Congressman , I might have put you in a box by saying what's left to be done in data sharing . So I'll step back more broadly and just say , from your experience on the Solarium Commission , what are some of the recommendations that you would like to see still be implemented and need to be implemented ?
Sure . So the things that were left undone before I left Congress and I wish we could have got across the finish line . One , creating a Bureau of Cyber Statistics . That's very wonky , but we don't have an entity really that collects and aggregates all of this data , and I think that would be a real value add on a host of levels .
Again , aggregating data and then anonymizing and and making available to the public for everyone to use . It would really help a lot of ways in also helping CISOs , for example , make the business case of where we spend our next cybersecurity dollar , and they have to get better at being able to make that case both to the CEO , to the boards .
I think that would help us to get to a much stronger place in cybersecurity . The other thing is , I wish we could have gotten across the line the joint collaborative environment although , don't worry , I'm going to compliment CISA and the JCDC .
They're actually creating the joint collaborative environment or using that , creating that entity even without absent the legislation .
Getting across the finish line intelligence people working side by side with private sector critical infrastructure so intel , government , private sector so that you're seeing the challenges and the vulnerabilities in real time and also putting context to what both sides are seeing .
So kind of answering that question of why should , when the government says you need to patch this or there's a vulnerability here , and private sector saying , well , why do you want us to do this so quickly , why is it so urgent ? So the joint collaborative environment would get us there .
But I'll turn it over to Chris for a comment about the great work that JCBC is doing , and so it's both cyber planning , joint cyber planning , but also working with private sector infrastructure more closely .
Yeah , so the joint cyber planning office was another one of the Solarium recommendations and thank you again for working on that commission .
And so the joint cyber planning office was really kind of the formation and the starting point for our JCDC team that does most of our information sharing , our publications , our joint planning with actual industry partners and such to actually do joint cyber defense together .
And then , you know , working with our different engineering teams to try to , you know , fulfill the vision of the joint collaborative environment . And really what we're trying to do there is be able to ingest all these different data sources .
And I talked about federal cybersecurity earlier , but you know , critical infrastructure cybersecurity is a much bigger space , a much less defined space , a much you know less , much more unique space , all the different types of environments , when we can start getting into operational technology and such in those environments .
So the amount of data that we might be getting , either from SIRS-EA reporting , from volunteer reporting or just from partners actually working with us together on different initiatives or sharing information with us , is pretty a unique authority for us to actually be able to kind of collect and aggregate and analyze these different data sources and correlate them , and we
want to be able to do that at , you know , really , at machine speed , and actually make the machines do a lot of this work as well , instead of you know how we used to do work about 10 years ago , sharing spreadsheets of indicators together that Congressman kind of alluded to .
So you know , really that's the vision for the joint collaborative environment and making sure that we can actually share those insights and some of the data sources , after they've been sanitized and such , back to our industry partners and into the research communities to help kind of the broader cybersecurity ecosystem .
Great .
So , neil , I'm going to give you a question . We kind of talked about it on the call , but it wasn't exactly . But , as you just mentioned , you've changed roles , yeah , so you went from supporting cybersecurity to now research . So what does new Neil need to do to support old Neil ?
Yeah , so , yeah , yeah , that comes up a lot actually in the last few weeks . So in NSA research , we're trying to advance NSA missions and the missions of cybersecurity and intelligence with science , and I feel like there's a lot of room for growth there . We still face a lot of challenges in cyber analytics .
A good example of that would be some of our adversaries in the last couple of years a year or two have started using a lot more living off the land tradecraft . I think we collect a lot of the data that might help us to find those activities , but are we analyzing it in a way that will let us find it ? I don't think so .
That is an active area of research how to do that form of analysis .
We face continued challenges in protecting our systems and understanding the software that they rely upon , and so we have active research going on in that area and we need to be able to drive that with mission understanding that we get from places like NSA , cybersecurity , cisa , nist , our private sector partners , right , our international partners , and then the
cybersecurity environment is continuously changing right . New technologies are coming out in the mobile space , in the cloud space , in space space , and Understanding how those technologies interact and how they may be exposed or how they can be protected is an ongoing area of research .
And then , of course , as the crypto authorities for national security systems , we have active research in all aspects of cryptography as well . So , yeah , we're working on all those areas , thanks .
All right Well . I guess old Chris or old Neil needs to get new Neil to get moving on those things . So you know , several of the panels have talked on workforce and it's an important topic . So I also want to go there with this group .
You know , on behalf of Periton , one thing I wanted to share was that , you know , picking up on what Bob Costello talked about and the need for more diversity in the cyber workforce , you know we support the Cyber Camp at Dakota State , which is a great program and it's a force multiplier , because not only are they bringing in middle school girls but they're also
creating curriculum that is used across the state . Right , we're working with George Mason on the Commonwealth Cyber Apprentice Program , which is bringing folks that don't have cyber backgrounds into a cyber training program and then we give them entry level opportunities .
So those are some examples , but again for each of our panelists and I'll start with the congressman other novel ways to expand our cyber workforce .
So kind of right up my alley and leaving Congress .
One of my other projects was I took on creating an institute of cyber and emerging technologies , so looking at AI and machine learning , training the next generation of cyber professionals , cyber defenders , uh , and we , of course , um want to get into things like stackable credentials , so that you know , yeah , a four-year degree is great , but you don't necessarily need
a four-year degree to get your foot in the door in this , in this field , and there are a lot of incredibly talented young people who , like many of you , growing up kids , take to technology like fish to water , and I joked earlier that some of the most capable people if you have a problem in technology ask a 12-year-old to fix it .
So we need to harness that energy , that talent , early on at Rhode Island College and other college universities doing this too . But at Rhode Island College , we're working with some of the local high schools and kids in their senior year .
We get them into a program where they're earning college credits in cybersecurity so that when they graduate they already have , you know , they're part of the way there and getting their foot in the door and getting them into going into this field potentially . So we added a Rhode Island College added a minor in cybersecurity .
Now we have a major and two minors , and a major now and then , in the fall , we'll be adding a major and a minor in artificial intelligence as well . So we're looking to educate the next generation of cyber and AI professionals . It's something that we're focused on and , to your point , rhode Island is a Hispanic-serving institution and to your point .
Rhode Island is a Hispanic-serving institution , and so more than 20% of our population are Hispanic-speaking students , and this is a field where , in cybersecurity and AI in underserved populations , this is a path forward to a pathway to success for those communities as well , and it benefits all of us , all of society as a whole .
Absolutely . Thank you , neil . You talked about , you know , and one of the earlier panels talked about as well the need for data literacy as a skill for some of our new hires . But what else has happened with NSA in terms of workforce ?
So NSA is very active in this area . Of course there's now a federal workforce cyber workforce strategy that ONCD worked on . Of course we had people on that committee not me personally , but close colleagues were on that .
Of course there are aspects of that strategy that are looking at how do we bring people into this workforce other than the pathways through a traditional four-year degree . That pathway is still good , but you know you got to have other pathways too .
We're continuing to support the GenCyber program , which is a program of summer camps for students and teachers in the K-12 arena . This summer I think we had well over 200 camps running and we go out and visit every single one of those . I'll be going to visit one next week and doing my part , and we have one of those at Rhode Island College too as well .
Yeah , Are they hosting one ? Excellent , I wish I was going to one that close .
But you know we continue to work with our National Centers of Academic Excellence in cybersecurity education at the two-year , four-year and doctoral level . But the data science literacy aspect is a particularly important one . I think We've been talking with our Centers of Excellence schools about that for a while now , and that's one where we're .
The academic community needs to come together and we've talked to them about this to say how do we get the right amount of sort of basic data science familiarity into cybersecurity educational programs so that folks graduate from those programs having the sort of right key concepts to jump into this datarich environment that cybersecurity has become ?
And we're also working with National Science Foundation on their efforts for AI education and they are looking at what was done in the National Centers of Excellence for Cybersecurity and seeing whether some of those lessons can be adopted to help accelerate and strengthen AI education in the country . So lots of stuff going on .
We're continuing to work on the National Cyber Workforce Implementation Plan with Mr Coker's organization , oncd . So hey , watch this space . A lot of activity coming that will affect both public and private sectors .
Chris , add to that .
Yeah , I mean I think that I would just want to double tap on the diversity of backgrounds . I've , you know , managed quite a few different teams at CISA and I've really valued having just a diversity of backgrounds of people on my team .
So , you know , right now I run a pretty small team called the Office of the Technical Director that really works on a lot of different strategic tasks , and on my team I have people with international studies backgrounds , finance backgrounds , design backgrounds , as well as your kind of historical computer science and cybersecurity and kind of other engineering backgrounds ,
and mixing those backgrounds together to work on some of these problems you get different viewpoints . That helps you do different and unique problem solving . That really is kind of the basis of a lot of the cybersecurity challenges we face today .
So , you know , for folks who are looking to jump into the cybersecurity field , don't think you have to go down the traditional degree path in those areas . You know it's just about a passion for learning , a passion for problem solving and also to touch on the centers of active academic excellence .
If , for those that don't know about the scholarship for service program , it's a really fantastic program that our organizations work together on .
We use that like crazy .
We use it like crazy to bring people in . You get two years of university or community college paid for for years of government of service following your graduation , and they've extended that program to community colleges in the recent years so you don't have to have a four-year degree as well .
So it's a really fantastic program that we value for both for bringing people in on internships and trying to get people more introduced to cybersecurity , but also bringing on people after they graduate as well .
And you get paid $30,000 a year , over $30,000 a year , while you're in the program .
It's a fantastic program . I wish I would have known about it when I was in studies .
Yeah , yeah , many people do .
And I'll . I'll just add within my portfolio . We have a program that supports the National Insider Threat Task Force , a lot of behavioral scientists and bringing them into cyber operations and information warfare . We've seen a lot of value there as well , just bringing those different points of view and skill sets to the table .
Oh , hey , tom , if I could add one little thing , one of the other things we're doing at NSA and I know other federal agencies are doing this too is where we have locations for us Maryland , texas , colorado , hawaii , georgia . We are trying to partner with minority serving institutions in those areas .
Just a good example would be our laboratory for analytics sciences in North Carolina . There's a lot of good HBCUs in that area . They're starting to partner with them and introducing students there to cybersecurity and cybersecurity research and we've . You know it's a fairly new program for us , but we think it's going really well .
Yeah , yeah , we've done the same . We've partnered with UT San Antonio . They're doing some of our research work on information warfare and we've just hired one of their grads . So yes , let's see , we've got a little bit of time . We'll do one or two questions from the audience , so I'll open it up .
You were that thorough , huh ?
Oh , there we are All right , I couldn't tell whose hand was up first . Go ahead .
As a separate security professional , I appreciate the I guess importance or the encouragement for others to come through a different path , but since Snowden , I just don't see that happening right . Don't we require four-year degrees in the federal government because of his breaches ?
The condition , at least at NSA , for four 40 degrees was historically long before Snowden and NSA has certain restrictions . But in larger DOD I know they're looking carefully at that . It's not like we're going to change the requirements for getting clearances right . Those are going to stay .
But for military folks who are you know , they've served in the military , they've reached the end of their service , they want to come back as civilians . Many of them don't have degrees , but they have incredibly valuable work experience and certifications and we need to find a path to take advantage of that .
Yeah , and the National Cyber Director who was here earlier , Harry Cook , was talking about how some of those requirements for the four-year degree are now being relaxed and we're looking for talent , not necessarily the degree .
Yeah , we had a question over there .
Hi , I'm Rachel . We are finding in our interviewing I'm actually on a recruiting tiger team that the requirement of being in a skiff is really , you know , minimizing . Do you guys run into that and how are you talking about it and thinking about it ?
I mean I can see the easier question for me , I guess , Although I did work seven years in a skiff in my threat hunting role , a lot of our teams don't work in the skiff every day . So I visit the skiff a couple times a week but I don't work in a SCIF . My whole team doesn't work in a SCIF , so a lot of this is a workforce .
Most of all of our operations are unclassified . We do rely on classified intelligence to help with our unclassified mission space , so for us it's not really as big of a problem as it is for some of the clear defense contractors and certainly for the intelligence agencies .
Yeah , but even at an intelligence agency like ours , we are doing much more in what we call the low side , in the unclassified environment .
A particularly good example of that would be our cybersecurity collaboration center , right , where most of the employees there are sitting in the in the internet environment most of the time because they're trying to collaborate within our defense industrial base , cyber security and government partners . So I'd say nsa , we're making progress in that regard .
In the research directorate , we've always had a significant presence on the internet side because you know if you're going to be doing research , you got to collaborate with other researchers at academic institutions , at research institutions , and so we do that .
So , nsa , yeah , we still have a very significant classified TSSI kind of culture , but we are working to make that easier on our employees so that they can work seamlessly across any domain that their mission needs them to work .
And I'll just add that , with the ability to do some low side work , the difference between 100% in the SCIF and 80% in the SCIF gives people that 10% of flexibility to work from home that morning because their kid is sick or the plumber is coming or whatever else . So we found that just that in and of itself makes a big difference for people .
All right , we're just about out of time , so I'm going to wrap up with one question , but since one of our earlier speakers brought his mom into the conversation , I'm going to do the same thing . So bear with me on a quick story . So I call my mom every night . She's 80 .
She's definitely not using Chris Inglis when he was the national cyber director , and that is when he introduced the . To beat one of us , you must beat all of us . And I mean I don't have any tattoos , but if I'm going to get a tattoo , it may be that I just that . That is such a rallying cry .
So you know , I told my mom about it and she was like oh my God , that that is great . That's what government is all about . So she kind of became a fangirl for Chris English , like I'd call her , and she's did you have any more meetings with that nice gentleman who had that thing . So just a nice thing about Chris .
So I went to we had an industry event right before he retired and I told him this story and he pulled out one of the coins that they've made from the White House . They had spare wood in the White House and he made the coins , the plank holder coins , and he gave me one to give to my mom .
So I thought that was really great and so my mom is an extension of our cyber defenders . But the reason I bring this up is again and we talked about this in our prep sessions about to beat one of us , you must beat all of us .
So I wanted to add on a positive note with anything you would like to add as far as collaboration with industry and collaboration across government . So closing remarks Thanks .
I'm a big Chris Inglis fan too , and a cyber plank holder too , and I've always believed that this is not a problem that we can solve on our own . It's got to be a collaborative effort . It's not just a US problem .
It's an international problem and challenge and now more than ever , we need partners and allies that we can work with , collaborate with and defend ourselves against the bad actors and there's no short list of bad actors out there . So we are stronger together and I think , on Chris's line as well , we need all of us to be one of us . It's the way to go .
Yeah , so I had the privilege of working on and off with Chris during his many years at NSA incredible individual , wonderful national leader . And even before that I was saying in public speeches and things like that that each of us can see a lot , but none of us can see as much as we can all see together .
And so that's about bringing together data , bringing together the visibility that each of our organizations has and they're all different to cover the waterfront and see what our adversaries are up to . And once we can see what they're up to , we can defeat them and give them a bad day .
So I will stick with that Bringing our data , bringing our visibility together is what will lead us to being successful against our cyber adversaries .