 to develop capabilities and so that's really on the on the on the leading cutting edge and on right on the tip of the tongue of cyber command and a national security ecosystem and so I have the pleasure of introducing Mr. Eric Rosenberg who was introduced previously as a moderator but just as a reminder he is one of our superstar civilian attorneys at the US Cyber Command legal office practicing contract fiscal acquisition and tech transfer. Eric over to you. Thanks Lieutenant Colonel Johnson. So we're gonna introduce our panelists. So we got a Mark Montgomery. He's a senior fellow at the Foundation for Defensive Democracies. Pleasure to have you here. We have Courtney Majuli. She is the procurement executive program executive officer of cyber at US Cyber Command a part of our J9 and we also have Aaron Smith. He is the CISO of Goyan Utilities up in Alaska so we really appreciate you coming down all the way from there just to speak with us. So the topic of our panel today is innovation in government acquisition and technology transfer. So kind of before before we got into that we're gonna talk a bit about fiscal law right so it's kind of unique to the government for those of you who aren't government attorneys fiscal law kind of governs the spending of money in the government because Congress give it goes back to the Constitution and power the purse like Congress gives us a certain amount of money and they want to be spent in a you know on certain types of things in a certain time period and up to a certain amount and they don't want us to exceed the amount which they give us there's a certain level of activity that Congress wants us to be doing and not above that and so that's sort of a key thing so when we so they give us this money and they want us to do a certain level activity so whenever we get stuff we need to generally pay for it unless there's a statute that says otherwise and so through acquisition and technology transfer these are ways that sometimes we then get things and so with acquisition you know typically through procurement contracts we you know we usually spend money to get things so the definition of procurement contract is when the the principal purpose of the instrument is to acquire goods or services for the direct benefit or use of the government and that can be by barter purchase or lease technology transfer the definition of that is different so technology transfer is basically just the exchange of resources between the DoD and a non-DoD entity that's the definition you'll find in the DoD 5535.08 on technology transfer and so it's it's a bit different and specifically within technology transfer we have these agreements called CRATUS so those are cooperative research and development agreements and so there's this relationship between acquisition and technology transfer so acquisition most procurement contracts are governed by what's called the FAR the federal acquisition regulation and the FAR you know most contracts fall under it and you know it kind of lays out all these rules you know procedures for how to how the government should go about getting goods and services from the private sector there's also non-FAR agreements that are part of procurement as well you have other transaction agreements a whole host of other ways there's if you go in the Defense Acquisition University website there's a beautiful contracting cone at least I find it beautiful maybe for people who are more normal you don't find it beautiful but it's a beautiful cone and it lays out all these different ways of working with the private sector through different acquisition vehicles now but with tech transfer you know we have CRATUS and there's a basically the definition for CRATUS when we take resources you know people equipment facilities other resources we pool that with a private sector entity or a non-federal entity and then together we collaboratively research and develop consistent with the laboratory's mission except it can't be a procurement contract so a procurement contract and a Crata it can't be the same thing by definition court case on this called chemical services versus EPA we won't get into the details of it too much but the idea generally is that craters are contracts but they're not FAR contracts and it's key thing so would create at the key thing is the principal purpose has to be R&D whereas procurement contracts the principal purpose is to acquire goods and services so what craters we can get to use the we can leverage the resources of the private sector their people and their equipment you know but you know we're it's not the principal purpose of it so how do you get to use craters and patent license agreements and software license agreements these various technology transfer authorities that exists we you have to be a federal laboratory and to be a federal laboratory that's a facility for which there's a substantial purpose is the performance of research development or engineering by the federal government's employees so there's this substantial purpose test so there was a debate about well what is the limit of what is a federal laboratory so there was a court case called Babbitt and in Babbitt Yeltsin National Park they entered into a Crata with a company and someone didn't like that idea that's like no Yeltsin National Park that's like for tourism right like they're not a lab that's not what I don't really think of a lab and I think of Yeltsin National Park but you know the court said it doesn't conjure up the traditional image of a laboratory but there is actual R&D occurring at Yeltsin National Park now it's not the principal purpose of Yellowstone but it is a substantial purpose it meets that test and so the idea is that you will have Yeltsin National Park's a lab the cybercom could be a lab too and so on October 18th 2023 General Acasone designated cybercom as a laboratory for technology transfer purposes so that's sort of the touchstone of why we're now engaging in technology transfer agreements is because we are a federal laboratory and so it says that sort of our intro now moved to Courtney we want to kind of sort of go over sort of how acquisition works at cybercom so I guess how how does it work where do our authorities come from how do we do what we do good afternoon is this on we good so cybercom is a combatant command and combatant commands are operational commands they don't traditionally do acquisition the one exception to that before cybercom was SOCOM and so SOCOM was a little bit different they were designated a major force program which made them service like without creating a brand new service and they grew really big really vast and Congress went whoa that was a lot so cybercom was constructed a little bit differently in FY 16 the National Defense Authorization Act the NDAA gave cybercom limited acquisition authority we could spend up to 75 million dollars we were given 10 billets to go and start trying to do acquisition successfully we got one program manager two contracting officers SJA legal support all right go try this out but this is going to sunset in a couple years this is not forever we want to see if you can even do this and the command was successful and so over a series of subsequent NDAA's all of those restrictions were lifted so today there is no ceiling on our acquisition authorities at cybercom and we've been growing so that initial 75 million limitation now that we are unrestricted in FY 23 we did about 750 million and we're continuing to grow I think you heard earlier about enhanced budgetary control which gives the command the decision authority over affordability decisions for cyber across the services and the cyber service components so we're expanding our ability to acquire cyber goods cyber services for the DoD in an integrated and holistic way in FY 24 I touched on we had those 10 bills initially we're adding 50 billets this year so we are staffing up for a right-sized and ready workforce it's a pretty exciting place to be Eric touched on our lab designation so we are growing into these authorities and starting to execute in more and more rapid and responsive ways and could you go a bit into the joint cyber war fighting architecture known as the jikwa and Eric so the FY 22 NDAA National Defense Authorization Act tasked us and we were told to go stand up a new program executive office for the joint cyber war fighting architecture what does that mean the purpose of jikwa is to integrate cyber capability development priorities across the services so there are service cyber components today and they run their own programs but we're not integrated and opt the primary purpose DoD has 133 cyber mission teams so this architecture is necessary for integrating the priorities that then deliver for those teams to go execute missions with do excuse me jikwa is centered on innovation and modernizing technology in the cyber domain and the cyber domain is really dynamic so that integration is crucial because things are changing every day and we have to be unified we bring together the best in breed of all the different tool capabilities and most importantly it's the talent of the people across the services as well it's inclusive of five parts we have a comprehensive suite of cyber tools a unified platform for integrating and analyzing data joint command and control mechanisms sensors in support of the defense of our networks and the persistent cyber training environment which provides training and permission rehearsal great so I think it was move on to Mark so how do you view the current state of DoD acquisition and and how can it be improved that's a pretty open-ended question I'll just start by saying generally broken and I'm not talking about in cyber here I mean in general I mean the Navy just published a list that basically every ship we're building took a one to four year slip and it's taken 10 to 100% increase you know increases I could go through the Air Force in the Army and do the same thing so we have it a broken acquisition system I think Secretary Hicks or Deputy Secretary Hicks has made that clear as well interestingly in cyber it's different I'll talk about that in a second but I do want to just stick on the fact that it's broken and and we're and we'll talk a little bit later on about ways to get at it I think I hope in a question but I'll start with that I'll say I loved your description I was part of the congressional staff that roast most of those incremental things or when the Salarium Commission did the same but I'll tell you we did we did the wrong thing for the right reason right the services are broken and their ability to generate forces and that's not what recently I'm at FDD we've done a paper on the organization the personnel part you can certainly look at up FTD.org there's a pretty good paper there on why we need a cyber force but we really didn't spend as much time what you should have on the acquisition part which is at the service the reason we had to do this and it is as you pointed out unusual and the last time we did it it was a dumpster fire I mean we should tell the truth about SOCOM in the end we ended up with two two billion dollar submarine submersibles in an Idaho lake of no value to the government so when we leave a co-com in charge of of acquisition we take risk that doesn't mean it's not going to do great at cyber command I'm just telling you we're one for one on took a lot of risk and the lack of I think you've described it perfectly there's forces the reason we need Jiqua is because the forces were not aligned or integrated or developing forces how can cyber command win when you have four four services who aren't fully committed to providing the equipment and the people to win to generate the force structure you need this isn't a jam on cyber command cyber command gets a lot done with the stuff it's given not enough but a lot so in my mind that that's part of that that brokenness and I have to be clear here we're also taking an incredible risk and we did it knowingly like representive Langevin was the number one driver of all this but we'd sit there and wonder who is going to be the civilian oversight like when a service does something build something they have civilian oversight that civilian oversight doesn't exist in cyber command in a combatant command in the same way exists in a service so we're taking and Congress doesn't do good oversight for a lot of reasons but we have lost our you know we are now taking risk by having a combatant we have no other choice we're going to keep doing it because we're at that but so when you ask me how we are we're broken we're recovering with an incredibly risky plan that's already 0 for 1 in execution back in the in the 2000s so I worry and I'll never say the words I love your I'll never say by the way I find Defar's beautiful I appreciate that you said that and I'll never begin any sentence with there's a recent court case so I really appreciate the opportunity to be here and learn from you guys at this but I must start off by saying I think we're in a risky place I think we got ourselves here on our own I think our services of the no no good to help cyber command on this and I really hope you're successful in digging us out of this hole thank you mark Courtney so how has cybercom been innovative in its acquisitions follow so to do a slight re-attack and then build off with the question I think the command is a really exciting place to be I started out by talking about how we were given very limited acquisition authority and I hope that telling you that 10 billets and by the way they were not all resourced from the start to where we are today helps amplify the growth that has started to occur so we started very small we didn't start to implement until fy 17 and we've grown to today and I think this is very exciting because we've done small-scale innovation and we're now poised to grow and that growth and innovation at the command I hope will address some of the concerns that you've touched upon so I'm going to stick a little bit to my script to make sure that everything I say is appropriate for public release but if you Google DIU which is the defense innovation unit DIU cyber command hunt kits you'll find their product catalog and this addresses a really great partnership that we constructed with the DIU organization FY 22 we took these kits that we had that were already in existence but they weren't meeting mission need they were developed for use in government networks with security parameters and they were not forward deployable for the missions that our teams needed to go execute and so through DIU there are phenomenal organization that helped us do prototyping this is fast so if you're not familiar with prototyping it allows the government to say listen we know what our problems are and we don't know the granular decomposed requirements that normally we would spend a very long time defining and we don't have that time we want to allowably produce something that has mission effectiveness that is of high value and not sitting at the bottom of a lake in Idaho and and we partnered with them and we were able to generate successful rapidly prototyped kits combination of hardware and software travel friendly for operations at mission partner sites that had demonstrated measurable effectiveness that was superior to the traditional tools and applications available at their heights so this is a great success story we've been smaller because the command has had a small posture that posture is growing in fact I believe we're about to be hiring for another agreements officer tell your friends but we are committed through what our lab is doing and through our teams of professionals and then through our partnerships with folks like DIU to growing that innovation at the command yeah and just to you know to get a touch back on the different types of vehicles so those were achieved through what are known as other transaction agreement you know prototype other transaction agreement prototype OTAs and then we've done a follow-on you know production OTA so that's that's the contractual vehicle we're using to you know to acquire those those hunt forward kids so Courtney what makes cyber acquisition unique compared to like let's say buying a tank or or submarine what makes it different the cyber domain is different it's fast it's rapid so we don't have the ability to take the time that you would normally put in to building a tank or a fighter jet or you know putting up a satellite is 10 years we don't have 10 years to wait we can't afford you touched on a four or five year slip in four to five years anything we're talking about today is going to be obsolete so that introduces challenges right how do we allowably stand up programs that are responsive but still have some level of oversight and some level of guardrails and so striking that balance with the right-risk acceptance is really crucial we are doing some exciting things to get after those challenges so one challenge in DoD we have what we call the colors of money which means that money is not just money I can't just take money I've been allocated and go spend it on the things that I need I have procurement dollars procuring things I have research and development dollars I have operations and maintenance dollars and you have to use the right dollars for the right thing because when you mess that up you have to stop spending that money and go back and and fix your actions so we received in an FY 19 NDA and then in FY 20 NDA with additional detail a little really cool pilot to try spending money like it's money so that when we field a piece of software okay should that be O and M well we're going to go back and modernize it we're going to do some enhancements to it oh is that already T and E I don't know okay let's remove that restriction this is really fun because it's also aligned to the programming planning budgeting execution report that came out on modernization enhancements there so the command is really at the forefront of looking at how do we need to spend money in a way that supports the forces another challenge that we have is constructing acquisition strategies that are responsive so major capability acquisition that's where we think about traditional acquisition milestone a milestone be very labor intensive very time intensive very rigorous and DOD has given us some really great tools in the adaptive acquisition framework software acquisition pathway and middle tier acquisition with rapid prototyping are allowable ways to pursue acquisition that have strategies that are more responsive and tailored to the types of acquisitions we're doing and so we're being given flexibilities and tools by Congress that allow us to be faster and more responsive for the type of acquisition we're doing with cyber let's see and then you touched on the far and I appreciate your enthusiasm as well I am enthusiastic about acquisition because it allows us to get after needs that we have but a singular system is really difficult to align to acquisitions which are not a singular type of acquisition and with cyber being rapid and needing responsive software and services in a little bit of a different way we now have access to systems through some what you touched on right non-far-based contracts that allow us to be more responsive as well so it's a little bit different and we have some challenges and then we have some solutions that we're starting to pursue that are pretty exciting for us but one thing on that I agree completely with Courtney by the way I love your idea that it's an exciting place it's a commanded access I believe it probably should be risky places are exciting so I would want to go but on the issue of what's unique here in defense cyber acquisition is that let's say I was going to build a tank it isn't like hey southern company wants to build a tank as well or you know PG&E's building a tank you know we're usually we're just doing it on our own and we can fiddle fat around and that's how we end up in three to five years what's really unique in cyber acquisition particularly in defensive tools but even to some degree some of the offensive tools if somebody else is also there's a whole marketplace out there in the private sector and that's both that's a challenge and opportunity the challenge is if I were given advice to if somebody came to me said man mark I've I broke the code I have the best tool for anomalous activity detection of the world my first piece of advice would be do not go anywhere near DoD or the IC run to the private sector and sell your product and make a ton of money because if you run to DoD and IC I won't see you again for 12 to 18 months and that's being generous you know and whereas you know we don't want that to be the theory we want we want DoD and the IC to be seen as the first choice not a well I need to go there and so I think in cyber are if we want to be on the cutting edge of innovation if we want entrepreneurs who are out there developing tools to come to the department and come to the intelligence community then we're going to have to create an environment where they can move at the same speed and pace they can in the private sector and and I know your goal is to get there but I would just say in general the Department of Defense has not been the place you go for agility thank you mark I mean I think you know we're trying to get that you know leveraging these different types of tools I mean that's also where the kind of the creative discussion will come in right because sometimes we know we buy things that they ultimately don't work the creators are a way we can kind of explore the realm of possible for offensive and defensive cyber capabilities you know kind of pre-acquisition and kind of you know learn what types of capabilities would work for us and what wouldn't and so I think you know together I think we can you know we're gonna have more customer comprehensive planning like using craters using OTAs using Sibbers to try to kind of get at these problems kind of left of like you know a big A acquisition and that way we can kind of reduce costs and this actually ties into the next question which I know you're looking forward to sir is about the Valley of Death so could you kind of explain the Valley of Death concept and how do we get out of it so the value of death and I think everybody here probably gets it but in that the shorthand is the amount of time from when we introduce a product into that R&D phase and end up with a product that's at least in the operational testing evaluation and potentially ready to go into low rate initial production and that and you know if you look at a Navy ship that's a 10 to 15 year process aircraft are about the same I think smaller items you know handheld items can be you know three to five years but in cyber is you know Courtney's alluded to you know we're trying out we're getting special authorities and we're doing things to try to shorten that process part of giving SOCOM acquisition authority was a you know the secretary I think it was run money and then go the way back to Rumsfeld I think who just became extremely frustrated with the answers he got from service acquisition authorities on the new weapons that we were discovering we needed in 2002 2003 2004 as we started to enter you know significant ground combat so that Valley of Death is this is an excessively long time through which the seed funding or initial funding for a company expires before they can get through that R&D or and in the operational testing evaluation you know I think this leads in a bigger problem for the department which is that we also we just we don't take risk right and I think Deputy Secretary Hicks has talked about this a couple times probably you know the the kind of early release of the replicator was a reflection of her frustration with the with the department's inability to take risk in acquisition I mean by that is that you know we have a success rate in the department and I say this you know kind of humorously of 99% on our programs because we just keep throwing money and time at the programs and eventually there is success now not in a way that you and I would define success if we ran our personal checkbook you know and you know we're ten years behind on the rent and you know and you know in the house is half the size we expected you know we would be really unhappy but you know the problem we have is we're not willing to take risk what I would love to see is that if of a hundred products that cybercom command put into the conculator to start looking at the R&D level if 40 to 50% failed in other words have a high failure rate but right now most I mean I've worked my way up through the ranks in the Navy most of people in here work in their way up to the civilian or officer enlisted ranks in the services you don't get promoted by failure right you there's a sense of zero defect it really permeates the procurement Mark like I mean so I mean I guess what do you think of Sibbers though and sitters like that's small business innovation research that's when the government does make different size bets you know like phase one Sibber that's a bunch of little bets and then phase twos slightly you know a fewer number of bigger bets and attack by and stratify what's your sort of take on that a big fan and I'll go further and say that I think the Office of Strategic Capital is on to something with their bets on small business loans I'll also tell you that the small business loans the DoD is like an infinitesimal percentage of the federal governments so just to be clear we're not the DoD isn't near as excited about Sibbers is the as we in this room might be right you know I mean big DoD they don't bet on they don't bet if you go to most PEOs and say hey I got an idea here about 70% chance it'll work but it's gonna take about 40 million for me to get it figure out if that's true or not you're not gonna you're out of the room next guy's in who goes it's a hundred percent chance I'm gonna succeed or it's 98 or 99 we want that success rate look look at our number of Nun McCurdy breaches it's like two or three but you look at the number of programs that are donkeys out there they've gone way over budget but we rename them or restart them or do something we all know the bull Hucky that the you know the department produces to get its way through these these fence posts and milestones and so from my perspective we need to we need to experience a lot more failure real failure failure at the front end so that we can get to this and that's where innovation kicks in if you want to have innovation you got to have failure if you go to venture capital firm and you ask them what's their failure right they're gonna say 70% right that they 70% of the people they put a little money into fail or come back at 1x or 2x right not a you know a failure in terms of making money thank you Mark Courtney do you want to add anything so I'm a huge champion of empowering our workforce that's one of my biggest cornerstones when you touch on failure I actually really embrace that that's kind of a key principle of prototyping right which is a new one of the new acquisition pathways I touched on you don't prototype to go straight into production you're prototyping to fail fast and cheaply so that when you get to your end thing you've already gotten the failure out of the way and you're not investing heavy program dollars at that juncture so how do we do that how do we create that culture it's through investments in the workforce and I'm thrilled with some of the training that is starting to evolve and come out of DAU there's a credential for other transactions and there's a lot of classes that are getting us towards things like cradas I'm a huge fan of cradas you touched on things sitting on the shelf you know what we need is not cuts anymore not commercial on the shelf because we again don't have time things are antiquated too fast in the cyber environment we need cradas not for commercial on the shelf but to go straight to commercialize innovation that's out there and bringing it in and again the way that we do that is through the empowerment of the workforce and so that is a huge focus in the cyber area because it's not a stodgy and antiquated and outdated acquisition model that we want people to come in with we really want to leverage these tools that we've been given with a workforce that knows how to use them strategically and effectively I just wish a senior leader I love what you say but I was just sitting there would just stand up and say you know I'm a big fan of failure because I would believe if someone said that we would be actually on the on the on the track to success but I think there's a disconnect at the very senior level between their understanding of failure rates and prototyping things and probably you know at the program executive officer level I do think there's still that disconnect and I don't think a PEO can have like two or three failures in a row and move on to program number four thank you mark so we're gonna pivot a bit now back to tech transfer for a little bit so so before I came to cybercom I was actually at the six seven cyberspace wing I was their chief of cyber IP law and I had the pleasure of negotiating with Aaron Smith on what was our second critical lecture second critical infrastructure crater and so what does that mean so there are different things we do with craters there's really kind of infinite possibilities but you know the the type of cybercom is gonna be focusing on is one bucket like capability development focused craters like we designed a crater with University of Missouri Kansas City it's gonna focus on UAV enabled cyber ops and AI enabled cyber ops and you know really exploring the realm of possible for offensive cyber and it's gonna be a great opportunity partner with academia the other type of craters we're gonna be doing are what we call critical infrastructure craters that's where we research and develop collaboratively with the partner you know potentially on their networks to develop new TTPs for defending different types of systems you know we're talking often operational technology industrial control systems this is really beneficial to our forces because they often you know don't do not have as much experience with OTICS systems but if this country were to be attacked OTICS networks you know for the power plant the water company these would be you know of interest to the adversary and so it's really important that we get our folks are that experience and the relationships with the private sector so we can have this true public private convergence of there was an attack we could really hit the ground running we already know that that power plant near the military base they're to have a crater with them and you know we can save hours and that could really save lives so the first critical structure critical infrastructure crater we did the wing was with a CPS energy in San Antonio but the second one we did was in doing with doing on utilities so Aaron could you kind of describe a bit you know how you I guess why you entered into a crater with the government and how that came about yeah absolutely and thanks Eric for letting me come up here or over here really a couple days ago I was fishing on the knacknack which very good chance to go to Alaska and fish you should absolutely do it and it took me 24 hours to get to DC but it's well worth it so I just want to say one thank you and two yeah no and two really thanks to everybody in this room you know I'm not as lively as discussion that's happening over here but it's after lunch but just everybody in this room really help support what we do if we didn't have the government side the FBI partnerships the DOE partnerships that I have I would be losing this fight right as a chief information officer of a utility company with some real adversaries that are coming to shut us down because if you can shut us down you can shut some of the capabilities completely off in Alaska so you know it's 40 below and you can turn my power plan off or my heat plan off from a you know threat or perspective you can significantly limit what what the DOD is able to put into the fight or the potential fight so do I utilities is a utility company that was really created just to run the army's utilities in Alaska and everybody here sees Alaska on a map sure everybody in this room knows exactly how big Alaska is but from the three main installations the utilities are vastly different right heat is a very big issue on one side of the plant again if it shuts down that base starts to freeze out at a certain period of time and then in other areas we got to keep the power up for obvious reasons down south in J-Bear and the water plants got to keep going or again you start to you know really pull back what you're able to deploy as a force and a combatant commander and I'm sure again you guys understand that piece so I don't have to go through all that and I will say that I don't use many acronyms as everybody else in this panel or everybody else I've heard talk so I'll just throw that out there I get lost a little bit even though I'm actually a DOD person myself sometimes some of these especially lawyers love acronyms more than anybody else I think so anyway that's what that's what do I on utilities is we're the army's utilities you know we don't have the opportunity to fail we have to provide safe reliable utilities to those installations so that we can you know really provide that critical infrastructure space so Eric I may be jumping a little bit but he came to our lawyer and said hey we want to get into this cooperative research and development agreement and the lawyer very very on top that so I don't really know what you're asking of me but I've got somebody who does and I saw this agreement and was very excited with one exception I told Eric when I started talking I said if this is just a tabletop exercise where you want to come in and sit around a table like this no offense and talk about cyber and cyber defense I don't want anything that you're wasting my time that would be an absolute waste of what we have the resources that we bring to bear on the civilian side and the resources that I know are out there on really at this point on the Air Force side from the cyber protection team so I you know it was really really good conversation it was really innovative conversation again partnerships and information sharing is a huge pillar of a strategy when I came in that we set was if we don't have good information sharing we don't have good partners across the entire threat space to include really now what we're doing here then you know we're gonna lose this fight from my perspective and the civilian side is absolutely gonna lose that fight without those type of partnerships so I recently got to spend a week with the FBI really at their CISO Academy I'm now here so these partnerships are just I just can't footstomp enough that how critical they are and how how really welcome they are and hopefully they're beneficial both ways and I and I really think they are absolutely I think secret is you know they're an imperfect tool but they're really our best tool for public-private convergence I just really want to emphasize this it's not a one attorney at cybercom when I was introducing the concept he was like our credit is a panacea for all of our problems I'm like well no but it is one of our best tools for this sort of collaborative you know working with the private sector on these problems and so Aaron so what what sorts of activities have we have we done with you know has the wing done with joint utilities in via the Korea yeah yeah so the 67th sent us over to Scott we got the 853rd the roosters came up for us and which fantastic group you know they have been back to joint utilities three different times we've looked at three different sets of utilities we're able to actually provide them with live data so we were able to get them in effectively into our network without actually being into our network we can't cross that barrier and you know disrupt obviously those operational pieces so we taught operational technology we're making water we're making power we're producing heat the very first exercise actually convinced them to come up when it was quite cold outside I think it was a shock to most of that team but it was a good shock very professional but the first the first one was really just to look at one of our water plants just really you know we're gonna provide them again with what's happening in our operational technology which looks an awful lot like an IT system with a little bit of variances here and there but give them a good look at what a commercial water plant looks like so you know this team had been used to looking at DOD installations really Air Force water plants so it was a different look for them to come in and look at what our water plant looked like the type of traffic we were producing was relatively similar but the way we were doing what we were doing across the space was definitely different to them right so we have you know we just it was a different look I don't have a bunch of airmen that are in there running this or a contractor from perspective that are working with airmen it was it was really this is a privatized utility that was running things and I'd like to say much like a good strong privatized utility should and then we progressed from there so we expanded and they were able to bring some very young team members out to see this space as well as bring back some of their season teams everybody in this room knows that a good cyber defender gets sucked up by the private sector almost as fast as they can get them so some of that rotating piece was really I think helpful for that team and it was helpful for us to get the look from the Air Forces side but they had seen around the space and the and the pieces of that they were working on you know just from the cyber defense side we'll get into some challenges too and I just I would say that one of the big challenges we've had and continue to struggle with and hopefully Eric can help us sort some of these out kind of going forward is very difficult for us to share information back and forth at times we found doing utilities is harshly owned by a Canadian company that created a significant roadblock it's some challenges with our DoD partnerships so we sort of struggle with this information back and forth but just having them in three different years in a row come back repetitively work for them throughout the year we've been out to visit their site at Scott that has just been a super valuable partnership to us I can go back to my shareholders and say look at look at the support we're getting go back to the Army and say look at the support we're getting from the DoD as a whole and we've got Air Force cyber teams inside of privatized utility that's directly supplying to our one customer which is the Army and that's a pretty powerful message I think across the space it's been very successful and thank you for that and look how you teed up a legal issue for me to discuss so people can know how to partner with the government so yeah so would create as so by default when we have a creator with a company we can share up to control on classified information in CUI with them assuming they have the appropriate systems to take on that CUI but then we can also do classified work under creators so the creators joint work plan can sometimes require classified work and if that's true the company can use us as a justification to get a security clearance we don't pay for it they would have to pay for it but they can use us at the justification and at the you know back was at the wing there were several companies that were able to get security clearances because they had craters with us so that's a way we can sort of expand the Dib so getting at what makes cyber acquisition hard you know the Dib for cyber is quite small because you know there's often a lot of security clearance you know barriers right they make it harder for companies that are just starting out to get involved so craters are a way we can expand the Dib now we're not we don't enter into craters to get company security clearances that's not why we would do it but it is an incidental benefit of companies entering to craters with cyber command with the wing you know with other entity with AFRL and places like that now touched upon the foreign ownership aspect so yeah there's three buckets of craters there's just pure domestic craters then there's foreign owned US subsidiaries and then there is non-domestic craters you know purely you know they're in Japan or you know South Korea and so with a domestic crater you know the idea of the technology transfer statutes and you know the credit statutes you know we can just pick any company we want to work with and we can just work with them which is why it's very different from the far where there's much more sort of procedures on who you can work with now with a foreign owned US subsidiary we have to go to the office of the US trade representative to get their sort of concurrence they're kind of looking at factors like does that count does that this is the home country not because it's a US company but it's foreign owned and does that does that foreign company that owns it does that host government is the home government to treat US IP rights with respect you know do they do enter into similar agreements with our companies and sort of there's a reciprocity sort of notion and then when we do a pure non-domestic crater then each DOD component for tech transfer has to kind of build out their procedures for for doing pure non-domestic craters one is to go out to the office US trade representative but then you're probably going to want to do a more holistic approach in cybercom we have a DOD technology transfer instruction that we published in September and it kind of lays out our procedures and you know we kind of put our J5 kind of out in front I'm trying to do that coordination with the whole of US government on how to kind of go out and do non-domestic craters and so that just highlights a few issues but yeah so obviously his company partially foreign owned so then that did kind of inhibit some information sharing we do hope though with companies that you know I think it's a stumbling block but you know overall though we think craters are a way to do information sharing to do kind of blue-red teaming exercises to do you know to do kind of you know help do what we call technology tradecraft transfer where we're transferring our skill sets and hunt assess and hardening to the partner so that way they can help themselves so also I and I think you touched upon this a bit but I guess why do you think it's beneficial for the cyber mission force to be able to experience private networks yeah so you know we talked a lot about partnerships it's a theme across the space you know I think that just really what brings some good health on both sides is this relationship piece that we're building across the space so again I think it's key for us to build a relationship and understand that we're protecting DOD assets and that you know we're helping support that mission and that those DOD assets are in turn really providing us with some insight to maybe better keep our our utilities running and making sure that critical infrastructure piece is running again there are lots of different partnerships that we have right the FBI is obviously a key critical partner for us Department of Energy is very helpful and the Department of Energy is actually going to get over some of these hurdles of foreign-owned companies as well so I think this information sharing is key I think addressing and hitting these issues head on and making sure we can get that data across has been very helpful and I think even just the declassification that was talked about earlier and getting that out to where we can act on some of these really classified pieces all kind of play into this idea that we have a cooperative research and development agreement we're helping build cyber defenders out there in the real world as well as protecting assets that are right there on the front lines in a space that is very critical to our actions moving forward in the future to make sure that we're a good deterring force and if necessary a good engaged force yeah thank you so much Aaron so I guess we'd like to open up to questions if we have time we got time for one question market thank you market challenges with some of the national labs because it would seem like especially like for for Aaron it would be there are national labs who's who have either OT or other cyber related directorates that would potentially overlap with cyber comms mission in that space so it's not unique that like I mean there's different parts of federal government have different missions and so tech transfer you know the whole US government does does create us right like Department of Energy NASA HHS they all have laboratories in a very broad definition of it so even within DUD you know we have medical institutions right so then they could be done potentially having overlapping subject matter with HHS laboratories as well right so it's not a it's not a unique issue right but and we are trying to partner with a with the interagency we are kind of trying to de-conflict some of these relationships we're working right now with our different partners and trying to figure hey maybe you want to work with this and they work with this company and we're also trying to find ways to have different members of the interagency actually take part in our trade as as other participants which in some cases is a possibility where they can kind of come up come under our authority and and and then take part in the R&D let me jump on that because I love the pilot you guys came up with but I'm going to stipulate it's completely not scalable for the challenge we face you know if we saw anything in volt typhoon and a lot of reporting that's coming on that's our adversaries are absolutely going to attack all of our military mobility all of our power generations our ports our rail our aviation we can't make individual craters with each of these there's some bases that we could uniquely defend and I'd put Alaska pretty high on that list but we're absolutely we actually have to I would be careful micro solving this problem and I'd be stepping back and saying how can we at a macro level ensure and this to goes back to interagency that the other agencies are doing their jobs right Coast Guard is properly working with the ports to ensure that the 19 strategic sea lift ports are secure that TSA is where somehow they own rail by the way I'm not sure how you know is working with the six rail companies that move all our troops and forces and equipment across the country to ports and to aviation how TSA is working with aviation our energies working with the power industry to ensure that we're defended because unlike every other warfare area we don't own it do D if it's a submarine threat they got it if it's an air threat they got it but when it's a cyber threat we don't own the battle space the infrastructure on which it's being fought and we have to have those other federal agencies we can't have I love these pilot craters but I cannot scale to the degree to defend every to defend all these areas and that's really gonna take the department really the White House getting the other federal agencies to defend our national curriculum structure with the same vim and vigor the Department of Defense does it and I'm gonna tell you 16 out of 17 other federal agencies aren't up for the fight right now I think the goal is not to scale I think the way maybe not to what you're saying we're not trying to replace this I think CISA has a huge role I mean that that this is their space for us this is more about conducting R&D you know so that our forces can be better prepared to support CISA and so if there was an event you know like a disco event so I think the goal is not for us to replace them there's certain places that we're prioritizing based on input from the geographic combatting commands then maybe are supporting key US military installations but we're in no way seeking to to take on responsibility for all of that saying is the other part of this is that you have to force that you have to force the rest of the federal government to have this level of commitment I think I think that's time all right Eric Aaron Courtney and Mark sir thank you for that fascinating and thought-provoking panel if you had a bet on the DeFar being described as beautiful more than once you're the big winner your prize is out front but I do think this panel demonstrates that sometimes partners agree and can reach a wonderful outcome sometimes partners and friends don't agree but through engagements and discussions we can all mature and get to that point that our client is trying to get to and is in the best interest of the American people so thank you please give a round of applause to our panel and we are back on at 1435 you're on break hello my name is Major Alex Holtz-Claw and I'm joined here by Captain Ray Macias we are legal advisors with the US Cyber Command's Office of the Staff Judge Advocate we want to share with you what makes working at this office unique challenging rewarding and why you should consider joining the DoD cyberspace operations legal community the United States along with many other countries around the world maintains an international law applies to cyberspace the DoD at large is committed to ensuring that cyber operations are conducted not only in accordance with international law but with domestic law and policy as well the law however remains very much unsettled in the cyber domain the role of military cyber practitioners is to interpret and apply an evolving regime in real time offering careful consideration of international law domestic authorities and policy implications and their impact on national and international security it is not uncommon for cyberspace operations legal practitioners to advise commanders and decision-makers on questions of sovereignty constitutional principles domestic criminal law fiscal law and even the law of armed conflict for example the prohibition against the use or threat of force during peacetime is generally well understood in the physical domain in the cyber domain applying treaty and customary international law becomes more challenging where cyber malicious activities are conducted below the use of force and where the identity of the threat actor may not be clear due to the low barrier to entry state and non-state actors including criminal organizations and violent extremist organizations are acquiring sophisticated cyber capabilities at an alarming rate using this technology to target critical infrastructure financial institutions media platforms and elections cyber threat actors employ cyberspace to undermine democratic values while advancing their malicious goals events in the news demonstrate these issues are not mere hypotheticals or academic exercises they are present reality cyber legal practitioners enable the United States to maintain and extend our technological advantages in the cyber domain through development and acquisition of capabilities and talent needed to thwart malicious cyber actors today and stay ahead of future threats legal advisors perform a vital role in assisting commanders with making informed risk-based decisions to ensure that our response to malicious cyber activities complies with applicable law and policy we also help decision-makers develop meaningful relationships with other federal agencies international allies and partners and the private sector to ensure that all stakeholders are working together to defend against foreign and domestic cyber threats experience in the operational environment national security law intellectual property and contracts are all directly applicable to the do d cyberspace operations legal practice by encouraging respect for the rule of law and reinforcing norms of responsible state cyber behavior as well as acquiring the necessary capabilities to maintain and extend our technological advantage cyber law practitioners can ensure that the united states in its allies and partners are positioned to defend shared interests in a rapidly evolving strategic environment we look forward to continuing this conversation through our practice and through the thoughtful dialogue here at the us cybercom legal conference we encourage you to join us in the cutting-edge legal practice of cyberspace operations all right ladies and gentlemen welcome back we are ready to begin our next session and let me just start off by saying who knew government acquisition and tech transfer would be one of our liveliest discussions yet but we want to keep this energy going and i am excited to introduce our next panel this topic is and has been prevalent in the news the role of the private sector both in the Russia Ukraine and Israel Hamas conflicts what is the role of the private sector in conflict but also how does that role change and evolve prior to conflict as we move from the competition crisis to conflict phases i am excited to introduce our moderator for today miss natalie orbit the executive editor of law fair and the deputy general council of the law fair institutes etaly thank you thanks very much so the premise that we have here for this panel is that there will need to be rapid fire communication and partnership between the private sector and government in times of conflict but before we even get there i think it's clear to most of us that private sector and government actors sometimes speak quite different languages and so it's useful to understand each other's vocabulary understand each other's frame of reference so i want to get started there let me first introduce this illustrious panel before me so we have jonathan horowitz who is a legal advisor for the international committee for the red cross he focuses on new and emerging technologies in armed conflict urban warfare and partnered operations then we have lori blank who is currently serving as special counsel to o gc at dod see i'm using acronyms too even though i'm a civilian um she's on leave from her job at a as professor at emory law school where she directs the center for international and comparative law and is the director of the international humanitarian law clinic and then we have adam hickey who is a partner at the law firm mayor brown in the cyber security national security and government investigations practice groups he was previously a deputy assistant attorney general at the national security division of doj and before that in a usa in the southern district of new york so to get us started i think we should start with the private sector given our our audience here um and i want to just talk about as i said the the baseline so we're in a pre-conflict pre-crisis moment um i want to talk about what private sector actors who maybe become very important for the purpose of partnerships in a time of conflict what are they dealing with what is their frame of reference and what are the key pieces of vocabulary that they're using because it's not necessarily going to be obvious that the people later gathered around a boardroom table thinking about how to deal with a request that just came in from cybercom um are going to have just finished a conversation about an 8k or the gdpr so so thanks nally and thanks to cyber command for having here today um and i like the way you're introducing this uh as let's think about what normal looks like what normal looks like i think for most companies um there are probably established information sharing relationships that may be with law enforcement that may be with the intel community there may be highlighting of threats that are seen through telemetry that may be sharing with the public this is a very small piece i think of what most companies are thinking about day to day um there are some technical legal restrictions on how you share information with the government the store communications acting like but there are usually ways to work through them and companies find a way to share information when they need to and requests that come in from the government can be handled in the ordinary course that's just a small piece of what you're thinking about if you're in house legal what you're really thinking about most of the time is an incredible intersecting patchwork of requirements depending on how you're regulated um the largest chunk of them have to do with incident reporting and thinking through when you have an obligation to tell some regulator or some state about a data breach or some foreign data protection authority uh you're thinking about enforcement actions that target individuals like sissos and so now the environment of monitoring for a data breach and thinking about your response now there's a sort of personal liability sometime at stake or viewed that way and you're thinking about bad publicity class action lawsuits shareholder derivative suits and that's just a legal part you're also thinking about reputational concerns you're thinking about how the products you sell or what you're doing relate to cooperation with the government and whether cooperation with the government could theoretically make it harder to sell those products or services say in europe you're thinking about skepticism in europe and other parts of the world about the data you hold and where you get it and how you share it with the u.s government or other governments and so during the steady state period i would say there are companies maybe i'd bucket into two camps there are those that have established normal steady state information sharing relationships and that could be pursuant to legal process or something else and then the rest of companies that don't ordinarily think about this problem and so as you think as you as we talk about the shifting in perspectives i'll be interested in whether we're thinking about the companies like the large tech companies that already have those relationships or are we thinking about someone who's getting a request completely out of the blue because of where they happen to be located geographically of the product they happen to make another consideration reputation results of the attitudes of the workforce you know periodically you will see innovative companies with workforces you know concerned about just how is our product going to be used and how does that company navigate wanting to participate at the cutting edge of technological development and be part of the procurement chain well at the same time having to deal with workforce concerns where people don't necessarily feel comfortable making weapons because they don't think that's what their job is um and so i'll just i'll sort of give you an example of what happened during steady state that i think is not the way to solicit cooperation so imagine a circumstance where a three-letter agency is interested in records the company holds related to proliferation the shipping of some sensitive equipment somewhere else in the world and approaches a business leader in a company and asks to have a confidential even classified relationship so that person can share information with the three-letter agency and the business executive signs an nda feels very cool shares the records and months pass and then later the company gets a subpoena apparently related to a counterproliferation investigation from doj the gc has no idea about this confidential relationship it has to pull teeth to figure out who is sending what to where in the government the government because this is a sensitive relationship doesn't want to own up to what they were asking for or why they were asking for it and there's the at least the optic two things are of concern one did this subpoena have something to do with the information we shared and are we sort of worse off because of our cooperation and two you know what if word got out that we are secretly sharing information of this kind with the government what would our corporate affiliates think around the world what would our customers think what would other governments think yes we only shared certain information but what if people thought that our relationship was cozier and that we were somehow providing access that allowed for surveillance or the like even if there's nothing in the record to suggest that so cutting out legal for example would be my number one advice for what not to do if you're looking for cooperation okay thank you lori i want to come to you with the sort of broad question of from the frame of reference that you bring both in your capacity as a scholar and now at dod in the pre-conflict pre-even crisis point moment what are the key sectors in the private sector and the key issues of concern to you my microphone was concern number one so first thanks very much for having me and i i do need to start by saying that i'm speaking in my personal capacity and not on behalf of dod or anybody else so i think you know when we think about the and i'm kind of chuckling when you said pre-crisis because i'm trying to imagine what something that's not crisis imagine a land imagine a land far far away where fairies flit about right um but just thinking about it in the international law space you know a lot of the and we're going to end up talking about thresholds and definitions and etc but those frameworks in international law are essentially there to provide stability predictability clarity maybe not usually but possibly and ultimately laws i like to think about it is about expectation so if this happens then this is the parameter of responses that i state or other actor um have in my quiver of arrows in my toolbox and that's the sort of parameter of options that i would expect a i'm not going to say an adversary but another actor in this magical pre-crisis land that we live in um might have and those are generally designed um predominantly to keep us in that pre-crisis space right so we have if another state engages in an unfriendly act okay you can do a retortion etc if you think you've been the victim of an internationally wrongful act but it's not at a level of a use of force you might be able to take counter measures if there's a use of force if you're the victim of an armed attack we have all of these thresholds and ultimately those are about keeping us in an environment in which we have some sense of what the rules or the reactions might be and what that does is create that that world of expectation that world of predictability even if um you know we don't know what the results going to be we at least the predictability is in the sense of this is the world in which it could happen this is the general framing and i think that's a really for me important sort of story about the the international law piece i think that's obviously relevant i'll defer to adam on the you know domestic side but also for companies in thinking about what you know it's like a chess game if i make this move these are the things that could happen or might happen or what should not happen um and that's that's sort of how we try to avoid moving up that scale that you're going to take us up through right and then things happen that bust us through those barriers um but i think that framing and so part of i think one thing that's useful in thinking about this public private sector partnership etc is whether it's education whether it's communication whether it's um partnership awareness whatever the right word is is that there is a common language for that or at least a common awareness so that you're not operating in silos where one entity those in the public sphere the states etc have a certain set of expectations but their potential or erstwhile partner is not living in that world and so doesn't see those same sets of thresholds expectations potential reactions great thank you jonathan i guess same question to you and also i think just as a starting point you know i think most people when they think of the icrc are not necessarily thinking of engagement with the private sector in a pre-crisis you know we're not talking about usan bello for sure um at least not yet in our conversation um so tell us about um what your concerns are in this period and especially i think the paper that you wrote recently about educating private sector actors about international law i think speaks very much to what lori was just saying great um thank you for the question thank you to us cyber command for for the invitations great to be on a panel with everyone so let me if i can for all of you just give a little bit of perspective of where the icrc approaches this issue whether it's in situations of armed conflict or more to your questions outside of situations are armed conflict and it's not going to be anything particularly surprising but ultimately it's an environment where um civilians governments uh governance municipal institutions are just highly connected to the digital environment um for everything um for essential services for transport for agriculture for distribution of food for voting whatever it may be um and what we're also seeing um is as that is uh moving forward we also realize there's considerable reliance on all those uh access points with the private sector in terms of digital infrastructure governance essential services and we also see that that relationship in that partnership is building and building and building and there's nothing wrong with that in fact it seems like it's sort of a logical trajectory of how the technology is working how society is working how governments are working in the types of relationships that they are building with the digital tech sector with the private sector writ large at the same time though we're realizing that that also increases the vulnerability of all of us um to different types of cyber intrusion cyber disruptions and and things like that so things are becoming very connected across both um in peacetime we would say sort of people and governance but of course if we talk about moving into situations of our conflict we're talking about a lot of interconnectivity between now we're moving over to civilian stuff and military stuff and so what the ICRC is seeing is that we're seeing an environment where things getting increasingly tangled up with one another for purposes of cost effectiveness resilience things like that in peacetime and then we're starting to not only imagine but actually see what happens when that runs into a situation of armed conflict where you have different norms different standards but different legal obligations and different legal frameworks and so that's one of the reasons why either as a somewhat preventative measure or as a reactive measure the ICRC is taking increased interest in speaking to the private sector about these issues so the ICRC has been around for 161 years now we've become pretty comfortable talking to folks who are here sitting with us in military uniform to professional military institutions very normal we've seen a proliferation of non-state armed groups over the years I think we're at a count of 2021 of about 600 plus we've engaged with around 400 plus of those non-state armed groups the private sector is still something is still a part of the battlefield landscape is still an actor that's increasingly in that landscape that the ICRC is trying to to Laurie's point learn how to communicate their interests with our concerns our concerns with their interests and that's something that is a is a project that's ongoing but we see it as one that will continue to be relevant over time not one that is sort of a blip in history that will go away at any particular moment in the near future okay so let's move into our crisis phase and I think we can hear think about as a preliminary matter in a in a world of cyber activity policing the line between armed conflict and not armed conflict seems particularly complicated and not only complicated but perhaps not a matter of consensus among different decision makers so let's talk about the phase at which it's very clear that tensions are reaching a boiling point just to throw out a couple of examples you know say that a social media platform is being used to coordinate an armed attack what seems like it will become an armed attack and then we see actual activity on the ground imagine that a data broker is unwittingly selling data to an adversary or someone who will soon become an adversary what are the things that you are thinking about and that need to be coordinated between the private sector and government actors at this phase can start with whoever lori you want to start one thing we haven't raised yet but i think is kind of the it's not really the elephant in the room but it's certainly a significant issue is state responsibility and so anytime we're talking about this phase of you know tensions increasing i mean as you're giving examples i'm thinking to myself well the immediate question has to be did some threshold get crossed what is the what is the range of options right if you're thinking as a legal advisor here's your range you know this is your left and right limits then the policymaker has to decide well what just because i can't do something doesn't mean i should do something hopefully it doesn't go the other way and but so so one piece of this is trying to assess what action that i'm either absorbing that i'm watching develop that i am concerned about developing etc do any of these trigger certain reactions that i might be able to take again as a state and that's assuming that you're on the receiving end of such activity and so then we're thinking about things like prohibited intervention we're thinking about whether or not some act that might trigger the authority to use countermeasures has taken place we might be thinking about whether a use of force has happened or you mentioned possibly an armed attack the essential piece of that then is of course who is responsible for this conduct and trying to then assess okay is it a state actor is it a we've been talking about quote our side's commercial private sector but we have to remember there's a commercial and private sector and there are private actors that are that side again if we're now in a crisis phase we start to have sides so who is responsible within the international law construct for that and is there a state that bears responsibility in which case as a state i might have certain available avenues of action or is it a non-state entity and i cannot make the attribution connection but then i would have other avenues maybe there sanctions maybe there's criminal law avenues maybe there's any number of possibilities there and so that's one piece of it is understanding the attribution piece the flip side of that attribution question is when are the actions or activities of the folks we've been talking about engaging with now going to be somehow be attributable to the state on our side and that's an equally important piece and that i think gets very much into some of the discussion that we've been having about understanding the relationship about sort of building awareness education training and that goes both ways right it's not just the hey commercial entity let me share with you how international law works or how we view this question or this is what happens but it's also understanding what is the nature of these commercial entities activities right i am and and deepening our understanding of the connection between those activities and the government and the state or perhaps linkages with partners and allies and so trying to understand that and knowing when okay i've been busy thinking about my own activities but i got to be aware of what commercial actor is doing let's take an example that is the more extreme example here which is space right we've been thinking about cyber but it's kind of they're they're integrally linked right and in space we have an entirely different regime of state responsibility we're not just talking about the idea of you know acting under the direction and control of which we might you know the kind of general rules and attribution we see in the draft articles but in space we have a regime from the outer space treaty which says that states bear international responsibility for national activities in space and all of a sudden most things that happen either on your territory or by you know actors in your territory become either definitely the responsibility of the state or potentially the responsibility of the state depending again on how you understand what national activities is and and all these other questions to the extent that cyber and space have a very symbiotic relationship which in many ways they do it's important to understand all of those pieces and to know what those different you know sort of domestic commercial actors are doing so you know how to plan and how to foresee what's coming yeah and which state is responsible for a multinational corporation that is in space I think Adam I'd like to pick up with you because Laurie spoke about you know acting as an attorney in the government and coming up with the left and right parameters what's doable and then needing to turn to the policymaker to make the decisions and really in the private sector at least when you're talking about corporations the person that they that the lawyer is consulting with is not a policymaker or is in I suppose in some sense but is really someone who's charged with being concerned with business risk and with some of the other considerations that you mentioned earlier so can you talk about how that differs yeah I I guess I would say the mission is a little simpler maybe in the private sector because if you have shareholders your prime directive is to maximize value to them and then as we enter crisis what that means I think becomes more complicated so I think since at least the DDoS attacks on the banks in 2012 and 2013 and probably well before that companies came to understand that cyberspace was going to be a an area where they might face the brunt of retaliation for frustration with US government policy so I think there is very much a sense that even if they don't do nothing at all or have nothing to do with the crisis as it develops they might end up feeling the consequences of it so internally if you see storm clouds brewing one it's going to matter whether is the US a part of this or not are we are we over here and sort of picking a side to help or not help or just stay out of the way or is this actually implicating the homeland and US government because I do think that will make a difference second is there a good guy and a bad guy or is this incredibly complicated situation where whichever move we make is going to tee off a significant chunk of our constituency because that will matter to reputational risk third how are we as a company exposed where are our personnel what are our supply chains what is our network exposure and do we need to reposition or rethink what we're doing or how we're doing it just to stay out of the way so that we aren't you know this isn't primarily our problem so how do we just keep maximizing value without being caught in the middle of this is there a risk of retaliation to our employees at some point because of where they're physically located what is the US government going to use sanctions it's sanctions authority for and do we need to be ready to divest or get out of the way quickly because so they may be illegal for us to continue to do business in the way we're doing business that I think is sort of the short list of things that would occur to me on day one of crisis depending on where the company's doing business and jonathan I think this is really the moment at which I suspect with at least with smaller or less sophisticated private sector actors they may all of a sudden realize they really need jonathan Horowitz to come and talk to them and explain so what is what is on your mind at this moment and what are you going to be advising them well I feel like I should be wearing a mask and a cape or something with that description thank you no I mean I think what what what the ICRC is finding and it really blends nicely what was just mentioned is that while there's a natural understanding of some of the security risks involved in situations of armed conflict naturally that there's not always a full understanding of what the legal frameworks are that apply right and so a lot of companies and I would say it's not even sort of only in relation to small or medium but I think it really depends on the personalities involved and lawyers that are in the companies trying to be aware and understand that there is a legal framework that is in many ways so abnormal to what it is that they think about on a day to day and trying to comprehend what to do about that either from a risk management or from how to engage in contracts with partners is really something that the ICRC is trying to to drive out so what's the examples that the types of examples that I'm talking about the types of examples that I'm talking about are things like where a private technology company provides goods or services to a belligerent in a party to an armed conflict such that their infrastructure might qualify as a military objective and do company executives know that and do their lawyers know that that is sort of the issue that I think is very much on our minds it's been in the public these are not abstract theoretical discussions yes I wrote a law journal article on it it was based on things that the ICRC was operationally seeing in the environments that we're working on at the extreme end of this sort of set of examples has to do with employees our employees of technology companies engaging in activities that would in some way shape or form constitute direct participation in hostilities now the ICRC has its views on how to interpret the definition of direct participation of hostilities states disagree with their with each other on what constitutes direct participation in hostilities but the concept everyone agrees exists and there's a large agreement on the criteria for direct participation in hostilities for civilians at which point of course we all know it means they lose protection for such time as they do that from even a kinetic attack so it could be a life or death conversation or consideration that is also something that the ICRC thinks should at least be part of the risk management risk assessment risk evaluation now that does not mean that we think that all other risk management assessment models should be tossed out the window because ihl is a prevailing legal framework that all companies must automatically sort of drop everything and pay attention to but it's a blind spot if if if company lawyers and leadership are unaware of that dynamic if they're unaware that the international humanitarian law rules and principles allow for that possibility of company property qualifying as a military objective and therefore losing with the ICRC regards as otherwise its default status as a civilian object and from civilian employees which is how the ICRC regards technology company employees lose for those exceptional under those exceptional circumstances their protection because they are directly participating in hostilities for such such time as they do so so that's that's sort of the space that we're entering into it's going to be more relevant for some companies than others it's going to be an immediate point of relevance for some companies and it may be one that is a future relevant for other companies depending on where they're physically located where they want to be physically located so so there's a lot to do here but we're trying to sort of put a flag in the sand to to sort of register some concerns that are based on real-life operational circumstances that we're seeing across and it's not just one or two armed conflicts but but across several and it does seem to me that if you are talking to a private sector actor for whom you can say actually this law is really important to you because you may be converted to a military actor and therefore become legally target targetable it's more likely to get someone's attention so let's switch into our armed conflict or our IHL hat is on we are in our full-fledged armed conflict so let's talk about Adam to start with you what kinds of questions your clients will be asking you and I think just as salient what questions you expect that they may not even think to ask along the lines of what what Jonathan was describing so I struggled a bit in preparing for this because I don't know what the ask is from the US government in this hypothetical I don't why well here's here are three basic categories of asks right are you buying a product for me are you are you is it the standard procurement federal services you want a service that the military or the government will rely on that's analogous to what I provide off the shelf or is principally for militaries anyway I feel like that's a that's an easier bucket because the companies that sell that are used to thinking about their role in conflict to begin with are you asking for tips or leads or information sharing outside the context of process like a more sort of soft cooperation and there I think you start thinking about things like and here maybe it's not the US government asking maybe it's you know a sympathetic country but you're thinking about how will the information I provide be used will it be used to commit a violation of IHL which is something you have to think about a little bit you do think about whether you're getting drawn into a conflict with that you also think about the laws that govern sharing with the US government and the like and so that's one second type of ask and the third type of ask which is I'll just call it the weird ask so it's the surreptitious access to the company's network or products or something that's secret not paid for not procured and it's kind of a under the table cooperation which I can't even really imagine the full range of things but I can imagine happening in conflict and there I think is the highest level of risk for the company because there's what you're doing and then there's what could maybe become public at one point what the claim is for retaliation that's justified what other customers are I mentioned the Europeans and so forth what they're going to think about this so I guess to answer your question I need to know what the ask is and it gets progressively harder the more we walk down that road but the basic categories of legal questions would be is it is it prohibited are being asked for something that's somehow a violation of either this law or another domestic law then you think about the bucket of retaliatory or reputational risks and I would fold IHL a little bit into that although I'll be candid that I don't feel like some of our adversaries are really consulting with Jonathan on when the targets are legitimate or not so I would be inclined to approach this a little more guerrilla like I think the clients would think less about whether they've crossed the line in some legal sense to warrant retaliation as a more basic am I going to tag with this and is it going to come back to bite me whether the law says it can or not if that makes sense. Laura you've been eager to get to our conflict moment but let me ask you also you know under international law the role of the private sector and the way in which cooperation happens has very different implications both for the risk exposure of the private actor as well as the potential liability legal or otherwise of the U.S. government so can you talk a little bit about that? So I actually wanted to add a couple of buckets to your buckets. Please do. I forgot to mention insurance but we can come back to that. I definitely was not going to mention insurance so okay I try never to mention insurance so I was I would add in to that things that are not as obviously driven by a relationship between the company and the government or potential relationship between them and so activities that are part of the company's business like say the provision of satellite services or the provision of any number of services to perhaps other private actors to any number of other groups we see that it is not a new story that states do not are not the you know monopolistic actor during our conflict anymore so that would be one one piece you develop an app that is you intend it to be used for X and during conflict enterprising innovative you know creative people figure out they can use it for why and all of a sudden what does that mean both for your company what does it mean for the way the government is going to think about your company right and we have lots of examples from Ukraine about both the the actual deliberate development of apps for the purpose of providing information and so on but also just the use of other things of crowdsourcing information about violations and so if you're a company that somehow that's sort of part of the services that you provide in the pre-conflict stage and now it gets used what does that mean and the the other one I think is is driven by the everyday unremarkable ordinary level of integration and redundancy between civilian and military networks right I think there's some I don't remember I statistic I saw that was cited several years ago was something like 98 percent of you know sort of overlap between military and civilian networks I have no idea what the actual number is I just was like in doing some reading you know for this I saw that I thought well that's a pretty high number so what does that mean in terms of if the the company uses those same pathways of communication those same you know maybe even an easier example is a satellite bus with multiple payloads on it one of those payloads is military one of those is your companies to do whatever maybe you provide weather forecasting any number of things just understanding the exposure that your company's assets that your company's services that your company's people have by dint of being essentially cheek by jowl with military capabilities and military assets and military objects that's also critically important you may have nothing to do with the conflict you may be trying to stay far far away from it but just the nature of our current system of communication and cyber space and everything is that you can't you you can't escape it right you're trying to get away and you're intimately tangled together I do think the example of companies I think are have an easier time dealing with misdirection or misuse of their products right when it comes like let's imagine the conflict is over there and my you know app is being misused in that way I can take that on board and I can use the same framework I use to think about sanctions export controls or any number of like content on the platform what I do about that terrorist use the internet support and so on there's a framework of like okay I don't want my thing to be used that way anymore and you can deal with that I think that harder piece is this the last bucket you mentioned where I don't fully appreciate who I'm riding along with and I may be not be fully prepared for the disruption I mean even be a target but I'm not prepared for the operational disruption that comes with being in cyberspace or physically located in a particular zone nor do I think companies are used to even though I mean I think they're oddly we haven't dealt with a situation where the US is in conflict and making extraordinary ass for the private sector and I can't really predict how that will go and I think that's I think that is kind of the elephant in the room is like what if the conflict involves us and another power that that we are exposed to as a company in their market that is going to be much more complicated and how to work through that because you know some of your questions Natalie in advance were related to legal authorities and I was in a lot of meetings in government where people were throwing around statutes written many many years ago but I think don't quite let you do that the DOJ guy me would be like shut up okay so we're not gonna but like I just think we're not used to thinking through because we don't have a command economy it's going to be very interesting sort of how we get to the right place it's not going to be I think by hard law it's going to be through sort of clear communication by the government to the companies of what the ask is and sort of them thinking through our what are our risks and how we're going to approach that ask and then there's insurance by the way so to what extent when you say yes are you implicating so not only the the risk of retaliation but also are you you know tripping up something that would otherwise pay you back you know help reimburse you for cost because you've suddenly made yourself a combatant in a way that avoids your policy and just to jump in really quick on the insurance piece and I don't have the statutes and things at my fingertips but um understanding what it means when a statute says you know at war when it has these war related phrases in it that all of a sudden trip up what you what your expectations are of your insurance coverage I think is also important. One thing that I would reflect on is that the issue of bridges, airports, roadways, hills being used by civilians and being used by militaries have long plagued legal advisors providing advice to whoever they need to provide advice to on how the rules of international humanitarian law apply. It might be slightly on steroids a little bit with regard to the digital ecosystem where that's happening but these are not unique issues to the battle space or to international humanitarian law. I think they are unique issues to the private sector that hasn't operated in a conflict environment where they raise tricky questions and so in so much as there are hot debates around what constitutes an attack under international humanitarian law and what protections international humanitarian law afford civilian data and whether it's the same protections that's afforded to civilian objects or live issues the ICRC has positions on them some states have positions on them some states differ on their positions some states have decided not to take a position on them so I don't want to say that everything's easy and it's just a matter of you know transferring what we know from the more conventional kinetic world of international humanitarian law into the cyber context but it means that those struggles have been there for a long time and the reason why I say this is because I think some people who their contact point with international humanitarian law for the first time is a very complicated issue will immediately go to their comfort zone of other legal frameworks and I guess what we're trying to say is there are already legal frameworks in place they do provide operational legal challenges that is true for cyberspace but that is not new to cyberspace and we were talking about a tagline and I think that is true to cyberspace but that is not new to cyberspace is maybe one that I'll go with but that's a big reflection point for the ICRC right our point is you don't need to go reinventing the wheel don't go making new international humanitarian law unless you're certain there's a gap there. IHL does a lot of work with regard to military cyber operations but it does require socializing disseminating explaining and working through difficult questions that have existed long before the difficult questions that we're discussing on this panel. Jonathan you you what you're talking about raises kind of brings us all the way back to the initial conversation about the importance of communication and awareness and so on because the when you're talking about you know we've been thinking about these questions about when a hill or a bridge etc the difference of course is that you can see the bridge you can see the hill you can see military activity potentially happening there etc you can't see when there's overlap in the cyber world now obviously there will be you know both government and commercial actors who have significant visibility into the space where they're operating and who else is operating there but you still don't have particularly if we if we kind of step back from those big actors into other private actors right as an individual user you probably have absolutely no idea what the level of whether you know overlap or integration might be between you know the network on which i send my emails or just to be oversimplified and a network on which the military might be sending you know comms during a conflict and now i think my email is going to get to mom but it as actually you know that data is if it can be considered data as an etc etc all those arguments right it's now incidentally um harmed in some way right i've taken liberties with the law there but you understand the point um and so i think that's one piece that kind of emphasizes the need for whatever conversations are helpful to increase this level of awareness is because um you can't see literally visually those overlaps those things and as you're saying you might not even you know be thinking about that because you're busy thinking about your own lane and it's not in your face that whoa there's military activity happening right there whereas if you were a factory and you saw you know troops exercising before deployment on the next field over again to be super simplified you might say huh we're really close to those people maybe that doesn't seem like the safest thing right that would be a very obvious visual manifestation of it but we don't have that and i think that actually is somewhat consequential thanks i want to take some questions and in the meantime i will invite the three of you to think about coming out of this discussion if the goal here is to build durable partnerships to have clear and successful means of coordinating between private and public i'm sorry between private and government what would be the sort of top one or two things that you would advise that are really necessary for getting those into place now i will open it up for questions hello okay so it sounds like we've all sort of agreed that some sort of pre-crisis land of milk and honey education is required sort of with all interested parties i guess the question then if that is the case for sort of a better understanding across the board pre-crisis is the allocation of the current allocation of responsibility between public and private sector adequate is it correct does it put the responsibility on the right party to begin the conversation to continue the conversation and who should sort of bear that burden well i'll come back it i don't know i don't still know what the ask is i mean i'll tell you so take procurement out right so if the government wants something and it can buy it there's a way of handling that there's a policy to process in a company so take procurement out okay so then what's what's left is something that's hard to predict but some kind of cooperation between the government or warning i would just say the best examples i can point to are ones where and this is often been in the law enforcement context where i've seen it law enforcement goes to a company proposes say a disruption operation or a takedown or a cyber operation use whatever term you want and is pretty transparent about what it wants to do and how it wants to do it sometimes gets a court order so there's a transparency and it eventually becomes public it's easy your i think for a company to think through that and make an informed decision what i would what i would suggest to you is not what we cannot do now because no one here is saying what company will be asked to do what outside of procurement is planned in advance for that moment so i don't know how you have the shifting of the burden from the public to the private sector or the like until there's a very clear understanding of okay what are you exactly asking me to be ready for and i've been in many conversations where the government's ask is not because of the sensitivity of it not made clearly and so the recipient doesn't really understand what the government's trying to do or why they're trying to do it and so i would just say if you're planning for the future plan to communicate transparently in the in the crisis or in conflict it's gonna have to look a lot different from the fairly vague i can only tell you so much that comes over in steady state periods sometimes outside of procurement can i just add to that so the other thing that that we've been observing which i which should be obvious but isn't always is that different companies provide different goods and services which means the legal ramifications are completely different right so social media platforms compared to cloud computing services compared to different types of information technology providers are going to engage with risks around situations of armed conflict and they're going to engage with the rules of international humanitarian law very very differently and so i think this goes to the point that there also needs to be um and i don't mean transparent in the sense of publicly available but transparent in the sense of what is the private sector what is the government specifically asking the private sector to do and then at least with my international humanitarian law ICRC had on what are the legal implications that can pose particular risks whether from a targeting perspective or confiscation of property perspective or work or safety perspective we're talking about direct participation of hostilities that those questions in that conversation needs to be a transparent one between the service provider and in this case we're talking about a belligerent a party to an armed conflict so that's a government private sector dialogue that has to happen i think generally there's a broader dissemination sort of conversation that's what this is that's why i'm so pleased that this panel was part of US cyber commands annual legal conference i think that is part of the sort of road to sort of success on on trying to explore these issues that are not in my estimation at least going away anytime soon and then i think it is going to be incumbent perhaps even before some of those conversations with governments for technology companies to look inwards they're probably not going to again want to do it publicly to do in their own self-evaluation self-assessment what is our infrastructure what are our goods and services being used for they've covered a lot of risks the insurers force them to regulators force them to think about these things but that's largely absent from these issues that we've been talking to talking about today in terms of target ability whether it has to do with property or or personnel so i think there are a number of different entry points to to have a conversation and i think they can go in a lot of different directions depending on what the issue is that you're trying to resolve and what question you're being asked hey another question please mr haritz among the core principles of the icrc are impartiality and neutrality given the involving nature of the battlefield cyber activities and such and technology have there been or do you foresee instances in which the icrc would withhold or limit that assistance to victims on a battlefield um thank you for the the question is that am i right that that is not a cyber specific related question no it's just uh when i see the term business of battle like i i just have connotations of how it's changing evolving uh when we think of arm conflict it's evolving to something now where we can have conflict that's not geographically isolated to a particular region it can be cyber attacks that are conducted from outside the region um and when i think of the icrc's traditional assistance of providing that humanitarian aid to victims on the on the battlefield but with cyber activities you don't know who's the belligerent anymore i think if i correct you began your presentation i mentioned there are some 600 non-state actors at which icrc has assisted about 400 or at least are aware of about 400 are there some of those non-state actors for example that you would not support um because it might be a breach of your core principles of impartiality and neutrality great thank you for the for the um for the taking the time to clarify that um so um the icrc is going to engage with any party to an arm conflict because every party to an arm conflict has legal obligations under international humanitarian law so if a government is particularly unhappy with a non-state arm group labels that may criminal gang labels that may terrorist organization as a legal matter under international humanitarian law the icrc sees them through the lens of a party to an armed conflict who has legal obligations under international humanitarian law they have an obligation to respect uh uh and ensure respect for those obligations and so we are going to engage with them there's a separate question around how we provide humanitarian assistance right so those are two different things those are operational dialogues that's the first thing that i was mentioning and then there are questions around providing humanitarian assistance the bulk of what we do is going to be for civilian populations including those who are under the control of parties to an arm conflict whether they're a non-state armed group or whether they're a part of a government military um i do not see um what's happening with regard to the digital ecosystem in conflict changing how the icrc would approach its neutrality impartiality and independence um i'm not sure if that gets to the the question you're asking but but i appreciate being asked thank you we are running up against time so um my challenge to you has um gone up in ante and now you must have a bumper sticker explanation of what your main takeaways would be of how to promote cooperation and partnerships adam you want to start i use it on the question that's my bumper sticker uh my bumper sticker would be beware of the line between engaging and all of a sudden um bearing attribution and responsibility for so we'll be careful or think about where that line is in engaging with the private sector and yet not having them operating under your direction and control jonathan uh private sector uh has protections under international humanitarian law it can lose those protections and it also has obligations read the geneva conventions read the additional protocols and give the icrc a call if you have any questions excellent thank you so much adam lory jonathan and natalie thank you so much for your insightful discussion on the role of private sector from competition to conflict your viewpoints particularly as you walked through each phase were invaluable and certainly highlights the need for the legal advisor throughout so thank you ladies and gentlemen we are on on behalf of coast guard cyber command i'm pleased to have this opportunity to provide insight into coast guard cyber commands office of the staff judge advocate first established as an independent operational command in 2018 coast guard cyber command has rapidly grown and expanded its operational footprint and capabilities to support coast guard missions and national security interests cg cyber's legal team has grown with it both in the number of attorneys assigned and in the scope of their practice as both a military service and a law enforcement and regulatory agency the coast guard is uniquely positioned to address cyber threats a core component of our mission is to help protect the marine transportation system and the 5.4 trillion in economic activity that it supports on a daily basis coast guard cyber commands maritime cyber readiness branch and cyber protection teams are working with maritime industry partners to assess networks for vulnerabilities and to respond to cyber incidents in the last year our three cyber protection teams carried out 30 assessment hunt or incident respond missions on critical infrastructure those teams are supported by lawyers who ensure sensitive and proprietary information is protected while cyber threat information is shared with key stakeholders coast guard cyber command is also the primary defender of the enterprise mission platform which includes all us coast guard technology from cyber threats the coast guard's history of cooperation with allies partners provides a template for advancing our shared interests in cyberspace our legal team works in close coordination with department of homeland security programmatic offices the department of defense fbi other federal state local government partners and foreign allies to defend our critical infrastructure and leverage our shared expertise to protect us interests through strategic arrangement arrangements and relationships maritime authorities and institutions are developing cyber incident response capabilities alongside established all hazard responses cg cyber's lawyers are actively engaged in these efforts analyzing authorities assessing risk and crafting solutions that will form the plans and policies for addressing evolving threats as advisors for a new and evolving operational command coast guard cyber command judge advocates regularly address issues of first impression our analysis supports critical operational needs by assessing constitutional statutory and regulatory implications but our operations also require constant engagement on issues ranging from administrative law information law military justice ethics fiscal law and international law cg cyber's legal office is developing the workforce and talent that will keep pace with challenges and opportunities of the future it's an exciting time to be in the coast guard and a part of the enterprise that will shape the way we secure our digital ecosystem hello do you often find yourself pondering big questions such as what can i do with my life after working for the government as a civilian employee or military member are you contemplating retirement or separation from service have potential employers asked you if you have a post government employment letter that they want you to submit with your job application if so you need a post government employment briefing have you recently received a gift from a foreign entity or personage do you know if you can keep it find out with an ethics review have you been invited to speak at an event sponsored by a non-federal entity do you know that you can do it in either your official capacity or your personal capacity have you been offered free travel come to us to find out if it's legally permissible for you to accept that or not is your spouse trying to launch a reality tv career and wants you to participate do you want to find out what you can do to support them without losing your job irl do you inexplicably have enough energy to pursue off-duty employment find out your parameters before accepting an additional job do you perchance aspire to emulate a dragon and have a horde of gold and challenge coins ensure that you're handling those coins correctly with an ethics review are you handling multi-billion dollar contracts and just happen to be inspired to invest in the stock market pump the brakes on that investment and discuss it with your friendly neighborhood ethics attorney first do contractors try to slide into your dms to reach out to you to try to arrange meetings to educate you about their latest developments do you know what to say we do does using the appropriate appropriated funds appropriately cause you consternation or stomach upset does orf make you itch you're in good company talk to your ethics advisor about how to and if you can fund that tea party that you're planning failure to loop your ethics advisor in for review may cause severe side effects including job loss attorney's fees fines loss of pay sanctions in jail time all right ladies and gentlemen please take your seats we're about to get started all right ladies and gentlemen we have reached our final panel of day one of the u.s cyber command legal conference and just as we started strong and we kept the energy going we're going to finish just as strong and even stronger we have quite the distinguished panel to close out the day and so no matter where you fall on the partnership spectrum whether it's public private academia international partners we're all dealing with the topic of this next panel which is law and policy challenges amidst global competition so it's my distinct honor to introduce our moderator chrono retired gary corn he's currently the director of the technology law and security program at american university washington college of law here in dc and he's also an adjunct professor of cyber and national security law and the law of armed conflict at american university washington college of law and close to our heart he is a distinguished alum of the u.s cyber command legal office his final five years on active duty he served as a staff judge advocate with a general counsel here at u.s cyber command so sir over to you thank you for keeping that short so before i before i launch into the the panel proper i mean i've said this privately but having been involved in this conference a time or two in the past like kudos to you and the team p elevating it every time this is pretty amazing now it's online and people are viewing so you know there's somebody out there drawing a a mustache on me out on some screen right now or something that's great and i'm i'm gonna use my laptop different than other people their hand notes because i want to make sure that the chinese are able to collect everything on me during this this presentation but we are very lucky we'll come back to the the title of the panel in a minute but let me first introduce the great lineup of speakers that we have starting at the at the far end carrie cordero robert m gates senior fellow and general counsel at the center for a new american security at c nas also an adjunct professor of law at georgetown and a frequent appear on cnn as an analyst so you may recognize her from seeing her on cnn from a time or two but consistent across the the the panel we have folks who have deep experience in both the private sector in different capacities and in government public sector so carrie served many years including his counsel to the assistant attorney general for national security senior associate general counsel at the office of odini and attorney advisor at the u.s. department of justice has been working intel and national security issues for a long time it brings a wealth of experience next we have ben powell was able to get through the gate after a push or two so thank you for fighting your way through that even with air force pedigree and a blue suit they they gave you a hard time ben is the a partner and co-chair of cybersecurity and privacy practice at well wilmer hell um of one of the most well renowned and respected attorneys in the space of cybersecurity national security law in the private sector for a number of years but ben was also the first i believe correct general counsel uh at odini helped stand up odini in the in the early days and he also served as a special assistant to the president and associate white house counsel he was an air force officer as i mentioned and did work at the federal bureau of investigation again another with deep deep experience in the national security law space and over time so we get both hats to bring to this conversation which is great and then alissa starzak um i think the first time we met alissa i don't know whether it was when you were at dod general counsel maybe we bumped into each other but um the army tjag now joe berger um reached out to me when i was the sj of cyber command and said hey can you come to me with a meeting with army general counsel because the he was the sj at army cyber command and they were trying to do some re force allocation or something and he brought me into a a knife fight that i lost so um but anyway that was a good introduction alissa but we've made peace ever since no um so she is the vice president deputy chief legal officer and global head of public policy at cloud flair a company that most of you should recognize a cloud connectivity company on a mission to help build a better internet that's great i like that um but as i as i mentioned previously um plenty of time in government as the 21st general counsel of the army um also a dod general counsel's office worked on the senate as well on the hill yeah so um we are we are lucky to have this lineup to talk about a topic that as we did our due diligence and got together yesterday to plan i think we all realized we weren't sure what the topic is so this should be good um law and policy challenges amidst global competition um so we had a lot of ideas kicking around and i think we'll be able to cover most if not all of them i will say i'll give you a signal we're not going to wait to the last five or ten minutes for for questions let's get a hot bench going today let's get interaction we'll i'll draw questions in earlier hopefully um but part of it really was a uh thinking through what did we mean by this so we this is like pete really instituting mission command and giving me very general guidance seize the initiative etc so uh we have we have wide latitude but we know that we've been in in the dod circles and the national security circles for the last i don't know maybe 10 years the terminology pivots and and you know great power competition uh moved to strategic competition in the current administration that could be the setting of this discussion it's something i think broader there's there's we talked yesterday global competition so i i guess um my first question for for each of you um and and we can start with elissa and work our way down what do you take to be this topic and and the challenges that are presented currently um in amidst global competition so we did have a very lively conversation about global competition and i think gary started with me probably because uh my view is sort of a military one you know i'm i'm actually involved in the national defense strategy commission and so we've been talking a lot about what competition means and what what it actually looks like globally and particularly conflict with china potentially down the road what that would mean so i kind of turned to that one um and i i think um from a practical standpoint when we think about that one of the the pieces that comes from a private sector standpoint is really thinking about the role of technology um in that conflict and when you get into the world of of policy and legal challenges what is the barrier you know if we want to harness private industry and private technology companies in particular in a bigger you know all of nation fight or all of society fight if that's where we end up going what does that look like and what are the barriers that we see so that was how i saw the conversation about what global competition is and we can talk a lot about that because there are a lot of barriers right now um there are barriers inside the us about when we have conflicting ideas about what regulations are going to do and what that means for industry and what the effect is there are international barriers when we have conflicts in regulatory environments and different views and lack of coordination and then just generally a lack of understanding between between industry and and government in general so i think there's a lot we can talk about today i'm actually going to keep it short at least from an initial comment because i think i think i tend to think particularly at the end of the day the more we can have interaction the better off you will all be and the more awake you will all be at the end here here before i turn to you ben i i want to say i i asked chat gpt what the legal and policy challenges are and chat gpt told me there's just two i won't tell you which ones but it's just a two but ben um had a very long list of challenges which confirmed for me that chat gpt is kind of stupid because ben's really smart so i i defer to ben but what do you think the the challenges are and how we frame this question or this panel so i'm smarter than a machine that is prone to psychopathic hallucination so thank you gary for that compliment here at the end of the day recalls of some of our our past interactions i first met elissa at an intelligence oversight hearing um none of you will remember but there were a few there were a few controversies after 9 11 related to signals intelligence related to a variety of intelligence operations around the world but uh maybe that predated a number of people and you haven't heard about any of that but um um yeah uh the first month i took over the as d and i general counsel uh just i'll just tell one one more story i think we testified general hate and i believe we testified for 12 hours straight between the uh between the house and senate so uh that was my first month introduction to the to the job um and i was testifying about a number of programs which i had nothing to do with and had to come up to speed and testify extensively on so it was a quite a quite a quite a time of it to put it mildly but getting to the topic and happy to take any questions on this i think uh it's exactly what elissa said and we are also in many ways moving towards a more segmented world in a world that frankly threatens the us home field advantage that we have in it and technology that's going to be critical to both you know great power competition and and asymmetrical warfare so when i look across the landscape and we all live through the world about an internet of no boundaries and a boundaryless uh flow of data of course we've moved to a very different place right now and the velocity of that segmentation is growing so when you look at how long it took europe to come up with their a gdpr their privacy law um many years many struggles over that they enacted their eua i privacy law here you know at light speed in six months there's going to be more development for that it has to go to the countries and those types of things but you're you just look at this velocity that is happening when you look at the requirements for data localization uh the inefficiencies that that creates and frankly the looming national security challenges that are in the background that come out of those laws and of course now many countries enacting both inbound investment regimes similar to our committee on foreign investment in the united states which now looks at things like data sets and other things when it was traditionally many years ago really about what i would call core defense technologies all across the board and all across the landscape you see countries uh becoming more segmented when it comes to it when it comes to infrastructure and of course everyone is competing on artificial intelligence and just what is that going to mean for the united states and these technologies that we need to stay in the forefront of some of these will be advantageous to us because some countries will essentially remove themselves from the from the competition with stringent localization but in other places really it will hobble us to the extent that it will hurt our it industry to to compete on the global stage so very much when i look at this a um you know a segmented world that we're moving to and the challenges that that's going to bring definitely some things to follow up on there um but kary so thank you um gary it's so nice to be with alissa and ben and gary of course and thanks to sabral com for for hosting me again today it's amazing to return here after many years and being at some of the original conferences that gary had first put together and see how this community has grown and how this conference has grown so it's really an honor to to be with you guys here today um so i think the common theme that you're going to hear from all of us today um focuses on the issue of technology in particular it's not the only issue of strategic competition or global competition but it is a big one and i think it is a common trend um from both the government perspective and through the private sector perspective it's certainly the issue that is one that me and my colleagues at the center for new american security are thinking about every single day all the time because it goes through all of our different regions of expertise um and engagement the way that um that i you know might tee up in terms of thinking about sort of three different aspects um of how the strategic competition is centered on the technology sector comes down to these so one is thinking about policies that promote the development of the technology so we have to continue to think about ways that our laws and our legal framework is facilitating the development of the technologies particularly here in the united states number of my colleagues um both in our energy economics program and in our technology and national security program at cns have done work on the need for an industrial policy for the united states and part of that centers on the fact that we haven't had that kind of policy that it needs to take into account the technology aspects and it needs to take into account how you develop those with uh some of our close international partners so continuing to have policies that promote the development of those technologies the second is then facilitating access for the national security community for the defense community facilitating access to those communities um to those technologies excuse me and uh i think we heard in one of the earlier panels issues regarding the difficulties in getting innovative technologies into the hands of those who are trying to compete the mission um what i would observe is that this is not just a defend it's not just a cybercom issue it's not just a defense department issue um i sit on the homeland security advisory council and one of the reports that we did over the course of the last year was focused on the homeland security technology and innovation uh network and thinking about how to get the new technologies that are being developed by American companies particularly from the startup community into the hands of the homeland security operators and what we quickly found was that it the issues that they're dealing with in the homeland security community are very similar to issues that the defense department has been working through for many many years so getting the innovation into the hands of um the agencies and uh mission focused organizations that need them is a constant challenge on the government side and then third um area that i would tee up that i i think all of us have um thoughts about is then the need to protect information data um both from the data perspective and users and this is where i think we'll get into some of the issues that are come you know top of mind in terms of those who are engaged in the cyber security mission um as well as some of the the ancillary issues that are now in our information environment space so you use a phrase in there the need for industrial policy um that in some circles is anathema right that is little and that seems to be part of how how things are shifting and changing um especially in the technology space as you say uh and recognition of vulnerabilities that we have at a at a national strategic level because of supply chain issues you talk about chips uh you talk about data issues um and the development of ai all these things where do you see this headed from a policy perspective um and that's for you know any and all of you um kind of re embracing or rethinking about what is generally termed industrial policy and maybe explain for the audience sure so um so i would what i'm thinking about is in terms of um some of the work that my colleagues have done at uh c nas where the fact that we haven't had obviously you know it would be a major shift to move to that um to move to that construct um however there is um a couple reports that i would sort of commend to the audience one is called lighting the path and one is called rebuild a toolkit for a new american industrial policy and the reason for it is it relates to some of the the prior issues that we were discussing in the role of the private sector um which is that outside of a policy framework um companies including those that are privately held are going to get out in front of issues that are in conflict zones in the defense space and the integration of some of the technology issues in particular it's it's all just much more interconnected now and so the absence of a policy framework what you're then doing is you're leaving individual companies to engage in these world events in these geopolitical events in a way that perhaps they haven't uh before so i'll start there and hopefully that'll give us enough to i actually can i i want to follow on that you know i i think it's worth actually um thinking about the world that we're in now and how we ended up here um because it actually goes into some of ben's comments and i think carries as well right if you think about how the internet started and i think there was a one of the panels this morning kind of talked a little bit about it you know that the us started the internet um from a practical standpoint um through DARPA uh you know that the all of the things that came up came up because the us had an idea of how things should get built um and a lot of the ideas that sort of come in from the internet standpoint are all us oriented this idea of interconnected networks um the idea that we can all be connected it can things can go across borders big concepts um and the things that then that then led to um it's sort of interrelated with things like globalization um which then allowed for sort of diversity of supply chain across lots of different countries um and we're now in this period where people are starting to rethink those big ideas and i think you're seeing the tension with things like industrial policy which was always an anthem because it was not consistent with that idea of big um globalization and how do we think about this big openness interconnectedness how do we work through that um and you're also seeing it in lots of other countries who are saying hey i'm worried about my own sovereignty go away us we don't want you we want to localize our stuff we don't want you to have access to it and and so you're seeing this tension between a lot of those pieces i think from the private sector side the thing that we worry about um that is that the u.s puts pressure from the regulatory and policy side in a way that encourages that even more that ultimately decreases the u.s advantage because the thing that gave us that long-term path from a u.s standpoint of interconnected networks and an internet in the and private industry that that we're building for the world was a remarkable amount of power and and access and um just ability to control things and i think as we start putting pressure on that and separating and saying no no no we don't want to be part of the world we're going to take away that long-term influence and so we have to think about that balance in pretty significant ways because i think it will um it actually is kind of where we're moving and we're not we're kind of moving in fits and starts no one really has quite figured that out yet yeah i think it's a little bit um to be determined on where we go with industrial policy obviously we have the chips act which is a massive amount of funding uh that's supporting the development of of semiconductor manufacturing here in a number of places in the united states and we'll see where where that goes beyond that we don't have a lot of additional industrial policy things of the of the size of the of the chips act what we do have and probably many people are more familiar with it than i am in this room but how much covid supercharged the supply chain discussion not just on what we learned about protective equipment that we never thought of uh vaccine precursor chemicals and all of those types of things and where things were really made in the world we then had ukraine of course um adding essentially turbocharging that when we discovered wow we didn't realize this depended on some small manufacturers in Missouri we had no idea at the end of this long supply chain so seeing where we go with those kinds of investments uh and of course we're seeing that across the the it and electronic supply chain and we see that all the time in what the united states is doing with investment reviews and how rigorous uh those have become largely with very good reason of course right because we're looking at the trying to see are there hidden hands of adversaries where it's going to give them access in ways that are going to you know endanger the national security of the country or is it going to give them access to the supply chain in a way that we're going to become dependent and frankly i think it was a wake-up call to many people as a result of both covid and what we've seen in ukraine as we try to ramp up production and manufacturing and other things just how difficult that is and how you know what elissa had said how it are dependent we've come and that seems to apply across the board not just to you know things in the in the covid world but very much in the it infrastructure world what we see when we see the concentration in taiwan and what would happen there in a higher end conflict and the fact of the matter is is we're still very dependent for a number of very important components on people who may not have the us best interests in heart or even be allies of the united states so i think from an industrial policy and a military policy we're going to have to continue to think through that and manage those relationships clearly a complete cutoff would would be very problematic and so how we manage that has really been i think the the question that everyone is grappling with yeah i mean it's manifested in in different ways the discussions the the decoupling discussion regarding china which i think is polyanish i mean at best and i think to your point you're talking about recoupling in a way you there's the decoupling is probably not possible but but with these interconnected touch points you do have vulnerabilities it's somebody had a question this morning i think you know reaching back to the original sort of premises of the creation of the internet to your earlier point that there were a lot of it was going to be a a good for all right it ignored a lot of the potential harms that we've seen that are also involved and flow from that and i was sifting around through some things last night and i see an article around internet governance on a on a georgia tech website it's pretty good website but you know is the united states becoming china right so to your point of segmentation and fragmentation etc and they were making points about sypheus and other things what if china were to do to us companies i think they're already doing it but it's all manifest in in in different ways the same sort of recycling discussion how do we manage these relationships and i'm going to bring it to the theme of the the conference the power of partnerships well part of those partnerships as stressed in all sorts of strategic documents is international partners and partnerships how do we how do we manage that in this amidst global competition really good example in the panel earlier from the utility company talking about a partially owned canadian company because i think those of us in the national security space it's there's very bright lines when it comes to adversary countries and then there's pretty clear lines when it comes to our closest partners but there might be a range of potential international partners that are in between there's a there's a big range that is between our our clear adversaries and our very very closest partners that we still need to be doing more to figure out how to work with them partner with them particularly in the global technology space that are neither in not in either of those two categories and i think that's where sort of the the modernization of some of the sypheus related the the foreign investment conversation those pieces come into play even more in terms of thinking about our global partnerships when it comes to those countries that are neither the very clear adversaries nor the the the are very very closest allies and partners um i i think from uh from the from the role of a private company i think people might be surprised uh to understand how much of our day-to-day on the policy and legal side has nothing to do with the us or where the us is in conflict so the number of times we have to deal with data protection authorities in europe um because they're worried about the us government accessing uh data which should be something that we can solve and thankfully yes us you you us data privacy framework yes fantastic um but the number of things like that where really we're talking about people who are close allies and yet we're still in conflict with them from up from the from the private company side because two governments haven't talks um feels really challenging um and it's it's really hard from a company standpoint to manage that relationship and say no don't worry about the us no we're not going to respond to the us when they ask for something that sort of puts companies in a really challenging position um but if you want to do business as a multinational company you have to understand the role of those countries and again i'm not talking about i'm talking about allies i'm not talking about hostile countries i'm talking about allies and so understanding those partnerships and relationships where there are potentially conflicts um and trying to work them out from the government side i think is is something that doesn't happen enough um and often um i think when we interact with the us government the the number of people who don't process that there are other laws out there that apply to multinational companies is shocking right i mean i can't tell you how many conversations that we've had where people don't understand why don't you just let you let us in your networks well because that would cause us problems right i mean the number of conversations that we have on that point um again because of allies um is is really significant um i will also say um i think that one of the things that we see is trying to figure out what is being advocated for um in in sort of a policy positioning standpoint so if you have somebody who is sort of um on the border uh they're neither close ally as kerry said but they're nor are they adversary full adversary what are you asking them to do from a legal standpoint are you um when they put a law in place on data localization or on restrictions around sovereignty where's the us um what is the us saying um what what is the position of the us um how do you think about those roles i think we often see the us absent in those conversations um or in other conversations where the us i think could play a much more significant role in sort of shaping global conversations and global norms yeah i would just say you know there's when we talk about the competition and following on what elissa said about not just our adversaries but those allies uh and other related countries you know there's um everyone wants silicon valley everyone wants the dynamism and the innovation that the tech sector has produced in the united states and all of the things that it has done you know across the board what we've done in terms of cloud what we're doing in terms of ai of course everyone's talking about quantum and and uh whatever the next thing is on the horizon um but it is interesting because a lot of those countries have taken a very heavy handed regulatory approach or an exclusionary approach around data localization uh trying to in some cases hobble uh american companies that make it more difficult to operate um we can have a whole separate panel on whether that simply reflects different values across different countries and where they place the uh place their emphasis on things like uh competition policy privacy and other things or whether they're trying to protect uh local industries and create their own silicon valley um i have some personal views about you know good luck with heavy handed regulations somehow magically creating your own silicon valley um so we'll we'll just see where that where that comes out but my uh i guess i'd just say good luck to some of those countries because i don't really see that innovation and dynamism being created but i do see a lot of jobs for um bureaucrats being created so um you know we'll just see where that competition policy goes in the next uh decade uh as we accelerate the the innovations in the in the cyberspace world in ai in quantum across the technological board on on networking on data so you know there's just going to be a competition in these models um i don't know that the united states is going to join in that join in that competition um and we certainly hope that you know we we you know keep encouraging the innovation and the things that have frankly provided a tremendous home field advantage to the united states you know including our defense industrial base really to the kinds of things that you're you're operating the kinds of things that you're dealing with of course are just amazing and a lot of that comes out of our tech sector at at bottom in terms of producing the software and hardware that is a foundation for a lot of the you know incredible weapon systems that frankly the world wants right now right and uh is trying to get their hands on yeah i think um i think it's with respect to the new e u a i act right the that they've there's a category of social media platforms of a certain size it's a digital services act yes markets act one of those many regulatory e u things very very busy but you know if you look down the list of companies that they've identified as fitting in the category of being covered i think like 80 to 90 percent of them are u.s companies if steward bakery here he'd probably be a little less restrained i've heard of these it's this is just uh technological imperialism from from europe but um it is part of a we were talking yesterday i think behind all this there is a very live discussion about um in strategic competition shall we say ideological competition where are we with all of this and who's agitating to uh you know bring forth their own version of norms indigent in in internet governance in uh you know the the space of content moderation which fits underneath that uh you look at russia i've you know mentioned yesterday and in the first committee of the un pushing for a cyber crime convention which when you start peeling it away is essentially trying to define a whole bunch of information-based activity as criminal because it's being done on the internet therefore it's cyber crime um when we can imagine whose ends that serve how do we how do we do a better job of partnering internationally um to pierce through this and it's we would think that the europeans would be our best partners um and yet they're not necessarily our best partners and china who we could say is a defined adversary we have entanglements that are also complicating how we approach this so uh i'm actually going to start on some of the u things because i think they reflect a little bit about what's happening in the u.s as well so the digital markets act is essentially competition related and if you look at what's happening in the u.s on competition policy it's actually not that different um it there is some of the same incentives that are pushing the europeans are also pushing u.s policy on in different areas i think the challenge honestly from a regulatory standpoint is that there are lots of different interests and we see this across the board even in the u.s you have lots of different things pushing different ways from a policy standpoint so it's not all in one direction it's not all um we're not all in the in the strategic competition um there are lots of other interests at play and so how do you put those together into a coherent policy that does reflect the environment that we're in and that sort of anticipates the longer term uh the goals that we're trying to find it's really hard it's just the bottom line and digital policy is hard um i i think the thing that's happening on the international stage to your point about allies um so again going back to the foundation of the of the internet one of the the governance structures of the internet are multi stakeholder and that sounds really weird in a military environment but the idea that all sorts of people come together and make decisions about how the internet is run that is that actually is what happens right from a practical standpoint that's how protocols work that's why we have some of the the the ways that we have now for for how those things operate um right now in the international environment those things are being reconsidered um so uh they you know we're we're at a point where um some of those internet governance questions are coming up um and of course that's opportunity for a country that may for countries that may want to rethink those models um and so the challenge i think when you have a very complicated policy environment and regulatory environment and you have lots of different um goals from from a from a single government is that it's very hard to figure out what your policy position is when you get into those conversations so when you're talking about something like the global digital compact right um which is you know currently under negotiation or the cyber crime convention what are we trying to do as a us government um i think those are again we don't we don't always have one voice and that means if we don't have one voice how do we rally our allies around the same set of principles it's really hard i guess one way i would think about this is that from my perspective one of the challenges is that the united states still has not been able to settle on and agreed upon way that we categorize the technology companies the technology platforms in particular um in a legal framework and what i mean by that is so there's one theory out there that that some of the technology platforms basically function like utilities you can make that argument when you think about just the way that we need to use them on a daily basis i mean there's no aspect of life that you can go through from morning until night that in some way doesn't rely whether it's at work at home your social things the stuff you do with their kids everything there's there's no aspect of our life that doesn't rely on the uh infrastructure the technology infrastructure and the digital infrastructure so from that perspective it sort of sounds utility like and then there's other arguments out there that say well no particularly when it comes to communications platforms you know they're performing a function that's more like a news organization and so we have like these different old ways of thinking about um different industries and the way that the technology sector has evolved is just simply something different and are the unit when i say are the united states's lack of ability to sort of come up with a new framework that actually fits and isn't trying to fit these companies into an old legal framework that isn't applicable to the way that they conduct their work and the way that they operate in our lives has then left us having to respond and be reactive to for example what the europeans have done where they said okay you're not going to create a framework you're not going to put any um regulations in place then we're going to do it and we're going to impose it on you and that has placed us industry in a really difficult position well to some degree in in very different with very different approaches if we think content moderation for example in section 230 of the communication decency act here is almost entirely the opposite of what we see happening in europe now and their willingness to sort of step in and place these requirements on social media platforms and others for content moderation so it is it is challenging to think about how we how we get on common footing so as companies in the private sector i remember talking to um i think it was christin goodwin at microsoft several years back uh you know and similar conversation on the sidebar and it was you know you have to understand that you know x percentage of our customer base outside the united states which puts a lot of pressure even on the u.s companies and if you're feeling that the u.s government is not engaging i don't know do we have anybody from state here oh hello so they may they may have a different sense of whether we're we're engaging but what what's the level of interaction between companies and the government to convey these concerns and say you know how can we get on the same page and oh by the way does the company really want to be on the same page as the u.s government because of the competing interests that the companies have yeah i would say there's a lot of engagement um the the question is is really um the excuse me really the is the u.s able to engage and influence it so obviously a lot of concern uh i think in the u.s about these issues a lot of engagement but um a little bit be interested in this perspective but i think for a lot of companies there's somewhat on their own in engaging in europe and other places yes you know the u.s is able to support it but you know i think it's not the power of the voice that it once was you know we i think some of the challenges are the um it's not always clear what the u.s message is and i think that's not that's not a that's from a from from the government perspective that's a little bit of an interagency coordination problem you know we uh when you're looking at it from the private sector side this is going to be again kind of anathema to the military side of the world but the private companies look at it and say they pulled out of wto what um and all of these messages about the interconnected um you know interconnected trade and globalization why would they do that we had these great messages and you know in apac or in you know in asia pacific um what what does this look like for us and so you have you have this lack of understanding i think from a company side about um that the u.s isn't the u.s government isn't a monolith um and you have a lot of different voices and a lot of different influences um and but the the company doesn't see that they just see that the u.s isn't sort of supporting their commercial interests or supporting them as businesses and that that raises challenges i think longer term i i think for folks in companies who have been in government you can kind of see what's happening you can try to explain it um but i think it's still hard to understand you know if you're at a large company we're not a huge company we're a small company but if you're at a large company um and you're looking out and saying why isn't the government supporting me um in the competition world um why don't they want me to stay together uh in because i am a force against um in the global competition right um and i think that's confusing to a lot of people but again that's that reflection of a lot of different values um that that sort of gets swept in but i think that it's the interagency it's it's again kind of an interagency problem i would not i would not blame a single actor in the u.s government i think that we don't always have clear uh messaging across across different agencies we're not always synchronized across the interagency i know you're shocked everyone in the room is shocked okay so i want to scan for questions from the audience i think you should all be thinking too a little bit we have a lot of people in uniform in the room that's our primary audience here i can't talk to um who's watching from the outside um from what countries but certainly why does why does some of this matter you know you're you're in your fighting position looking over the edge of your your foxhole why does this broader discussion matter to do d or from a national security perspective you might think about that i can put it to the the panelists because no one's raising their hands with questions following on a listless point um you know we don't really we recoil as a government from having national champions right we we we don't have a national champion unlike some other countries who very much promote a certain area so that and there's a lot of good reasons for that but it can affect us in terms of that international that international that international discussion particularly when you have countries that look and say you know time and time again the power of american innovation american technology um kind of the freedom to innovate that the that the u.s has encouraged is just up for some of those countries that very different they speak a very different language um and particularly today in the world of world world of privacy and other things that you're seeing as they kind of free each new technology or you know kind of racing ahead to regulate it right our our traditional model has been let us see what develops here uh and then try to be a little bit slower and smarter hopefully about um regulation and and so right now you're seeing in europe and other countries a kind of like a new technology let's race to regulate it because we missed the boat on the last technology um you know i because you could tell i'm a little bit skeptical of that approach um and it results i think in some cases of some companies saying we're simply not going to operate in that country until we get a a clearer regulatory framework um you know we'll see that may in some cases we down to our benefit frankly from a technological superiority standpoint to the extent countries cut them off from that innovation but we're going to see what what happens so how do you see um right obviously there is that tension that tension between the push for innovation um giving an environment regulatory and otherwise that that uh favors innovation etc um are are we in a little bit of a through city and trap race you know we're in an AI race with a primary competitor um and how do we manage that question um on you know it's on everybody's plate these days AI and ones are taken over the world but um we're seeing more certainly in its executive order it's it's not to the point of legislation like in in europe um but how do we manage that that balance you need to ask questions folks because now we're talking about AI and that's all your fault um so i i will say um somebody gave an example at a at an event i was on a few weeks ago um on AI that i i thought was actually really interesting as we think about AI regulation um they talked about AI as a triangle that sort of considerations um you have uh you have safety security and supremacy um all at different points of the triangle and all pulling in different directions so you know the the reality to gary's question is as you think about AI the more controls you out of this the slower that you are going to go of course that's true from both the security side and the safety side which are different right so thinking about the protection of of an AI system just in general what kind of controls do you put on it and then thinking about the outputs on the safety side um i think i think the goal is to come up with not putting any of those at one point and saying this is absolutely we need to go as fast as possible clearly um i think we've learned that sometimes you do want controls on technology i think most companies have learned that too um but you then have to think about how you do that responsibly um and and still move the ball forward across all of them but i think that i thought that was a really kind of interesting model to think about those pieces as being intention i okay go ahead so i'm wondering on this like at a go at a global context like this this global competition frame there seems to almost be a global paradox where our global politics and our global reality are kind of different and what do i mean by that where regionalism nationalism industrial policy are taking hold simultaneous to our economies and our people becoming more and more connected and so as you advise with and i'll make this more tangible last year you know we had our most productive trade year with china simultaneous to probably our tensions being at their highest with between our governments so at that global level or advising through that it seemingly paradox how do you think through that or what advice do you have for wrestling through that for us start off a little bit i mean i think the the answer is very different if we're thinking i think part of it depends on are we thinking about this from a from a us government from a defense standpoint are you thinking about it from the private sector standpoint because i think the answers to those are going to be very very different um on the on the economic side of it i mean i think and that's why there's there's a difficulty in terms of the tensions within us policymaking right now right because on one hand we have a certain strand of our politics that is very aggressively treating china as an adversary and wants all u.s policy from from national security policy down to economic policy to be along that line and on the other hand we have the the private sector or commercial side of things that has markets and so that that tension is is continuing and i don't know that we ever get to a place where one is going to um uh outweigh the other i think we're continuing to navigate that line unless they're unless there is some acute sort of military catalyst that then changes the the balance yeah i mean we're we're the country's trying to manage through it right on a on a on a category basis right so we the the the new regulations around critical technology lists and other things and how that infects investment and essentially the government saying that in these areas right on this list of technologies on this locations we're gonna have a very heavy burden to allow you to invest in that kind of technology and those kinds of companies and we're also going to restrict exports to you um in that area right and that places a lot of tension on it because essentially their five and ten year plan identifies guess what many of those critical critical technologies is what they are saying are their priorities and at the same time there's a lot of things not on that list um where you continue to have interdependencies and of course we still have interdependencies for things on that list and the government's trying you know from our perspective the private sector the government's trying to manage through those interdependencies where you know it's still on that critical technology list but how do we how do we manage through that right it uh uh in in kind of manage the tensions in the adversarial relationship but as you said it's still a very large relationship it's still a very large um um trade flow so we've tried to you know it seems like now our our policy is to look very much at those critical technologies and have an ever lengthening list in ways that we didn't before right I mean it's not new right obviously things you know submarine propeller technology and all the defense things that were on there but now you look at that list and it's you know data sets on more than a million Americans and things that are a long way away from anything you saw for the past 30 years and when you look at you know bio and other other technologies so it's exactly what you outlined um right now I think we're trying to manage through it on a on a categorization basis right says if you're in these areas it's going to be okay um and we want investment and we want to continue the trade flows but when you're getting into a lot of the things that you deal with here in terms of cyberspace networking high-end software high-end hardware high-end processing uh we're going to have a more restrictive environment and you know potentially some some decoupling uh in those areas but that's obviously not the most stable place to be so we're going to continue to see these flare-ups we're going to continue to be on this this roller coaster I think so I think we have the grim reaper standing up there ready to cut us off so that's why I'm here um Carrie Ben Alessa sir gary thank you so much for that incredibly insightful and wide-ranging conversation despite some initial questions about the original topic I couldn't think of a better way to end day one so before we deliver a raucous round of applause for our incredible panel while I've got you three quick announcements for tomorrow so one we'll start back here tomorrow at 8 45 with administrative announcements two we're going to start day two with the national cyber director mr harry koker and then three just a reminder about our no-host social tomorrow at 4 45 at the golf club at the golf course final thing please grab your trash clean up your area take it out so with that thank you for a wonderful day one to our streamers everyone here and to our panel thank you so much the cyber national mission force or cnmf is a joint command available to us cyber command to respond to its toughest challenges 2024 marks the 10-year anniversary of the cnmf us cyber command established cnmf in 2014 recognizing the need for a force agile enough to respond to any crisis at any time composed of highly trained and qualified cyber operators drawn from across the services today the cnmf is composed of 39 joint cyber teams organized across six task forces consisting of soldiers sailors airmen marines coast guardmen guardians and nsa air force and di a civilians cnmf's mission is to plan direct and synchronize full spectrum cyberspace operations to deter disrupt and if necessary defeat adversary cyber and malign influence actors the cnmf conducts the full spectrum of cyberspace operations consisting of offensive defensive and information operations cnmf supports us cyber command and national priorities such as election defense counter ransomware global cyber security threat hunt operations and other operations of national importance cnmf works closely with other partners in the u.s government the cnmf routinely works with the fbi dhs nsa and others to defend the nation these partnerships are critical for this vital mission to defend the homeland each agency possesses differing authorities and capabilities the ability to quickly share information to leverage the proper authorities at the appropriate time secures the nation and keeps our adversaries off-guard engaging them as far forward in cyberspace outside the united states the cnmf is on the cutting edge of legal operations in the cyber domain since its inception cnmf continues to drive the evolution of cyber operations there has never been a better time to join the cnmf legal team the office of the staff judge advocate or osja conducts the full range of legal operations primarily focused on operational law however the office continues to provide advice across the legal disciplines individuals that join the cnmf osja must have a strong background in fiscal law administrative law international law military justice legal assistance and of course operational law the cnmf needs attorneys that are creative enough to link the various authorities together and present creative solutions to our clients as a plank holder in the cnmf osja you will have an opportunity to advise on unique and novel issues that have a direct impact on national events there are few other organizations in the government where you will be exposed to the type of issues that we see on a daily basis if you are a motivated legal professional that can work independently with little guidance we would love for you to apply to become a member of the cyber national mission force hi i'm colonel pete hayden and i'm excited to speak with you as a part of the u.s cyber command legal conference whether you are in person or virtual your interests in participation are critical to solving some of the toughest and most important and interesting legal challenges facing our nation our commander general hawk has set out his guiding priorities based on our competitive strengths people innovation and partnerships this conference will give us the opportunity to discuss exciting legal issues involving all of these priorities but i want to reach out on something near and dear to all of our hearts here at cyber command our commander's very first priority is people at every level we want to attract and develop talented practitioners in diverse disciplines to the cyber enterprise including legal professionals through participation in this week's events you'll see exactly why that's so important to cyber command to the services and to the nation the bottom line is this we need you here's why we hope that you'll want to join our team the cyber command enterprise is one of the very few places in which military attorneys routinely work side by side with partners from across the executive branch they also get the rare opportunity to partner with the best and brightest throughout the joint force to be a part of those high functioning joint teams comprised of talented attorneys from across the services our council work closely with the legislative office to help shape our congressional authorities whether drafting a legislative proposal identifying policy and legal implications of an authorization act or assisting with congressional testimony preparation our office is deeply engaged with our legislative liaisons and our legislative overseers our judge advocates civilian attorneys and paraprofessionals work closely with the private sector and academia to develop collaborative mechanisms to advance national security interests and defend against malicious cyber activity finally u.s cyber command attorneys regularly interface with our international partners on everything from military exchanges exercises information sharing to coordinating plans and operations furthering our interoperability and deepening relationships with our strategic partners here at united states cyber command we build relationships across the services industry research community academia and the whole of government and we do it to facilitate innovation and foster collaborative sharing platforms to advance our national security interests and defend against malicious cyber activity our partnership philosophy it's baked into our statutory mission to direct synchronize and coordinate military cyberspace planning and operations to defend national interests and collaboration with domestic and international partners our practice is diverse if you're a legal professional interested in national security law we offer you opportunities you won't find anywhere else through your legal advice cyber command will be better postured to defend department of defense information networks to generate insights and options in defense of the nation and in support of other combatant commanders and to ensure enduring mission advantage for the department of defense the united states and our allies and partners if you're an administrative law or a criminal law practitioner and you're listening in because you want to try something else or you just find this work interesting your analytic and advocacy skills are what we're looking for to solve emerging problems and make lasting change if you're a contractor fiscal law wizard please give us a call national security law and acquisition law work hand in hand to enable our operators to spur innovation and maintain our technological