Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and I have the privilege to sit down today with Steve Kelly. Steve serves as the Chief Trust Officer at the Institute for Security and Technology. He came to that role from the National Security Council, where he was a special assistant to the President, and if I'm not mistaken, it was his second tour of duty at the NSC. He came into that position as a longtime FBI agent and member of the Cyber team. Steve, pleasure to have you join us today.

Frank, thanks for having me. It's a pleasure.

No, it's great. And you and I have known each other a while, and I forgot to mention, you're a senior fellow of ours as well, so it's always good to bring family into the discussion. But I thought we could start with, because it's a primary focus of your role at IST and some of your previous work as well, looking at emerging technology trends and generally this ever-expanding attack surface, whether through the Internet of Things or the industrial Internet of Things. Why don't you paint us the landscape there to start, Steve?

Sure. The trend of increased attack surface is all across the board, from within our homes with connected devices, doorbells and home automation and everything in between, automobiles and such, to even the critical infrastructure side of things with the administration's clean energy agenda. That's creating a lot of what are called inverter-based resources out there in the field, devices like a home solar array that then has to convert from direct current to what a house would use, and batteries to store it. And there's a lot of automation within those sorts of systems. And then as those get connected to the grid, there's an additional connection point. And so the old model of what critical infrastructure looks like is changing rapidly, where instead of having a couple of large power plants connected to a distribution system connected to homes, now you've got smart meters, you've got home solar, you've got wind farms large and small. And all of these things are connected; they're connected to the Internet. And then of course the power is connecting. And so it creates an opportunity for bad actors to take advantage of these systems, to perturb the signaling and to disrupt as well. So all of this new stuff has to be protected. And so it's a category of equipment that one might call the industrial Internet of Things. And then of course, on the consumer side of things, there's lots that can be done there.
All of this has to be protected. Otherwise, we're taking a situation where we have lots of cyber vulnerabilities out there and then we're adding a zero to the end of it, or two of them, or multiple.

Yeah, because there's just so much out there to protect, and I feel like we're behind the power curve even in protecting what we have. And Steve, I think this requires a rethink of some of the traditional models in terms of endpoint security and IT/OT as being completely separate physical and cyber domains. That's all kind of converging, isn't it?

No, it's very difficult. In the old days, one would have literally an air-gapped network. So you've got critical...

What does air gapping look like today?

Well, yeah, so air gap means, for those that don't track this, that there's nothing connecting this to this. You have air in between. And so in the old days, you used to have a computer network within your office and it didn't connect anywhere, because the public Internet didn't exist, perhaps. And then, of course, in the US Government and in other governments, you've got your highly sensitive and classified networks. These are entirely separate systems that are in large part disconnected from the outside world so that they can be more easily secured. Well, that's very difficult to do in a scenario where you've got all of these distributed assets that are connected through the cloud to wherever it is they need to be connected. And so there is no perimeter.

Yeah. What does the perimeter look like in the era of software-defined networking?

And so I think there's a need to fundamentally rethink network architecture from a security standpoint so that we do not have vulnerable assets connected to the public Internet that can be found by bad actors. There are lots of ways to do it. There's a program called Shodan where you can search for the types of devices out there, but if it's discoverable, it will be exploited. And so we've got to figure out a way, pulling from Harry Potter, to throw the invisibility cloak over the assets that we do not want found or exploited, because if they are found, they will be.

And I think it's hard to differentiate hardware from software these days as well, isn't it? Because all hardware is kind of driven by software, no?

Yeah, absolutely. And that reminds me of a program that the White House had rolled out not too long ago, and then the Federal Communications Commission just had a unanimous vote about a month ago affirming a new rule that would create a security label for Internet of Things devices. And so this is the U.S. Cyber Trust Mark. And it's intended to be something of a Good Housekeeping seal of approval for consumer network-connected devices, which will help consumers to be able to identify products that are more secure than others. And inside of a program like that, you have to recognize that there's hardware and software, and really the software security is where it's at. That's where a lot of work needs to be done. And of course, there are also default configurations. There's also understanding, in a product, what does it do, what sensors does it have, what kind of data is it collecting. So there's a little bit of a privacy side to it as well. But part of this is just transparency, what's under the hood, and making sure that the products are safe and secure by design and they're being shipped safe and secure by default. And so little things like, let's not have a default password. Instead, every device shipping in the box has a unique password. That helps a lot.

And I think it's fair to say you put a lot of blood, sweat and tears into that particular effort, getting the Trust Mark over the goal line. Where do we see it going from here, and what sort of impact could it have? I know Singapore and some other countries have done some interesting work around this, but what's your thinking?

Right. It's a big, meaty topic. And yes, Singapore has come out with their labeling scheme. Other countries are looking at this as well. This is a topic that's been batted around a bit in the US Government for years. We've talked about it, but you and Anne and others got it over the goal...

Anne Neuberger got it over the goal line.

So. And it's hard to actually put a finger on when the conversation started. But certainly during the Cyberspace Solarium Commission proceedings, which was a congressionally created commission that had members of Congress, executive branch executives, and commissioners designated from the private sector and civil society as well, coming together and thinking forward on what the nation's posture should be and what we can do to institute reforms, and then taking advantage of the fact that it was a congressionally connected committee to find legislative proposals that could get passed. This was a topic that came up in that context as well, which was, you know, connected device security, having some sort of a labeling scheme. The Biden administration took this up with the executive order on cybersecurity that was signed and issued early in the administration. This topic came up and tasked NIST to do some planning and some multi-stakeholder consultations to develop a publication on what would be a consumer baseline set of requirements for consumer IoT. And then moving forward, when I was in my last role on the NSC staff working for Deputy National Security Advisor Neuberger, we were trying to figure out who could be the champion of a program like this. And so we looked at some of the places one might expect, CISA, or, because some of the devices we care about are, as I mentioned earlier, a bit in the energy sector, maybe the Department of Energy could have a role. And we ended up... DNSA Neuberger ended up having some wonderful conversations with Federal Communications Commission Chairwoman Jessica Rosenworcel and that team to find out whether there were ways to leverage their authority, because these are all wireless-emanating devices and there's an aspect where the FCC could jump in, and they in fact did that.
So we partnered with them to share what we had done to get things launched, and then they took the baton from there, and we saw a draft rule come out, and of course the final rule came more recently. So they're taking it down the path. But there's also a bit of a grassroots effort to this. There are a number of organizations and companies that were interested in this anyway, companies that want to differentiate their products in the global marketplace as being trustworthy and secure.

The word trust continues to come up in these, in your title too.

Trust is the coin of the realm. If I'm on a large online retailing site, searching through, looking for whatever the device is, a web camera, a doorbell, it's mind-blowing how many options there are, and the manufacturer names, I've never heard of them. So how do I find the product I'm looking for that I can trust? And Carnegie Mellon has done some very interesting research around this, their CyLab, and they've done some work as well mocking up and creating a nutrition-facts-style label to help consumers understand what's in the box. And their research shows that consumers are very much willing to pay more for a secure technology product. And for some of these things that just aren't that expensive in the first place, very easily people are willing to pay 30% more, which is pretty significant, to get a product that they have some assurance is not creating a problem for them.

What do you think it means for legacy systems? Because what makes OT, in particular industrial control systems and the like, different is that many of them have been in the wild for a long time. They're not being manufactured today.

Well, that's a challenging environment. And yes, in the industrial context there are devices out there that are as old as the hills. You could have something that's been in place and operating for 10 or 20 years, and by modern standards it's not patchable. It's running old operating systems. And it's not so easy to just push a patch to it. You might break it; it might not work. And so really there is more than one way to skin that cat. There are ways to create compensating controls, as the term is used. And so one might put a device in between the unpatchable device and external networks to be able to manage some of the risks. So there's always more than one way to do it. But, you know, when possible, patch and maintain, or for equipment that is beyond its service life, swap stuff out. But it's not always possible. And it's hard to rip and replace in manufacturing and critical infrastructure. That's oftentimes the case where compensating controls are needed.

And it's hard sometimes for companies to even have visibility into their supply chains, including some of these devices that have been in operation for a long time. Take the energy sector: sometimes it would require a brownout to actually go in to change some of this. So it is a challenge. But I'm biased, because I was a commissioner on the Solarium Commission, as you know, and I was a big proponent of this. I had written this one off, and I'm thrilled, in large part because of good people in the NSC, notably Steve Kelly, making this a reality. But where do you think... what are next steps here? What impact could it really have?

Yeah, so I think a key point that I do want to circle back to... I don't want to get away yet from the consumer technology side of things, because it's a big market. And so what needs to happen next: the way that the program is built, it leverages organizations and efforts that are across the commercial sector. And so for instance, the Consumer Technology Association, not too far down the street, right across the river from here, has working groups and is developing approaches for running a labeling program that potentially might be licensed by the FCC under this regime. And they have a great foray into their stakeholder group of companies that are trying to bring their products forward. So what we need is more organizations to get involved. We need manufacturers, OEMs, to want to participate in the labeling program. And then as the US program gets legs and people start to see that green... I think there are multiple color versions; I'm not sure where they're landing exactly. When people start to see that logo, or if they're searching on Amazon for the product, perhaps the search results sort by default to the green shield items coming up, then that will help with the uptake. But we need participation. And then as the US program is on firm ground, it gives us the ability to shape globally as well. Because the idea is we want American products to be marketable and trusted on the global marketplace, as well as foreign products that are trustworthy to be acceptable here. And so we need some sort of reciprocity, which means we need to start iterating towards some common international standards around what right looks like. And the US isn't in the conversation if we don't have our own program, and we do now.
Roger that. And that is an exciting opportunity. And my gut tells me, disagree with me if I'm wrong, that especially where you're having investments in new technologies, whether it's clean energy or you name it, if you have an opportunity to shape it at its outset, it could have significant impact. And one of the challenges we're dealing with here is a lot of the onus, and the National Cyber Director in its National Cyber Strategy last year identified that we want to push it from the end user to entities that perhaps can shoulder the burden a little better. And I think that the individual, the end user, if they do have a check mark, may actually be more likely to turn to that.

Yeah. Oh, absolutely. If we're relying on the end user to unbox a device and go in and change a password and make whatever changes, it's not going to happen. That's not a winning solution. I'm interested to hear. There are so many leverage points within the ecosystem where we can implement broad, sweeping improvements. I was talking to a startup not too long ago that has partnered with one of the major US telecoms, where their security client is on all of that company's routers and it manages the risk of all of the home devices that are on the network, and it's got tailored profiles for the different kinds of devices. That's leverage. So if we can have more secure smart homes...

Yeah, if we can have more secure devices from the start, and then we can manage risk at the router level in the home, and then we can manage risk even higher up in the stack, we're going to make this environment quite inhospitable to bad actors. It's going to be hard to do what they're doing. With multi-factor authentication, just all this stuff, making it default, making it not optional, and making it...
Harder for the bad guys. Right. I mean, at the end of the day, we're talking about managing risk here. We're not going to prevent everything, everywhere, all the time, from every perpetrator and every modality of attack. But we can make their life a little more difficult. And I think that's moving in the direction we want to move in. Let's pivot a little bit to AI and sort of the big discussion: offense, defense, red, blue. I think historically we've always, or at least I've come from the school of thought that the initiative remains with the attacker, but applied right, AI, machine learning and other sorts of technologies can be incredible in enhancing the defender's role. What are your thoughts there at the meta level?

Well, that's a million-dollar question. And actually the pivot to AI is not hard, even from consumer technology. It's there. I just bought a new washer and dryer and I discovered that we've got AI in our dryer. It's like, is E.T. calling home? Do I need AI?

Well, apparently it'll... maybe it saves electricity.

Yeah, smart sense. Yeah. Fantastic. So, you know, the relevance of AI to cybersecurity and the impact on the offense-defense balance is the million-dollar question. It is interesting that those of us that have been in cybersecurity for a while have this general recognition that the advantage goes to the attacker. In the rest of human history, that's not the case. One would need a massive offensive force to overcome a smaller defensive force because of the natural advantage of moats and walls that you've got to overcome. It is interesting. And the idea that the attacker only needs to be right once and the defender has to be perfect all the time. I think that was Maggie Thatcher who said the bad guys only have to be right once, the good guys all the time.
I think that's certainly been our experience in watching everything from state-sponsored espionage operations to certainly the scourge of ransomware, which is affecting us today. It almost feels, in a disheartening way, that it's a losing battle. And how do we get past it? AI? I've heard people argue on both sides of that, whether AI is going to amplify the attacker's advantage or whether this is an inflection point, whether this is an opportunity to turn the tables. And I'll credit friends and colleagues of mine at Google. We were having a conversation around this and they shared some of their thoughts and their framing around it, and it was really compelling to me. And so I'll borrow liberally from some of the thinking, because it solidified in my mind as well. You know, one of the challenges in the network defense realm is this kind of data deluge that the average network defender is experiencing. There's just more telemetry, more signaling, more alerts, more events than can possibly be looked at and interpreted and actioned. And it's just this... we are...

Alert fatigue.

Yeah, yeah. If you're always on alert, you're never on alert. And then it creates these additional consequences of just wearing out the human, and it's not sustainable. So is it possible that AI can help to turn the data dilemma, the defender's dilemma, into an opportunity, the data advantage? Because nobody knows the inside of the network better than, well, hopefully, the defender. And in terms of the observables of what normal looks like and what traffic and activity should be authorized, that is something that the defender has the advantage on. Then how do we turn AI into the difference maker in understanding and sensing at machine speed, with the most advanced logic, what's happening and what's normal and what's not normal, and doing automated... Some of this has been happening for years, but we can take it to the next level with automation and orchestration of defensive actions 24 hours a day, seven days a week, at a scale that humans can't possibly keep up with. And that's an incredible opportunity. And then that has the opportunity as well to better leverage the human, to allow the human defender to do things that the human is better at: judgment, ethics. Hopefully it goes both ways, and maybe it improves their quality of life; maybe they don't get burned out so quickly. We've got a burnout problem within cybersecurity, and in some cases we don't have enough people to go around. So I think this is a leverage point that could really help. How do we realize the full potential of that? Is it organization by organization? Are there some ideas for best practices? Do we need to mobilize in some way and have an AI cyber defense coalition idea where we share ideas and we rally? Because it's not just about... well, I want my organization to be, say... I want everybody to be able to take advantage of some of these approaches. I don't know. But that's an interesting area to explore, which is how do we make sure that what I just said becomes reality going forward.

And not to move from the AI discussion, but given your background in the FBI and given the hard work you've done for years, is law enforcement tapping AI's benefits in as aggressive a way as you think it ought to?

That's a great question.
It's a controversial one as well. So I would suspect that the law enforcement community, and perhaps the intelligence community as well, in terms of using those types of capabilities to better interpret the intelligence that's been collected or the law enforcement evidence... I think there are some opportunities there, but I think that the movement would be steady and intentional to make sure that the community is not overstepping and creating other issues in terms of privacy concerns.

Privacy concerns.

Staying, for instance, within the context of law enforcement, when you're collecting information under a search warrant, there's a scope of what it is that you can look at and what you can use it for. And so, even when you seize a computer from a suspect, sure, on a fraud case, and you give it to your forensics lab and they plug it up and they do all their stuff, and then the investigator begins to use search terms to look for whatever they're looking for, there are things you can be looking for, and there are paths that actually are not within the scope of the warrant. So one would need to be very careful in terms of using highly capable tools that might be finding things that are not within the scope of your warrant. But we'll have to see. I don't actually know where things stand right now on that topic, but I would urge a little bit of caution there.

Good set of points. And quite honestly, we're all grappling with this particular issue; society's grappling with this particular issue. But I can promise you the bad guys aren't thinking about that.

Well, that's... and maybe that's another part of the defender's dilemma. We on this side play by the law, are constrained by the rules and the laws, the Abuse Act, mission authorities, oversight, and you're right, the attacker's not. They've got none of that. There are no boundaries. They just do their thing. In fact, they seek... they seem to be able to exploit...

Oh, absolutely. So sticking sort of with that broader law enforcement theme, going outside maybe the AI discussion, there have been some successful operations clawing back ransoms, taking down ransomware providers, seizing websites. I don't mean to be pejorative here, but we need to scale that. I want to see more of this. There's some really interesting creativity that we're starting to see coming out of the Department of Justice, out of the FBI, out of the Secret Service, out of other law enforcement agencies. But I still feel like it's onesies and twosies sets of issues. So how do we scale that? And paint the picture. We've had other agencies and guests talk through what a day in the life looks like at some of these agencies. What does it look like from the FBI cyber perspective?

Well, just for clarity for the audience, I'm no longer with the FBI. I retired as an FBI agent back at the end of last year. But my experience is still...

Then you can speak your mind a little bit.

But yes, I'm not an official spokesperson. There's been kind of a nice evolutionary arc of how law enforcement authorities are considered and how we take on cyber threats. Traditionally, US law enforcement would stay within the boundaries of the US, working cooperatively with other countries through liaison and joint investigation. The Bureau did get its legats, which is good. So it's very important that we have cyber...

Right.
The way that the US refers to it, the legal attachés in an embassy, is an FBI office. And so they're there for relationship building, joint efforts, liaison with foreign police and intelligence services. And that pays massive dividends in advancing DOJ's and FBI's and Secret Service's missions overseas, and also serves as a conduit for needs that those countries have back here at home in terms of evidence and such. And then, sort of separate and apart from that, one of the problems in cyber investigations is that you've got computers that are all over the world that are infected by malware or being used by the bad actors. And sometimes we don't even know where those are, depending on what kind of obfuscation networks are being used. And there might be a need to deal with some of those things. And so, as an example, and this is not restricted to the cybercrime space...
We've actually seen some of these authorities used in some Chinese espionage investigations as well, where in the course of the investigation, the malware in question, in one case it was a Microsoft Exchange server issue, and working cooperatively with Microsoft, most of the servers out there in the world that needed to be patched had been patched. But then there's this inconvenient leftover group of computers that the bad actors are still using. They're still vulnerable, and there might be something that needs to be done. And so we've begun to see, and this from my recollection started in 2011 with the Coreflood botnet takedown, where it was just this intractable problem, and the Justice Department and the FBI used a clever piecing together, a Frankensteining of some authorities, temporary restraining orders and civil actions, to actually decide to issue a sleep command to the malware that was on, I can't remember how many of them, a million or two infected hosts, and basically turn it off, turn off the botnet, helping victims. All of these infected hosts, these are victims out there. That was pretty forward-leaning. And more recently the committee within the judicial branch that manages the Federal Rules of Criminal Procedure updated Rule 41, which is the rule that governs how criminal search warrants are managed, so that a judge in a district can sign an order to allow for a remote search and seizure operation across any and all districts within the United States. Of course, there needs to be jurisdiction in that district as well. And so more recently, similar operations, where the FBI would issue some sort of a command to turn off and perhaps in some cases to identify the victims so that we can help them, have been executed. And there are other examples where the FBI and foreign partners have also taken over ransomware infrastructure. The LockBit takedown more recently is an example of that. And it's an all-tools approach. In some cases you're using human sources to get into some of these trust groups to get admin credentials for whatever it is, the server, the system, the panel, and maybe infiltrate an undercover officer into it, or maybe some sort of other operation. So we're seeing much more clever and creative use of law enforcement authorities to be able to go after some of these issues. And one of the theories, and I'm a non-lawyer maybe speaking about some things that are sort of quasi-legal, is this concept, and it's an interpretation as well that is in an Office of Legal Counsel opinion from the Justice Department, that the authority to investigate violations of the US Code, so crime, inherently includes the authority to prevent said crimes. So law enforcement doesn't only have to sit around and wait for it to happen and watch it happen; in some cases, if they have an opportunity to prevent it from happening, I think crime victims or prospective crime victims would expect that to happen. And so there are examples of that, the Hive ransomware example, where law enforcement had infiltrated the system that the bad actors used to manage their business process.
And we're extracting and generating decryption keys and sharing them secretly with. And so like, that's the kind of thing that helps victims and also denies the bad actors the ransom payments that they would have otherwise gotten. So we've got to find ways to interrupt their business cycle. And whether it's taking their money, whether it's taking their infrastructure,
seizing their domain names, whether it's turning off their malware. And of course, we want to arrest the actors and put them on a Gulfstream jet and bring them back to. The US where we have extradition. Yeah, yeah, exactly. And so it's an all tools approach. And then maybe taking it even a step further, the cybercrime problem in the national cybersecurity strategy, the president called out that it has now risen to the level of a national security threat. So no longer is it just this penny ante
irritant. It is now kind of identified as to the scope and scale when you see ransomware actors interrupting the function of major hospital groups. That's a national security public
safety issue. I think the gloves need to come off. And, you know, to the extent that maybe some other authorities from other agencies come into play, intelligence authorities, military authorities, I think the American people should expect that if we have an opportunity to prevent whoever the actor is from taking a hospital offline, that we would absolutely do that. So a little bit more of a thinking of kind of channeling the energy
from the global war on terrorism. How do we bring that FBI to. The rancher,
refocused and re energized some of its efforts from what some would say reactive to more proactive or at least preventative. And I do think we're starting to see inklings of that coming into play vis a vis cybercrime. Well, but you, but you asked
the. Question, how do we, how do we scale? We need more. Yes, but. And that, and that was kind of a key feature of the global war on terrorism is we are constantly, every day, all over the world, contesting synced operations, you know, taking people off the battlefield, denying areas, dealing with the money, just every possible piece of that ecosystem. And having them look over their shoulders. Less time to fall. They see a little shadow on the ground waiting for the. Yeah, yep, we need, we
need to scale to that level and we're not there yet. And I think that there's been a lot of efforts around this kind of public private operational collaboration concept where how do you take the insights that the private sector has because of they're managing the network. Cloud providers have unbelievable visibility into what's happening. The telcos, the cybersecurity firms, the endpoint, the companies that basically just have, have a, have a global view.
They're sitting on unbelievable information and then can tip and cue law enforcement operations. There's actions they can take that the government would have a very difficult time taking. How do we kind of mesh these things to deny bad actors the ability to do what they're doing? And it requires, and we haven't quite gotten there yet. I think we've seen examples of where it worked, but it almost feels like every time we
do it, we're reinventing it. And maybe it's a little bit personality based because, you know, these five people work well together because it's all about. A trust network and
a team. Yeah. And the bad guys rely on that same trust. Right. So if we could erode and undermine. That, that, well, that, that kind of gets into also
the kind of the old tools approach. Yep. And so going after them doesn't always mean seizing infrastructure, taking money and arresting them. It could be, how do we, how do we sow mistrust, how do we undermine their trust network? Because it, you know, in order for our cooperative efforts to work, in order for us to have this
conversation here, I have to trust you. Exactly. Otherwise it won't be happening. And as well, on their side, there's criminal forums where you have to be vouched in or you have to be double vouched in or you have to prove your bona fides. And if you can undermine that trust network, and they're looking over their shoulders and they're wondering who ratted them out, you know, that that gets in the way of their business network because this is no longer. Well, it has. It's been a long
time since it ever was. There's a lot of specialization in the cybercrime market and, and actors need the services of each other. And so there's very few actors that can do all the pieces of the scam exactly by themselves. And so if they can't trust essentially their supply chain, then they're going to have a hard time doing business. And we still have the challenge of dealing with safe havens and being able
to get our arms around that. But I think one big differentiator with the global war on terrorism in cyber is the private sector is at the front lines of all this. They're the target, they're the victim. And I think figuring out how to genuinely scale JCDC at CISA, scale public-private partnerships with not only federal law enforcement, but also state, local, tribal, territorial, that was a big piece of looking at defending
our homeland is state and local law enforcement in particular. Lots of eyes that could be part of the solution set. But I do think we have a ways to go and then obviously syncing up with all the national security tools that can be a little more forward facing and hopefully forward leaning. But we're not there yet. We're still. And maybe it's a good thing. Maybe we want to get this just right, but hopefully we do get to that point. And I think FBI plays a critical
role in all this. Yes. Oh, absolutely. Yes. And I think that the state and
locals, one advantage they have is, is kind of trust in the community. Trust in the community. And covering and covering the domestic surface. FBI and Secret Service combined have lots of field offices and smaller kind of satellite resident agencies, hundreds of them. But still there's parts of the country that there are no feds around. And so we do need to have capable state and local agencies that are able to work, you
know, with the federal agencies, work with CISA's regional reps. In some cases you'll have regional reps from some of the sector risk management agencies out there, like the Department of, sorry, EPA for the water sector and others to be kind of a cohesive team for whatever that area of responsibility is, that piece of a state, that region, to be able to have good coverage, good relationships with the, the key entities that
are there and to cover that surface. Because when bad things are happening, we do want the cavalry to be able to get to them. And it requires a big team to do that. Absolutely. Steve, what big issues are you working on at IST?
Anything you'd like to shed some light on? We've got so much that's going on.
My gracious. So IST is, we're a small 501(c)(3) nonprofit think tank based in the Bay Area. And we kind of bridge the gap between policymakers and technologists and study issues that. I mean, our name implies Security and Technology. Under my umbrella we have our AI work. And so that includes what we just described, the, the, the cyber kind of question, the cybersecurity question. In AI, we have another line of effort looking at the risk. We published a study back in December on the implications of,
of AI foundation model openness. So what are the risks that are driven when you make this technology available to all, including bad actors? And so we identified six categories of risks at a number of levels of openness, from fully closed to fully open
with things in between. And then from that report we're trying to generate, then what are the fixes, what are the mitigations that one can put in place for these variety of risks, whether they're kind of upstream interventions that have to do with how you design the model in the first place, or downstream risks, which is what are the controls that you might put on when you're trying to implement and use and
deploy a model. And then there's policy levers, there's technical levers. We're trying to put some clarity around that. So we're in the second phase of that study. And then the third phase will be to pick a handful of those and really try to dig into what would an implementation plan look like to do that. So we're trying to inform the global kind of AI governance conversation with, with some good thinking there. So we're spending a fair amount of calories on that. And then we have a trust
and safety practice as well. And so there's an upcoming AI summit, you know, soon where we'll be talking about AI and trust and safety. So there's companies out there that want to incorporate AI into a consumer facing product or service, but they're not, but they're not experts at AI. Well, what should you be thinking about? It could be something very simple as a customer service chatbot, or it could be the AI capability in my dryer at home or who knows what. Well, what are the things
one should be thinking about? Because there's a whole universe of trust and safety practitioners. Oftentimes it's separate from the security teams. So how do we enable them? And for smaller companies or startups that haven't matured to the point where they have trust officers and trust and safety teams, how can we help them with templates and a leg up to be able to start to think about these things and manage some of these
risks up front. So that's kind of the thrust of our trust and safety approach. And then kind of my third bucket of interest, which kind of pulls from my previous history, is the critical infrastructure and key services issues and making sure that what can we do to help shape the future so that we're not laid bare to the adversary and vulnerable? Steve, last question. What question didn't I ask that I should
have? Oh, my. Yeah, I think a good question would be, are you an
optimist for the future or a pessimist? You know, what does the future look like and how. And is technology fundamentally improving our lives or is it creating, as with some of the challenges with children and adolescents with social media and phones in their hands? And, you know, really, I think that there's opportunities for commerce and knowledge and connections, the fact that we can connect all over the world. But then as well,
I think there's an erosion of social cohesion. And also, and part of the social cohesion, it kind of comes down to a very individual level where younger people not always are having personal relationships. And I am concerned for the future in that area. So these two things are kind of working against you. How do we realize. How do we realize the full potential of technology without falling into some of the traps
and allowing the downsides to overcome the good sides? I've always been told a pessimist
is an optimist with experience, but I am still optimistic on this side. But we just can't take it for granted. We just can't take it for granted. A lot of hard work to ensure that we can seize the benefits and minimize the risk.
But we need to have smart, thoughtful people thinking about these and helping to kind of chart the path forward. Well, Steve, thanks for being one of those smart, thoughtful
people trailblazing in a bunch of these areas. Thank you for joining us today, and always great to have you. So thank you, Steve. You're welcome, Frank, it was a
pleasure.