 Ladies and gentlemen, good morning. My name is Lieutenant Commander Sarah Nugreschel, and I am the outgoing Chief of Plans Policy and Partnerships at US Cyber Command Office of the Staff Judge Advocate. As you heard in Colonel Hayden's welcome remarks, we can't do anything without our partners, and that's especially true when it comes to our partnership with the Cyber Security and Infrastructure Security Agency, or CISA. So I'm thrilled to introduce Mr. Brandon Wells, the Executive Director of CISA. As Executive Director, Mr. Wells serves as the Senior Career Executive, helping oversee execution of CISA operations. He is responsible for leading long-term strategy development, managing CISA-wide policy initiatives, and ensuring effective operational collaboration across the agency. Some highlights from his illustrious biography include, in February 2022, he was appointed as the lead for the federal government's domestic preparedness and response related to the Russian-Ukraine crisis. And prior to that, from November 2020 through July 2021, Mr. Wells was the Acting Director of CISA. In that capacity, he led CISA's efforts to defend civilian networks, manage systemic risk to national critical functions, and work across both the public and private sectors to raise the security baseline of the nation's response to the SolarWinds Orion supply chain attacks, Microsoft Exchange vulnerabilities, and the Colonial Pipeline ransomware attacks, amongst many others, while completing this standup and reorganization of the agency following the passage of the CISA Act of 2018, which established CISA as an independent agency. Joining Mr. Wells is our very own Colonel Nate Kearns. Colonel Kearns currently serves as the Air National Guard Assistant to US Cybercom's Office of the Staff Judge Advocate, as well as the senior lawyer and advocate for the Commonwealth of Massachusetts. As if that wasn't enough in his civilian capacity, Colonel Kearns is the Director of Operations at the Defense Institute of International Legal Studies, where he has planned, managed, and executed over 150 international missions in over 100 countries. And when Colonel Kearns is not globetrotting, he's also an adjunct professor of law at Boston College. Colonel Kearns, I'll turn it over to you. Thank you very much. Director, thank you for joining us today. So what I'd like to do is just kind of run through some topical areas and questions. And at some point, if we have extra time, we'll hear from some folks from the audience. Sure. So the first thing I'd like to ask you about is some of the current cyber and operational challenges faced by CISA, and if you wouldn't mind addressing both domestically and internationally, sir. Sure. So first, thank you for the invitation. I think as was noted, this mission is one that's built on partnership. And the work that we do with Cyber Command, the National Security Agency, DOD more broadly, is essential to the work that we do both domestically and internationally. In terms of some of the challenges that we are facing, I would say it's at the intersection of a couple of trends. The first is over the last decade, the increasing digitization of everything, meaning that IT systems, things that are today enabled by IT systems that weren't a decade ago, create increasing risk. Secondly, the increasing complexity of the technology in general has meant that a large portions of our critical infrastructure are operating using technology that they really have no business using, because they don't have the innate capability to actually secure it. And third is the level of sophistication that our adversaries pose now to this technology has all come together in a perfect storm. And so these are challenges that face us not only here domestically, they are the same ones our international partners are grappling with. I was talking this morning with colleagues from across Europe at an event that the Lithuanian Government Ministry of Defense was holding, and it was the same exact topics, how to grapple with the challenges of emerging technology and cybersecurity in the face of growing threats. I'll remind everyone that the director was on the phone with Lithuania, probably 0-3-30, so I'm sure thanks for being here for us. So I was wondering if we could also get your thoughts. You mentioned it briefly on the current threat landscape, I would say if you wouldn't mind addressing some of the radical transparency, the international collaboration, communication, and you sort of touched on it, what we didn't have in the past, we now have a lot more folks, agencies, governments with access to previously things that we hadn't had before. Yeah, so when I look at the threat space, and I think many of you know this very well, trying to deal and grapple with going after these threat actors, when I look at the threat space, I see kind of two unique challenges when it comes to the specific threat actors that we're facing. On the one hand, the nation states what we are dealing with today have grown a lot better at what they do. They're able to hide more effectively, they're able to obfuscate their activity. It is harder to keep track of the specific threat actors we have good insight thanks to our intelligence media partners about strategic intentions, but a lot less insight in terms of what they are doing tactically day to day. And that is because they've grown better, their tradecraft has improved, they're operating, they're no longer developing custom malware as often, they're now living off the land, and so it makes it a lot harder for us to discern exactly what they are doing, where they're doing it and how they're doing it, and they're able to burrow in and hide in networks in ways that we didn't think they were able to do in the past. On the other hand, the kind of democratization of capabilities for criminal organizations have kind of lowered the barrier entry for criminals to get involved in more sophisticated cyber type attacks because they'll utilize ransomware as a service or other tools that are developed by more capable criminal actors and who sell or lease those to lower skilled actors. And so it has meant that the scourge of ransomware ramped up over the last two or three years as criminal organizations have specialized. And all of that is now hit against this, what is a largely an insecure technology base. As I mentioned before, we have dramatically increased the digitization of everything. However, our technology infrastructure today is not designed with security and mind up front. What gets technology to the front of the market today is based on cost, speed and innovation and it's not around security. And that has meant that every day thousands of new vulnerabilities are discovered in technology and it is not sustainable that any company, any government is gonna be able to keep pace with the scale of vulnerabilities that they're the technology base that they're dealing with. So we have been pushing, thanks to our director, Jen Easterly, a new focus on kind of secure by design and secure by default, that technology needs to be developed upfront that is more secure and that it is by design and by default deployed in the most secure way possible. And it needs to be easy enough that small and medium sized businesses or small and government agencies and local governments around the country, municipal hospitals and water systems, that they have the ability to use this technology in a secure way. And that's just not the case right now. And we know that because as soon as new vulnerabilities are identified, we can see the malicious actors exploiting those vulnerabilities at scale. And we're never gonna patch our way out of it. So it is great that we're identifying those and companies are deploying patches, but the scale of those vulnerabilities mean that we're always behind the eight ball, we're always chasing the adversary. And so the only way to get ahead of that is this focus of kind of getting ahead of it. We want companies to be designing and deploying technology that is as safe and secure as possible upfront. So I guess along those same lines, you're mentioning some of the challenges we're seeing out there. Could you maybe address some of the strides and some of the successes we're seeing or partnerships on the way ahead both domestically and internationally as well? Sure, and I think this is a place where as I said at the beginning, this entire mission space is built around the notion of partnerships and CISA as an agency was designed to be a partnership agency. We're not a law enforcement entity. We're not really a regulator. We're not an intelligence community. Our real, the reason why we were created was to build and sustain partnerships between government and industry. We do that in a lot of different ways and at its center is kind of establishing this strong trust that when we provide this useful information around cyber threats or incidents, tactics and tradecraft, that it will generate useful outcomes. So we have seen this in a number of cases, whether it's our response to the vulnerability in the log for J software library at the end of 2021 where we served as kind of an authoritative source for what products were vulnerable, which ones were being patched and provided that information in a transparent way to the community. Similarly, we stood up our joint cyber defense collaborative in 2021. This was something that had come out of the cyberspace Larry commission was authorized by Congress at the beginning of 2021 to create this joint cyber planning office. So we call the joint cyber defense collaborative today where we bring in industry starting with the largest technology, cloud, ISPs, cybersecurity firms brought in the US government entities that focus on cyber from across the interagency. So folks here at Cyber Command, NSA, FBI, DOD, to all work together with the idea of we wanna reduce any barriers and we wanna reduce the kind of previous work to be done with the private sector that tend to be one-on-one. We share information with one company, they share some with us, we do that 50 times and by then we piece together a story. Well, we decided to go to a multi-to-multi sharing environment where in the early days of the Russia Ukraine crisis when one of the companies in the JCDC was seeing the initial malware being used by Russian government actors, they were sharing it with all of the members of the joint cyber defense collaborative in real time, reducing the amount of time it takes to get information out from kind of days to hours. We think that those are real successes. It is also enabling us to kind of build trust with that community so they're sharing new insights with us. So one of the new things that we've just announced that was based upon individuals from across cybersecurity firms coming to us to say, and technology companies, they started seeing things happening because they had access inside of some of the adversary infrastructure. So they were seeing ransomware operators connected to US critical infrastructure but they didn't have relationships to go touch those critical infrastructure entities. So they came to us and said, hey, we believe that these entities are being targeted by these ransomware crews, they have access in there but we don't think that they have encrypted their networks yet. Can you go let them know? So just in the last four months, we've notified over 120 US and international companies that they had ransomware operators on their network prior to an encryption happening. And we've had at this point numerous examples where the companies have come back to us and said, thank God you told us because actually we just saw them try to activate the malware they had put in our network. And it was only because they had early warning that they were able to stop it. And this is, there's been about a dozen schools, hospitals that have benefited from this as well as 20 international partners around the world. So we think this is a model where, this is not doing the heavy lifting here where we built a relationship, we've established trust and now people are coming to us with information that we think is really game changing in terms of getting ahead of some of these challenges. And so I think it demonstrates the power of partnership to advance the cybersecurity mission and the importance that building these kind of trust based models with both industry and government, why it's so essential. Well, those are great examples. Thank you for sharing those. I know one of the things that folks in the room that the cyber command is interested in and it just happened to coincide with this conference is the new national cyber strategy. And so there's a specific area I wanted to ask you about because critical infrastructure as you know is a key element. I wanted to ask about that relationship of private enterprise and if you could address the responsibility to protect and sort of elaborate on that for us. Sure, so CISA, I've been around with the agency from before when it was known as CISA when it had much more complicated and less discernible names. And we were always around, our mission has always been around critical infrastructure. We started, our agency was formed, its predecessors in the wake of 9-11 attack to focus on the physical security of critical infrastructure. In the aftermath of Hurricane Katrina, it kind of expanded from the original CT mission to focus on more all hazards resilience related to critical infrastructure. But still today, when we talk about the homeland, we talk about cybersecurity, we're still predominantly talking about what we need to do to protect and secure and make more resilient our critical infrastructure. The new national cybersecurity strategy recognizes as one of the key pillars, the protection of US critical infrastructure because it's so essential to our way of life, our economic security, our national security, the work we're doing with DOD, focusing on defense critical infrastructure is an example. And the national cyber strategy recognizes that we need to use a variety of tools to get after this problem. We need to use regulatory authority where it makes sense, where we have the authority, where we think we need to get it. I think you've seen some examples of that. For example, TSA in the aftermath of the Colonial Pipeline incident, decided to use authority that they had but had not previously deployed to regulate, have minimum baseline cybersecurity standards for pipelines, for rail, for aviation. EPA has put new responsibility on state authorities that conduct sanitary surveys of water utilities to put in place, they need to do cybersecurity reviews when they conduct those surveys. But regulation is one part, largely done by key regulators across the US government, some independent, some part of underneath the executive branch. But CIS's role as I referred to earlier is more kind of helping to coordinate the voluntary efforts across the government. So we build these partnerships, we've established these mechanisms, we were given these unique authorities to create information sharing mechanisms that are in some cases protected from regulatory law enforcement use to encourage industry to come to us, share information on critical vulnerabilities so that we can use those to make the entire ecosystem more secure. It's the reason why we brought critical infrastructure into our joint cyber defense collaborative because they have unique insights into this and they can also take action at scale that the US government can't take alone. So getting 100,000 water utilities in the United States to do something is hard. Getting three cybersecurity companies to take action that is used on hundreds of thousands of companies across the world is comparatively much easier. So I think we look at this from a variety of perspectives and try to figure out how we harness our kind of strong capabilities with that of our other agencies, how do we lend our expertise to regulators while still maintaining our ability to have real trusted relationships with industry. So I think that there are, you can certainly ask Steve Kelly when he comes and gives his talk since the White House has been at the forefront of thinking through how to utilize all of the different expertise and capabilities across the US government to achieve this mission. It's complicated. There's not gonna be one size fits all to these challenges we face because of the unique authority structure, because of the unique challenges. What will work in a highly centralized small sector is not gonna work in a highly diffused sector made up mostly of small and medium sized businesses or municipal authorities. And so it's gonna take a lot of work and a lot of thoughtfulness about how do you employ these strategies. The National Cyber Director is now working on an implementation plan for how do you take some of these ideas, identify what's working now really well and where are the gaps that we need to continue to work to build a stronger ecosystem. So you just talked to quite a bit about private industry and I'd like to kind of head down that road for a second. What role or where do you see private industry say the next five to 10 years and looking at the companies that everyone in this room knows, the Googles, Apples, and Microsoft, what role are they playing and how do they partner with us and what are your thoughts on that? Yeah, so those large companies have been kind of key partners to us because they have unique visibility, they have the ability to scale solutions very quickly. That being said, kind of going back to the National Cyber Strategy, one of the key policy shifts that identify the National Cyber Strategy is putting the burden of cybersecurity on those best able to handle it. Today, almost the entire burden of cybersecurity is on the end user and whether you are a small business of three people or you are a Fortune 50 company, you both have the same burden of cybersecurity even though the requisite capacity is far different in those two entities. We don't think that that's sustainable and the National Cyber Strategy reflects that. So I think we believe that technology companies, because of the reasons I mentioned earlier, have a unique responsibility here to take on a higher burden of providing products that are more secure and make it easier for those small and medium sized companies to be able to utilize their technology. And even for large companies today, still dealing with a relatively insecure technology ecosystem, oftentimes you'll talk to one of the large companies in the country that's in critical infrastructure and they'll tell you that they're using 150 or 200 different cybersecurity tools to protect their network. And now they have to figure out how to integrate 200 tools to provide their analysts with actionable insight about how to protect their networks. And then they have to hire consultants to help them improve their integration of those 200 tools. And it's all because we have an insecure technology base. So I think we think it starts from there. Secondly, it moves to thinking through how does corporate America look at cybersecurity? For CEOs, for boards of directors, is this just a problem that they can assign to the CIO and think it goes away? Or is this something that they have to take core responsibility for? Because ultimately this is not just an IT problem, but this is kind of core business risk. And the companies that have had significant breaches, significant incidents, they know that it's core business risk. Unfortunately, sometimes it takes getting to that point before a company will be kind of galvanized into action. And so we think that there's a, and we've kind of been pitching this concept of cybersecurity, corporate cybersecurity, corporate cyber responsibility. Sorry, that's the 4 a.m. showtime with Lithuania talking. Corporate cyber responsibility, the idea that you as corporate leadership have a kind of unique responsibility here to make sure that you are addressing these systemic risks to your operations. And those could be first order, how well you're doing protecting your networks, but also when I talk to business leaders across the country, the thing that most often comes up is third party risk. They think that they've got their network under control, rightly or wrongly, but they're concerned about the suppliers, the vendors inside of their supply chain that they think exposes them to a risk that they're not able to sufficiently manage. And so that is a place where I think it is the unique responsibility here to work between government and industry to figure out how to expand that protective umbrella. What can those companies do to help the small companies in their supply chain? What can we do to help bolster them? So we have some initiatives that we have launched this year, focused on what we call target-rich cyberpore. The idea being these are companies and segments of the economy that are often targeted by adversaries, but they don't have the capacity. So hospitals, K through 12 schools, water facilities. And so we've been spending a lot of time thinking about how do we provide them more services? Congress gave us the ability to expand some of the shared service offerings that we have previously provided just to our federal civilian partners out to some of our critical infrastructure entities. So we're looking at doing that starting this year using some of these new authority from Congress. But we think it is super important that both the government and large companies together take that responsibility to figure out how we broaden this because ultimately every company in this country relies upon a network of small companies that are the weak underbelly of our cyber ecosystem. Sir, along with these public-private partnerships, how would you say that extends to the challenges with our international partners? Yeah, so I'd say all the challenges we have here, they're just magnified overseas because they often have less capability, less capacity when I think about the amount of expertise and capability that resides in the federal government between CISA, the FBI, NSA, Cyber Command, DOJ, DNI, and the really vibrant cybersecurity ecosystem in the private sector here. When we start working with international partners, some of those folks obviously have a lot of capability. We work extremely closely with a number of our Five Eyes partners, have done a lot of joint production with them on guidance, but when you start talking about country in America, Southeast Asia, there's a lot of capacity that's needed to be built and these are countries that make up critical supply chains for the United States that we rely upon for US companies. And so there is a real appetite out there across the world, whether it's countries in Europe that I was on the call with today or countries in the kind of global South that want to get better at this because they're seeing challenges when you've had countries like Costa Rica that have been ravaged by a ransomware incident affecting their government that lasted for weeks. They recognize that they need to get better, but they don't necessarily have the capacity and so I think we are looking at what we can do to help build that. Obviously our focus is still here at home, but there is a lot that we learn in terms of early warning from working with our international counterparts. We have relationships with over 200 certs, the computer emergency response teams around the world that we share information with regularly, but there's a lot that we're trying to figure out how we give back. We've been doing a lot of capacity building with Ukraine. Obviously right now we've got some work that we've done through Singapore, to Asian countries to expand capacity, but there is just a lot more work to do out there because there is a real hunger and just not enough capacity. So you've mentioned a little bit about DUD's role in cyber comms role just to take it to the folks in this room, to the SJs here, a bunch of the staff are here. Where is SZA, where is Cyber Command? Where are we going together? Where do you see the next few years is that relationship? Yeah, so I mean we think that the relationship between the offensive and defensive work is really essential and I think our goal over the next few years is to make that the information flows and the tipping and queuing back and forth even faster, more ingrained because when it works it's worked super well and so there's been real world examples and since we're going out to the world I'll be circumspect here, but there's been real world examples where the activities that you're doing overseas has given you insight into actual incidents here in the homeland. You've handed over to us SZA and the FBI go out and talk to the victim. Maybe we do some incident response. Now we're identifying additional, whether it's additional activity that the adversary was doing, additional infrastructure that they were utilizing. We're passing that back to you guys that you're using to expand the scope of your mission to identify additional targets to go after and back and forth and I think that type of symbiotic relationship is really critical and I think it has worked extremely well when it's worked and I think we now need to figure out how are there gaps, what we need to do and grain that type of relationship so that it is smooth. Frankly, it is new. Cybercom is a relatively new entity certainly at full operating capability. SZA in its current incarnation is relatively new and I think we need to make sure that we build some muscle memory where this is just happening as a matter of course. The other area that I would touch upon here is obviously the relationship between Cyber Command with the various Cyber National Guard units around the country in part because we've got a very close relationship with our state and local governments. We do a lot of work to provide support to those state and local governments and a lot of state governments will utilize their Cyber National Guard units to help buttress and support state level and incident response activities within their jurisdictions and so I think it is more important than ever that we've got good relationships so SZA has a growing footprint across the country about 600 field-based personnel mostly made up of various types of security advisors both physical security, some of them focused on emergency communications and about 100 cybersecurity advisors spread out across the country who are there to do assessments and build relationships with our critical infrastructure and state and local partners and many of those folks do have good relationships with their tags and other National Guard related leadership at the state level but kind of thinking through what is the future of that relationship? What does it look like for information flow? What does it look like when you're actually conducting operations at the state level? How do we provide mutual support in those situations? So I do think that there's a lot of growth. One of the things that we have rolled out over the last year is a new grant program for state and local governments. Congress gave us as part of the Infrastructure Investment Act billion dollars over four years to give out again cybersecurity grants focused for state and local governments and they're using that in a variety of ways. The first tranches of money actually just started going out the door a few weeks ago because we approved the first 12 plans that were submitted by states that had to submit pursuant to the law and so there is more capacity that's going out and being built to the state and local level and we know that National Guard units are kind of a key part of that ecosystem at the state and local level so the more we can do to understand what that looks like so that we can have where we need to have consistency where we need to have unique state tailored efforts so that we can do that. No, Brandon, thank you very much. I really appreciate it, especially the plug at the end, I will say through the Cyber Nine line, through the establishment of state and local partnerships, the ability that I hear across the 54 states and commonwealths and territories is they have never come across an agency that they've reached out to that hasn't had a constant support or an ability to proactively help them or reach out to them and it's been fantastic so thank you for that, sir. What I'd like to do now, I think we still have a couple of minutes, is open it up to some folks in the audience, I know that there's some folks that would really want to take advantage of this opportunity. If anyone has any questions, we ask that you just turn your microphone on so that those virtually can hear as well. Morning, sir. Frank Shaw from Army Cyber. Ms. Wales, you had mentioned larger companies taking on a greater responsibility for cybersecurity when you have this three-person small business who does have the capacity for that. Since those larger companies are ultimately accountable to their shareholders, what is the incentive for them to do that outside of their organic supply chains? How has that conversation been to incentivize them to do that? Yeah, it is a good question and I think it'll likely depend upon kind of the criticality of those small and medium-sized businesses in their supply chain. The ones that are obviously more critical, the ones that have less substitutability. You may feel maybe much more willingness when there are kind of more single points of failure for their operations. I also think that it is a question of what exactly you're doing, how complicated is it? There are some things that could be relatively easy. You have certain services you might pay for from a cybersecurity vendor to provide protective DNS for your network relatively inexpensive to add some protections for another party if they're willing to do that, whereas more intrusive capabilities, probably not true. But you also think about kind of what your due diligence is, what your ability to provide some support and mentorship for what they need. Ultimately I think it's going to be, they have to represent their shareholders but ultimately if they think their business is at risk to think that their operations could be compromised because of weak cybersecurity at one of those vendors, then I think arguably it is in their shareholders' interest to provide that just like it is in their shareholders' interest to invest in their own organic cybersecurity. And frankly, as I mentioned earlier, this is third-party risk is the number one issue that I have heard consistently across every critical infrastructure sector. And so if every critical infrastructure sector says I am worried about third-party risk, they can't then say, well, but I can't really fix it because my shareholders, ultimately if it's one of your top cybersecurity risks, then you need to be willing to invest. And if that's not just in your organic capability, if that's in helping third parties that are critical to your business, that's where it is. Good day, sir. Lieutenant Commander Mike McCarthy, Canadian Armed Forces, Office of the Judgment General. Very fascinated by the use of National Guard in assisting with local and state, I guess, cybersecurity. And I'm just wondering how that came to be and whether there's been any pushback from private industry who also would provide those services normally. Thank you. Yeah, I mean, I really think that this is something where I think it probably most likely started in some, and maybe there's some here who can actually answer that question better than I, but my sense is that it started with a lot of the ransomware incidents that started affecting municipalities around the country. And when a governor looked at this problem and said, what assets do I have in my disposal that can try to deal with it immediately? Cyber National Guard units under state authority were able to be activated to help. And I think that makes good sense. At the end of the day, I don't believe that those National Guard units are really displacing at large scale cybersecurity vendors throughout the country. In many cases, if you're responding to a large scale incident, like a ransomware incident, you're most likely, you could have the National Guard helping out for a period of time, but you're still gonna bring in private sector vendors to finish the job, to rebuild parts of your network, to focus on long-term security. I think in many cases, National Guard has been sent in there first, kind of stabilize the situation, begin to get things back up and running, and then this transitions more long-term to a private sector vendor. But I think it is a recognition that there is a lot of need out there and that the National Guard was a ready source of real expertise in a place and a time where governors do not have a lot of their disposal. But it's not consistent because we've engaged with states that have had incidents and they've immediately brought in one of the large cybersecurity vendors, and other states will bring in their National Guard and later bring in a contractor to come help and finish the job. So we've seen a variety of different types. There's no one-size-fits-all in terms of how states or municipalities will address this problem. But I think it is one where we are likely to see consistent use of the National Guard across the country because it is a real source of expertise that is under the authority of the governor and can be readily deployed when they have a significant incident. I'll just add one thing as the Air National Guard Assistant here at the US Cyber Command is there's a direct liaison relationship to CISA where our folks across the 54 states, Commonwealth and Territories can directly reach out through the Cyber 9 line directly to members of CISA. The members of that team have been incredibly proactive in the sense of if you think there may be an issue or you think there may be a malware, for instance, you know, reach out proactively and they will provide guidance information, et cetera. Also, under Colonel Hayden, US Cyber Command has a specific division that the Guard can also reach out to. As Brandon put, there are, you can imagine like different companies, some that are more robust, very well-developed, some who full-time work in the industry, but there are also some that are nascent in learning and so having both the support of US Cyber Command and CISA's instrumentals to the 54. Good morning, good morning, Sir. Dane Blocks from Joint Task Force Aries. I was wondering about your agency's relationship with CISA and Joint Force headquarters, Doden, and then a follow on if you all run into any impediments when it comes to information sharing and classification. Yeah, so two good questions. So first, on the relationship with DISA, yes, we have an extremely close one, so I didn't talk a lot about today, but part of CISA's core operational responsibility is kind of the operational lead for the security of the Federalist Civilian Executive Branch, which are the 102 civilian federal agencies, everything from large cabinet agencies like DHS or Department of Justice, down to micro-agencies like the Marine Mammal Commission. We are not the ones who ultimately manage the security for their network, but we are responsible for providing support. We provide a lot of technology. We've got some new authorities to do more proactive hunting and assessments on those networks, and one of the things we do issue are things like binding operational directives when we see an emergency directive, when we see a real acute problem, we can issue an emergency directive. So for example, in the aftermath of solar winds, that Sunday night after it was discovered on Saturday, that Sunday night we issued an emergency directive to remove all solar winds devices that were certain version numbers within two days. We issued binding operational directives, more long-term strategic focus areas, things like that every federal agency needs to have a vulnerability disclosure program so that security researchers can know where to provide critical vulnerabilities on federal agency networks. And we work very closely with DISA to make sure that we are sharing information on the action that each other is taking related to the operation of our various networks. We don't have exactly the same challenges, so we're not going to be issuing every single directive inside of SISA or the STIGs and other actions that DISA and General Macassone does as his responsibility to be the national manager for classified networks. But we do share information very routinely on what each other is doing so that we can understand if there's actions that we're not taking, whether we should take any lessons learned from actions that you are taking, what's working, what's not. So that relationship is very strong. Your second question was on... Any impediments on information sharing? Classification. So this is something where I think if you would probably ask me this question seven years ago I would have given you a different answer but I think today the relationship is such with kind of the key producers of intelligence that we are able to kind of get information downgraded that we need to at speed. I mean, so NSA, when they produce intelligence for the most part and almost all of their non-compartmented intelligence is generating unclassified, tear line, victim identifiers for CISA and the FBI to go do victim response, immediately oftentimes we'll get those, start working on exactly the language that we wanna use, work that with NSA and within hours we're gonna be getting our teams in the field on the phone with the potential victim of an incident. That is happening literally today in hours. I think if you would ask me that question five or six years ago it would have been a potentially a multi-day fight to get to where we need to be but I think we both have recognized the value of operationalizing this information as quickly as possible and when there are times where we can't release information as quickly as we want there's good reason and that is part of a kind of ongoing dialogue with us and the relevant producers. We understand what the challenge is and we kind of work to see well if we can't release X how about Y and Z? Can we get that out there if we can't get some of the key information? But I do think that today I can tell you that I do not think that there's any significant impediment to the execution of our Cyrus creator responsibilities because of classification. Thank you so much for joining us. That's all the time we have today for questions but on behalf of the Office of the Staff Judge Advocate thank you so much. For the live audience we are on a break until 11.15 so please be in your seats a few minutes before 11.15. We would like to talk to you about what makes working a U.S. Cyber Command Office of the Staff Judge Advocate so unique, challenging and rewarding and why you would want to join the military cyberspace operations legal community. Experience in any operational field is an outstanding foundation for dealing with cyberspace operations. No matter the domain of operations international humanitarian law applies in all armed conflicts and as a matter of Department of Defense policy it applies to all operations. Observing the principles of military necessity, distinction, proportionality and humanity is always required no matter the means or method of operations. However, the way we implement these principles and protect their underlying values are often challenged by cyberspace operations that can achieve strategic effects without rising to the level of a use of force or armed attack. Laws designed primarily to protect life, limb and property from kinetic attacks do not translate easily when applied to comparatively non-destructive effects. The role of the military cyberspace operations legal community then is to interpret an imperfect regime in real time offering careful consideration of international law, domestic authorities and policy implications and their impact on national and international security. The work of this community stands within and at the forefront of some of the most complex operational legal issues today. Cyberspace operations legal practitioners have the ability to, through careful and thorough discernment, shape the evolution of practice. It is not uncommon for a cyberspace operations legal practitioner to be asked to weigh in on questions of international sovereignty, domestic criminal laws, constitutional principles and under certain circumstances what may be lawful as part of a single mission. Take non-intervention for instance, in cyberspace, borders are porous and threats can emanate from anywhere and everywhere. As a result, the physical domain does not neatly translate to cyber. This can make working in the cyberspace operations legal community a challenge as oftentimes legal issues may be cases of first impression. Additionally, cyber lawyers need to be able to effectively distill what can be complicated technical jargon and translate it into language that is accessible to a broader audience. After all, not everyone speaks in ones and zeros. As a result, cyber lawyers must translate technical information and apply it within our domestic and international legal framework. The cyberspace legal practitioner is not limited to reacting to events but is also tasked with helping lay the groundwork for a future. The practitioners asked to weigh in on the ramifications of policy, of potential legislation, of interagency cooperation and of partnerships with industry, the private sector and our international partners. The reality is that this is only the beginning. Legal and policy parameters for governing state behavior in cyberspace, domestically and internationally will continue to evolve in order to keep pace with the threat. Recent events have demonstrated that these issues are not mere hypotheticals or academic exercises but instead are stark realities that require serious and proactive measures. We look forward to continuing this conversation through our practice and through the thoughtful dialogue demonstrated here at the US Cybercom legal conference. We welcome you to join us in the cutting edge legal practice of cyberspace operations.