Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and have a real privilege to sit down today with Kiersten Todt. Kiersten is president at Wondros, which is a
creative firm focused on social change and policy change. She previously served at the Office of National Drug Control Policy, ONDCP, at the White House, as a staffer on the U.S. Senate Homeland Security Committee, working counterterrorism and homeland security issues, and most recently as chief of staff at CISA, the Cybersecurity and Infrastructure Security Agency. Kiersten's known to all in the field, the bright light for so many years trying to move these
issues forward. So, Kiersten, really excited to sit down with you today. Thank you, Frank.
It's great to be with you. You know, when we look at cyber issues and
where we are today, obviously there's much we've observed and you played a key role in remedying and fixing. But I thought we'd start with maybe most recently coming right out of CISA and where you oversaw a bunch of the strategy that the agency was putting forward. What are two or three things that you were most happy to see, most excited about? Well, it was an interesting time because at the time CISA
was the youngest agency. It's not the youngest agency anymore, but it started in 2018. And so there was a lot of growth and building. And I think, you know, with Jen Easterly's leadership and looking across just the leadership of the agency, it was both internal and external. Internally, as chief of staff, I think some of the things
that I was so pleased with was how we built out the workforce. We started laying the groundwork for a neurodiversity initiative to engage individuals with neurodiversity and really look at building a more inclusive workforce. It's obviously not easy in government and really anywhere when you're dealing with that size, but I think we planted the seeds for some
important work. I think also building the collaboration with industry, it's tough when you don't have the regulatory authorities, but at the same time, you're given an opportunity to really build partnership and collaboration. And Frank, you and I have been working in this a
long time to know that the word partnership doesn't always have meaning. You know, we talk about public private partnership, but trying to really engage in trust and collaboration, and I think, you know, a function of the times as well as the threat has really been the cross sector engagement. And that's I think the credit of government writ large, it's just appreciating that while there are critical infrastructure sectors, if we're truly looking
at securing them, we have to look with a cross sector approach. And I feel like we've made a lot of progress with that. Well, I'm going to pull the
thread on all those points momentarily, but before I do that, any regrets, any unfinished business that you wish? Well, I think, you know, I mean, in government service you
always want to do more, right? I mean, it's always. There's never a time as a civil servant, there's never a more important time because you wake up every morning feeling like you're contributing to the greater good and that work is never done. And so, you know, whenever you walk out the doors for the last time of that particular job, there's always some sense of, oh, you know, there's so much to do and so much you want to do and tremendous gratitude for the opportunity to serve.
So lots of stuff, no regrets, just a lot of work to be done and, you know, you wish you could just continue to do it forever. Well said.
That was perfectly said, actually. So let's talk workforce. And you brought up neurodiversity, which is a passion issue of mine, because I do feel there's so much talent that is not being pulled into the fight. You see the numbers, the deficit is staggering. But doing the same thing as we always do is not necessarily going to get
us over the goal line. Let's maybe start with that. If you were to sort of look at the workforce deficit and where we are as a country, not only in government, but also in industry, how can we think about this a little differently?
Well, I think you and I have talked about this. I sort of believe that every role has a cyber component to it. So when we talk about the cyber workforce gap, I understand what that means, but I really think we all have this cyber responsibility. And so when we're thinking about cyber solutions and we're thinking about the actual positions, when we see cybersecurity, it's about building things, building solutions, building products, building
outcomes and problem solving. And when, if we understand and we agree that those are the two critical elements to cybersecurity, then we appreciate that the most effective way we do this is by diversity of thinking, bringing in sociologists, psychologists, economists, politicians, you know, kind of thinking through all of this. And so really trying to attract more than just individuals with aptitudes in math and science like you. I have a real passion
for neurodiversity. Because I think we as a nation will be so much better if we create inclusive workforces that represent and acknowledge and honor the aptitudes of individuals that we may not define as being in a band that we see as, you know,
quote, typical. And I think when we appreciate I sit on an advisory board for a company that has a workforce that's 50% neurodiverse, that are developing AI algorithms that are outpacing other workforces because there's an aptitude there that we really have to honor and elevate. And I think that's true for all, you know, for all skills and
aptitudes. We know that individuals who are hard of seeing have tremendous hearing. We know that individuals who are hard of hearing can see things that the typical eye doesn't see. So we just have to build out our band of really appreciating and attracting and really engaging individuals who have diversity of thinking. And very well said. And I
mean, if you go back to World War II, I think it was largely neurodiverse individuals who won the Great War, those behind some of the most sophisticated cryptologists, cryptographers and the like that cracked the Enigma code and so much more. And I just feel like there's more we can do. And what are some other thoughts around sort
of building up the workforce? Because I don't think it's purely a numbers game and I think you're very right by highlighting you don't only need sort of the cyber Delta force that are very sophisticated in terms of their capabilities around zeros, ones and the like. But everyone has a cyber responsibility today. Everyone pretty much nothing doesn't run exactly one way or another. And being cyber aware is so important. But I'd be
curious what some of your thoughts are. Well, I think it's bringing it into curriculum,
bringing cybersecurity into the curriculum at a young age. I mean, we've talked about K through 12 engaging. You know, when a first grader gets an iPad, they should be understanding what does it mean to be cybersecure. They can develop an interest in that. You know, we know that young kids tend to want to be what is in their life, a construction worker, a doctor, a teacher. And so if we look at that, then we're also looking at high school, bringing this into vocational schools, to community
colleges. There's also been some really thoughtful, there have been some really thoughtful proposals about non degree work in cybersecurity, I think. And I want to pull that thread too. Yeah, the things that you see are that there's so much technology out there that people will just generate an interest on their own in this and they develop this
capability and this aptitude. And I think we have to just be able to identify that you don't necessarily need a degree that aligns with an aptitude in order for
you to have an opportunity in the workforce. And more and more, if we're looking at really going into communities that typically don't have access, being able to provide this workforce opportunity, we have to flex out to really be engaging and again be inclusive and really expand our definition on what qualifications mean and what it means to be qualified for a role. You know, Auburn University is a land grant university and started
around agriculture and we have a responsibility throughout the state, especially in communities of need around agriculture. If you were to build land grants today in addition to agriculture, which is essential to our well being and public health safety and our economy, probably come up with cyber, it would be top of list of what a new land grant would look like if we were to establish those today. Sounds like you have a
new policy you're building. I think we're slowly building that policy and we have a
responsibility to the communities, especially in some of the more poor communities and communities of need that I think we have an opportunity to not only bring about new job opportunities, but also truth is, everyone is cyber vulnerable. So what about gamification? Have you looked into that? Because I'm going to put another pet rock on the table here. I am a trustee at the Alabama School for Cyber Technology and Engineering, first magnet
school focused on cyber. The applied side is what attracts most of these kids. It's not sitting behind a computer and just the zeros and ones. It's actually seeing the fruit of their work and actually getting involved. Any thoughts there around gamification? Well, I
think that's human nature. There are people who do enjoy seeing sitting in front of the computer and being able to do it. But generally we like to see the application of this in ways that can engage. And so I absolutely think it's another tool for again creating an inclusive workforce and also going into underserved communities, going into communities that don't always have the resources for kids to see, hey, I have an
interest here, I have an aptitude here. I can take something that is critical. I understand it. I think it helps to build self esteem. What we're looking at is how do we increase the ability for individuals from all walks of life to have work, to see an opportunity to contribute to a greater good. And in fact, I mean in many ways, you know, cybersecurity is this great equalizer because it really doesn't actually differentiate the. We each have an ability. I am not a real technical person,
but I can. There are parts of cyber that I really align with, and I think that, you know, some people will just take different pieces of it. It's such a diverse field. I mean, we often talk about the language in cybersecurity, and this term, cybersecurity has become a little heavy, and it's jargon, but there's a reason for that. It's because it's so inclusive. It really means so much. And if you think about that from a positive side, it means that just about everybody can have an
opportunity within this field. And do you think that that's permeating and translating across? I
do remember when I first served in the White House, cyber was this black magic, and we know the characters that played that. But I do think now you have cabinet members, you've got agency heads who sort of grew up around the technology and a little more aware, if not savvy. And I would argue they are more savvy. But do you think that that's permeating? I do, because I think cyber is so
much more part of what we're doing, and we are able to see it more as a tool than. To your point. I mean, there was a period of time where those who knew it kind of took that, you know, elusiveness as a. Exactly. It's like, well, you won't understand this. And it's like, probably not. But I think now, you know, as we simplify it, as we demystify it, you know, all these words that are now used to align, but it is seen as a tool across
anything. I mean, you talk about agriculture, there are, you know, huge opportunities for how we're able to bring this technology into creating efficiencies in agriculture, into farming. I think, you know, we see that this cuts across every part of our lives, as with everything, we need to do this deliberately and thoughtfully. But to your point, I do think it is permeating. Great, great. And I feel that. But it's more anecdotal than
empirical. But I'm sure that there is some empirical data that would make that case. What about women? The numbers, I think, are staggeringly low. And I do feel that there is opportunity to attract more smart women into the field, that you shouldn't be the exception, you should be the rule for all of this. Why do you think we struggle there? Well, I think that it's more legacy and historical as far as
the national security space, you know, we have these things do not change overnight. And so if we look at these issues that, you know, sort of born, were able to, you know, nurture cybersecurity through the years, it is national security, counterterrorism, homeland security fields where there were typically a lot of men. But I think that it's so important then when we look at, you know, the workforce that we want to build,
we don't focus on a gender, on a trait, on a demographic. It's really, how do we bring everybody into this? Because I think we can probably. To your point about empirical analysis, you know, there's probably, there are deficits across lots of different demographic traits, different, you know, I think qualifications. But our goal should be how are we ensuring that we're making this an inclusive space and really attracting all types of people,
because that is really what's going to benefit the space toward innovation. Toward progress and
upskilling veterans. Is that something that you've been, and I know CISA was supporting efforts along these lines. I think that's another pool of very talented with real world experience. Maybe not the way we would define it in a textbook, but more importantly, the way it actually has impact in the, in the real world. Absolutely. Yeah, absolutely. And
I think there are a lot of good efforts that are out there. We can always be doing more. But again, it's how do we make this space look accessible and be accessible to talented people? I mean, to your point, veterans have such a broad, diverse depth of experience in fields that we absolutely need to be bringing into our commercial industry, government workspace and having the programs that reskill, upskill, and even, you know, older people. We see in our markets as people get pushed out for age,
for other reasons, experience, for aptitudes in technology. We have an opportunity. It's another segment of the workforce that we can bring. But certainly, you know, our ability to serve our veterans is so critical. And obviously, I think we have, you know, not done the work that we could do. But this is an opportunity to be able to engage from a workforce development. Not only the right thing, but the smart thing too.
And it expands. I'd be curious in terms of volunteer organizations and for transparency. You played a key role in a recent report we did looking at priorities for the incoming administration and weighed in heavily on some of these concepts. So curious if you'd be or would appreciate you sharing some of that with our listeners and viewers. So one of the things, when I first started working on this 2016, I
ran President Obama's Commission on Cybersecurity. And at the time there was an effort to create a national reserve for cybersecurity so it would mobilize forces at the local level. It didn't really take off in different ways, but we've started to see this build.
And in my current role, been working very closely with Craig Newmark Philanthropies. And one of the things that he has done is really engage grant money and resources to organizations that are looking at recruiting volunteer workforces so that when something happens, you have a community that's able to be mobilized. And whether it's people whose day job is a CISO, a CIO, or they have an aptitude, it's sort of like their gig
interest and being able to engage them. Because the piece that we always have to remember is that a typical cyber event, regardless of how massive it seems and whatever national newspaper covers it, it starts in a community, it starts at the local level. And so being able to engage those individuals is critical. One of the things you asked earlier about accomplishments at CISA, I think one of the things that we
did really well was investing in our regional teams. They're modeled after the FEMA offices, but really creating leadership in cyber security advisors, physical security advisors, so that when something happens, we have a team from the federal government, with FBI, with others that can go right to the location and mobilize quick resources. There's a lot more happening there. There are now election security advisors which are helping with certainly creating safe and secure
elections. But I think it's a really important element of how the federal government can connect to the community level and have a team there ready to help the community.
And I can tell you from personal experience that the regional CISA officer representing Auburn, Alabama is very active, including Auburn, Alabama, very active in our work, and she's doing some phenomenal work. So, you know, when I look at volunteer opportunities, every once in a while we can pull some good ideas from other countries. And have you spent any time in Estonia by any chance? I have not. So they have a pretty
unique Cyber Reserve Corps. And keep in mind, there tends to be countries that are very strong in cyber, have lots of experience. You've got Estonia, you've got Israel, you've got Singapore. They all have live in arguably tough neighborhoods and lots of scar tissue and experience. But there is a model there that I think is worth looking
at. The Cyber Reserve Corps that they stood up. But I think your bigger point is I think we tend to forget and you and I spent a lot of time thinking through the initial homeland security work that the US Government stood up and same sort of sets of questions. Right. It, it can't be one from D.C. right. At the end of the day, the first to arrive and the last to leave are going to be local. Yes. And, and when I look at state, local, tribal
and territorial, I think there's, there's more that needs to be done there. And, and, and supporting that I think should be priority one, two and three. Yeah. So that also brings up. So you also were a founder of the Cyber Readiness Institute, which was really bringing capabilities to small and medium sized business. Just like SLTT, small and medium sized business. They assume the same risk as the Fortune 100 do, but don't
have the resources that Fortune 100 firms do. What are some of your thoughts there around supply chain and then more generally? Well, it's so critical. I mean, so the
commission, we had eight issues given to us by President Obama and one of them was small and medium sized businesses. And it was a very, we started in March and we ended presenting the report to him in December. So it was nine months. And when we finished, two of the commissioners, the CEO of MasterCard at the time, Ajay Banga, and the retired CEO, the vice chair of the commission, Sam Palmisano at the time, we came together to say what more can we do with this commission?
Because it was a very active group. It's sort of like the groups always that
you lead, you get to, you engage everybody and with them. And the CEO of Microsoft at the time, because the head of research was on the commission and the former Secretary of Commerce, Penny Pritzker, came together to say, let's create a nonprofit that helps and supports small businesses not by recommending technologies that they have to procure, but really getting to this place of what's the role of humans and people in
cybersecurity. So the premise of the recommendations and of the program is all based on human behavior. It's educating on doing multi factor authentication, a strong password, software updates, not falling victim to phishing emails. So it really looked at you as a small business. If you can do these basics, if you can educate your, your business on these
pieces, you can create a base level of cybersecurity. Because one of the things. So we started this in 2017 and then a couple years later with, with COVID we saw how everything went digital and supply chains. We had a member who's a Fortune 100 manufacturing company that at one point had a real challenge because one of their small businesses got hit by ransomware and it was in their supply chain, in their assembly line. And I think that we have to appreciate that if you are a
large company, you could be doing everything to keep yourself secure. But if you're not making your ecosystem secure, then you're creating tremendous, then there are vulnerabilities. And how do we have greater visibility into supply chain is important. But really helping and providing resources to small businesses, this is where I think the information sharing and analysis centers, the ISACs, these sector organizations, can help by sharing resources and by becoming more collaborative. I
think they're doing a great job. But there's always opportunity to really raise the level for small businesses because we can't function, our sectors don't function without the security and safety and operationalism of small businesses. And small and medium sized businesses don't always have
a seat at the ISACs, understandably because they don't have the time and the bandwidth and the resources necessarily. So one of the big findings of the first National Cyber Strategy that Chris Inglis laid out is shifting some of the burden to those that can handle it better. Whether it was the big cloud providers or the Microsofts or the AWS's, or you name the big firms, what more do you think can be done there? Because at the end of the day, I don't think it's the Fortune
100. They're putting the resources out there and they're actually putting their money where their mouth is. They're spending. But how do we get to the point where we can get small and medium? They're on the front lines. And ransomware has truly democratized the risk. It's not just the People's Republic of China and the Communist Party of China or Russia or Iran. It's anyone trying to take advantage. What's a business model? I
mean, that's the challenge. And you got to disrupt that business model, right? Yeah, well, absolutely. I don't want to lead the way. Okay, well, and I remember it was several years ago. There was, I think it was a 60 Minutes show. It was on ransomware and it talked about a community in Arkansas. It was a local government that had a ransom attack. And they asked for $50,000 and the community said, we can afford 8,000. And they were like, okay, that's fine. I mean, we have to
remember that ransomware is a business model. And so what are we doing then to help mitigate that model? We know that there are basic things to prevent ransomware. Similarly with cyber hygiene. Right. When we find out that and, you know, going back a couple years to Colonial Pipeline, when we find out that major infrastructure is vulnerable because of a lack of multi factor authentication or the basics, how can we get this
into the culture? So there is the piece about the responsibility to industry which I very much agree with. You know, going back and really getting at the source of the problem, creating secure software, creating secure hardware, then we're in a place where how do we create a culture of safety and security so that consumers, and whether that's an entity that's procuring services or just a consumer like you and me, starts to
use security and safety as a differentiator for purchase. You know, if we start to look at cybersecurity as an element of what's important to us, it obviously can't be framed quite as that because to our point about language, it doesn't grab us. But it's like how can we get to that energy label type issue where we start to understand how secure is this entity? And it's not that they all need to be at a certain level, but it's what's my risk appetite for this type of
product for this company. If I see that they haven't done what they should be doing, how much do I want it versus another company that's put more forward? So I think it's that balance and. Trust Mark and some of the labeling. Any, any
thoughts there? Well, I do. I mean we actually talked about labeling in the commission
in 2016. I do think there's an opportunity because. I think labeling is push this
heavy in Solarium too. Yeah, because there's also an education in labeling. Right. The reason
why we as a nation understand what saturated fats are, are not because we all have this like you know, private interest in nutrition. It's because we've all come to socialize nutrition labels and we know how to read them to be how am I evaluating sodium and carbohydrates. And you know, it doesn't mean I'm not going to have the chocolate cake. I'm just going to know what I'm getting. And so I do think because I see nutrition labels not just as a security piece, but I
see it very much as an education piece. It's an opportunity for us to reach a lot of people. And again, Singapore has been forward leaning in some of these
efforts and it's work. Granted, I mentioned countries that are much smaller, they're smaller than the United States, but they're models to build on. And that's a perfect sort of segue into human behavior, I mean, all things said and done, technology changes, human nature remains consistent. Also, even from an adversarial, a red blue perspective, there's someone behind the clickety clack of the keyboard, or at least someone initiating automated attacks behind the clickety
clack of the keyboard. How do we get to the point? And I think we need to hit a tipping point, but I'm not sure I fully understand this. But at Wondros, you're doing some good work to be able to make change in communities. And I'd be curious, we kind of know what we need to do. How do we get to the point where we do it? Yeah, well, it's about understanding people.
And so we talk about human centered design at Wondros, which is very much. It's not just sort of researching people, but it's actually talking to people and understanding what are their blocks around certain things. So we've done work in healthcare, Wondros has in issues around addiction, around mental health. And I'd love to hear more about that because
I think that has pertinence. It all weaves together around poverty, but certainly healthcare. And
now we're doing a lot of work in cybersecurity and AI. And we launched this campaign a little over a month ago for Craig Newmark Philanthropies called the Take 9 Campaign. And that came about because our researchers were really talking to people, both CISOs, CIOs, but also everyday people, organizations, and what we've learned, and we know this intuitively, but how do you translate it is right now the greatest challenge in cybersecurity. Why
so many people are falling victim to it is urgency. It's that sense of, you've got to do this now at the most senior levels of companies and just as pedestrians, I think, you know, each of us knows somebody, if not ourselves, who has received a call and it's that, that urgency. But we're losing so much money in our economy around cybersecurity. So the point is to come up with a way as we understand what people's fears are or what they see as opportunities, engage communities through
that, and then we can help to build out, educate, empower. I think one of the key pieces in cybersecurity right now is how do we help individuals appreciate that it's not beyond their control, that they can actually change something from a reaction to a response. We react to something quickly, but we can respond thoughtfully. And as we look at building out communities and ensuring that we're creating a culture of security, Craig
Newmark calls this a community of cyber civil defenders. What is each of our roles? What is our accountability and responsibility to help make our nation more secure when it comes to cybersecurity, as you said, it affects all of us. Awesome. And can you
maybe paint a picture on some of the previous campaigns and how you think that that may apply? Yeah. So we, Wondros, worked on the Stand up for Cancer campaign.
How do you engage people to understand how it's impacting everybody in an effort to both educate, inform, and then to create resources? We're working on poverty issues, on how to help educate on what's happening in poverty, and then to engage on mental health. We're starting. We've done some work with fentanyl, and we're doing an addiction campaign, but with fentanyl, a nonprofit called Song for Charlie, which was started by a couple who
lost their son. And when we see. And it was just in some of the campaign discussions around how fentanyl is really impacting everybody in some way. One, you know, first degree or second degree? I think, you know, a couple years ago, Secretary Mayorkas talked about fentanyl as one of the most challenging national security crises that we have. But I think the. The most representative campaign that Wondros has worked on is with
the National Institutes of Health, the All of Us Research Program. It started seven years ago. The objective was to ensure demographic representation for clinical trials by engaging a million people across the country. And right now, we've got over 800. That's a serious end. It's a serious piece. And so right now, we've got over 800,000 individuals representing all congressional districts. But it's what they've done with that research. They've created over 100,000 genome
sequences. They're coming up with treatments and therapies for rare diseases. It's this appreciation that if we can engage more people in healthcare research, then we will do more to further healthcare research and how critical that is. And when I think about it, each
one of these items is, I don't want to say epidemic phase, but each one affects everyone in one way or another. And it's actually trying to induce some changes in behavior. Right. Because I think most of us know what we need to do on the cyber side, getting it done. And if I'm being honest, it's hard in my own household. Well, my daughter will laugh at me. She's like, you do this
for a living when I have something wrong with my phone. Exactly. Yeah, exactly. It's not natural, but I think it's this. How do we make this human so everybody understands that they're a part of it? One of the things in our research on the cyber campaign was the shame that's involved, which is fascinating. When people have been
a victim of something, they don't want to talk about it. Interesting. But when you talk about it and you share it and you appreciate that you're not alone and that there's more there, you create this massive community of support, but importantly of agency of empowerment, where people are like, okay, we've got to stop this. You go from being a victim to being an actor, and creating more of an activist culture in cybersecurity, as well as some of these other issues, really helps to turn the tide
and to create change. Well, that's awesome. And translating that into action is. It'll take
us a long way. And I think part of that really does step back to K through 12, where you're not coming into this issue, thinking about it for the first time at higher ed. Of course, we love higher ed and cyber, but it needs to go broader and more deeply and ultimately cause people to act. Kiersten, what questions didn't I ask that I should have? Ooh, that's a tough question. You know,
I think it might be a little bit sort of current, you know, flavor of the day, but it's, you know, what do we want in the next administration? I think one of the things that you led so well with the report, the transition report, is the nonpartisan nature of cybersecurity. And I think the most important piece is that we have to ensure continuity. We've had great work from several administrations going back to back in cybersecurity that we have to build off of. The continued good work
to really look at these problems. And they're getting more complex with nation state threats. These are getting more challenging, they're getting more urgent. And the importance of working together across the aisle, but just working across sectors, really across communities, has never been more critical. And that's what we have to lead with that right now. Couldn't have said
that better if I tried. I mean, the reality is these are issues that require. It's not likely a good thing. It's a must to ensure that they transcend parties, because these are issues that affect every American. Kiersten, thank you for continuing to fight the good fight. Thank you for joining us today and thank you for continuing to be a bright light to move things into the future. Wondros is lucky to have you on board and thrilled to have you as a senior fellow. Thank you for
your leadership. Thanks, Frank. Thank you for joining us for this episode of CyberFocus. If
you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.