Wow, that is a bright light. Defcon, 20 years. So I've been at about eight of the cons and it has been pretty incredible to see how things have changed over there. I'm actually quite surprised that so many of you are here today because Jeff's over talking in one of the other rooms. I figured that he would suck all the energy out of this room so I hope I have something mildly interesting to say. Back in 1999, I was still in the Navy and Defcon was still kind of a scary place for government and Navy guys to go. But one of my guys, Sean Murphy, Sean, you're not out there are you? He said, hey, you know, we had to go out there. I think that would be something cool to do for the Navy to go show the flag. And so we talked to the skipper and convinced him to let us send two people out here. But because we wanted to kind of be incognito, he had to give us special permission. So I had two guys that actually grew their hair out and grew beards for about two months, which was pretty unusual. And they were always getting stopped and saying, hey, sailor, you need a haircut. And so anyway, it was kind of interesting back then. Jeff's not here, but this is pretty cool that Defcon has been able to be around this long. Some people in the room here today probably weren't even born at the first Defcon 20 years ago. And if you've never heard the genesis of Defcon, how it actually started, you need to go buy Jeff a beer sometime and have him walk through it. But I'm going to walk through it really quickly here at a very high level. Jeff was living in Seattle at the time. He was living with a music producer that was producing hip hop music. And it was, I guess, kind of lame, but on the hip hop scene back then if something was cool, it was def. And I know that's pretty lame. And during the 90s, phone phreaking was still the rage. And getting free access was what it was all about. And if you go back and you look at the number three key on your phone, it's DEF.
So what really sealed it for Jeff, the name Defcon, actually it was the movie WarGames. And while WarGames had come out a few years earlier than that. In the movie Matthew Broderick, he hacks the WOPR computer. Anybody know what WOPR, remember what WOPR stands for? Somebody does. Has anybody seen the movie? Anyway, he hacks WOPR and starts playing a game called Global Thermonuclear War. And when they ask him, he says, what are the targets you want to enter into here? He puts in Seattle and Las Vegas. So he was living in Seattle at the time and he wanted to hold the con in Las Vegas. So it was like, you know, there's more to this. So anyway, that's how Defcon was born. So here we are 20 years later. And I think that's a testament to the staying power of our community and the significance of what our community, what the security community has grown to over the years. In the early days, even, you know, think about this back in 1992, computers were still pretty expensive. Not everybody had one like today, you know, when some of us have two or three or four or even a server farm in a closet at home. But the most important thing was there was no such thing as free internet access back then. I mean, there was no Wi-Fi. And when we think about it now, I mean, we go someplace and there's no free Wi-Fi. It's kind of like, what's going on here? No free Wi-Fi. I mean, I still get hacked off when I go into a hotel and I got to spend $14.95 for 24 hours of access. But anyway, back then there was so much to learn. I mean, it was like, it was the beginning of what we're doing today. There was so much to learn and there really was no place for people to go and do that. Until DEF CON. And at DEF CON you can actually meet people that are coming up with the cool hacks and, you know, you're going to see some amazing stuff here today. And you can actually build relationships with these people. It's a place where you could begin to build trust.
And really our community, the security community, exists because of the trust that we have with each other. The other thing, there were no security jobs. I mean, there were virtually no jobs in the security business back in 1992. So if you think about that for a second, 20 years ago the jobs that most of us have now didn't even exist. I know that there was no CISO or CSO jobs, maybe CSO jobs to the physical side. But back in, I was actually, I was in grad school in 1993 in one of my classes. We got to play with a beta version of this browser thing called Mosaic. And I can remember thinking at the time that this is absolutely the coolest thing in the world. This is going to change the world. And I mean, think about it, the browser was a new term. And there was no worldwide web, Google wasn't around. So for us in the security community at the time, if you needed something, if you needed to find out about something, you needed to research something, you needed to talk to somebody about something, you couldn't just go and do a search and find it. You actually, you had to know somebody. You had to know somebody who knew somebody. So DEF CON opened the door for us to meet people that we'd normally never get a chance to talk to. Science and scientists and government technologists, researchers, vendors, publishers. So it really kind of opened the window for, you know, for the community that we have today. So you're probably wondering what the heck does all this have to do with Homeland Security and the Christopher Columbus Rule? A couple of people asked me that over the last couple of days. What is this Christopher Columbus Rule you're talking about? Well, the Deputy Secretary at DHS is probably one of the smartest people in the world that I know. I mean, she's absolutely brilliant. But what she calls the Christopher Columbus Rule is this, never fail to distinguish what's new from what's new to you. 
So what I wanted to talk about today are some of the things that DHS is doing that are contrary to what I think people typically think about the government and really specifically the Department of Homeland Security. The government has become very good over the years at dealing with and responding to incidents in the physical world. But the cyber world, especially over the last couple of years, has really caused us to rethink and react differently to a variety of different things. And as my friend Tom Kellermann, many of you know Tom, he's with Trend Micro now, and I was recently quoted in an article saying that, now anyone can download a cyber collision cop, a cyber getaway car, and a cyber grenade. It's a pretty cool statement. So one thing I want to tell you up front is that I don't think I'm smarter than you and I don't think the government is smarter than you. I don't think that I understand your business or your company better than you do. And I get that a lot from people as I go around that people seem to think that we do think we're smarter than the private sector. And I can tell you from my perspective, having been at DHS for about seven months now and I came from the private sector, I certainly don't think that the government is smarter than all you all and what you guys are doing in your own organizations. So the mission of DHS is to ensure a safe, secure, resilient place where the American way of life can thrive. It always sounds to me like if any of you are old enough to remember the Superman show that used to come on every afternoon, it started with truth, justice and the American way. It always reminds me of that. But I can tell you that employees at the Department of Homeland Security, at least within our organization, go to work every day thinking about that mission statement.
So while the government isn't historically known for innovation or thinking outside the box, that's changed a lot really over the years but a lot over the past year at the Department of Homeland Security. Specifically, I think the way we've been driven to approach cybersecurity has caused us to be more flexible as we develop and implement new security solutions and services. We're hiring a lot of people from the private sector that are bringing new concepts of thinking. As I said, I've been there for seven months now and I've been purposefully, very specifically, targetedly hiring people that have a reputation for thinking outside the box, for thinking the way that government folks don't normally tend to think. Now I can tell you it's been a little bit unsettling for a lot of people at DHS and in the government but the 21st century is a terrible time to be a control freak in my mind. In fact, Secretary Napolitano appointed Jeff Moss to the Homeland Security Advisory Council a couple of years ago. There were a lot of eyebrows raised in the hacker community, especially here at DEF CON. I know Jeff took a lot of grief for that initially. But I can tell you he's been center stage on a lot of initiatives in the government and really helping us push the envelope and think differently. The Secretary recently appointed Jeff to a task force on looking at work force, cyber work force issues at DHS which I hope that we will then turn around and apply more broadly to the rest of government and even to the private sector. I have never asked Jeff this question directly but I would almost guarantee you that 10 years ago if you would have asked Jeff if he would have asked him if he thought he would be working this closely with the government that probably would have been pretty interesting to see his response. 
So anyway, I'm here today representing the Department of Homeland Security because I want to tell you about some of the things that we're doing but more importantly some of the things I think that we have in common and I also want to challenge you with a few things as I wrap my little talk up here. So you're all here at DEF CON to learn about new technologies and new techniques and new opportunities and no matter what your motivation is for what you do whether it's looking for zero days, writing new apps or just wanting to learn how to run your organization better. Ultimately I think or at least I hope that we're here because we care about national security and we care about security within our organizations which contribute to national security in a large measure. I can't legitimately call myself a hacker these days but I have spent all of my adult life in this business and so the one thing I hope is that we do have a common concern for the safety of our nation. The United States is both a cyber power and a cyber target and General Alexander from NSA is speaking I think at noon today and I encourage you to go hear because I think he'll talk a lot more about that. The critical infrastructure our society depends on every day relies on technology and is also very increasingly dependent upon cyber security. Those of you who were over at the Black Hat, Shawn Henry formerly of the FBI gave the keynote on Wednesday and talked a lot about that. In fact you can read Shawn talks about a lot in the media and been some pretty interesting discussions that he's started. But our economic vitality as a nation is really dependent upon the critical infrastructure for things we need like our communications, our transportation, electricity, water all of those critical infrastructure things are dependent upon the technology and the cyber security that underpins all of that.
Defending our critical infrastructures that support our businesses and government requires innovation and bold thinking and that's what everyone in this room has the power to get involved with. Partnerships, collaboration and information sharing are essential to cyber security. The more partners we have the better protected and less vulnerable we all are. No one, no one company, no one country, no one government, no one organization can do it all. I still think there's a bit of a perception, slowly changing I think but there's a bit of a perception that the government is clueless about cyber security and I can tell you that is, it couldn't be farther from the truth. So while there's certainly some government organizations and private sector organizations that are more mature than others, we're also pretty technically advanced in a lot of ways and we have a lot of really smart people doing some fairly advanced work in a lot of areas. So really that's what I want to spend the rest of the time talking about are those issues. So we have three primary cyber responsibilities for the nation, the Department of Homeland Security. We secure the .gov environment for the federal civilian departments. We help the private sector secure their networks primarily in the critical infrastructure areas and then we also lead and coordinate responses to national cyber events that rise to some national significance. And in 2011, US-CERT received over 106,000 incident reports from government and private sector organizations around the country. They also issued more than 5,200 alerts and advisories. So if you do the math, that's almost 300 incident reports and 14 alerts and advisories every single day of the year last year. And I can tell you right now we're going to do more than that this year.
Our industrial control system CERT conducted 78 on-site assessments of civilian control system entities last year and worked with those organizations providing them recommendations with how they could improve their security posture. The ICS-CERT also distributed more than 1,100 copies of our CSET tool and we conducted more than 40 industrial control system training sessions both at our facility in Idaho Falls and on our road shows around the country. As anyone, I can't see, but so I want to ask the question, I guess. The industrial control systems facility in Idaho Falls, I encourage you to check that out. It's something that anyone can participate in and I've seen different training facilities around the world where people do a variety of different things. And I tell you, the facility we have in Idaho Falls is absolutely the best industrial control system training, cybersecurity training facility in the world. And I encourage you, if you haven't been to it and you can get on the schedule and attend that training, well worthwhile and it's free by the way. You just pay your freight to get there and while you're there. Really a great program. We pay particular attention at DHS for industrial control systems. It's kind of one of my passions having come from the electricity industry before I came to DHS. I was the Chief Security Officer at the North American Electric Reliability Corporation and I worked with about 5,000, I worked with all of the electric utilities across North America. That's U.S. and Canada and even a couple in Mexico on working with them on ensuring that they were at least taking advantage of what we had to offer at NERC with respect to cybersecurity across their control system environments. We also operate the National Cybersecurity and Communications Integration Center or NCCIC, which really is the nexus of cybersecurity information sharing in the federal government and increasingly with the private sector.
We have, it's a 24-7 operations and we have people in there from all over the public and private sector. The various ISACs, the financial services, electric sector, IT sector, ISACs are represented on our watch floor. We have different federal government agencies represented there. We have the FBI, Secret Service, Coast Guard. We have a number of different organizations out there and I can tell you anyone who's ever worked in an operations center, it's the informal relationships that matter more than the formal relationships. And out there when you have somebody from the Coast Guard or somebody from the Secret Service sitting next to somebody from a bank or somebody working in the financial sector and they see different events within their sector. They're getting different reports from different companies on different security-related events or incidents that are happening and you start seeing the magic that happens with that information sharing and how it really grows across the watch floor and we're able to get a much better operational picture of what's happening across the nation actually. In combating cybercrime we work closely with the Secret Service, Immigration and Customs, the FBI and really any other law enforcement organization in the country both at the federal level as well as the state local level too. So not only do we have a lot of exciting and important work going on in our operations, we participate in a lot of pretty advanced research out of our R&D department in the Science and Technology Directorate at DHS. They sponsor a number of projects that have resulted in new technology and they continue to drive new initiatives. Way back in 2003 when the president released the National Strategy to Secure Cyberspace the report called out and said that DNS and BGP were two of the protocols that were actually most vulnerable and needed the most attention. So while I think everyone agrees that this is pretty important in the overall internet security.
There wasn't a lot of commercial advantage for a company taking up that banner. So really that was an appropriate role for the government to step in and invest the time and money in to begin maturing the security of those protocols. So DHS provided a lot of funding and leadership. Dr. Doug Maughan is one of our, actually he runs the R&D department at DHS and really he is a great guy but he's been very vocal and forceful about pushing on some things that we all, we in the security business think are really important. He really pushed hard on DNS and DHS was one of the organizations, I'm not saying the only one but it was one of the organizations that really pushed hard in getting DNSSEC rolled out. So now DNSSEC as you know is rolling out across all of the different top level domains and over 70 countries have their top level domains already signed with DNSSEC. We're also providing funding for the development and employment of BGPSEC and as you probably know the protocol modifications are currently going through the IETF standards process now. And I just talked with Doug a couple days ago and he told me that they're also providing funding for development of routing public key infrastructure, RPKI, which provides signatures on address blocks provided to registries and ISPs. So that's just kind of a little tip of what we're doing. You know we're certainly not a, we're not an In-Q-Tel-like organization. We're not, although we do provide funding to some startups that have some promise for things that we look for that could develop into something that more broadly is transferable to the government and the private sector. There's just a lot of interesting things going, a lot of great opportunities within DHS to get involved with some of those things. So what else are we doing? I'm keyed on three prime areas that I believe we need to stay focused on to make the nation stronger. These include three things. Building a world-class workforce for DHS in the nation.
Strengthening partnerships across the government private sector and achieving operational excellence. So building a world-class workforce over the past 20 years anybody that's been in this business for that long knows that we've constantly reinvented ourselves. I mean the things change so rapidly. I mean the things that I worry about today as a, you know as a security professional are not the things I worried about a year ago. I mean the threats they're different, the vulnerabilities are different. They've changed and you know my experience tells me that the things I'm worried about today are not going to be the things that I'm worried about 12 months from now. So even at DHS we've had to evolve. You know, following the 9/11 disaster the Congress decided that we needed an organization that was focused on Homeland Security. So we had got the Department of Homeland Security. But that the department is really an aggregation of about two dozen different departments and agencies. So there's a, you can imagine there's a lot of growing things that go along with aggregating those many, those different kinds of organizations. Some of which have been around for a long time. You know the Secret Service and the Coast Guard those are very legacy driven organizations and bringing them into one very very large organization has been some challenges. But I mean DHS we're, our organization we're about 240,000 people across the globe really. Four years ago in my organization today we had about 40 people. Today we have close to 400 people doing everything from running the NCCIC, running US-CERT, running ICS-CERT to doing our national education training, education training programs and our national cybersecurity awareness programs. So we really do a lot. We don't just do operations. We do part of our mission, part of my mission is to go out and spread the gospel.
And you know talking to a group like an audience like you today is different than talking to an auditorium full of people in a town or in a university somewhere. The level of awareness of the threat and the vulnerabilities that we deal with on a daily basis simply not there. So it's a big deal for us. Big part of our mission is to go out and spread that gospel across the nation. So just like you and your jobs our workload continues to grow which means we have to have better trained people all the time. So I can't see your hands but I'm going to ask the question anyway. How many people have all of the cybersecurity talent? Oh, thank you. Wow, magic. How many people have all of the cybersecurity talent in your companies or your organizations that you want and that you think you need? No one. So that means there's not enough cybersecurity talent in the world today. Well, I agree with that. And what I'm talking about here I'm talking about the uber talented people. I mean the ninja type people that the kind of people that if you had 10 or 15 or 20 or more room like this I could rule the world. Most companies don't have that. You know, coming from the private sector and working with electric utilities across the nation there's probably 20 really large electric companies in the country. But there are 4,800 or so that are not very large. And I can tell you a lot of those companies are clueless, absolutely clueless. So we as a community have to figure out how we can raise the bar for everyone. So we have a problem and that problem is that we don't have enough of those uber talented people to protect our private sector companies, our government and our critical infrastructures. And those are the people we depend on. You guys are the people that we depend on. The nation depends on. Identifying, cultivating and creating the next generation of cybersecurity professionals is critical to our economic viability and the security of the nation of our society actually. 
I don't think that's hyperbole and I really can't overemphasize how important that is. I was in Mountain View a couple of weeks ago. I go out and talk to companies and talk to startups every now and then and see what kind of things they're working on, if they're things that we that are translatable or transferable back into the government or if they're things that I think have potential as that next big thing. And I was talking with one company, a small company, there were 77 people in the company. Really cool product and they've grown from four people to 77 people in about four years. So that's a great, that's a success. The bad part about it is they have 55 open, 55 vacancies in the company that they can't find the talented people for. That's a big deal. I was talking with someone last night from a very large company and he said they, that is their number one problem, is finding the really talented people to come in. And it takes so long, he said it took 18 months for them once they identified somebody to get them in the company. So that may be a different kind of a problem. That sounds like a federal government bureaucracy problem to me, but so this is a big deal. It's something that we, I think as a community, need to be more concerned about. So I believe our first step to solve the problem is a cultural one. We need to make people want to choose cyber spirit as a career. We need, I don't think we'll ever get to a place where kids say I'd rather be a geek than be a cowboy or be a race car driver or something like that, but we need to make them aware that it is an option. I cannot tell you how many, you know, as I go around and talk to schools, both at the grade school and high school and university level, people simply do not know that you can actually have a career doing this. I was talking to three high school kids last week and when I said, hey, you know, there are people that want to hire you. 
You finish your education, there are people that want to hire you and they were pretty blown away by it. But that's good. I mean, so we just have to get better. We, the government and the private sector have to work together on changing that public perception, figure out how we can actually make it cool. You know, it's cool when you're here at DEF CON and you're hanging around with people that think alike, but you know, you go back out and you're one person in the sea of humanity that don't always think the same way. So DHS is taking active measures to cultivate the next generation of cyber security professionals. We do a number of things. I'm going to run through a couple of the different programs that we are involved with. We have a partnership with the National Institutes of Standards and Technology in a nationally coordinated effort focused on cyber security awareness, education, training and professional development. It's called the NICE program. I hate that term. I wish I'd have been around when I would have named it something other than NICE. NICE stands for National Initiative for Cyber Security Education. We also have a partnership with General Alexander's team at the National Security Agency for the National Centers for Academic Excellence by promoting higher education and producing graduates with cyber security expertise at 145 different universities and colleges across the country. We also have a partnership with the National Science Foundation called Scholarship for Service Program that offers scholarships for two years and then you pay back two years of service in a federal government agency. I really like that program. I actually like all those programs because it's kind of a win-win. We're increasing the talent pool in the country. 
We're floating the boat a little bit higher but we get first crack at hiring some of these people back into a sponsor of the National Collegiate Cyber Defense Competition and actually we help sponsor, we co-sponsor a number of other cyber challenge events. I attended the championship for that National Collegiate Cyber Defense Competition a couple months ago in San Antonio and I tell people all the time, if you're not going there and recruiting, you're missing an incredible opportunity. There are some really bright kids that are coming out of college and I'm telling you, the last night of the event, they hold a kind of a social and these kids are rock stars. I mean, there are big companies that are vying for the 20 year old kids' attention because they are really looking to hire them. Two years ago, Boeing was there and Boeing hired all late of the guys on the winning team right there. So a great recruiting opportunity and I really encourage people to go do that. So I talked about some of the college programs and I think they're really important but I don't want to be misunderstood about something. Some of the best security people I know, some of the most brilliant minds I know in our business never went to college. So I think that's lost, a lot of times we focus on going to college and these academic programs at universities and colleges. I don't want to miss, not everybody has to go to college. Those great people that I talk about, they spent those four years with hands on keyboards spending 20 hours a day hacking, thinking, learning, talking to other people. So I'm not going to poo poo the college education because I really do think it's important but it's not the most important thing and we can't you know, I've been to in a couple of organizations where HR didn't want to hire people if they didn't have a college degree and I fought that battle for the past 20 years and I think we all need to recognize that because it is a big deal. 
I know that there's probably a lot of you out there that don't have a degree that are a hell of a lot smarter than I am in this business, you know and if you are come and see me because I want to hire you. So one of my loftier goals at DHS is to actually make it a stop on somebody's career path. Now I'm not naive enough to believe that everybody in here is going to want to run and jump and come and join work for the government I'll say we have some pretty cool opportunities in the government we have some a very cool mission to protect the nation we have cool tools so it's not that it's a career choice for everybody but you know what come and work for the government for a couple of years two years, three years get some experience especially if you're new in the game it works great on a resume and it gives you the kind of experience that will allow you to go back to go out and compete a little bit better in the broader community so I talked to so while we're hiring great people at DHS just like many of you keeping those people is a challenge sometimes as I just mentioned and I encourage this by the way mention somebody come and work for the government for two or three years then they go off and do something else but of course somebody works for you for two or three years they're just getting competent enough where you can have them go and do other things and that's when you know other people are coming in with offering better money or a new challenge so we have to do that too I mean we have to and we think very, very specifically about this about how do we retain our programs that we focus on certainly with our entry level training we bring somebody in they get the same kind of basic training that probably most of you provide your new employees we really focus on that try to create that culture where they realize that we value that and then we have cyber rotations where we actually rotate people give them the opportunity after they've been there a while to go and 
work in other parts of DHS and you can go work in the Coast Guard you can go work in the Secret Service you can go work in the Secret Service has a National Forensics Laboratory great place to go we have a malware lab within the US CERT organization it's another great place to go and get some different experience so those guys look like they have guns oh no they're not cops so these rotational assignments are really really important for us and they broaden the experience and then when they come back to the organization they're much more valuable to all of us we also do formal mentoring where actually somebody can say buddy them up with somebody that does have more experience and they actually spend a year or two being formally mentored and then we have a masters level program where people take classes remotely from the Naval Postgraduate School and they end up getting a master's degree in cyber security from NPS my alma mater by the way so we have a variety of missions at DHS and in case you didn't pick up on it I'm trying to convince you that DHS is a cool place to work so my second goal is strengthening partnerships across government and the private sector nation sharing and public-private partnerships are things we've heard about for a long time and they're critical to our success but we really have to work together on this the private sector owns and operates roughly 85% of the nation's critical infrastructure so collaboration is really important and partnerships are even more important because they add a lot of value they help us with their effective force multiplier their essential components to building awareness and education with our stakeholders as I mentioned earlier the circles of trust might be the most important component of our business Socrates said the way to gain a good reputation is to endeavor to be what you desire to appear I said this at black at yesterday I think I might be the first guy to quote Socrates at DEF CON I think this describes a 
trust model pretty well, because in our business we're all about having credibility, not being a poser. So we all know that partnerships are important. It's my job to make sure that DHS continues to strengthen them, build trusted relationships and cultivate them, that result in valuable information sharing across the government and the private sector. So my third goal is achieving operational excellence. There are threats everywhere, and we all see them. Mine may be different than yours, but it will happen in a lot of respects. My goal is to make DHS continue to be the lead for security in the federal government. I also want us to be the key organization the private sector looks for to help in securing the critical infrastructure, and the NCCIC is really that place where we're seeing that now. The call volume and interaction with the private sector and the NCCIC is going through the roof. People are beginning to realize that there's a lot of value in communicating with DHS from a threat and vulnerability perspective, because we have a lot of information. As we gather information from one company, we share that out broadly. You extrapolate that across the entire nation, that's what results in all of those alerts and advisories. So not only are we looking to hire the best people we can find and build a great talent pool, we're also developing and implementing some of the very best products that this is available. We're also focused on streamlining our operational areas so that efficiency and consistency are embedded in everything we do. So you've heard that story, this is kind of the way I worked in building the security programs in the different organizations I've done, the story of: you don't have to outrun the bear, you just have to outrun your buddy. Well, we all be building programs kind of with that in mind. We build the bar high enough so that we become too much of a challenge and bad guys go somewhere else. They go where the buddies aren't running fast enough. And we as a nation need to be
thinking about that, going back to my first comment about we're both a cyber power and a cyber target. I'd rather be a target of opportunity any day than a target of choice, by the way. So I'd like to leave you with three challenges, and these are things that will help us in our defense of the nation, but also help you and your companies. First off, continue talking about cyber security to everybody you can. I know it's a bit of a cliche, but as I mentioned earlier, and you guys know this too, you get out in different communities, you get in different areas and groups, and people are clueless about what we do, absolutely clueless about the threats that we face and the impact that it could have on our life and on our society. You guys are the champions. So we really need, we the nation need, everybody in here to raise the awareness level. Go out and speak at a school, at a grammar school or high school. Get involved with a program at a school. I was at Cal Poly Pomona last week. They held a cyber camp. They hold a cyber camp every year, and I was at a conference and he's here somewhere. This guy is a national treasure, truly, truly. What he does at Cal Poly Pomona is phenomenal. For those of you that don't know, a polytechnical university is different than a regular university. Their motto is they learn by doing. So you go through four years of classes at a polytech, but each one of the classes has a lab. You actually have hands-on experience with everything you do. And at Cal Poly Pomona they have really built one of the, I think, one of the premier cyber security programs in the nation. Anyway, last week at the cyber camp, 37 people participated in a week of training, and then they had a CTF event at the end of the week. And so it was just watching these, and some of them were like 16 years old, they looked like, and they actually had a 60-year-old dude in there too, in the program. It just kind of shows you the range of the people that are getting involved with some of these things. So we are sponsoring
a number of these different programs. And does anyone know Alex Levinson? Alex here? Eric Cornelius? Eric better be here. Well, both Alex and Eric were, they were parts of these programs a couple of years ago. Alex is now a senior security engineer at Zynga, you know, one of the great gaming companies up in San Francisco. Eric, he works for us at DHS. He's an industrial control system security guy, probably one of the most elite security guys in the industrial control system space in the entire world. But I think that speaks to the quality of these programs that are turning out people like that. I was actually talking with a guy from Rackspace yesterday, and they actually sponsored some programs too at the university level, where they're working with universities, with people at the university, on these kind of things, just kind of after-school programs. So these are the kind of programs that we as a nation, we need your companies to support. Get involved with some of these things. The second challenge is to do whatever you can to make security less complicated and confusing for the average user. We've been saying it for years, but complexity is the enemy of good security. We need to continue getting better about building security in so there's less bolting on later. I'm going to tell Scott Charney's story. Many of you guys have probably heard, some of you have heard Scott talk about this. Scott Charney is the Vice President of Trustworthy Computing at Microsoft. He tells this great story that he has a 4-year-old son and an 80-year-old mother, and he has the same problem with both of them. His 4-year-old son will be on the computer and he'll get a pop-up, and his son just clicks right through it and goes on, because he can't read. His 80-year-old mother, who by the way has a PhD, on a computer, and she'll get a pop-up, and she clicks through because she doesn't understand what it means. So we have to get better, we as a community have to get better, especially if you're developing programs or you're
writing code. We have to get better about building security and making it easier for the average consumer to understand this. I told this story yesterday. I always talk to my dad on the weekend, either Saturday or Sunday, and so I see his phone number pop up on my phone on Saturday or Sunday, it's not a big deal, I know it's Dad, who wants a chat for a little bit. But if I ever get a call during the week, on a Monday night or a Tuesday night or a Wednesday night, I always know he's got some kind of computer problem. He's got some... and I always tell him, I said, "Dad, don't click on anything. If you get a pop-up, call me." And so I get these late night calls and he says, "Okay, I have this pop-up," and he's trying to explain it to me in a minute. We have to make it easier for consumers to deal with this kind of stuff. So I want to talk about open source just for one second. I'm a believer in open source. I know that for some people, they think that the government is opposed to open source. I'm trying to change that, at least at DHS. I think open source has a lot of value. I mean, from the very beginning I've loved open source technology because it's kind of, it's like evolution: you live, if you're bad you die, and we all have a part in making that, making some of those decisions. I think open source has a lot of value in helping make things easier for that consumer. So it's said that you can recover from a poor decision, but you can't recover from indecision. So my last challenge to you is to execute. Use your talents for good and not evil. Be part of the solution, don't be part of the problem. Do something good for your country, because I can tell you, we as a community have a lot of value to the country. We can do a lot of really good things, but we need to focus on doing those good things. Take your ideas and innovations and do something positive. Tony Sager, many of you know Tony, he recently retired from the... 25 or 30 years, forever, at the National Security Agency. Tony's absolutely one of the most brilliant
people in the world, and he's so plain spoken, and just, he gets it, and he knows how to take the most complex thing and turn it into something simple. Tony says, "Automate everything you can, and when you get done, figure out how to automate everything else, so that we can save humans for work worthy of humans." There's something profound in that, I think. And Rich Bejtlich, Rich is the CSO at Mandiant, he said last week, or actually a couple months ago, was quoted as saying the average cyber espionage attack goes on for 416 days before the average company discovers it's been hacked. We have to get better at executing to change that. We as a community have to get better at executing. 416 days. That's hard facts. That's not just hyperbole, that's not just made-up numbers. They know that. We have to get better, and it's our job, it's all of our job, to get better executing to mitigate those kinds of things. So that's it, and I'm out of time. That's alright, you can rush me out of here now. Anyway, thank you very much. Enjoy DEF CON. This is awesome. 20 years.