 Okay, thanks. Maritime cyber village people. Hack the sea, our first one. So thanks for coming. We've got a panel set up here of folks from industry and government and something that's really kind of on the edge of all of that. And so I'm going to pass the mic down, have everybody introduce themselves. And then we'll get started and go from there. So here we go. Hi everyone, I'm Christy Coffey. I'm Christy Coffey. I am the VP of Operations for the Maritime Import Security Information Sharing and Analysis Organization. So we're a non-profit organization focused on protecting the maritime industry from cybersecurity threat activity. My name is Andrew Pasternak. I'm a senior risk analyst in the DHS Cyber Security and Infrastructure Security Agency, focusing on transportation issues, primarily maritime and maritime cybersecurity issues. My name is Robert Reeves. I'm with the Coast Guard in the Office of Cyberspace Forces. We're focused basically on implementing the different national level cybersecurity strategies within the MTS. I'm Carly Jackson. I'm with the Seasteading Institute. We're a non-profit that is building a network of entrepreneurs who are working to develop floating islands to create innovation in sustainable fish and seaweed farming and energy generation and eventually live out independently in the international waters. Alright, thanks y'all. And I'm Chris DeWitt. I am a senior advisor for ABS, which is a class society if you're familiar with that. But we write rules for things that float and get wet. And as part of that, I help with the cybersecurity team and figure out what's best for our clients. So we're going to start. I'm going to ask a bit of a question here. In case you didn't hear, Carly's kind of a unicorn in this space, right? She's got these entrepreneurs that are building essentially a new world order on top of the ocean. And it's really interesting stuff, but I think you'll find that there's some overlap in what we want to talk about here. So I'll kick it off. One of the things Brian asked was we want to figure out when vulnerabilities and exploits are discovered, there's a pathway from that discovery up to the organization that is responsible for that gear or manufacturers that we also have some governance from regulatory bodies that have a hand in that game. And then there are ways to communicate these things up and down this food chain. So I'm going to maybe ask each of you to describe where you fit in that life cycle or how these exploits get discovered and really communicating a discovery up through to our government. And then we'll kind of back that down into how that exposes itself in governance that comes out of our U.S. government. And then I'm going to ask Carly to kind of help us look at that through the lens of the things she's doing in the seasteading space. So Christy, will you start with that? So from a vulnerability perspective, we do see vulnerabilities, newly discovered things. We receive those sometimes from our customers, port and maritime customers, who discover things in their environment, problems with vendor equipment, software, firmware, whatever. Sometimes we receive information from security researchers like Project Gunsway in the Hack the Sea village. When we receive that information, we don't vet the information. We assume that whoever's reported it has already vetted it. That's not really within our scope. We ask for whatever evidence they have of the vulnerability. And if it's our customers, we always get that. Also, with the research team, we usually get that as well. We, first of all, try to identify anyone in our customer base that may be impacted by that. We notify them to be aware of the vulnerability. Depending on what it is, we may push out some kind of early warning to our community. So we have kind of a community distribution list, vetted organizations and individuals can participate within our community. We, usually our customers, if it's a vendor, some kind of vendor problem, they'll notify the vendor. I don't think that they have a lot of success in notifying vendors themselves. We often, I think every instance, we notify the Department of Homeland Security and also US cert of what we've learned. And we provide them whatever evidence has been provided to us. So, when reporting a vulnerability, generally CISA is the place where most vulnerability software and hardware vulnerabilities are reported. And we're the ones that do the coordination and then it goes into the CVE, the common vulnerability and exploitation list that's run by MITRE on behalf of us. So if you have a vulnerability, if it's maritime related or not, there's a website on CISA where you can get the information on how to report it. I can give you a two. You don't have to give your name or anything. You can give a fake name. It can be done through Tor if you want. It's not something where we're requiring you to tell us everything. You have to tell us what we want to know is the vulnerability. And we'd like, first we try and coordinate it. It's something where we're trying to make everybody happy in doing this push towards disclosing a vulnerability. If you come to us with the information, first thing we do is we're going to go to the vendor. If you want your name withheld or whatever, obviously that's all withheld. It can be anonymized. And we try and develop a way to develop a patch for whatever vulnerability is. We don't want to just disclose an open vulnerability into the wild without a patch being available. And once that's done, generally we try and do it in a 45-day process. Then it's a coordinated release. It's done through CVE. We'll produce our own bulletin. Ideally, the vendor releases the patch at the same time. And if it's maritime-related, which I guess is what we're trying to get at in this talk in particular, this is something where we will in particular reach out to partners, Coast Guard here, who will talk in one second about their process for it, as well as others in the, you know, there's others like the Maritime Administration, which is part of the Department of Transportation, and is actually the advocate, generally, for mariners and the marine industry inside the United States. So they know all the partners inside the United States, and they can send out their own public alerts, which is called a maritime advisory, which immediately goes out basically to the entire U.S. maritime community, not international, but the U.S. one, as well as potentially e-mails to specific partners, if it's something that we're worried about a specific partner. There are others as well. There's a ton of agencies that have involvement inside the maritime community. There are a ton of private partners, such as the ISAO and others, and so that's what we try and get to. And with that, I'll pass it on to Coast Guard. So from our perspective, I don't want to say by the time it actually has a CVE, it's a little too late anyway, but it's more, we want to know those vulnerabilities, the true zero days, that kind of thing. That's what we're, sorry. I've got a bad voice for a mic. It's horrible. I apologize. So we try to focus on making sure that, from our perspective, it's very similar to the MPS ISAO's in that we're trying to get that more of that information out to the community more so than within, because typically we'll get that information from DHS. So we already know that CISA has it, therefore the government already knows about it. We're good there. We just, our focus is on trying to get it out to everybody. Our method for doing that right now is we're, and we don't have a good solid method on that right now. And that's the problem is that we don't have a good repeatable process on how to do that. What's the best way to do that? So that's what we're working on internally right now. That's one of the focus things we're doing, but right now we're leveraging the area maritime security committees. And that's, we're kind of pushing everything out through them if we get that kind of information. Now if it comes in through one of those sources to us, and CISA hasn't been notified, that's pretty much how we do that is we push that up. But we kind of look at it more as we just want to make sure everybody's aware. This is a problem. Do something about it. So that's from our perspective. And I'm kind of really anxious to hear how that works. So at this stage, Seasteads are being prototyped. So there's, there was a Seastead that was off the coast of Thailand for a couple months. The Thai government didn't like it there. So they took it down. And that company is looking for a new location and working on their version two. There's another company that is building a floating home prototype in California. There are a number of entrepreneurs who are developing fish farming and seaweed farming, but they are working with universities and private companies. So they're working within the systems that already exist. But with Seasteading, so at this point, there's nothing I could uniquely say is a, if there's some, if there's a vulnerability that's affecting technology that affects boats, it would probably affect Seasteads. There's not like a distinction I could make at this point because we don't have Seasteads actively working to understand that. But as the Seasteading Institute, my goal is to connect Seasteaders so that we could develop communication and, and you know, make people aware of, of problems with technology and obviously, like for all, all of the reasons of developing and collaborating and working together. So at this point, it's all, it's all theoretical. And, and at this stage, Seasteads are working within all of the existing legal structures and, and I guess cultural structures that exist. All right. Thanks. So I guess what I just heard was you'll follow whatever the organization, geographic, geopolitical organization is that the Seastead is actually functioning within. Is that correct? Yeah. Okay. Okay. Hang on. And then, and then I also want to connect some dots for y'all here because as these things move further and further offshore, they get into this, this unknown area of governance, right? Our, our, we got 12 nautical miles off our beach to international waters. And so, okay, well, well, that's good to know, right? So in, in this whole process, I guess, I want to ask you to help, help us understand that more, how, how you govern the technology that'll be in play. And I would, I would agree, I think it's going to be a lot of the same stuff they have on ships or in chemical factories or whatever process controls or just, you know, there were controlling stuff. So if you would explain that a little bit, and then I want to come back to what you guys are doing and what's in your way, right? The, the time from discovery to a CVE to a patch, you know, what, what are those timeframes look like help us through that? Here we go, Carl. So generally the goal of seasteading is to provide space for more rapid innovation. So, so we want seasteaders to be able to, you know, work within the systems that work. But then if, if there is something that doesn't work, then be free to try and find a new way of doing things without running into regulation or, or, you know, other and without being in close contact with people who would be affected negatively if, if you take a risk and then that risk ends in disaster. So we support people going out and trying new things and taking those risks on themselves and not, you know, bringing down full, you know, other organizations or communities or neighborhoods when they are trying new technologies. So, so the ideal would be to allow all kinds of testing, all kinds of innovation in many different types of technology, including governance structures. So if you find a bad actor and you're out in a seastead that has, that is not under the jurisdiction of a specific country, it's up to whatever the, the governance structure that that seastead has set up for themselves to figure out how to handle that bad actor. And we think that providing this space for all of these different kinds of governance structures will be able to find the best ways to form communities. My boss, the president of the Seasteading Institute, Joe Quirk, he became interested in seasteading because he was a science writer and saw how evolution worked, where you saw adaptation and change and the changes that were the most beneficial to the organism are the ones that survived. So, and he saw that that could be a parallel process happening in human communities. And so that's what we see with seasteading. And so I think it expands into, you know, handling any kind of threat, whether it's an online threat or if it's a physical threat. We want to see lots of different methods being tried to handle those things and handle conflict and see what works. I've got kind of, could you just repeat the question for me really quickly? Yeah, so the question I have is, so now we have an idea of the process for how exploits and vulnerabilities are discovered and communicated up. But there's a time frame there. I'd like to hear some ideas on how to shrink that time frame or what different entities, not just the government, right, but what can other entities do to reduce that time frame? Are there problems that are unsolved? Maybe we can't, I don't know, but if you could elaborate on a little bit of that, that'd be helpful. So, time frame to disclosure. So if you send something, this is a, generally it starts a 45-day clock, is the goal, is a 45-day clock from the point you bring it in to the point that there is a CVE in patch released. Obviously we live in the real world where that is often not the case. And it's, because we're trying to do something that's a coordinated disclosure. So you have the researcher and you have the vendor and then you could have other interested parties like Coast Guard or others for maritime. And maybe it's a patch, maybe it's a vulnerability that we don't even know is a maritime vulnerability until we actually do some research into it. Maybe it's just a general PLC vulnerability and then we find out that, you know, most cranes in the United States use this PLC. That can cause a delay as well. It's so, shortening that time frame is basically something that's not really necessarily something that's policy. That's more about the coordination within both the industry, the affected vendor and the researcher. We're trying to bring, we're trying to make everybody happy. And the problem with that is that often people end up just 80% happy and 20% mad. And it's either because it takes too long or the patch, you know, if the vendor needs more time and has a legitimate reason, we'll give them that. Or as well, you know, to be blunt, we're still the government, you know, it's not like we move at lightning speeds. So I wouldn't say there's necessarily a policy in place that or a fix like that, that could change the time frame. But if you as researchers or others come in with the understanding that this takes time and you're going to work with us, and if you, if you are willing to work with the vendor, work with the vendor as well, that actually can speed the process significantly. So as he said, the biggest hurdle is we're the government, we're here to help really slowly. So I think that the best way that I've come up with that I've ever seen to overcome that kind of time gap is because it is then formal processes. So what Andrew was speaking to was the formal process of getting that disclosing that vulnerability and getting it to the CVE. That doesn't mean that that vulnerability isn't, it's out in the wild during that time period. So the solution there is work with the relationships you have. That's why organizations like ISOS and ISOX are phenomenal because it's, you're sharing with each other, you're talking to each other, it's building that trust and it's using those trusted relationships to reach out. If you know that that's an issue, you reach out and say, hey, by the way, we know this is out there, something's coming, but just be aware this is, this is out there. So I think the solution to kind of fix that is that are those informal formal processes figuring out how to create that community while skipping all the bureaucratic requirements that we have to go through on the government side? Great, thanks. So at this point, we're going to open it up to questions and you can make a line right here. I'm just kidding. But if, does anybody have any questions for our panel? Come on, let me, let me see if I can drag this over to you. Since it's based on maritime, where does Navy inside DOD play in? So the Navy fits basically, it's a DOD entity and they work, I believe, with SISO very well. We work with the Navy a lot from the Coast Guard perspective. When it comes to sharing vulnerabilities, that's not necessarily their job, their responsibility. So it's more of a communication and collaboration with those who are responsible for it like SISO would be. So they're there as a supporting collaborative entity. Does that make sense? Does that answer your question? I guess the way, another way to put it is that if you're, what, 12 nautical miles in from the United States, it's Coast Guard and it's DHS. Navy does not operate, you know, inside that area in terms, you know, legal boundaries, popsicumetatus, all those other parts. If Navy, if theoretically Navy found a vulnerability, they forwarded on to us. And that's how that process would go. Or yeah, and then we would work with a vendor, however. But other than that, Navy doesn't have a specific role because maritime cybersecurity inside the United States is primarily a DHS function and primarily Coast Guard, but other DHS as well. And they're involved because they have knowledge and expertise and we try and utilize all the knowledge and expertise available to us. But in terms of an actual legally defined role, that's not really their area of concern. Okay. One more question. I think we got enough time. Hey there. I'm curious what the various organizations up on the panel are doing regarding the IMO 2021 mandate. So from the Coast Guard perspective, they're currently working on putting out a NAVIC, which is basically just kind of guidelines that lay out with the Coast Guard's roles going to be in that and identifying that the primary focus right now from the Coast Guard perspective is how we train our own people to respond and assist with that requirement. So it's great that those things come out and then all of a sudden people who were doing inspections from the get go are all of a sudden supposed to know exactly what that means. So what we're working on is drafting something from the internal perspective that, hey, this is what we need to do internally to be prepared to assist when that kicks on in January 2021. And then as well, the secondary goal there is to inform the community within the U.S. This is what we're going to be looking for. This is how we interpret that and then provide a path to ask questions if they don't know. And I can add a little bit to that. So the IMO guideline was to incorporate cybersecurity in your safety management system on board by January of 2021. The Boy Scout in me says, why didn't they do December 31st of 2020? But 2021 is the day. And I think if they go back to a few of the Navix that the Coast Guard's published in the past, even using the draft, using the guidance in change five of 0303, some of those things are really useful in coming up with what a safety management system should look like. And quite frankly, there's a lot of overlap between physical security and cyber. So I think that's where we're going to end up. I think we have time for one more question. Read out? You got one? Okay. Well, I don't want to jump in here because I came in a little late, so I don't know what I was asked. Well, I mean, I think that Andrew already kind of somewhat addressed that maybe a little bit right about the process that's on the websites isn't always the quickest turnaround or response. Sometimes it's like going in a closet and yelling. I've had successfully CBEs get handled though by ICSRT. But unfortunately, it was because I had worked at the NKIC and had people hand carrying kind of my stuff through the process and shepherding stuff through the process. One thing I might throw out there is maybe if there's been thought given. Well, yeah, I mean, I don't know what the fix is for that though. I think it's kind of, yeah, I think it's maybe like what Andrew was saying about working, maybe, you know, industry at some point has to step up, right? So the, yeah. Here we go. What I will just add, and I probably didn't make this clear first, is that our first preference is that you work with the vendor and with private industry first if you have a vulnerability. It doesn't have to go through us first. And the part of the reason is because, you know, we are very limited in our manpower and our capabilities. It's not a perfect system and we always are also looking for feedback. So if something does go wrong, keep emailing the hell out of us until you get an answer. And then we find out. We do want to get feedback. You know, our goal here is to be open and transparent. You know, we aren't hiding anything. We aren't trying to, you know, withhold anything. Anything that comes into us is going to go back out. We don't, you know, nothing gets held back as a secret or anything. And so we know that the system isn't perfect, but we're always trying to do better. We really are. And it, you know, it's still DHS. But, yeah, I hope that helps a little bit. So that's all that I've had a second to think about what I was actually going to ask. Yeah, so I think the better follow-up I think is, and I don't know if you address this, but if you can address talking about maybe a better supply chain transparency. So yesterday we had some members of Congress, their staffers come through and they were kind of asking myself, and we had a few other people from my in the cavalry, you know, kind of like what can we do from the legislative perspective? And we were telling like one of the things I told them was the vulnerabilities that I worked on last year, they were, it was a Norwegian company that was totally unresponsive, was unresponsive to their own Ministry of Defense who I reported things to because it was their national cert. ICS cert was responsive, but was just getting like dead silence on their end, right? So there's nothing really ICS cert can do. But this was a vulnerability that was up chain in the supply chain from all the major US diesel engine manufacturers from Cummins, Caterpillar, these other organizations. And to date I'm still not really sure that they're fully like aware of and responsive to the fact that they've been slapping a label with their brand name on it, and then selling these Norwegian vulnerable controllers, which have still not been patched. So these are like zero days that we're now like almost two years out from when I first contacted them, and they haven't patched. Some of them were like in ships, like the US government operates, right? Like NOAA survey vessels and things like that. So I think something on the lines of, so I know that's more of a legislative problem, but I think certainly if like DHS, you know, whatever DHS could do, I'm not really sure what maybe what could role DHS could play in helping with like the supply chain transparency. And I think, but the main reason I threw out there was to speak to the Coast Guard, like I've seen the draft guidance from 2017. And the question I have is how can I help fix that? Because it was like it read like stuff that was good information to tell people 10 years ago. And some of the information in there about like, well, make sure that your networks are segmented or whatever else. It's not untrue, but it's stuff that's so inadequate. But the folks reading that information, who are starting from a knowledge base of zero, take away from that, oh, we're good. And I had this, I had the conversation with the the head of security for NOAA about these vulnerabilities. And you know, his IT guy told him, oh, you know, my IT guy said we're air gapped. And I said, well, what does that mean to you? And because that doesn't you know, I'm wondering if that's really true. And of course, it wasn't. And he said, well, he told me that nobody can reach our net or the IP addresses on our network from the internet. So what he really had been told was that RFC 1918 addresses were being used internally and added, which is not the same thing, obviously, right is being air gapped. So anything we can do, you know, if there was and I know, like there's not this is not going to be a turn a quick turn around thing, but having worked with the CISCP program at us or help actual actually helping stand that up. You know, if there was like those types of opportunities for technical exchanges between Coast Guard and the private Infosack sector to help provide the inputs, right, and help talk about like, what is the right information? Like, I have no idea what those draft guidance is that have been put out. How do I even respond and not just yell into the void to actually help you guys take a better stab at that, right? Did I go first? Okay, so just just a little bit from a commercial perspective, most of our clients read, they read the Navix and they treat them as regulation, even though we know they're not. And what I've found is, is it's a, you got to, you got to boil the frogs by turning the heat up slowly and especially in maritime and by that, I mean, yes you do, because they all jump out of the bucket. So what I'm saying here is that change is really hard in the maritime industry. And what you describe with the Navix, I think they did, I think they did a great job of setting up kind of the new world order, right? There's this thing called cyber, you got to start thinking about it. And so awareness of cyber stuff, at least in our client base is now there. I mean, they all know something about it, whereas maybe two, three years ago, they didn't know anything about it. In fact, it was just something that added to their workload. So I see, I see the Navix and, and disseminating information in that way is kind of the slow cook, as opposed to the, the broil. So I really wanted to stay from the, stay away from the draft in 2017, because it's taken three years and it's still sitting on a desk somewhere. But to address the how can you help kind of thing. So that gets kind of back to the whole, there was this new thing and all of a sudden we expected everyone to know within the Coast Guard. So the problem with that initially was that when that was drafted, it's as Chris was saying, this was kind of like a collateral duty for someone who was on the side. So it was someone drafting it who may not have had the most thorough knowledge of what it really was was saying, right? The way you help. So we will, and we'll be doing this. So we're working with a, we're working on using the NIST framework to create specific frameworks to help specific industries within the maritime. So I think the next one is supposed to be navigation systems, I think. Don't quote me on that. But what we do when we do that is we reach out to private industry and we hold workshops to sit there for two, three days and just have those conversations. What's important to you? What are we missing? Educate us because we're too stupid to do it ourselves. So we, if you're interested in being a part of something like that, by all means let me know next time we do one because we will have one coming up that's going to focus more on risk assessments more than anything else, but it'll be a risk assessment framework kind of thing based off NIST. So we'll be having those workshops to sit in a room and get those ideas that we're going to miss if we don't talk to private industry. I'm a big fan of engaging private industry. I think that that's the best way to go because that's who we're supposed to be helping, right? So any chance I get that I try to make sure those engagements are as often as possible? Yeah, that's mine. I guess I will acknowledge that one area we've definitely lacked in is bringing researchers into the fold. There's been a lot of talk about private sector engagement and usually that means the shipping companies who have their own preferences and usually want to, you know, sometimes they are extremely helpful, sometimes they're not as helpful. And so I think moving forward definitely one of those goals is going to be and one of the things we're trying to clarify in the national cyber strategy is roles and responsibilities. And part of that role is how do we, you know, talk with the outside world, including researchers because it is one of those where, you know, if you want to report it to us, but it's got to go to Coast Guard and they're the ones that are real contacts and they, you know, where, you know, how does the ice south fit in and, you know, can they help us both bring things in and take things out as well? On the other hand, I will note and also say in defense of the navoc, if you go to most places, we, when we think of ships, we tend to think of the big shipping companies, your mares, your msc's in the US, maybe your crawly, most of the actual businesses and operations are very small mom and pop or a little bit bigger than mom and pop, but you get the idea they're very small. The IT department is a one person shop who is, you know, who's the CISO and everything else related to computers. And maybe they took a one hour cybersecurity seminar at some point and that's what they know. And so they say, oh, well, I have McAfee and then we're good to go. And for a lot of it, we're also not just talking about ships, you know, the real choke points often are the land side facilities, your terminals, you know, where you load and unload bulk or containers or others. Because if those goes down, then the ships just stand there and there's really no movement tugboats and bunker refueling and all those others. So and a lot of them just have no awareness and very few connections. And so even getting out to them is a struggle on its own. And I'll give an example of that. We released a joint seal infographic earlier this year, which by the way, joint seal huge victory getting two agencies to agree on anything. And basically it just said, these are the NIST cybersecurity principles. That's that's and here's how you report something. And that alone in itself was, you know, that kind of baby step is really critical and started building this up for the larger sector. And you're absolutely right that it needs to be built upon and there needs to be a lot more done. But for a lot of these people, just, you know, even saying cybersecurity is a almost a win in itself. First, I want to pat Andrew on the back for that joint seal, because that was all his work. And that that was awesome. Anyway, so getting to the point of, you know, as Andrew was saying, it's meant for kind of it has to be able to speak to everyone from the one person shops all the way up to a fully manned sock, right? And as slow as it takes to get those kind of things to go through and get out, it's hard to get the specific languages to change in there when someone has a good point needs to point something out, right? So not only so typically when an average released, if the organization within the Coast Guard that releases it, the office will send out a company guidance kind of with it, like add something else, because that's something that if like in this case, it took three, it's taking three years to get it as far as it is. It's a little bit dated. So when it's released, they can they can send messaging with it. And that's the some that's the that's the information you can change on the spot before as as it's going through the releasing process. So I think that that's where that that would come in. But I think it's a very good point that it needs to be it needs to be identified that this is not the answer to everything. This is the beginning, not the end state. So I don't mean to sound disrespectful, but I am representing the private sector. And I can tell you that the popular belief is that reporting to DHS is like reporting to a black hole. There nothing comes back. There's no like when we report, we've reported besides yours, we've reported two vulnerabilities this year that were discovered by one of our pork customers. And I mean, it's not like there's an incident response number that's generated, it just goes in and there's nothing that comes back out. So I think that you know, one thing that can definitely help is for there to be some kind of accountability, right? These things, maybe they're being tracked and maybe they're being worked inside the government once we report something from the private sector, but we have no visibility to that at all. So I think I, you know, maybe it's not a black hole, but the perception from the private sector is that it is because there's no, like I said, there's no incident response number. There's nothing that comes back where we can query it and say, Hey, what's going on with this? You know, have you talked to the vendor? We try to talk to the vendor, you know, what's going on? It's just just quick thing. I guess, you know, one ouch, but no, I'm just kidding. It's, it's just one of those. You have to remember when we're talking the number of vulnerabilities per year that try, we try and process into CDEs. It's not hundreds. It's not thousands. We're talking tens of thousands of a year. So, and we're talking offices in CISA and that's it in the specific cybersecurity division. We're talking maybe a dozen people, maybe a couple dozen that do this type of work. So a lot of times, no, you're not going to get a response. And that's something what we'd like to improve upon. And if there's something where, you know, you don't get a response, feel free to reach out specifically to me or if you have an issue, I'll be back over in the hack the C area after this. Feel free to reach out to me or to others in government and generally we'll try and get a follow up then. But yeah, we still, we do still have our issues. It's still CISA as an agency. We celebrated our one year anniversary, if you will, or birthday, like last week with cake and everything. So it's still really new for us. And it's still, you know, especially in maritime, something that's still very much in the early, early phases of maturity. So if you have issues, yeah. So I agree that maritime is in the very early stages of maturity. But somehow we have to find a force multiplier, because it is critical infrastructure. So somehow we have to close the gap from where we are to where we should be in fast order. And I think it's going to take all of us working together to figure out how to do that. All of us working together. So that's not the first time I've heard that being a black hole. I've a lot of the engagements I've done with the different ports. I've heard that exact wording. Are you writing their speeches to me? So part of the reason I was brought in for the position I'm in is because I have experience in the background of coordinating from the government side and reaching out to private industry. Coast guards recognize that that's an issue within the maritime world. It's a huge issue. And the other side of it too isn't just the reaching out and giving something back. It's the silos. So for example, ports and facilities may have a great conversation with ports and facilities, but vessels never hear about it because no one's talking to them. So we're working on that. My thing right now within the Coast Guard is focusing on making sure that whatever route we go to do that, it's documented and that it's repeatable. So that if I decide to go on two, three years down the line, it still happens two or three years without me. But yes, I 100% agree. I believe that if, especially if you want to get something from private industry, you have to give. And from a government perspective, I think whatever you give has to be two times better than what they're giving you. I've never actually seen that successfully happen, but we try. All right. Well, thank you. Thank you all. Carly, do you have any ideas now for a new innovation structure for maybe solving this problem, one of the CSTEDs? Well, so based off comments from the other panelists, no, I don't have a solution. And that's the good thing about CSTEDing is that I don't have to have the solution. We want to support many different people coming up with their own solutions. And that does mean that they're taking on the risks as well, that if you're developing a new technology, it's on you to make sure that it's secure and works properly. So I keep thinking the term spontaneous order, lots of individuals making decisions and taking action and aggregate, you come up with good solutions that then other people can adopt and can be adopted by the broader community. So I hope that CSTEDing can help provide some solutions, but it's not coming from me personally. All right. So we're over time. Thank you everybody for coming. Please thank our panel. I'm not sure who's up next, but thanks for coming.