 I'm Ali Amoyorakis. I'm the Secretary of Homeland Security. Jeff, thank you very much for inviting me to share a few thoughts. You know, I want to start on a somber note because this morning I spent some time addressing the tragedy, the natural disaster tragedy in Hawaii. Approximately 55 people already confirmed deceased, and reports are that a thousand are missing. It is a fire that has really destroyed the island of Amawi. You know, last year we had a software vulnerability that enabled an individual to really circumvent, to bypass our security measures, and communicate from our official .gov site, our email address. And the results of that could have been catastrophic because we communicate with people, millions of people every single day, and very often we communicate with vulnerable communities every single day, including, for example, the survivors of the tragic fires in Maui. That consequence never materialized. The vulnerability was discovered and addressed. And it wasn't because of anything that we in the Department of Homeland Security did. It was because of what you did. One of you, one of the more than 500 people that participated in HACDHS, our bug bounty program, discovered the vulnerability, communicated it to us, and allowed us to close it. We need you. We need you to help us. And I want to share a story that I thought of on the way out here. There was a Postal Service employee and his wife, and his wife worked, I think she worked as a bank teller, she worked in a bank, two people, a couple of very modest means. And they lived in a very, very modest department in New York City. And he loved art, but they couldn't afford very much. So he would always travel through the art district. And if there was a young, struggling artist that he liked, he would, and he liked the piece, he would buy a piece, a couple hundred bucks, maybe sometimes a little bit more. And he made it a regular event with his wife. It was their weekly outing. And over the years, he gathered a lot of this art of young aspiring artists that had not yet made it. And a couple decades later, every inch of his apartment was covered with this art on the walls. It was stacked on the refrigerator. It was under the bed and the light. And ultimately, in their later years, they donated much of their collection to the Smithsonian valued at more than $250 million. He had an eye for artists that became the dominant American artists in the post-war period. And there's a clip that I saw of him meeting with one of these artists that he liked. And he was looking at a piece of sculpture. And he looked at it and he said, you know, that's nice. But I think it would look better like this. And he turned it on its side. And as soon as, and I'm not an expert in art, but as soon as he turned it on its side in this clip, I recognized that as an iconic sculpture, the artist adopted that way of positioning his art. We need you. We need you to turn us on our side. You see things that we do not see. You discover things that we do not. And we really need your help. You know, we need to serve people more effectively. The things we do are of tremendous consequence. I hope that you understand that your talent and what you can do is, is and can be of tremendous consequence. And not just when you, when you discover a vulnerability or what have you, or when you discover an opportunity, the real life consequence is that that work, that discovery, that exercise of your ability can have. I hope that you will, you know, work with us and help us in that regard. We're going to take the Hack DHS Bug Bounty Program and we're going to expand it this year. We're going to expand it to our use of AI. And we need to make sure that our use of AI, we want to be leaders in the responsible use of AI. We're very concerned about the security implications of generative AI and other iterations of it. We're also very concerned just quite frankly about some foundational issues, some values, principles with respect to AI. We are unique in the federal government. We have a statutorily created office for civil rights and civil liberties, an office of privacy. These are two areas of tremendous concern for us with respect to AI. And hopefully you'll work with us in that regard as well. Hopefully you will participate in the Hack DHS program relevant to AI and also more, more expansively. This week CISA, our Cyber Security and Infrastructure Security Agency, issued a request for information on areas of investment in open source security. Our Cyber Safety Review Board issued a really groundbreaking report on how to better secure open source, the open source ecosystem. It's of such tremendous utility and promise. It's here too, is an opportunity to work together ideally. What I'd love to do is I'd love to recruit many of you to actually become members of the Department of Homeland Security. I don't know what I would call that recruitment effort, whether it would be like Hack the Bureaucracy. But yeah, by the way, one goal that I had coming in and behind schedule is to demonstrate that government can be as nimble as any other non-governmental organization. There's no reason that we can't be. As I said, I'm a little behind schedule. But in certain areas of our work, I think in the cyber domain, we are. I think we are innovating in ways that are unprecedented. If you take a look at some of the innovations, the use of technology, the harnessing of your talent in other domains of our work, it's pretty powerful. If you're unwilling, unwilling to join us in our hallways, in our offices, hopefully you'll work with us, turn us sideways, make us better, and really help people very much in need. Thanks so much. I'm looking forward to a conversation with Jeff. He thinks he's going to ask me all the questions, but I may have a question or two for him. And I'm really proud to be here. Thanks. Is it on? Can you hear me? Okay. I think we're both got... We're both wired up. This is Vegas style. Yeah. You're good? I don't think... Can you hear me? Okay. Yeah. Yeah, now, yeah. Okay. So, here I am, a government employee sitting across from you. You started DEF CON 31 years ago. Twenty years ago, if a government employee sat across from you, what would have been your message to the government employee 20 years ago, then 10 years ago, then now on behalf of the community? That's a good question. The first conversation would have taken place with my lawyer present. That's for sure. But since then, things pretty much improved. You've noticed we don't have us really... It's a spot the Fed contest. Once Fed started intentionally outing each other to get the shirts, we knew that something had changed. We were no longer perceived as the adversary. And then about 10 years ago, it changed where when people from D.C. would come, it was, I'm going to go see the people with green hair. It was like a summer kind of like, ooh, a sideshow. Now, you're here. You know what I mean? People, it's quantitatively changed from, oh, that's interesting, summer concert too. I've got to be there. And some things changed over the last decade. And we're still doing what we're doing, but it seems like the stakes have been raised. Maybe the value that we can contribute has increased, but something has really changed in the last 10 years. I would say I'm not sure... Well, I'll let you speak to whether the value that you can provide has increased. I would say my reflex to that is the value that you can deliver is better recognized. I'll tell you a quick story, and I'm sorry. So, this is a second time. I've spoken at DEFCON the first time. It was when I was a deputy secretary. And it's a tradition when one speaks for the first time to take a shot. At that time, it was Jack Daniels. It was 10 in the morning. And I said, listen, I got a lot of stuff to do. I can't, sorry, can't, no can do. And they said, you know what? We'll give you, we'll go on stage, we'll give you a shot, but it'll be water. And I said, we have a deal. So, they came out. The subject of my speech was building trust. So, I took the shot of water. And then I continued with my remarks. And then I looked out. And I said, you know, I just took a shot of water. And here I am talking about trust and building trust. And there was, more significantly, a bigger deficit. Then there remains deficits understood. And it's our job to close them. And hopefully for you to be open to having them closed. But then I said, listen, bring it on. And so, I wrote off the afternoon and had a good shot at Jack Daniels' attempt. Right on. So, I was lucky. I was, you know, a little skeptical. I was in the back of the room watching. And as soon as you did that, and the audience was, whoo, and it's like, okay, he's one. Like, you know. Routing for my demise. Yeah. But, I mean, that goes to a very important aspect here on community. Building community. I mean, DHS is what, you're up to 300. How big is the department now? 260,000. 260,000. And I do want to give a shout out. You might not realize this. TSA is here. TSA is at DEF CON. Right on. Right here, this guy. And Dave Pekoski, please stand and be recognized as an innovator. Yeah. So, when we heard that TSA was coming, I'm like, do they know the fuck they're doing? I mean, like, that takes some courage. But TSA does a lot of cool stuff with technology. We just always hear about the screeners. But it's a big department. And it makes me think FEMA does a lot in disaster. I'm sure you're on the phone all day today with FEMA in Hawaii. And there's all of these communities that DHS essentially is stitched together, and you can't function if you don't have the trust of those communities. You know, TSA, building communities in the technology space. So really, if you think about it, your power, your authority, or your motivation is like more of a grassroots, bottom-up kind of community-driven. You're not necessarily top-down intelligence community DOD style, right? So the way you operate is different. We, I speak of our department as a department of partnerships. You know, we, our job is to make life better for people, to understand where we are falling short, and to close gaps in our own ability to deliver. But we don't, we can't do it alone. We cannot do what we do alone, which is why, frankly, I have come to ask for your partnership. And so, so with that dynamic, the bottom-up versus sort of the top-down, isn't that sound a little different than the foundation, the founding of DHS after 9-11, right? I mean, do you imagine that what the department has become or had to do to adapt? I mean, it was fundamentally a counter terrorism organization or conceived that way. And now, what we're talking about is not counter-terrorism, right? Well, the, a few things. The threats evolve. I mean, in 20 years ago, we're in our 20th year. In 2003, when we were first stood up, people were not talking about the cyber threat vector as prominently as we are now. That's just the reality. And so we evolve as the threat landscape evolves. And frankly, we build service delivery as communities' needs evolve as well. So, so give me an example. What's, what's like the latest service delivery? Or what's a new, a new, um, look, you know, I, I, the first thing that comes to mind, I don't, you know what new means, but I think that adverse nation-states exploitation of the divide in this country is something I speak of as a homeland security threat. You know, the, the, that we've had our disagreements in this country for ever since its founding, of course, and they have led to horrific results born, I think, of horrific practices at times. The residue in some regards still exists. The divide, the rhetoric now is so sharp, the divide is so becoming so extreme, it creates a vulnerability. That's one thing that I think of as well. But we, we have to, we have to change the way we do things sometimes. I will tell you, there was a scathing piece in the Washington Post a couple years ago about our provision of assistance to natural disaster victims. And the criticism was warranted. You know, I say to colleagues, let's not shrink from criticism, let's just work really hard not to deserve it. We deserved it. A black community, a very poor black community in the south was devastated. A small community was devastated by a hurricane, a tornado. And in order to receive assistance, one had to present documentation of one's home ownership, mortgage, documents, deed of trust, whatever. And this community, these poor homes, people had received their homes that had been passed down from generation to generation, they didn't have the documentation. And we disenfranchised them by reason of our lack of understanding of their reality. And therefore what we needed to do, and we did do in response to this criticism, was we changed our policy. If you don't have those documents, do you have a utility bill? Can you attest to your ownership of the home? We've got to reach people where they are. That's what good government writes about. Yeah. It's very refreshing to hear you say that, because half of it is just acknowledging the problem. I mean, if you listen to my talk earlier, I'm acknowledging the problem. We screwed up on badge manufacturing. I wish I could change it. I can't. I'm doing everything I can to improve it. We have people on airplanes flying from the manufacturing. We're doing everything we can. Can't go back in time and fix it. But by acknowledging it and trying to be transparent, that's all you can do to help communicate with your community. You brought up a point, though, about the new attack vectors. That's perfect. I have that question right there. See? Russia, invasion of Ukraine. Information operations from China. You're finding yourself more in the countering nation state game, which has been traditionally viewed as more of an intelligence. I see function. How does the department work either with partners, or Ukraine, or how do you, you're domestically focused here, but to be domestically focused, you have to be outwardly focused to try to counter these foreign threats. How do... So, I have spoken about the fact, and we have spoken about the fact that homeland security has converged with national security. It is not the lens, the aperture is not exclusively domestic by any stretch. I know that Jen Easterly, the leader of CISA, spoke earlier with her counterpart from Ukraine. The cooperation between the United States and Ukraine in assisting Ukraine in defending its systems against Russian attack, I think, is a success story. Rob Silvers is here, our undersecretary for strategy, policy, and plans, leading our international efforts, along with Ann Newberger of the National Security Council, homeland security, and national security have converged in this environment. Are there models? Are we sort of following a UK model, or we have our own unique model, and other people are learning from us? Because it seems like we're all trying to figure this out at the same time. Is it sort of like... I think here I would use the word partnership again, and I would just broaden it to say we have to work very closely with our international partners, and what we do in this realm, what is the relevance of a physical border? So then you're building these actually international communities? Yes. Which I'm really glad to see, because it's kind of like we're fighting like a two or three prong battle, right? You've got the hard, the physical, we're actually under ransomware attack, things are actually being deleted, we're in sort of an information, hearts and minds kind of, you know, wedging communities in America against each other. And then we're also in an influence game, and this is where I think United States, until recently, was kind of behind where standards bodies, the IETF, other communities, America that helped build these, like the companies that helped build them were so successful, they just kind of moved on, and that created a gap for other countries, China, Russia, to show up and basically co-opt a lot of these standards bodies. And now I see DHS, CISA and others representing, sending officials, showing this is American perspective, this is the DHS perspective, and it's so refreshing to see us out and engaging again. That was really missing for years, and the problem is that takes money and time, to build trust you need some consistency, and a lot of times that's not present in some of our institutions. I think it's very, very difficult to build trust if one is not present. Right. You know, look, you know, the last time I was in the department in 2010, I shared with a colleague, he was very reticent to go into the community and get his teeth knocked out. And I said, look, you know what, you got to get out there, you're going to get your teeth, sorry, I can't see you over there. You got to go out there, you got to get your teeth bashed in, and then, you know what, you come back, and then at least people see that you're willing to get your teeth bashed in, you will maybe realize when you pick up your teeth that some of them deserve to be on the floor, others deserve to be put back, and you learn and you get better, but how do you build trust if you don't engage? Right. And it's painful, right? You can't always, you can't please all the people all the time, so you have to really focus on what your priorities are. It is really painful to not be trusted. Yeah. So let's talk about that a little bit more, right? You mentioned two things that I'm proud of, of the department, the Privacy Office, Office of the Liberties, maybe just talk a little bit about that, and if maybe there's a story when the Privacy Officer shut something down, or the Civil Liberties wrote a report that wasn't the most glowing, like you have these internal functions that not all other departments and agencies have, I think DHS is slightly unique in that area. So, you know, I think what we are doing now more than ever is our Office for Civil Rights and Civil Liberties, SHOBA, who leads it, our Office for Privacy, they have a seat at the leadership table. They are involved in all of our discussions, you know, we have an Office of Intelligence and Analysis that shares Intel with our partners around the country. Our Office of Civil Rights and Civil Liberties reviews those products to make sure that they are sensitive to our principles, our values. And have they ever asked something or is it, no, things are pretty good, they're not having... Yeah, they're not passive. Good. Because one of the things I worry about maybe is, you know, you touched on AI a little bit. And it seems like the potential for abuse of human rights is greater with AI. And I think the pressure on companies, on people, on governments is to use AI everywhere to become more efficient. And it seems like when the government uses AI, it's different than maybe a university uses AI. So I think the potential for harm or for potential for benefit is greater in government. And that means... Look, Jeff, we're using AI now in the context of facial recognition. Something that our Office for Civil Rights and Civil Liberties is taking a very close look. This is the TSA when you're boarding a plane or you're screening. So yeah, well there I think we're explaining what we do and what we don't do. But in other arenas as well, you know, there are significant concerns with facial recognition's ability to discern individuals with different colors of skin, different tones, especially concerned about youth. And these are challenges that we have to tackle. We have to confront and work through it. Do you see will be sort of an AI oversight board or is that just going to be merged in with the Civil Liberties and the privacy? Or does this constitute a new thing? Or will you task every one of your departments and agencies and say you need to have an AI report or you need to have a, you know... So I think one of the things that we are looking at and I don't want to get too far ahead is, you know, to have like a safety review board, just like our cyber safety review board that is now issued, you know, very significant reports. The first one with log 4J, the second one with lapsis and now we just announced, you know, lessons to be learned with respect to identity authentication in the cloud-based environment. So we just announced that. I think there's just a lot of things. And by the way, what distinguishes that board in addition to just its groundbreaking work, it is security researchers, talent, your talent is involved in the analysis of incidents and in the recommendations that are made. It is a board that is not about accountability. It is not about blame. It is about learning and strengthening. It's sort of that, what's the near miss, the pilot FAA1 where if you make the contribution and point out the problem, you're basically insulated from liability. But if you don't reveal the problem and it blows up in your face, now you're in trouble. You want to incentivize this collaborative environment where people aren't pointing fingers at each other. It's all about identifying, well, understanding the treasure, the open-source environment, understanding how to make it more secure and like and Rob is the chair of the board. And Heather Adkins from Google is the vice chair. It's a public-private partnership and we use security researchers to really drive the best results. So on that open-source question, this is a hobby horse of mine is to beat up companies that they take a lot from open-source in the sense that they build products, they innovate a lot, but they don't upstream their code changes. They don't fund the communities of which they get their software. And the one I like to point out that does a really good job of this is Netflix. Netflix makes tons of changes on the networking for FreeBSD and every change they make ends up, they fund code optimization and FreeBSD, the operating system, is way better because of Netflix and Netflix is way better because of this relationship. That's a very positive ecosystem. Yeah, ecosystem give and take but that's rare. That doesn't really happen much and so it almost feels like a tragedy of the commons kind of social dilemma problem where the backs on which we're built, all this is built, they're not getting kind of rewarded and in tragedy the common problems or social dilemma problems a lot of times the solution is government. Government does not exist in a purely commercial function, they're filling the gaps for what the needs of society are which are maybe not commercial needs and so I'm really excited here when you talk about open-source are the ways we can support open-source, fund open-source, identify critical pieces of open-source. It's like anything that makes open-source more healthy, you're raising the boats for everybody in the planet, not just, you know, a state. So, I mean, I know that we have reached out with respect to how you can help us secure that environment. Jeff, if there are other ways in which, you know, other aspects as to which we should reach out, then let's talk about that and let's do that. Yeah, I think one of the things, I think FEMA would have grants, I've been talking with Director Easterly, are there ways you could identify and do a summer of code, a grant to improve the security feature that we all need but there's no, the company's not interested in adding it. Are there kind of commonalities where we can help improve the system, but I don't know the grant process, I don't know how, you know, I don't know how that part of government works, but I do know if something like that doesn't happen, if it's not philanthropic or government or, you know, it's probably not going to happen. So, we, so a couple of thoughts. One, we have a cybersecurity grant program. Two, our grant process is not a model of publicity. It is something that we are working on. I tasked a private sector advisory council to make recommendations. Maybe we need to take a look at how we can deliver grants to non-traditional recipients and maybe that'll help build the partnership that I request as well. Yeah, I know. I think one of the things DHS... Maybe we have to step out of the orthodox on that in terms of grant recipients. And I want to touch briefly on some of your comments a little bit developing the talent with the workforce, right? How is DHS going to onboard these people? And it's probably here, years ago, I was on a task force at DHS on developing the cyber skills task force. And to see those recommendations kick in and things to change, how would you see you know, you're calling for people to come to DHS, how has it changed in your perspective, you know, onboarding, offboarding? The idea that maybe people don't enter government service for their career, maybe now they're entering for a period of time and coming in and out of private sector, like the way people work seems to have so absolutely. And it doesn't need to be a commitment in perpetuity. You'll decide the duration that you would want to stay. We would love your talent to bring in your talent for whatever period of time you'd be willing to do that. You know, we have models where it's actually we almost like borrow your time, your talent for a short period of time, for six months or so. I will tell you and Jen and I have talked about this. I have a mixed feeling about some one aspect of our recruitment of cyber talent. It's tough to recruit because in the private sector we can't compete from a financial perspective and we have been able to kick up the income of incoming cyber talent and I've got very mixed feelings about that because I have to tell you, you don't come to the government for the money and there are people that have dedicated their lives to public service and the reward the reward is more fundamental reward than financial and I know that the vast majority of you if not all of you I don't know your community well enough to say but the reward that you seek is you don't do what you do for money. You do it for its consequential nature. What it means what it means to you what it means to you so you're talking the sense of mission a sense of mission I would say a sense of purpose and so I think civil society can provide that government can provide that our communities we provide that for each other and so once you recognize that you need to have a really clearly defined sense of mission you need to be able to not have one part of your department destroy the sense of mission from another department it gets very and in the social media age you need to be nimble and be able to respond so I was going to say how fun is it for you then eight years ago or so as an S2 now you're there S1 where you go from it go I guess I guess what I'm getting at is like what excites you right fun wouldn't be the first word that comes to mind right so it's the sense of mission that's the motivator 100% 100% what my greatest source of pride is the people with whom I get to work and the purpose that we all share is my greatest source of pride I have to tell you we came to this country in 1960 as refugees, political refugees escaping the communist takeover of Cuba it was the second time in my mother's life that she was a refugee I grew up with a profound sense of gratitude with respect to what this country was able to give to my family and me and that's what led me in 1989 to join the government as a career employee and that would you become a lawyer by then or this was I was a lawyer at that time and so that perspective the legal perspective your background I think that helps you connect with the people in these communities because you understand what it is to maybe be in their shoes that empathy that we don't see in a whole lot of leadership in companies where it's a lot about bravado can I how do you leave that behind can I can I share a quick story please because you say people's shoes I I have to share this even though it's I'm going to stand so I can see it's too personal for me so I grew up in a home where my parents really made sure that my sister and me understood what it means to be displaced and my father left the country of his birth he did not get a chance to be by his mother's side when she passed he had to take us out and I grew up with a really profound understanding of what it means to be a refugee a political refugee then I think it was 2011 I was a director of US citizenship and immigration services we administer the legal immigration system and we have our refugee affairs officers who travel around the world and interview people to determine their eligibility to come to the United States as refugees and I visited the refugee camp in Dadaab on the Kenyan-Samali border we traveled by a small jump plane from Nairobi to this camp and the entire flight all you see is sand all you see is sand and these individuals had traveled from Somalia to this camp hundreds of miles I don't know how they made it and the camp was designed for 90,000 people and at the time I visited there were 300,000 sand and they were covered by either plastic or paper bags there was nothing and they shipped food in twice a week and I sat in on an interview of a family parents father and mother and four children and our refugee affairs officer spoke first to the 17-year-old young woman and asked her where she had been born and she looked down and then she looked at my colleague like puzzled and said I was born here she had known nothing else but this camp and you cannot describe these individuals as poor because poor suggests you have something you just don't have enough they have nothing and I left there first of all thinking the world is not civilized and second of all I couldn't call myself a refugee she's a refugee this family we came we came with things and my father though he struggled for a period was on his feet and I've carried that with me because I've never been in their shoes I've carried that with me it's just not an opportunity it's a responsibility of government to address that and whenever we issue a policy whether it's in cybersecurity or anything that says something about not only who we are but who we want to be and there are many policies of which I'm incredibly proud and there are many of which I am not and it's sometimes a struggle it's always a privilege and making a difference sometimes a small difference sometimes a really big difference is really why that's why a lot of the people are in government to make a difference it's all about people you make a huge difference in what you do you can make such a big difference in helping us be proud of everything that we do and closing the gap in our sense of our own pride and really I just if I have one message to all of you is you know quite frankly I mean I do care I was about to say I don't care if you trust us or not I do care really deeply maybe you have to wait till we've built you know built your trust maybe you're willing to give it to us and see if we keep it whatever it is you know far better than I I'm not expert in your work I recognize your talent you see things that you see things you find problems you know how to fix them that can really make a difference in people's lives and I know that that is why you do what you do you also of course have to support yourselves so it's not hack DHS for nothing it's a hack DHS bug bounty program we all have to make a living but there's a sense of purpose in this room and I want to just communicate that we share a purpose okay Ali we can't beat that I don't have a topper question that was incredible and I really want to thank you for coming out here and talking to us and I'm really proud of what the department's been doing and that's largely in part to you so thank you for coming out and talking with our community thank you all very much thank you