need to do is capture what the federal government does well and what private industry does well. And then to try to cover each other's weaknesses. The federal government's good at looking broadly at problem sets. And your bank probably is good at looking at its niche, but doesn't care about that other niche that Cisco does care about or Google cares about. So the federal government is actually good at thinking about the holistic problem. But the federal government is wholly inadequate to be flexible, to be dynamic, and to be responsive. Private industry is. And so what we need is a marriage. And I'll tell you that I've thought long and hard about this, and we've done some work trying to work on Capitol Hill with little success so far. But my proposal, which is first draft and should be probably modified so much it doesn't even look like it after you guys all think about it, is that we actually take a model that does work sort of, and that's the Federal Reserve. 
It's quasi-governmental, but outside of the political process. It would probably have a board of governors of this new cyber Federal Reserve thing that is some people from government and have a holistic, probably some people from academia, but a bunch of people from the spread of what cyberspace companies are about in our country. Some of them macro, the Googles, the Apples, the Microsofts, the Ciscos, some of them smaller, probably some of them just past startup in the cybersecurity arena, and have them all on a board of governors that leads then a staff of people that tackle the large questions that we have about cybersecurity for our nation, which would then, if you had that large infrastructure on top, removed from politics, but inviting in the entities that really benefit from this in the corporate world, you would create an environment where sharing public and private would actually really happen. Actually, I'd like to say you set that up because it's a great segue for one of the things. We need new thinking, as he says. What I've got is, I want you to all think is really new thinking, except that DHS was doing it 2004, 2005. CIA and DIA were doing it in the 80s, I think. It's called Red Cell Analysis, and get your pens out. And basically, it's the portion to think the unthought. One of the things in the 9-11 Commission was that intel and the intelligence community had a failure of imagination. Now let's face it, 37 years, you get a little rigid. All of us get rigid. And it's harder to think out of the box when you're inside a box. And we think of set answers, we think of SOPs. And you guys don't even know the SOPs. So this is a neat thing. What Red Cell Analysis is, not red teaming, Red Cell Analysis is basically coming out and bringing in, we brought in academics and regular civilians off the street at DHS and asked them, we did one on WMD, we did one on cyber. I can't remember the other ones. Me pandemic, I think. 
And we asked people who were specialists in those areas to give their wacky thoughts. What's the worst case scenario? What's not so worst case scenario but possible? And the intel analysts in the back of the room kept their mouths shut and didn't ask too many questions because they did not divulge classified information. The entire event was unclassified. But as a result, we were able to walk away. I'm a big proponent for using the intelligence cycle to make it work. And you have to put in requirements. But you have to think up requirements. And how the hell am I going to think up that airports are really ammunition centers on the 12th of September? It was an ammunition center. Airplanes are a weapon now. How do we start thinking about those things in cyber? So what I'd like to do is I've got both a charity and then my day job at work. My charity will pull things for blogs that the charity does. It's a national security charity. But we're looking for ideas, thoughts about how something, what are we forgetting? What are we not thinking, the unthought? And send it to the email address that the guys just set up for me today. DEFCON20Lint, L-I-N-T, it's a four letter dirty word. Just like in your washing machine, Lint. DEFCON20Lint at gmail.com. I'm watching it. And some of them will, if you're up in the Maryland area, we may pull you into Aberdeen for the trip through our campus. But we may do it either there or we may try to do it through VTC. Real quick folks, we've got about five minutes left. We're not gonna get to all the questions. I'm gonna see to it that a discussion group is started on the DC forums list. And I'll give out my email on that list. You can email me directly. I have contact with everybody here. If you didn't get a chance to ask your question in the Q and A period, I will make sure that the message gets passed and we do our best to get an answer back to you and the entire community. 
There will be Q and A after this. Sir, go ahead. I have a more practical question just about talent acquisition. And it's not to anybody specifically or any division, it's pretty much federal agencies in general that I see all the time. I work in the financial services sector so we have kind of the similar problem looking for SQL developers, looking for data analysts. But my main question is, have you guys actually gone through from a QA process and tried to apply for a federal job? If you know how punishing it is. And so I hear, like, you know, I hear panel after panel after panel, we're looking for these people, we're looking for these people. Yeah, but then if you've ever tried to go through that process, it's just unbelievably horrible. First of all, sir, get a haircut. Wow. That's why I get to work where I work, because I can look like this. Second of all, I'm probably the most recent person on the panel to have done a federal application or any application to the government. My advice is the following. If the application says we are looking for left-handed glass blowers in Alaska with long blonde hair, put down I have worked for five years in Alaska blowing glass with my left hand and my hair is two feet long. Because what happens is you've got a bunch of very low level people, and I think now computers, that look at the application and look for keywords. You may have absolutely no experience blowing glass with your left hand, but maybe the best right-handed blower they've ever seen; in order to get in front of the person who can make that decision, you've got to lie and say you're a left-handed glassblower. I'm sorry, not lie. That's a bad word. It's called padding, padding. You've got to think outside the box because that's how, you're right, it is stupid. It is, it is, bam. 
But I think that's a big thing because we just had the discussion about, okay, if you don't have a degree or you don't have this, and people are like, yeah, we want to talk to you, but I don't think any of those things really make it to the people that really can make those decisions to hire those people if they can. Part of the reason they are here is so that they can make that connection, number one. If you're a poor, if you're a poor writer, you're going to have trouble. And usually writing's one of the skills. You're going to have to write a good resume and you're going to have to be perseverance, have perseverance. I hear people, when I went from 14 to 15, I believe I've sent over a hundred resumes out. A hundred applications. If you don't have perseverance to send them out, then you're not really trying. And I really don't believe people are really trying to get into government service if they haven't sent out their first hundred resumes. Okay, thank you. Pearl, can I, can I, I'd like to talk? By the way, I'd like to thank everybody for not asking about the space aliens or do we sell crack cocaine in South Central? I really actually appreciate that. Yes, sir. Step on up. In our organization, we grew so fast that we had to grow by hiring contractors, not by government workers. So what's happened is, as we get those government positions, we're looking at the contractors who have already proven themselves to us, come on board, and the majority of the government folks that work for us were working for us for the last three or four years as contractors. So take the job, get your foot in the door, prove yourself to the management, and you'll get hired. They will make a position for you. Let me add one. Coordination is not my best. Let me add one more thing to that. You have to look at the skills that they're asking for. One of the things, particularly on the acquisition side, that we try to do is not be in the position of having to add security on all the time. 
Patching and patching and patching is real hard with a complex system. We'd like to be able to hire folks that can help us build it in and build in the flexibility that we need upfront. And I'll tell you, having been on the acquisition side, there are times that I put a request for proposal out on the street, open to any company, and got zero responses because it's not fun. It's not cool. It's not penetration testing. You know, it's great to break things. I need people who can help me build things, not just break them. We are actually, we've got about 30 seconds left. Hopefully this was informative. I realize it was short. Hopefully we did answer and dispel some myths and put kind of that happy smiley face on what the government service does. And we'll try one more. Okay. Can we do one more? Can you talk fast? I can talk fast. So you said that we were a nation of laws, but given the Fourth Amendment and that you're building domestic spying facilities. Here's the wing nut. That's fine. I'm just gonna go ahead and ask it then. I'd completely disagree as a civilian. So here's my question. When I see that my own government is building domestic spying facilities. Okay, we're not making political statements. This isn't a political statement. This is about building trust and working with. In the form of a short question, sir. Okay, so given, like, torture and we're prosecuting whistleblowers, you needed that trust in this community to actually go forward and push forward. So my question is, how would you change how things are currently run to facilitate trust and cooperation? That's actually a good question. Thank you. I'm happy to, please, please. We needed some comedy. Looks, Marx looks like the second question. I had a hard time hearing your question. You said, how do we change the culture of trust? No, how do you change how things are currently run to build trust and cooperation? You got an election coming up in November, right? Yes. 
Oh, seriously, you've got accountability that's built into our democracy. And if you think you've got a runaway system in terms of our federal government or any agency or any entity that's not responsive to the requirements, either by law or in terms of some moral standard that you have, you need to go ahead and take an action. One vote is not necessarily gonna tip it, but you can get active and get involved. That's why we have groups of people. That's why we have things like the EFF and the like that stand for a position and use the court system and use our existing infrastructure to make change happen. And you've gotta be willing to lean forward and make change happen, because if you just sit back and complain, nothing's gonna happen. Reagan said it best, trust but verify. Ladies and gentlemen, we'll be in the track two Q&A area. I'm actually hopefully active in changing things, so I'm not doing nothing. Let's do the Q&A, we'll keep going. Okay, do you want to clear up for the next question? Yeah, a round of applause would be good for the panel. Thank you for coming. Thank you.