 It is Cybersecurity Awareness Month and it's what we all know is that it's just a couple of weeks after a major outing outage at Facebook and all of its apps which stopped business in some parts of the world. So I really can't imagine a better time to have a conversation with our guests, Siobhan Gorman and Mike Rogers, Admiral Mike Rogers, both of whom are with the Brunswick group. I'm going to ask them to introduce themselves and then we will engage in conversation and then we'll be sure to give you some time to ask your own questions. So Siobhan, I'm going to start with you. Great. Well, thanks so much, Emery, and thank you everyone for joining us. We're really looking forward to this conversation. I'm Siobhan Gorman. I'm a partner with the Brunswick group, which is a strategic communications and advisory firm. I happen to be based in DC where I co-lead our cybersecurity data and privacy practice. We work with companies across a range of industries to prepare for and unfortunately I'll too often respond to cyber incidents from kind of a crisis management and communications perspective. My background is as a reporter, I was a reporter for 17 years at a variety of publications so I tend to bring that skeptical perspective to these conversations. Over to you, Mike. I likewise echo Emery. Thank you very much for the opportunity for the audience. Hey, thank you for spending some time with us today. My name is Mike Rogers. I'm a retired four-star admiral and 37 years in the United States Navy. So worked for you to taxpayer for a long time and for that I'm very grateful. My duties when I was in uniform largely centered around cyber and intelligence. I ultimately retired as a four-star as a commander of United States cyber command and the director of the national security agency. So I work cyber from both an operational offense and defensive standpoint. I also work cyber from a very technical standpoint as well as how do you use it as a tool with spying and espionage, for example. I am now as a retired individual. I have joined the Brunswick group. I have the honor of working with Siobhan every day and part of the team cyber. My focus at Brunswick, which is a global advisory and communications firm, which I like the fact 24 office just spread around the world. So I get to work around the world, which I really enjoy. My focus tends to be cybersecurity as well as geopolitics, leadership, and kind of crisis response. So look forward to our discussion today. Great. So I want to start by just getting the lay of the land. One of the things that I find most interesting in somebody who focuses on national security generally is the expansion of both the category of cybersecurity and the understanding of that category. I think even five years ago, if you talked about cybersecurity, people would have, they would have said, yeah, hacking, right? Certainly hacking into North Korea, hacking into Sony. That got people's attention, I think. And they would have understood probably in 2016 on they might have understood the sort of broader dangers in the information space. But I mean, Mike, the cyber command was a whole new idea that cybersecurity is not just for companies. It's not just for good hygiene on your your own computer. This is a new part of conflict and you actually have a command just like you have commands for other terrains. So I want to start and Siobhan, I'll start with you. I'd love for you to just kind of describe the the landscape of cybersecurity, who are the major actors and that both really, you know, policy people like those of us in Washington, but also those folks who we might call digital citizens have to be aware of. I'll start with you and then I'll turn it over to Mike. Sure. And when you're when you're saying the actors, you mean threat actors, right? Yes, yes. So I'll start, but Mike, please jump in. You know, it's it's it's obviously a range of characters, right? It's every nation state that tends to be active in this space. So of course, that's Russia, China, Iran, North Korea and so on. But increasingly, you're seeing, you know, criminal groups adopt the kind of techniques and behaviors of nation states, which is what gets kind of alarming because criminal groups with the capability of nation states, but the intent of criminality can do in some ways a lot more damage, at least a lot more immediate damage to companies, which is why in part you've seen sort of this rise in ransomware attacks. And I mean, I won't even go through all the different means of groups because you have different permutations over time. But the interesting thing is that, you know, they're they're they're using a combination of the types of tactics that and techniques that nation states use, but they also can outsource it. They almost provide like consulting and outsource services so anyone can buy their services and and they can, you know, they have help desks to help companies pay ransom and things like that. So nation states, criminal groups, you still have some of these political sort of activist kind of groups as well. And, you know, they're capable of also purchasing the services of these criminal groups. And so one of the the main things I think we've seen in the last few years is almost the democratization of cyber attack capabilities. And I think that is really challenging for companies, for governments and certainly for individuals to try to defend against, because, you know, anyone with not even that much money can kind of buy their own cyber attack capability, which means that you're going to start seeing, you know, new actors on the stage, probably, you know, for for quite some time. And, you know, it's not clear necessarily where the next threat is right now. It's still very much ransomware. I can say that from the very kind of unfortunate set of clients that I'm working with are all dealing with these types of attacks. But, you know, as we pull out of Afghanistan, what's what's what's going to happen there in terms of things moving on to the cyber stage? You know, what were the other kind of hot spots in the world where a cyber capability is going to become a big deal? So with that, I'll pass it to Mike to add. Here, so let me let me let me I want you to jump in. But I want to ask a specific question just building on what Siobhan said, where when she started listening state actors, she listed a lot of states that some of whom used to be called rogue states Iran, North Korea and adversary states. Would you include, you know, the Iran cyber command? Where does that mean we're also part of that landscape and other states that are defenders? Right, so there shouldn't be any doubt. Every major nation state in the world is investing in some subset of cyber activities. And cyber doesn't exist in a vacuum. My argument when I was in government always was, look, cyber is an element in a broader national strategy. So if you look at the way authoritarian states have tended to view cyber, it's an it's a traditional national security espionage tool. It's a tool designed to potentially gain military advantage in the event of a crisis or conflict. In some cases, like China, it's a tool to gain access to intellectual property that when extracted and shared with industry potentially offers China strategic advantage or able to close, if you will, capability gaps. They believe they have with others around the world. You look at the North Koreans, they tended to view it really as much more all that, but they also viewed it as, hey, this is a way for us to bypass sanctions and the fact that we're so isolated. We'll use cyber as a tool to overcome our financial restrictions. Hey, we will rob banks. We will mine Bitcoin. We will break into gambling sites. So every nation tends to view it differently. For us in the US, we generally viewed cyber as, so it has a national security traditional espionage kind of dimension just like many other states. We viewed it as, hey, we believe it has a military dimension to it and potentially in a conflict, it enables us to gain advantage or place at risk capabilities that adversaries will value and need. We also were very concerned about the defensive side of this in terms of its implications because we're such a highly hyper connected and highly automated society. Not that that's unique and I wanna argue that, but because of that, we tended to be very focused initially the cybersecurity aspects of cyber, the defensive side, the offensive side for us was a capability that developed over time. It wasn't our initial focus. It's not where we put our resources. The only thing I do wanna add to something Siobhan said, it has been an interesting journey. Cyber starts out many ways 30 years ago in the hands of individual hackers who decide that this is a venue or a vehicle. In some cases it's just, let me show the world what I can do. I'm at home, I'm sitting in my garage, I'm in the basement. Hey, I wanna take down my school's computer system. I wanna change my grades. It really started out very much individually. You then watch the nation states look at that and say, you know, there's capabilities there that might be advantageous to us from a national security perspective. And also we need to be mindful of the defensive aspects of that kind of activity. And then you've seen, I would argue in the last several years while nation state activity has continued, the greatest explosion in some ways has been in non-state actors, particularly criminal groups who believe that cyber is a vehicle to generate revenue at significant levels that justify this proliferation of groups around the world, this wide development of tools that allow you to access or place at risk data or infrastructure. The last one I would highlight that is much more in the last few years that we also need to be mindful of, cyber is being used by individuals and also nation states as a vehicle to sow disinformation as a vehicle to manipulate perceptions, viewpoints. You didn't see that five, 10 years of it very much. You sure are seeing that today. So generally I tell people of three bins you really need to focus on in terms of highest impact. Nation state activity, criminal, but don't forget the individual and the whole disinformation impact, which also has a state element to it as well. So that's really interesting. And those of you who just joined us, we are with Siobhan Gorman and Mike Rogers, Admiral Mike Rogers from the Brunswick Group. And we're having a conversation, but do store up your questions or put them in the chat. We'll capture them as they come to you and then we will be turning it over to you as well. So we've been setting the stage and I'm gonna turn to Siobhan and ask her about political responses. I do have to comment on the sort of the idea that as we move more fully into the digital world, so that for many people it just will be mixed reality. There's a kind that you can touch and then there's a kind you can't touch but you can travel in and do all sorts of other things. There are two ways in which it's like going back in history. Siobhan, when you were talking about all these kind of cyber warriors for hire, I'm thinking about the Swiss guards, the mercenaries who used to be all over Europe, and a European prince would just hire a group and go to war. So that's a kind of almost neo-medieval thing, but when you're holding up for ransom, we're back in the Wild West, it's a stagecoach where we sort of think about this very easy really, at least initially, way of committing crimes. So it's an interesting landscape with historical elements. But Siobhan, help us then understand the responses. How is Congress, let's start with our own legislature, how's Congress responding to some of this? Well, I mean, Congress as always has a challenging time getting things done. There was one bill that was passed that was gonna provide schools with more cybersecurity resources. Good thing, probably not gonna change the world, but a good thing. There are, I think more than it does in cybersecurity proposals pending right now on the Hill. They deal unsurprisingly with protecting critical infrastructure and increasing reporting. And sorry, and it's a dozen cybersecurity proposals that have emerged just since the colonial pipeline attack and so this is like proposal since May that have emerged. So I think that between the SolarWinds attack that we saw that supply chain attack sort of late last year, early this year and the colonial pipeline attack that has sort of raised awareness in a more significant way than we've seen in quite some time. That's a good thing at least in terms of awareness raising. And I think that that is probably leading to some of these proposals. So you've got critical infrastructure with reporting requirements, if you're a company that provides critical infrastructure and there are a variety of proposals, some say 24 hours to report, some say 72. The idea is you've got to be more forthcoming about that. The second category would be cybersecurity workforce development. So this is kind of a chronic problem of lack of skills in this space. And so you have proposals that will get training, training veterans up to provide cybersecurity types of skills and services and things like that and other types of proposals in that vein. The third piece is sort of cyber crime prevention and response. And this is where kind of the other cyber education programs for the public and other types of things come in as well as I think there's one bill that's asking the Department of Homeland Security's cybersecurity branch known as CISA to look at the pros and cons of allowing companies to fight back proportionately against cyber attacks. That's been a long running. I'm sure that's making Mike's neck hair stand up. That's been a long running debate in the cyber community of whether companies can hack back and things like that. Just in terms of thinking about sort of the overall probability of any of this coming into law, I think probably this group in particular is familiar with the National Defense Authorization Act often becoming a vehicle for pending national security related legislation. So I think if any of these are going to become law we'd probably see it riding in on NDAA, particularly around critical infrastructure protection. There does seem to be a fair amount of bipartisan agreement on that. The other thing maybe to keep an eye out for is obviously there is a pending infrastructure and sort of otherwise kind of social spending bill and nobody knows what those bills are really gonna hold ultimately, but you could see, I think there are some cyber provisions in there. And so they might stay in there as well kind of tied to the infrastructure piece. So that's kind of a lay of the land on the congressional side. That's interesting. I'd love to see more for cyber literacy and what New America has done work on cyber citizenship with Florida, which has cyber Florida whole, part of state government to try to basically bring its citizens into the digital age when it comes to digital literacy and knowing what is, it's just like good hygiene, but it's another step. This doesn't look right. This probably could be a deep fake, et cetera. But so Mike, yes, I'd love to hear you comment on companies taking matters into their own hands, but more broadly, you've had lots of experience sort of building resilience at the national level. What do we need to do or what would you advise organizations to do to build cyber resilience? So first in terms of entities in the private sector applying cyber as a tool to attempt to inflict pain or forestall others' ability to penetrate them, so to speak. In general, I was never a proponent of that. I can remember this discussion, boy, in the White House situation room more than once and it goes back to something, an analogy you used. At one time I got pressed by President Obama who said to me, you know, come on, Mike. And I said, sir, I already feel on some days like it's the wild, wild West and myself and my team. We're standing out on the dirt street with a gun. I said, the last thing I need is more people with more guns on the street. This really is not again is where we need to be. My other concern, I used to talk to general councils about this all the time. In the private sector, aren't you worried about the liability implications of engaging activities that may have destructive or disruptive effects on second and third parties over and above the quote, target, not just here in the US, but given the fact that cyber doesn't recognize geographic boundaries, not just here, but potentially overseas. I mean, doesn't that worry you at all? So there's a reason why most companies today have said, look, well, intellectually they understand, not so keen to do it. I am a proponent of this idea that the application of force should really be held to the nation state. This is not something individuals and groups, although there have been plenty of times that you have indicated historically when nation states lack capacity, they often turn to the private sector, as a naval officer, we didn't have a Navy when the revolutionary war started. So we issued letters of mark to merchant men and said, we will let you attack British ships. We will let you confiscate their cargoes. We'll let you bring those cargoes and those ships into US ports. We'll let you sell both the ship and the cargo. We won't penalize you. We won't hold you legally liable. We'll let you keep the money as a way to gain more capacity because we didn't have a Navy. So there's certainly a historic precedence. I don't think it's the best precedence in this particular case, but it does highlight to me increasingly resilience is the smartest focus and investment for organizations. When we started this journey, we tended to think of cybersecurity in terms of cyber defense. Hey, I should make the moat wider. I should make the moat deeper. The walls higher, the walls thicker. My focus should be on making it more difficult for an adversary or an actor to gain access to my systems. And as an individual who is part of teams that penetrated networks for a living as well as defending them, I would tell you, look against the motivated actor with what is available broadly on the internet today in terms of tools and insights, an actor who is focused, who is dedicated, there's a high probability of success. If you define success as penetration of a system. I think we need to focus increasingly is don't walk away from cyber defense, but think more broadly. Cyber security to me is cyber defense and cyber resilience. And we need to focus more on the resilience side. And that is about, so if someone penetrates, how do we make it harder for them to actually succeed if their goal is locking down functionality or locking down access to data or the potential for disruption or destruction? If that is the adversary's goals, what can we do to forestall that even though they've entered our system? And there's a lot of different things that you can do. I urge industry, you need to think more about that. And we certainly did it in the government is again, I said, I was both offensive guy and we defended the DOD's networks. And one of the comments I used to remind the leadership is, look, we have got to assume that despite our best efforts, the potential exists for an actor to gain access and movement within our system. So we need to spend time focused on what are we gonna do? And that's not just, what are we gonna do from a technical or an IT standpoint? I used to remind the leadership, this is also about you, Mr. Secretary. This is also about you, the chairman. This is about you senior commanders in the military. We got to work collectively on this. That's fascinating. And I just have to say, when you were talking about the Navy when I used to teach international law, it's in the constitution that Congress can issue letters of mark and reprisal and students would be like, what on earth is this? But yeah, it's like, it's like privateering really. Hey, can I make one comment, Anne-Marie on something you want to say? It's interesting, historically in the US, we have resisted large legal frameworks associated with cybersecurity. In part, it's a reflection of our history and the fact that in our society, we have always questioned the role of government, not trying to say it's good or bad, but we have fundamentally questioned the role of government. If you compare where the US is from a legislative or regulatory perspective with respect to cyber and cybersecurity versus the EU versus China versus other places, you find a much more formalized regulatory and legal framework in place in Europe, with data, digital privacy, et cetera. And as a result of that in the US, you have watched several states, California probably being the most aggressive in the absence of large federal legal frameworks with respect to cybersecurity and data and privacy and individual rights within the cyber realm. You're now watching individual states attempt to step into the breach. California being the most prominent, but if you look around, you've got legislation right now pending in over a dozen states that's designed to address that. It'll be interesting to see, does it play out that way over time? Or as Siobhan has highlighted, there's probably more cyber-draft legislation currently in play at a congressional level in the federal government than we have ever seen at one time. It'll be curious to see which dynamic ends up playing out over time. Yeah, that's great. As you, go ahead, no, please. Oh, I was just gonna say, it's a great point, you know, having watched this over the years and sort of covered it as a reporter, you know, back in, I don't know, 2010, 2009, whenever it was that they were sort of first looking at, you know, are there gonna be cybersecurity standards that either critical infrastructure or other types of companies need to adhere to and everybody kept going toward the voluntary side. They're just gonna be voluntary standards. And so what will be interesting to me is whether we sort of move past that, you know, now more than a decade of resistance to those kinds of requirements and actually do that. Because otherwise, you know, we are dealing with these sort of like 50 states with 50 different flavors of requirements, plus GDPR, plus, you know, all the other kind of regulatory regimes around the world because organizations, when they're breached, you know, they often discover that it's not just US data, it's not just data in a handful of states, it's quite dispersed. And it's nation, it's non-state actors in ransomware that has driven this dynamic where cyber activity has just gotten to the point, particularly shaped by criminal groups in ransomware where you now have the government fundamentally saying, have we reached a point where it's just time to impose reporting requirements, hey, putting in a legal mandate that says you cannot pay ransoms. We never had this dialogue five years ago, but actually. Yeah. And part of that, of course, is once the thicket of different state and international regulations gets too dense, then business flips, right? Business then wants at least one clear set of regulation. They prefer to have none, but they'd rather have one than 50 or more. So the politics of it do change. It's interesting, I really like the way you put it, Mike, that instead of talking about what cybersecurity has two dimensions, right? That you would think about resilience as part, and now I've already forgotten the other. And defense, cyber defense and building resilience. And I would have said that building resilience is like vaccines, but a couple of years ago, I'd have said, yeah, it's prophylactic, you know, your whole thing. I wouldn't use that metaphor anymore. And it does actually show you that people don't even, they don't want to be told to do things even that are necessary. Let me come back, Siobhan, to the workforce comment. You mentioned that some of the bills in Congress are focused on the workforce. And New America is working with a group called Share the Mic in Cyber to lift up the experiences of cyber professionals of color. And also to build pipelines and communities of support for people in lots of communities, many communities of color, where cybersecurity is just not thought of as a career. It's such an important career. And it's also, you know, it's one that you can even have apprenticeships in cybersecurity. We've done some work around that as well. But say a little more, if you would, about the importance of having diversity in the workforce and really just as we would think about recruiting defenders in any area, why it has to reflect the population. Well, I mean, the most practical reason is that we need more people to do it. And so reaching into populations that have historically not gone toward that as a field is like a really basic reason to do it, right? You know, beyond that, I think that it is reflective of the reasons why you'd want diversity in the workplace more broadly, right? I mean, cybersecurity is definitely something where you're going to benefit from having multiple perspectives. It's very hard to see around corners when you have a homogenous group of people looking to think about things. And so, you know, and I think also, cybersecurity isn't just about ones and zeros. And so I do think that there are more types of cybersecurity jobs out there. Sorry, Mike, it is also about ones and zeros, not just. But, you know, there are more types of jobs that maybe if there are different types of groups that may not have felt particularly inclined toward computer engineering or something like that, well, there's a whole, you know, range of management jobs, governance, you know, other types of things that can tap into skills. Again, where a diversity of views, I think, is really almost just inherently beneficial, right? If you're trying to figure out how to make sure that you have the right cyber governance, how it is that you persuade your employees to really buy into this. You know, there are lots of less technical, but very important kind of cyber roles in companies in other organizations. And even at cybersecurity companies, right? There are companies too. And so sort of furthering the mission of those companies as well as requires a whole range of skill sets. And I think you've seen a real growth in the cyber industry, not perhaps surprisingly, especially as you've seen the growth of ransomware and all these kinds of things. Yeah, exactly. Mike, was this an issue in cyber command? Well, yeah, always. People are, you know, I agree strongly with Siobhan. I mean, one of the things I used to try to tell our nation's leadership was, look, we are not gonna, technology is not gonna give us a silver bullet that's gonna solve all this. I wish I could say that was the case, but I really don't believe that. And the other thing I used to try to say was, look, the hardest part is not identifying technology and employment. The hardest part is how do you shape cultures to, if you will, work in harmony with this technology to achieve outcomes? Because you can have the best technology in the world. You can have the greatest resiliency and defensive strategies. But if you've got a workforce that makes poor choices that doesn't understand the implications that they as individual users, the impact they have, everything is undermined. So the educational piece here is incredibly important. Two last points I'd make. I also think it's very important. We do not need a cookie cutter where everyone in cybersecurity has the same background and the same education. Boy, in cyber command, going back to the DOD, but I was the second commander. And one of the discussions at the time was, so what should the workforce look like? What are the skills and the backgrounds that we ought to go? When I first got there, everybody looked at me and said, well, they all need to have backgrounds like you do Mike, because in some ways it was if I was grown from a test tube for this job. And I said, I don't think so guys. You don't want everybody to have this quote, heavy cyber background. You want a broad range of perspectives, insights and backgrounds. And when we bring that together, we're that much stronger. And then the last point I would try to make based on what you and Siobhan had to say, I think we also have to acknowledge, look, we are gonna have a human capital shortfall here for an extended period of time. We are unlikely to be able to train, develop and put in place all of the human capital we need and we want. So we've got to come up with solutions that aren't just built around, well, don't worry, I'll get all the people I need. That is unlikely to happen. So we got to figure out, given this talent kind of challenge, how do we create shortfalls? And how do we create solutions and strategies that enable us to achieve some measure of success, despite not having all the people we want? I mean, yeah, we are at one of these moments, of course, where the options for jobs, right, are just not keeping pace with the needs in ways. You look at all these low-paid service jobs, you look at the great resignation, you look at the, but then the possibilities, cybersecurity can offer both meaning and a very good job, right? You are protecting your company, your country, your community, if you think about local cybersecurity, but you just can't move folks who've been working in service jobs into cybersecurity without a lot of government action and a lot of investment. So we're gonna turn now to some more specific cases and I see one great question in the chat, which we will come to. And again, for those of you who may not have heard me the first time around, if you have a question, it's fine to put it in the chat or I can just call on you when we get there. I wanna talk about some more specific cases and specifically I'll start with you, Mike. I wanna talk about Afghanistan because I think, again, I think a lot about national security broadly and whether we should have pulled out of Afghanistan and how and all those questions, but I think most people would not make a connection between being in Afghanistan or not being in Afghanistan and cyber threats, but I think there may be one and I'd love for you to talk about that. So number one, as I said earlier, I always try to remind people, look, cyber doesn't exist in a vacuum. Guys, it's an extension or element of a broader strategic picture. Afghanistan is part of that broader strategic picture and we're in a position at the moment where we have allies and friends who are questioning, hey, what is your commitment? Can we count on you to be a good partner? Are you gonna be there for us? And are you really a partner who brings us into the decision process, who collaborates with us in the generation of strategy and policy choices and are you gonna be somebody who just arbitrarily walks away with no coordination, no collaboration? So we have to acknowledge that that is an ongoing discussion at the moment. It is not insignificant, for example, the first time that I can remember, we had a NATO ally pull their ambassador out of DC. That was for a short period of time, but I'm going guys, that is what you expect to see in the third world. This is not what you traditionally or with authoritarian states in terms of democratic nation's responses to activities on the part of authoritarian states. You do not normally expect to see core historic allies who are also bound by a formal alliance framework, in this case, in the form of NATO, decide that they're so frustrated and they wanna send such a clear and very public message that they pull their ambassador out of it for a short period of time. So cyber is an element in all of this to me. Cyber, I think, offers great opportunity to actually draw allies and friends together because it's one problem everybody has. Doesn't matter how big you are, how strong you are, how economically powerful, what kind of military capability you have every single nation out there has cybersecurity challenges. So it's a great opportunity to draw us together. By the same token, it also is a vehicle for states, groups, and individuals who might believe, hey, I'm looking at an America that seems to be a little weaker. I'm looking at an America that doesn't seem to be as focused, if you will, on some of the more traditional national security and external challenges that seems to be internally at a high level of discord and disarray, 6th January being a great example of that, the outside world looking at that and wondering what is going on in the United States. We've never seen anything like this before, as well as nation states who believe that cyber offers them an alternative lower, it offers you a high level of potential ambiguity, a attribution tying it to a nation state can be difficult. So identifying a specific actor, in some ways it just offers them lower risk. It's one reason why the Chinese, the Russians, the North Koreans, and the Iranians were so much more aggressive in cyber in some ways than we were. We tended to view cyber as something that actually had a high level of risk, had strong potential for destabilization, potentially placed at risk, things that we cared about and potential relationships. Those authoritarian states came to a very different view. Cyber offers low risk, some measure of strategic ambiguity are covered for us. And quite frankly, we can engage in some pretty escalatory behaviors and not trigger a response. I would argue the Russian influence operations in the 2016 election, probably the most egregious example of this where they just thought, hey, look, they're not gonna do anything. We actually can go after their most fundamental democratic process, a free and fair election. We can undermine it and attempt to influence its outcome and we can do it without being held accountable. That is not a good thing for us. So, Siobhan, do you want to comment? And I also wondered if you would talk about the sort of how, if you're shifting to the non-state group side, how the tactics are evolving, and how, again, one of the things we know, there's the Taliban's in charge in Afghanistan, but you have other groups in Afghanistan which we're gonna be less able to patrol if you want and what their tactics will look like. Yeah, I mean, it's interesting because if you sort of look at the kind of potential overlay with terrorism or counter-terrorism efforts, what's actually been interesting is, in terms of the US side, a lot of the people who were experts sort of post-911 and counter-terrorism shifted their lens towards cybersecurity in recent years. And so you actually have a lot of people who kind of look at both issues. For some time in the counter-terrorism arena, there was a fair amount of discussion around, Al-Qaeda's gonna use cyber means to attack and things like that. I don't have a good reason, maybe Mike does, as to why they never did, at least to my knowledge. Or maybe there are examples that were so sort of secret that they worked or something like that and we were never aware of it. I do think that given the greater prevalence now of sort of cyber attacks in the broader public consciousness, it may well become something that terrorist groups or other sort of non-state groups see beyond criminal groups because they certainly seized upon it as a way to wreak havoc, whether it's via sort of breaching a network, manipulating something, disinformation, all of the above. Obviously, I mean, I'm not giving anyone any ideas, they can think of all this on their own, but the fact that so much of this is kind of for sale on the internet, that I don't think it requires too much creativity on their part to put it together. But it's interesting to me that we haven't seen all that much of it yet. It's interesting that these criminal groups have really pioneered so many of these tactics, whether it is, how do we get us sort of a tax software on your system, do a lot of reconnaissance, you can't find us because it's really good, see the previous comments about sort of state-based capabilities. We can steal a bunch of data without you knowing and then all of a sudden, we freeze up your systems, you can't do anything. That's paralyzing, right? And that's what's happening to companies every day with ransomware. And criminal groups are motivated, as Mike pointed out, because of money. And so they're highly incentivized to figure out what's the most effective way to do that. Terrorist groups have somewhat different motivations and that may explain why you haven't seen them sort of do the same level of adoption, but I wouldn't rule it out. Okay, can I make a comment on that? Yes, I was gonna ask you, too. One of the implications, I think, of the withdrawal from Afghanistan, and we'll see how this plays out. With respect to terrorist actions against the US, because despite their efforts, they had low success in terms of their ability to bring tax into the homeland physically. You tended to see many of those groups focus on, so how could I access America on the battlefield? Whether it's IEDs, attacking facilities, airfields, other things where there were large concentrations of US individuals, they happened to be probably the State Department or military, but they were America, they were an extension of the US. One of the implications I wonder is, as we have pulled back from physical presence, Iraq, still there, but the numbers much smaller, Afghanistan, Syria, does part of the strategy for terrorist groups, do they start to shift to say, okay, so what tools do I have to access an enemy, the United States, that I no longer have physical proximity or direct access to? Interesting. It does make you wonder, does cyber become a more attractive tool? Because I always thought, I was surprised, quite frankly, that non-state actors, particularly groups within the terrorism arena, were not more aggressive than cyber. Traditionally I viewed cyber as, it's a tool to spread ideology, it's a tool to recruit, it's a tool to generate money in terms of those like-minded individuals who are willing to contribute or share funds with us, and it was a vehicle to coordinate among widely dispersed elements in terms of activity. But you never really, you never saw them really view it as a weapon, so to speak, that could achieve direct effect, much like we watching bombings and other things. Right. To me it was only a question of the wind, not the if. And now that we have less physical proximity in some ways, I wonder if there's more remote capability becomes much more attractive to some of these groups. That's interesting. So I'm gonna bring us back to actually sort of cyber citizens and more personal cybersecurity, but I do wonder, terrorists depend on spectacular events, right? I mean, 9-11 as a recruitment tool, but also as a tool of terror, right? You have to be able to see it, you have to be able to fear it. And I wonder particularly given whom they recruit, right? Young men who are by and large, if a cyber attack just doesn't have the kind of wow factor, to make it have that, you'd have to have really tremendous capability, but ransomware, a ransomware attack even on a city is unlikely to generate. That's worth, it's a very interesting point. So Siobhan, last question before we go to the audience, coming again, what's interesting about cybersecurity is yes, you have Cyber Command and then I as CEO of New America have to make sure that we have cybersecurity training and we really do think about it. And actually occasionally, the government will notify think tanks that they've seen a threat, right? As part of the policy ecosystem, but I'm particularly interested given that we're all now working in hybrid environments. I mean, I know we're all sitting, most of us are not sitting in our office, it's hard to tell exactly. What is that going to do for cybersecurity? I mean, does this mean I have to sort of harden my home system, which God knows, most of the time nobody can remember the password to get on the home system because it's all wired into your computer. Yeah, I think that that is, I mean, I don't have hard sort of cause and effected on this, but in terms of sort of coinciding, the huge ramp up in effectiveness of ransomware attacks and sort of remote work almost exactly coincided, right? And so there has to be some relationship there. What's interesting about that is, and I mean, I remember, you know, there were many people kind of at the outset of all the lockdown saying this was going to be an issue. And then there was sort of a pause. I mean, I remember just looking at it from the standpoint of the work that we do with companies, it felt like breaches actually kind of paused a little bit in March and maybe the beginning of April. And usually Easter is actually a ripe time for breaches. So that's interesting, but then in May, it just took off and it never stopped. And so, I took that to mean that, the various kind of criminal groups and others behind this were kind of recalibrating, figured out what they were going to do, and then they pounced and it just didn't let up. And so the interesting thing to me is actually, now as we move to sort of this hybrid work environment, that actually makes it worse because it's not just worrying about home or office, it's worrying about people constantly going between the two. And so it certainly means the problem isn't going to get easier to solve and it probably means that it's going to get harder. You know, what hopefully we will see is that organizations, employers will step up their efforts to kind of give their employees more digital awareness, more cybersecurity skills, more cyber hygiene reminders. If you take one thing away from this, change your password, like always change your password. Have backups, all these kinds of basic things that your home computer is your work computer in some ways these days, or at least your home network, even if you're using a work computer. And so that just makes it a lot more complicated for employers and for employees. And I think that's going to be with us really for the foreseeable future. So Irana, you, Irana Asimutson, you have two questions in the chat and it's certainly probably, they may both be aimed at Mike, but I'll let you ask one, choose one and we'll ask Mike to respond and then if Siobhan wants to come back, if we have time we'll ask both. Thanks, Samarie. So I work in California and one of the things that I often wonder about is we sort of have this social contract that big tech firms can protect their algorithms, can protect their sort of trade secrets about how their stuff works, which really means that we rely on them for our security. And they've shown that they're not always super interested in our security. So for all sorts of reasons, I think that this business model should probably be rethought, but that might also put, as you put it, more guns in the hands of adversaries. So I was wondering if you could sort of comment about whether you think it would be better if people had more agency to protect themselves and know what was going on. There clearly is an interesting discussion ongoing at the moment about what is the right construct? Traditionally in the US, we have allowed the developers of technology to monetize it, to apply it, to create corporate infrastructures and frameworks, if you will, that monetize it and lead to the generation of revenue and profit in the capitalistic society, profit being viewed as a positive thing. And yet what you're starting to see is a view that, well, is big tech different? Have we gotten to the point where the scale of some of these companies and the fact that they have created entities that are so foundational to day-to-day life in many ways? Hey, does this mean we really need a different construct? Because look, you're not gonna opt out of social media. You're not gonna opt out of online buying. Most people, I mean, there are some whose attitude is, well, fine, the answer for me is I just won't participate. I think for the majority of citizens that is not viewed as a particular realistic response, and so now you've got the government trying to argue, well, do we need different constructs? And the first battlefield for that in some ways is gonna be data, where you've got the government and others arguing when we started this world, this journey, we tended to view data as not directly an element of ownership of the individual, rather data was something that a separate entity could employ, use for monetization and quite frankly could use to better understand the financial habits, the buying patterns, et cetera, of individuals. Now, because you've already seen this in Europe, you're seeing this debate now about, well, do we need a different construct about data? Hey, data should remain the property if you will of the initial owner. It shouldn't be viewed as something that we just arbitrarily allow others. That's one thing. The next area I think is to your point more specifically is gonna be the algorithm question. As we start to get into more widespread use of artificial intelligence and machine learning, the next big question to me we're gonna grapple with as a society is going to be, so what should the governing model be for some of these algorithms? Is that the private sector that developed the algorithm, they have free reign to use it as they see fit? Is there some measure of independent verification of algorithms and their applications and their particular usages? I don't know, this goes back to also my previous point about look in the US from a legal standpoint, we have been very reticence for the government to impose a regulatory framework on cyber writ large, let alone on questions like data, algorithms, et cetera. I think what's gonna happen is we're gonna very slowly work our way into this. I don't expect that in the next one to two years you're gonna see some massive legal framework about how we're gonna govern artificial intelligence and the development use of and oversight of algorithms or for data. I think we'll start with data and we'll kind of slowly work our way into this, but it's an interesting challenge for you in California. It's an interesting challenge for big tech because big tech finds itself now as a company. Many of these companies are in a very different position than they were fiber, they're massive, many. And yet the way they're viewed within society and by government and by competitors is a little different now than it was, say, five, 10 years ago. And I've had this conversation with CEOs out in the valley about, so what are the implications for you? Do you think it's, hey, I just keep doing the same thing I'm doing, I just get bigger, more powerful, more wealthy, wealthier, distribute more money in my shareholders, everybody's happy. I don't think that's the message that society and the government is sending right now. So, Irina, you haven't, no, please. Oh, I was just gonna say, just on that, it's also interesting at points to sort of a larger debate that isn't particularly new, but I think it's sort of, it's more relevant now than it has been previously, which is how responsible are tech platforms for how they are used, right? What's done on them, what data people leave there, what they do with the data that is put there. And for a long time, they've taken the position of not our problem, like we just provide the platform, it's up to others to figure that out. And there's actually a pretty good precedent for that, right? Like the telecommunications companies forever have said, we're not responsible for what happens on our lines. However, I think that the impact that you're seeing of sort of that hands-off approach in the tech sphere is more significant than what we've seen in the past. And we're starting to see it come up in cybersecurity in content moderation, sort of across the board. And so I agree with Mike. I think that we're going to sort of slowly see a curbing of some of these, this sort of liberty, so to speak, that tech companies have. But I don't think it's gonna be, it's gonna have to be sort of in small ways over time. I wouldn't expect it to happen all at once, but at some point there is gonna be a set of public expectations that those companies are gonna have to meet. And that public expectation isn't gonna be, you guys can do whatever you want, anyone can do whatever they want. It's kind of, it's a free-for-all. Yeah. Indeed, if you look at how long, it took a couple of decades, right? After at the end of the 19th century, early 20th century where you had the massive fortunes and steel of the industrial age, steel, telecommunications, railroads, which is another kind of platform. It took a while, it wasn't all at once. So, Irana has another wonderful question, but I wanna give anybody else in the audience a chance to just speak if you have a question. Speak now or forever. All right, I hear nothing. So Irana, go ahead. Well, Frank, I'm just thinking about any questions. Though it's been very curious to me to see the US regulators go along with cryptocurrencies being integrated into our financial system. Because to me, the huge business model of cryptocurrencies is that they get to be anonymous and they don't have to deal with any of the other regulations. And it's to me basically a Ponzi scheme. So, are you guys worried about crypto like that? Am I just missing something about their business model that makes them much more benign? Would love to hear your thoughts. You go ahead, you go first. You over to you, I think it's just this rare area. Well, I'll give you an opinion. So, part of the challenge with cryptocurrency, number one, there's last time I looked at this, we're approaching 2,000 different cryptocurrencies in the world. So, number one, we've got a proliferation of different vehicles. Number two, we have no standardization and no, so there's no real security. There's no really verification mechanism widely accepted. Security standard verification mechanism or standard as to what the level of value is for different currencies, unlike the physical world. So, part of the reason why governments have been, at least the US have been unwilling to really get involved in, I think, just my opinion. There was concern that if we start to provide guidance in direction, it somehow implies that the US is supporting or condoning, if you will, cryptocurrencies. And I think the government view was, we're not prepared to really do that. We're not comfortable with the idea of condoning this. Now, you're seeing some governments around the world. China is going to develop a digital currency. You're seeing other governments argue it's the reality. And so, what we need to do is create a framework that enables some measure of government oversight, control, and by extension profit in some ways. I personally think that that's the way the US is going to go in the long run. Look, this is not going to go away. And I've had conversations with Federal Reserve leadership on this in my previous life, where I used to argue with them, you can stick your head in the sand and pretend that this isn't going to really be a factor, or we could actually try to work together with other nations to see how can we develop an international framework for just how we're going to deal with this issue. And then how do we take advantage of it? Because it is generating significant amounts and ever-growing amounts of economic activity. My view is, don't you want some element of oversight, control, regulation, security associated with that? And quite frankly, don't you want to gain some measure of profit from that kind of activity? But that's just my thoughts. Shaman, you want to close this out? Well, I mean, I would agree. I think that you're starting to see more, and not just in the US, you're starting to see more regulator discussion around it. And I think that government leaders have been really put off because it's often been seen as sort of a haven for criminals. And I think as it becomes more mainstream and it becomes pretty clear that it's not going away and it's getting a lot more complicated, I don't think that there will really be much of a choice than to sort of become more involved, whether it's from the regulatory side, whether it's figuring out how to tax it, and other types of things. I mean, you're starting to see regulators in the US, at least ask questions and start to try to create some rules around it. And so I do think, I would expect that to happen a lot faster than I would some of the other policy shifts that we were talking about. Well, I have to say, when I see things like the Fed is thinking about offering stable coin, I'm just like, whoa, wait a minute, what happened? A minute ago, this was the realm of criminals. But again, I'll end this on a historical note. The different states of the United States had all different currencies. And again, back in Europe, further back, money was not a uniform thing. Money was what different groups of people wanted to exchange. And as we realize we need to trade with one another, and also as a matter of government power, you have to standardize it. So once again, in the digital world, we are many centuries in some cases behind where we are in the physical world, but the physical world doesn't always offer a model. Indeed, because I do think the difference in degree when it comes to the current platforms is a difference in kind. I mean, the technology is so fast and the potential for disturbance is so great that you can't just use telecoms as your model. But thank you. Thank you to both Siobhan and Mike to really a fascinating discussion and a huge array. We covered a lot of ground. And thank you to the audience for joining one of our lunchtime dialogues. We really enjoy these with our friends and supporters. And I hope you'll come back. So thanks very much. Thank you. Bye, everybody.