
A Look Inside McCrary Institute's Presidential Transition Report

Oct 23, 2024 · 36 min · Season 1, Ep. 43

Episode description

In this episode of Cyber Focus, host Frank Cilluffo discusses cybersecurity priorities for the incoming administration with Mark Montgomery, co-author and leader of the Cyber Solarium 2.0 Commission, and George Barnes, former deputy director of the NSA. They delve into the McCrary Institute's new presidential transition report that presents a strategic roadmap to maintain the progress achieved in cybersecurity. The report highlights eight lines of effort, ranging from regulatory harmonization and collaboration to building workforce capacity and securing emerging technologies, with the ultimate goal of safeguarding national security and economic resilience.

Main Topics Covered:

  • The purpose and composition of the transition report
  • Maintaining cybersecurity momentum across administrations
  • Eight lines of effort to ensure cybersecurity continuity
    • Unifying the regulatory landscape
    • Synergy in cybersecurity protection
    • Cost imposition and deterrence strategies
    • Resiliency through proactive risk reduction
    • Enhancing cyber statecraft and international collaboration
    • Building workforce capacity and volunteer support
    • Safeguarding critical and emerging technologies
    • Ensuring continuity of the economy


Key Quotes:

“Irrespective of who wins the presidency in November, cybersecurity is going to be a priority and must be elevated.” – Frank Cilluffo

“The most important thing in Washington is momentum, and to have momentum, you have to have ideas.” – Mark Montgomery

“Cyber transcends the air, land, sea, space, and the reality is this has implications and impact much broader from a national security and economic security perspective.” – Frank Cilluffo

“You can't just sit there and defend. You actually have to put pressure and cost and position in the other direction.” – George Barnes

“The one thing [autocracies] can't do well is partner. They're very transactional and domineering, as we know. And so partnerships really matter.” – George Barnes

“[We] need to first achieve regulatory harmonization. You can't continue to pile requirement on requirement on the private sector without first ensuring that you're not asking them to do the same thing in five different manners.” – Mark Montgomery

Related Links:

The full report:
https://eng.auburn.edu/mccrary/pttf/

Guest Bios:

  • Mark Montgomery is the leader of the Cyber Solarium 2.0 Commission, focusing on strategies to improve national cybersecurity and protect critical infrastructure, and a senior fellow at the McCrary Institute.
  • George Barnes is the former deputy director of the National Security Agency (NSA), a senior fellow at the McCrary Institute, and the Cyber Practice President and Partner at Red Cell Partners.



Transcript

Frank Cilluffo

Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo. And today we're taking a little bit of a different track to this particular episode. We are releasing a major effort in terms of priorities for the incoming administration on cybersecurity. I have one of my co-chairs and co-authors and another co-author joining me today, Mark Montgomery,

who is also leading the Cyber Solarium 2.0 Commission. And George Barnes, who just recently left as Deputy Director of NSA, is at Red Cell and also a senior fellow at the McCrary Institute. The transition report is a culmination of multiple meetings comprised of our senior fellows and other subject matter experts from our law enforcement community, our intelligence community, our military community, as well as obviously our private sector owners and

operators. And quite honestly, the amount of expertise in that room, I think added so much to what we hope is a robust report that doesn't sit on a shelf and rather is translated from those nouns into verbs. Irrespective of who wins the presidency in November, cybersecurity is going to be a priority and must be elevated. And this is a very nonpartisan effort, spanned five different administrations, including the women and men who

had leadership roles for five different presidents on cybersecurity. So a little bit of a different take, but, but thought we'd start it by why did we put this together, Mark? Well, I think you came up with the idea. And the idea was that

Mark Montgomery

last time the Solarium Commission did, as part of the actual commission, did a white paper to turn over ideas to an incoming administration, and with no commission, the commission

sunsetted. No one there. I think you had the good idea that, hey, we kind of owe this to the next commission because one of the things we've determined is that after 16, 18 years of struggling in the wilderness to get cyber and critical infrastructure protection up at the right level, it's fair to say the last four years have seen a lot of action. Part of it is the result of the commission,

which you were a commissioner on and which I was executive director of. But a lot of it has to do with the current administration has really tackled this. It didn't hurt that SolarWinds arrived at the same time as the administration. But in any case, they tell you, but the most important thing in Washington is momentum. And to have momentum, you have to have ideas. To have ideas, you have to have papers

like the one that, that you led us through here. So from my, you know, from my perspective, this exists to help the next administration maintain the momentum that we've seen created over the last four years. And George, before I pull you in, I

Frank Cilluffo

think it's worth noting that the composition of the task force members spans five administrations with cyber leaders, which is pretty much the beginning of what we were at least referring to as cyber from the Clinton administration all the way through to the current administration. And if I can just add that we really did break it out into eight lines of effort, which we'll get into. But ultimately what I think we were trying to do is a recognize and I think. Mark, you said it very well,

momentum matters. Making sure that cyber is a priority and is elevated not only as its own domain, but cyber transcends air, land, sea, space, and, and the reality is it has implications and impact much broader from a national security and economic security perspective. So basically we tried to take an attempt to really look back, see what's working right now, what's not, and what we need to, to be focusing on. So George, anything

you jump into? Well, just to tie into what you all were highlighting, momentum is

George Barnes

key. And if you look at the last several years, there has been year on year, more and more momentum. And I think we have to sustain that. And that's the purpose of what we're doing here. But also we need that level of intensity to rise because as much as we are gaining momentum and increased intensity, unfortunately, the threat continues to outpace our ability to match it. And so with any change administration,

we need to sustain momentum and have continuity across the divides of, of time. Because invariably when you have changes in leaders, you can have dips in focus. And so it's really incumbent upon us and we're really driven to do this, to bring attention to those things that are working. Where do we need to pour more fuel and where do we need new fuel on sustained systemic problems? Well said. So why don't

Frank Cilluffo

we jump into some of the lines of efforts themselves. And we came up with eight. If I'm being very honest to our viewers, we had hundreds of recommendations. We had to boil down into dozens of recommendations. And I think the key here is these aren't just nouns on a document. They're meant to be implemented and acted upon with a sense of urgency. We did break it up to near term priorities, midterm

priorities, and long term priorities. But Mark, why don't we start with sort of line of effort, number one, which is unifying the regulatory landscape and, and what that means from a national security perspective. You know, this is an important one. It's actually, I

Mark Montgomery

think one of the most recent ones, you know, I would say that it's, it's. Of the eight lines of effort we're going to talk about, it's the one that kind of emerged last. It came out of the National Cyber, the national, the first

inaugural National Cybersecurity Strategy. You know, Chris Inglis, you know, if he, if he would tell you that he left one kind of hallmark initiative and he left more than one, but the one I think that he's most coming back to, it's the idea that we need to take a more regulatory approach to the security of our critical infrastructure. But to do that in an effective way, you really need to first

achieve regulatory harmonization. You can't continue to pile requirement on requirement on the private sector without first ensuring that you're not asking them to do the same thing in five different manners. And there was a pretty famous happening. It's happening. Yeah. I mean, the most, most unimpressively was when the CIRCIA law was passed, the National Cyber Incident Reporting Law with its reporting requirements for companies. And then within I think 48 hours, this,

the Securities and Exchange Commission dropped proposed rulemaking that had different reporting requirements. Now, look, it would. What bothered us at the commission was that the rest of that SEC rulemaking was our proposed changes to Sarbanes-Oxley and any more senior leadership in there. So we generally had to support it, despite the fact that you saw this discordance with the recently passed CIRCIA. And the executive branch knew what CIRCIA was going to

say. They were negotiating the exact differences in it. So for the executive branch to both negotiate the CIRCIA numbers and then pass it and have it signed into law and almost simultaneously issue an SEC rulemaking that was contrary to it was kind of, I think the point where Chris said I have to comment on regulatory harmonization in

the strategy up front. And so he did it. And so what we're doing is tapping right back into that, saying, look, there likely is more regulation needed in certain industries, but before you achieve that, you need to first show the American people how you get to harmonization. Senator Peters has passed a law, I mean, excuse me, has

drafted a provision that has passed his committee on regulatory harmonization. I think it was written very closely with Nick Leiserson, a senior official from the Office of the National Cyber Director who had testified at the, at the Senate at the hearing for that. So I suspect, you know, what we're doing here is saying pick up that thread and run with it. And George, there was also the need to synchronize some of the

Frank Cilluffo

authorities, most definitely Title 10, Title 50, Title 18, 32, 40. And on the list goes. Anything you want to add? You made the point. There are many, many statutory

George Barnes

frameworks that really need to create a continuum. And because it's so complex and there's so many, that creates ambiguity, ambiguity among individual agencies and departments that are actually trying to understand their lane, trying to understand how their lane connects to other lanes. And so part of the whole essence of this push on regulatory landscape and the harmonization thereof is really to get clarity and simplicity to the degree we can. Because this

is complicated. Cyber reaches all corners of everything. And so we need to create harmony in a continuum that is not just responsive to the threat, but also has the latitude to move with the threat as technology changes year on year. And how they

Frank Cilluffo

interact with their crucial partners in the private sector. Because look at the private sector,

George Barnes

as we mentioned, they have an abundance of regulations coming down on them. They're spending more and more resources now on compliance, trying to understand and untangle this web of compliance responsibilities. And that is bleeding some resources away from money they need to spend on better defenses. Well said. And we double tapped a number of recommendations on operationalizing

Frank Cilluffo

some of that collaboration. But before we jump to that, line of effort number two is synergy in cyber protection and that's strengthening national multi-stakeholder collaboration. You want to start? I'll try first on that only because look, this is. If you were to

Mark Montgomery

grade the subspecial commission and the Biden administration's implementation of many and the Congress's implementation of many of the efforts. There's two areas I'd give you an A. One is on Department of Defense, moving the Department of Defense and, and you know, no surprise there, an annual NDAA. You get to tweak and tweak and tweak and tweak and eventually get things right. And you've been referred to as the NDAA whisperer. Yeah, I've

Frank Cilluffo

heard that for the first time yesterday. So I loved it. And so has also

Mark Montgomery

taken, you know, approach is kind to Department of Defense. I just generally say, but it's outside of there. Like the second area I'd give a strong one to was the reorganization of the government. And the three big things we were pushing was an office of National Cyber Director, a strengthened and fully appropriated CISA and a, and a sec, an office in the State Department, you know, at the undersecretary level, its own

bureau on cyber. All three of those has happened. We'll talk about the cyber one later. But what I would say here is that, you know, it's getting the. It's just because you've established an office of National Cyber Director, no cabinet agencies running on its first authorization. Right. You tweak things along the way. As I said, the Secretary of Defense gets tweaked yearly. And if you look, there's actual tweaking to his job,

his undersecretary jobs, things like that, responsibilities authorities given and removed. You know, NCD is going to need another set of those. We need to take a fresh look at what's required there. And an incoming presence strengthen and strengthen and it is the job of the incoming president. She or he should look at that, determine what they want

the NCD to do. We have some recommendations and then move forward. And by the way, most importantly, talk to the former ones, you know, the two confirmed ones, Chris Inglis and Harry Coker, but also the acting, Kemba Walden. The three of those should be spoken to to get their take on what's it. If I can mention one of the things. Mention SRMAs. Mark. Yeah, so yeah, the other. And we're going to talk about SRMAs routinely. You're going to hear the word SRMA through like five of

these eight lines of effort. Because, because we did get them what. We did and

Frank Cilluffo

spell it out. Sector risk, sector risk management agencies kind of replaced at the time

Mark Montgomery

the term of art was sector specific agencies. But it was never in constant law. And what. And so what happened was if you're not in law, cabinet members don't have to do it. And some like Department of Education, Department of Agriculture, EPA, Environmental Protection Agency over decades were not doing their job. So not a partisan issue, on a bipartisan basis failing to do the job. So you put it in law, now

they're required to do the job. And also it allows the appropriators to appropriate against the job. And that's important too because to do the job you need money. And we'll talk about that in a further sector. George, you want to jump in on

Frank Cilluffo

something? The only thing I'd add there is. Just maybe CISA, anything you are. I

George Barnes

mean the biggest thing really hinges off the SRMAs and their reach into the corners of our society. And you look at how we're finding now with a lot of the threats from say Volt Typhoon and those types of things where critical infrastructure is at risk and whether it's small companies or municipalities are not armed or fortified or have talent to address these threats. And so having a helping hand from the associated SRMAs

and then the big agencies and departments is really critical. And so collaboration really requires unity of effort and connectedness. And so that's part of what we need to drive.

Frank Cilluffo

And we had eight recommendations in this section. Just one I want to double tap very briefly is supporting state, local, tribal and territorial because at the end of the day SLTT and the front lines, just like in the counterterrorism sets of issues are often going to be state, local, law enforcement, emergency managers and the like. Frank, I'm

Mark Montgomery

glad you bring that up because we constantly say, and you know Dick Clarke made this number up. He fortunately over time was proven to be true, but I know he made it up, 85% of our, didn't he say 88%? Yeah, so he, he moved around. But, but we'll say 85% of our national critical infrastructure is owned, is not owned by the federal government. Right, but that 85% isn't owned by the private sector necessarily. A good chunk of that are state and local utilities, tribal and

territorial entities. And so they need the same kind of support. And honestly in the. Who has two wooden nickels to rub together? You know, who has budget money? I would put state, local, tribal, territorial at the bottom of the heap because it's hard for them to change rates. That's right. Taxpayers 10 tax stress, look at the water raise money. You know all the threats there and their inability to really step up

George Barnes

to this. Look at the feds can't fill these jobs. There are hundreds of thousands

Frank Cilluffo

unfilled and, and they're paying better than local. So yeah, it's a huge issue and, and we have some recommendations and creative ways to backfill some of that through volunteer and other sorts of attempts as well. But let's jump to line of effort and I'll take advantage of being closest to the mic right now and, and say and this is looking at cost imposition, deterrence and why it's a strategic imperative and I think it's fair to say we are never going to firewall our way out of

this problem. The reality will continue to be unless we can impose cost and consequence on bad cyber behavior, we shouldn't be surprised when we see lots of bad cyber behavior. We are beginning to lean forward but I still think there's more to be done. So George, I'll start with you on this one. Given your previous role, I think you played a significant role in. Right, most definitely. So you know we were just talking

George Barnes

about the, the challenge of defending in areas that are under resourced and can't get the right skills in place. And just look at the pandemic, if you will, of ransomware and how that's hitting all corners of our country and our society, as well as a lot of the allied nations with whom we engage. And then you take the nation states that are actually pre positioning to hold us at risk for a day of their choosing, you have both of those pressures coming down. We're trying to

respond with, you know, of course, better statutory frameworks, better technology, better coordination. But. And we need to do all those things, but we also have to put our eyes back at the source of the problem. Right. And so you can't just sit there and defend. You actually have to actually put pressure in cost and position in the other direction and whether that's the nation states that are doing it or those who they harbor. And so we have made progress there, but I think we have to

make a lot more progress. And I think we need to look at all aspects of levers of power and influence. Some of those are diplomatic, some are economic, but some are going to be more forceful and also some are going to be more nuanced. We have a legal framework both nationally and internationally that we are trying to leverage to put in position back on foreign actors. But a lot of those frameworks were built, I'll call them, they were built for human time. They're too slow and

too antiquated for the sophistication of what we're dealing with. Mark, anything you want to

Frank Cilluffo

add? We had three recommendations in this section. One is actually coming up with enhancing operational capabilities through campaign plans and playbooks. The fact that we shouldn't ask, act surprised when we know who the perpetrators are hitting us and kicking us in the derriere and, and having those in place, as well as designating a process for state sponsors

of cybercrime. That's something I have spent a lot of time working on. But I'd be curious if you want to weigh in on any of those and quickly, because I just like the. George called the military forceful and I believe he called the

Mark Montgomery

IC nuanced. I'll just leave it at that. I think we'll go to the next one. Forceful and nuanced is good. Let's go to the next line of effort. And

Frank Cilluffo

that is on resiliency. And this is looking at a proactive approach to risk reduction. And we had a number of recommendations in this particular line of effort, five of which I think we codified. So now this is, to me, this is important. So

Mark Montgomery

I said earlier that we did well in the commissioning and the GUT and the Biden administration in Congress afterwards on DOD and on organizing the government. I'd say an area where we did not meet the mark was resilience. And I think first of all, and we recommend this very first, we need a system of prioritization. We can't boil the ocean, we can't protect Vicks Dry Cleaner at the same level as Dominion Power. In the end, we have to prioritize things. And I think the term of

art today would be systemically important entities. But whatever it is, you have to have that and then you have to have a rule set around it. You can't just say an NSM like the administration has said in National Security Memorandum 22, we need to have systemically important entities. We agreed wholeheartedly in our report here and we said and you need the next step, right, which is establish benefits and burdens associated with that.

What's it mean to be a systemic and systemically important entity? What do you have to do? You know, third party assessments. Whatever it is, it says you've established a certain level. You have to give what do you. Get and what do you get. And then, you know, at some point we're going to have to broach the issue of some liability protection for those companies when they're attacked by a nation state, much like there would be protection if there was a cruise missile attack on their site, you know,

by a foreign, by a foreign power. If I could mention one other one, we talked about the need for sector specific standards. And again this goes back to sector, sector risk management agencies understanding, doing proper assessments of their sector and coming up with plans. And we recognize some of these sectors are too poor for regulation and those

are the ones where we want to push things out. In water we have something called the Water Risk and Resilience Organization that we're trying to get passed into law now those kind of things have to happen. And then at the higher end, things like financial services, nuclear power. Exactly. There's a regulatory kind of level. Most Americans understand that space when it ever becomes a critical infrastructure. I know, we'll talk about that

in a minute. If no one could escape. Exactly. Probably most Americans are to support regulation, some level of regulation space because they don't want things falling on their house. But you know, in water and K through 12 education systems and food and ag, we're probably going to have to start at a level below regulation if we're going to get to a successful solution. George, anything you want to add on that? No,

George Barnes

I think he said it Well. I mean, at the end of the day, I

Frank Cilluffo

think it's fair to say we need to lean forward and prevent all we can, but we're never going to be in a position where we can protect everything, everywhere, all the time, from every perpetrator and every modality of attack that we have to build in societal. And a lot of entities don't really understand the correlation of technologies

George Barnes

that are at risk and the bottom line of their value chain in their companies or in their municipalities. And so really understanding, assessing risks and understanding their relative priority in your system that affects your bottom line, your continuity of operations, your ability to actually recover. We see many sophisticated companies that are knocked over by ransomware and they have an inability to get back on their feet. So there, there's something there that

needs to be teased out. And if you make the impact of an attack and

Frank Cilluffo

minimize that and ameliorate that, that's also part of a broader deterrence effort. That's right. So let's go to line of effort number five. And that's on cyber statecraft. So yeah, you want to jump back in? I'll jump back in because you know, this

Mark Montgomery

was a, a passion play for Representative Jim Langevin, our fellow commissioner. He had been pushing the Cyber Diplomacy Act along with Representative Mike McCaul of Texas, who most importantly was chairman, is chairman of the House Foreign Affairs Committee. So the two of them pushed through and got the Senate on board with a Cyber Diplomacy Act. Senator King on the, you know, from our commission as well, pushing from the Senate side. This

is critical. State Department needed to be better organized to deal with this if they're going to lead the US's international effort to engage, which was absolutely insufficient for the challenge we were facing from China and Russia and international organizations. You needed a State Department leadership role. I think we're very fortunate to get Ambassador Nate Fick as our

first leader of the Cyber and Digital Diplomacy Bureau at the State Department. And then the final thing I'd say on it is that we recommend a continued commitment to participation in international standard setting organizations. The Trump administration got a big win in the World Intellectual Property Organization elections. The Biden administration got a big win in the International Telecommunication Union elections. We need to continue to get big wins in these to keep authoritarians

out of the leadership positions. Mark. And I'll let you jump in in a second,

Frank Cilluffo

George, but I'm glad you brought that up at the end of the day. And this is not to hyperventilate, but this is about democracies and autocracies and this is not something we can afford to lose. And this isn't some squishy set of issues. This isn't very much in our national interest, but sorry. And I think, you know,

George Barnes

so many nations want to partner with us and get value from it. And you just. All of the nations with whom we're engaging in the liberal democratic world are being hit by these same threats. And many of them are, of course, not as well situated as we are to push back. And so look at what's happened in the probably about 40 nations now have come together on ransomware. I mean, those are examples. And as mentioned, Ambassador Fick has been really, along with those in the NSC,

engaging internationally. And that really, not only is it relevant and brings value to the cause, but it also sends a message to the autocracy because the one thing they can't do well is partner. They're very transactional and domineering, as we know. And so partnerships really matter. And I might note just last week, Ambassador Toby Feakin, Australia's

Frank Cilluffo

first ambassador, weighed in very heavily on exactly those points. George. Thank you. George, why don't we start with you on the next line of effort and that's building capacity and specifically strategies for robust cybersecurity workforce. Yeah, I feel like I've seen this movie for many, many, many, many years. What can we do to try to move the needle? Yeah, I think we have to hit several fronts, of course. And one of

George Barnes

the key things we'll bring out in this report is, and it really builds on what I know Harry Coker and ONCD have been pushing, is this whole what's the future cyber workforce of America? And that doesn't just start after you graduate high school. It really starts in the K through 12, showing we have kids that are coming of age in a digital era. And so they are much more nimble than I ever

was, of course, or any of us sitting here. And so exposing them to technology, exposing them to the, the inherent criticality of what cybersecurity means, to our use of

technology in every piece of our life. So that's just an exposure thing. And then you couple that with education and a way to actually make a difference and whether that's in a very focused cybersecurity career path or whether it's tangential but supporting, I think embedding that in the psyche of our next generation of children coming up through their various stages of education and maturation is just really key because we have to

understand that we're threatened day in and day out by criminals, of course, by nation states, but most of the breaches that happen are human factors. Right. And it's because we love efficiency and expediency of our apps. And a lot of times security has been clunky, it gets in the way, it's too slow. And so that affects uptake. And so I think education is a big thing and those kids can help make capabilities more seamlessly integrated so that you have more uptake. Well said, Mark. We had

Frank Cilluffo

a number, we had six recommendations in this and I'm a big workforce guy, you

Mark Montgomery

know it just, you know in the commission continued to work this with separate white papers and legislation. I'll tell you first I'm excited. You know we have great leaders inside government, career civil servants who've moved up. So a guy named Mark Gorak runs the Department of Defense one he's fantastic. They've got, you know, they're not solved but

they have a glide path to being right. And the right being I define as pretty close to how the IC runs cybersecurity workforce: getting upskilling veterans, veterans, properly compensating people, onboarding them properly, training them properly. We have regulate, we have still have some provisions for the .gov to get there because the .gov lags, but they've got people like Tony Benson that says are running the K through 12 Cybersecurity Curriculum Education, the Scholarship for Service

a program that I helped start almost 25 years ago still running hard. A guy named Victor Piotrowski at the National Science Foundation running it. We have recommendations for funding there. And if a final thing I could mention, Representative Mark Green, chairman of the House Homeland Committee, has just before the PIVOTT Act and I think this is important, great bill. It matches what Harry Coker the National Cyber Director has been saying which is

that this is more than four year education. That's right. This is, this is about getting the community colleges, vocational schools involved. So you can have a school like Auburn with a Scholarship for Service program, NCA, NSA's CAE certification but you go to these,

sometimes you need that produces great four year products. Sometimes what you need is a two year product or a one year product and this pays for that, pays their room and board while they do it and then they owe government time just like the Scholarship for Service, just like ROTC. So we're pushing, we're endorsing that as well. So from my perspective workforce is an area we've been tackling. More work's needed but you can actually see successes on the horizon if we go grab them. Let me

Frank Cilluffo

just double tap very Quickly two other that were a little unique and that's keeping in line with pushing some of the burden to those that have capability. We were looking at a virtual sort of CISO model for small, medium sized businesses and obviously schools and the like. And then another one that I think is relatively, relatively unique

is looking at how volunteer organizations, Estonia, Israel, a number of countries have reserve capabilities. And we intentionally didn't go down the active reserve component alone here, but looked at other sorts of roles. So all things said and done, there's a lot of problem to go around and there's not a whole lot of people to fix it. That said, I think we're making some progress. Let's go to the

next line of effort, and that's securing the future. Nice title, but it's looking at safeguarding critical and emerging technologies, and I think we often take for granted our leadership and, dare I say, superiority in some of these areas, but we can no longer take that for granted at all. You want to start, George or Mark, or either?

George Barnes

I'm happy to start. I mean, technology is kind of the breadbasket of the United States. It's been our signature in the world and it's really been the outcome that shows the power of what we represent as a democracy. And so we need to understand that. We need to protect it, but we also need to understand it. It all is not just in the United States. We are totally globally interconnected. And if you just look at our software supply chain, most of the software that's used today is built globally. Unbeknownst to all of us that use it,

there are perils there that we need to grapple with. And so understanding, especially as we bring manufacturing home to the United States, which we are doing and must do more rapidly, that brings power leverage for our economy, for our industrial base, but it also brings peril if we aren't mindful. And so emerging technologies have to be understood

and protected. We also have to understand that we are in a race. China is very open and out there with respect to its strategies to dominate many technologies that the US has dominated for many years. That's a signal to us, and we know that if they can't do it by themselves, they have a proclivity to come and take our technology. And so that can't be easy street.

Frank Cilluffo

No joke. You know, the other one I think is the supply chain management.

Mark Montgomery

Yeah, we had just finished for the China Select Committee a look at, you know, deep dives on weapon systems. And you know, you kind of think, well, you know, the Chinese part might be in like the 8th or 9th level of the supply chain. Nope. And in the vast majority of these illuminations, the Chinese part showed up in the second or third level down. Right. There's a Chinese company domiciled in the United States that just has a pass-through to microelectronics production in China. Now look,

20 years ago when this was set up, that probably seemed harmless. As we sit here today, the idea that someone could install physical or cyber malware into a supply part going into a weapon system is highly likely. And certainly the idea that someone would deny you spare parts, you know, these constituent parts, in a crisis when you're trying to build up your munition supplies is 100% likely. So hitting that supply chain. We have two recommendations there that I think need to be strongly attacked. And this is one area where the Department of Defense probably is not yet where it needs to be. And while it may not be sexy, it's really important.

Frank Cilluffo

Just having lists that are unified in terms of what technologies, emerging technologies, I can and cannot buy, making it a little easier for our critical infrastructure owner-operators who have to sometimes go through three different lists, and next thing you know, E.T. is calling home. And some prioritization. We just need to better prioritize things. So I think we have a handful of recommendations. We're in the red zone now. So let's go to you on this one, Mark. The last line of effort is a set of issues you were a big champion on in terms of continuity of the economy. But I think it's also more broadly. I don't think we'll find anyone who says cyber doesn't matter, but policy without resources is rhetoric. So where are the dollars?

Mark Montgomery

So I'm glad you said dollars and cents. I'm glad; that way I didn't have to say, as Frank Cilluffo says. So, you know, okay, first we'll go with resources. And I'll tell you we are resources. There's a mismatch between the rhetoric of I do this, I support this, and the actual budget. Now, some federal agencies, some sector risk management agencies are all right. Department of Energy, I'd say, is all right. The financial

regulators are all right. The vast majority of the rest are not all right. So a place like Department of Agriculture, you know, with, you know, tutor and Department of Education with $250,000 to $500,000 budgets for sector risk management agencies, we professionals all know that's one or two full-time equivalents. One person cannot support 8,000 farms. One person cannot support, you know, 11,000 unified school districts. You know, they're basically doing website maintenance at that point. They need to be approved. The other big budget one was NIST. NIST was, we assessed it as 40% underfunded in 2021. Since then it's got about a 15% bump. You say, well, you're getting there. Except it's gotten all this additional tasking. Every executive order says NIST do this, NIST do that. There's no money in the executive order. So if the budget doesn't go up, you're not there. So NIST is no longer 40% undermanned. It's probably underfunded, it's 60%. And then finally,

you mentioned continuity of the economy. If Tom Fanning were here, he would have mentioned it first. He did, he did in a previous episode. Yes. So what I would say is we're at that point where the Department of Homeland Security needs to take leadership on this. The White House needs to acknowledge the importance of it and not say it's covered by our existing decision making. And what really is required is an

increased role for the private sector in the decision making. We are at a point where they own or operate 85, as we said, you know, 85% of the national critical infrastructure, along with the state and local governments. But they're nowhere to be found in the decision making on how to move forward in a crisis. Right. And that kind of prioritization, they're going to be critical to doing what the President wants, and you're going to need them more involved.

Frank Cilluffo

And Mark, if you can give two seconds on the framing of continuity of the economy. We are all familiar with continuity of the government, continuity of operations and all the old national security implications, but this has much bigger.

Mark Montgomery

Yes, this has to do with the recovery of your major critical infrastructures following a significant cyber attack or significant disaster, probably coupled with a cyber attack. And what's important here is that you get back your national security for military mobility, your rail, train and port, I mean, rail, aviation and port systems. But also you get back your economic productivity. That's one of our

strongest tools in dealing with an adversary. And then, of course, your public health and safety, you know, you need to keep the American people alive during these events.

Frank Cilluffo

And fair to say, national security and economic security are inextricably. George, anything you want to. Well, without further ado then, that is a wrap. Please do take a few minutes to read the report. And let me thank both of our civil servants, rock stars and good friends, Mark Montgomery and George Barnes for joining us today. So thank you, Frank. Thank you. Thank you, Frank. Thanks. Thank you for joining us for this episode of Cyber Focus. If you like what you heard, please

consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.

Transcript source: Provided by creator in RSS feed.