Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and have the true privilege today to sit down with Sue Gordon, a titan of the intelligence community, someone I've
held in the highest regard and respect for so many years. She most recently served as Principal Deputy Director of National Intelligence and also served as Deputy Director of the National Geospatial Intelligence Agency and spent many years at the Central Intelligence Agency in a whole host of different roles. Sue's known for many things. Two that I admire most is a straight shooter, which you would think is common in the intelligence community, but
it's not always that common. It's pretty difficult to sometimes tell the emperor they have no clothes or things that they don't want to hear. And she's also known as an innovator. And I don't want to suggest that's an oxymoron in the intelligence community, but the reality is she spearheaded a lot of the good work in In-Q-Tel and just brought a whole host of positive energy to the intelligence community. So, Sue, thank you for joining us today. It's a real privilege to sit down with you.
It's an absolute, absolute delight, you know, talking intelligence, cyber, national security. It's just fun. So. And you're the best. And you're the best. So, you know, before we jump
into the substance of the discussion, I'm not sure everyone is aware that you are a three time captain of the Duke women's basketball team. And we've all seen the movies around sports and yes, the outcomes matter, what happens in the field, what happens on the court matters. But there's a lot that goes into building a team. How did that prepare you for your work in the intelligence community? Well, what a great
question and one so fun to be a former basketball player when Caitlin Clark has burst on the scene. And I just have to say this out loud, one of these things is not like the other. She's remarkable, transcendent. It's just fun watching the game. I think actually basketball taught me everything that I. So much of what I know about leadership and performance and probably two things I keep in mind. One, I think playing a sport teaches you how to depend on others and how to be
depended upon, which is rare. The second part, right. How do you trust your outcome in the hands of someone else and how do you bear the weight? I think learning how to do those things and the other thing that I think athletics do for you is if you can commit to the point of failure, you'll grow. And so many people get almost there, and then they hold back because they don't want to reveal a weakness or they don't want to show what they can't do because
they're afraid to expose that. But it's really in that last little bit. And I think that's true in the workforce, too. And if I think about my career, both of those come into play, particularly on the innovation side. And in the other, you know, if you've been at this for a long time, we start out with some expertise, but by the end, if you don't know how to set a course and trust your women and men, you're not going to get very far. 10-4 on
that. And, and that is not just in the intelligence community, but in life. Right. So a father of four daughters, my, my girls have respected your work for, for all these years. And, and they've all played sports, and I've been a coach forever, but not at the level that you've played at. So it's fun, right? It's just the best it is. And, and seeing people work as a team and it is the breaking point where it actually becomes exciting. And you see that in our Special
Forces development and pretty much everything that requires elite capability, you have to, you have
to go all the way because otherwise you just won't find that limit. And like I said, it's that I think it's what I loved about the CIA from an ethos perspective is there was an expectation of if you owned a space, you were supposed to prosecute it. And that just was attractive to me. And we can't tell anyone of all their accomplishments. All their accomplishments are basically born of that moment. 10-4
on that. Let's jump into cyber. So, lot of discussion around the public private partnership, and I've been a little bit of a broken record saying long on nouns, short on verbs. The reality is we all recognize the importance that doesn't always translate into getting things done. Just like we all want to win, but it's going to take a lot of effort to get to that point. What do you think are the big criteria that we need to be thinking about to enhance and turbocharge the public
private partnership when it comes to cyber. So I think the first thing is that
we need the private sector and the populace to understand that when the world became digital, they became not only part of the threat surface, but actually they became national security decision makers. Whether they knew it or not, whether. They knew it or not. Right. So individuals in a world of influence that is affected through cyber, if you can't discern true from false, if you aren't an active critical thinker, we can be
shaped. And then companies, they are making national security decisions. Our telecommunications industry, when they decided that they were going to offload the high revenue but low profit baseband stuff, that's how China came in. And you see the rise of Huawei and the
domination of 5G, that has become what a national security issue. And so I think if our private sector understood that our adversaries and competitors understand where the strength of America is, whether that is the ideas that can be stolen, the industries that can be shaped, they would think about from whom they take their money, how hard they protect their data, and how well they understand what the threats of their operations are.
Well said. And I do want to touch on the threat, but you sort of mentioned intellectual property in many different sorts of ways. And the reality is, is I'm kind of worried about the day the Chinese stop stealing our secrets. Is that a fair statement? Because they've already got everything they need. But what are your thoughts there?
So I love that statement because it's a great kind of antidote to hubris. So I think the day used to be that one of our strategic advantages was our technology, and it still is because of the vibrance of that combination of democracy and capitalism that just is this really energetic engine. But I would say that now every technology is available to everyone. And when that happens, it isn't just the technology that is the differentiator, it's the use of technology. If we decouple too much, we will
lose insight into how things are being used. And so I think it is an interesting challenge not only to protect our industries to be competitive globally, but also the wisdom and insight we have into what the state of play on technology is so that we can do our best protection. And with that in mind, it's really difficult
to differentiate our national security from our economic security today. Right. I think that's the
other part of this digital connectivity is economic security became national security. Threats and opportunities are not only to and through information, but that information has economic impact. It made the world smaller. It made protection be less about political, military. It changed the nature of partnership. It gave rise to pesky sovereignty of our allies who are looking for economic partnership. And depending on who's offering that partnership and who's not offering it, they
have bought into a set of interests that they may or may not understand. And
I do want to get to that. But let's start with the threat landscape. How do you, I mean in your role as PDDNI, you obviously had a major role, the most senior civilian role to both the President and Congress. In terms of intelligence perspective, how do you see the threat today? How would you unpack that? Well, I,
you know, as recently as I'm going to say 2010 and maybe even before that, the real big players in cyber activity were the major nation states. It was the US and Russia who were the most capable by far. And because we had integrated systems, we could do a lot of things with it. Then there was the Johnny come lately of China. But they have just, and it used to be that they were capable but a little obvious in their activities. Clumsy. Yeah. And in the past
15 years you see that China has become incredibly capable. And then you see Iran and North Korea being able to acquire the expertise and then use it for their interests. And I think if we just take those four countries, Russia, China, Iran and North Korea, there is some differentiation in their capabilities, usually in how integrated it is
with their own national security apparatus. But there's an equivalence technically. But if we all remember that cyber threats are just a manifestation of the interests of our allies and competitors, I mean our adversaries and competitors, then you're going to see it differently. So Russia is incredibly capable, but they use cyber to undermine democracies. So you see them as certainly capable of the war fighting effects, but also you see them very good
at the influence. China disproportionately economic and again, they'll use lots of tools, but that's their thought. Iran, regional interests and using their reach in order to dissuade or encourage people to get out of what they consider their business. And then North Korea, you see them as a projection of how do they get around the disadvantages of their,
both the sanctions regime and their landmass. And so I guess one of the things I'd leave the audience with is when you think about cyber, think about it not just technically, but what the intention behind that. And when you do, you'll be much more thoughtful about seeing risk. And that's really well said. So technology changes, human nature
remains consistent and you can't treat cyber in isolation of the broader geopolitical context of what we're dealing with or whatever the intentions, hostile or otherwise. Our adversaries may have it. To me it's sort of obvious, but I'm not sure we treat it as such just yet. So I mean, you know, just if. I can jump in on
that Frank, I think that's because cyber is a bit still in ungoverned space. Right. The treaties and laws and norms that affect the physical geographic warfighting are well understood and constrain us. Digital has fewer norms, fewer standards, fewer constraints. And so you see the interest moving. To that space and greater plausible deniability. But you also see self governance by your adversaries competitors as though they don't want to cross a line
to inspire kinetic response. A kinetic response. And no one really knows what that is. So the capability is increasing, but you still see this dance of what can I get away with before I get something unattended? And that is a great point. And
when you look at Iran and North Korea, what they lack in capability they may make up for with intent. But that's different than a sustained existential sort of threat, which I think China is that existential threat. And they have so many,
they have so much technical capability and so such broadcast areas of desire to affect their will on somebody else's environment. So we certainly see the economic plays and we see the combination of economic plays with political coercion. We absolutely know of their intention to place themselves in critical infrastructure so that if it does come to war fighting they can and Covid was a great instantiation of theft and manipulation of ideas. When
you saw them supply chain issues. Right. When you saw them going after that whole
pharmaceutical industry. So anything that they might want to do to advance their interests, they now have the capability to do it. And I think then the stated intention.
To do it and I think we're finally turning the corner to recognize. I've often said that we've been blaming the victim and to some extent we have. But the reality is is we are starting to impose some cost and consequence on bad behavior. It's probably not where I'd like to see it. I mean if we were robbed physically as often as we are robbed digitally, obviously I think we would have seen some change. But. But we're getting there, I think. Would you agree with that? Yeah,
I think that. Well one, I think the last administration and a half, and it really started in the previous administration with the Cyber Solarium of which you were a part where I thought there was this real intention to take a look at a situation that we were just not making headway. We hadn't defined all the domains in which it was dimensions in which it was playing out. We hadn't talked about our goals and we hadn't really thought about this intersection between the government and the private
sector. And I think it was started there. I think the three headed, I was going to say monster. The three headed powerhouse of Anne Neuberger was Chris Inglis. Now Harry Coker and Jen Easterly has really moved the ball not only in terms of strategy but beginning to look at implementation in partnership with the private sector that seems to be throwing their lots. So I think we're headed in the right direction. I
still think we haven't quite embraced the extent of what could happen. I think people still think that if I cover enough end points with whatever the brilliant products are out there, that that's enough. Not recognizing that technology alone will never be. You don't recognize what's at risk. Yeah. In essence we'll never firewall our way out of this
problem, quite honestly. Endpoint security in the traditional way of thinking about attack surface has to change. Yeah, we can't tie our shoelaces tighter. And I think you see things,
I mean, so zero trust is a move down the architectural thing. But I think you said it, let's impose some costs. I think you see the FBI and the private sector working closely in order to identify things early to take them down. I think that's a really bold move in that direction. I think where we still have some distance to travel the intersection between policy and allowed action that crosses domain. It feels to me that we still think that the solution to cyber has to be
cyber. Exactly. And that's a great point because cyber is its own domain, but it
transcends air, land, sea, space. I mean it's inextricably interwoven and we're still fighting with one, one fist behind our back to one extent or another. In that until we rethink some of that and my view. And disagree with me, please. To me, the real solutions are going to reside in the collaboration between the public and the private sector. Most of these companies are on the front lines whether they want it to
be or not. They are defending against foreign intelligence services whether they wanted to or not. That is the distinct reality. The question is how do we level that playing field? And I don't want the private sector punching without any rules of the road. I think they have to be doing that in conjunction with government, someone who's sworn to the constitution to protect and advance their interests. Yes. No, no, I think I
agree. So I think I agree with everything you said. Let me. Except. No, no, no, let me pick a part of it. Early days of Ukraine. Yeah, we did see the hacktivism which was recognition that these tools and techniques are available and we had a bunch of people who were really motivated to help. Man, helping when your only view is through a soda straw is not always help. And so I think in general I am, I am anti hacktivism in part because of coordination, in part
because of just viewpoint. I just. You can. I'm not gonna escalate. I'm not, I'm not sure you, I'm not sure you should. I do think the answer has to be in collaboration, but I think we need to. We, we've grown. Remember back in the day when collaboration was the government sharing some IP address. That they thought was
government lead, private sector follow and you know, and we'll. Provide that to you. And
I think we've grown beyond that because that just wasn't enough. I think the private sector is figuring out how to share more of the information that they naturally have because they live in that environment. And we figured out ways to share it. Where I don't think we've gotten yet is sharing the keys of the kingdom, which is intent and trusting that the government is not going to over regulate you when you participate with them. I think it's those two last pieces, it's like the bastions
of each entity's identity. It's in their DNA. Right. But if we can. But it feels to me that that's the pie will make a difference. If the government can share more information on intention and trust that the private sector is going to say, okay, I understand that intention, I know how to protect myself. You don't have to tell me how to. We've got that partnership. And the private sector will say, I'm going to tell you exactly what's happening and I'm not going to be worried that
you're going to do something untoward with it. If we can figure that we trust each other, I think we'll get that last distance. That's a great point. Let's get
into some of the governance related issues and I mean firstly before we jump fully into that, In-Q-Tel was sort of a really creative approach within the Central Intelligence Agency to try to harness some of the capabilities of the private sector and Silicon Valley. And I think in the very, very beginning the not invented here issue was a bit of a challenge inside the Agency. But that's changed. And you were a big driver in all that. Can you shed? Because I'm not sure our audience
has a full appreciation for what you were able to do. Yeah. So in the summer and why you. Did it in the summer of 98 with the help of,
interestingly enough, I'm a big advocate of bringing in people who are not just of your culture. We had a director of science and technology that came from Sandia Labs, Dr. Ruth David. And she was. Ruth was at the heart of the labs, right? She was and she was. She had this vision of an agile intelligence enterprise. She imagined the world we're experiencing now. So she knew how important those technologies were going to be to the future of the intelligence community. But we also had a problem
with Silicon Valley which was the real hotbed of. Of change in that area. It wasn't the big people that we knew how to deal with. It wasn't even coming
out defense contractors. They didn't want to deal with us and they didn't. And for
many of the same problems that we haven't completely overcome, they didn't want, they couldn't break through our contracting processes. And by the way, they weren't sure that we were like them. They were a little crunchy and we were a little spooky. Right. And that was just a bad combination. So I call it Sandals meet wingtips. Culturally there
is a bit of a divide there, right? Exactly. And George Tenet was the director
and, and he listened to Ruth and they asked this kind of young GS-15 they said figure out what we should do. And we came up with this idea with a lot of conversation with everybody. It felt like I talked to everybody of we were forming a 501(c)(3) that an FFRDC wasn't the right model. Mostly because we didn't want to hold the talent. Right. That's what the FFRDC model was. It couldn't be inside because we didn't know how to make investments. So we'd form an FFRDC. I
mean form a non profit that was kind of venture capital. We would get a group of private citizens to form it for us and then they would hire people who could adjudicate what was going on in the private sector and identify things would be great. And so it was a brilliant idea. It took the strength of the government. And the government is really good at three things. I know people might not. Is government good at anything? It's really good at three things. It has long time
horizons, big problems and deep pockets. True that. So that's what the government brought to In-Q-Tel. What the private sector brought was just living in the technology and the ability to say what the match between the two are. And so the brilliance of In-Q-Tel was let's give them the tough problems, let's make it unclassified.
Which in 1998 was heresy. Huge challenge. Yeah. Let's not own the intellectual property and let's have in our mindset that if we take our problems and keep commercial companies alive long enough to be commercially viable, they will meet our standard and we'll be able to buy them. And that model has given us huge advantage. Oh, my gosh. Google Earth, Palantir, Cloudera, I mean, you can keep going through things. And it was
just that idea of let's do what we're each good at. And I think you could squint at this moment of cyber threat and cyber response and say, if we could go back to that, as undifferentiated as that was, I think we'd come up with some great solutions. And that's why I asked that, because there are. Whereas history
may not repeat itself, it does tend to rhyme. I feel like we're at that moment here and let me just say, and you can disagree, I think one of the other things that work there is trust. Trust takes forever to build and you're not going to build it unless you're on the court, playing as a team or even in opposition, even your competitor. You need to be part of the day to day and it takes nanoseconds to lose. So how do we sort of build, how
do we take that model? Obviously you can't just completely supplant it for where we are today, but I think there's a lot of there there for. For what we can be thinking right now. Yeah, I think there were. I agree with you. I
think it was fundamentally trust and the big elements of trust were this. We're going to trust you with what we're worried about. Yeah. Which is a big deal. And
going back then, huge deal. Right. And I would say if you talk to the
private sector today, they would probably still say, could you just tell us a little bit more about what you really care about and then we could really take you somewhere. So I think revisiting that is a good idea. The other thing is, we gave them a bag of undifferentiated funds and we didn't give them a specification. We said with this, make some decisions about with whom you're going to invest, because you're good at that. We're not. And I think there's an element too. So let's take
it to the cybersecurity. Right now, I'm lucky enough to be associated with a company called Security Scorecard. I want people to know that I'm on their board of directors. What I love about them is they're a cyber ratings company. And what's interesting about that is it allows you to see so you can measure, so you can act.
I mean, it's not a very good measure, gets done. It's just not a. It's
not a super difficult concept. Well, in a weird sort of way, if you date back to 1929, when we had the stock market crash, you see a similar problem where we figured out as a nation that fraud in the private sector was a national security issue. So you see the rise of the SEC, and then here's what's cool. The SEC turns to the private sector and says, what should be the accounting
practices? Fast forward reviews that. I think there's kind of a moment there where it would be best if the US Government could say, here's the standards, here's the framework, and then turn to the private sector and say, what should those practices look like? Because the government articulating practices, I think, is hard, but I think that combination could give us some insight. And I don't know how companies know what's enough if there's
no way for them to have. Government can figure how much is it? Yeah. That feels like a governmental action a little bit. Yeah. The question I have, though, it's
not about widgets though, right? It is not. It's not. So it's taking that esprit de corps and applying it in collaborative kind of way. Because at the end of the day, I do think it's. It's operational collaboration sort of. CISA stood up the Joint Cyber Defense Collaborative. Department of treasury has an initiative called Project Fortress. Look what
NSA has done. NSA's done amazing. By moving their center outside. Yep, yep. Outside the
wall. Yep. We're trying to get there. It still feels that we're trying to maintain
some sort of air gap that it feels to me, I think. I think the UK has a different governmental, different legal framework, but they've done some really interesting things within csc, which. Was part of gca, which is part. Of GCHQ, but has a little bit different ethos. I think we're better every day, but I think there's still. And we've talked a lot. I always talk about what the government needs to do because I'm so of them and I. I feel that they have so much responsibility.
I think in our companies, though, there are some interesting structural aspects that they might want to look like. So we have CISOs who are responsible for cybersecurity. That is basically a technical discipline. They are reporting to a board of directors directly, that's a pretty tough leap to have meaningful conversations where the board. Should care about risks like
any other risk. What are the choices you're making and what risk is that given?
But that's a pretty big gap between a CISO and a board. I'm wondering if companies there's not some sort of more serious risk officer on the technical side. That might be an interesting transportation to that conversation. And that is a great question. And
we had Phil Venables on recently. Who sort of explained some of that. As he was a CISO who became a chief risk officer. And when he was at Goldman Sachs before he went to Google, that is how they looked at it. And I think that's a solid model because at the end of the day what you want from a governance in my perspective, and please disagree, is risk is risk. Is risk
is risk. Whether it's technology, whether it's markets, whether it's exposure and different. At the end of the day you're not expecting them to be experts in cybersecurity, but they need to recognize what's important and how to batten down risk. Yeah, I think generationally
we're going to get better. I think you still have leadership that is a little less comfortable with technology. So they say technology is additive risk, not as sometimes something that can help manage risk. And they just want someone to take care of it for them. And that's a lot of pressure to put on our CIOs. Yeah, yeah,
yeah. And it's not just a technology issue as you've said a couple times. So you can't put it all on the shoulders of the women and men doing this.
Yeah. So I think we have distance to travel in lexicon, in the questions we ask. And again executive leadership should ask questions. Manpower always has the power to go further. So ask some questions of your team. What more do you need? What risk have you? You know, just, just instead of just give me a report so
I can feel like I've taken care of and. Check the box which is. Yeah, I think there's a conversation that would help us a company understand how much money they need to put in data protection because their relative strength is data versus my relative weakness is continuity of operations. And that's a different set of choices you make given that you and I know you can't be perfect. And are we involving our workforce enough? I tell people all the time the kind of secrets of the CIA
is we view security as a three legged stool. Our people, our technology and our premises. And I think if we look at some of the cyber attacks, if you went into the companies, you would say, did you understand what you provided for national security? Did you understand what you were doing? And you made that choice. And the answer is, heck, no, I did not understand. So how do we build that sort of heft? No, that's. That's actually really important set of points and I do want
to get to workforce. But before we do that, on the governance side, anything else you think that leaps out and part of it is communicating. So you'd sort of mentioned the Chief Information Security Officer, Board of Directors, I call it talk and squawk meets, beep and squeak. They don't always translate directly. One's going to be a little more technological in nature. That's improving dramatically from 10 years ago, but it still has
a bit of a ways to go. But anything else that sort of leaps out. And then I think very similar to the intelligence, sometimes you have to be the bearer of bad news. And quite honestly, no one wants their CISO knocking on the door. Right. So what other thoughts do we have? Compliance isn't enough. Like, compliance is
so wonderful because it's measurable and we can say we've done all those things. We know compliance is enough. You can't comply your way out of it. You must be compliant. And there's some really wonderful standards that help people, but that isn't enough. You really do need to evaluate and you need to continuously evaluate, especially as we're introducing new data and information technologies all the time. All the time. You know, there's some
good news here. I think the lessons of cyber can be learned by the space domain. But the lesson that I. That I think is looming, that we haven't totally embraced, is that AI just explodes this problem. And I'm not sure the solution in a company is to put that on the, on the audit committee to do. I think there's a much more fundamental understanding we have to have of these technologies. And again, it's not just cyber, it's not just AI, it's how are we adding risk?
And then the last thing I'd say, this is just so practical, you know, what we used to talk about all the time, and it's still good hygiene really will save the day mostly. But the thing that will save organizations is to exercise, exercise, exercise. Imagine disruption. If you want to know what the military is really good at, is typically they imagine disruption and they prepare for it. Yeah, I think, I think if we had a bit more about how you'd make decision making. You would find
more gaps and we'd find some answers there. Well said. You goaded me. I have
to ask. Space should be designated a critical infrastructure, right? No, no, that was a missed opportunity recently with National Security Memorandum 22 and designation of critical infrastructure. To me it's just so obvious you. And I are in such violent agreement on this. And
I'll add two other practical matters, one on the threat side and one on the implementation side. On the threat side is space is such a disproportionate advantage that it is a disproportionate target. Yep. Right. It. Everything from PNT. Everything. Yeah, pretty much everything. We have had our way in that domain. I mean. Yep. The Russians, the Soviets before them and the Russians. But in terms of just straight up using it for
advantage we have, that makes it a huge target. But the other thing is new is always best applied in new. Space is still a warning in terms of viewing it as a critical infrastructure. We could look at it with some of the new technologies that we know are available to protect our infrastructures. Yeah, I need to back into it for all the other aspects of critical infrastructure. I love healthcare as an element and that is so bereft and we need to work on it. Energy, we
all know telecommunications, but those are old and hard. And getting all the things we know we could do into them is hard. But space is still new. It's interesting, it's obvious and it's available. We got to do it. And you can bake it
into the design. You can. The idea of the newness and every infrastructure you mentioned is also dependent upon space. Whether it's for GPS, whether it's for. Whether it's for communications, whether it's for transportation. Are we there yet? If, if you don't. But I
think the. I guess what I see is not only is it critical, but the opportunities to significantly make change now. Yep. Are more available today than they will be tomorrow if we don't start addressing. 10, 4 on that. And, and, and, and that
also is not to take away. There's good work being done in the title 10, title 50, military but commercial space is, no pun intended, taking off. And that's very similar. I feel like I've seen this movie and it's the cyber sort of discussion of 15 years ago and we can get it right if we do it. You
know, Chris Inglis was so good at this when he was the National Cyber Director, always reminding us. And I feel this way. We have too many policies that keep bad things from happening and not nearly enough that allow good things to happen. I think this is an area where we really do imagine that there's an opportunity for us to really make this better. And you have a space force and you have a vibrant commercial economy and you have the existing national security apparatus and they're trying
to work together. Let's make cybersecurity part of that. Trying to work together. Well said.
And not to be curious because I. Gotta tell you, no one's gonna shoot in
space if they don't have to. Exactly. And the old Kennedy quote, time to fix
your roof is when it's sunny, not when it's raining. And we have a chance to do this. I think so. And I just hope that that is something that the obvious need is recognized soon. And again, I'm not suggesting nothing's being done, but if you don't designate something, it's not going to get done. And the thing is,
they can go to school on the things that have done. I mean, there are a number of things, and I would say even space policy, cyber policy is further along than it was. Space policy is still, still one of the ungoverned spaces. Early
days. Yeah. Yeah. So I, I think it's a great area. One, I think it's
necessary. It is so obviously tied to our advantage and everything we want to do, but it's also, there's an opportunity here. And we can't take it for granted because
China and others are investing not only in their own space capabilities, but in technologies to stymie our capabilities. Yeah, I didn't give you that. The second half of my
saying, which is every technology is available to everyone. But here's the critical part, the one that puts it to clever use faster is the one that's going to win. We know there are things we could do. Let's put it to use. Well said.
I mean, actually you can go back to gunpowder and bow and arrow on horse. It is in the application. And that to me gets lost in some of the discussion around cyber. It's not the capability, it's how do you integrate it into your doctrine, into your TTPs and to your war fighting strategy. And I kind of feel like we can lose our advantage if we don't do it fast because others will apply. And whether they're imitators or innovators, it doesn't matter. They're doing it. Yeah. Just
thinking about this use thing. Boy, I. You and I were both out at RSA recently and wow, what a vibrant. Oh yeah. Well, one, it's just still have a
headache. But there were a lot more users and practitioners than even last year and
before. So I think it's moving that direction. But I have this dream. What are there, 3,300 companies there? At least. I don't even. At least, I think more. How does anyone adjudicate? I would love to see someone say this is your problem. These are the things you need. Yep, yep. Right. It's, it's. We've got to help not just what they are but what they can do and not just what they can
do, but how I can put them into place. And I think, I think that's an area that when I talk to my industry colleagues that isn't their strong suit because they're so focused on the advance of the technology. But I do think it's what narrowly will create more sales. But two as a collective will be more successful if we think about that. Well said. Workforce. Yes, sir. So we all see
the numbers. I'm not sure I can have great confidence in what those numbers are but I think I'm smart enough to realize we are woefully behind in terms of some of the skills that are needed from a cybersecurity standpoint. What are some of your thoughts there? What should we be looking for and what sort of traits that are not only technical but also critical thinking skills? I think so one, I think
talent is the supply chain problem that we're not talking about and it is the most in trouble and we need to address it. So that's one. Two, totally agree with you. As the world has moved more technical we have more people doing technical work. But as technology becomes more the commodity, then it's critical thinking and it's almost like bring back liberal arts because it's like, oh, you wanted to use it. Well, that takes something else. So I think STEM, I think that's an arc. We need
to keep going. And I think while I totally love what the DoD has done in terms of certification and expanding the definition of what is the proper education beyond just a four year degree, I do think we don't want to just turn everyone into botanologists or technologists. I think it's the use is going to be where the
advantage is and that requires thought too. Also just the whole world's technical and so the intersection of technology, data and governance, big governance, not just cyber governance is going to be important. Here's why I'm. Here's some I'll offer my domains where I think we could pursue it. Man, even in this country we have such a rich base of humans that aren't going to come to the two coasts to work. Absolutely.
Heather Wilson is the former secretary of the Air Force, is the president of UTEP and you don't need to spend much time with her to understand exactly what she's sitting on top of with that population disproportionately first generation, not only first generation college students but first generation Americans at this research university. Boy, I wish I could convince our big Microsoft, Google, Oracle, Amazon create a national cloud
located globally and you would then inspire workforce to get into this place. You would have technical draw of demands using the whole of our national population. The other thing
I would say not enough women too. Right. I mean they're so. Listen I just.
People aren't going to. People aren't going to come to Washington or they're just. They're just not. And so why are we excluding that from it? Exactly. Two, I think, I think we could do way more interesting things with people who are leaving military service. Yep. You know we. There are some good things going on but those are people who love living life of purpose. Let's give them life of purpose but let's give them skills that they can compete. I think we underuse our allies and partners
overseas. It may be in the national security space that citizenship is a limitation on some things they do but they have talent and we have infrastructure that could be applied. I just think we need to think much more creatively about this matching between the things we're building and the things that we could inspire people to participate in. And let's think allies and partners because that's always been our strength. Absolutely. Very, very
eloquent and well said and just wanted to double tap the upskilling of vets. That to me is a no brainer. They're doing it already every day and. Yeah I'd
take that last year they have in the service. My son was an enlisted Marine and when he knew his contract was ending they spend a whole lot of time I would get them security clearances during that time that they're out processing. So when they come out they're available to work in industries that are clamoring for it without the time that it takes to get new. I think we just need to be more creative. I think we could come up with a national national security information based
ROTC like thing. And all I would say is you don't have to come and work the government, you just have to work in the national security space that is now so much bigger than it was. I just think time to be seriously creative.
And you know, that's always been the American way. Right. I mean, that is our greatest strength is curiosity, creativity, and actually doing things. And I know that you and.
You and I both go and talk to a lot of groups. Have you ever talked to a group that didn't want to? Wasn't inspired by what you said? We did. You're right. Right. We need to get out there and talk more about this. And. And plus the kids coming today. So smart. They are, yeah. So smart, so experienced. But they do want to do something meaningful. This is meaningful. Well said. Make
a difference on something that matters. I think we have to invest in it. Sue, we're at the end of our time, so the question I have. What questions didn't I ask that I should have asked? Well, you asked a lot. I did. It was. Sorry if I was all over the place, too. You were perfect. And, you
know, I want to be Paul Nakasone because I love the way he does interviews. You know, he listens to a question, he gives a top line summary, and then he gives one sentence of detail. That is not me. I'm like, oh, I could go this and this. So I think between you. I've never had an unspoken thought,
as he knows. I think between you and me, I think we covered the waterfront.
I think what I'm left with, Frank, is we shouldn't be hopeless because we've come a distance, but we can't be complacent because we're not far enough. We are better than we've ever been. We're not good enough to beat the turn of the earth right now. And as long as we are who we are, we are going to be attractive to adversaries and competitors. And the digital space allows them to cross any distance in relative stealth for no cost and create volumetric effects. Well, well said. Sobering,
but inspiring ending. Sue, thank you for not only spending so much time with me today, and our viewers are definitely going to love your. Your insights here, but also for your public service for all these years. Thanks for being an inspiration and thank you. You. Thanks, Ray. Thank you, sir. Bye.