Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and have the privilege this week to sit down with Mark Green, Chairman of the House Homeland Security Committee. Congressman Green, prior to serving Congress, was a combat veteran, a West Point graduate, a combat doctor, and has served in special operations, tours with the Night Stalkers, Army's well known
1/60. He's also been a successful businessman and has been a leader on homeland security issues, border security, and also cybersecurity, where he has recently put forward a bill, the Cyber Pivot act, which will help shrink the gap between the cyber workforce. So really excited for Today's discussion, Congressman. Mr. Chairman, thank you for joining us. Yeah, thanks for
having me on. Now, before we jump into the cyber discussion, I understand you have
a book coming out. Yeah, I do. It's called We Before Me. It's actually for
sale now, but the official launch will happen soon and so we're excited about it. It's really about my youth. My father lost his arm when I was in first grade and just the things that we learned from that about serving people. Anyway, and then I took that into the army and learned how military units put the whole above themselves, took that into business. In fact, when I ran my healthcare company, I
made everybody sign that they would live by we before me culture. That's awesome. Now I'm trying to do that in politics with the Reagan O'Neill Club and other things to put the whole being an American back to being number one and just how we as a nation are only going to survive if we put our country first, above ourselves in our own personal sort of like, you know, Kennedy said, ask not what your country can do for you, but ask what you can do for your
country. So something along that lines, and I'm excited to get it out there. Well,
that's awesome. And thank you for your service over all these years and your continued service to the country. And buy the book. Yeah, that'd be great. Awesome. Awesome. Well, thank you for joining us today. And I thought we'd start with the discussion around the bill you put forward before Congress, Cyber Pivot act, and its attempts to sort of shrink in the gap between the workforce challenges around cyber. What inspired you to
put the legislation forward and draft this? And then how do you think it'll help?
Well, if you look at the challenge between the United States and China, one of the critical success factors will be talent management. And it's interesting if you read Confucian writings, that's what it's about. How they built their governments even as early as 250 BC. It's really about talent management. And we have to be in that game of talent management if we're going to win in the challenge. Between us and China, we
have a 500,000 person shortage in cybersecurity jobs in this country. Empty spaces with nobody to put in them. I was having the Worldwide Threats briefing and Director Ray, the director of the FBI came in. He said, if I take every single person that I have working cyber and put them exclusively on the China desk, we'll still be outnumbered 50 to 1. Think about that. 50 to 1. 50 to 1. It's staggering. It's staggering. And so obviously this became the number one imperative for us from a
strategic standpoint of building our cyber defense. So that's sort of the incentive behind it. I think that was your question. But you know, the Pivot Act I think responds very well to the needs to fill those jobs. There are programs that are out there and they're good programs. We want to support those. In fact, in some of the legislation of the Pivot act, we actually encourage CISA to go and do more in those programs. But this one is ROTC like and creates a scholarship program that
will pay for a young person or really anyone. We titled it Pivot in case somebody wants to make a mid career change. Right. So you basically get two years of a technical degree paid for. And I like focusing on the technical stuff because you know, there are a lot of people and we've learned this over the past 10 years. We push so many people to go to four year degree programs, the graduation rates, all of that stuff. So let's focus on skills based. And so this
is a skills based. Let's give them the tools they need to do the job when they hit the ground at their workforce or workplace. And so that's sort of the way it's structured. We do two years, it's paid for, you owe the government, you have to come work for government. And this is non dod, right? The DOD has the ROTC program, but this is for non dodgy and the importance of what CISA does for particularly critical infrastructure. And I know you want to talk China later,
but we've got to address this need. And so we think Pivot does that supports other programs and the goal is 10,000 graduates a year. Wow. So does it solve the problem completely? No. But this is a good first step in addressing the workforce shortage in the Country. And if I'm not mistaken, it also allows the service those
two years they owe. The government can also include state, local, tribal, territorial. Absolutely, 100%. Which is where I think if you look at where our greatest vulnerabilities are. When you think about small states, big states, they face the same threat that the Feds do, and they don't necessarily have the. And everyone's connected. Right. So you find. They
find they're looking for the weak point. Right. So where we can help the state and local governments in this particular area, this will be huge. So what do you
think likelihood of passage of the bill? Well, I think what we've done is. And
we took the time to do this. Right, Right. Sometimes you rush a bill and now we've got a short. We're on short final for the end of this session. So I think there's a chance we can get it through the House, maybe. Maybe the Senate. But it's small, to be completely honest. But here we have the template. We have actually not a template. We have a finished product to go live right when the next Congress starts. There's no change in the House. There's a great change
in the Senate. So I think we can get it done. Awesome. And if nothing
else, it puts the marker in the. Not the sand, maybe the silicon in this respect. And it just makes a whole lot of sense. And no, it's a good
idea. And we need more of these ideas. Along with sort of upskilling veterans, there
seem to be some buttons we haven't pushed. This in combination with others, I think can get us closer to the goal. I think so. Absolutely. So in terms of. In addition to sort of the Pivot act, what other priorities do you see in the 119 around cyber? I think one of the greatest challenges we have has been
matched with an incredible opportunity. Greatest challenge, wide bureaucracy, not talking and communicating with one another, creating these. You know, they're operating in silos. Right. So they're creating regulations that oftentimes even go so far as to contradict one another. We got to harmonize. Right. What government is requiring of the private sector. Because if a company is spending more time complying than they are actually securing themselves, then we're doing. Government is doing harm.
Would not be the first time that's happened. So what we've got to do is go in here and I'll tell you, I've been really impressed. I was impressed with my team putting the Pivot act together. Right. What they have. You do have a
great team. I have a Great team. They're leaning forward on this. You know, I
cast out these things. I want, you know, my ideas and. Doggone, you got to
make sense of it all. Yeah, they bring it back. And so I've seen sort
of the roadmap going forward for the harmonization stuff and I'm really excited about that. I think again, we can make a substantive difference so that the problem is the lack of harmonization and the contradiction. The opportunity is the Chevron deference ruling from the Supreme Court. Boom. Right? That's the boom. And I actually have a bill that is a rolling repeal of every piece of bureaucracy regulation that violates Chevron or that the
ruling would cover. That's sort of more global, more strategic and focused on. This is the Harmonization Act. And we are going to be working with the private sector, they're going to be critical on this, with the bureaucracy, working with the agencies, and we're going to identify those areas. In the go forward, something we can do immediately is tell OMB in a simple bill, you will not pass a new regulation or put
a new regulation out there that is either duplicative or contradictory. And we make OMB sort of the funnel that everything has to go through. So in the go forward, nothing can be contradictory or duplicative. And then we got to go back and then it's going to be every single piece. And that's not going to be easy, but it's essential. And it seems like that has application far beyond just cyber. But cyber
transcends everything. Right now for me, I've got two critical borders, right? The southwest border
and the cyber border. And I get that that argument isn't calling it a cyber border is not perfect because a lot of times stuff is coming from within. But when you think of protecting systems, protecting organizations, infrastructure, then I like to think of it as a border and. I think that's valuable. I mean, when we think of
cyber, it. It is its own domain, but it transcends airland, sea space. When you think space as well, by the way, it transcends airland, cyber. So undersea and some things that we don't always think about in terms of cyber and protecting our critical infrast structure is part of our border, but we have to push it out, don't we? We do, yeah, absolutely. And, and ultimately we're never going to simply firewall or defend our way out of this problem. We need to impose cost and consequence and
bad behavior. So you, you bring up really two. I'm already there, so I'm sorry, you. Bring up important points. But, yeah, I. Look, we need redundancy. That's. That's an
issue. Right. You look at CrowdStrike and what it taught us, the cost of that 5 billion going back to the cost of the Pivot Act. I mean, just CrowdStrike cost us $5 billion. So I think we probably could be smart to afford it. Right. But anyway, I digress. We have got to create redundancy in our systems. So, you know, we're on from harmonization and synchronization now to that. The other issue is the economic models that support threat actors. Okay. And some of those are intrinsic to
ourselves, and some of them are extrinsic. The intrinsic ones are where we allow businesses to go put a product out there that has vulnerabilities in it. And I get the. I ran a healthcare company. I get first to market. We were hoping to be the first to market when I ran my healthcare company with a system where you could actually log into the ER from home and do a telemedicine interview from home, and we were gonna, you know, brand it and do all that. So I
get the concept. It's out there now that I've sold the company. But anyway, the point is, is if you can be first to market, that's a competitive advantage. Absolutely. Well, if you rush a product to market, to be the first to market, and it's got vulnerabilities, you could put the whole system at risk. So we've got to figure this one out. And reversing that economic model, there are a lot of different courses of action, but it's not palatable to anyone. But that's a challenge. Just because
it's hard doesn't mean we run from it. Exactly. Okay. Never quit. Never quit. So you got two different pieces to this, and we have to address both of them.
And the other side of that economic model is, I would argue for a while, we've been blaming the victim. An entity gets hacked, and you can't expect even the biggest companies to defend themselves against nations. China, Russia, Iran, North Korea, you name the bad actors. So we've got to sort of even that playing field as much as we can as well. Correct on that. Yeah. And that starts with the compulsory compliance
stuff that we give these guys. Right. So that's sort of the step one to this. But step two is a real partnership. Maybe that begins with the harmonization stuff, but then we can move that forward to actual protecting first critical infrastructure and then our economy and people. I mean, you can hack, you can hack, pacemakers so this ultimately has the threat to American lives. Individuals. Individuals, too. So I have a strong belief that we have to, as a country, own the fact that these
businesses can't protect themselves against nation states. And we have an obligation, as I spent 24 years in the army defending the country. Right. So I see that as something that we have to do. I think you're spot on. And I also think you're
spot on in terms of we can't just have a compliance. We need to raise the bar. There's no question about it. We can't get products out there that are built on quicksand because at the end. Exactly. Right. That's what we are. So some
accountability there, you know, and we've brought. We've done it. We brought. We don't want
to check the box either. Right. You don't want someone just to figure out how to game the system, check the box, game over. Because that'll create. That'll create the
problems that we've had. You know, we. We brought Microsoft and CrowdStrike both before our committee. We did that because accountability has to happen. You know, you brought up Chevron
deference. I. And again, I think it's unknown exactly what the implications are here, but I do think it puts a little more onus on this end of Pennsylvania Avenue Congress to be a little more prescriptive in legislation. Would you agree with that? Well,
we have to be very careful about that. Right. But you're right, honestly, when what happened to create the problem in the first place was Congress and I don't want to say being lazy. Let's assume for a second that they did it with good motives. Those guys know their business a little more than we do. Let's allow them to write all the regulations pertaining to X and Y. Okay, so let's assume for a second that there were good intentions in this. Well, what happened is the bureaucracy
grew so big and the right hand doesn't know what the left hand's doing. So. And then it got onerous and violated the rights of Americans and the rights of states. And that's where Chevron, all of that. That got to. Right? Yep. And so the Supreme Court said, heck, no, that's against the Constitution of the United States Congress. You have to do this work. And honestly, we're going to have to look at. If we're now writing legislation that has to have all of these specifics in it,
we may have to increase our staffs, we may have to hire different experts. We may have to. That's all something that as a global entity, Congress now has to grapple with. I think it's inevitable. I think it has to be inevitable. No, I agree, but that's the challenge we're looking at. And it's going to take someone championing that, what it looks like going forward. I'm glad you brought that up, because that
is where I end up. No matter how you square that circle. No, that's right. It has to go in that direction. And I also think the courts themselves, you've got a number of judges that don't necessarily have a whole lot of cyber skill and background. And I think the courts, we're going to have to see in the judiciary side, because we don't want arbitrary rulings to be the de facto standard in every case and form. Right. That's the flip side of all that. Sure, sure. We
can't write laws that violate the Constitution either. Yep, absolutely. So we need to make sure that we're thorough and that we have the right perspective when we do it.
So, private sector, I'm a little bit of a broken record on this. I feel like enough talk around information sharing. More needs to be done there. But what we're talking about is potentially the need for operational collaboration. You would know better than anyone, you trust those you're in the foxhole with, and I feel like more can be done there. What are your thoughts around that? Constitutionally, obviously, you know, I mean, I.
Think that's the direction we're heading. And I mentioned starting with harmonization. Trust. Trust is
key, right? No, absolutely. We don't want to create laws. And this is the way
I've always done it. I was a state senator before, and I'm a congressman now, and now a chairman. I love bringing in the stakeholders and having them look at a bill. And you can't imagine the number of eyes that we had in the private sector, in government. Take a look at this bill, as it should be. And my people went back and forth and they gave us great ideas and our staff took great ideas to them. This was a very collaborative effort to create legislation that
works for everybody or as much as possible. And so if we just adopt as Congress that process going forward, I can't imagine. I mean, I'd love to send a survey. Honestly, not a bad idea. My staff's probably hearing me say this. You probably ought to send a survey out and say, how did it work, working with us to put this piece of legislation together? Did you feel like you had input? Did you, you know, because a survey monkey or something, you know, and just get some
feedback. But I would submit to you, I bet you a 1/60 mug that they will respond. That team was fantastic and sought our input and we worked together to create a great bill. You know, you just came up with another idea that I
think efficiency in Congress. But that's a good. But that is a good concept. Imagine if all big pieces of legislation had a survey given the various stakeholders. That would lead to some transparency and efficiency, Right? Absolutely. We also need a scorecard on the
bureaucracy, though. Yeah, no kidding. Too. But that's the oversight. Absolutely. Yeah. A law is
as good as it's enforced and enacted upon. Spot on with that. What do you think? Cyber, and we know it's a broad set of issues. What does it look like in a new Trump administration? Well, I think President Trump is keen to understand
the threat. Right. He gets what China is his. And people. I think a lot of people don't understand how to speak Trump. They need to go read the art of the deal. The 25% tariff on Mexico. Right. And people go, oh, my gosh. Next thing you know, Mexico's got military on the Guatemalan border and military on the
US border and suddenly it's fixed. You know, so if you understand that with the tariffs he's talking about with China, you know, you got the G20 down in Brazil right now, they're freaking out about, you know, the tariffs and the impact on inflation. And listen, he's setting the discussion right. And when it comes to China, it's the same way. Right. So we're. We're. I think he will be very firm when it comes to cyber stuff. I'll be very interested to see who Governor Nunn picks to
be, you know, head of cisa. That. That's a conversation I hope I can. And they've already reached out to me, by the way, over the weekend about overall big ideas and people. So I think it's. I think it's going to be great. I know he gets the problem and the threat and that's step one. And when we
think about cyber, and I come from a national security background, so I've always looked at it through that lens. But when you look at it today, it's inextricably interwoven with our economic security. Right. I mean, it literally touches it all. Five billion from
CrowdStrike. Yeah. And that's one. That's one hit. That's a. Solar Winds. Solar Winds was more than that. Exactly. And that didn't. The CrowdStrike wasn't hostile intent. That's right. That was just exactly. Yeah, that's a butterfinger. So, but, but it is what it is.
So this sort of brings us to you and Congress and Representative Laura Lee put forward some, I think, important legislation around all the various typhoons, whether it's vault salt, you name it. But I'd be curious what your thoughts are around that. Well, it's
a first step, right. It's a task force to look into this kind of stuff. So it's, but it's, it's a step that has to be taken. I mean, you know, you crawl, walk, run. So. And Laura Lee has taken, she's a fantastic member, former Secretary of State for Florida, I think, the third largest state in our country. She gets it. She gets cyber really well. And so, yeah, this was her initiative
and I came in to support her. She's done a great job with it. And again, it's step one, it's a task force to dig into it, but we've got to do that. China Select Committee, I don't know, does that stay? Are we going
to see that in the 119? I think, I think so, but I haven't. You
know, it's funny you ask. I haven't had that conversation. Yeah, me neither. I didn't
even think about it until right now. I think it has had significant impact raising awareness to the American people because inside the community it can get a little confusing. But when the average citizen can relate to the consequences, I think it moves the ball. Maybe not immediately, you. Well, it can immediately. I mean, and I agree. And
I think a lot of people lose sight of the fact that we have an obligation with our oversight to educate. Right. And that's educate the populace, that's educate each other. And so our oversight has a purpose, and that is one of those is education. And if you want to move the needle, you can move it quickly. For example, we did President Biden had a just administrative decision to do away with all
hunting safety programs in high schools. And so we got out there, we started educating the American people on it, dropped a bill on it, passed the bill with only one no vote in the House and unanimously in the Senate, clearly a veto override majority. And he signed it into law. And I did that bill now. So if you educate enough Americans, they'll call their congressman and it'll result in action. Right. So that education piece is really important. Well said. I'm gonna put you on the spot.
We recently came out with a pretty big report looking at priorities for the incoming administration. We released it before the election to ensure that it was nonpartisan, we had the cyber advisors from the last five presidents, so. Oh, cool. Clearly nonpartisan. One of the things. And I've been advocating this for this for a while, but what do
you think about designating state sponsors of cybercrime the way we do for terrorism? That unleashes tools in the community that can be brought to bear and it just seems to me like one of those common sense. If I thought about it for, for a while, it sort of makes sense. But I don't want to put words in your mouth. No, I, I like the idea. The problem is that some of those
designations we'd have to create what it means and what authorities it gives. Because, for example, we looked at making the cartels terrorist organizations and again it wound up because of the way they're sort of interwoven into particularly Latin America. Going that far to name them terrorists would not work legally from a legal standpoint. Right. So I know there are several initiatives out there to try to create this separate sort of
RICO based entity that then they could direct more government resources against the cartels. Right. So I look at it the pretty much the same way. It's a great idea. But I got to get into the weeds on this one legally. And with the
cartels, though, they were designated transnational criminal organization, which do unleash some of the authorities.
That's correct. Intelligence authorities. That's exactly. And that's where I'm really going. Cooperative from Title 10 and Title. I mean, so Title 1050 is where it's all at 100%. Yeah.
And 32, once we start looking at some of the domestic sorts of issues. Yeah.
One of my initiatives is, and I'm trying to convince, and this is outside of my own committee because it's in the ndaa, but I want a Cyber National Guard unit in every state. And that way the governors can, you know, bring them on state level. State level. Activate them at the state level in case the state gets hit. So that's one of the initiatives that we're trying. We've got amendments to the NDAA on that. I hope that passes because we work very closely at Auburn with
the Alabama National Guard. National Guard, they're great. And whether it's in Title 10 authority or Title 32, is that. Because at the end of the day, the first to respond, the last to leave in a local incident are still going to be at that state level. That's exactly right. We saw that with Helena and I. Feel like we've seen this movie quite a bit and we still haven't figured that one out. What other priorities from a critical infrastructure standpoint do you see from a security resilience
that, that you're focused on? Well, we've covered workforce, we've covered the harmonization effort, which
is essential. And we've got the economic models. You know, we, we touched on one of those economic models, the first to market stuff. There's an economic model that we haven't talked about and that is how do we affect the incentive of the kid in Russia with a $3,000 laptop getting a $5 million ransomware payoff. Right. So that's
an imbalance and there are multiple different ways. You mentioned the state sponsors of but oftentimes it's just a criminal thug who happens to live inside a country that won't extradite to the United States. Now we implemented this ambassadorship at the State Department to deal with these but it hasn't been effective. We've got to figure out as a country how to put pressure on people to enforce laws to extradite when someone breaks
our laws. And this one I don't have all the answers to. But it's, it's when we got to put our heads around and get some smart people working on. Because that's not, it's not just nation states, it's criminal organizations that make a lot of money hammering small hospital systems in this country that risk American lives. Now you're
spot on there. And, and the role of proxies, who's the puppet, who's the master is not always easy to discern. Very good point. And when they call on them, they're suddenly there for Mother Russia or whoever else else right to, to do their bidding. And, and that does complicate all this. That's why I like the state sponsorship because that gets through the murkiness there. Sure. In terms of direct attacks and sponsored. But any, any questions I didn't ask that I should have. I think the most
important question is is army going to beat Navy here in a week? Army's looking good days and so hopefully, hopefully that that will happen and the world will be right. Well, I hope army makes the playoffs. Chairman Green, thank you for your leadership.
Thank you for spending time with us today and keep fighting. Thanks for having. Thank you. Thank you for joining us for this episode of Cyberfocus. If you liked what you heard, please consider subscribing your ratings and reviews. Help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you'd like for us to to host. Until next time, stay safe, stay informed, and stay curious.