Go to school. That joint measure of our goal together and individual work is what so inspiring and what is aspiring when we see everybody here together at the conference. So its exciting to be here. Thank you. Thank you for the conversation today. Thank you for your service. And thank you for being on the front lines of our nation and bringing us together in this important fight. It was an honor to be with you today and thank you for the honor of joining us today. So good to be here. Good morning, everyone, i hope you are able to get caffeine in your systems, get your blood flowing. I do to cknowled good morning, every i want to knowledge all the media that has been with us for the last four days. We really appreciate all your coverage and all youve done for us. Thank you for being here. We would like to follow the fireside conversation by taking a more indepth look at the future of cyber. For our next session, 2024 and beyond, the hard road ahead, we have invited a distinguished group of experts to look at the topic or multiple lenses. Moderating the discussion will be rene nguyen, former cio nasa and our featured speaker for this conversation are dave frederick, assistant Deputy Director for china, National Security agency. Eric goldstein, executive assistant director for cybersecurity, cfd sza. Retired Lieutenant General dean fogarty. Senior executive adviser. And andrew adviser and technologies. Formally coo cia. And dave richardson, Vice President of product and Point Security lookout. Please join me in a pleasant welcoming our speakers. Wow,. I hope you have shaken off the,. Malaise of being in a conference all week and talking t good morning, everybody. Hope you shaken off the malaise of being in a conference all week. I hope youre using your devices as we are a cybersecurity conference. Thats always a good thing. The road ahead, insert it you got that at the front desk. Good morning, everybody. Its great to see you. Given the Rapid Advances in technology and the ever shifting Political Economic and environmental landscapes, the future of cyberthreat world is sure to change. This group of experts will explore how this future will likely impact cybersecurity and things to think about in order to keep up and we might go back to some of those oldfashioned human factor problems that will lie ahead in the future as they are here with us today. So, gentlemen, this is a all play so everybody gets to answer and hopefully you will sort yourselves out. If not, i will help you if it is necessary looking beyond cybersecurity, what big shifts are happening in the world that will change how we should be thinking about the Digital World and protect it . Versatile, its a pleasure to be here. With this group of professionals. I think as we look at the way ahead, i am forecasting out a little bit, the things that concern me the most, demographic shifts, particularly in the global south, lots of opportunity, but lots of challenges there. I think supply chains are increasingly becoming an issue. If you think about restrictions that we placed on transfer of technology to the prc, there will be a fortat there. I think we have had the opportunity to purchase a lot of raw material from them, things that are very vital for everything from moving to electric vehicles to building cell phones. So, no supply chains will have to be reconstituted and that will require significant hat investment. Then, i think that things we cant predict. Social, economic, political and cultural factors that are really going to drive this, but we have to watch it and i think this is where if you go back to the comments from earlier this morning and start with the other comments, the key is partnerships. It is foreign partners, inner Agency Partners within the u. S. Government, its commercial partners, its partnership with academia that give us an Early Warning and we never seemed to predict these things exactly right. But, that will be the critical aspect of getting through this. Thank you. To build on steves answer, i think one of the things that we should look at thats happening in real time is we are watching a digitally enabled army to take on an analog army. And we are seeing the digital army winning. We dont know how this will end and overwhelming force may win at the end, but there are a lot of lessons here beyond the battlefield lessons about what a 21stcentury capability can do against the clearly 20thcentury capability. Beyond us improving and becoming better, i think there is also others were paying attention to the sensing that david can take on goliath and maybe win. I think it changes the defense dynamic broadly in the National Security dynamic as people watch us unfold. Thank you. Eric. Its wonderful to be here. At such a privilege to be on the stage. If we look at the cybersecurity ecosystem, i think at this point, we can fairly say it is defined by a constantly actors who seek shared goals, shared norms in cyberspace, freedom, openness, resilience and some seek the inverse and then there is the middle and there are organizations and countries that are in many ways as yet undecided about what the future of the internet, the Global Digital commons, should look like. One of our broad challenges which apply to cybersecurity that not only cybersecurity is how do we in the United States convey that positive affirmative message of the internet of network Tech Knowledge ease as being an ecosystem that enables growth, enables prosperity, enables freedom of expression, and that cyberinsecure cybersecurity is because right now, there are two many places around the world and the issue of supply chains, where there are countries who are attempting to make inroads in entering into commercial agreements and, supplychain dominance in a way that undermines our collective global interest in seeking a world where small Democratic Values are the norm and are enabled by security and resilience at scale and it is up to all of us in this community to convey cybersecurity not only as an approach to protection, but as a positive vision to advance the values in the future that we seek. Just be he represents a Critical Infrastructure so, those are important remarks. Based on the interconnectedness and dependency on, lets say, electricity and clean water. Anyway, dave. Its great to be back. When i was here last year, i was in cybercommittees executive director and i am in a new role as the assistant debbie director. Eric and i did not coordinate on our comments, but i want to build up on some key points he made. Starting with this focus on the prc. We really assess that the prc and the competition between the prc and the United States and allies will be the defining issue for the next generation. What we are seeing happened today with the prc is that they are exporting Digital Government model designs to improve and support authoritarianism and increase their global influence. I think that is an area in the u. S. And our partners will have to work very hard at to counter and provide positive options especially in the global south and other regions. Another area where i think competition between the United States and prc will be critically important is intactnology standards. We have to work closely in close cooperation with our Form Partners to effectively engage in standards both for the base of Telecommunications Standards that we are focusing on today but we need to think about emerging issues and standards related to Artificial Intelligence and other emerging technologies. We are sort of innate trade war of sorts with them and what does that mean for supplychain that we are also accustomed to having on the less expensive side and what does that mean and how do you make shifts. We are talking about a huge Economic Impact both on the Positive Side and on the negative side as well. Very thoughtful remarks. I want to build on what you are talking around Artificial Intelligence. There has been a lot of discussion already around Artificial Intelligence, but that is essentially lowering the skill gap are both good actors and bad actors. It becomes so simple these days to generate compelling automated attacks whether that be phishing emails or fishing websites but sophisticated exploit chains and those kinds of things. Where that used to be something that required highly skilled individuals to be put in a very dedicated effort. These days, you can buy a phishing kit online. Its even simpler than that with the rise of Artificial Intelligence but there is a flipside as well. Its a tool that can be used for good and used for sorting through massive amounts of data and finding anomalies and things like that. Something that needs to be embraced by organizations, as it was mentioned earlier, an attacker only needs to be right once and the defender, you need to be right all the time. In order to successfully defend your organization. I think Artificial Intelligence is a big one. The other big one is post quantum encryption. If you think about a world that is five years away or a month away, who knows these days, there will be a world where encrypted data stores will all be given enough time and enough money and can be broken so organizations did you think about where your data lives and who has access to it even if it is encrypted. Because there is a clock on that and someday someone will be able to get access to that data. Excellent. Thank you for that. We were in the green room preparing, you mentioned that theres a pretty important vulnerability out there right now that perhaps our audience might benefit from hearing about. Sure. Absolutely. If you havent seen the news, late last night, citizen lab sent out a vulnerability disclosure around a new exploit chains in the wild called blass pass. Its a affecting all apple device out there and this is a pretty scary exploit chains so basically what can happen if someone can send you through i message whats called a pass kit file which is basically like your boarding pass for your flight later or Something Like that. And your phone automatically parses that when it arrives to generate an image in a pretty thumbnail and the act of parsing that can exploit your device. Remotely. So, you could receive and item from an unknown number, you dont even have to look at it or open it, or see it, or know that even happen, and then your device can become compromised remotely and infected with advanced spyware like pegasus. This is found in the wild apple put out a patch last night for all apple devices and iphones, ipads, et cetera, and you should get that update as soon as possible. Its very, very important. And these are the modern kinds of threats that exist these days where your phone can be in your pocket and you can get a text message and it is not compromised and the attacker, first thing they do is delete that text message and notification and you dont even know what happened. Somebody is living in your phone and watching everything thats happening in there. Thank you so much for that. Also, remember, a friend is not going to send you tickets to taylor swift. Just keep that straight. That is also audience participation. Make a note, not until we are done in 27 40. Pay attention to these guys. They are talking beyond now. All right. There seems to be an emerging conflict between developing technologies focused on decentralization and traditional political and economic entities. Wanting to Leverage Technology for control. How does this play out . Steve, why dont you get us started. Absolutely. This is nothing new and not emerging. It is a constant, i think, for all of us. Particularly those working or have been on the government side and have worked the government side and now that i flipped over to the commercial side, its a very interesting viewpoint. What you realizes you are working towards the same thing. But the value systems and value chains might be different. So, you think about what i think a lot of people would look at is web 3. 0. Or web 3. Block chain. So, that becomes as popular discussion and i fall along the molly white viewpoint which is its a bunch of scammers, a bunch of hucksters, budget people that are out there and what is the Value Proposition . So, that is one example of where you can be i think there are other examples, use of a. I. Generative a. I. Quantum, either computing for power or for encryption to protect encryption. So, you have the Tech Knowledge ease that will come and go. I think they said it very well. In 2018, the issues and concerns they were facing are not the same ones they are facing today. Part of that is change and technology. So, where i am at on this right now is that tension can be useful and i think it is not just government, not just big business, and the little guy that are out there. There are a variety of factors well beyond the technology. Sometimes we jump into the technology and i think its important to look at some of the other fact years. There are social factors, there are economic factors, there are political factors. There are cultural factors. The discussions we are having in the u. S. Where you might have in the european union, you might have in another place in the world may be very different than the discussion you will have in china. Or in russia. So, this tension between freedom and oversight or compliance or regulation actually, i think, is very valuable. You will have some people who are pushing the limits and sometimes they get themselves in trouble quickly. They always either one to look for someone to bail them out, or there is another group that are rapidly exploiting gaps in regulation and oversight and compliance. So, there is a role for both the government to be involved in this space, a role on the commercial side and certainly there will be a very loud political, increasingly more political role in this. So, i think where we have to be at the end of this is, again, clear communication, very Good Partnership between the people deploying the Tech Knowledge ease and the government the technologies and the government and i think it is getting expertise to understand the technologies, understanding the effects and most relaxing most recently you think about the release of chatgpt and it created this firestorm and i am sure the Big Companies pulling the capabilities didnt foresee that visceral reaction was going to be. I know the government is still trying to sort out that we what is the role of government in this space. So, the question i think, tension is always going to be there and that is actually okay, thats what im saying. Thank you, c. Eric. We are in the middle of what is an interesting and dangerous period. I characterize it as both a deepening and broadening of cybersecurity risk. On the broadening, weve been talking for a while about the democratization of the cyberthreat manifested tangibly by the ransomware ecosystem. Where youre able to rent without any training and launch attacks on victims of your choosing and even leverage brokers to get access to victims in order to execute your malicious intent. If we combine an ecosystem of that nature with the increasing ubiquity of regenerative ia, we are further reducing the floor to launch damaging intrusions and democratizing the availability to actors who have malicious intent but no capability. Now, all you need is the intent and a little bit of money. Combine that with what we also see which is the deepening of some of our apex adversaries and the advisory that we released on prc living off the land which is extraordinarily challenging trend line and now instead of using traditional malware and commandandcontrol infrastructure detectable by the cybersecurity tools we all know and love, it will not work anymore for actors using these techniques. You need to understand the activity on your network to such a granular degree that you can detect anomalies that indicate that adversaries are using legitimate tools, Network Management tools used by your administrators, but for malicious intent and to gain and sustain persistence. If we see this at an intersection, democratization and advancing sophistication, what does that mean . We would it means in the first instance, a focus on resilience and the fact that our goal is detect, prevent, respond in every context, we will never succeed because we will never keep every adversary out of every Network Every time. What we can do is make the investment to me to make sure when our adversaries gain access, we ideally find them quickly but limit their ability to cause harm on american organizations and the american people. That is a bit of a cultural shift because it takes us outside of the traditional cybersecurity box and becomes more of a business issue and Business Continuity issue, but that is where we need to be. What we encourage is we are a little bit preaching to the converted but lets try to get out into the broader world and speak with the Business Community so the Resilience Community of how we can join these disciplines and make the investments before they are needed. Thank you so much. How about you, dave. Im so, the i think the part i would reinforce, kind of really off of erics point is an area, a trend that has been very positive is the relationship, the partnership between government and private sector. I think there is still a lot of room to get better, but when i reflect back on when i first came out of the intelligent side of nsa and started focusing on cyberand cybersecurity in 2016 time frame, it has improved so much. And we are continuing to work on that and align the work of private sector firms with the cybersecurity industry and with government support. I think it will be critical to deal with these longerterm trends. The other piece i would like to how do we have it effective conversations with Business Leaders with investment in cybersecurity . There is financial uncertainty, Economic Uncertainty and risks of people pulling back but how can cybersecurity have an effective conversation with Business Leaders about risk and make sure we are not too much in the geek speak mode and making the case in trying to keep the foot on the gas in terms of deeper improvements to network and hygiene resiliency through investments. Recognizing this is so, how do we get through that . I dont envy that the folks that have to make those cases in wrestling with the cost, but i do think work like we are doing in the government with the advisories is helpful in the sense that we are trying to communicate some of these risks to a broad audience and not keeping it in the family anymore. I see that as a major change across the inner agency and with our Form Partners. Over the last few years it has been very positive for the whole community. I want to remind folks, as we talk about our external threats, you might as well think your internal threats and more complex environments. Your Insider Threats are just as complex and as hard to catch and monitor, but some of the things we talked about can be turned inside to find maybe anomalous behaviors downloading at 3 00 a. M. When you are on the east coast and you know they didnt have a newborn. Right . You can say, okay, i think thats a little awkward there on that one. So, as we move towards Renewable Energy sources, the need to attach more devices to our connected Digital Space opens more area of attack, more surface area to attack. How do we think better about security at the edge. Eric i will start with you. It is, i think, a truism that securing an enterprise environment is just getting more complex by the day. Whether it is bringing your own device or mobility or whether it is cloud and hybrid are the complexity for a given organization is really challenging and for a small or Medium Organization is practically impossible. Where we need to focus as a community is how do we help organizations simplify and help organizations prioritize. I think we have seen really exciting work in the vulnerable eat management space to help organizations say, you know, if you try to address every vulnerability or misconfiguration on your network, you will not succeed if you focus only on critical high vulnerabilities, you will probably miss allocated resources. How can we help you identify the smallest number of vulnerabilities to focus on some of the smallest number of controls to deploy and test, to achieve the broadest out of it . For telling organizations, here are 200 controls and 10,000 vulnerabilities, they are not going to achieve the goal. At cisa, we are looking at this in a few ways. We need us to sync with the steps that a small or Medium Organization can take to achieve the most Risk Reduction by cost complexity and impact but also help the organization focus on what are those vulnerabilities that are actually being exploited in the wild and the likelihood of being in the wild. Lets start there and then build out but it is reasonable to note that mature organizations have a Vulnerability Management program where they are able to triage and prioritize sought enterprise risks, the vast majority of organizations dont. How can we make their lives easier and relieve them of the burden and focus on what matters most. I think that is a excellent point. Those closest to it can also time Vulnerability Management and should there be a freeze on your Network Updates for missions, since i work in nasa lunches and stuff like that. Having that program and knowing when you can do it, not just if you can come up but went because sometimes when is just as important as doing it. Thank you so much, eric. Dr. We are talking about the edge. I first want to build on that Vulnerability Management point because i was talking earlier about this vulnerability and these vulnerabilities, when they first come out, then nation state level, actors know how to exploit them, but months later, anyone knows how to exploit them. There is a time line and to give a concrete example, prior webkit exploit chain called trident was used to infect devices with pegasus and malware. It was a series of three exploits and webkit to compromise a device from a single click that same exploit chain is if you look up a Youtube Video or how to jailbreak your nintendo switch, it is the same exploit chain. That exploit chain ones from nationstate to kitty, to literal kids using it to pirate games on their nintendo switch. In the course of nine months. This is, its important that you also think about the time line on vulnerabilities and getting those in understanding what needs to be done day zero and what needs to be done day 30. All of these things that are remotely exploitable need to get caught up in patched. On the point of edge, coming back to back, security has always been the pendulum that swings from secured network, secure the edge, centralized, decentralized, kind of swings back and forth. I think the right answer is, of course, all of the above. All the good best practices that we all know and these days, they talk about this idea of cybersecurity mesh architecture and that these things need to be in communication with one another and you your as devices need to understand their own state but you also need to understand all the egress and ingress from your network and if you are thinking about like Renewable Energy and these modern sources and electric vehicles, these are basically data centers on wheels. They probably have more in common with the tablet that drives her car. I have more in common with an ipad then they do a Combustion Engine vehicle that you would have bought a decade ago. So, there is a completely different model these days and, of course, you need to think about, how do i secure that device from all angles . Excellent. A tip i heard about the nintendo switch, if the third grader spells phishing , that is not a spelling error. A. I. And Machine Learning. They appear to be creating a new environment for such things as over trusting technology. And increased potential for deception and misinformation. What are some of the implications you see as a. I. Begins to reach its full potential . I want to remind you guys, a. I. And ml are already on mars in the rovers that are up there right now. So, we have already punted on another planet. Lets talk about earth and how we can really capitalize on a i hear. So, dave, why dont you get us started. First of all, i want to note, i was worried when dave brought up this next point that we would lose the whole audience. I was glad you asked everybody to hang in there for 27 minutes. It takes about 27 minutes to do the update. Or engage the audience. So, i am sure for folks who have ted tended this conference the whole week, they have heard about a. I. And i will pivot back to my main focus which is the prc with both an example, recent example, and i look to the future. As one example, in 2022, on a major u. S. Platform, and an enemy was able to run a completely fake news entity through a number of a. I. Generated videos called wolf news which unsurprisingly was prochina communist party. I think as an example, if you are if we have an adversary who can take advantage of a major u. S. Platform or some period of time, that is the kind of tip of the iceberg on where this is going to go. The work on regulatory frameworks, how do we handle deepfakes . How is the u. S. Going to look at sending setting some standards on dealing with fake media. We need innovation and detection of deepfakes and i think it will open up a whole range of challenges and enable low enable malign information and disinformation operations but will enable our adversaries to do more propaganda effectively across multiple language barriers. If you think about chinas efforts to shape the information environment globally, certainly we would expect many nationstates to take advantage of the strong capabilities to be more effective in their propaganda campaigns. We will watch that really closely. I think there is a lot of work ahead for the whole community on grappling with this challenge of a. I. And getting the right framework in place. It strengthens and falls but gives some boundaries for the Tech Knowledge ease technologies. Andy. In it to build on that, when i joined cia, i spent a lot of time and effort trying to understand soviet denial and deception. They were very good at it. But that is childs play compared to what exists today. So, that is going to be an enormous effort. To be able to tilt real from fake, which can be cutesy about your favorite celebrity, but when youre making National Security decisions based on information, you have to be able to tell real from ache. Look, on the a. I. Front, lets look at analyst. Your favorite three Letter Agency is trying to make sense of the world for policymakers. What we use computers for for the longest time was to be a sieve and we put a bunch of information there, shake it around, and it would allow me to look at the stuff i need to see so i could help inform a policymaker that doesnt work anymore because that sieve is still a mountain of information. Now i have to rely on something that i dont understand, which is true for most people, to draw conclusions and show me the conclusions so i can figure out how to make sense of the world that puts the onus on someone doing this and trying to make sense of the world for a policymaker to understand how that thing works. Because otherwise, do you trust it or not trusted . At the same time, you have an adversary who is trying to fool it by inserting information it cant detect as fake and offering up to you. It becomes this spy versus spy game with an everchanging environment and a constant reason to keep turning on a. I. Your a. I. Has to get better than the a. I. That is there to fully and as someone trying to make sense of the world, you will have to be able to Say Something is wrong with this a. I. Something is not working right. Because i am first of all, the idea that it will take over is bs. To my its mindnumbing to me that smart people think this will take over. It will never replace a human being. I just dont that ever happening. But it is a very valuable tool. And i dont think we can go forward without using it as a tool. It is saying, i dont trust a thing called an automobile, so i will continue to ride my horse. Right . Its not going to work for very long. We have to move to this a. I. Enabled world but i think it will require almost an Education Campaign for people to understand what it can do and cant do and proclivities are and where i can go wrong and how it can go wrong. It opens up a whole another realm for people to understand as they try to make sense of the world. Excellent. Thank you for that. D. R. Just to add onto that a little bit, another factor that people need to think about when it comes to these publicly available regenerative a. I. Tools, how are they training the stata and is it training on your data . Is it training on your organizations data . Do you have the right policies and things in place and controls in place to make sure you are not accidentally feeding information that it is learning on and continuing to get better on. And actually proprietary information that should not get out there. That is one factor that you should think about what the other is the inverse of this deepfake thing which is a world where you dont trust anything. Right . Where you can just accuse any evidence as being fake and anything you see as being fake and any, whether there is an audio phone call or video, or Something Like that, it is all fake. It can be fake at some point, but the authenticity verification have to go on both sides and like youre going to need tools to build authentic verifiable video. Authentic verifiable photos. Authentic verifiable that this came from a legitimate source, which will mean mart metadata, more Additional Details and other factors and of course, adversaries will also try to fake and fill all of this in. To try to us to a place where it is like we can try to sift out what is real and what is fake. So, i am also worried about the flipside where anything can be accused of being fake at the end of the day. Excellent points. We are coming to the end which i thought went incredibly rapidly. And there were so many nuggets including a spelling opportunity for you provided here and a psa for your apple products which you can do upon conclusion of this event. Right . But i want to summarize, i think, what some of the key points are in our connected world. And that is resilience being resilience and its deeper now and far more broad. Then it was even probably a couple years ago. Partnerships are key, whether it is a partnership with a cyberprofessional or your mission or your business entities. Partnerships with your boards and others in the private sector. And between the private sector and government keeping this country safe. Cyberis an enabler, not a prevention. It is here to protect you. It enables the business and enables the mission and it helps you address reputational risk, right . You dont want to be that apple product that just corrupted your phone that you live by. So that supply chain, supply chain is more complex than it was and if we go and move towards Renewable Energy, those materials we need, there is a geopolitical complexity associated with the modern world and the world about the come. A. I. , ml, great opportunities left and people like me will still have jobs. Thank you, andy, that it will stay in the loop here. And it is on other planets, so was already done that. We will watch mars and see what happens there and if they find water and creatures, we will see what happens there. Being protected in a post quantum encryption world is steadily coming in 24 and beyond. Remember, the threat actors, the big apex hunters, are still out there. But the emerging actors, its easier to get into the game to attack you, your business, and your government. So, with that, remember to update your apple product and have a safe journey. Fantastic panel. It is becoming increasingly obvious that they can be better informed by leveraging those who are taking a more proactive approach to countering the threats. In our next session, helpful spectrum cyberoperations enable each other, we hope to offer you ways in which the u. S. Government is working to enable more direct interaction between the two groups. Moderating this panel is senior Vice President booz allen. Joining him is timothy , sr. And andy boyd, former director for the center for cyberintelligence cia and nicholas whole, deputy to the cyber please join me in applause and welcoming the panel to the stage. Trying to our panelists for being here and those who are still here on friday morning. We were just talking backstage and i think we are on cspan. Just a great discussion to have around fullspectrum. I wanted to start with the statement, a hypothesis statement, that will undergird our discussion today. I will read it is to braille in conflict, competition, and pisces. The whole of our Community Must cyberreparations faster and more effectively. That is the he pot hypothesis. You can imagine when we got together on the phone, one of the first request was to define spectrum. This conversation could go a lot of ways it shouldnt and isnt allowed to in this environment. The panel has defined full spectrum to mean the full capabilities and partnerships required to address all the threats across the full spectrum of National Power. Still a pretty broad definition we can work with. So, jumping into things, and the national cyberstrategy, we have identified the need for more integration to disrupt and dismantle threat actors. It states that we will use all instruments in National Power to that aim. Military, canada, nonkinetic, intel, law enforcement. I wanted to start the first set of questions, nick and andy, too cute, i want to get your point of view on how we are thinking about these requirements. When we think about what is emotion today, to achieve this vision, where are we and how are we thinking about those requirements, i would like to start with you and andy and you and tim as well. Great. First off, thank you to the great human hair at billington for having us and giving me the opportunity to talk about the great work that the men and women of the force are doing every day as we persistently engage adversaries to defend the nation. I think its about partnerships. When we look at the scope and scale of the threats we face, in all domains, particularly cyberspace, you cant do it alone. It takes strong partnerships between the department of defense, Intelligence Community, other arms of the u. S. Government and with industry. Industry maintains billions of endpoints and networks around the world and that is where the threats services and that is where the attacks services. How do we Work Together with industry to take what we know and what we are doing in the government, share with industry and learn from what they are doing and the best practices. Share Threat Intelligence back and forth so together we can really confront and defeat these adversaries. Andy . I like to use the metaphor on how we executed the war and terraces 9 11 because sometimes we look at cyberas if it is a new environment and in a lot of ways its not. After 9 11, it took a couple years, 18 months, two years to get the Community Integrated in a sense that was relevant for countering the terrorist threat globally. When it all started, the Intel Community and special Ops Community and regular military were doing their own thing but over time we integrated. I think we are further along on that and we were 23 years ago on the ct fight where the Intel Community, the title x dod community, cybercommand, are well integrated. Pillar two made reference to the cyberstrategies and again, in a different context, a lot of the same instruments in National Power sharing some times, we share that across the board when it comes to cyberthreats. With dod and cisa, too. They have an International Portfolio as well but we do integrate that entire community. So, you made reference to the private sector and i think that is one thing that is vastly different than the counterterrorism fight. The private sector owns the industry and the cyberinfrastructure and we have to integrate that and that is the major difference. I think to kind of key in on both what nick and andy have said, its really a partnership and the underlying tone and responses is we are focused on a mission. The more industry can understand the missions and things, we dont do this for sport. We are developing capabilities that will see operational use and conflict and other uses and we want to make sure that the more we are closely partnered with the government, the better we are able to develop those capabilities and make them relevant for use in operations. We will come back to the capabilities in a minute. First, i want to take the conversation we are having and put it through the lens of what we have seen with the conflict in ukraine. And ask, from your point of view, what is the conflict taught us about the integration of defensive and offensive cyberand its role during wartime . Andy, did you want to start . Thats an operational example of the strategy we were talking about in the first question. I mean, we collect intelligence and cia along with other and then inform operational decisions and the rest of the government. We cant do that alone. We need our International Partners and we have had some ukrainian officials here in the conference this week and they have done an extraordinary job utilizing all the tools and power they have in ukraine to defend against the russian onslaught. We have been integral in that and the general on the first day of the conference rate trend that made reference to utilizing intelligence and sharing that intelligence across the nato partnership also with ukraine. I think that has been decisive for where we have been since february 2022. What is also decisive is engagement from American Companies and other International Companies helping the ukrainians i cannot just since february 2022, but from 2017 were the ukrainians learned a great deal on how to protect their Critical Infrastructure and protect all other government systems. I think we in the United States and across the world should learn from our ukrainian allies and the enormous capacity they have built since 2017. And prior to that. The Human Capital that they build to defend their own networks. None of that can be accomplished without the integration that we have had across the community both on the u. S. Government side, and International Partners. Nick, let me ask you through the lens of cybercommands. Looking at ukraine and the role of offensive and defensive cyberduring wartime. What is your view . I think a couple things. We have had teams on the ground in ukraine in the runup to the russian invasion until the very last days working alongside ukrainian partners to defend the year. Networks against cyberattacks. To discover threats that we are seeing on Ukraine Networks and bring us back, share them with Network Defenders inside the United States and across industry and really learn about how we can defend together against the threats. And learn how we can up demise both Government Allied partner systems and private sector systems. We found things on ukrainian networks that we share with industry and industry enrich the data and use it to defend networks here at home and then shared that information back with the ukrainians. The other thing we learned is that partnerships come from trusted you cannot you have to build trust over time. By working together and working sidebyside against common goals. So its really an investment in building those partnerships and deploying teams to defend the word with allies and the Amazing Things we can accomplish when we work with our allies. Backed by industry and backed by the government. That has been the big lesson we have learned from ukraine. If i could just add on to that. I frequently find myself explaining what cybercommand does across the spectrum to some of my colleague in the intel immunity who are less familiar with that. They may say we have an allied partner who needs help getting their act together and defending their networks and we need to hire a company to do that but i think we already have that in the u. S. Government. That gets to your point on how we integrate. I honestly think they are the greatest tools we have in our arsenal on the cyberdefense front. And building that trust and partnership across the globe. I couldnt say more about your teams. Thats really the great thing. It is really combined action against threats. It is not a Training Service that we provide. A quasicontractor, its really our operators learning how to work to other to identify and defeat common threats. Thank you. One of the in light of what we have learned, the solutions we need, but talk a little bit about, this is for the full panel, that the department of defense and Intelligence Community have the right neck and mechanisms and partnerships in data to truly be interoperable i heard you say we are more advanced and making a lot of progress, but do we truly have those or are there areas of progress we are still working on . Nick, do you want to start . I think we do. I think the problem we have is there is so much data and so much data in the attack surface is growing every day. Our adversaries are adapting and the Threat Landscape is changing at the speed of cyber. Where we use to hunt for exquisite tools, right, look for indicators of compromise with highend malware, now we are seeing prc states sought statesponsored and hiding regulatory subnetworks to operate. That is really hard to unpack. If you dont know what your network looks like at a granular level, you will never see that sort of anomalous activity. And you cant run any Antivirus Program to find it because theres no virus. I think the challenge we have and this is where there is opportunity for defensive application of a. I. And mission learning is to baseline networks and make sense of the data in the normal behaviors on networks. And help identify what is truly anomalous. What really doesnt fit even if it looks to a casual observer or practice threat hunter is something that looks normal. I think that is the challenge we are confronting now. Andy. I mean, we are swimming in threat data and then we have two very different systems. We have an enterprise system at the classified level that doesnt connect to the data lakes. I think in my opinion, the Intel Community full spectrum spanisha while space for a while. What do you think about the solutions that are being brought to the government five years ago versus now . How should we think about the right way to achieve speed, agility from a solutions standpoint. Maybe we can talk about what the Government Point of view is. Moderator Government Point of view is. I would say it is two pieces. From a technical perspective we want our offensive and defensive teams to believe theyb are at the top of their game. Having those teams Work Together and play off of one another and inform the solutions each of them are developing i think is critical as we move forward. Xp as we move forward. Xp need to be thinking differentlyv about these problems and s developing new systems with that kind of nation state level adversary in mind and going into the designs of the systems. I think for industry to answer the second part of your question is, i think we can look at those things from a contractual point of view. We talk about speed and agility. The Health Industry and government go faster to get these capabilities to mission more quickly and i think government needs to hold government accountable. There are a lot of contracting done in this space. We need to get to a more resolve space actually deliver capability that is ready to see the battlefield in mission space. They said we are not doing this for sport, we want these things to see operation and our government partners need them to succeed. So we need them to succeed. You are shaking your head. I am agreeing. S the private sector leaders, are presented here and who i have hl been speaking with throughout this conference, i think they understand thoroughly the requirements and i would presume that dod requirements as well. The talent pool and a number of the Companies Represented here is extraordinary as a talent pool. We just do not have enough. We need to make more of them. We need to make more of them. Again, i think across the board we are more fully integrated. I do agree. I manage my workforce with a ph results oriented philosophy. I think the most opart of the nt private sector has the same philosophy and as long as they hereto that it makes it easier to integrate the private sector in the mission. If everyone is dedicated to the mission and intended results of the mission, everyone has the same job satisfaction, willingness to put effort into. The mission. I think we are there for the most part. Okay. I think it is all about partnerships. It is about Building Trust through common goals, common objectives, setting those objectives together and then holding habitual relationships you Work Together. We talked about the cyber ma security collaboration center, Cyber Command has a program called under advisement where c we collaborate with Cyber Security companies in a Bidirectional Exchange of information where we bring what we learned, things like operations where we are defending with allies, what we bring, where he bring things we learned from our action with other government partners. And bounce those in realtime against Cyber Security professionals from a variety of private companies. On a really collaborative basis where we both look at common data and and go off and use that data to defend our networks. We have a velittle bit of ti left so we will ask the magic wand question. Looking at full ospectrum operations, i will start with you nick, if you could wave a magic wand and create new capability, new technology and new skill sets, a new partnership, what would that be . If you were to be able to just e prioritize one thing that would help the spectrum Operational Success to happen, what would that be . First off, if i had a magic wand i would be a lot more fun at parties. And you s. Could do tricks appear i could do tricks appear then your mom could see them on cspan. Hi mom. I think it is two things. As we look at cyber actors e increasingly living off of the land, using native commands, using native administrator techniques to do their exploitation. There is tremendous opportunity there for smarter tools that can query across commercial data and classified data right . To get those two links of data pulled together in a way that we can really find these threats. And that we can find these t threads together because it is not just Government Networks being threatened. It is la that works, partner networks, networks operated in the industry. Then the other thing, is, as weg increasingly defend forward with our allies, our allie es networks are getting more complicated as well. And our tools and hunt kids need to keep pace with the cup i of the evolving Threat Landscape and increasingly complex networks. So that is really about integrating Machine Learning out at the front end so rather h than just collecting data at the front end post processing mo it back and pushing it forward, we can do more advanced processing to find these more advanced techniques at the te front end. And initiate Immediate Response than having a mmediate response delay to push it back and push it forward again. We have nine minutes you can probably go with one more if you want. If i had a magic wand, we would have of the human capitol coming out of undergrad programs for graduate schools with the skill sets we need, not just csa but crush the National Security spectrum in the private sector. We hire some extraordinary people, computer scientists, electrical engineers and cci but not just that, some of these folks are represented in the audience. People have an understanding of technology but maybe humanities majors and learn how to write and can brief and translate technology into operationally relevant discussions at the director of the ci l cia level. I think we have the academic programs across the country to develop, maybe not 10 x but something along those lines. I do think we need to do a better job in the u. S. Government of marketing the opportunities in the u. S. Government in the Intel Community for people with stem degrees, with nonstem degrees but an interest in technology, in particular in Cyber Technology because, if we do not, we are just not going to have enough human beings to deal with this over the next decade or two. To kind of piggyback on what you are talking about. I would say, this industry, our industry has sort of always been shortstaffed. I do not see that changing but, we are trying to come up with more innovative ways to solve that problem. One of those is trying to i call it manufacturing talent but did get preparing for but did get preparing for creating an environment where people want to come to work every day and sort of bang ay their head against the wall ande try to solve problems that are not necessarily meant to be solved. We have to create that special environment to to attract and retain talent and industry in the space in general but the second piece is leveraging all the new technologies, whether it is automation or ai or whatever it is to better enable the workforce we have to be more effective. Then, i could get to my answer, if i had a magic wand, until we can kind of solve that problem or bring it collectively together, if we could simplify the problem, there are 15 steps, whatever it is, if we i can have 14 that we could focus that much better on those 14, i think we as a collective industry, be that much more effective. Thank you. Any. Closing remarks that you all would like to make . Thank you for hosting us and giving us the opportunity to talk about these important c challenges. The comments about talent, we had to figure out how we can attract and bring out the best in every part of american society. Bring them in. Bring people in, get them the training they need, give them a meaningful work they deserve. Then, figure out how do we let people go . And bring them back . Right . Because part of being a good partner is learning what your organization looks like from the outside. Learning how industry works and how agencies work. One of those things we are t thinking about hard in Cyber Command is how do we do that . How do we leverage our alumni networks, had to make it easier for people to come back, and we leverage the tremendous talent in the National Guard and reserve components. En but, it is really great to see that happen. And to see the couple of thousand young people we have in the Cyber National mission come to work every day. And get after persistently engaging our adversaries and really defending the nation against the common threats we all face. We are fortunate to have them. I would say thank you again. I think to our collective point here, having a venue like the summit to get our message out for many years, the cia in particular is kind of a black hole, i would love to figure out how to work there but i do not know where the front door is. We have been doing elthis in other venues as well the past year or so during to get that message out that the cia should be considered an employer of choice for technologists and people interested in technology. We just have to keep getting the message not just in washington but across the country in the private sector. And academic institutions so we can get that healthy cycle of people in private sector either coming out of school directly or in the private sector are ready to want to spend time in the National Security arena and the go back to the private sector. We are trying really hard to ce accelerate the security clearance process to enable g that. We are not there reyet, we are getting there. I think it iis critical or els we will not get where we need to be from a Cyber Security perspective. I was just say thank you, it is an honor to share the stage with you this morning. Thank you for being a great moderator for as. I think the theme i feel that has come out of this panel is the message of partnership, whether it is government to government partnership, industry to government ownership. As we e rhave heard all week, t problem is not getting any easier. It will take all of us working to other together to solve it. There is a lot of opportunity in front of us. A thank you all for the time and thank you to your audience. [ applause ] every day, ts o everyday thousands of fcyber personnel work to make sure our nation is secure. With our next panel, emerging cyber leaders, we wanted to provide you with at the operational level. Our distinguished panelists make decisions everyday based on the real world events they face everyday. Monitoring byron love, associate director of Program Management joining him on stage for the discussion our director of ai, cia. Unit chief, Cyber Division fbi. The managing director of security and Lieutenant Colonel stephen , joint task force commander, Cyber National commission source. Please join me in applause in welcoming our speakers to the stage. [ applause ] good morning, everyone. As the announcer said my name is byron love, i am a Security Director at supporting the sub security and Intelligence Service business. I have been looking forward to this conversation all week. As you have heard, there has been many great speakers here at the billington conference. All at the very senior level but, Cyber Security looks different from the trenches. Where these great Cyber Security emerging leaders are performing. This morning, we will have the opportunity to hear unique perspectives on leadership from law enforcement, from the Intelligence Community, from the military and from industry. A great way to start is with introductions. I would like for Lieutenant Colonel who allowed us to call him steve today to begin and we will just move in order. I appreciate it. I have been in the army for 16 years now. Currently serving as a joint Task Commander in the Cyber NationalMission Force. A bachelors degree in computer science, masters degree in computer science. Getting to do the job i love in the army and in the Cyber NationalMission Force currently leading individuals across the United States army and United States navy to help defend the nation. I am the managing director for Customer Success at christophe. I lead a team of amazing technologists that help our federal customers achieve security outcomes with microsoft solutions. From a career perspective, i have supported some form of regulated industry throughout my entire career. , really focused on the federal government. I have been in a lot of different capacities including operating programs and serving as a to government customers. The mission, the purpose is really what calls to me and that is what i tried to install in my team as well. Think full to this panel and the team for having us here. Excited about being on stage with these amazing speakers. I am the director of ai at the cia and i started there 21 years ago. But yesterday my way through as a developer, program manager. Iran Enterprise Software development efforts. Iran Enterprise Data science into this current job which is about driving ai strategy and implementation across the enterprise. It is exciting, it is new and all of you. Who didnt hear me . [ laughter ] do i need to do . Okay. Do i need to do it again . Okay let me see if i can do exactly the same. Director of ai at the Central Intelligence agency, started 21 years ago. Started as a developer worked my way through Program Management running enterprise, i. T. Projects. Enterprise data science to include the entire management of the data science and finally into my current position as the first director of ai for the agency. Which is really about driving the agencys ai strategy and strategic implications. Good morning. Thank you for have any to speak today. I am a unit chief in the fbis Cyber Division. I have been with the fbi for about 18 years. In that time i have actually supported a couple of missions. I Counterterrorism Mission and in 2016 i went to support the fbis cyber National Security mission and in that time i have had the great opportunity to work with many here on the panel today. And our project partners and international orders. I am happy to be on this panel to talk about how we make that happen. Thank you to you all. We have some great experience and great talent here on this panel today. Lets get started with our first topic, Cyber Security challenges. Cyber security environment space, face amy reid challenges for personal shortages to tools fatigue and many others that you face that i have no idea about. What are the Biggest Challenges you face when it comes to meeting the requirements for your job . Who would like to go first . I will start it off. I think cyber is an inherently challenging domain. What you will probably hear is challenges across the entire Cyber Enterprise are not too dissimilar. When i think about advances in technology and the last five years, a rapidly involving environment and not just for us but also in my case, adversaries as well. At the Cyber NationalMission Force, really no shortage of people. A lot of people from across the military services who want to join, want to be a part of the mission and help defend the nation. Training those people and retaining them is an opportunity for us. Getting people to stay, getting them exposed to the mission is something we are able to do and help drive people to stay and be a part of it. If i could build on that. Same thing for me. A human challenge. There is a challenge, i envy the fact you do not have a shortage of people. There is a challenge of shortage. And, for context, when we build our organizations, we higher for a lot of things, to add to our culture and we hire people that are passionate about the craft, the industry, our customers outcomes. When we have the situation where we have it creates what ends up happening is, we are not going to let capacity stop us. We are not the little engine that could, we are the little engine that will. If you the wheels fall off the track. So, shortage and capacity was yesterdays problem. Today the problem is exhaustion. I think that is a big area. I think recognizing not only just our people but managers get exhausted and burned out too. I 100 agree with that. It is important that we are thinking about and their wellness and how we can support them but also get the most for our vision. I think what i am thinking about the ai cyber nexus, there is other things we are also thinking about as challenges. The Data Availability and quality. When we are working with our industry, how will we integrate any potential solution they might have into our systems, which are very unique from a former security requirements perspective, all types of activities. We also need the right talent. I think i am sure everybody in this room, we are all trying to find those official intelligence petitioners who know how to do this work. And we need to be able to do it with ethics and legal applications in mind. Those are our trying to put all of that into place, it takes time, we are still working through those issues and challenges. I could not agree more with everything everyone else has already said. Resources and management is a challenge in the fbi, we are always trying to focus on over the horizon threats and we try to write anticipatory intelligence and that means trying to do more with the same amount of resources. While also paying attention to who our consumer is which is one of the levels including the private sector and also the public in our messaging. With that in mind, burnout is a real concern. I tried to take into account that if my people want to build their career, i want to help them build their career. If that is with the cyber mission, that is great. But the fbi has a wide mission set and if they are interested in another mission set, i will support that because that tends to keep them on my team longer building the expertise whiter and further up. It seems that the Cyber Security challenges are in people and, we have heard a lot about the shortage of personnel that have the talent to operate in cyber, opening up more pappas paths to take care of them once they are there. That brings us to the next topic, the positive work culture of making Cyber Security environment a place where people want to work. And the pace of evolution of Cyber Threats is overwhelming. We are figuring out and then along comes a barracuda zero day and then oh by the way, threat actors are now using ai. It seems like it piles on top of each other. How do you build a positive work culture during stressful times when our Technical Resources are short and you have more need than money to get things done . I am happy to start. In the fbi, try to focus on the mission, the fbi Cyber Division missions it is imposing cost on the adversary. In order to keep my people focused and engaged on that mission, they have to feel like they are involved in the mission. To tell a short story, last year, i had the opportunity to deploy one of my Intelligence Analyst to albania in response to a cyber attack. So in the world of cyber intelligence, you can take the and then so that anyone can understand so that executive managers can understand it. She had the opportunity to create high levels of u. S. Government as well as government. It is those opportunities that i think are people keep people coming back because they are exciting, new and career building to get back to my earlier topic. That is why i want to build their careers. I also think that when you are kind of leading an organization, the people in the organization are looking to you to create that culture. I think it is important that you are communicating your values and your to them, whatever that may be and then you are living it. You are demonstrating it. Not only talking about it but acting it out everyday and they see it. I also think that the people in your Organization Need to feel valued. They need to feel that what they are doing matters. And they need to feel rewarded. I think, if they are seeing kind of the fruits of their labor, not only show, he see positive outcomes but then they are feeling valued for it, that start to build out a positive work culture. I will build on both of what you said. It is the same thing, it is three things for me. First, it begins with communication. That means listening to what your team has to say, it means communicating transparently and so, when you do those two things and they see were acting on what you have told them you were acting on, what you have heard from them, it builds trust. That bidirectional trust. You are executing on what we told you and you are honest with us even when we do not want to hear that answer. Just think about leaders that you followed where you felt supported like you could run through a brick wall for that person. I think it is a big part of it. Communications, clarity, you mentioned shared purpose. There is a clarity for the individual as to what role they play in the mission but there is also clarity for how that fits into the Overall Organization and makes the Mission Effective and achieve short organizations purpose. Then, recognition, absolutely recognition. I would love to say that i have infinite buckets of money you can just get out rewards and awards and those kind of things but, you also want to recognize for impact. Recognizing everyone is not recognizing anyone. Recognize when there is positive impact. Compensation does not have to be the thing. We commissioned a coin a message written in binary, our Leadership Team gave out a coin to a bunch of folks on our team. What it does is it lets the entire team see in the public forum what you value. I got a call from one of my team members about a month later, just like man, compensation is great but i want to get one of those coins. So there is different ways you can motivate your team to recognition. Absolutely. Building on what jay said, building a positive culture, those are the types of things that come to mind. Having a unit identity, a coin, colors, a model, something that people can rally behind and help identify their mission set and give more credence to what they are doing. We have a model, people first, mission always. It is more than just words. Actually meaning that we care about the people. I have found, throughout my career so far, as long as you take care of the people in your conization then the mission will follow. You will have people motivated and dedicated toward the mission. Building on before, we talked about it is easy sometimes the challenge of overwork, there is also a challenge of under work. I have seen great cultures and organizations who keep busy with the mission they have. Idle hands sometimes can drive a bad culture but keeping busy has helped improve culture. Absolutely. I am retired air force myself and we learned integrity first, service before self and excellence in all we do. And that has carried with me throughout my career because leadership comes a part of our pattern of life. That our adversaries leadership is part of our pattern of life as well. It is observable and people will mimic those behaviors. I applied you all for setting those examples for the people who follow you. You all are effective leaders which is the next topic. Each of you represent different sectors and, as a result, you bring a unique perspective to Cyber Security leadership. What is one positive thing you believe has helped you to become an effective leader. I am a lead from the front kind of person. I think it is the way i am wired. Whenever i started my career in systems implemented in, i want to do every phase of the a security engineer, an architect before i was in the capacity. For me, i think it is being able to engage with the team at every step of the process. But, not take away from them. My focus is looking at the forest through the trees and helping to set the guardrails for, are we still achieving our purpose, we still achieving our vision or strategy. This has extended into the team culture a little bit. I have this phrase i say whenever we are engaging anyone. This phrase of sat in the seat. As we engage our customers and my team comes and says hey i have this thing we are working on. I say well who on the team has sat in that seat. Other it is someone that has performed that ended capability or lift that mission of that customer. We are a Customer Service organization. Having that perspective of, have you gotten the perspective of sat in the seat. That has become part of our culture. I love what jay said about, you guide and direct, i think, you know, the ability to know how to build that team and have and bring the right people to your team that can feel your gaps. None of us as leaders can do this on our own. None of us know the right answers. None of us are on top of every part of it. The team you build is so important. To health help you feel the right gaps. Both from kind of a subject matter expertise perspective and from a culture perspective. You want it to be a positive place to work. Then i think on top of that, i think what helped every leader is, just having a curiosity and learning mindset. I think being really interested in what you are doing is a positive so that you, yourself are building some acumen and also leveraging your team in the spaces you need to. They will not always be there to answer every question. So i cannot bertans more of having team identity. Just like everyone has said. It is important so they understand what their role is in the mission. In that identifying what a winning Team Looks Like and everyone in here has said. Identifying what type of personnel need to fill those gaps. So that you can build a team that volunteers for more things. And takes on Career Opportunities to both fulfill the mission. I do not think i would have been in the position i am in now if i had said no to a lot of opportunities, i said yes to a lot of things that i was not necessarily prepared for but, it has been beneficial. And co, in that same vein it is important to bring that spirit to the teambuilding aspect. The first positive thing i want to talk about is having had leaders who allowed me to fail, to try Different Things and not been upset when they did not work. They knew, they trusted that the team could get past the initial failure and if we did not fail we probably were not really trying hard enough. I appreciated that as a positive aspect. The other was when i was just starting off my career, kind of learning the value of teamwork and what really is capable. When i was given tasks, i could easily accomplice them myself but, i had a leader pull me aside once and say the success of the unit is not whether or not you accomplish your tasks, it is whether everybody does. Now, being a leader of an organization and looking to the junior members and helping them feel the team can do much better when we Work Together and having them truly believe in that concept. And the trust that you mentioned, that has to be earned. You have to listen to your people and take action on that. I doing that, that earned trust. You want team leaders that are supporting us to have the same type of values, at least i do. And i like what you said about the delegation part of it. I had a general once teach us, a group of young officers that if something comes across your desk that is fun, then it is not for you to do. I agr agree. Everybody needs a chance to shine. They have to have their opportunities. Absolutely. We talked about the one thing that we would do on a positive perspective but, what one thing that you did while perhaps not overly positive still helped to shape how you make decisions . I do not know if i have a specific thing but, i think the thing that helps make decisions are the diversity of experiences that i have had. I think it is important, i always tell people who come and ask me like for those types of flight hey how do you do what you do . You have to build your toolbox. You have to get that diversity of experience. At a certain point, you are making decisions with limited data points. You will be called on to make those decisions. What fills in that data when you do not have data points for the experiences you have had . I think it is important to have that diversity of experience and help inform your decision making. This is kind of a personal thing but for me, i have absolute clarity on what this is because it was when i first moved into management, i really wanted to be successful. I wanted my team to be successful. It was my first opportunity. What i found is that there is a difference between being accountable for your teams success and empowering them to be accountable for their own success. It was a hard lesson because it started off with oh this is a little bit off, meet week and tune. I was helping making sure our team achieved the objective in the best way they could. It took a peer mentor of mine punching me in the gut lovingly to tell me that spending working. That was a big lesson for me. If it is rolled into how i lead and engage and manage my team right now, i will set early deadlines on things because, not to stress them out, i frame it as let your ideas on the table early but lets give ourselves times to iterate so you can be accountable for your own success. Not, i am fixing something at the end. That is a big one for me. I think a lesson for me, i was recruited into the Cyber NationalMission Force after of all things winning a hacking competition when i was not a cyber officer. When i first showed up i was a little bit arrogant. Fortunately, i had some Senior Leaders who helped me realize the value of being humble and did it in a positive way. To me, i can look at it as a negative on myself. I was bragging about these things. I have come to this organization that has this Great Mission and there are a lot of other people like that. The opportunity for mentorship there and the value of remaining humble and you know, whether it is you, people on your team or the entire organization, just kind of staying true to what youre actually doing. I think it is so important that my team understand my role in the team and not just see but understanding like on a day to day basis everyone has said, i could do the task that has been assigned but it is more important for them to do it and get those fun trips and exciting things and experiences and build their experiences to bring back to the workforce. I want them to understand they can come to me for problems and i can be the problem solver. And that i can work with them to so that everything is done in a standard way so things are accomplished in a manner to meet deadlines. I think understanding what my role is on the team. You mentioned problem solving. We talked about being punched in the gut. Dealing with conflict is always a challenge for leaders. I have found it important to listen for different conflicting perspectives. Even though it might be hard to hear her to take that punch in the gut, that tends to make the team better. A natural part of organizations is to have conflict and how we manage that is important. But how do we motivate, the next topic. One of the challenging aspects of leadership is motivating different types of people. What are the key motivators for you, your team and your people as you strive to serve in your everyday job . Im happy to start on that one. I came to this one, this question and i did not really have a framing for it. Then, i sat in kemba waldens sessions and shes talked about the our team is like an orchestra and we are the conductor. Really what that means is understanding each individuals unique passion, what makes them tick. Then, our role is to align their passion to our organizations objective to the mission and the community and people that we serve. That is our role as kind of an alignment role. I would love to say this is kind of like the lego movie but everything isnt awesome always. And there is general discord. So, what happened in those situations is i think and there are a couple of folks that mentioned this, really focusing on that persons passion and, if you have a diverse mission, finding a way to get them to move to their passion. Sometimes that means as a leader, you will take the pillar of your organization in this one strength and move them to Something Else they are passionate about. That is kind of scary to say i count on you for this but i am going to move you somewhere else. What we have seen is they get so much energy, so much motivation, they bring it to that mission you align them to and the other people they work with feed off of that. Is like my little 6yearold, like she is always watching me kind of thing. Other people see that you are willing to invest in your people and find them an opportunity to do what they love in your organization and that is retention. I think going back to some of the other things we talked about, knowing your people and genuinely knowing what motivates them because it is different for a lot of people. There are people i work with at Cyber Command who just saying the facilities is motivating on its own. Driving into the building. A lot of people like oh i am driving into work but for some people just that site is motivating. One example, i had a Young Software developer working in a room developing software for the Cyber NationalMission Force but he never got to see it used. In his opinion he always developed code, it went off somewhere but he never got to see the end result. Bringing him on the mission to see when it was used was the biggest single thing and motivating that individual. You have to be a part of the team and that got him to stick around a lot longer than he had planned to. You have to see first hand the impacts. You have the informal recognition of what you do is valued and people care about your role in the organization. I could not agree more about personal motivation. Understanding your team, figuring out what a like. Whether it is travel, whether it is getting up in front of a crowd and being able to brief. Whether it is getting to sit sidebyside with a Mission Partner and find a solution to a problem. You can start to map peoples personal motivations to things that will also reward the organization. I also feel like i get a really free pass for motivators because, where i work, the motivation of mission is threaded through every officer who works there. If you ask anybody from top to bottom they are like what motivates me is the mission. People in the Intelligence Community and National Security feel like they are a part of something bigger than themselves. So, it is very special. And then, i think getting people the opportunity to solve really cool and unique problems, that we often get to do, is a really powerful and potent motivator. They want to come and work for us because we have cool problems. We often do not even talk about. But you cant talk about. We cant talk about. The passion and motivation, just like everyone has said is key and the fbi too. Getting to know my people, if they want to work on ai, lets get you to work on ai. If you want to work in the private sector we will get you to do that. It all feeds in the mission and opposing costs on the adversary. Just like in the cia, people want to join the fbi from a very early age. It helps we have a lot of tv shows that motivate people. I would like to say the fbi is like a tv show but it is not exactly the same. Itself itself. Just getting them to also understand the impact of their work like everyone has said. To see the product that was or breach by the president or to the president and get their feedback, that is really inspiring. That is motivating. We are getting close to the end of time. Lets take about 30 seconds and talk about driving production, production change innovation. Bring our perspective, what does it take to drive productive change and innovation in your dynamic environment you work in . I touched on this a little bit, not being afraid to fail. And not accepting no for an answer. A lot of times when you are working something for the first time it may be scary to hire leadership were staff to approve but, kind of settling those fears and talking through how what you are working can be successful and why you need to innovate to continue to work the mission. The risktaking, we have a phrase grace on our team. For me, i am hyper passionate about this one. Our adversary is creative, when we identify ways to mitigate them, they find ways around that. We need to be creative to combat that. What we need to do that is, we need more diversity within our industry. It is when we bring many voices together, listen to those voices that we get the best idea, the best creativity. That creativity is what will spur the innovation. It is all about bringing a lot of people together and listening to them. I agree with all of those. All of those perspectives. I think it also is a convergence of top down and bottom up. I think it is the people who are boots on the ground who understand the problems to be able to enervate against those problems. And, from the top down, we need to give them the space and ability and resourcing to perform that innovation. I think it is important that those two things converge. I think discipline is key. It is always scary as people say to up and the applecart and try a new innovative technique or skill. Also, it t t t t is important t understand what your team is in resourcing. Not just my unit or division or the fbi or private sector resources, foreign partner resources so we know all of our options are. As general paul m. Nakasone said at the first fireside session, he said at the end of the day, leadership matters. These emerging leaders before you hear for contributing to the panel and conference. Please join me in giving me a round of applause. [ applause ]