It's great to be with all of you today. I saw that a few of you last night had one of those shots in one of those rooms. I'm pleased to be here. I'm glad to see a good crowd. This isn't my first DEF CON. It is my first time speaking. Niko said the way it was listed didn't have enough pizzazz. She put "From Nuclear to Cyber: Alternative Approaches." I want to make sure I get the nuclear part in so you don't feel like you wasted your time or wasted your ticket here.

When I was in the military, my primary business was doing nuclear ops. Interestingly enough, when the Air Force stood up the cyber mission, they gave that mission to my command, not because they thought it was like nuclear, but because nuclear was a global mission and they saw cyber as a global mission. What I want to talk to you about today is that we somehow are quite often constrained in the way we think about cyberspace, except in places like DEF CON. What I want to try to do is... I'm actually looking to get some ideas from you, quite frankly, because the people in this room tend to think outside the box. A lot of this is about looking at things a different way, challenging assumptions and looking at the way we think about the world.

The nuclear part of this is, if you think about what we did with nuclear weapons at the beginning (I wasn't born then), those weapons were being used for war fighting. When we dropped them in Japan, they were considered war fighting weapons. Very quickly they said this is not a good war fighting weapon, and it became what they now call a political weapon. It was used a completely different way. During the Cold War, it evolved to where the weapons became something that actually caused the Soviet Union and the West to not fight, because they were so worried that if they got into a big fight a war would break out. What's interesting is the weapons took on a completely different context than they were originally created for.
I think there are some parallels to that in cyberspace, and that's what I want to try to talk to you about a little bit today. First I want to talk a little bit about some different perspectives on cyberspace, different ways to look at it. I guess I should say I want to remind you how we tend to look at it typically, from a network protection standpoint, and then I want to try to argue for possibly a different model to look at it. There would be a proactive view that looks at both defense and then assurance, the ability to use it. There's another model that DHS has put out that they call their cyber ecosystem, and I just want to show you that if you haven't seen it before (I'm actually looking for some feedback on it) and then tell you about some things we've done trying to put that to work. And then I want to talk a little bit about cyber workforce development. I want to extend that to cyber leadership, and what I mean by that is: actually, one of the big problems we would have in the Air Force is that some of our very best pilots loved flying so much that they never wanted to leave the airplane, and they got very good at it, but they could never get promoted and get into some jobs where they could really influence some of the things that were going on. They didn't complain about it, but they weren't able to move up. So part of this, in terms of leader development, is I think we need to do more of that in the cyber world, because for the most part the people that are making decisions about what happens related to cyberspace didn't grow up from the kind of beginnings that you are all familiar with.

So the first thing, and this is an old slide that I used to recognize in the Air Force, and part of this had to do with trying to get people in the Air Force to think differently about how they approach cyberspace.
What I found was that there were three different ways the people in the Air Force thought about cyberspace. The first one was the communications groups, and they said, well, cyberspace, it's just a different way that we were able to communicate, and so cyberspace is what we do, because we set up all the networks, we set up the communication lines, we manage those networks, when they break down we take care of it. That view is actually a proper view.

Then you had the intelligence community that said, well, the only way to really defend against the attacks that we're getting in cyberspace is we have to have this really good intelligence, and so the only way to be able to defend the networks is you have to be really good intelligence people. So they argued that cyberspace should be controlled by the intelligence community, because they're the only ones that would really fully understand the intelligence and what that meant.

But the Air Force actually took a different view of this, at least initially, and they said, you know, everybody uses cyberspace, and as it grows we're using it more and more, and we use it for all of our different operations. At first, the things that we did with cyberspace, we used it to extend the things we were already doing. If I could use a commercial example: these days nobody uses the Yellow Pages anymore. You go on your computer and you look something up and you get a lot of information; you can Yelp or something else and get a review. So that's an extension; that's a legacy capability where you said, I can use cyberspace to do that a little better. But then you have some people that really took cyberspace and did things really differently, like a Google or an Amazon, where they said, because of cyberspace I now do things completely differently. But up till now, for the most part, almost everything we do is through
cyberspace. We do very little actually in cyberspace, where we're operating inside the space and there's some type of transactions that are occurring inside. And so people say, well, cyberspace is a really different domain because it's man-made and you can't operate and you can't live there yourself. You know, you can go into space, you have to have a space cap, so you can't really go into cyberspace. So they've had some hard times getting their arms around this. But the point of this is that what the Air Force did was say, we're going to put cyberspace under the control of the operators. And we said: Intel, you people keep doing what you were doing, we want you to find out where the attacks are coming from and help us defend; and comm community, we want you to keep building up these physical networks for us and doing all the things so that we can operate. So, just some different ways to be able to look at this.

But then we tried to figure out how you could leverage cyberspace, to tell people, you know, the reason that we have airlines is not so that you can have a TSA. You have a TSA to do security so that the airlines can operate safely. It's the same thing with cybersecurity: cyberspace does not exist to have cybersecurity. Cybersecurity is necessary so that you can operate properly in cyberspace, but cyberspace is important because of all the things you can do with it. And so one of the things that it does is it gives you this capability to bring together all these different communities. You see them listed up here: it can be political, it can be military, it can be economic, it allows you to do a lot of social things (in fact that's one of the big areas that we see growing up substantially), and of course it allows us to have the information flows all over the world. It's all about networking, right? You have physical networks, you have these
informational networks, and then ultimately you have people networks that are using this, and that whole thing put together is what makes cyberspace so tremendous.

But it has these interesting attributes, and one of the attributes is that for the most part when people are operating there, you're anonymous. Now, you don't have to be; if you want people to know who you are you can tell them, but otherwise you don't. The other thing: if you're actually inside cyberspace, if you will, it's some kind of an alter ego that's operating there. Why? Because you can't go there. So you have a username or something, and it's what actually transfers through cyberspace. So it's a different way to think about it.

The other thing that has made it difficult for people to fully accept this is there's no such thing as time and distance. It's kind of a funny anecdote that I like to tell people about this. We were doing an exercise, and it was a global exercise: we had people in the Pacific, we had people in Europe, and of course people in several different places in the United States. We were doing a planning operation; of course everybody was using chat rooms and they had headsets on. One of the people who came in to watch this saw these two people who were right next to each other, and they obviously were exchanging information with one another, and the observer said, "That's odd, why doesn't he just turn to the person next to him and tell him what he wants?" And they were kind of flabbergasted, but they didn't fully appreciate the fact that there were another 200 people that were working on this project, but they're in all these different places. So this notion of time and distance is really different. That extends to this being able to have a virtual presence: it allows you to actually work with someone, and if you can break through the fact that you don't have the actual human contact, you can
almost feel like you're doing that.

But there are two other things about it that I show here. One is that with cyberspace, information has become a commodity, and as a result we get a lot of information; in fact we almost get more information than we can stand. Before, we used to pay to get information; now we pay people to sort our information for us, right, because you get so much. And then the last one is this idea of a smart agent, and that once again is because you can't actually function in cyberspace, so you have to have an agent do it for you. An idea of what it would be if we ever took the smart agent to its full potential: today, say you wanted to order something off the Internet, like a tie to match a suit that you had, for example. Well, you would go on to the Internet, you'd run a search engine, find some places that had it, you might look up the reviews, and then you would select that tie, you'd work the transaction, it would then connect you with whoever's going to work the credit card, and then you get your tie and it gets mailed to you. Well, if you had a smart agent doing this, you would actually just launch your smart agent, and the smart agent would then meet with all these other smart agents for you in cyberspace, go make you the best deal it can find, and then the tie would just show up in your mail, right? You wouldn't be involved with this at all. And eventually, hopefully as a matter of fact, that's where cyberspace will go, because you'll fully leverage the network and the capability that brings. But again, cyberspace is very powerful, and I'm just trying to expose a different way to think about it.

Now, this group here would understand this chart more than the typical audience that I would talk to. One of the big challenges we have, both in the business community and in the government sectors, is that the way we operate, particularly in the West, is kind of a seniority system, so you start at the bottom and then you work your way up
and so if you look at the left side, there is this hierarchical structure, and the notion is that the higher up you are in that structure, the more power you have, the more value you have, and you're also better looking, or at least that's what everybody that's at the lower level tells you, right? Well, in cyberspace it doesn't work that way. It's a network, it's a meritocracy. There is no top, there is no bottom, and your real power comes from how many connections you have. So if you have a lot of information but you have no connections, then you also have no power. The more connections you have, the more powerful you are. And the other thing is your value: it's a meritocracy, so you can have a lot of connections, but if you all of a sudden kind of get lazy and you're no longer contributing anything to the network, then your value to that network goes down dramatically. So that's very different.

Well, the problem that we have is that the people who have, after many years, risen to some good level using that left-hand model are kind of frightened by the right-hand model, and they want to push back on it. But the reality is you don't have a choice: when you're operating a global system it's going to operate like a network, you can't force it into a hierarchy. We kind of learned that with the automobile industry, by the way. We thought that because we could control all the automobile sales that went on in the States, they didn't need to do all the things from a quality standpoint, price control and everything else, and then the global market came in and the U.S.
auto industry almost failed. It was a very hierarchical approach. They adapted those same kind of methods that were being done, became a global kind of a business again, and now they're starting to thrive and they're actually doing very well. So understanding that you can't always force the model to operate the way you want is important. But for this group, understanding that you're fighting the model on the left, but you need to keep doing that, and recognize that you're operating this network, but there are people that want to connect with you.

So this should look very familiar to you. This is the traditional way that people look, and I say "they" in the Department of Defense, this is how they would look at enterprise network protection. In the interest of time I don't want to walk through it, but this came out of... there was a National Military Strategy for Cyberspace Ops that came out in 2006, and then when they were looking to figure out how they were going to implement it, they said, well, what are the different things we need to deal with? And they realized that the attack vectors that are involved in doing this are tremendous. There are all these different ways that you can get in; this community knows better than most all the different ways you can get in. One of the funny things, though, if you want to call it funny, is that they kind of ignored the social part of it, which is probably where a good 80% of the attacks actually come from. And when you look at some of the things they have, with the ways we try to do law enforcement, the CND RA, that's the computer network defense response capability, so if you launch an attack then you'd have some kind of response. But the reality is, when people look at this, they say, you know, that's an awful lot of different ways that somebody can get at me, so it must be impossible to protect. And realistically, and this community would know, if you take this pure approach it is going to be impossible, because the advantage goes to the
offense in something like this, and you can't possibly defend against every possible thing that's going to happen. So that's why I'm suggesting we need some alternatives to this; we need to have some different ways to think about this. And I asked if I could talk to this group because if there was anyone that would be able to find or come up with some ideas, I figured it would come out of this group. You're phenomenal at solving problems, right?

So there's one other thing I just kind of wanted to introduce in terms of the problem set here, and that is, if you look on the far left side of this, you see the DOD networks. Well, they're controlled and operated a certain way. They're somewhat closed; they've done a lot of work to reduce the gateways to the internet, but there are still gateways. But there's an awful lot of information that's available from a protect standpoint, so they get a lot of intelligence, and intelligence comes from a lot of different means, and that intelligence is not widely shared. Now, they extend some of that to the other government networks, and they brought in the defense industrial base, which is what the DIB stands for, because they said, you know, our adversaries are now going after the defense contractors, who are not as well defended. So based on that previous model, they're going to have to have more information to be able to protect themselves.

Then as you move a little bit further to the right, now you get into where you're dealing with, like, state; it's still government, you have state and local governments, and they get information, but they don't get as much information as they're getting on the federal side, and they don't get the same levels of protection. And of course you have the Einstein and things like that that they've tried to put in place, and they've done a lot of work with the ISACs for information sharing, and they've made a lot of progress, but again, less information available to you. And then
you get to the far right, which is everybody else. What's interesting is that the information that's now becoming available there doesn't have some of the sources that, say, the Department of Defense has, but the sources are really good, and as a result in the commercial industry people are going to, and being able to, obtain products that really do provide a level of protection. But it's still based on this old model, I guess I would say.

One other thing I wanted to show here, which goes back to the nuclear part, is you get all the way to the bottom, where it talks about the weapons of mass destruction. You may or may not be happy to know that none of those operate on a network as you would think of it. They all use circuits, and that's done for obvious reasons: they're worried about somebody getting in. The other thing is it's highly redundant, so it's not necessarily the most efficient way, but it's a time-proven way to be able to protect a particular piece of information or capability that you have to have.

All right, so I said I want to give you two different models to look at, and what I'd really like to do is hopefully stimulate some of the... come back to you there: have you thought about this model, come up with, say, a third model. But this one was actually developed by an Air Force Scientific Advisory Board study back in 2008, and their approach to this (I'll just take a few minutes to explain the chart) is they took the ISO layers. If you look in the middle you'll see the ISO layers kind of identified there, but they put them together, so you don't see seven. They put devices and linkages together, and hardware and systems together, but then they added two layers to it, a human organization and mission layer. So they started with that foundation, and they said, so what do the attacks look like on those different layers? And so what is on the left are the
things that they did to try to characterize how those attacks would be done. And when you look there, the reason I put this "attacker focus" is, if you're going to try to deal with those different types of attack, that means you have to focus on the attacker and get the intelligence on how the attacker operates. Then the other thing they did was they said, well, what is the effect of those attacks on the users? You see those listed on the right-hand side. So at those high levels there's disinformation, and then you get confusion, it disrupts our ability to do command and control. At the bottom layers you get performance loss, you lose your communications completely, malfunction. The reason they thought this would be useful is, on the right side, that's almost completely done by the operator, and we would refer to it as resiliency or mission assurance.

So what they said was that if you're going to try to deal with this problem, you would need to look at this thing and break it into component parts. I don't know how many in the room are engineers, but that's how engineers think: you take a complex problem, break it into parts. And so they would start trying to look at this thing. On the left side you have this intelligence and attack response; that's the traditional, with your network security. You have this mission assurance, which has been a traditional way that the military in particular, but businesses do the same thing, business resiliency. One of the things that the business community, particularly the financial community, does that we don't for the most part do with our networks is transaction control. So, you know, there's this anonymity on the network, but if you put controls on the network, then typically it's a ledger, journal type approach, but it makes it more difficult for a change to be made, an alteration to be made, without it being detected. If you put that in place... and a lot of businesses have those
kinds of controls every day. That's how you avoid embezzlement, by the way.

But then we put this other thing in there; we said it would be a proactive defense. What the Scientific Advisory Board said, as a matter of fact, is if you look at these different layers, if you think of them as targets, then if this were a military problem you would look at those targets and say, what can I do to make it difficult for my adversary to be successful? And there are three typical things that you do: you can harden it, you can maneuver it, or you can obfuscate it, like stealth, or make it camouflaged so it's hard to see. So they said perhaps we should identify some of these really critical areas, and that's how we should be looking to spend our resources. But part of the problem is that we have not had a lot of good proactive ways to deal with this developed.

But I want to show you just some of the things that have been done. If you look from a purely network security standpoint, and you look at this left-hand side there, what we can do is say, well, in addition to the normal thing, they've set up these virtual machine sandboxes. They've done things to monitor user behavior, to try to detect and say that's not the right person on there. Some kind of two-factor authentication. There have been some transaction controls done, primarily in the business community, because it kind of fits for them easily. There are products out that will monitor your registry, for example. In fact, in the Department of Defense now they have what's called Host Based Security System: when you first connect to a network it actually looks to see if your registry looks the same as it did before, and it alerts. It doesn't do anything to fix it, but it alerts you that the registry looks different. You can do things with the hypervisor, that you guys probably know more about than I do, that actually monitor how the operating system's behaving to
see if it looks like someone tried to put something in there. And then at these lower levels they can put in resilient capabilities, so that if something happens that takes out a router or something, there's another pathway, that type of thing. But these are still the fairly traditional approaches.

If you want to try to take a look at how you deal with these targets, these are some of the things. A lot of them become more process-oriented, but if you found some ways to put some technology behind it, it could be very useful. So the idea of the two-person controls, that's another nuke part of this thing, which is one of the ways that they make sure that some single person can't do something with a nuke: you can't do anything with it unless you have two people, and they always put the controls far enough apart that you can't possibly do both of them at the same time.

If you're trying to deal with people understanding the target: if you're a good hacker and you go in and you start looking into a system and you start doing all of your reconnaissance, if that system changes, so they rotated the process they're using, they changed the system or the process, then you have to start over again. That's considered one of the proactive ways that you can defend; that's a maneuver type or a movement thing. The session controls: there are some different products that work with session controls now that look to see if a session's been hijacked, and basically they can terminate the sessions and minimize loss of data or damage to the system when they do that. There have been some things done with operating system obfuscation that actually look like they have a lot of promise. The only reason you don't see much of it being done is that once you do that, the people administering the network have to know a lot more about the systems to be able to deal with it, because it's going to look
different to them every time, so they have to know what's behind the curtain to make it work. And then at the bottom, too, you see there (the banks do a lot of this, by the way) they shift their hardware. Rotating hardware is the same thing: if a hacker's trying to come in, one time they go in it's one piece of hardware and other times a different piece of hardware; it complicates the problem for you. And then the other thing they try to work with is device diversity. That's not what they do in the Department of Defense, by the way, which is a little bit problematic: they want to make things standard, so they're all the same, right? But with no diversity, if something goes wrong with one of them then they're all going to fail. In the business community I think we've been a little smarter about that, so you see a lot of diversity with machines, operating systems, routers, all parts of the network. So that's one way to think about the proactive defense. I bring this to this community to look at because you might have some ideas for how technology could aid this.

But when you take a look at how you do things from a mission assurance standpoint, it typically involves having some type of redundancy. If you're trying to determine if someone has done something with your sensors, if you have more than one sensor you can compare them; at least you know that somebody's done something with that. In an airplane that's pretty typical: all of the critical flight controls have a backup, and what you do all the time is check to make sure that they still are the same, and then if one of them is different, you try to figure out which one's correct and which one's wrong. You assume in most military operations that you're going to lose communication, so they put in what they call lost communication processes. If you put those kinds of things together, that's another way that you can deal, particularly with
some type of an attack like that, that actually caused your comms to go out. The redundant type apps means that instead of just using one particular application to do whatever your process is, you have more than one. By the way, in the Department of Defense that's an anathema to them. They say, we're going to standardize that, we're going to save money because we only have one. The business community says, I want to have three or four, because if one breaks or one quits working I want to have a backup. They've started dealing with some of the attacks. I wanted to go to the talk yesterday that was talking about some of the ways to beat some of the systems for dealing with the DDoS attacks, and I wasn't able to make it, but they have some things that they put in place there that at least would try to mitigate some of those effects. And then when you get down to the hardware layer, the only way to do it is to have more than one path. One of the strange things about people when they talk about cloud computing, things like that: cloud computing is great, but if you've only got one circuit leading to the cloud, then you only have a circuit. So if you don't figure out a way to leverage the cloud, and you don't have multiple pathways into the cloud or into that network, then you have a limitation. So that's this one model, and I guess I'm hoping that some of you would have some good ideas about how to do that better, or some technical ways to take advantage of that.

This next one is one that was actually put out by DHS, and their idea was they were going to try to treat cyberspace as an ecosystem. The thought there was you're going to have a static defense, but you're also going to have this dynamic defense. If you look up there, the things that they have on there under "prevent", those are pretty typical. They've inserted a couple of other things that they would like to see added, you know, like
the moving target idea that I talked about in the other one. But a big part of this thing is that you want to have a way to detect that something happened, because for the most part, most of the major attacks that occur, whether it's in the commercial sector or it's in government, it happens because they actually start seeing the impact, and by that point it's so far down the road that it's very difficult to contain. So trying to put processes in for detection gets to be important. That's still considered kind of the static piece of this thing.

On the dynamic side, they want to have a lot of information sharing. Why? Because if you're only looking at small points, it's one thing to be able to sneak under the radar because you avoid crossing a level, but if you're able to bring in from multiple places and you say, hey, there's this kind of an odd behavior, an abnormality here, and I've got the same thing here, and the same thing here, now you say maybe there's something going on, and by combining the information you can leverage that. When you see that, then they want to have processes in place to respond, and then as soon as they can put things under control, they want to have processes to recover.

Part of this recover, by the way, and it's kind of interesting: when talking to some people from 9/11, they said they thought that 9/11 was the first cyber attack, and the reason was that nobody could talk to anyone after it happened. No one could talk on a cell phone because everyone was trying to talk at the same time. The actual... when the towers went down, it took out some of the PBX system, so comm virtually stopped in New York City at a time when they really needed it, and even the first responders were having difficulty with communications. Something similar with Katrina in Louisiana: they actually saw where there was a problem occurring with one of the levee breaches, but they didn't have a
way to communicate because they had lost the power, and once again they lost... they didn't realize this when they lost their PBX system: the cell phones at that time were all tied into the PBX system, so once they lost that they couldn't communicate, so their ability to first respond was lost. So when they talk about response here, a lot of this has to do with having courses of action that get you up very quickly to where you at least have a capacity to continue to do these public safety types of things. And you see at the bottom they want to try to establish a trusted broker, and that's what they try to do with these information sharing and analysis centers, these ISACs, that they've established.

So we did a workshop at the Cyber Innovation Center for DHS, and we brought some people in from industry, we brought people in from academia, we had people from government, and of course we had the people from DHS. We actually tried to look at some different situations that we would be dealing with. First, DHS is interested in some kind of, like, a hurricane type thing, so we were dealing with a couple of different scenarios that might be a DHS type operation where cyberspace would be affected, and we started looking to see what would be the impediments to doing this. I've got pages and pages of the things that they highlighted, but a few things just to highlight that I have here, and my goal is not to read this to you because I want to leave you some time for questions. The bottom line was that even when we had these experts in the room, it was very difficult to get them to think beyond the protect piece. We would tell them it didn't work, we've lost cyberspace, and they always wanted to go back and fight it happening. We said no, it did happen, you have to deal with it now. And that mindset makes it very difficult to get these other parts resourced, because, you know, the
government, businesses for that matter, they don't want to spend money for things that they don't think are going to happen, obviously. So part of the thing we've been trying to do, the DEF CON community does a great job of this, which is highlighting the fact that if someone really wants to get into your network, they're going to get in. And we keep trying to reinforce this with people in government and in business, but then to get them to actually do the resources is really difficult. The balancing piece that you see there really has to do with the fact that they always want to put the money into the protection, which is good, but we've argued that if you assume that the protection is going to fail, there's some smart things that you can do to set the stage in advance so that your ability to basically respond, minimize the impact and quickly recover would be helpful.
We then talked about some things from a detection standpoint, that there's a lot of noise on most of the enterprise networks, makes it difficult. A lot of the things that they have that are the automatic detection mechanisms throw out so many false alarms that it's very difficult to deal with. So this is actually one of the things to go back to the operator, the operational community, so whether it's a business or the government, the people using the system, say we really need to have you not do these things, because when you do that it throws so much junk on the network that we can't really tell when something's going wrong.
There was a lot of interest in trying to set up these automatic systems to where the machines would automatically respond to deal with these things, and there's some problems with doing that, particularly with some of the drastic or draconian response you would have. So one of the things we discussed is that you really need to have a way that you can keep a human in this decision-making loop but be able to basically be operating a sensor response system that basically goes at
the speed of information. And then finally, I guess I actually talked about the last one there, about the balancing. This is really for the people that figure out where you should spend your money, that they need to have a process that figures out how to do that.
So now this is my appeal to this community here. When you look at this workforce, these are the different elements that are involved in doing this workforce, and if I went across this room you'd see that parts of you are involved in all these different places here. And you know, we do a lot of stuff looking at trying to eliminate the vulnerability, and we do a lot of things where we try to go find out what the threats are, but there's some really good opportunities in the software assurance, in the parts that actually look at the resiliency, the transaction controls, and then, you know, what are the things that we can do to help make the users of the network more accountable for their actions and more careful about their processes. I bring this to you because I think this community could actually implement this and make this work. So that's the workforce part of it.
And the leader part of this is kind of interesting. This is a typical model for any kind of a pyramid type organization, right? But you have all these different functional specialties at the bottom, and just like we showed on that little chart before, the communities come from many different places. We tend to get very good in those individual areas, but the people at the next level, which we call the operational leaders, they're the ones that are able to integrate and pull these things together. In the cyber community we haven't done a very good job of figuring that out, that we tend to be very stovepiped. So a lot of the things we've been trying to do is encourage people who have expertise in one part of the cyberspace to cross over and do something else and learn
about that other piece of it so that they can help later with this integration. At the strategic level, that's where you're actually trying to tie the thing back in and you're trying to make it useful. And the other part that we're trying to do is, we have a lot of strategic leaders today that know virtually nothing about cyberspace. They don't want to know in some cases, but it's incumbent on us to try to get them to understand the things that you know about cyberspace so that they can be better strategic leaders and they can better leverage cyberspace. So that's what I hope that I was able to talk to you about today. I think I left this with a few minutes for questions. I'm happy to take questions. I also brought my pen with me because I'm also happy to take ideas. But thanks so much for spending time with me, and I hope that you have a great DEF CON.
Where you going? You know, any questions? You with the long hair, come back here. Anyone have any questions? Come on.
Yeah, needless to say, they don't give us wireless mics here. You really tantalized us with a conversation about nuclear weapons and that they're not connected to the internet but connected via circuits. I know you probably can't give us details, but at least tell us you've got the best people on this and it's all two-man control too.
So yeah, no, the Department of Defense and the Department of Energy both put their best people on it. It's kind of interesting, you know, we talk about this two person thing. By the way, it even goes, the Department of Defense does not own the weapons, the Department of Energy, and it's done that way. Everything's split right down to the weapons itself, so the Department of Energy owns the weapons, not the Department of Defense. So it's that kind of approach that they really try to lock themselves into. I tell you, it's kind of interesting if you think about administrators on systems, and see, the banks do this by the way, they set up their super
administrator accounts and it takes two people to be able to get into the log or do anything to affect, because they don't want anybody tampering with the logs. It's once again a two person approach to things. The point is there's a lot of things that we can do that wouldn't necessarily cost a lot of money, but we just haven't had the people think it through enough to figure out how to do it. We don't have the people with the expertise.
So earlier you drew the comparison between, like, TSA and cybersecurity. I was wondering, so we know if we don't have a TSA, we know the kinds of things that can happen, you know, people put bombs on planes, people turn planes into bombs. Could you imagine a cyber world without a dedicated cybersecurity force and what that would look like? Why do we need that in a way that we need the TSA to protect lives?
Well, when the internet was established, and what's funny about the internet, it was, when you go back to initial ARPANET, in fact I'll give away some of my age, I mean, I got to use one of the initial ARPANET terminals, and it was just a research thing, and it was just trusted people that were working together, just like you would go to a bar and you'd tell your buddies a story about something going on in your life and you trusted them, and that's the whole origin of this thing. So now what's happened is, after the fact, we're having to figure out a way to make sure that people don't use it against you, if you will. And so the cybersecurity is basically how people can still use cyberspace but have a way to feel like they're still protected. But the reality is, I think you need to have a dedicated cybersecurity force, but I also think that one of the mistakes that we make is we let our users off the hook, particularly on these enterprise systems, and we don't hold them accountable for their actions, because the best defense at the point of the spear is for that person, that
operator that's on the system, to say, you know, that doesn't look right, and then do something about it rather than wait until it gets to be so big that you do have to have the cybersecurity professional come in and deal with it. But no, there's no way we can ever go back. The cybersecurity field is going to continue to grow. My argument here is there's some other ways it should grow beyond just purely a security standpoint and expand into this defense, a more proactive defense, and possibly even this mission assurance type of an approach.
So I'm sure everyone is happy to hear that Elvis Presley is in the house and has a question about cyber.
Thank you very much, thank you very much. I'm Elvis, you may have heard of me, I'm kind of a big deal in the city. So one thing that has happened in history is, like, for Pearl Harbor, you know, Pearl Harbor came out of nowhere and brought us in. Even 9/11, before 9/11 there were people already saying the things that needed to happen, and no one wants to spend money until after the crisis. We even saw it for Y2K, and you know, you were probably like 50 then. So even for Y2K, though, there were people saying, you know, there's problems in code and when it rolls over there could be a problem. There were people that told Congress this, and we always waited till the last minute. For cyber we're doing the same thing, we're saying the same stuff, and I'm glad that you're here and you're giving a lot of good information, you're soliciting information, I think that's great to partner like that. But what's being done to actually get the wheels to actually turn? Are we going to have to have, like, a cyber Pearl Harbor before anybody really wants to put money into this? Because everything's going to cost money no matter how smart we are.
So that's a great question. So first of all, the bad news is that history has a tendency to repeat itself, so before we really see them putting the money into this that they need to
there's probably going to have to be a cyber Pearl Harbor. That's the bad news. The good news is that in a lot of the sectors, business people like to make money, but they're also risk averse, so they actually bring in risk management principles into the way that they do these things. So a lot of these companies are now starting to invest the money that they need to, particularly the larger companies. I'll tell you, the defense contractors, they now, with what they now know about what the threats are, they're definitely putting money into these types of things because they're fully aware. The banks understand it. Some of the other communities have done that. So the communities that recognize that their ability to continue to operate the way that allows them to make money or to do with their business, they are now starting to put money in those kinds of places. But we're still, like, at maybe 10 percent of all the sectors in the United States, and everybody else just assumes that the government's going to protect them from this, and this is not something, I mean, CYBERCOM is not going to protect the small business owner from a cyber attack. And once they figure that out, that's the first thing. It's like I tell people, it's like the 12 steps, you know, for an alcoholic: the first thing, you gotta admit you have a problem. Most people... and I said that, the thing that scared me when we did this one workshop, I had these experts in there, and even with those experts they kept trying to go back and say, well, clearly we'll figure out a way to keep this from happening, and it's very difficult to get people into that mindset. It's one of the things that you guys through these conferences do, is you highlight to people that there are these vulnerabilities, and hopefully, you know, repetition, they'll hear it. And so I applaud you for doing that and I encourage you to keep doing that, because it's the only way we're going to get
the message across.
Three questions. One question, there's two other people waiting, we gotta get out of here. Okay, I'll say all three, get one, so you get to answer all of them at once. I like it. Okay, that is just not... you're manipulating the system, that is inappropriate. Wow.
One of the things that we've seen DARPA do is that they've engaged the community through the Cyber Fast Track. Apparently Cyber Fast Track has now been turned off. Will DHS or anybody else pick up this, or will the money go to the big contractors and slow innovation, or will we see the same kind of initiative engage this community to develop those unique ideas, those unique defenses?
Yeah, so I didn't realize, I thought that DARPA still had money in the Cyber Fast Track, but defunded, but that is somewhat typical for DARPA. DARPA's thing is supposed to be able to get something started and then have others try to pick it up. So what I can tell you is DHS does have some programs. In fact, the stuff that I do at the Cyber Innovation Center, which is pro bono work for me, is work that's actually funded by the National Science Foundation and by DHS. But if you go around the country, there are a number of, and they tend to be non-profits, that have stood up all around the country that are starting to take this thing on, so it's becoming somewhat of a grassroots effort, and I'm actually encouraged by that. There is a lot of interest to do that. So the other... it's not going to have the kind of funding that the DARPA was able to put into, though. That's the challenge.
Yeah, the other thing that's being defunded is the DIB. You've mentioned the DIB during this whole process. Who's going to take that initiative?
Well, so the DIB pilot went up at the... but the information sharing continues, so it's all important. They do still have the information sharing piece, but they're using the ISAC to do it now. Yeah, sir.
To what degree do you think, from an IA, information assurance, standpoint,
we can start selecting for what Nassim Taleb, the guy who wrote Black Swan, would call anti-fragility, the sense that right now we're in an environment of large, small, of few large targets, large fragile targets, crack once, exploit everywhere, where what we need to do is start going towards a diversity of smaller, more robust targets? How are we going to get that change ground, since the business imperative seems to be towards consolidation, conglomeration, and single source support, much the way, at standardization, much the way the DoD does?
You're exactly right too. It's a huge problem, because particularly in the business community they're looking for efficiencies. I mean, sequestration in particular, everybody's looking for efficiencies in government as well. Where I see some encouragement, by the way, for your question is actually in the business community, and the process that they're using is called a risk management process. They apply it across their business, they're now starting to apply it to their cyber systems. What I'm worried about is that they're now starting to do some things like in the industrial sectors, with the industrial controls of things like energy, transportation, starting to look at this, but it turns out they're looking at it and they say, you know, we designed it to be this very efficient system, it's difficult to go back in and re-engineer it to be the other way. But they are starting to do it now. The only way to keep this thing going is we have to keep, you know, we have to keep telling the business owners, we have to keep telling the Congress, that it's important to not put all your eggs in one basket, and demonstrate to them what could happen.
Sir, you did a lot of talking about the processes and the high level strategies. One of the things I've seen over and over again in government organizations that I've worked with is that this is about the people. The government has gone to a point where it's about the certifications,
you have DoD 8570 and so forth, to where we've lined a lot of pockets of certification companies in an effort to prove that people know these skills. But on the outside, in the commercial sector, that doesn't seem to be the case. They don't have as much desire to have people with certifications as to be able to prove that they can do the job, and if they can't do the job they move on, and they have a hierarchy set up to allow people to grow within their organization. In most government contracting companies that I've seen, and in the government military and civilian markets as well, they average, they want people to get a large breadth of knowledge. Is there any thought about maybe changing that paradigm to where we get specialists, where we let people focus in on the technical aspects, on the things they like to do that they're good at, and let them stay there without penalizing them within the system, and maybe getting away from making it so hard to get rid of people, and encouraging growth from within?
Yeah, so to be perfectly honest, I still have friends in government that work on the personnel sides of things, and they actually are looking at the exact type of thing you're talking about. A lot of the standardization piece actually was kind of funny. They actually were trying to mimic what they saw on the outside, and they said we should try to do something like that, but of course whenever the government does something it turns into, it's very bureaucratic, and you kind of lose sight of the actual objective and you get locked into all the processes, the bureaucratic processes. But there's a huge effort, number one, to try to grow a cyber workforce, particularly in the Department of Defense but in the other government agencies, and they're looking to find ways to make it attractive, quite frankly, for people to do that. So the types of things you're talking about are all being considered. And so one of the things, by the way, I'm not in that business myself, but you know,
I have a lot of friends that still work with that, and so I'll give you my card, because let me make sure I give you a card before you run out of here. Yeah.
All right, so we need to close the stage for the next speakers, but we're going to take the general over to the chill out cafe, so he'll do some Q&A there before he heads out to the airport. All right, thank you very much.