 Let's get started. So you are in one of the last sessions of the first day of DEFCON 31. All right. And so the idea here is sort of a fireside chat. I mean, I'll be asking a lot of questions, but it's really more of a fireside chat with the acting director of the Office of National Cyber... O-N-C-D-N-N. And so then it's my pleasure to introduce Kemba Walden, the acting director of... Um, this is her first time at DEFCON. First time at DEFCON. Wait. What does it mean when it's her first time at DEFCON? And she's graciously accepted the challenge. Okay, so I'm going to invite Kemba to come up and say a couple of words. I was thinking of teasing out all these answers through all these questions. What is O-N-C-D? What do you do? What is it like there? And it's like, no, just come up and tell us and we'll get through that quicker and we'll be more authentic and then we can move on to the questions. So with that, it's my privilege to introduce Kemba Walden. That's not long enough. So I'm vertically challenged. I'm trying to figure out a way to see you all. Can you see me? You can? No, you can't see me, right? Oh, why don't you stand over here then? Okay, I'm going to stand over here. Can see you all. You can see me. Okay, good. Hello there. I am Kemba Walden. I am the Acting National Cyber Director in the White House. I want to tell you a little bit about what we do and who we are and how lucky I am to be in the White House working with some incredible folks. Before I get started, I want to just point to the front row here at DEFCON. We have a whole staff here who are here to talk to you to help us design better policy. So who are we? Let's get this out of the way. We are the newest office in the White House. We were created by Congress in January of 2021. Our first National Cyber Director, thank you. 
Our first National Cyber Director, our first National Cyber Director was confirmed and appointed in July, and we were appropriated meaning that we got funding in November of 2021. I came into the office as second in command that following summer in June of 2022. So we were stood up by Congress to do one thing, and that was to develop National Cyber Security Strategy and Policy for the President and to advise the President as the primary advisor in the White House. We are designed to be a durable presence in the White House no matter who the administration is, no matter what is going on in the White House at that time, we are designed to be there. So we will be there hopefully for years to come. So what have we been doing since we got there? We first aligned all of the federal departments and agencies that have cybersecurity responsibility. So that is CISA, DHS, you've heard from Jen Easterly, she's a fantastic partner. That is the Office of Management and Budget where the federal CIO sits and the federal CISO sits. That is the US Secret Service, that's the FBI, that's the intelligence community. That is the Department of Energy, Health and Human Services, US Department of Agriculture and et cetera. They all have a role in cyber. So we were there to sort of orchestrate a common interest in cyber and to develop a national strategy. We did that with the help of you, with researchers, with civil society, with academia, with state and local entities, with my international partners. That was the first thing we did. We developed the National Cyber Security Strategy. That was done and signed by President Biden in March of this year, March 2nd, 2023, this year. After we did that, we then had to make it go, right? So we were novel in developing this strategy. We decided that we were going to pursue something affirmative this time rather than sort of pacing after bad actors and having them define our agenda. 
And so we were going to decide how do we want to build a defensible, resilient, digital ecosystem that's aligned with our values? And we discovered after doing a lot of research about what we've been doing for the last 20 years and whether that's worked or hasn't worked, we figured out that we needed to make two major shifts. The first is recognizing that cybersecurity risk and responsibilities now devolve down to the least capable actors. You've heard me say before, if you were here at Black Hat yesterday, that if my children play Minecraft and they click on an interesting link on some other application, they could cause a national security crisis. That's not fair and it's inefficient and that scares me as a mom. We need to upscale that so that those that are more capable of bearing cybersecurity risk do. And that I include the federal government, I include large enterprises, I include producers in that story. We are more capable of building a defensible digital ecosystem. But we know if you're in the risk business that you don't get to zero risk, you get residual risk. And so what do we do with that? We need to figure out what the investments are that we need to make in order to make cyberspace more resilient. And that is if you take the proposition that cyberspace is technology, people, and doctrine protocols, you need to make it resilient all the way through, not just in the technology, but in the people and the protocols. So we're looking for a defensible digital ecosystem and a resilient digital ecosystem. That's what we mean. And then we need to make sure it's aligned with our values. Technology by itself has no value. We put the value in it. People are part of technology. We are in the internet. We are the users of the internet. We build the internet as unlike any other domain. It's not like land, space, sea, air. It is something that we've created. So we build values into cyberspace. And so what do we mean by that? How do we execute that? 
So that was the first thing that we did. One of the major things that we did. Right after publishing the National Cyber Security Strategy, we worked with our counterparts in the Office of Management and Budget, because if you don't have money, it's hard to make these things go. And we identified opportunities for federal departments and agencies, because I can't really instruct what the role does, but federal departments and agencies, how are they spending their money in cyberspace? So we helped them prioritize, we're able to crack open budgets, and this is the wonky side of me, this is the superpower that we have in our office, able to crack open those budgets and figure out where to put the money so that we can make the strategy go. The other thing that we needed then is action, because the strategy is only as good as its implementation. And so we produced, and the first time we did so, in the White House, an action plan that's transparent, it's on the website. You can go and look there now. We have identified across 27 objectives in our national strategy, what are we doing? How are we going to implement this? There are 69 action items. We were thoughtful about it. We collaborated in order to figure out what those action items are. We identified departments and agencies that are leading on those action items. And the supporting entity, so ONCD, for example, my office is responsible for 14 of them, CISA is responsible for 10, the FBI is responsible for several, DOJ, et cetera, et cetera. And we put a deadline, a timeline on that so that we're held accountable. The thing I couldn't do is to compel all of you to plug in. But the reason I made it transparent is not just to hold us accountable so that you can measure our progress, but so that you can tell us what we've missed or what will make it work better. This is a living document. The strategy is a durable document. It is there to sort of last for 10 years. It's technology agnostic. 
I think you might see the words AI in there once, maybe quantum is in there, but it's technology agnostic. The living document is the action plan. How do we make this go? So that's the other piece we put forward. Now, personally, I'm a people person. I think that people are the most important element in cyberspace, happy to take challenges and argue other ways, but I really do think people in that three-piece framework I just gave you is the most important part of cyberspace. And so we executed the National Cyber Workforce and Education Strategy in order to make sure that people are more resilient, that they have the foundational skills that they need in order to be able to live in cyberspace in a good way, right? That is what I've been talking to many of you about. What are the cyber skills that we need? What are the skills that we need to make this a safer space? How do we teach kids? How do we make sure the entire population has foundational cyber skills? What does computational literacy look like? What does digital literacy look like? But then, for the urgent need of the 700,000 or 800,000 or whatever tens of thousands of jobs that are unfilled, what are the skills that we need in that space? So I've been talking to several of you today about what does AI do to the digital workforce? How do we recruit you? How do you think about this? What do you do about federal workforce? How do we recruit you? How do we think about this? So those are the big building blocks of the work that we've done. And then there are some other opportunities that we've identified. We've just published an RFI, meaning a request for information, so that you can tell us how to do our jobs better. That's the bottom line. That's why I'm here. And that's why I'm talking to Jeff today. I just need to know from you how to do our jobs better. We are in the White House for a reason, and that is to provide strategic cybersecurity advice to the president. You need to help me do that. 
I would be grateful for it. With that, Jeff, if we wanna sit down. See, wasn't that better? Me trying to get that out of a Q and A. Yeah, so thank you for coming. It's a little bit like cheating. We ended up sitting next to each other at dinner last night. And so before we really get into the nitty gritty, maybe I will tease out of you. What did you do before this role? I mean, you have chased bad guys and gone after some bad criminals, right? Yeah, so one of the things I love about what I do is I'm mission oriented. Excuse me. So I was at Microsoft for a little while in what is known as a digital crimes unit. And I was asked to spin up a counter ransomware piece of that digital crimes unit. Find creative ways to go after the bad guys. How do we use our Microsoft's tools to do that? How do we use the court system to do that? Right, because you were a lawyer. Right, so you know how to... Yeah. So you're more like a lawyer legal hacker. It's found yourself in the policy space. That's exactly right. And we're like the technology hackers finding ourselves in the policy space sometimes, right? I like that, yeah. So yeah, you said a lot of things that I respond to. And so people in the audience, what we're gonna try to do is have a little bit of a conversation so it's not just one sided. So hopefully Kemba's got some questions from me. And we'll just... Lots of questions. And so we'll work through it. So first though, the last thing you were talking about workforce, I mean, that is a really hard one. It's been hard for decades. Yeah. You know, how do you attract, retain, compensate, help people through their career? I was on this task force where we looked at cyber skills for the department and we would find out that departments don't know the skill levels of their employees. So they're like, well, we've got people on antivirus, but we don't know if they're level one or level five or whatever. 
So we don't know if we need to hire more entry level or if we need to hire more experts. We don't know their skill level because we don't have a demonstration of skill like exam. We know they have a certification, but we don't really know how. And so it seems like to develop that workforce that you're talking about, we can need to calibrate, well, how many level ones do we have? How many are needed in the market? And so that was years ago. So I'm curious to see how's that evolved more from one department thinking about this to the White House thinking about it, department and agency wide. And then what do you do about it? You can't just throw money at this problem because you're the government and you don't really have much money. No, but we have mission. Yeah. That's important. And that's why I'm in the government. It's because of mission. It's certainly not for the pay. So, you know, if you think about it this way, cybersecurity really facilitates everything we want society to bring us, right? We want a digital ecosystem. We want to, for some reason, we plug our refrigerators in, we plug our dishwashers in, we have smart homes. So we need it to make sure it's secure in order to enable everybody to do the things that they want to be able to do. So we need to think bigger about skilling. Who are we bringing into this space? We need different perspectives in order to be able to do this effectively. The one thing I worry about is, if you have gatekeepers, like you have the stamp of a seal of approval that you were, just what I was talking about, you're the level one person. Well, whoever gets to assign the stamp is now the gatekeeper, right? I mean, that's also a little dangerous. Or, yeah, but it's the five year old test and things are different now. So it seems like it's more difficult than engineering where the physics of engineering don't change. Maybe the material science changes a little bit, but gravity is still gravity. 
But in the internet, or the skills, the demand for AI or rust or something are just changing. So how do you make this a living document? How do you know what that is? So first of all, there are two things in my mind. One, we need to figure out what barriers we've put upon ourselves, and how do we knock those down, right? Do we really need four year degrees? Do we need... Oh, I see what you're saying, right. Do we need really expensive certification or how do we get people trained and re-skilled and up-skilled and meet them where they are? Not everybody has whatever thousands of dollars to take a training course, right? How do we do that? And how do we make it so it's sustainable? So one thing is to break down barriers. The other is to incentivize lifelong learning and feeding the pipeline, right? So what are we doing for K through 12? What are we doing for lifelong learning? I was just talking to a gentleman that went from IT to OT systems and how he made the transition and now he's training others to train others, right? So how do we make that... How do we scale something like that? And so in the federal government, are you finding particular barriers, like things that we in the private sector or the market, we don't have those problems, but are there uniquely federal barriers? So one, I'm finding that the private sector is suffering too. The one barrier that the private sector doesn't have that the government does have is that you pay a lot more. But we have better mission. We have better mission. We really do. But in private sectors, they can smoke marijuana. I think. I mean, to say there's a quantitative lifestyle difference. I mean, yes, people do smoke marijuana. That is true. I'm just thinking about when I was at DHS, it was always about suitability. Well, we can't get the clearance because suitability precludes. And it's like you are just walking away from thousands of people who otherwise would be qualified. 
And I'm seeing it play over again with the legislation or legalization of marijuana. You're excluding yourself from all these workers. I know it's not your job to fix that. Hopefully Congress will fix that. But it's one of those things where it's like when you let people in the military have tattoos all of a sudden. Well, all of a sudden, more people can join the military. And I just, like you're saying, what are the barriers? It's more than pay. No, I think I actually agree with you. And I will tell you that we are thinking about how to evolve our policies. And for the most part, we have been evolving our policies around that so we can meet people where they are. I wouldn't, I would suggest that if you do smoke marijuana or have in the past, that you can still apply for a job and see what happens. I do. You know, that's what I would suggest. OK, if you think it'll work, then give it a try. Could. So kind of along that line, it's interesting. Sometimes when I'm working on, say, a task force, it's US citizens only. And other times, like for CISA, I'm chairing this technical advisory council, I can have people from any planet. I mean, any part of the planet. Any planet. Any planet. Drink. Which was great, because now I can tap into people in Germany and Japan. And if you think about it, our problems are these global problems. And where does the education come in? Where is the skills coming from? It's a globally competitive environment. So again, also, can you hire non-Americans? Or what are the restrictions? Or they can only be a contractor, but not a full time? No, we can hire. We can hire anybody with the right skills. Except Russians. Well, there have to be some criteria for hiring. Like, you need to be able to lawfully work in the United States, right? You have to be lawfully here or lawfully able to enter into the US workforce. But we're not necessarily limited by US citizenship, right? 
Which means something very different than someone that's able to lawfully work with us. On all my travels, I've been a lot of places. I've been to Northern Ireland. I've been to Germany a few times. I've been to Estonia. I've been a couple of other places. We are all having workforce challenges. Not just us. So our system isn't the problem, really. Really, yeah. It's finding opportunities to upskill, reskill, provide foundational skills for the pipeline. What are we teaching our kids? I've got a couple of kids. You've got a couple more. What are we teaching them? How are we preparing them for this workforce, for this economy? Most of our kids are app natives. They were born into this space. I wasn't, right? But how are we training them? How are we upskilling, reskilling, teaching foundational skills? That is a common problem I'm finding across with my counterparts. Yeah, it's interesting because normally, there's sort of market forces. And so if you need a lot of engineers, the price of engineers go up. You get a lot of engineers. But for decades, market forces, for some reason, are not filling the gap. I mean, I don't have the answer. I don't know if you have the answer. But it's just something to think about. Why is the market failing? Yeah, because if you could get at that, maybe, or you could better understand, is it that people feel that to get a higher, like you said, four-year college degree, what I'm hearing is people say that it's hard to hire people with a four-year degrees. They'll tell you, don't use this protocol. It's insecure. And then you ask them, well, can you go configure the router to do that? And they're like, huh? Yeah, no, that's right. The four-year degrees, we need them for a certain, right? We'd need them. So I don't want to say that you should not go get a college degree, but you don't need to. Right. I guess what I'm saying is it's particularly applied in our space. You either know how to configure the router or you don't, right? 
There's not a lot of faking it. Yeah, exactly. And so how do we motivate and encourage those skills? How do we incentivize that work? I've heard that engineers do hacker summer camp because they don't know how to configure a router. Right. They're all in it so that they can become the CISO or the C-suite person. But there are so many other pieces to this that are skill-driven. And we need to figure out how to incentivize that. And I just, I don't have all the answers, right? I'm the National Cyber Director, and I don't have all the answers. Let's make that clear. I need you to help me figure out what the answer is. Can you do you have the power to talk to some of your staff and say, hey, go do some research and find out what X-way. And then when you do that research, is it sort of internal only? Or can you share that and say, hey, we did a survey to figure out what for America would to do. But in doing that, we realized, here's this trend across 10 countries. So you can help our partners and allies. Because I have a feeling, since you said you're not the only one, we're not the only one facing this. If our partners and allies, and you're like, hey, Germany, you work on this problem, work on this problem, and all together, we can challenge. Or is it everybody feels like, no, no, I need to keep this information to myself for an advantage? Or is it more of a shared sense of sort of, we're all in this together? There is definitely a shared sense of mission. One of the reasons I came back in the government after leaving for a little while is that I was excited about how we're sharing. It's no longer sort of, give me, it's mine, it's more, let's collaborate, let's figure out problems together, and that's true in this space as well. But one of the ways that we are studying these problems, we issue, I know it sounds wonky, but we issue these RFIs, these requests for information. 
We've done two so far, no, we've done three actually, so far, we did one on workforce back in November. We did one yesterday on open source, and we did one, I think that also dropped yesterday or today on regulatory harmonization. All of the responses are public, right? So that we can then use it, we can share it, and we can use it to have a policy conversation that makes smart policies. Because I have a fabulous staff, I keep pointing to them in the front row, who are all here to pick your brains around all of our initiatives, but we need that input in order to be able to make effective policy. I mean, what other ways could we do that? I mean, we have our standard RFI process. You could go hire Gartner, I'm sure they'd be happy to write a report for you for a few million, and so you mentioned two things, I have to remember to cover both of them, open source and partners, and so, well, there's a national cyber strategy. There's a United States strategy for the internet. CISA announced their strategy. Like, we've got a lot of strategies now, and we didn't a couple years ago. So you're in the audience and you're like, oh, another strategy. There's a plan to all these strategies, right? They all work. They all actually work together. Okay. Jen Easterly and I talk on a regular basis, right? Nate Fick, who does our international work for the US government, he's the ambassador at large, and I talk on a regular basis. They are drafting, the State Department's crafting, their international cyber security strategy. He built an API for that. So paint the picture. You've got the overarching United States strategy, and that's several years old. Yeah, so we have, here's the picture. We have the national security strategy, and I know I keep saying that cyber security is not just national security, and I mean it. It's also economic prosperity and tech innovation, but we are nested under the national security strategy as a national cyber security strategy. 
That is meant to be 10 years in duration, shelf life of 10 years. And then nested in that, we have CISA has their operational strategy. So that operational strategy is basically how they're going to achieve the goals enumerated in. Right, and they're internally consistent, right? With the national, and it's not, it is not NCD's strategy, the President of the United States signed this. So the entire administration is plugged into it, right? We just held the pen. But CISA's strategy that they just released has plugs into this. You'll see a marriage of what their strategy says, and what the national cyber security strategy says, and what the implementation plan is. So then when State Department has theirs, right? That's their version, and it goes on and on until it's, until everybody's sort of showing how they're part of this. This larger. And is there a level below that? Or is it now, once we get these in a couple years, now this is our game plan. This is what we're doing. Well, no, this is our game plan now. It's the implementation plan that is the, the piece that nests under it. Okay. That really articulates in a transparent way, how we're getting to the... So if you were in the audience and you're like, okay, I sign onto this national security strategy. Okay, I'm kind of down with this. Implementation plan. Man, that seems like a cool problem to work on. Yeah. So it's to the point now where you could sort of see where you could, you could do your thing. And I want, would be great if everybody in this room or as many of you that wants to go to our website and look at it and figure out, okay, this is the thing that's interesting to me. This is the agency. So you can go contact that agency. You don't have to come through my office. If this is how you go straight to Jen or Eric or someone else that's around, right? Right. Okay, and so the next thing I want to talk about is the four open sources, the values, right? You talked about the values. 
And so it's my turn to have a little rant on values because it really feels like, especially with what's been going on the last year with China and Iran and Russia for sure. A couple of years ago, I was talking about how I feel that there's a sort of great sorting occurring where it feels like maybe it's economic, maybe it's COVID, but there's pressures on not just the United States but countries worldwide like pick a team, pick a side it feels like. And so mentally I've separated it into team rule of law. So team rule of law, we might not all agree on the same laws. Some might be for end to end encryptions and may not but generally we believe in resolving our differences through a transparent or democratic rule of law. You got team undecided in the middle and they're being pressured by rule of law to, hey, come to our side or team authoritarian. Hey, it's so much easier on our side, right? And they're being pulled. And my contention is being strongly on team rule of law. Yeah, we don't always make the right choices but like can you imagine in China, Apple suing the equivalent of their FBI to prevent the FBI from cracking their iPhone? Like that would never happen in team authoritarian and team rule of law you get to fight in public with your government, right? That's really powerful. And so those distinctions that allow us to enumerate our values that are really bright lines between us and a team authoritarian, it's like, hey, look, this is what we stand for, bright line, you know, gives us more compelling arguments against team undecided. Hey, this is what it means to come up to a, you can see how we operate with law, people don't disappear in the middle of the night, you know, there's this, how do you take those kind of values and try to embed them into cyber policy or any policy to say, you know, because like you were saying, technology is kind of agnostic, but it has human value. 
So that means team rule of law's values, we need to bake those in to make it really clear what we stand for. Yeah. And are those kind of conversations happening? Are you thinking about that or? Those are the conversations I'm having right now, you know, here while I'm visiting with individuals in each of the villages, sort of how do we do that better? How do we, what are the incentives that we need to create in order to make sure that we're incentivizing the use of generative AI, for example, or building the algorithms for generative AI so that they reflect the values that we want to achieve, that we want to maintain, we want to sustain, which is really an interoperable open free internet that will not allow authoritarian regimes to repress their society, but also preserve American privacy, right? How do we do that better? I don't have all the answers, but I do know that people are an integral part of cyber. Yeah. It just is. And for that reason, that's the reason why I say people are the most important piece of this. So for generative AI, for example, how are we recruiting, training, retaining talent? How do we incentivize talent? To think about these values. It seems if you're relying on a sense of mission, then you need to be really clear on the mission and the values, right? Because otherwise you, and so if I knew how to articulate it better, I would, but it just seems like that's one of our superpowers and team rule of law. We have all this other messy stuff that authoritarians don't have, but we need to lean into our strengths so that every time team undecided is trying to make a decision, our values are clear. Yeah. And one of the things I worry about, well, not so much worry about, but going back to the Apple for an example, companies, and I'm curious when you talk to companies, they don't necessarily wanna be in the business of bumping heads with the US government. 
So if they've built their technology in a certain way that means that the FBI is gonna subpoena, they're gonna get subpoenas like every day of the week, they're like, well, my business model is not to hire 500 lawyers, my business model is to sell phones. So I wanna tell my engineers, get me out of this problem. And the engineers say, end-to-end encryption, we have no information to give them. The business says, great, onto selling phones. And so it seems like you have to also be careful because if you push one way, the market might respond a different way, right? Because they're not maybe so aligned with, so I also, do you get a lot of pushback from business or how do you think about this? No, it's, I know we're talking about values, but I can give you a very specific example on regulations, right? Regulatory harm, because I am a lawyer after all. Right, you knew the line. You know, businesses don't like to be regulated. Obviously I wouldn't if I were a business, just for the sake of being regulated. We need to raise minimum cybersecurity requirements, but we worked with the US Chamber of Commerce at the very beginning of the conversation about how do we do this? How do we do this more effectively? And that's how we came up with the idea together of, okay, we can't just regulate our way out of this, but we have to figure out how to harmonize existing regulations and find reciprocity. But it was, and so now the business community is very much aligned and they see themselves in the national cybersecurity strategy in a way that was unexpected. But the reason that happened is because we were there having these conversations at the beginning while we were building it, right? You hear Jen talk about secure by design, well, strategy by design. Like we, at the end of the day, we really are, we need to talk to those that own and operate the technology. The private sector really is, they're the ones that build the tools. 
So we have to have a conversation as they're building tools about what those values are. You said like a particular concern or something they're really worried about. Well, I mean. Like you can do anything you want, but. The president just sent, you know, signed an executive order a few months ago that prohibits operational use of surveillance technology for national security reasons, right? That's an example. Right, so you can start drawing these bright boundaries around. So companies are like, oh, okay, good. You're not gonna take my stuff and. It's clearer now. I mean, it's not perfect. There's still conversations that need to take place, but it's clearer now what the value is. And the question is now, how do we get there? Right. And so, you know, we have these conversations. This is why it's important for us to go and pick your brains so that we can make smart policies to get us from here to there. First, we agree on the value, right? Then we have to figure out how do we get there? How do we make sure that we are not operationalizing spyware to do harmful things? Right, or mandating people set the computers up in a, yeah. Right. It's kind of refreshing and a little scary to hear it, the conversation around regulation, because I don't know how many people have been in this field for like more than two decades. Yeah, okay, so yeah. So remember back when the market was gonna solve our problems and we were going to have like a consumer reports and tell people how insecure things were. And like Volvo, people would buy the more secure product. Remember that? Didn't work out. People bought things that had more features. This is more things on the box. Bummer. Software shrink wrap license prevented public disclosure of problems, right? You couldn't even have a consumer reports. It was against the software shrink wrap license terms. You couldn't even get your foot in it. Okay, that's fine. Insurance companies. 
So now if you've been around for about 10 or 15 years, right, insurance, cyber insurance is gonna save the day. And the insurance companies will know what's more secure. The companies will lower the rates. They'll buy the product. Everybody will emulate those products because they're the clear winners and then we'll all be driving Volvos a different way through insurance, right? And that didn't work out. And now we're looking around like, you don't have any tools left. Like the only tool left in the tool belt is regulation. And sometimes that tool like hits you in the face. And so, but it's the only tool left. And so, knowing that you've gotta approach it. It sounds like what you're saying is you're approaching it very delicately. We're approaching it intentionally and thoughtfully. So I think regulation is an important tool for sure. So my quick follow on was, I don't know if in this strategy you talk about insurance. We do, actually. In the... But we talk about in terms of how do we think about flood insurance, right? What, how do we create a backstop to incentivize insurance companies to do better? And then what are the trade-offs, right? So if we create a backstop, then can we then have insurance companies be a part of the solution for identifying appropriate security controls before, you know, to lower your premiums, right? So what, how do we do better with that? So we partnered with the Department of Treasury, for example, to figure out, we had that terrorism backstop that existed. How do we import that here? How do we take what worked there and... And see, can it be applied in this... Can it be applied in this domain, right? So there are a lot of tools. So we don't wanna throw away the baby with the bathwater, you know, as they say. Full disclosure, I drive a Volvo, but the reason why is because when I was a kid, I used to drive like a little stick shift in a little red car, two doors, not thinking about kids. 
But then as soon as I had a kid, remember, as a kid, being influenced by all those commercials, remember the commercials with crash dummies? So in my head, I had a kid, I needed to make sure that if I go full speed into a wall, I'm not, right? Like, it's a psychological thing, but you know, it takes time, right? That was a long time ago, it takes time, but regulation is another tool that we can rely on. And it seems like we're starting to acknowledge it and embrace it, companies don't push back as much against it, right? So now it's more like they're capitulating, it's like, okay, you're gonna regulate me, but do it in this way. Well, do it in a thoughtful way. It's really the message that I've taken. So, you know, trust, you talked a lot about trust earlier today. Trust in my mind is part capability and part character, right? We're capable, we know how to regulate. It's the character piece that we're building better in partnership with the private sector, those that will be regulated. We've acknowledged now that regulation for the sake of regulation doesn't really get us very far. So we need to do better and we need to do it in partnership with those that are regulated. And that's how we've come up with the idea of harmonizing, right? Finding reciprocity. So do you, I noticed you fly a lot. I do. And you fly to other countries, right? So the national cyber director is not necessarily national. Maybe talk about, like what's going on? Is it just because the international nature of cyberspace requires not just harmonization inside the United States? We've got to get with the EU and coordinate with there. So when it comes time to hunt bad guys, it's easier to, you know, like, what are the other challenges? Yeah, so there are lots of challenges. We don't have an internet that just ends at the US border, right? Neither does Canada, neither does Germany, neither does Mali, right? So my security, our security here is wholly dependent upon security of other countries. 
And so I have conversations with my counterparts in other countries on a regular basis because we're in it together, you know? We have to make it work. And that's the only way we can make it work. So yes, I am the national cyber director, but it turns out other countries have similar positions and we're thinking about, thinking through similar problems and we have different perspectives. Right, because you're more of a strategic role. You're not a tactical role, right? You've got to give the president advice on the big picture. And that involves... The actual picture, which is beyond the US border, right? How do we do that better? But you mentioned regulations. The other piece to that are standards, international standards. I'm, again, a wonky lawyer. And so I have a pet rock around what are the EU standards? What are the ISO standards? What are our NIST standards? Right. And how do they align? EU standards. EU standards, right? And how do we make that work better so that it benefits all? Are you seeing, and I know we're running out of time, so this is your chance to get in any questions on me. But are you seeing countries that have sort of weaponized these processes? Like, well, we'll just throw a monkey wrench in the international standards body. And will that team rule of law will just be broken for a while and we'll, you know. Yeah, there's some, I mean, we covered that a little bit earlier. There's some attempts that way. But the US is investing better in international standards bodies in order to be able to really help import some of the values that we all agree are appropriate, right? A free open interoperable internet. How do we think that through when we think about standards? How do we contribute to those conversations that we don't have authoritarian regimes really influencing the values of those standards, which underpin the regulations and cyber security requirements? But here's my question for you. Okay. 
Before we run out of time, because I see my goon walking around trying to tell me it's time to wrap up. So you talked this morning with Ali Merakis. And our office has a great relationship with the DHS about sort of the government's role and 20 years ago and 10 years ago, five years ago. I'm curious, how do you see this evolving in our partnership in DEF CON in the next five, 10 years? What's your vision? Yeah, so how DEF CON has evolved in our relationship, I guess, with the government, I guess? In the policy space. In the policy space. Yeah, so I guess when I started when I was a crazy hacker, nothing of consequence was online. You couldn't hurt anybody or anything. And it was really hard to even figure out if you could steal anything beyond free telephone minutes. And as things got online, all of a sudden, there's consequences now, right? People can get hurt. And that's kind of like the first reality wave when it's like, yeah, it's still fun and games, but now there's consequences, right? And that's when law enforcement, politicians, everybody started, and at the same time, people, the public started to realize there's these evil hackers out there, criminals, and they co-opted our hacking word, but people fear what they don't understand. And that's also true in policy. And so you have to spend a bunch of time trying to educate policy folks to not be afraid, right? These are solvable problems. Not everybody wearing a hoodie. If you're wearing a hoodie, raise your hand. See, there's not that many hoodies, right? Right, yeah. Yeah, where are my hoodies at? I think my staff's wearing more hoodies than right. Yeah, and so DEF CON is largely a reflection of the hacking community. So we are not what we were 10 years ago. Things at risk were not what they were 10 years ago, and the asks from government are completely different than they were 10 years ago. 10 years ago, governments would not be asking for our advice. 
Now, it's almost like they're tripping over themselves. And not just America, I mean other countries. Everybody is trying to figure out what's going on, they wanna know the consequences of technology, and they need help that's not a lobbyist or a trade association to give them another perspective, so they can balance all these perspectives. So let me ask you, so then why are you here? Oh my gosh, thank you for asking that. I'm here because I need this community to help me make smart policy, right? See, and that one have been five years ago. Oh, it's just, we can't function without it. So I teach on the side, and one of the things I teach is on cybersecurity risk, and so risk is a function of threat, vulnerability, and consequence, right? So the government, for the most part, has signals and things and can figure out threat pretty well. Where we need the help, mostly, is vulnerability, and like literally vulnerabilities in our technology. What are those, and what's the impact of that vulnerability being exploited? So we can make smart policies and pull the right levers on that consequence and vulnerability piece while we're arresting bad guys, because we can do that and you can't do that. But that's what, we're not the smartest people in the room, but together we can come up with really smart policies. And I need, I crave your assistance in that. One of the reasons why I really like being in cyber is because I get to be around a lot of creative thought-provoking people. And I've walked around several of the villages and I've found creative thought-provoking people and had really specific policy conversations, and there are things that I think we're going to be able to do as a result of these conversations. And this has just been a day. And it's just been a day. Yeah, like I mean, can you imagine what we can do together if we had constant thoughtful conversation and interaction? And that's what I'm here to try to encourage. 
We're in the White House, but we are just like, you've seen me, I'm here. I'm not like six feet tall and scary. And I try not to be so wonky, but sometimes I can't help my quirks. But you know, we're here because we need your input. And so I would love more thoughtfulness about how we can gather some of that. Yeah, so then I guess to your question, if I had some master plan for DEF CON around policy, it's figure, find a path for hackers, researchers and academics that are interested in policy to learn more about policy and then have interactions with policy. On the other side, people who are in policy, your staff that are interested in hacking, find a way to channel them in and make those two communities meet in a cooperative environment that's not adversarial. It doesn't have to be on the main stage, it can be on the side. But the idea is if we're fostering these communities that intentionally want to work together, I have to kind of get my side going, right? And more thoughtful about the realities of the limitations of policy. And you got to figure out like, well, here's what you can actually really. And then together, you know, maybe if you're interested in this stuff, you can help improve policy. If not, that's great. Go hack something and fix the technology. No policy needed. But it seems like the way the global politics have changed, the consequences of technology, AI coming, like we can't always hide under, you know, in a bubble. Yeah, no, and we can't make smart policy in a bubble. Like this is just ridiculous. But coming here has been really helpful to me. We hosted a few months ago, Hackers in the White House. I think that was productive. I think we want to do that again. And maybe we want to do that in other areas, like go where you are, so that we can develop thoughtful policy based on reality. What do you think about that? Yeah, no, I'm really a big believer in diversity of opinion. Oh, yeah. 
Because so much technology has been built in a monoculture and rolled out to the globe. And so fixing that requires a very diverse set of experience, a life experience, right? Perspectives, you know, we have a very active Hackers with Disabilities Village. You just, how many of you think about designing a room for wheelchair access, hearing impaired, vision, you know, you have to take everybody into account because when you're fixing the problem for one person, all of a sudden you discover... There's another problem. Another problem for another group of people you hadn't even, you know, and I think the power of the technology of including everybody is, again, that's our superpower, right? We need to show our values. So anyway, sorry, get all wound up on this. Good, good. Well, I'm glad you mentioned your superpower in diversity of perspective, diversity of experience, because that is something that we hold near and dear. I mean, in my office, we focus on their four values that I sort of talk about in our office. And, you know, we're an office full of wonks who are cyber people. One is inclusion and equate inclusion. Another is accountability. Another is innovation. We need to be innovative in how we do our work. And so if we get those things right, and if we work with this community, we can go a long way. And put transparency in there. Transparent accountability. Accountability, okay. That's what that is, right? That's why our action plan is on the website. Right. For anybody to come in and plug into, tell us what's missing, we will evolve it, we will update it based on what you have to tell us. Yeah, so my... You gotta talk to us. Yeah, my final thought is building the community outreach to this community requires building trust, and building trust is that accountability and transparency. Even when you screw something up, like we've never screwed anything up, you own it. Yeah, of course. And you try to do better. Yeah. 
And I think that's how you build bridges to this. I think so. Yeah. I think that's right. All right. Well, thank you very much. Thank you for being in our session.