
Natl Cyber Director Discusses Cybersecurity Infrastructure | CSPAN | June 10, 2022 8:13am-9:12am EDT

8:13 am
it on the c-span now mobile app or wherever you get your podcasts. >> c-span is your unfiltered view of government. we are funded by these television companies and more, including midco. >> midco supports c-span as a public service along with these other television providers, giving you a front row seat to democracy. >> now, national cyber director chris inglis discusses u.s. cyber infrastructure and resiliency. this is part of a conversation hosted by the center on cyber and technology innovation at the foundation for defense of democracies.
8:14 am
it's about an hour. >> hello. i am samantha ravich, chair of the center on cyber and technology innovation here at the foundation for defense of democracies. thank you so much for joining us. for more than a decade, report after report has documented the growing number of unfilled cyber positions both in u.s. government and nationwide while offering strategies and recommendations to address the shortfall that often goes north,
8:15 am
the secretary of defense has stated that the pentagon is in desperate need, desperately short of people with cyber skills in all services, and we have to address it. that was in 2010, and that was secretary of defense robert gates. and that was one year after cybercom was created, and that's when amazon had a workforce totaling 34,000. last year it had a workforce of 1.6 million people. so the need has gone up, and the difficulty in attracting people has gone up as well. the congressionally mandated cyberspace solarium commission, which i will call csc, published a white paper on the workforce in september 2020 identifying barriers that were stymieing existing workforce efforts. these barriers include a lack of centralized leadership, insufficient coordination across the federal government, a nonexistent federal strategy to guide priorities and resources,
8:16 am
and ineffective organizational structures, which all combined to limit the potential of the very programs designed to strengthen and diversify the federal and national cyber workforce. no clear focal point for interagency coordination existed at the time of the commission's report, but the july 2021 arrival of the first national cyber director, or ncd, has created a new opportunity to overcome these pervasive barriers. to continue and build upon the work of the solarium commission, the commissioners recently established csc 2.0, whose experts published a thorough report looking at how the national cyber director could lead the federal departments and agencies in growing and strengthening the federal cyber workforce. the report recognizes that in many cases the ncd will need legislative support, so it also
8:17 am
recommends actions that congress can take to support federal efforts to grow the cyber workforce. these actions include extending the federal cyber workforce data collection act, establishing a federal cyber workforce development institute, and authorizing a federal excepted cyber service. while these recommendations focus on the federal cyber workforce, the national workforce is also drawing from the same community of professionals, so the approaches must address those. the report outlines actions that private sector leaders can take to support national cyber workforce development more generally. we are fortunate today to have two very relevant leaders and experts on that exact issue. first, i am pleased to introduce chris inglis, the inaugural national cyber director. he was confirmed less than one year ago and came from teaching at the u.s. naval academy and
8:18 am
serving as a fellow commissioner on the cyberspace solarium commission. prior, he was a security leader, rising to deputy director of nsa. he also flew c-130s and retired from the air force reserve. we also have mark montgomery, one of the authors of the report i mentioned on cyber workforce issues. he is senior director of the center on cyber and technology innovation at fdd and served as executive director for the past three years. prior to that, he worked for senator john mccain on the armed services committee and served in the navy for 32 years, retiring as an admiral. a few quick words about fdd before we start. fdd is a nonpartisan research institute, exclusively focused on national security and foreign policy. fdd houses three centers on american power that promote the use of all instruments of american power and produce
8:19 am
actionable research and develop policy options to strengthen u.s. national security. fdd proudly accepts no funds from foreign governments or corporations. for more information on our work, visit our website at fdd.org. you can also follow us on twitter at @fdd. the csc 2.0 project's workforce paper is available at cyberspacesolarium.org. chris, it is great you are here. since you left to become national cyber director, it has been about 11 months. you are probably running a startup in the white house. maybe take a few minutes and tell us how that is going. chris: in a word, good. there is a joke that goes with that, and i will not complete it,
8:20 am
but it has been about 11 months. first, let me say how grateful i am for this venue and for the cyberspace solarium commission 2.0. i am a fan of 1.0. you might say i am a byproduct of 1.0. that foundation has been extremely useful to us. in terms of how it is going, i am a big fan of form should follow function. in this case, we stuck the form in place and tried to figure out, what would that form do? what would the national cyber director do? so we have been working hard the last year to establish principles that would underpin that. first and foremost, i think we, and when i say that, the federal government, and a growing consortium between federal government, state, local and private sector, i think we can say that we agree cyber is more than technology. the fact we are having a discussion about the people component today reflects that it is far more than technology. there are three dimensions,
8:21 am
technology, but there are also roles and responsibilities. solarium addresses a lot of that, but we have been working on that. and then there is the people piece. think about those in the reverse order, and when we think about the creation of the national cyber director, we are giving due to the technology piece, but focusing on the latter two pieces. having said that, we began to put life forces in play: how do we get a better definition of responsibilities? that is what i am accountable for, getting the roles and responsibilities right, not just across the federal government but the larger ecosystem. finally, how do we get those doctrines and those roles and responsibilities properly supported by the people piece of that? that i think is a work in progress. i am delighted to discuss that today. we established a solid
8:22 am
foundation of roles and responsibilities. we need to make sure we fill those roles and responsibilities with people whose skills are up to speed. in that regard, i sent you a preview of my own remarks: i think we should be concerned about the jobs that have cyber or i.t. in the title that go unfilled. there was a lot of focus on that, only 550,000 within the u.s. what we should be equally and perhaps more concerned with is everybody who plays a role in cybersecurity, everybody: does everybody have the skills they need to take full advantage of cyberspace? the vast majority of us are not digital natives but apt natives, and we need to make sure we have the skills necessary to take full advantage of the positive aspects of cyberspace. that is an all problem, and we have to make sure everyone has the skills necessary while we focus on filling the jobs that have cyber or i.t. in the title. how is it going? i think well. those are problems that only we can share and solve, as opposed
8:23 am
to pointing to some poor soul in the corner and saying they have got to solve that. samantha: just to follow up, at the office of the national cyber director, how are you doing on staffing? chris: in a word, good. i remember some reporter, a really good reporter, and i won't mention them by name, but they were poking me pretty hard, saying, how many people do you have, what authorities do you have, and what have you done today? literally the first week i was there. we were not appropriated, and the money showed up in november. i would rather talk about where we are going. we are going to double it, double it again, and we were eight at that time. they said, how many is that now? i said, do the math. but we are not 40. we are on the high end of 95 to 100. in a cyber world where you do operations, that is a small organization, but that's not our
8:24 am
job. we're the coach, not the quarterback. we are not micromanaging cyber operations. we are making sure that roles complement one another, that all those parties have the resources they need to do the proper job on the field. within the white house, an organization of 90, 95 people is going to be huge. and we have given reality to that. we have a workforce education initiative that comprises 1/5 of this organization. we have a focus on software, supply chain, all those things that you would say are the foundational building blocks necessary to ensure that the roles are proper, that we properly have the pieces in that system, and our principal modality is to work with them. i think we are in a really good place that way. samantha: let's turn to the issue at hand, the workforce report, the challenges that the federal workforce in cyberspace
8:25 am
is facing. mark, you wrote a terrific report about the challenges of recruiting and finding talent, of training, developing, retaining. give us a sense of the challenges and the size of them. mark: thanks. first, i want to acknowledge the core writer of this, who was a terrific part of the csc 2.0 and 1.0 teams, and i am happy she moved on to the department of treasury, where she helps the government more directly. this is a challenging problem. i could go all the way back to 1999, when i worked for dick clarke on the national security council and we wrote a national infrastructure assurance plan and laid out big tasks. the government solidly achieved three out of 10 in 22 years, and even at the most progressive schools, 30 is not a passing
8:26 am
grade, so the government has a lot of work to do. and they are working hard. there is a group with technology and commerce, and, you know, they are doing great work trying to figure out how to code jobs and what skill sets go with what jobs, and they have done a great job with that. there is a great team at the national science foundation, which i am sure we will talk about. there are good people working in education and training areas, and good people at opm, although they are drowning slightly, and there are good people sprinkled throughout the federal government. the reality is, the overall progress, that is not enough to overcome the barriers we are facing. the number one barrier that we identified is the lack of data. government cannot make good decisions without good data.
8:27 am
we all understand that. despite the fact that we actually have a legal, you know, a statute saying collect the data, we do not have good data. and there are a lot of things responsible for that: the provisions are not written perfectly, and even as written, it is being ignored or carried out inconsistently among the 101 federal agencies. so that lack of data is critical. and normally, any military person would say it is a lack of leadership, but if you don't have data, it does not matter if you have leadership. once you have that data, you need strategic leadership. someone at the white house has to be the head, and not as the hand of god. chris: i think that makes me god, so i have to be very careful. mark: the national cyber director will talk about that, but -- and he is the coach, to use his own analogy. the next thing we are missing is
8:28 am
a quarterback. we don't have coordination among the federal agencies, and that coordination should be led by opm. much like, i think, chris called them, his quarterback for the federal cyber workforce is going to be at opm, and it is not there. there is no one there standing. there's more likely heinicke than brady. the federal government cannot get its head around the fact that sometimes a job is about experience and not about master's degrees and bachelor's degrees. so understanding that the person you need may not have a bachelor's degree, but they need to be a gs-12 or 13 as you hire them. those kinds of barriers really hit, and the final thing is, it will all lead into a diversity
8:29 am
traffic jam. what i mean by that is there is a significant diversity problem in our workforce. the most egregious example is among women, who are only 21% to 24% of our federal cyber workforce and only 11% to 15% of our federal cyber workforce leaders. those numbers are unacceptable as we look forward. i think that is the big challenge that chris, or whoever is the hand of god, is going to face in this. chris: as the right hand of god. mark: right hand of god. samantha: mark put a lot on your plate. first of all, do you see the challenges the way that mark and the report laid out? chris: i broadly agree with his framing. i would start with: there are impressive pieces and components, not least in the private sector, but
8:30 am
what mark cited in the federal government. you have the national initiative for cybersecurity education, nice, the national science foundation cybercorps scholarship for service, the centers for academic excellence, the cyber talent management system, all are pretty interesting. they could make an even higher kind of leveraged difference if they were connected to some larger strategy. what is missing is not so much the piece parts. there is more to be done there. what is missing is the strategy. we would use that strategy to figure out how to use them and amplify their efforts, not within the stovepipes but broader across the federal government, and joint, arm in arm with the private sector, so the government can solve its end of the problem. you cannot filter one out of the pool, but you have to solve the national problem. if not, something even bigger. in that regard i would do two things. first, actually have a strategy that defines what is missing.
8:31 am
then make use of the parts already there and connect them to that strategy. and the strategy needs to be driven by data, by someone accountable for using that data to define the strategy and then driving that execution across all those parts. i think if we were to do that, we could make rapid progress and find ourselves re-examining everything. i don't think we have appealed to a broad enough population. i don't think we have a diverse enough talent pool thinking, can i play a role in this? we have not balanced that aspiration to the destination by tracking people along that progress. we have misspecified the destination. sometimes you require a bachelor's degree when what is really required are critical thinking skills, not that they are divorced from one another. but let's think creatively about what we need and more broadly about where we can get that, and manage the space in the middle with all the excellent programs. strategy and data are going to be that thing that connects all of us together. samantha: so, mark, i mean, you
8:32 am
guys cut right to the chase with the title of the report, workforce development agenda for the national cyber director. when we look back on the reports that have been written and the people who have been involved in this for decades, many of the pieces have been there for decades, and people are very frustrated that the problem is growing and staggering, and people want things done. you cut right to the chase with your title, workforce development agenda for the national cyber director. what do you think that national cyber director specifically should be doing? mark: first, i would like to acknowledge the napa team and karen for an excellent report. there is a lot of violent agreement on what is wrong. i want to agree with everything chris said about how he sees his job, data and strategy. if you left it there, that would
8:33 am
be a success. i would add in budget oversight, which is, i am hoping, the relationship that the national cyber director built with the office of management and budget, where chris is so connected as the national cyber director as well, that they will have the opportunity to look at the individual agency budgets in a lot of ways. one is, are you spending enough on your workforce? there is no surprise, the answer is going to be, if you don't have cyber in the name of your agency, it is likely that the answer to are you spending enough is no. and i will exempt the department of defense because they have unlimited pockets, but for the 101 federal civilian departments and agencies, the vast majority, when it comes to budget crunch time, does the department of agriculture buy more food inspectors? they buy the food inspectors because that is in the job jar
8:34 am
that the cabinet member sees, so it takes omb, and by extension with omb, overriding them. i would add that in, but i agree on the strategy. i will assume for a moment that the national cyber director writes the national cyber strategy. and then we will say there should be annexes, and this workforce annex goes right in there, because, as you said, chris, there are three legs to this tripod to success, technology, adopting policy, and personnel, so having an annex on personnel or a national workforce strategy for the federal cybersecurity workforce would be really helpful. i am excited. those are recommendations. chris: this reminds me of why i missed working alongside you so much. let me give the larger context for the office of the national cyber director. we put out a statement of intent in october, and it was about more than the workforce, but the workforce is at the core.
8:35 am
it laid out four broad responsibilities for the national cyber director by mutual agreement of all the parties who are involved in this. first and foremost, to drive it within the federal government and between the federal government and stakeholders in the larger cyber ecosystem, so private-public collaboration and natural extensions of that. two, to focus on future resilience, which is about inherent resilience in people, doctrine and technology, and i think likely in that order has got to be the priority. we can defend technology to our purpose if we get those roles right. if you don't know your responsibilities, and people don't have well-defined skills, it is a fool's errand to try to get that alone right. it is about getting the rest of the events. we can do that if we think through the properties of the system and what they should be, and the people properties.
8:36 am
the third responsibility is performance assessment. we need to understand whether all of the applications of time and material and roles and responsibilities are stuck in the middle and delivering results we find acceptable or preferable, and it will take a fairly broad brush to do that. i consider whether the roles and responsibilities and skills that people have are up to snuff and then use that, not simply to make reports for vicarious purposes, but to then drive the implementation of our budgets, time, and attention to get closer to that. there has been a fourth piece, which we will be accountable for, which is the details of implementation to oversee the roles and responsibilities, but when you add them up and you consider that people are at the core of two of the three dimensions of cyberspace, doctrine and literal people skills, that gives a context in which we can define strategy, whether it is called strategy or
8:37 am
it is the implementation of it broadly, and we can make the progress necessary to have the data and to have the kind of material necessary to make use of all those good parts. samantha: there is another actor involved in making all this work, congress. mark, your and laura's report calls out specific legislative and potential recommendations for congress. maybe you could summarize some. mark: thanks. one of the successes, 1.0 was successful broadly, and one reason was that we wrote legislation early on. some of our congressional leaders, representatives langevin and gallagher, and senator king, you know, told us, hey, we do not want recommendations, we want legislative provisions that are tied to recommendations, and i think you two as commissioners would agree that that was really critical to
8:38 am
our success. and so, one of the things we try to do in this report is continue that tradition in csc 2.0. we've done some water provisions recently, and in this one, we have some workforce provisions. so we do have some recommendations for congress. we have three specific legislative provisions. one's reasonably easy, two will be hard, and then we have some appropriations recommendations. but in the legislative provisions, the first one, the one that really has to be done, is we have to extend and amend the federal cybersecurity workforce assessment act. that's the one that directs data collection. it will actually sunset soon, and then our poor data collection will dribble down to zero data collection if we're not careful. at least, you know, legally dictated data collection. and i think we can help the national cyber director in his role as a coach if we can extend that, i think at least out to 2027, and probably have to extend it again after that. but also amend it, because one of the things that's missing is any
8:39 am
kind of forethought. it doesn't say, what are you going to need three to five years from now or two to three years from now in your federal cybersecurity workforce? and as we all know, things like the national science foundation scholarship for service aren't hiring this year's workers, they are hiring three-years-from-now workers, right. and most of our programs and hiring programs take two, three, four years, so we really need to understand that. so the first thing is amend and extend that provision. the second is one where we have to figure out how to -- i used to say how you go from apprentice to journeyman, but now i think the right terminology in the government is how do you go from entry-level to mid-career? and it can't be that we're poaching people, you know, from other agencies or from the private sector. that doesn't work for us. we need to grow our people, and to grow our people we need to have a training environment to do that in. and so, we recommend a federal cyber development institute. it's not brick and mortar, it's where you go while you're working for the government to
8:40 am
get job skill sets and to get certifications to move on. and i think that's probably harder than the extend and amend of the previous act, but it's probably doable. the third one is the rosetta stone; if we can crack this, we're really going to understand the system. and that's that we really do have to come up with a new hiring mechanism. we're recommending a cyber excepted service. we give three different options to the national cyber director to work on; obviously, he can go off of that sheet and come up with a fourth or fifth. but the one that'll really make the most difference, the one that's really helped dod, is having a cyber excepted service. this'll be tough; there will be people who fight this both in congress and in, you know, federal government organizations. and it's going to cost money, but i think no one ever thought fixing the federal cybersecurity workforce was going to be a cheap endeavor. and i think having a federal cyber excepted service is probably the key. i do want to mention a couple of appropriations. we do need to bump up the national science foundation's scholarship for service program.
8:41 am
right now it's cruising in around 55 to 65 million every year over the last two to three years. that's producing about 400 workers a year. and they're popular. i know they're popular because at the matching fairs that they do in the spring, nsa and cia are the two organizations taking the most people. and they can hire anybody, and they come and hire these kids, so i know they're the right ones. but we've got to get that scholarship for service up to about 1,000 graduates a year. it's currently at 82 colleges, universities, and community colleges. it needs to be spread to a few more. nsa's identified, i think, 370 schools through the cae program. so we know there's schools to go to. and i really strongly push this rotc-like program over other initiatives. there's one in congress now on a cyber defense -- digital cyber academy or digital service academy. i think this is a real mistake. first of all, a brick-and-mortar
8:42 am
institute is going to take us years to build and suck money, but second, it's not going to contribute to the private sector, right. when we run these scholarship for service programs, rotc-like ones, at 80 to 100 to 120 private universities, many more than our graduates -- than the people we take into the federal service -- are benefiting from the professors we fund at those schools. you know, we're producing two- or three-fold numbers of workers going directly into the private workforce. so we really have to kill this idea of a digital service academy and move forward with full funding for the scholarship for service program. and there's a few other appropriations i'd do, and they're in the report, but i think those are the big ones. samantha: yeah, that's fantastic. and the level of specificity that mark and laura put into the report can really show you why cyberspace solarium, csc 1.0, was as successful as it was, because it's based on the specificity of making the recommendation real. so chris, let me get you to comment at least on a couple of
8:43 am
the recommendations that mark just spoke about, specifically the cyber workforce development institute and the government-wide excepted cyber service, and any of the other ones that you'd like to comment on. chris: i'll talk about those things specifically, but let me just talk more generally about what i think are three broad aspects that underpin mark's remarks, all of which i think have some sensible and actionable recommendations inside of them. there are three kinds of stretches where initiatives go to die. first is this kind of stretch that i call aspiration to destination. we all know how many jobs we'd like to fill, but there aren't any vehicles, or many vehicles, that would essentially take that aspiration and meaningfully assist folks to get from that, hey, i'd sure like to vie for one of those jobs, to get them into one of those jobs. people who show up today at the
8:44 am
front door of a government organization with a bachelor of science in computer science but no experience in hand typically are turned away, because we say you've got to have the experience. we need to figure out how we actually do the internships, the co-ops, right, the cyber clinics to get them that experience, to get them from aspiration to destination. so more flexibility, and more investment in that actual stretch along that first kind of part of the highway. second, once they get in, the game is not over, right? we have all this poaching going on, so we don't have career tracking where we continue to make the investments in those people and continue to make them feel like they're part of a larger community of interest. and so, we need to bring those barriers down between the various kinds of entities that would hire these people. and we need to also kind of make sure we're investing in them not just to get them to that initial job but throughout their careers. i worked at nsa for 28 years. i had what looked from the outside world to be nine very different jobs, but i was always an nsa employee. i always felt like i was along a single career track. so how do we take computer kind of personnel, i.t. personnel, cyber personnel and give them that sense that they have a very rich career field in front of them and they're not being poached from job to job but rather they're being progressed
8:45 am
from job to job and getting all the stronger as they make their way from one responsibility to the next? and so in that regard, something that actually cuts horizontally across the federal government, i think, will be extremely valuable. finally, to mark's point about, you know, these institutions that might then assist in that regard, we have to make sure that those institutions, whether it's a service academy that i was a beneficiary of, need to have a parent -- they need to have a parent service that says, "i'm the person or the party that will kind of ensure that i have a sense as to what the standards and the requirements are for whatever this service is set up to do, and i will then employ, right, what then becomes of that." if you lack either of those two dimensions, it's probably a good idea in the corner; lacking the parent that would actually define the requirements or then accept and employ, right, the beneficiaries who kind of derive their education from that institution, they'll fail. rotc programs essentially do something that's magic in the middle, which is they actually kind of take the resources from a parent that says, "hey, if you
8:46 am
make these investments, i will hire the result. i'll just be that instrument in the middle," but they've solved the problem by actually marrying that aspiration to destination. we need to make sure that we do that. samantha: mark, if i'm not mistaken, the deficit shortfall in the federal cyber workforce kind of tracks with what we're seeing, you know, in the private sector cyber workforce. i'm wondering if you learned anything during the research for the writing of this report on the federal stuff that can actually illuminate, you know, a way forward on the private sector side? mark: you know, you're exactly right. i mean, it's mathematically a very similar problem. about 70% of the jobs are filled, about 30% or 35% of the jobs are empty, by cyberseek, which -- while the numbers may not be exactly right, i think the general trends are correct in that data. and they're struggling too. there's a lot of poaching going on in the private sector. this failure to develop from entry level to mid-career really
8:47 am
exists just as heavily there. and so we've got to figure out how to incentivize the movement, you know, of people from entry-level to mid-career. chris talked about incentivizing, getting them right in the entry level. i think that's true too with the apprenticeships. i want to give a shout out -- microsoft's got a good program they're working on with community colleges. they advertise a pretty big number, like maybe $20 billion with it; i suspect that that's a lot of intellectual property being counted a few times. but they're certainly sharing a ton of curriculum and data with a thousand community colleges. i cannot tell you how important this is. and there are other programs doing this. you know, there's other opportunities out there for certification and job training programs that specifically target entry-level cyber skills and the movement from entry-level to mid-career, when you've gotten the experience, and we need to acknowledge
8:48 am
those, support them, and ensure that they are being replicated throughout the country. ibm's got a program they're working with historically black colleges and universities -- i think it's successful as well. but we've got to get it so that at particularly at the community college level, kids are leaving, graduates are leaving with the certificates they need and experience from an internship, which is -- or a work study program that would be -- you know, that would be highly useful in transitioning into a full time job. so i think they're the same problems, i think they probably have a little more flexibility around pay and hiring than the federal government does. i mean, who doesn't have more flexibility in hiring than the federal government? but i think they still face the same challenges. samantha: yeah, they may also have a little bit more flexibility in terms of where they get their workforce from -- all due respect to -- to mr. musk, i think people aren't going back to the office as much
8:49 am
in the private sector, in this space. they can get now people from around the world to fill their employee roles. so maybe it'll open up more ability for the federal government to recruit since the private sector can recruit from a larger pool, but we shall see. look, before we turn it over to the audience to ask their questions, i wanted to ask chris about an issue that is near and dear to my heart. on the cyberspace solarium commission, we recommended and it was approved in the national defense -- 2021 national defense authorization act -- which is continuity of the economy planning, or cote -- continuity of the economy planning -- which looks at how do we prepare for and recover from a major cyber attack that rolls across our economy, not just targeting one organization, one sector, but
8:50 am
multiple at the same time. so how is it going? the act -- you know, legislated, as you know, that the administration was providing a plan by the end of 2022, which is rapidly approaching. chris: yeah, so i must admit that my horizons have been expanded a bit since i was on the solarium commission. now, when i first thought about that continuity of the economy assignment, i thought about it almost entirely through the cyber lens. of course, there are many hazards that kind of hold an economy at risk -- or many resources, both materiel and often digital infrastructure and virtual that are required to actually make a kind of an economy run smoothly. and so you have to actually have a broader kind of lens to look at that through than cyber or -- cyber alone. so it's not something that has fallen naturally to the office of the national cyber director. it falls more naturally to the cybersecurity and infrastructure security agency, working hand in glove with what's called pound resilience, but the national security council component that worries broadly about societal functions.
8:51 am
and so they've now got that and are working their way through that to try to determine how do you actually cut across all of those critical activities that constitute a viable, running economy? i think when we're all done, you'll look at that and say, "that was about far more than cyber, about what it takes to get that done, and it's frankly more about the horizontal than it is about any particular vertical." samantha: well, we will stand by to see what is rolled out. so i think we're going to take some questions from the audience. yes? >> that's correct. we will have a question-and-answer period right now. if you will raise your hand, we'll identify you and then ask you to stand up, introduce yourself, and then ask the question. >> thanks. sam visner with mitre and the space isac. always good to see you, chris, mark, samantha.
8:52 am
an observation not so much as a question, but whatever can be done to bring good, young people into government and give them something meaningful to do. as you know, i am an adjunct at georgetown. i've sent my students to the executive branch, to the military, to the ic and to the hill. and it's pretty much a dog's breakfast. occasionally, they will come back and say, "you know, i've had something interesting to do." some have come back and said, "it's a toxic work environment, i don't want to stay there a moment longer." one left the federal government to take a job for more in the $60,000 private sector but would have stayed in the government for the mission if the work environment had been suitable. what can we do to provide an environment in which these people are not locked into "well, it's -- you're a gs-7, gs-8 for the next few years, you have to do something meaningful before we decide -- meaningless before you can something worth your time?" these are people who are highly motivated, they want the mission, they want to contribute
8:53 am
to the mission, they want to be part of something larger than themselves, and they don't essentially want to be locked in the basement eating gray meatloaf as a gs-8 for the first four years of their careers. so hopefully we can find a way not only to develop the workforce by getting these people on board, but to develop the workforce by giving them something meaningful to do so that they stay on board and continue to contribute. thank you. chris: i'll take the first point, ok, just -- only because, sam, you had a lot to say about it because i don't like gray meatloaf any more than mark does, all right? mark: yes. the -- first, you did have a student come work for us here at fdd, hopefully they came back with positive thoughts. >> they did. mark: ok, good. so look, agreed that it's tough -- it's -- you see this in the military, you've entered -- you don't enter as a lieutenant colonel, you enter as an ensign or second lieutenant. and you have the -- chris: a few ensigns become lieutenant colonels. mark: yes, there you go, that's true, fair enough, yes. and then maybe the space force
8:54 am
someday. but i would say that the key to this is having what chris described as nine jobs within nsa that felt different, i felt the same way in the navy -- i was a navy officer, had about 14 assignments, only one or two were the same. they were vastly different every time. we're starting to see that. there is a cyber workforce, there's an act that has just passed that's going to allow some movement between agencies. i think that's the beginning of it. there are different ways in the federal government to get job satisfaction and to get that psychic pay that covers down for the slight loss in physical pay that you might experience as a federal government employee, but i think having some movement between jobs will be good for the government employee, but also be good for the agencies as you get cross-pollination of ideas between different agencies. so i'm hoping we're going to tackle that. it's certainly a concern, and whether there's a toxic work environment is probably point by point and that should be solved at the place it's at. but the idea of having some flexibility in your job movement is a good one and one that congress has started, and we're
8:55 am
going to have to see how this pilot program goes and see if we could push it fully into the federal workforce. chris: i subscribe to your general thesis, which is that culture should be our principal focus as opposed to being beholden to the administrative aspects of it. we're always going to follow the law, we're always going to follow administrative procedures within the extent of the law. but i have never been in an organization where i was compelled to essentially bend, right, to the strictures of a particular kind of role assignment or the strictures of some gradations. i've always been in an organization which had the authority to install culture and to hire not employees but owners, to give them a full piece of that responsibility on day one, to let them make a difference on day one. and frankly at nsa, which -- that's the majority of my work life experience -- we never had a problem with retention of the kind that is broadly described across cyber circles now. our retention was on average about three and a half percent
8:56 am
to 5% attrition, meaning everybody else stayed, which was unnaturally low for an organization that has to turn over every 20 to 25 years. why was that? it wasn't because we had swell parking, we did not. it wasn't because we had the best color in the world, we had lurid green inside of our hallways. it wasn't because we had this wonderful pay system, we were gs kind of pay. it was because we gave people feedback and said you can make a difference on your first day. here's the feedback associated with that, and when we did that, those people would come and stay and stay and stay. so i take the point that it's about the culture that should not be beholden or subordinate to the administrative system. ultimately that form should follow the function, but we need to drive the function first. >> hi, there. sean lyngaas with cnn. thanks for doing this. chris, i wanted to get your response, as you know, general nakasone, this week, confirmed that cyber command has taken the full spectrum operations in support of ukraine. i'm wondering a couple things. first of all, have you all seen any response from russia in
8:57 am
cyberspace to that activity? and more broadly, are you concerned at all that the russians might see rightly or wrongly those activities as escalatory, given we've seen everyone and their mother participate in cyber operations in ukraine. there's been hacktivists, there's been people using u.s. infrastructure that might be -- opens up the door to misattribution. what can -- what's being done to make sure that isn't misinterpreted? thanks. chris: yeah, i can't speak to any russian reaction associated with those remarks. or for that matter, any operations that may or may not be taking place in cyberspace. but let me address what paul nakasone -- what general nakasone said. the white house affirmed those remarks i think as recently as yesterday, in saying he's correct in what he said, which was not in any way, shape or form breathless. it was just a statement of fact. the statement of fact was that cyber is an instrument of power. and to the degree that we're applying many instruments of
8:58 am
power to assist in the defense of ukraine, cyber is one of those instruments of power used in our -- from our perspective in a defensive kind of modality. meaning that while they might impose effects or have kind of -- might make a difference to the receiving end of that, whether it's financial sanctions, whether it's lethal materiel applied kind of in military ways across the ukraine, what we're trying to do is to assist the defense of the ukrainian people, right. and i think that cyber then, as an instrument of power, can and should play a role in that. that's what i heard paul nakasone say. and i haven't heard anything that -- from that day forward. a couple days ago i would say it's been provocative. most people that i think understand the nature of this domain have said that makes sense and anything less than that wouldn't. mark: if i could pick up on that, it reminds us that this cyber capacity building, which we're effectively now doing -- apparently doing after the war
8:59 am
starts, it's also something that we should focus on left of boom, you know, before the crisis and, you know, in ukraine specifically like we had usaid run a program for four years doing cyber capacity building, about $39 million. there's fingerprints of cybercom doing, maybe not defend forward operations, but support to the ukrainians and the time leading up to the conflict, which now has been acknowledged by general nakasone. so, it's those efforts -- that cyber capacity building for our key allies and partners who can't afford it themselves. so, probably not for the u.k., but for countries like ukraine, georgia, taiwan, you know, that we should be thinking about these things left of boom and making those deterrent investments at the same time that we make the ones right of boom. >> next question. >> next question here. >> i'm derek johnson with sc media. mark, you mention a law that we're going to need to extend
9:00 am
and reform. i didn't catch it, in order to kind of address this problem. >> yes. >> and you said that you expect pushback in congress from some of the bureaucracy about that. can you talk about that a little bit more in terms of what kind of pushback you're expecting, and then, if you are chris can just talk about how you kind of navigate to this issue, where you're trying to jump for elevating the boards of cyber hiring while kind of dealing with all these agencies who, you know, without diminishing the roles or jobs the kind of others do we think are also important, how are you all sort of navigating that issue? and amend of the federal cybersecurity workforce assessment act will get too much pushback. it's just getting it and finding the right vehicle to get it done. sometimes the problem isn't anyone opposes it, it's that the process is cumbersome to do something like that. so, we have to find the right vehicle, you know, whether it's the ndaa, national defense
9:01 am
authorization act or another one. >> so i'm hoping that will get done. some of the other ones, having a digital work force developmental institute or cyber type of service, those will get pushback. the way this should be worked is through the appropriate congressional committees and used to always tell the three of us, we need-- my big issue we need one big one in the house and senate and roll our heads back, you're never going to get that. we put a floor amendment in killed in 30 minutes, which was a speed record for killing a floor amendment, but the idea of one cyber committee would make this easy. we don't have one cyber committee, but i would start in
9:02 am
oversight and homeland, and senate and government affairs. congressman maloney critical for getting the national cyber done with the support of jim and jerry connolly has done a great job working on opm and general, and john katko from the republican side committee of homeland security. you get those kinds of voices talking about this, we might be able to get the second two pieces of legislation done and in the senate, senator peters and portman have been bipartisan how to tackle things. if this can get on their agenda, they'll deal with it. the problem is they have a long agenda of things to get done in cyber this summer and fall and you can imagine not too many legislative vehicles moving through town. so, if we can't get it prioritized and into the national defense authorization act, it will take a year. that extension cannot take a year, we need to extend and amend that act this year so that's the one you'll probably see the biggest push on from the leaders and it's really
9:03 am
bipartisan and bicameral. >> you've asked that's on the radar screens of decision makers. you have to look at broadly, that they're not indelible or discretionary, or hand off to the people with cyber and i.t. and saying this is your problem and job, this makes the thing work. and why do we say not discretionary, the def-con he would look at why do race cars have bigger brakes so they can go faster. why do we have cyber? >> so we can do the things that organizations and societies choose to do with infrastructure. it's not discretionary --
9:04 am
discretionary. broadly whether you have inherent resilience in your documents, who is accountable for what, people skills, we've had a long discussion about that and of course, technology needs to be inherently robust. to mark's point we need to get to the left of that. and we have to look at the systems that we deploy for the purposes we use them. and finally what will result in that is not an inherently secure, perfectly secure system. that would be lovely, but none of these systems are. they always have some frailty, some kind of fraught nature attendant to them because people are inside of them making choices all day and what is going to encounter that, we can't have we'll do this, and
9:05 am
we need to be collaborative inside the system and doctrine in a collaborative sense and that can change our fortunes in cyber space. only if the leaders say this is no longer delegated to the side. >> we're coming up over a year since the executive order was put out and now we're coming into the limitation phase. i want to find out, chris inglis, how you're involved in that and see that moving forward helping the government become more secure. >> first, you're talking executive order 1420a may of
9:06 am
2021, just over a year now and i think that that has been, in a word, boldly successful, why? because it declared that the federal government was going to make a fairly significant commitment to the foundational attributes that any digital infrastructure should have for inherent robustness. the percentage of systems that have met the specified kind of requirements that everyone has to have multi-factor, and encryption for data at rest and so on, and so forth. and technical mechanisms in there. we've made significant progress in that regard. and the 100% might not be the right goal and some systems don't warrant that and they don't have a public attack surface or have compensating controls that we don't use
9:07 am
those in ways that are security relevant. that being said, the first and foremost, we fundamentally commit to doing things so that we have an inherently resilient and robust architecture and it's the department heads and agency heads that are accountable for that. and to ensure that we're tracking those statistics and drive those to a conclusion and entirely appropriate given the needs of the system and the threat that we're up against. kind of a preview that we won't be tracking executive order, 14208 forever, that we've already got to go to supersede that. using 14208 as the foundation, that first cut of what right looks like, now let's go further and let's add a zero trust architecture which has some specifically assigned attributes associated with it
9:08 am
and plan across the fiscal cycle which goes two, three years into the future, with detail, tell us how you're planning for that, how your budget is associated with that and we'll look at the superset of things in the executive order. >> we've got time for one more quick question before some wrap-up comments, perhaps. >> and adam, biocredit future. thank you both for your time today. i wanted to ask about a lot of attention has been given to russia and cyber crime, but it's not the only threat. yesterday, fbi director wray talked about the threat from china hackers and that that country's cyber operations were bigger than all other countries combined, i would assume not bigger than the u.s. i want to ask if the u.s. government has seen an increase from cyber threats from china, especially in relationship to taiwan or any sort of posturing in that area and if so, what's
9:09 am
being done about that? >> well, first i say with respect to china-- >> (inaudible) >> thank you, katrina. i know you've spoken before, director inglis, about. mcs13 anl understanding when that's coming out and a follow-up on the general's remarks and your response to them, when you talk about cyber and instruments of power in ukraine, are you seeing those operations as solely taking place on ukrainian networks or is that going further, is that an instrument of power maybe americans with their fingers on those particular cyber tools? >> give me a lot of choices, that's like eight questions inside of all of that, all good questions, let me start with the first question, the denominator when you think
9:10 am
about anything china, the denominator is large, a population in excess of a billion and any commitment of some portion of that population to that, it's going to be big. i don't see a diminishment, but we do remain concerned about china's disinformation, surveillance that they would do for non-- for purposes that we would find nonsecurity relevant, that is not those things that actually aid and abet stability of nations or kind of the interactions of various nations. we're very concerned about that so therefore, while we're focused on the clear and present danger that is kind of obvious in the ukraine, we have to keep our eye on that larger set of activities and certainly china remains in that.
9:11 am
and in the administration did review that, it's not four or five years hence, its original introduction four years hence. and let's take a look at that in terms of what its purposes are and what the sop's would be, is it doing what we expect the way we've expected. >> we're now leaving this taped program for a health oversight and reform committee hearing on humanitarian in ukraine. the grave crisis that's having cascading effects past ukraine's border, yemen, syria and somalia. roughly one third of ukraine's entire population have been forcibly displaced from their homes during more than 100 days of war. united nations officf