I want to thank everyone for joining us online as well as the participants in this conversation. As was described, this is an event to explore how to hack DC more directly. What is the future of cybersecurity and cyber threats? And to discuss it, we've put together just a fantastic panel of leading experts on this topic. To begin, we're joined by Nicole Perlroth, who covers cybersecurity for the New York Times, and also looks set to win Room Rater with her background there. It's phenomenal. She's the recipient of a number of journalism awards for her reporting on topics like Chinese government, intellectual property theft, etc. She's also the author of a forthcoming book, This Is How They Tell Me the World Ends, that is the untold story of the cyber weapons market. Then we have Senator Angus King, who is Senator from Maine and before that Governor of Maine. And along with him is Representative Mike Gallagher, who is Representative from Wisconsin and before that United States Marine. And they are the co-chairs of the Cyberspace Solarium Commission, which is a bipartisan commission of leaders and experts that issued some 80 recommendations on how to improve US cybersecurity strategy. So it's a phenomenal group and the flow of this is, rather than having it be each person giving a presentation, we're gonna take advantage of the fact that we can all be online in exchange. And so we're just gonna kick questions back and forth to each other. And so I'm gonna start it off. And the very first question is essentially tackling right on that topic. I'd love to hear from each of you what is one way that you think cybersecurity is going to be different in terms of the threats of the future. So let's just go in the order that I introduced. Nicole, why don't you start us off?

Well, I think in the future, the big obvious one that comes to mind is Internet of Things. And we are just plugging everything we can online. We have been for the last decade.
And so all of these threats we're seeing right now in terms of ransomware. I think in some of the more destructive attacks, I think we're going to unfortunately see an IoT component to those. In the future, I think right now we haven't seen a number of attacks on IoT systems beyond some of the targeted attacks. There was the recent attack on the water facility that Israel has blamed on Iran. There was the attempt on the Rye Bowman Dam in New York. But we haven't seen these things at scale. And so I think that is really where the threat's going to move over the next decade.

Senator King.

Well, I think everybody's thinking about elections right now. And the more I think about it, the more vulnerable I think our elections are. We keep having warnings, but things don't necessarily change. I mean, last week in Georgia, apparently it was a semi-disaster. Wisconsin wasn't good. 2016, we know what happened. Our election system, the conventional wisdom, is our election system is such a hairball that it's nothing to worry about because it's so decentralized. I'm not so sure about that. I mean, a sophisticated actor can tell you, anybody can tell you which counties in Florida you should go for, which counties in Wisconsin or Michigan. And it really doesn't, wouldn't take a hell of a lot. And I think we are way more vulnerable than we think. I've had hearings with secretaries of state and chief election officers and they're almost cocky about how invulnerable they are. And I just don't believe it. And I'm very worried about the election in 2020. I think it could just be, and I guess the final point would be, if you think about it, elections are exercises in trust. The day after the election, somebody tells you, here's who won. And you say, oh, OK, and you move on. What if that whole basis of trust is undermined one way or another by manipulation of how results were reported or what actually were voted or who got to vote or lines at the polling place, all of those things.
And then, of course, you add the coronavirus on top. I'm very worried about the vulnerability.

Can I ask you a follow-up on that? My nightmare scenario related to that is not just attacks on it, but you phrased it as, in the normal times, you find out the night of the election, the results. But if what we've seen out of, for example, right now in Georgia, it seems more likely we're going to see an extended period of time of just the basic counting of them. And that's in a scenario in Georgia where you didn't have, it looks like, a major cyber attack. How do you think we're going to be able to weather the storm if we have a delay in terms of the reporting, particularly coming from battleground states or districts? What would that look like in your space?

Well, every day that goes by will be a new layer of uncertainty and suspicion. Conspiracy theories will be rampant. People will be saying, what's going on in Broward County or what's going on in Green Bay? And it's a, I just, again, I go back, we take so much for granted in our country. And one of the things we take for granted is you go and vote. Your vote's counted that night. You find out who wins. Suddenly, if the trust and confidence in that system is undermined, that invites, I hate to say it, but it invites violence. It invites people going into the streets who feel that their votes weren't counted or something crooked happened. This is, we had an election in Maine in 1880 that was so close that we ended up with Joshua Chamberlain locking himself in the state house in order to talk down an angry mob. I mean, we almost had a civil war in the state over an election. And it just, I just don't think we're anywhere near ready. I hate to be doom and gloom about it, but that's what worries me right now. And it may be a foreign actor, it may be a domestic actor, or maybe several foreign actors. All they got to do is undermine that confidence and trust and they're 90% home.
Representative Gallagher, do you want to get in on this point or a different scenario?

Well, I just want to note a fun fact, which is that 1880 election was the first vote that a young Angus King actually cast. So, personal experience. Okay, I'm joking, Angus.

Hey for that, Gallagher.

No, I very much agree with everything Angus said. We had a lot of recommendations in the initial report related to election security. And then our pandemic annex not only talks about that, but also has a recommendation related to internet of things which Nicole talked about. And I agree very much with what she said. So, you know, if I am trying to think about the future of cybersecurity, I mean, I think it's obvious to suggest that it will be AI enabled, it will be faster, adaptive, intuitive. And that means that the threshold for access to tools will be lower and a lot more non-state actors that will be able to do serious critical infrastructure damage. We were talking the other week about, you know, the next horrifying scenario, the next Columbine doesn't need to be carried out with a gun. It can be carried out by an ambitious young person with knowledge of cyber weapons and tools. And so that really concerns me, but I also think it's bound up in this bigger question, which we're starting to ask ourselves and for which there's a ton of proposals emerging on the left and the right about how we responsibly decouple our economy in critical hardware and software from China. And I think what the coronavirus crisis has revealed is how dangerously dependent on China we are. And I would suggest that regardless of who wins in November, and regardless of who's president in 2021 or 2024, I think we are on an inevitable process of selective economic decoupling from China that has important ramifications for cyber that's going to be extraordinarily difficult.
And then the final thing I'd say to bring it back to the scenario that Angus was talking about in terms of that uncertainty surrounding the next election, I mean, add into that mix, you know, state-sponsored propaganda, whether it's Chinese Communist Party apparatchiks on Twitter spreading misinformation or whether it's Russian actors spreading misinformation. And so unless we get our act together now, I think we're going to be in a very difficult situation over the next couple of years.

Can I follow up on that? You said unless we get our act together now, what does that mean? What specifically ought we to do?

So at least in the pandemic annex that we talked about, we really emphasize a lot of reforms, the Election Assistance Commission, for example, needs to be able to distribute grant funds to state and local governments so that they can ensure that alternative methods of voting can move forward so that the administrators are prepared for possible rescheduling of voting. We suggest that the pandemic also illustrates the need and importance of paper-based systems to sufficiently audit and certify a vote. We believe we can't afford to have several ballots be voided and that a paper-based system to check that any electronic system is accurate and makes sense. And we recognize the irony of a fancy cyber commission recommending paper balloting. But there's a variety of proposals related to election security in particular, but then we talk more broadly about the need for civics education, cyber education in K through 12 education so that we can educate the next generation about the nature of propaganda and interference, but also the importance of voting and things like that. And I defer to Angus for anything else I missed there.

Well, Peter, one of the big problems we're facing is the disorganization of the federal government in terms of dealing with this. One of our, you asked a question, what should we do? And my glib answer is read our report.
We have about 80 recommendations. But one of the major ones is the creation of a position of national cyber director in the executive office of the president, Senate confirmed, presidentially appointed, Senate confirmed. There needs to be somebody overseeing the crazy quilt of cyber activities throughout the federal government and involving the federal government and the private sector. 85% of the target space in cyber is in the private sector. So the relationship between the private sector and the federal government is really crucial, but right now there's no one in charge and there's no one who the president can go to and say, work on this or you're in charge of this, you're responsible for this, you're accountable for this. We think that's a very important recommendation. We're working, the White House is resistant to it. The national security advisor, I suspect doesn't like it. No national security advisor would because it's some diminution of their authority. But I think it's one of the most important recommendations we have, the other is to develop a strategy of continuity of the economy, planning. We learn from the pandemic. We should be thinking in advance about the unthinkable. What happens if the entire Northeast energy grid goes down or if there's a simultaneous attack on water supplies across the country? What do we do? What are the steps that we take? Who do you call? Who do you activate? All of those kinds of things. So the two of the really important recommendations are national cyber director and setting up a really strong structure for developing continuity of the economy.

So Nicole, I've been watching you. You've been nodding. How do you assess, so we've heard these are the various things that have been proposed. These are the things we ought to do. You're an observer of this space. How do you assess the likelihood of them happening in time?

Well, I was actually quite impressed with the report.
I had just finished my book and I just finished the epilogue in my book where I'd come up with solutions. And then the report came out and I put them together and theirs was better. They nailed it. It was the we need a coordinator in the White House. We need someone running point on this. I don't know who that person is right this moment. We need someone, especially with the election threats I've been documenting over the last six months. It is not just Russia anymore, although Russia has been extremely active in the disinformation space and amplifying the arguments we're already having with one another and starting with one another. But Iran is targeting the Trump campaign. China was recently caught trying to break into Biden staffers' personal Gmail accounts. We know this is happening. This is very real. It's the only difference this time is that there's going to be many more players. And so I was really nodding along with what the senator was saying about, we're constantly being told that the one thing that saves us from election interference is just how decentralized and tangled up it is. And after what happened in 2016, I totally disagree with that and agree with the senator. All it would take is something like we saw from software errors, not a cyber attack in Durham County when people showed up to what in that case was a blue county in an otherwise red or swing state and couldn't vote because the e-poll books had shut down. And then later we learned through these leaks that the e-poll book company had been breached by Russia. And we didn't know until six months ago, so almost three years after the election, that it was actually technical errors that were to blame. And there was a lot of tension there between the state, the Secretary of State in North Carolina, and Department of Homeland Security just taking a forensic look at their systems. 
And it just stuns me that we only found out less than a year ahead of the next election that actually now it was software errors and IT configuration issues to blame in a situation that had this terrible recipe for an election that we would all continue to doubt. And one of the words I hear tossed around to describe what you were saying earlier, Peter, about the delays is this idea of a perception hack. Right now, we are more divided as a country than any other time I can remember in modern history. And all it would take is a situation like we saw in Iowa with the Iowa Democrats primary, where the caucus results were delayed for a couple of days for people to doubt the outcome of the election. And if you start doubting the outcome of an election in a political climate where we have a president that continues to use the word rigged to describe mail-in ballots, you really do have a recipe for a disaster. I was nodding along. I am equally terrified.

Yeah, I think there's an interesting connection between what you raised on IoT and also in discussing the emerging threats to elections is that while the narrative in both is sort of the whole system goes down, the all the power goes down or in 2016, as Representative Gallagher alluded to we saw disinformation campaigns that targeted the entire U.S. My sense of what looms in both IoT targeting but also on the election side is more specific kind of micro-targeting. Whereas, you know, so it's not all smart cars are hacked. It's rather a specific number of them. All the way down to, you know, we play this out in the Burn-In book, a single smart home being hacked as a new kind of crime, committing arson against one home, or it's not every single water treatment plant in the entire U.S. because there's this patchwork quality to it, but I go after one. Same thing in elections. I don't try and spread disinformation targeting the whole because that's a lot easier to detect now.
I go after this specific district or this specific slice of voters or maybe it's the voting machines in a certain location. And that the intelligence side of it's gonna be a lot harder to detect. I wanna throw the question back.

Peter, can I ask on that?

Yeah, go ahead, jump on in.

But does that, I mean, do we need some more widespread, what I would call Battlestar Galactica fail safes? I mean, for those of you less versed in nerd culture, you know, the idea that, you know, the Galactica is the only ship that survives because it's the least advanced, right? So as we ponder IoT and 5G future where everything is connected and the attack surface for bad actors is essentially unlimited, do we, particularly in the military domain, need to build in more fail safes or maybe less networked equipment or something else to minimize the risk of catastrophic cyber attacks?

I think there's a different, you know, while I love and we could spend the whole time doing, you know, BSG and frak and talk like that. To me, the parallel is we want escalators that fail in a way that doesn't mean the system collapses. So you want a system that allows you to have the most advanced, but if it doesn't work, you still have a fallback.

Peter, there was a perfect example of that in Ukraine in December of 2015 when we're pretty sure the Russians hacked the Ukrainian electric grid and they brought it down and they flooded the call center and they brought down the electric grid, the lights went out and it only, but it only lasted six hours and the analysis of why did it only last six hours was that the Ukrainian electric grid wasn't fully digitized and there were some old fashioned analog switches and, you know, people who had to go and throw breakers and it's exactly what Mike was talking about.
It was, you know, back to the future that because, and actually, we passed a bill here about a year ago that is asking the Idaho National Lab to look at, are there places in the grid where we could undigitize, not to screw up the whole architecture and, you know, literally go back to the fifties, but critical places where it can be isolated more easily and a hacker can't control it because somebody physically on the ground has to do something. So that's, I don't think that's an unrealistic proposal at all and in fact, it's what saved the Ukrainians during that situation back three, four years ago, five years ago.

And I would just add, I was in Ukraine last year and they were about to have their elections and it's all done on paper. The idea there that you would ever digitize any part of the election is just laughable, laughable over there. And if you remember, they had a hack back in 2014 where they didn't hack the election, but they hacked the reporting system to project a victory for a far-right fringe candidate and they caught it just in time. But ever since then, they've completely rolled back any effort to digitize any part of their election and I think that's a model for us.

Nicole, can I ask a question back at you? So we asked you to evaluate sort of what you see of the space. Let's self-evaluate. How is the media equipped to report these kinds of stories, whether it's IoT hacks or election hacks? Do you think the media is well-equipped to tell the story the right way or will it either spread fear, uncertainty or doubt or even in some situations aid the attacker in their very goal to spread distrust as the two members of Congress have laid out?

I knew you were gonna ask this. So I think, no, I don't think the media is prepared. And I think, I mean, one of the things I've tweeted publicly and I've said publicly is we need to be very prepared in the media for when the hack and leaks come. And I do expect they will come this election season.
We need to have a big red box at the top of those stories to tell our readers where that material came from, if we plan on reporting on it the way that the media reported on some of those hacks and leaks in 2016. That's just one example. I think people really don't understand, let's just look at Russian disinformation right now. I don't think people, and I don't think the media really understand what it looks like. I think when we got that report in February that Russia was once again trying to meddle to reelect the president and also to boost Senator Sanders' candidacy. I don't think people really understood what that looked like on the ground. And what it looks like on the ground right now, I'm just working on the story that I think will be out today if it's not already out, is it's just, Russia is just pushing distrust, they're just pushing populists versus the establishment. The ultimate goal is total is that we'll be tied up in so much of our own political infighting on both sides of the political spectrum that we won't be equipped to check Russia as it maneuvers however it wants. And I think that's actually already playing out. And so I don't think the media fully understands what that dynamic looks like in that partisan infighting and these vitriolic partisan battles we see playing out every day is the goal. And I think if we had some broader informed perspective about what the ultimate end goal of these Russian disinformation campaigns look like, we might be able to at least have a couple of paragraphs in some of these stories that offer some of that context and right now I don't think we're anywhere there.

So I wanna toss this back to the members of Congress. You are part of what feels like one of the last or bipartisan efforts, at least observing from NASA. Do you think that is possible in our space?
Well, let me respond first because last week, Peter, we had the markup of the National Defense Authorization Act and we got I think 10 or 11 of our recommendations into that markup and there's room for several more as we move forward in that process. And that was all on a bipartisan basis. This commission was a very interesting one. There were 14 members, four members of Congress. And of course we know their party. There were Mike as a Republican and Jim Langevin in the House, a Democrat, Ben Sasse Republican, I'm an independent. And so that was the makeup there. The other 10 members of the commission, which came from the administration or from the executive and from the private sector, I haven't the faintest idea of their politics. I haven't the faintest idea of who belongs to which party, how they voted, who they supported. And that's the way it ought to be. We had over, I think we had 30 meetings and lots of discussion, lots of debate and differences of opinion. Partisanship was never, there wasn't a whiff of it and that's how it should work. And I think we're gonna be able to do a lot of the recommendations on that basis. This doesn't seem to be a partisan issue. I'll never forget one day in the intelligence committee when we were talking about, you know, the Russians and the Trump campaign, Marco Rubio said, look folks, Putin is not a Republican, he's an opportunist. And next time it could be us. And I thought that was an important insight that somehow right now, you know, at least in '16 the Russians were attempting to help Mr. Trump. But next time they may not, they may go in the other direction. This is dangerous, no matter what the party is. And so I don't see this as a partisan issue. It has a partisan flavor now, particularly when you talk about Russia because the president has never acknowledged that Russia played an active role in that election, unfortunately, but by and large, I think people understand this is a danger.
And individual candidates are starting, we're starting to see and feel this either from other countries or, you know, the whole thing about deep fake and conspiracy theories and wild accusations altered photographs, all of those kinds of things, that's starting to happen to us as individual candidates. And that's when people understand the nature of the threat.

I was just gonna say, I think Angus really set the tone from the top of the outset of a bipartisan tone or a transpartisan or whatever the term is. And it was his leadership that I think got everyone to work together. There were a lot of times when I is sort of, you know, I'm supposed to be the evil hawkish Republican on the commission, I felt like the dove. And, you know, Angus and I had tensions on certain deterrence related issues. But I think ultimately what we're trying to do in the report, and Nicole, you're incredibly kind with that assessment, was to lay out a strategy that we call layered cyber deterrence and a set of reform measures that will endure beyond the November election or at least convince a group of people in the White House and Congress to study these issues with not just a short-term, reactive perspective, but a long-term, how do we restore some semblance of deterrence in cyberspace and cultivate that expertise both within the executive branch and the legislative branch that we think is necessary to defend the country in this space. And so it creates a lot of very strange bedfellows. Some of our strongest allies when it comes to the National Cyber Director recommendations are actually Republicans in the Senate and the whole thing is just, you know, it really, there's no clear ideological or partisan fault lines a lot of the time.

I wanted to weave in a question that Anand Shah posted on the chat which is about the coronavirus pandemic. And they framed it in terms of how did it lead us to think about critical infrastructure in a different way.
And Senator King, why don't you lead off, not just in terms of, why don't we frame it this way? How did the pandemic affect your thinking? So you had this report come out, 80 major recommendations, and then we've moved into a new phase in American life and politics, and you've recently had a series of follow-on recommendations. So how did the pandemic affect the way that you and the commission were thinking about these issues?

Well, that's a really good question. We, in fact, when we found ourselves in the midst of the pandemic, the report was released. The release of our report was one of the last large gatherings in Congress. I think it was something like March 11th. And if it had been two or three days later, we probably wouldn't have had that meeting up in the Hart Senate Office Building with a couple of hundred people. But we then found ourselves in the middle of this and we said, well, what can we learn from this? So we did additional study and discussion and created an appendix that was released a few weeks ago about lessons learned from the pandemic. One clear lesson is the whole work at home idea, which has been, which has really sustained us through this thing has created a whole new set of targets or at least an expanded set of targets. I mean, imagine for a moment what the effect on our economy would be if we didn't have the technology to work at home. We had, you know, 40 million people out of work. It would have been more like a hundred million if all the people that work for insurance companies and engineering firms and those kinds of things couldn't have worked from home. So that's created a whole new target space. That's one thing. It also pointed up the importance of, gets back to the national cyber director, having somebody in charge, having somebody in charge, not only of the response but of the planning. It goes back to the, it sort of underlined our belief that there has to be continuity of the economy planning.
I mean, in some ways the pandemic was a wake up call or even more than had been before that saying, you know, here's how interconnected you are. Here are the risk levels. Here's what you should be thinking about and that you gotta be planning ahead. You gotta think about the, it really is think about the unthinkable. And, you know, that's how you learn. I mean, in the military, you always have an after action review and we ought to be looking at the pandemic and the response, which by the way, is not over by any means and say, okay, what do we learn from this and how do we apply it to a similar kind of catastrophe only on the cyber side?

Representative Gallagher.

Well, we had our first cute child alert in the background there.

We did. We brought in extra cybersecurity advice and expertise.

Very good. I should say, I went to college with Nicole and I was, I mean, I was a nerd talking about Battlestar Galactica. So she may have been unaware of my existence, but it's been awesome to see all of her success in her great work. So I agree emphatically with everything Angus just said. I think if anything, the pandemic, not only I think reinforced recommendations on reorganization, National Cyber Director, but made us realize that we undervalued security of internet of things to tie it back to something Nicole mentioned at the outset. So one of our new recommendations is to ensure what to get Congress to pass an IoT security law focusing on known challenges like insecurity of wifi routers and mandate that devices have reasonable security measures such as those outlined under NIST's recommendations for IoT device manufacturers. And I think that recommendation kind of gets to this, this needle we tried to thread in the report of, we very much did not want to take a prescriptive, top-down, heavy government mandate and regulation approach. We want the market to work, but we do believe that the federal government needs to create incentives in this space.
And certainly when it comes to cloud security and IoT, that's an area where we try to do, we try to achieve that incentivization without being too heavy handed from the federal government.

So one of the questions that has been posed in the chat is our workforce capabilities. This is both the technology and the people problem. And as a number of reports have alluded to, we have insufficient talent in this space. There's a number of scrunch. What do you think are the best ways to go after that? And how are we doing in terms of meeting our current and future needs?

Well, it's a crucial requirement. We discussed the workforce pretty extensively in the report. We've just got to think in a whole lot of different ways. We need to have scholarships. I mean, this is talk about back to the future. My mother went to college in the 20s on a scholarship, which basically said for every year, you get to go to William and Mary. You have to teach for a year in Virginia public schools. It was a kind of indentured servitude, but we need to be thinking about those kinds of things. You know, the ROTC, we need a cyber ROTC, where we provide scholarship help and support for students who make a commitment to public service when they get out on the cyber side. We also, and I've talked with the military about this, we have to think about what the real requirements are for a cyber warrior. Do you really need to be able to do 100 push-ups in order to be a cyber warrior? Maybe, you know, I don't mean lower the standards, but just we need to think a little bit differently. There's an enormous amount of cyber talent out there. Think of all the kids who at this very moment are playing pretty sophisticated video games. We need to figure out how to tap that talent. I was told the other day there's something like 35,000 IT related jobs in the federal government that are empty. So to say there's a need is really an understatement. So it's got to be a kind of all hands on deck.
There's no one solution, education reform, scholarships, marketing, all of those things, but it is a serious problem. And it's one that we need to address in a, you know, no single solution, but in a multiplicity of ways.

So Representative Gallagher, I saw you nodding your head on that, you wanna jump in?

Well, I just think we have a lot of recommendations on, you know, 20% increase in the CyberCorps scholarship program, trying to get the military to improve its transition assistance program. So when you transition off active duty, at least when I went through it, the program was terrible. It doesn't set you up for success, particularly for a young lance corporal, you know, seeing if you can spot and identify the people that have talent and immediately as they come off active duty, slot them into a cybersecurity role. But I think, and maybe Angus would disagree on this, but I think as we looked at this, we kind of came to the conclusion that even in the best case scenario, if we really improve pay, improve hiring flexibility, you know, allow that young kid with purple hair who doesn't wanna do, you know, push-ups or get a high and tight to nonetheless be a cyber warrior, there's still, we get to this point where we still are never gonna be able to compete with Google and whoever on pay and lifestyle, right? But we can't compete on mission from the federal government, right? The NSA has a cool mission. I mean, you can do things there that you can't do anywhere else. Similarly, if we elevate CISA and make its mission just as appealing and as sexy as Cyber Command and NSA, we believe that an organization like CISA, which is charged with defending our critical infrastructure and our domestic networks, can occasionally compete with and attract talent and beat Google and Facebook and the other companies that might be able to offer a far bigger paycheck than the federal government ever will be able to.

Can I follow up?
We've talked about the pipeline into the military or we talked about CISA, why do we not have an auxiliary for that in terms of, you know, not people becoming direct cyber warriors, but a broader, you might think of it as a reserve corps. You think about what Estonia has in the Cyber Defense League. What we have at certain state levels, Michigan has a cyber corps that's, again, not part of their National Guard. It just strikes me as such a gap that the Coast Guard has an auxiliary that helps it do boat inspections. We have the Civil Air Patrol that can mobilize to help with aviation-related emergencies. And yet we don't have a cyber equivalent. What would fill that gap? Because again, if it's just sending more people into the military or directly joining government, it still leaves a massive gap.

Peter, we almost do in the sense, there's a lot of cyber capacity in the National Guard. People who work in the private sector as engineers, IT engineers and other things who are in the National Guard and there are Guard units around the country that have tremendous cyber capability. So that's not a full answer to what you're talking about, but I think there is activity going on in that area. And I agree with what Mike said about making the transition out better. Peter, I don't wanna miss since our time is running out, talking about the international aspects of this and norms and standards. Part of our report talks about the importance of having international norms about cyber crime and use of cyber so that it's part of the deterrent strategy. We want malicious cyber actors to know that they're gonna be international pariahs if they do so and they're gonna pay a price internationally. And that's an important part of our recommendation. I just wanted to be sure we got that message across.

Can I chime in?
We do ask CISA to look at the creation of a civilian cyber reserve, ideally creating something that might, when I got out of the Marine Corps, I did the reserves for a little bit, but I ended up just not wanting to do it. And I think there are a lot of people for whom they wanna serve, but maybe the National Guard or the reserves isn't an attractive option. So theoretically CISA could create something that's a bit more attractive. But I'd be curious, Nicole, if you mentioned the epilogue of your book and kind of recommendations you laid out, did you arrive at any hypotheses about the human element of this and how we can improve recruitment? So I do think it's the most important part. It's all about getting-

I agree and thanks for asking. I think one thing that we have to always remember is we're at such a disadvantage in a capitalist society and a democracy. We don't have the same advantage that China does where it can tap some of its best engineers in the private sector to do some of its moonlighting and contracting after hours. And we don't have the benefit of being a Russia where we're just gonna let an entire cyber crime industry do whatever it wants, so long as it doesn't hack inside Mother Russia and does favors for the government every once in a while. We just don't have that. So we are already at a huge disadvantage in this case. And I think some of the efforts, I think they are still baby steps, but I think they're moving in the right direction and might be a model for scaling up is within the Pentagon right now, they are doing within the, and I'm sorry, I'm blanking on the name of it, but it's the digital defense agents, something. You can look it up. They basically, they are taking people for one two-year tours of duty from Microsoft, from some of the security firms just to take a look at some of the low-hanging fruit on .gov and .mil and locking up those systems. So that's a start.
They are also engaging Synack, for instance, and some of the private bug bounties where they're calling in some of the best engineers from Microsoft, from the security space, from the hacking community, and asking them to take a look at the networks that are attached to our weapons systems, for instance, and patching up those holes. But I actually think we could do something even more ambitious, something like a Google Project Zero where we recruit some of the best security people at these companies. It wouldn't even have to be two years. It could be a year. Spend a year doing the service for your country, get Google to help with some of the pay on the back end or some of these technology companies or something like the Linux Foundation, which is really interested in locking up our open source code and get people who are big names in the space to volunteer to do a year of duty, basically hacking the government and seeing where we are most vulnerable or, alternatively, if we do find ourselves in a situation where we do need to call up for a private reserve, have those people be a part of that natural talent pool that you would tap?

So I want to hit a couple more of the questions that we're seeing in the chat here. So this is going to go, let's just go round robin on it. We've created a new branch of the military, Space Command, Space Force. It should have been command in my own personal opinion. So is there a need to create a new military service on the cyber side?

We've got it, we've got it. Cyber Command, the question is whether it's strong enough. There are about 6,000 people. One of our recommendations is that the Pentagon do an analysis of whether that's enough. The commander of Cyber Command is Paul Nakasone, who's also the head of the NSA. Traditionally, those have been two different jobs held by the same person, so-called dual-hat arrangement.
Whether that is sensible going on into the future is something that's debated practically every year, but we do have Cyber Command. I personally don't think it's strong enough. I mean, this raises a sort of fundamental question of are we fighting the last war? Are we preparing for a war that is unlikely to take place in terms of guns and missiles and ships and airplanes and not sufficiently preparing for what is, I think, more likely the next war, which will be bits and bytes?

So, Representative Gallagher, I'm gonna put that in a two-part question. And one, should we have cyber as a separate service, given that we did so for space? Why would we have a space one and not a cyber one? And second, dual hat or not, should we continue with the current double structure of the leadership within NSA?

Well, so, first of all, it should have been Space Corps and it should have been subordinate to the Navy. It's fundamentally a naval mission. Look no further than the rank structure in Star Trek. It's Captain Jean-Luc Picard. I mean, these are Navy ranks, so I rest my case on that. I agree with what Angus said about it's less a matter of creating, you know, a new service than it is. I mean, it's hard to create two new services in less than a decade than it is adequately resourcing Cyber Command, giving new acquisition and budget authorities to Cyber Command and seeing what the new force structure assessment comes out with. We, for example, are recommending allowing existing agencies to do threat hunting on defense industrial base networks, allowing CISA to do threat hunting on .gov networks in the way Cybercom can do it on .mil networks. So I think it's, we sort of took the approach of taking what we have right now and elevating and empowering existing agencies rather than creating a bunch of new ones. As for the dual-hat question, very controversial, but we've asked DOD to tell us where it has met certain expectations, you know, and where it hasn't.
And so I'm punting on that one politically right now. Look, if I have my choice, I'd put Paul Nakasone in charge of several other parts of the government. I mean, he's one of the most talented people that we have.

I will not punt on it. I do not believe that Space Force was needed if we were gonna create a new service that should have been on the cyber side given that the space issue was mostly, was an acquisitions problem versus cyber. It was everything from acquisitions to it's highly operational. Also, if you're gonna talk about creating a new service that means a whole new service culture and the like and clearly as we're going back to the human side, cyber is one where having a very different culture makes a lot more sense than space given that despite all the advertising, no one from Space Force is going into space anytime soon versus the cyber side, they're all operational. And so having a very different identity promotion and the like made more sense. And I also think we should split the dual hat that having a simultaneous head of NSA and Cyber Command is like having the same person be general manager of the Patriots and coach of the Celtics. They're two different games. Even so, even if you have a talented person and sorry for Representative Gallagher, I didn't use the idea of having the same general manager and coach reference for the Packers because we saw how that went previously.

Well, it worked under Lombardi, he had full authority for all of that.

Many, many generations back. So let's jump into, I think we've got time for one last question. And actually we'll ping off of on the Packers side. So there is a saying that if you have two good quarterbacks, you actually have none, which is something about to play out in terms of draft strategy there.
So in terms of priorities, of all the different priorities that have been set out there, all the different actions that could be taken, what do each of you think is the most important single thing that ought to be done in terms of US policy? So what is the one, so for the members of the commission you had 80, what's the most important thing that you think should be done? Nicole, you've just finished up a book, you clearly had lots of ideas. What's the single most thing out of that? So Senator King, why don't you start us out?

I'm gonna modify the question a bit by saying the two most important things. I think the first is one that we really haven't discussed at all. And that is the establishment of a clear articulated public doctrine of deterrence. Right now, our adversaries essentially pay no price for attacking us. They, you know, some sanctions here or there, but there's no cost imposed for an attack beneath the level of a physical attack. And I think that's the problem. I mean, that's why we keep, they keep coming after us. Why wouldn't they? It's cheap. Putin can pay 8,000 hackers for the price of one jet fighter. And there's no deterrence. I want the people in the Politburo to say, gee, if we do this, if we go after those American elections, some bad things are liable to happen to us and maybe we ought to not do that. In other words, I want them to know there's a cost imposed. So that's number one. I think there needs to be a clear, establishment, establish of a deterrent posture. It's not the same as nuclear deterrence, but in the realm of if you do this, something bad will happen. Number two is the organization, the National Cyber Director. I think one of their problems right now is the sort of incoherent structure that we have. One of my principles of management is messy organization produces messy policy. And right now there's no central driving force.
And so I think a National Cyber Director, not with a huge office, but with an opportunity to coordinate, oversee the other agencies. Those are the two things that I think are the most important of all the things that we talked about.

And how optimistic are you about that making it into the NDAA?

Well, there's a placeholder in the committee. We voted last week and there is a provision that talks about the National Cyber Director, but it's literally a placeholder so that there can be further discussions with Mike Rounds, who's the chair of the Cyber Subcommittee with the administration. So essentially we're still working on it. I'm really hopeful. You know, I'm not gonna put a percentage on it, but it's so logical. And as I think Mike mentioned earlier, we have strong support, for example, from Ron Johnson, the Republican chair of the Homeland Security Committee. He believes this is important too. So I'm hopeful and basically it's gonna be persuading the administration, I think. And this isn't about President Trump. This is about any president. This is a favor to the president, giving them someone that they can hold accountable in this area. So I think there's a reasonable shot at it. As far as the declaratory deterrent policy, again, that's really up to the administration and the president. Congress can talk about those things, but ultimately the executive has to promulgate what our strategy is.

Representative Gallagher?

Well, I agree with everything Angus said, but maybe just to kind of add to that, if you get the organization piece right, I mean, the goal is for a better organized federal government to do better public-private collaboration, right? Because in cyber, the federal government, I would argue, is not the main effort. It is the supporting effort. And as Angus alluded to before, most of our critical infrastructure is in the private space.
And so I really think that some of the most important recommendations are all of those in a report that aim at elevating and empowering CISA. CISA is not a household name like NSA or Cybercom, but CISA is supposed to be that interface with the private sector. The private sector's preferred collaborating partner. And I think if we can get that piece right, if we can make CISA cool, not that it isn't right now, I think better public-private collaboration flows from that small part of reorganization that we're recommending.

Nicole?

Well, and I'll just add to my point. I mean, I think a lot of people have had a lot of skepticism about Homeland Security being the agency charged with our defense in many ways. But I think over the last few years, CISA, I think people have put their skepticism aside. I think Chris Krebs has done a really great job and a good job being the face of that agency and coming from Microsoft, being able to recruit more people from the technical community where he needs them. So just I'll throw him a bone on this Zoom meeting. But I think a lot of people really roll their eyes when they think about regulation being the answer to all our digital problems right now. And I roll my eyes sometimes too. But I think one thing that really surprised me in my own research that I think would be really helpful to provide for some of this is there was a global vulnerability report that was done about almost 10 years ago now by some academic researchers. And they just looked at country by country. What are the countries that are most secure in terms of their cybersecurity? And I think the metric they used was what percent of attacks on its machines are successful. And the safest country in the world is Norway. So Norway is extremely digitized. But what they have on us is they have made digital literacy and cybersecurity core to their curriculum, which I know is in your report. They have also, they have a master plan. They have a cybersecurity master plan.
They update it every year based on current threats. And it does things like the things we've been trying to pass through legislation unsuccessfully for the last decade. It identifies critical infrastructure. It sets up mandatory requirements for those critical infrastructure operators. There are liabilities and fines for critical infrastructure operators who do not meet that bar. It requires them to go through basic common sense things like penetration testing and to use encryption and multi-factor authentication. And it's not rocket science, but Norway is the safest country in the world when it comes to cybersecurity. And then another really useful case study they did was actually Japan, which over the course of one year upped its cybersecurity score by something astronomical, like 50%. And what they saw when they looked at what was the difference that year was Japan came up with a similar master plan for cybersecurity. And they really put a lot of effort into digital literacy, cybersecurity training, both in the public and private sector, fines. They were the only national cybersecurity policy to mention the word air-gapping. They put a lot of emphasis on setting up perimeters, non-digitized perimeters around some of their core critical infrastructure. And this is something we could easily do here. We just unfortunately have a lot of strong lobbies and lobbyists who've argued that some of these really basic things that we would require from our critical infrastructure operators are too burdensome on the private sector. And that's just nonsense at this point. When you look at the cost of cyber attacks related to terrorism these days, the cost of cyber attacks is now by some estimates in the trillions, whereas we see the cost of terrorism going down.
So it's time to really focus on this issue and think about what we're losing in terms of intellectual property and business every day from cyber attacks and ransomware attacks and intellectual property theft. So yes, master plan, look at what some of these other countries have done and implemented here.

So I'll close by, I think it brings this full circle. For me it's to, in that master plan, go after the risks that you identified in your answer to the very first question, which is a particular focus on Internet of Things. Essentially, my feel is that we are recreating almost all the mistakes that we made with internet security when it was the last generation in terms of it being used for communication. We're basically recreating all of those mistakes as the internet alters into an Internet of Things where it's about operation. And the numbers tend to back that up when it comes to how little security we are baking in because of this absence of requirements. I mean, one study found that 98% of IoT traffic is unencrypted and 57% of the devices out there right now are vulnerable to medium to high level threat. And as we play out in the Burn-In book, but also we can steer the audience to a new infographic that we have on the New America website. You, it basically lays out 10 different ways that you could hack the city of Washington DC by going after a number of these different IoT elements that we've talked about in the discussion today, whether it's smart homes, whether it's the move into having drones, whether it's trains to water treatment plants. The reference of what Israel suffered in the last week, someone going after a system and targeting the chlorine levels. I can tell you from actually having done the research, if you think that the small towns and small businesses that do water treatment upriver on the Potomac have better cybersecurity than the Israeli government, they've got really, really bad news for you.
And so we, in my sense, we need to, we're baking in vulnerability right now that we're gonna regret for the next 15 years, much like played out with the last 15 years related to cybersecurity. So I'd love us to get on top of that. This has been just a fun, rich conversation. We've hit on so many different topics. So I wanna thank again all the attendees who joined us, but in particular, our distinguished panel Hill. Thank you very much for giving up your time to have this conversation with us and to everybody out there, stay well.