So we have a pretty interesting talk today. We have Jen Easterly and our own Dark Tangent. They're going to give us a little discussion about how Aerosmith and Run DMC can tell us about the future of cybersecurity. So enjoy. OK. Hi, thanks for coming to our talk. And I'm going to reveal our agenda. This is what we'll be covering. That's blank, because this is going to be a more unscripted conversation between Jen and myself. And we have a couple of things we want to cover. But really, we wanted to have a sort of an authentic conversation, not a scripted thing where I have to make sure I ask a specific question and so on and so forth. So it might not be totally smooth, but it'll be totally interesting. And then at some point, we're going to start involving the audience with some questions. And so you can listen to us maybe work through some of your questions. And before we get started, I have to de-conflict myself. I actually am on the CISA advisory board. And so I'm going to be wrapping my Keep CISA weird shirt. So just to remind the director that just because it's government doesn't mean it has to be boring. Exactly. Love it. I should have brought mine. Now I feel kind of guilty. Yeah, look at that. In the Blade Runner font, for those of you wondering what that font is. Should show in the back. I can't read that. What does that say? It says, how about a nice game of chess? Yes, nice game of chess. Which Kenneth Geers is running the chess competition at DEF CON in case you want to have a nice game of chess? All right, let's kick it off. Why are you here? Yeah. Well, let's see a show of hands. How many people know what CISA is? Wow. It's pretty good. How many of you work for CISA? Well, maybe I can leave. My job is done here. You've converted them all to employees. Exactly. So as you know, CISA is the newest agency in the federal government, founded by our mutual friend, Chris Krebs, about three and a half years ago. 
And I think events like this, especially with the folks who are here, are so important for us to develop trusted partnerships with. And so you and I, before I was confirmed, had a great conversation about the importance of this community. And certainly from my past in the Army at the NSA and even at Morgan Stanley, where we sent folks here, realized that this is such an important community for us to connect to. So I was excited to come hang out with you. Yeah. And have some fun. You're all important. We're going to talk about that, I think, a little bit. It's interesting, because when I started with DEF CON, and it was all about the technical, and it was all about the party, and it was all about the hack, and the social grew up around it. And we'd always talk about keeping true to the core of DEF CON, meant that you had to stay kind of hacker. And all the things that weren't hacker, that's fine too. But if you lost that core, you might drift. And then you're not quite sure what your identity is. And one of the things we do with DEF CON now is when we're reviewing papers, is we say, we're not an InfoSec conference, we're a hacking conference. And there's a difference. Here it's maybe the joy of discovery, spontaneous learning. InfoSec may be advancing your career, honing a technique that will help you in your job. Have you ever really thought through, what is the core of CISA? Like, what is your guiding stone? Or everything else kind of orients? Because we've had 30 years to figure it out, and you've had a year and a half, plus what Chris had. Well, a year and a couple of weeks. Yeah, yeah. Well, it's a good question, because one of the first things that I looked at when I got there is, what's our culture? What are our core values? What do we expect from each other? And what do we aspire to be as an organization? And because we were built off the back of a staff element, we really didn't have any of that. 
Well, I was curious, if you can share the numbers, what's average turnover in a government agency or in CISA? What's retention even like in that? Yeah, I mean, it's actually pretty good. Retention, our turnover or attrition, and I separate attrition from regretted attrition, because not all attrition is necessarily a bad thing for the organization. But it's under probably like 10%, so maybe in some case, under 5%, but it's low. Compared to, say, Amazon at 40%, not looking so bad. Yeah, but I have a different philosophy. I mean, so attracting and retaining talent is really predicated on developing a great culture, and that's why we've laid out what the core values of CISA are, what our core principles are. But if somebody wants to come in to defend the nation for a period of time and then go back out to a critical infrastructure owner or operator, you become part of the collective defense of the nation, so I'm totally cool with that. Come learn what it's like to work in the federal government. We are probably as much like the private sector as any place in the federal government, and so I think it's about building the capability for the nation. I remember when I was spending time with the government, when I was spending time in DC, there was always like the politicos, the full-time employees, and the contractors, and there are these three communities, and they're all working at the same agency, but they're different, and they have different interests and different motivations and everything, and originally at Big DHS, they had quite a large number of contractors, and I remember having a conversation with some leadership back in the day, saying if like 60% of your workforce are contractors, that means the remaining 40% have to be really good at managing contractors, right? 
You have to have those expert skills, but if your 40% is just like those 60%, so does it mean that as you're building that culture, you have to have the culture of managing contractors, or is it you treat everybody identically, knowing you have to have different skill sets for the, you know, how do you, because it's not like managing corporate America. Yeah, for me, we are just riffing here, so. Yeah, yeah. It's just, for me, I really don't see a distinction. I mean, there is a distinction in terms of certain rules, a way a contract is handed, so for example, you know, I'm a big mental health advocate, so we made 22 the year of mental health, and employee well-being, but really everybody well-being, obviously if you contribute to the mission of CISA, but one of the things that we did was, we got Headspace, the Mindfulness app, do you use that? Okay, I don't use it, but yeah. I recommend it to you. So it's good for meditation and mindfulness, but so we got that for all of our employees, we couldn't get it for the contractor, so there's certain legal things, there's training that we offer that we can ask a contractor's company to offer to them, if we give days off, we can work with that vendor, but otherwise, I just see, you know, everybody is part of Team CISA, same values, collaboration, innovation, service, accountability, all of us same principles, and we have a culture council that we stood up to make sure that we are guarding our culture and embracing it. And people in other agencies looking at you, like, what the hell is Jen doing? Or are they like, that's awesome, we want to imitate that, that, okay. I don't know. I think people see that we're having a lot of success with bringing in talent. Yeah. And so that's good. I mean, partially, that is the culture that we're building, but it's also because we were uniquely given authorities as America's cyber defense agency. 
I mean, the Congress went all in on us, they gave us more money, more authorities, they gave us something called the Cyber Talent Management System, which allows us to hire much more agilely and pay more. Like one thing that always drove me bananas was, you know, you have to have a bachelor's degree or a master's degree or a PhD. I mean, and then you get a PhD and come in as like a GS-11 or something. Right, doing malware analysis. Exactly, like I don't really care whether you have a college degree or not. My most technical person at Morgan Stanley, my head of cyber analytics had no college degree. And so I think it's really about aptitude and attitude. And that's why I think the culture piece is so important because you might be the most technical person in the world, but if you're an asshole, like that's not gonna be good for the culture that we're trying to build. And so, you know, aptitude and attitude is what we need to do and the CTMS takes us there. It also helps us pay closer to market, not what I paid the guys at Morgan Stanley for close work. The CTMS she's mentioning. Oh yeah, you started that, right? Well, like eight years ago or more, that we did some recommendations on hiring in DHS and how to retain, attract. We were really big on this concept of verification of talent. Or so you have to prove your skills, demonstration of skill I think is what we called it. And then that way you would hire, doesn't matter what your education is, if you can demonstrate the skill, then you're qualified. And it was a good report. People agreed with it and then nothing for it until just last year, seven years. Yeah, pretty funny one. And so speed of government. But now that it's happened, now you can run with it. And so yeah, it's like slow fast. In our world, and how can you expect things to happen very quickly, but in government world sometimes things are slow. And I kind of use that to balance both sides of my personality, right? 
But it's a bureaucracy, and then people ask often what keeps you up at night? You know, the adversaries are out there and they're really sophisticated and increasingly complex threat landscape. But for me it's battling the bureaucracy both so we can attract and retain talent, but also be able to do the mission. We have to be able to move the speed of cyber and not at the speed of bureaucracy. You can't get a PhD in bureaucracy, can you? Or government. Yeah, or government, yeah. And so that's the thing that I worry the most about. And that's the thing that we're fighting against is how can we do things much more like the private sector and battle the government bureaucracy. And we're starting to have a lot of good success and part of it is what we've been talking about since over a year ago is like how do you build those trusted partnerships since this whole talk is predicated on unlikely but powerful partnerships. The Run DMC and Aerosmith, 1986, Walk This Way. I like the DMC, I'll take that, that'd be good. One of the things I think we talked about this is that, and I'm curious if by show of hands, how many people trust an organization versus trust an individual? Like, you don't trust, say, the FBI, you trust your buddy at FBI, or you don't trust Microsoft, you trust your buddy. So show of hands, who would trust the organization and who would trust an individual that you have a relationship with? Right, and so I think knowing that, or trust no one. Trust no one. Yeah. And so I think that means that we have to organize, you have to build a way for people to build those relationships with your organization and then maybe over time they trust the organization more and more and more, but yeah, until you have that kind of continuity of trust, because I think when the shit hits the fan, they're gonna call up their buddy. They're not gonna call the switchboard. No, I mean, that answers your question, right? And that's why I'm here. 
That's why I spend so much time engaging with people and on the road and going to various events to meet people. Right. But behind you, you have to have a team or a group of people or? Yeah, I've got an awesome team. Yeah. A lot of them, as you know. A lot of them are here, but no, you and I talked about this, right? And I just came from a discussion around elections. And the word, the operative word for all of this is trust at the end of the day. And so the question is, how do you actually build trusted partnerships between the federal government and all of the partners that we need to work with? Because we're a voluntary agency, we're not a regulator. And our job is to defend critical infrastructure and we don't own the vast majority of critical infrastructure. So you have to have trusted partnerships so we can work together to make sure that everybody has the guidance and the resources and the tools to be able to defend the nation. And so again, it's about trust. And again, what we talked about, what we've been trying to do through the Joint Cyber Defense Collaborative, as you know, through our Cyber Security Advisory Council, through the Technical Advisory Council, and I really want you to talk about that, through the CSRB, the Cyber Safety Review Board, that you and Rob Silvers and Heather Adkins talked about, is creating trust between the federal government and all of the stakeholders to include industry. And I see, you know, the most important things is you got to approach it with, first of all, humility. We certainly can't solve this problem as a government. We don't have all the answers. And so humility, I think, is truly important. I think vulnerability is something, so it's interesting, right? Because vulnerabilities are such a negative word in our technical community, but I think vulnerability is an incredibly important thing when you're talking about building a trusted relationship. 
I think transparency is something we always talk about, transparency builds trust. And that's huge for me. And then finally, like gratitude, bringing together a community and sort of figuring out how we can appreciate what every side is bringing to the table. So you mentioned a couple words that really resonate with me, right? One is transparency. Just because DEF CON, we've done so much work trying to build, we were the first conference to use like a transparency report to try to tell people what happened. That's a little painful because you don't like revealing the bad things that happen, but the good that comes out of it outweighs the bad, right? And the other thing I think is, this is a global game now, and so things you do are setting a standard or an expectation with all the partners and allies and frankly, you know, opponents. And so it's almost like if you could set up your organization to play, so what is team rule of law strength? It's transparency, it's accountability. Like team authoritarian doesn't want to be transparent, they don't want to be accountable. So it's like the more we can emphasize and highlight that contrast between both sides, team undecided in the middle, they can make a more informed decision of which team they maybe want to associate with. And so I think the more that you or I or any of our organizations can operate in a transparent or an accountable way, it makes it that much harder for your opponents to say, oh, well, we're transparent too. Oh, look how accountable we are. No, we might have other things that are similar but draw the contrast. And it might be hard for a government to do that because you're so used to not or the liability of being transparent, right? You might have laws against it. It's really interesting. So I spent the first 27 years of my career in the Army, a good portion at the National Security Agency. 
I was at the White House under the Bush administration then under the Obama administration then went off to Morgan Stanley for four and a half years. And when you think about the first half of that, being in the intelligence community, it was a little bit counterintuitive to say, okay, we want to be really transparent with everything. Not because we didn't believe in transparency but because there's always a fear of sources and methods getting compromised and then not being able to do the mission for the nation. But I think increasingly, and this was after 2013, there is a real embrace of transparency because ultimately government has to be accountable to the American people. And so I've seen a very good evolution in the embrace of transparency. And frankly at CISA because we are such an outward facing agency every day is working with private sector or state and local election officials. It is about, we know that unless we're transparent, unless people can understand why we're doing what we're doing, the products are going out, we're asking for feedback from them unless we're being completely transparent, the model breaks down. I don't have a badge where I can show up, I don't have like subpoena power. And so it's all about, okay, why should you trust CISA because we add value because we're responsive because we have great expertise. So it's the all kids, all carrots, no sticks kind of. Not really. I mean, we have very, very small regulatory power on the chemical facilities, anti-terrorism side. There's a physical security. So you have, it has to be voluntary. But it's all voluntary, which like frankly, I embrace because I think if we were a regulator we would not be able to create the trust and partnership. We would be in court like every other minute. You wouldn't get anything done. Yeah, that we needed. When I was in finance, it's not like, hey, let's go rush to tell the regulators when we discovered something. 
Yeah, and for the stuff that we talk about, you guys did some great work and I really want you to talk about this on coordinated vulnerability disclosure. You have to have a relationship where you can have that trust with the researchers and then ultimately be able to put information out. That is, people are gonna have confidence in, believe it, understand it, be able to mitigate vulnerabilities and it's just incredibly important. So can you talk a little bit about the TAC? Yeah, so, okay, so Jen constituted the Security Advisory Committee for CISA. And it looks at, I think we have what, seven or? Yeah, probably seven big things. It's about how do you build the agency? How do you evolve America's cyber defense agency? So it's a very eclectic group. But I really want, and not everybody's technical, right? Some people come from. Yeah, and you're doing infrastructure and energy and misinformation. You know, we have different. Finance, energy, exactly. Yeah, finance and so out of that spectrum of subgroups, I'm chairing a technical advisory committee. And the part that was really cool is I can bring people in from other countries. Clearances aren't necessary. All of our reports become public and we just published two reports. One on threat intelligence and one on vulnerability disclosure. And we'll be producing more reports in the future. And so I had a lot of leeway to attract a diverse group of people. And yeah, it's been really amazing because unlike the big HAC reports that would take a long time and be very large and there was no immediate impact, we delivered our first reports. They were voted on by the overall committee. They were approved by the director. And two weeks later, we're having calls with people inside CISA from those teams and Threat Intel digesting our report, excited that we've given recommendations already making changes inside the organization. Like, what's going on here? Like, I'm not used to that. It's not your daddy's government. No. 
And they're excited and they're like, wow, you gave us a great idea and that reinforces this other thinking that we need to tie a connection between just not the threat intel, we need to start enriching it with metadata because the people in OT, they wanna know, do I really have to turn off my vaccine processor to patch this? Or can I just put in a firewall rule? Like, yes, you said this is a critical mine but what does that mean to me, right? And so we wanna create one of our recommendations was essentially creating a way to enrich these with metadata in a community portal where people, the other vaccine manufacturers can say, no, no, no, we're running that Philips gear, just do this other thing. And then we're missing that. And what that does is without that metadata, people are frozen with indecision and they're running all these risks, right? So we can speed up that loop, making the threat intel more valuable faster. And so there's other interesting recommendations like that but just the speed at which they got it and they wanted to implement it. And so I think for the rest of the technical advisory committee that have never interacted really with government before, there's a lot of them, this is their first chance ever being on an advisory committee. It's really empowering to them, they're really excited, like they listen to us. And they did something, like this is not how it's supposed to be. And I'm hoping that through this experience more and more people wanna get involved. And so for example, we would interview 20 different people on a report. So even though you're not on the TAC, if you're a subject matter expert in something we're looking at, we might call you up and you might come in and give us your opinion. And because of that, we get people across the whole industry, small manufacturers and energy, giant Southern corporation style, huge companies. 
And we're really focused on diversity of opinion because what we're finding too is there's no one single use case, especially in vulnerability disclosure. There's some people that are out of business, companies are out of business but they're widely adopted. How do you disclose that to the manufacturer if they're gone? Who can bless that it's okay for you to reveal that publicly? There's no law, there's no... So you can run into these thorny issues and CISA acting as sort of a governance mediator, I argue, that they should take on a more of a coordination role and get between sometimes between the researcher and the company because a lot of researchers, we don't wanna spend the rest of our lives arguing with the company, we found the bug, we want the right thing done but I'm not willing to sacrifice three months of pain. Yeah and that's exactly what we're doing. We have the platform and recently we did this for elections actually, folks might have seen a report we did working with a researcher and working with Dominion and that was a really complicated coordinated vulnerability disclosure and so we spent very, a lot of rigor, very deliberate efforts to do that and sometimes it's hard to necessarily mediate the middle of that but... And the interesting thing is people say, well what's the role of government and it seems like role of government is to get involved in these sticky issues that don't have a clear business solution, right? It's like a conflict between sort of commercial and civil society and you need a disinterested third party to make those hard calls on some of these. 
Disinterested is an important word because we are only, I mean our North Star is defense which is kind of pure to me, like having been on the offense side, I actually like the defense better and I think defense is the new offense but you know it's a pure mission and so I think that's really important when you think about we are only in it to defend the nation but I wanted to pick up on something you said because this morning I got to just chat with some of the researchers that we built relationships with over the past six months and it's kind of funny, one was Jags if you know, Jags and then Silas Cutler. Yeah, Silas is always fun. Yeah and then I saw Marcus over at the EFF poker tournament with Kurt so that was fun too but I met those two guys because they reached out to me on Twitter like actually with some critical, like Jags had some, he was unhappy about something that we, decisions we had made and he just sends me this like DM and I said well, let me give you a call what's your phone number? I didn't know who he was, but we were like. Yeah, you didn't know who he was, I didn't know. He like talked it out and actually we talked through it and he was the one who said well you know it's, because it started out with Ignite the Hackers he's like no, what you really need is this technical advisory council and I said well I've got you know, Jeff Moss, he's like well he's fabulous. I said yes, I know. But you know, I am such a fan of the incredible power of researchers. Yeah, the community. I've seen the power on the government side but on the private sector side, I mean we are really leaning into working with everybody who wants to be part of this community and you know, Silas worked with us on the Maui ransomware report that we did doing some fantastic reverse engineering, Jags worked with us on the HermeticWiper stuff for Ukraine and so these types of collaborations are just so absolutely critical and I think we're making some really good progress. 
So talk a little bit, like I'm always curious on since it's a global nature, like when you're talking to our partners or others, how do they come up and say hey, how is this working? Are there lessons that can be imitated or is their, you know, society so different that it's we're kind of like a unicorn? Like. Yeah, other feds, you mean? Yeah, or other countries like Australia, UK, anywhere. Like I saw you sign an MOU with Ukraine. Yeah, Victor was here. So what is the MOU? Like how do they see CISA in the US government? It's not an MOU with FBI or NSA, right? It's the defensive agency. All defense, but that's the beauty of it, right? Because every country has different things on encryption. Different things in terms of authorities they can do on the offensive side, different things that they're doing on the foreign intelligence side. Defense is pretty much the same around the world and so we have fantastic relationships with over 100 CERTs because we're US-CERT and ICS-CERT. We have what's called the International Watch and Warning Network, which is 16 nations across the country, really terrific information sharing partnerships. And then of course we're very, very close with all of our Five Eyes partners and so the international piece is fantastic. You know, whenever we talk about the JCDC we lean into the private sector part but the JCDC includes all of our international relationships to include Ukraine and we have this terrific, as you said, meeting with the sort of four different agencies across Ukraine. We did this memorandum of cooperation which is really about capacity building as well as ways to more agilely share. Is there like the equivalent of if you see something, say something, sort of like we're the US government, we see something, we're gonna say something to the UK or Ukraine, is there sort of that kind of? Yeah, like 100%. 
We see, obviously if there's an imminent threat, we will, whether it's private sector or whatever, we have an obligation to ensure that we are getting that information out but sometimes it's just dots, right? Suspicious activity. Only in hindsight, yeah. And so we will always lean forward because we think. So it's a bias toward? It's always a bias towards action and we'd much rather be in the proactive space than in the reactive space because left of boom is better than right of boom which is probably the name of the game is resilience but a great example is Albania, right? The whole thing happened that came out and we have a good relationship with their CERT and so we were able to help them based on researchers that came in to work with the JCDC to do some malware analysis and to give back some really important information to them and so it's really, you know, this community coming together for the global defense. Well that was, I guess there's so much to talk about. Man, we got beers, we got beer all night. We have to ask questions, did you say beers? I wish we had some beers, yeah. Cause I can drink, I don't know if you're technically on duty but I don't know. I stopped drinking in 2021, which I think was a bad idea. Oh, that's good, let's go for a question or two and then, but I wanted to get back to your North Star, you said that core principle, right? Like we're a hackathon, CISA is a defense organization and you are what, defend today, protect the... Well Chris and I talked about this. It started out defend today, secure tomorrow. Secure tomorrow, just sort of show, put out today's fires. Yeah, and secure the future. Think longer term. Sure, I mean the emerging tech pieces, we do the quantum pieces, you know, a lot of work on that with NSA and NIST and focus on 6G, focus on security of smart cities and so we're working. So there's this longer term perspective, you're not just a firefighting agency. 
No, and we don't wanna be, we wanna actually ensure that all of our partners are building resilience into their systems. And that's one thing, from a tech perspective, we've talked about this at the Cyber Security Advisory Committee. I spend a lot of time talking about things like multi-factor authentication, more than a password and all the basics. But what I think we need to do is ensure that the big technology companies are actually taking accountability for baking security into there. It drives me crazy that... So users don't have to actually ultimately worry about NSA. The people I think most responsible are the people closest to the levers of power. And if you're the manufacturer, if you're Microsoft, not to beat on them, they do a great job. But if you're Microsoft, you are in the best position to make the correction, not a third-party piece of software after run on top of your operating system. And so I think there's that responsibility there. And they've been acknowledging it in Apple and Google, but I really think that the more that can be done at close to where the problem is, that frees us up to do... 100%. And I think they're recognizing that as well. I mean, part of the executive order last year was to signal that use of the government's purchasing power. So if you have contracts with the government, some of these requirements will become necessary to do this. You must be this tall to sell to the government. Right, sort of exactly. Exactly, so we're getting there. And then your other point about the federal partners, I think the other really cool thing about the JCDC is it's the only federal cyber entity that by law brings in CISA, NSA, FBI, DOD, DOJ, ODNI, the National Cyber Director, Secret Service. So by law, all on one platform. So we stood this thing up. Different than a fusion center, right? Exactly, we stood this thing up, but it's not CISA. 
It's a platform where government, where industry can come to government and not have to have that PhD in government to figure out how to interact. Right, right. Okay, let's go for some questions, guys. Gail, who's got a question? CISA can influence any of the state and locals for cyber security? Yeah. Can I repeat the question? Yeah, the question, can we influence how money goes to state and locals? And certainly, I have to say, we have been really blessed in terms of our engagement with the Congress. Cyber security, happily, is still a very bipartisan issue. And so when I go up on the Hill, whether it's to talk about my budget, whether it's to testify, just an update on what we're doing, the questions that I routinely get from the House and the Senate are, what more can we do for you? Which is not the question that you will always get from Congress. And so that's actually really, really encouraging. And one of the things that I talk about the most are the importance of us being able to work closely with state and local to do all kinds of security, but a lot of focus on election security. And so we are always advocating for state and local. And the grant program that we're about to do, the NOFO, the Notice of Funding Opportunity, I think will be really, really important for state and local. I thought it was great. That was in the last package, a billion dollars, 200 million this year, hugely important. And the other thing is two other things. So we are, over the next few years, really growing our field force, which I'm, it's one of the things I'm most excited about, to have more folks out all across the nation. Out of the Beltway. Yeah, exactly. It's where I love to be, out of the Beltway. Working with state and local, we've got cybersecurity coordinators working with every state CISO, state CIO. And so we're really gonna dig into that. I've got my cybersecurity advisor for Region 9, which is based out of California, Joe Oregon. 
I think he's in here, and David Rosado heads that. But we are like totally leaning in on that. So please continue to give us feedback. The other thing, we're trying to be creative in terms of, first, how we help small businesses, because they are really, as Josh Corman would say, often in the space of being target rich, resource poor. And so we've done a lot of work in terms of, how do we break things down to make it simple for a small business, to be able to protect itself, knowing that the median size of a small business is 10 people. And so small businesses are out in everybody's jurisdiction. And then also trying to be creative. We were, as part of the committee, working this really cool pilot, like a town gown, right? It's awesome. This town gown pilot in Austin with Mayor Steve Adler and Bobby Chesney, who they're both on our board, to try them. Bobby made these shirts, so I blame him. Yeah, Bobby made the shirts. And so what we're trying to do is, Austin has this 3-1-1, so people can call and, you know, if they've got an issue, somebody's on the other end of the phone to help them. They turned out they'd get a lot of calls about cyber stuff. And so now we're gonna have students on the other end who are gonna be trained to how to respond to things. And then that will also help them get- It's the Cyber 9-11. It's very easy. 8-1-1, 6-1-1, you can call 3-1-1, they can get some help. Exactly, so creative ways to, you know, build the bench throughout the nation to raise skills. One of the things, lots of acronyms at DHS, but one of the things I like is it's a ground up organization, grassroots, it comes state, local, but there's acronym SLTT, state, local, tribal, and territorial, because we are more than a nation of states, right? And I always respected that, because it was always the SLTT, the SLTT, because you never hear people talk about the tribes and the territories. I mean, some presidents don't even know that we have territories. 
And so it's confusing, I understand, but yeah, so it's really nice to see that DHS really recognized that no, it's all Americans. This gentleman here, and then we'll go over to this gentleman here. Yep, yep. So if you are a critical infrastructure, and I don't know if, you know, there are actually some small entities that are critical infrastructure, we, that is part of our core mission. We are working with businesses large and small as part of critical infrastructure to ensure that they have tools and services, and frankly, a lot of our stuff is free, which is a great four letter word. So you think about, and I would invite you to take a look at our website, because a lot of that information is there, and we just updated what we call a small business cybersecurity action plan, because we wanted to break it down as simple as possible, and then provide all of our no cost services. Some of the stuff is pro bono provided from our industry JCDC partners. So we realize that small businesses and small entities don't have the wherewithal to create these huge security teams, like I had it at Morgan Stanley, and so we're spending a lot of time again trying to make sure that the resources are out there and broken down in a way that they can, that all businesses can avail themselves. And so I would say like follow up with us, because I'm really interested in particular in feedback on what we're doing with small businesses, because the other part of critical infrastructure is now it's also a blurry line, because just given the interdependencies on the supply chain, you might not be the classic member of critical infrastructure, but you can very well be a vendor for that critical infrastructure. So what we're really trying to do is have a very large blanket across the country as we continue to grow our own capability as America's cyber defense agency. This gentleman over here. Repeat the question. 
Or I can, he asked Chris Krebs at Black Hat was talking about several different things that could be improvements, and one of the suggestions he's had was potentially separating CISA and creating its own standalone. The question is what are the pros, what are the cons? Yeah, I think over the last two decades, when I think about federal cybersecurity, there's probably two big things that happened that have really helped to change the landscape in terms of America's capability. One was on the offensive side, and that's when we stood up U.S. Cyber Command, so that was Paul Nakasone, T.J. White working with Keith Alexander, Chris Inglis, and I think that was a really important capability that now 10 years on is making a real difference. And I think the most important thing that happened in the last five years was the establishment of CISA. In 2018, which really proved that a name change and more money and more authorities can make a real difference. I still have NPPDs. NPPD, right. There's no infrastructure in there or even cyber. And so building a cyber and infrastructure security agency I think was critical. And then following on to that, there were actually organizational changes and more authorities that came with the NDAA 2021 out of the Cyberspace Solarium. One of the things was, it was called the Joint Cyber Planning Office, but JICPOS sounded like a disease and a horrible acronym, which is why JCDC, because it sounds like AC/DC. And who can argue with AC/DC? Who can argue with AC/DC, exactly, right. So so many really important things have happened. And my job, Tommy, is to make sure that I am all-in on what we are doing now, and I don't, you know. If you split it off, it's unclear what the benefits are immediately. So I can see the turmoil and the bureaucratic churn and the fighting for budgets and turf, and even the concern would be, oh, well, we've got an agency for that. They're in charge now. Oh, I'm, you know, OMB, I don't have to do that. 
That's their problem. And so it's like, okay, well, if we put up with all that churn and there better be a really big golden egg at the end of that. And I don't know what the golden egg would be. I think, CISA, I feel like we're a golden egg. You are right. So, and the other thing is there are benefits to us being part of DHS in terms of having that connection to my friend Dave Pekoske, TSA, right, from an aviation security, Deanne Criswell from a FEMA perspective. So they're important connectivity Secret Service that we've got there to have these colleagues around the table as fellow components. But you know, I am like laser focused on building America's cyber defense agency to be the agency that America deserves. And that's like no small endeavor as you know, given your role. So, yeah, so I'm not sure. It's not clear to me. It sounds like it's not clear to Jen what the benefit would be. I just see economic, I mean, I just see bureaucratic churn. But I like the big thinking, but I don't, if it is the time, it's not the time now, I don't think. I think it's gentlemen in the back and then in the front. The FBI problem. We'll listen but never talk. Yeah. First of all, thank you for asking that question because I think it's exactly the right question we should be asking. What can we do to help and what can you do to help us? So, you know, I think the DMs in Twitter is emblematic of what folks probably thought, you know, about the federal government. Hey, you know, these are just people kind of making decisions in a bad way. But honestly, it's pretty cool. Do you DM the head of the FBI and get a response? Yeah. You know, I noticed an organized crime group down the block, he's not. I think his DMs probably are not open. Yeah, they're not open. 
But what we have done to build on that is really leaning into this new thing that we stood up, which is the Joint Cyber Defense Collaborative, which is working with all of the researchers that wanna come to the table with us, working with every company that wants to be a partner. I just met with like the ESET guys this morning. So, we are really open for collaboration, open for business. And I would just say if you wanna be part of the collective cyber defense of the nation, which it sounds like you do, reach out to us. You don't have to just come to the director. Everybody, I think, is in fact approaching the collaboration with the humility, the vulnerability, the transparency, and the gratitude, and frankly, something that I think is important, and that's like assume noble intent and treat feedback as a gift, right? I mean, that's like my operating principles in life. And as an agency director, you kinda like, you gotta do that. This gentleman in the front? Yeah. Right, do you wanna come work for us? Cause you can, let's talk after this. Yeah. No, I know. This feels like a congressional hearing actually, but yeah, that's good, that's good. What's your name? Jason. Jason, thank you for the question. Yeah, man. Part of this is like dealing with bureaucracy and slaying the dragons of bureaucracy. I mean, it's a good thing that we have the CTMS system, but we just started it and it's rolling out. We are. So you see that's like a year or two, how long does it take to digest something like that? Well, we're almost to the end of, I mean, it started last November and putting a system in place, which is not even on the GS scale. It's a completely different scale. It's a completely different way of hiring, completely different way of paying. So, you know, it's a little rocky getting these things stood up, but to Jason's point, we are also reforming all of our HR processes. It's one of the reasons why we're, you know, I'm hiring a chief people officer. 
We don't have those in government, but I felt like we actually need somebody to lead our human capital strategy to ensure that we can build a talent, like a true talent management system, not just get people in the door, but bring people in the door more at entry level because we're a very senior agency. And I just think that's, first of all, that's a strategic risk to be so senior. But I also really believe in creating career paths and ladders. And, you know, we are kind of starting from, not scratch, but we are starting from a place where I am very aggressively trying to reshape the organization. So we're bringing in more junior people. We're doing career ladders. We're doing mentoring and coaching. It's part of like the gift of having a startup agency and the burden of having a startup agency. But, you know, if you are talented, we are gonna get you in the door. So let's actually, I'd like to talk after this. But the other thing I'd say, there are things that you can do to contribute to the collective defense of the nation without, while you're waiting to come join the team. And so if you talk to Jags, or if you talk to Silas, people like that, who have made a real contribution to the products that we're doing, the advisories that are being used around the world, I think that's one way you can contribute in the near term. But, you know, I'm working to solve that problem. So you're going for the hire the B team and turn them into the A team, not try to hire the A team, because that's the one you can't. No, I agree with that, but I don't like A and B. I mean, as an example, if you don't have this lot, like I'll just hire the best. It's like it doesn't work that way. You can't build a good culture if you're only trying to get a personality general type alpha. No, 100%, I mean you need to, what I want to do, coming up, is a ton of recruiting at schools around the country, so you can bring in the energy. Well, what is it, the NSA has a 20 centers of university? 
Yeah, it's the NSA DHS. Right, yeah, so you've got a... It's as well, the Centers of Academic Excellence. So what I'm trying to do is go visit all of the minority serving institutions around the country, because we're also trying to aggressively diversify, which I think is a, not just a national, not just a moral imperative, but a national security imperative when you think about the importance of... Diversity of perspective. Yeah, diversity of perspective, diversity of thought, that's how we solve problems, whether it's neurodiversity, diversity of gender identity, sexual preference, race, national origin, all of that equals diversity of thought. And that's not where the government, it's like the administration's leaning into that, but that's not necessarily where the government started out. Right. So we got work to do, but it's all high, you know, my two priorities, people, partnerships. Because I'm facing this way, I'm getting all these people, is anybody over here that's with a question that I'm just not in my line of sight? Okay, so I'll go back over here. Oh, in the middle, middle, oh, okay, middle. Where are you? Oh, behind the camera. Has CISA considered partnering with high schools around the nation to... Advanced computers. Oh, advanced computers. Sort of like the high school version of the NCCDC, the National Collegiate Cyber Defense Challenge. There was a high school version of that, but maybe a broader engagement. No, we absolutely have. These are all part of what, you know, I'm talking about building this talent management system where partnering with high schools, we brought in our first high school intern, you know, partnering with organizations like NPower, partnering with Girls Who Code, partnering with Girl Scouts. So we are doing these things entrepreneurially, which is cool, right? But what I'm trying to do is to ensure we can do them systematically and at scale. 
So if there are great ideas about how we can partner, because I know there's probably a lot of great folks who are doing things like this, you know, please come and work with us on it. Okay, time for one last question, and then we've got to call a wrap on this. If you're interested in policy type questions. Oh yeah, we're doing some afterwards. Yeah, after this, in the policy track, we're doing a little policy meet and greet with some beer. And so hopefully we'll continue conversations that you have, not just with Jen, but with other people in the policy community. Jags will probably be there. So let's take the last question. Gentleman in the blue. We once see a bank in other companies that, so I'm not sure, from the mobilized, very known in machine learning, AI, et cetera. He's a professor, not just me. And we said that he published some research that from the dangers of AI, so in machine learning. So it's not just supervised machine learning, et cetera, but we have to also moderate it afterwards. You can give the machine learning in general a good flow. Right, so I think. I think everybody's happy. I think the. The way to get to be is to make them stupid, so stupid, you know, not trying to make them happy. Well, I think. The machine learning might become like making everybody stupid on productive and excessive great things for the future. I'm convinced that machine learning is used for all these algorithmically generated YouTube videos that are just pursuing maximum clicks, which probably do produce a high stupidity quotient. Maybe one day will rise to a national security threat. But that sounds like there's, you know, the AI and the quantum, there seems to be these larger, bigger things out there on the horizon. And sometimes private sector is not equipped to deal with them and that's where I think, again, role of government plays a role. So you get the last word in. Gratitude. Thank you. Thank you for having me. Thank you for the great questions in the time. 
And you know, if you want to learn more about CISA, if you want to work with us, if you want to be part of us, please reach out. And for those of you who use our products, please continue to give us feedback. We really want to make sure that those are as helpful as possible. And so we are really leaning forward into responsiveness and value added. So thanks very much. Thank you very much, everybody. Thank you.