Testing one, two, there we go. OK. Well, welcome back, everybody. Hopefully, you all are refreshed and snacked and ready for the final push. I'm Brian Behlendorf. I'll be your emcee for this kind of closing session. We'll have some closing comments from Crowb later. We're going to do this in two parts. The first is I'm going to have a fireside chat with Jamie Thomas here from IBM. And then after that, we'll have a panel with a set of really great guests. But I certainly encourage all of you who are sitting out in the bleachers and the far-off kind of corners: feel free to come in closer. We don't bite. And being closer in, we don't have stuff to present or anything like that. Feel free to come in and make it feel like we're talking to a nice full room. Thank you all for sticking it out.

So it is my pleasure to introduce to you Jamie Thomas. Jamie is the chair of the OpenSSF Governing Board. She also oversees all of enterprise security for IBM. And she has been a part of this project since we pressed the reboot button in September, sorry, and got things underway. And I thought it'd be really fun to help the audience get to know more both about you and your work at IBM and kind of the interests that led you to this point. And frankly, how the corporate world, so to speak, thinks about what we're doing and what we should be doing as we go through this. So thank you for being here.

I'm glad to be here.

Great. So let's start by getting to know you better. Could you share more about kind of your journey inside IBM to the role that you have, or tell us more about the role and kind of what led you to this moment in time?

Yeah, sure. And one of my favorite topics, of course, is women in STEM, which we all know there's not enough of. So thanks to all of you that are here. But I try to encourage ladies that there's a lot of opportunity in this field, and it's really fascinating.
But I joined as a computer science programmer in IBM before we had really... we were just starting our software business, and it ended up being a $20 billion business in the end. You know, it grew a little bit. And along the way, I worked on application development projects, was part of the Eclipse decision to donate the original software to the Eclipse Foundation and start the Eclipse Foundation. I did a lot of work with our support of Linux in the early days when we decided fundamentally that we would embrace Linux, that we would support Linux as a key operating system. And obviously, those were the days where we were also embracing Java quite a bit. So Java is a key middleware component, if you will, for our middleware business. And I spent most of my career in software. Then somehow I got asked by our current CEO now, he's the CEO of IBM, to go to the hardware division and stimulate software in hardware. Of course, hardware does not run without software, last time we checked. And we were working on OpenStack technologies, Linux, again, a lot of the software-defined technologies. And through that path, I ended up owning what I own today. And in addition to enterprise security, all of the IBM processor development and the systems development that support our high-end systems, Z, Power and quantum computing systems, in addition to my night job as enterprise security, if things were not exciting enough. But those topics all kind of fit together if you think about it.

Yeah, I mean, certainly quantum and AI and even processors, there are security ramifications throughout all of that. What would you say, though, is kind of different about cybersecurity in 2022, compared to five years ago, 10 years ago, and especially kind of in the domain that we're focused on?

Well, I would say, first of all, my journey to get into enterprise security was really through the lens of product security.
Whether that was software product security or hardware product security, if any of you are here from a hardware background, Spectre/Meltdown was pretty exciting. And that was also the precursor to, you know, the software supply chain attacks, like SolarWinds and things like that. And I think what's different now is that you do have to have, for an enterprise like IBM, you do have to have an effective melding of cyber operations with product security. I mean, they go hand in hand given the role that we play. They're both very important. And the level of sophistication of these software supply chain attacks, I think, was eye-opening. I'm sure that many of you all here, and first of all, thanks for being here and devoting yourselves to software security, because without you we're not gonna make a difference. But SolarWinds was fairly interesting from a number of dimensions, right? We've studied it, you know, we took it apart. We've got a PhD in SolarWinds. And I would say that we took away a lot of learnings from that that we started to implement even before Log4j hit. And Log4j was just more prevalent, right? Because it was a very prevalently used component. And therefore it affected, not only was it a cyber attack, right? Because for any of those of you that do cyber operations, you can see, at some point early on, we had instrumented, like day one, our tools to detect Log4j attacks. And we could see exactly how many we were getting every day and from where they were coming, literally. You know, which country of origin, that kind of thing. But these were very different attacks. And of course, Log4j was very prevalent in the software stack. And so patching that much software in a reasonable amount of time and meeting the expectations of all the customers was fairly challenging. So I think that then became a catalyst for all of us, though, in the industry to say, how do we be more proactive about this?
How do we help open source prevent these kind of things in the future? But more importantly, be prepared should they happen again in the future, right? Because Log4j, I don't know about you all, but it took up a little bit of our holiday season, as did SolarWinds the previous year. So, yeah.

And what about the degree of interest that we're seeing from government in cybersecurity topics these days and open source cybersecurity? Is this new and different? Or have they kind of always been paying attention?

Thanks for bringing that up. Of course, it is new. I mean, the government's always been interested, but I would say the level of interest, of course, was heightened. Because I think it really started to heighten with SolarWinds, and then Log4j was like the icing on the cake, right? And what it said is that we as an industry need to cooperate more fully to conquer this challenge. Without that cross-industry collaboration, we weren't going to make as much progress, and that included cooperation with the government as well. And so I think that's been the beauty of OpenSSF: we now have this industry collaborative for technology organizations as well as commercial organizations. We have a lot of financial firms that are also involved in the community. And I think that's gonna allow us to work with the government. And, of course, we had the two meetings that you highlighted earlier in the presentation. We've come out of those meetings, I think, with some very concrete actions that we can take. We also can see that other countries around the world will also want to do similar things. And we in IBM are being asked to participate on other government boards of a similar nature in other countries.

Yeah, no, I mean, so in 2009, when I worked at the White House in the Office of Science and Tech Policy, I don't think there was anybody else in the executive branch, either an appointee or a career person, who had been a developer or who had engaged with the open source community previously.
And to them, software was like something other people did, right? Something that the private sector did. You write an RFP and then you get responses. And there was kind of an arm's-length, kind of almost willful ignorance about software in general, but open source in particular. Now, in 2022, that seems very different. I mean, we have people like Alan, who's... Alan, too. Is one of many people that I've met in the last year who kind of demonstrate the difference in this. Just before our meeting as well, on the 12th, on the 11th, I testified to this House panel, the House Committee on Science and Technology, who are also looking into this. It's not just the White House and executive branch. And to find that there were Congresspeople who were themselves programmers or who knew, had like operational experience with AI programming and the like, was pretty refreshing. And you could tell because their follow-up questions were knowledgeable. It wasn't just that they were well prepped by their staff. Although one was still surprised when I mentioned I'd rather use open source code that had had bugs discovered in it. And fixed, of course, right? Because it was, I think it was Congressman Perlmutter who said, you'd rather use software that had bugs in it. And I was like, bugs that had been found and fixed, that means people cared about it, right? That means there's contributors. There's contributors, but there's also people scrutinizing it. So...

I think it's great that there's been this dialogue, right? And understanding and a lot of really solid collaboration from the National Security Council, CISA, the NIST folks that have been in the meetings. I think that as a community, we all have our different points of view. IBM's a little bit unique in that we have lived for 111 years in the technology industry, which is hard to do. And so we have a lot of legacy out there, which others may not have, that gives us a different point of view from that aspect.
But there's a number of technology companies and they bring their strengths, their skills, their point of view to the table, likewise the commercial clients. And I think that's what makes it unique. It's been a unique dialogue.

Yeah. Well, I think also we've progressed from open source being seen as like the thing to build websites with and do this kind of almost, I don't wanna say frivolous, but something that was optional, perhaps until recently, right? And now it's really about critical infrastructure, if it's about the software running in grids and power stations and the like.

Absolutely, open source is more than critical. I think we've all taken, we've all made it critical. And the folks in this room have made it successful, made it critical, and we're all dependent on it.

So given how critical it is now, and given David's presentation on cybersecurity education, I mean, this is something that you see as a very, very serious thing worthy of investment. Do you mind talking some more about that?

Well, absolutely. So we believe, and just this morning I got a report. Every day I get a multi-page cybersecurity report in terms of just what happened in the last week. And that's along with regular cyber reports of the day. And of course, sadly, the Russia report that I get. But 750,000 open cyber jobs in the United States, cybersecurity jobs. So how are we ever going to start to meet the need of that if we don't really expand the aperture of education? So IBM has done a number of things to reach out to different communities, right? That includes the historically black colleges and universities. We've selected 20 and we've announced six so far that we're creating specialized portals for cyber education. And we'd really like to partner with the Linux Foundation for some of the education that David spoke about, right? It's really exciting. How do we get that into that community, into that university and college sector?
So the one that I like the most, of course, because I'm from North Carolina, is North Carolina A&T. But there's Southern University, Xavier out of Louisiana, Morgan State, Clark Atlanta University, a number of others that are participating. And I think this is important. We also have a program to reach veterans. There's 250,000 individuals that come out of the armed forces. So how do we work with Veterans Affairs to reach that community? And then how do we reach those with neurodiversity? All of us have relatives or friends that have neurodiversity challenges, dyslexia, or perhaps autism and other things. Very important to expand. And I've got members on my team that are neurodiversity folks that are executives and have done amazing things. So I really feel excited about that. And so I think we have to expand the reach. I have so many organizations that come to IBM and they say we can't hire a single person. We cannot afford to hire anyone with security skills. So we don't even know where to go. We don't even know where to start. There's an opportunity for all of us to create those skills and to leverage the education you all are doing. In fact, we saw your announcement already today. We wanna leverage that education for IBM internal to complement our cyber training. So we track cyber training to the death. We are trying to make sure that people don't do those silly things that David talked about. That's why you have automated tools, cyber tools that detect the crazy behavior that does happen every day. Because you can't train everybody, but you try to, right? But along with that, this developer training, I think, is gonna be really important for going forward. The other thing we really feel is that contribution to open source is something we have to do. We have over 5,000 contributors between what IBM has and what Red Hat has, because Red Hat is an IBM company, albeit they're separate.
And we also, after Log4j, went back and we looked at our most utilized open source projects. And we did an assessment of contributors on those projects. And we realized we had to contribute to the most utilized projects, as well as to the cool projects, the new projects that everybody flocks to, right? And so we are balancing our contribution and we're rewarding people who go and contribute to those projects with monetary recognition.

That's great, that's great. So you're chair of the OpenSSF Governing Board. And for those of you who don't know how the typical Linux Foundation governance model works, obviously all the actual substance of what we do is built in the public, built voluntarily; sometimes we're able to provide some seed funding for things here to help get them started. But really we want the application of things happening publicly and being driven bottom-up, organically. The phrase from the West Wing television show, "history is made by those who show up," has always been one of my guiding lights. But what the Governing Board does is oversee a budget, right? We're able to raise some funds, we're now at enough membership to be able to afford some staff, be able to make some investments and things. And it's through that kind of oversight on the budget and us as staff, you could tell us we're not doing a good job and swap us out, that you have some influence over the strategy and direction for the overall community. But it's really to help support the community. And we have on our Governing Board, I don't want to say it's every large company, but it's a lot of the large companies that matter in the software, the developer tools space, increasingly financial services firms and the like. As your servant, I work for you, right? I have opinions that I might hold to myself, but it sometimes feels like helping that group come to an agreement can be a challenge, right? Or look at kind of common direction.
So as chair, what are some thoughts that you have on bringing that community around a common vision and working together towards supporting the community?

Well, I think whenever you have a group of stakeholders like that, it will be impossible to agree on everything, right? But what I have seen is relative agreement on these top priority items. I thought the meeting that we had in DC helped me understand why some of them were more important to others than they were to me. So I took away that level of understanding. Well, I might not care about this, but others in the room did, right? And I think what we're doing is participating in those that we think we can have the most impact on. And frankly, it's like every other large firm, there's a lot of things that are pulling on people's time. So Jeff Borek, who's here from my team, I actually meet with the team since SolarWinds, I meet every week with the team on software supply chain actions. Because for a company as large as we are, there's something to talk about every week. And the importance to us is making sure we've got participation in these work groups and we're really at the table, that we're gonna help the work group and we're gonna help ourselves, right? Because that's how we get the execution done. And I would say before this new governing body, we probably weren't, you know, we were perhaps not at the table as much as we needed to be. We also, of course, collaborate with Red Hat, who are very involved in Sigstore and things like that, to make sure we're dividing and conquering as appropriate, right? Makes sense. But I think that that's the value that we can get together as this community. You've talked in this meeting about a lot of the important actions, right? Which is the automation of best practices for the open source projects to make sure the developers can take advantage and be responsible for security, but also have productivity.
Because we keenly recognize the productivity that open source has brought to the world. But how do we do that and still have security? The only good thing that came out of Log4j is an enormous amount of awareness of how important security is to everybody. My team that does cybersecurity, they believe that fundamentally until there's a big incident, you just don't get enough attention. So they believe that Log4j was the calling card, right? That said, we have to do something dramatically different as a community. And I think it's been a catalyst, perhaps an unfortunate catalyst, but a catalyst. And I think we can go from there and take advantage of the situation and improve things going forward. It's gonna be so important to us because the world runs on software. It's sometimes obscure what software you're running underneath the hood. I agree that the end client should not have to worry about that. Those of us that provide the software to them and support it, it's our obligation to take the burden of security and make sure that the software is designed with security in mind. And you can do different things: you can implement the things we've talked about, you can consume open source that you know has been managed well and curated. And obviously you can implement things in your product lines that support security.

Well, one thing that's been really heartening for me to see has been the participation from the financial services industry in OpenSSF, not just showing up and joining as a member, but also making code contributions and participating strategically. We'll talk a little bit about this on the next panel. But what are some other industries? This is kind of a wild card, sorry, I didn't like prep you on this. What are some other industries?
And I'll give you the two in my mind after I hear yours, but are there other industries that you think might be next in line as kind of end user industries, as folks who should be paying attention to these issues, potentially having their staffs get involved and following what we're doing and perhaps even contributing?

Well, clearly I'm really glad that the financial services teams are engaged, because during Log4j, I think I spent five hours a day talking with financial services organizations. Right. Literally, it was because regulated industries are typically the most concerned about these things. But that's a statement in and of itself. Why do you have to be regulated to necessarily be worried about this? But next I would say on the list was healthcare. So healthcare organizations, through my lens, the most affected organizations around the world typically are hospitals, for ransomware. And you saw this a lot during COVID-19, where a lot of healthcare organizations were being attacked, right? So healthcare, insurers of healthcare, another big important area for us. And then the area that is most of a target, that needs to step up to the plate probably more fully, are those that are running embedded systems, whether those are in manufacturing or critical infrastructure like our grids and things like that. And that's where you have to take extra precautions, because I own manufacturing because I own hardware. And so what you find in manufacturing environments are these hardened devices that have very old software in them. And when you have a case like that, when it's inside this $200,000, whatever it is, right? You have to take different steps and protocols to make sure you protect yourself until that is upgraded, right? You're not gonna just throw out equipment of that value tomorrow, but it is really critical, I think, that those organizations step up to the plate, right?

Yeah, consumer electronics, embedded industrial, all those make a ton of sense.
The only other industry in my mind was the insurance industry, because all those companies that write cybersecurity breach insurance policies, getting them to nudge their clients to use more secure alternatives and the like could be a way to help encourage investment in the right kind of thing.

Well, certainly they started to increase the premiums, right? Because I think it was the pipeline, with the Colonial Pipeline situation. And I'm in North Carolina, and all I can say is my cyber team sent me a note that day, pipelines have been attacked, we all went out and got gasoline. Now, people said, well, you're part of the problem. You went and got gas when you didn't need it. I said, well, I was here for the last hurricane that shut down that pipeline and I sat in line for seven hours. I don't have the time to do that right now. So this pipeline is gonna be down for seven days and I've got my gas and I made my choice, but that's how long it was down, right? Because that's the average length of time that those typically take. That's an example of one of those situations, right? That was very critical.

My last question will be, what do you think is the most important thing for us as a community to figure out how to do by the end of this year, to get accomplished, even if it's something we haven't yet talked about, even if it's kind of a wild card, just like one important thing for us to get out there and succeed at doing.

Well, I don't know if it's gonna, I don't know if we could say that one thing is going to make or break the year, but certainly making a lot of headway in the education aspect, because we're not gonna do this without thousands of developers who feel that they're being recognized and that security is important and that it's fun to be a part of security, right? I actually, in a strange way, have a lot of fun with cyber attacks. I mean, that probably is something odd, but you learn a lot from these things, right?
And I think that's really imperative, that we marshal the army of thousands of contributors that can make a difference, and then that army will help us do many of the other things that we've been speaking about today.

Well, my dad was a COBOL programmer at IBM when I was growing up, and he would take me into the computer lab in the basement at the Glendale office and he would give me a green screen, a terminal to it. I don't know what he was thinking, because I knew how to write BASIC, and there was this one address I could poke and cause him to have to come out of his office and press reboot buttons on the mainframe. So I understand that...

Reboots aren't good on the mainframe. That's not a good thing.

No, no they're not. So I understand why this kind of vulnerability thing and cyber texting could be a little bit interesting. It certainly was to eight-year-old me. So thank you very much, Jamie. This was a really enlightening talk.

Thank you, and thanks again to all of you that are here and taking your time for this important topic. Thanks, and thanks Brian for everything you're doing.

Great, thank you. Thank you. Thank you. I can never tell if he was doing this or this.