Bong Gumahad and Chris Henson V1
>> Voiceover: From around the globe, it's theCUBE, covering Space and Cybersecurity Symposium 2020 hosted by Cal Poly.
>> Hello everyone. Welcome to the Space and Cybersecurity Symposium 2020 hosted by Cal Poly and theCUBE. I'm John Furrier, your host. We have a great session here. Space cybersecurity, the Department of Defense perspective. We have Bong Gumahad, Director of C4ISR, Directorate Office of the Under Secretary of Defense for Acquisition and Sustainment for the DOD. And Chris Henson, Technical Director Space and Weapons, Cybersecurity Solutions for the National Security Agency. Gentlemen, thank you for taking the time for this awesome session.
>> Thank you, John.
>> Thank you.
>> So we're going to talk about the perspective of the DOD relative to space cybersecurity. A lot going on, congestion, contention, freedom, evolution, innovation. So Bong, I'd like to have you start with your opening statement on how you see the space cybersecurity perspective.
>> John, thanks for the intro, really appreciate it. First, let me give my thanks to Cal Poly for convening the Space and Cybersecurity Symposium this year. And despite the pandemic, the organization and the content delivery is pretty impressive. I really foot stomping what can possibly be done with a number of these virtual platforms. This has been awesome, thanks for the opportunity. I also want to recognize my colleague, Chris Henson from NSA, who is actually assigned to our staff at the OUSD, but he brings both policy and technical perspective in this whole area. So I think you'll find his commentary and positions on things very refreshing for today's seminar. Now space cybersecurity is a pretty interesting terminology for us all. Cybersecurity means protecting against cyber threats. And it's really more than just computers here on earth. Space is the newest war fighting domain and cybersecurity is perhaps even more of a challenge in this domain than others.
I'm sure Lieutenant General Thompson and Major John Shaw discussed the criticality of this new Space Force, the newest military service, in the earlier sessions, and at the risk of repeating what they already addressed, let me start by talking about what space means to DOD and what we're doing directly from my vantage point as part of the Acquisition and Sustainment arm of the Pentagon. Well, what I want to share with you today is how the current space strategy ties into the National Defense strategy and supports the department's operational objectives. As the director of C4ISR, I have come to understand how the integration of C4ISR capability is a powerful asset to enhance the lethality of the joint war fighter. Secretary Lord, our boss, the Under Secretary for Acquisition and Sustainment is diligent in her pursuit to adapt and modernize acquisition processes, to influence the strategy and to focus our efforts to make our objectives a reality. I think first and foremost, we are building a more lethal force. This joint force will project lethality in contested environments and across all domains through an operationally integrated and resilient C4ISR infrastructure. We are also cultivating our alliances, deepening interoperability, which is very important in a future fight and collaboratively planning with those who partner with us in the fight. Most significantly for our work in acquisition and sustainment, we continue to optimize the department for greater performance and affordability through reform of the acquisition process. Now space is our newest fighting domain. And while it is indeed unique, it shares many common traits with the others, land, air and sea. All are important to the defense of the US. In conflict, no doubt about this, they will be contested and they must be defended. One domain will not win future conflicts and in a joint operation in a future fight and the future conflict, they must all succeed.
I see three areas being key toward DOD strategic success in space. One, developing our whole of government approach in close partnership with the private sector and our allies. Two, prioritizing our investments in resiliency, innovation and adaptive operations. And third, responding rapidly and effectively to leverage emerging technologies and seize opportunities to advance US strengths, partnerships and alliances. Let me emphasize that space is increasingly congested and contested and demanded as essential to lethality, operational effectiveness and the security of our nation. Now the commercialization of space offers a broad set of investments in satellite technology, potential opportunities to leverage those investments and pathways to develop cost efficient space architecture, for the department and the nation. It's funny, there's a new race, a race for space, if you will, between commercial companies vying for dominance of space. Now the joint staff within DOD is currently building an operational construct to employ and engage as a unified force coordinated across all domains. We call it the Joint All Domain Command and Control, JADC2. It is the framework that is under development to allow us to conduct integrated operations in the future. The objective of JADC2 is to provide the war fighter access to the decision making information while providing mission assurance of the information and resilience of the underlying terrestrial, air and space networks that support them. Operationally, JADC2 seeks to maintain seamless integration, adaptation, and employment of our capability to sense, signal, connect, transmit, process, control, direct, and deliver lethal capabilities against the enemy. We gain a strategic advantage through the integration of these capabilities across all the domains, by providing battlespace awareness, force protection, and weapons control and deployment capabilities.
Now, successfully integrating these systems and capabilities will provide our war fighters overwhelming superiority on the battlefield in an environment challenged by near peer adversaries, as well as non-state actors. In space, the character of its employment is changing, driven by increasing demands, not just by DOD, but by the commercial sector as well. You know, more and more we see greater use of small satellite systems to address a myriad of emerging questions, ubiquitous communications, awareness, sensory diversity, and many more. As I said before, the commercial world is pioneering high rate production of small satellites in their efforts to deploy hundreds, if not thousands of nodes. SpaceX Starlink Constellation is one example. Another one is Amazon's Kuiper. Kuiper just received FCC approval to deploy like over 3000 of these different nodes. While a number of these companies continue to grow, some have struggled. Case in point is OneWeb. Nevertheless, the appetite remains strong and DOD is taking advantage of these advances to support our missions. We are currently exploring how to better integrate the DOD activities involving small satellites under the small satellite coordinating activity, scholarly call it. We want to ensure collaboration and interoperability to maximize efficiency in acquisition and operation. When we started this activity over a year and a half ago, we documented over 70 plus separate small sat programs within DOD. And now we've developed a very vibrant community of interest surrounding our small satellites. Now, as part of the work, we have identified nine focus areas for further development. These are common areas to all systems and by continuing to expand on these, our plan is to enable a standard of practice that can be applied across all of the domains.
This includes launch services, ground processing distribution, and of course, a topic of interest to the symposium, space security, and Chris will talk more about that, being that he's the expert in this area. One challenge that we can definitely start working on today is workforce development. Cybersecurity is unique as it straddles STEM and security and policy. The trade craft is different. And unfortunately I've seen estimates recently suggesting a workforce gap in the next several years, much like the STEM fields. During the next session, I am a part of a panel with President Armstrong at Cal Poly, and Steve Jacques, the founder of the National Security Space Association to address workforce development. But for this panel, I'll look forward to having this dialogue surrounding space cybersecurity with Chris and John. Thank you, John.
>> Bong, thank you for that opening statement and yes, workforce gaps, we need the new skill space is here. Thank you very much. Chris Henson's Technical Director of Space and Weapons, Cybersecurity Solutions for the National Security Agency. Your opening statement.
>> Thank you for having me. I'm one of several technical leaders in space at the National Security Agency. And I'm currently on a joint duty assignment at the office of Under Secretary of Defense for Acquisition and Sustainment. I work under Mr. Gumahad in the C4ISR area. But almost 63 years ago, on the 4th of October, 1957, Sputnik was the first artificial satellite launched by the Soviet Union and space history was made. And each of you can continue to write future space history in your careers. And just like in 1957, the US isn't alone in space to include our close partnerships and long-term activities with organizations like the Japanese Space Agency, the European Space Agency and the Canadian Space Agency, just to name a few.
And when we tackle cybersecurity per space, we have to address the idea that the communications, command and control, and that mission data will traverse networks owned and operated by a variety of partners, not only .gov, .mil, .com, .edu, et cetera. We need to have all the partners address the cyber effects of those systems because the risk accepted by one is shared by all. And sharing cyber best practices, lessons learned, data vulnerabilities, threat data mitigation procedures, are all valuable takeaways in expanding the space community, improving overall conditions for a healthy environment. So thank you for having me, and I appreciate the opportunity to speak to you and your audience. And I look forward to the discussion questions, thank you.
>> Thank you, Chris, thank you, Bong. Okay, I mean, open innovation, the internet, you see plenty of examples. The theme here is partners, commercial, government. It's going to take a lot of people and tech companies and technologies to make space work. So we asked my first question, Bong, we'll start with you is what do you see as the DOD's role in addressing cybersecurity in space? It's real, it's a new frontier. It's not going away, it's only going to get more innovative, more open, more contested. It seems like a lot to do there. What's your role in addressing cyber security in space?
>> I think our role is to be the leader in developing not only is it the strategy, but the implementation plans to ensure a full of cybersecurity. If you look at the National Cyber Strategy, I think published in 2018, calls for like-minded countries, industry, academia, and civil society. Once you mentioned John, the support technology development, digital safety policy, advocacy, and research. You here today, and those listening are fulfilling their strategy. When you develop, enable use cyber hygiene products as examples and capabilities, you're pushing the goal to provision.
When you know what's on your network, patch network, backup and encrypt your network, you're hardening and preventing cyber attacks. And we in government, academia, in the case of Cal Poly, civil networks and in commercial companies, we all benefit from doing that. Cyber security, and I think Chris will definitely back me up on this, is more than passwords, encryption or firewall. It's truly a mindset and a culture of enabling mission to succeed in assured and in a resilient fashion.
>> Chris, your take and reaction to the cybersecurity challenge involved here.
>> It's starting really at the highest level of governments. We have, you know, the recent security policy Directive-5 that just came out just a couple of days ago, recognize all the factors of cybersecurity that need to come into play. And probably the most important outcome of that as Mr. Gumahad said, is the leadership role. And that leadership blends out very well into partnership. So partnership with industry, partnership with academia, partnership with other people that are exploring space. And those partnerships blend itself very naturally to sharing cybersecurity issues, topics, as we come up with best practices, as we come up with mitigation strategies, and as we come up with vulnerabilities and share that information. We're not going to go alone in space, just like we're probably not going to go alone in many other industries or areas. That the DOD has to be involved in many spectrums of deploying to space. And that deployment involves, as Mr. Gumahad said, encryption, authentication, knowing what's on the network, knowing the fabric of that network, and if nothing else, this internet of things and work from home environment that we've partaken of these last few months has even explored and expanded that notion even more dramatically as we have people dial in from all over the different locations.
Well, space will be that natural node, that natural next network in measure involvement that we'll have to protect and explore on, not just from a terrestrial involvement, but all segments of it. The comm segment, the space vehicle, and the ground portion.
>> You know, Bong, we talked about this in our other segment around with the president of Cal Poly, but the operating models of the Space Force and of the DOD and getting to space. But it's a software defined world, right? So cybersecurity is a real big issue 'cause you have an operating model that's requiring software to power these low hanging satellites. That's just an extension to the network. It's distributed computing, we know what this is. If you understand what technology we do in space, it's no different, it's just a different environment so it's software defined. That just lends itself well to hacking. I mean, if I'm a hacker I'm going, "Hey, why not just take out a satellite and crash it down or make the GPS do something different?" I mean, it's definitely an attack vector. This is a big deal. It's not just like getting credentials that are cached on a server, you got to really protect.
>> Right, because on one hand, space will carry not only focal national security information, but if you look at the economic wellbeing, the financial state of a lot of countries, institutions, you know, more and more John, they'll be using space assets to make all that happen. So, and if you look at the, you mentioned the attack vectors in space. It's not just the computers in the ground, but if you look at the whole life cycle for satellite systems in space, the tasking that you need to do, the command and controlling of the vehicle, the data that comes down in the ground, even when you launch the birds, the satellites, you know, they all need to be protected because they're all somewhat vulnerable to hacking, to cyber attacks.
Especially as we grow into commercialization of space, it's going to be a lot more people out there playing in this world. It's going to be a lot more companies out there. And, you know, it's hard to track, the potential of foreign influences as an example, and therefore the potential of being vulnerable in terms of the cyber threat.
>> Gentlemen, like you guys said to move on to this leadership role, Bong, you mentioned it. You want to be a leader, I get it, the DOD is Department of Defense, it's a new frontier to defend war time zone, you mentioned war time opportunity potentially. But how do you guys assist that's term hat to getting done? Because there's public and private space operations happening, there's security challenge. What does being a leader mean? And how does the DOD, Department of Defense assist driving the public and private? Do you lead from a project standpoint? Do you lead from a funding standpoint? Is it architectural? I mean, you're talking about now a new end-to-end architecture. It's not just cloud it's on premise, it's in devices, it's offloaded with new AI technology and NICs and devices. It's IOT, it's all this and all new. This is all new. What does it mean for the DOD to be a leader and how do you assist others to get involved? And what does that mean?
>> Yeah, I think the one hand, you know, DOD used to lead in terms of being the only source of funding for a lot of highly developmental efforts. We're seeing a different story in space. Again, I keep going back to the commercialization of space. We're seeing a lot more players, right? So in many ways allies, commercial companies are actually leading the R&D of a lot of different technology. So we certainly want to take advantage of that. So from a leadership standpoint, I think leadership can come in, by partnering a lot more with the commercial companies.
In 2020, the DOD released the Defense Space Strategy, as an example, that highlights the threats, the challenges and opportunities the United States has faced by setting example of how we counter the threats that are out there, not just the DOD, but the civilian and the commercial sector as well. Our current conditions are strong, but we want to use four lines of effort to meet our challenges and capitalize on our desire to state space. Our lines of effort include building a comprehensive military advantage in space, integrating space into national, joint and combined operations, like I mentioned before. Shaping that strategic environment and cooperating with allies, partners in industry and other US governmental departments and agencies to advance the cost of space. To take full advantage of what space can provide us in DOD and the nation.
>> Chris as a domain now, what's your take on all of this? Because again, it's going to take more people, more diverse, potentially more security holes. What's your view on this?
>> Well, let's look at how innovation and new technologies can help us in these areas. So, and mentioned it a couple of topics that you hit on already. One of the areas that we can improve on is certainly in the architecture. Where we look at a zero trust architecture, one of the NIST standards that's come about. Where it talks about the authentication, the need to know a granular approach, this idea of being able to protect, not just data, but the resources and how people can get access to those, whether they're coming in through an identification, authentication credential, or other aspects of the idea of not just anybody should be able to have access to data or anybody should have access once they're on the inside of the network. So that zero trust architecture is one approach where we can show some leadership and guidance. Another area is in a topic that you touched on as well, was in the software area.
So some innovations are coming on very rapidly and strong in this artificial intelligence and machine learning. So if we can take this AI and ML and apply it to our software development areas, they can parse so much information very quickly. And you know, this vast array of software code that's going into system nowadays. And then that frees up our human exquisite talent and developers that can then look at other areas and not focus on minor vulnerability, fix a vulnerability. They can really use their unique skills and talents to come up with a better process, a better way, and let the artificial intelligence and machine learning, find those common problems, those unknown hidden lines of code that get put into a software library and then pull down over and over again from system to system. So I think between an architecture leadership role and employee innovation are two areas that we can show some benefits and process improvement to this whole system.
>> That's a great point, Chris, and you think about just the architectural computer architecture network attached storage is an advantage software defined there. You could have flash, all flash arrays for storage. You could have multiple cores on a device. And this new architecture, offloads things, and it's a whole new way to gain efficiencies. I mean, you got Intel, you got Nvidia, you've got Arm, all the processors all built in. So there's definitely been commercial best practices and benefits to a new kind of architecture that takes advantage of these new things. It's just efficiencies. But this brings up the whole supply chain conversation. I want to get your thoughts on this because there is talk about predatory investments and access and tactics to gain supply chain access to space systems, your thoughts?
>> Yeah, it's a serious threat and not just for the US space supply chain, if you will, is the supply chain you access with large, I think it's a threat that's this real we're seeing today.
I just saw an example recently involving, I think our launch services, where there was a foreign threat that was trying to get into a troop through with predatory investments. So it is something that we need to be aware of, it's happening and will continue to happen. It's an easy way to gain access to do our IP. And so it's something that we are serious about in terms of awareness and countering.
>> Chris, your thoughts? I mean, I'm an open source guy. We've seen it when I grew up in the industry in the '80s open source became a revolution. But with that, it enabled new tactics for state sponsored attacks and that became a domain in and of itself. That's well-documented and people talk about that all the time in cyber. Now you have open innovation with hardware, software connected systems. This is going to bring a supply chain nightmare. How do you track it all? (chuckles) Who's got what software and what device... Where the chip from? Who made it? Just the potential is everywhere. How do you see these tactics? Whether it's a VC firm from another country or this, that, and the other thing, startup, big company--
>> Yeah, so when we see coal companies being purchased by foreign investors, and, you know, we can get blocked out of those, whether it's in the food industry, or if it's in a microchip. Then that microchip could be used in a cell phone or a satellite or an automobile. So all of our industries that have these companies that are being purchased or a large foreign investment influx into those, they can be suspect. And we have to be very careful with those and do the tracking of those, especially when those, some of those parts and mechanisms are coming from offshore.
And again, going back to the Space Policy Directive-5, it calls out for better supply chain, resource management, the tracking, the knowing the pedigree and the quantitative ability of knowing where those software libraries came from, where the parts came from, and the tracking and delivery of that from an end-to-end system. And typically when we have a really large vendor, they can do that really well. But when we have a subcontractor to a subcontractor, to a subcontractor, their resources may not be such that they can do that tracking in mitigation for counterfeits or fraudulent materials going into our systems. So it's a very difficult challenge, and we want to ensure as best we can that as we ingest those parts, as we ingest those software libraries and technologies into the system, that before we employ them, we have to do some robust testing. And I don't want to say that's the last line of defense, but that certainly is a mechanism for finding out do the systems perform as they stated on a test bench or a FlatSat, whatever the case may be, before we actually deploy it. And then we're relying on the output or the data that comes from that system that may have some corrupt or suspect parts in it.
>> Great point, this federal views--
>> The problem with space systems is kind of, you know, is once you launch the bird or the satellite, your access to it is diminished significantly, right? Unless you go up there and take it down. So, you know, kind of to Chris's point, we need to be able to test all the different parts to ensure that is performing as described there, as specified with good knowledge that it's trustworthy. And so we do that all on the ground before we take it up to launch it.
>> It's funny, you want agility, you want speed, and you want security, and you want reliability, and risk management. All aggressive, and it's a technical problem, it's a business model problem.
Love to get real quick before we jump into some of the more workforce and gap issues on the personnel side, have you guys to just take a minute to explain quickly what's the federal view? If you had to kind of summarize the federal view of the DOD and the role with it wants to take, so all the people out there on the commercial side or students out there who are wanting to jump in, what is the current modern federal view of space cybersecurity?
>> Chris, why don't you take that on and I'll follow up.
>> Okay, I don't know that I can give you the federal view, but I can certainly give you the Department of Defense that cyber security is extremely important. And as our vendors and our suppliers take on a very, very large and important role, one area that we're looking at improving on is a cyber certification maturity model, where we look at the vendors and how they implement and employ cyber hygiene. So that guidance in and of itself shows the emphasis of cyber security. That when we want to write a contract or a vendor for a purchase that's going to go into a space system, we'd like to know from a third party audit capability, can that vendor protect and defend to some extent the amount that that part or piece or software system is going to have a cyber protection already built into it from that vendor, from the ground floor up, before it even gets put into a larger system. So that shows a level of the CMMC process that we've thought about and started to employ beginning in 2021 and will be further built on in the out years. How important the DOD takes that. And other parts of the government are looking at this. In fact, other nations are looking at the CMMC model. So I think it shows a concern in very many areas, not just in the Department of Defense, that they're going to adopt an approach like this. So it shows the pluses and the benefits of a cybersecurity model that all can build on.
>> Bong, your reaction.
>> Yeah, I'll just add to that.
John, you asked earlier about, you know, how do we attract commercial entities or people into the space and cyber security domains? I can tell you that at least my view of it, space and cybersecurity are new. It's exciting, it's challenging, a lot of technical challenges there. So I think in terms of attracting the right people and personnel to work those areas, I think it's not only intellectually challenging, but it's important for the defensing and near States. And it's important for economic security at large for us as well. So I think in terms of a workforce and trying to get people interested in those domains, I hope that they see the same thing we do in terms of the challenges and the opportunities it presents itself in the future.
>> Awesome, I loved your talk on intro track there. Bong, you mentioned the three key areas of DOD success, developing a whole government approach to partnership with the private sector. I think that's critical, and the allies. Prioritizing the right investments on resilience, innovation, adaptive operations, and responding to rapidly to effectively emerging technology seem to be fast. I think all those things are relevant. So given that, I want to get your thoughts on the Defense Space Strategy. In 2020, the DOD released the Defense Space Strategy, highlighting threats, and challenges and opportunities. How would you summarize those threats and those challenges and opportunities? What are those things that you're watching in the defense space area?
>> Right, well, I think as I said before, Chris as well, you know, we're seeing that space will be highly contested because it's a critical element in our war fighting construct. To win our future conflict, I think we need to win space as well. So when you look at our near peer adversaries, there's a lot of efforts in China to take that advantage away from the United States. So the threat is real, and I think it's going to continue to evolve and grow.
And the more we use space, for both commercial and government, I think you're going to see a lot more when these threats, some AFAs itself in forms of cyber attacks, or even kinetic attacks in some cases as needed. So, yeah, so the threat is indeed growing, space is congested, as we talked about, it will continually be contested in the future as well. So we need to have, like we do now in all the other domains, a way to defend it. And that's what we're working on within DOD. How do we protect our assets in space, and how do we make sure that the data information that traverses through space assets are trustworthy and free of any interference.
>> Chris, exciting time, I mean, if you're in technology, this is crossing many lines here, tech, society, war time defense, new areas, new tech. I mean, it's security, it's intoxicating at many levels because if you think about it, it's not one thing. It's not one thing anymore. It spans a broader spectrum, these opportunities.
>> Yeah and I think that expansion is a natural outgrowth from, as our microprocessors and chips and technology continue to shrink smaller and smaller. You know, we think of our cell phones and our handheld devices and tablets and so on that have just continued to get embedded in our everyday society, our everyday way of life. And that's a natural extension when we start applying those to space systems, when we think of smallsats and CubeSats and the technology that can be repurposed into a small vehicle, and the cost has come down so dramatically that, you know, we can afford to get rapid experiments, rapid exploitations and different approaches in space and learn from those and repeat them very quickly and very rapidly.
And that applies itself very well to an agile development process, DevSecOps, and this notion of spins and cycles and refreshing and re-addressing priorities very quickly so that when we do put a new technology up, that the technology is very lean and cutting edge, and hasn't been years and years in the making, but it's relevant and new. And the cybersecurity and the vulnerabilities of that have to be addressed and allow that DevSecOps process to take place so that we can look at those vulnerabilities and get that new technology and those new experiments and demonstrations in space and get lessons learned from them over and over again.
>> Well, that brings us to the next big topic. I want to spend the remainder of our time on, that is workforce, this next generation. If I wasn't so old, I would quit my job and I would join immediately. It's so much fun, it's exciting, and it's important. And this is what I think is a key point is that cybersecurity in and of itself has got a big gap of shortage of workers, never mind adding space to it. So this is the intersection of space and cybersecurity. There is a workforce opportunity for this next generation, young person to person re-skilling, this is a big deal. Bong, you have thoughts on this? It's not just STEM, it's everything.
>> Yeah, it's everything, you know, the opportunities we have in space, it's significant and tremendous. And I think if I were young again, as you pointed out, John, you know, I'm lucky that I'm in this domain in this world and I started years ago, but it continues to be exciting, lots of opportunities, you know. When you look at some of the commercial space systems are being put up, if you look at, I mentioned Starlink before and Amazon's Kuiper Constellation. These guys are talking about couple of thousand satellites in space to provide ubiquitous communications for internet globally, and that sort of thing. And they're not the only ones that are out there producing capability.
We're seeing a lot more commercial imagery products being developed by companies, both within the US and foreign elements as well. So I think it's an exciting time to be in space. Certainly lots of opportunities. There's technical challenges galore in terms of not only the overcoming the physics of space, but being able to operate flexibly and get the most you can out of the capabilities we have operating up in space. >> Besides being cool, I mean, everyone looks at launch of space gets millions of views on live streams, the On-Demand reruns get millions and millions of views. There's a lot of things there. So, Chris, what specifically could you share are things that people would work on? Jobs, skills, what's the aperture? What's it look like if you zoom out and look at all the opportunities from a scale standpoint, what's out there? >> I'll talk to the aperture, but I want to give a shout out to our Space Force. And I mean, their job is to train and equip each air space and that space talent. And I think that's going to be a huge plus up to have a Space Force that's dedicated to training, equipping, an acquisition and a deployment model that will benefit not just the other services, but all of our national defense and our strategic way of how this company, country employs space altogether. So having a Space Force, I think, is a huge issue. And then to get to that aperture aspect of what you're asking and that addresses a larger workforce, we need so many different talents in this area. We can employ a variety of people from technical writers, to people who write and develop software to those who bending metal and actually working in a hardware environment. And those that do planning and launch operations and all of those spectrums and issues of jobs, are directly related to a workforce that can contribute to space. 
And then once that data gets to the ground and employed out to a user, whether it's a weather data, or we're looking at from a sensor, recent events on shipping lanes, those types of things. So space has such a wide and diverse swath that the aperture's really wide open for a variety of backgrounds. And those that really just want to take an opportunity, take a technical degree, or a degree that can apply itself to a tough problem, because they certainly exist in space. And we can use that mindset of problem solving, whether you come at it from a hacker mindset, an ethical, white hat approach to testing and vulnerability exploration. Or somebody who knows how to actually make operations safer, better through space situation awareness. So there's a huge swath of opportunity for us. >> Bong, talk about the cybersecurity enabled environment, the use cases that are possible when you have cybersecurity in play with space systems, which is in and of itself, a huge range of jobs, codings, supply chain, we just talked about a bunch of them. There's still more connected use cases that go beyond that, that are enabled by it, if you think about it. And this is what the students at Cal Poly and every other college and university, community college, you name it, who are watching videos on YouTube. Anyone with a brain can jump in if they see the future. It's all net new. Space Force is driving awareness, but there's a whole slew of these new use cases that I call space enabled by cyber secure systems. Your thoughts? >> Absolutely, I had planned on attending the Cyber Challenge that Cal Poly had planned in June. Of course, the pandemic took care of that plan, but I was intrigued by the approach that the Cal Poly was taking with middle school and high school kids of exposing them to a problem set. 
Here, you have a satellite that came down from space and part of the challenge was to do forensic analysis on the debris, the remaining pieces of the satellite to figure out what happened. It had a cybersecurity connotation. It was hacked, it was attacked by cyber threat nation, took it down. And the beauty of having these kids kind of play with the remaining parts of the satellite, figure out what happened. So it was pretty exciting. I was really looking forward to participating in that, but again, the pandemic kind of blew that up, but I look forward to future events like that, to get our young people intrigued and interested in this new field of space. Now, Chris was talking earlier about opportunities, there're opportunities that you talk about, while I would like to have people come to the government, to help us out, it's not just focused on government. There's lots of opportunities in commercial space, if you will, for a lot of talent to participate in. So the challenge is immense, both government and the commercial sector, John. >> I mean, you get the hardcore, you know, I want to work for the DOD, I want to work for NSA, I want to work for the government. You clearly got people who want to have that kind of mission. But for the folks out there, Chris and Bong that are like, "Do I qualify?" It's like the black box of the DOD, it's like a secret thing, you got to get clearance, you've got to get all these certifications. And you got to take all kinds of tests and background checks. Is it like that, and will that continue? 'Cause some people might say, "Hey, can I even get involved? What do I do?" So I know there's some private partnerships going on with companies out there in the private sector. So this is now a new, you guys seem to be partnering and going outside the comfort zone of the old kind of tactical things. What are some of those opportunities that people could get involved in that they might not know about? 
>> For NSA, there's a variety of workforce initiatives that for anybody from a high school work study can take advantage of to those that would like to have internships. And those that are in a traditional academic environment, there's several NSA schools across the country that have academic and cyber sites of excellence that participate in projects that are shepherded and mentored by those at NSA that can get those tough problems that don't have maybe a classified or super sensitive nature that can be worked in an academia environment. So those are two or three examples of how somebody can break into an intelligence organization. And the other agencies have those opportunities as well across the intelligence community. And the partnership between and collaboration between private industry and the agencies and the Department of Defense just continue to grow over and over again. And even myself being able to take advantage of a joint duty assignment between my home organization and the Pentagon, just shows another venue of somebody that's in one organization can partner and leverage with another organization as well. So I'm an example of that partnering that's going on today. >> So there's some innovation. Bong, nontraditional pathways to find talent, what are out there, what are new? What are these new nontraditional ways? >> I was going to add to what Chris was mentioning, John. Even within DOD and under the purview of our chief information officer, back in 2013, the Deputy Secretary Defense signed the, what we call the DOD Cyberspace Workforce Strategy into effect. And that included a program called the Cyber Information Technology Exchange Program. It's an exchange program in which a private sector employee can work for the DOD in cyber security positions span across multiple mission critical areas. So this is one opportunity to learn, inside the DOD what's happening as a private sector person, if you will. 
Going back to what we talked about, kind of opportunities within the government for somebody who might be interested. You don't have to be super smart, dork in space, there's a lot of, like Chris pointed out, there's a lot of different areas that we need to have people, talented people to conduct the mission in space. So you don't have to be mathematician. You don't have to be an engineer to succeed in this business. I think there's plenty of opportunities for any types of talent, any type of academic disciplines that are out there. >> All right, thank you, and Chris's shout out to the Space Force is really worth calling out again, because I think to me, that's a big deal. It's a huge deal. It's going to change the face of our nation and society. So super, super important. And that's going to rise the tide. I think it's going to create some activation for a younger generation, certainly, and kind of new opportunities, new problems to solve, new threats to take on, and move it on. So really super conversation, space and cybersecurity, the Department of Defense perspective. Bong and Chris, thank you for taking the time. I'd love you guys just to close out. We'll start with you Bong and then Chris. Summarize for the folks watching, whether it's a student at Cal Poly or other university or someone in industry and government, what is the Department of Defense perspective for space cybersecurity? >> Chris, want to go and take that on? >> That's right, thank you. Cybersecurity applies to much more than just the launch and download of mission data or human led exploration. And the planning, testing, and experiments in the lab prior to launch require that cyber protection, just as much as any other space link, ground segment, terrestrial network, or user data, and any of that loss of intellectual property or proprietary data is an extremely valuable and important, and really warrants cyber security safeguards. 
In any economic espionage, your data exfiltration, or denied access to that data, i.e. ransomware or some other attack, that can cripple any business or government endeavor, no matter how small or large, if it's left unprotected. And our economic backbone clearly depends on space. And GPS is more than just a direction finding, banking needs that T and timing from P and T or whether it just systems that protect our shipping and airline industry of whether they can navigate and go through a particular storm or not. Even fighting forest fires picked up by a remote sensor. All those space assets require protection from spoofing, data denial, or total asset loss. An example would be if a satellite's sensitive optics were intentionally pointed at the sun and damaged, or if a command to avoid collision with another space vehicle was delayed or disrupted or a ground termination command as we just saw just a few days ago at T minus three seconds prior to liftoff, if those all don't go as planned, those losses are real and can be catastrophic. So the threat to space is pervasive, real and genuine, and your active work across all those platforms is necessary and appreciated. And your work in this area is critical going forward. Thank you for this opportunity to speak with you and talking on this important topic. >> Thank you, Chris Henson. Bong Gumahad, closing remarks? >> Yeah, likewise, John, again, as Chris said, thank you for the opportunity to discuss this very important around space cybersecurity, as well as addressing at the end there, we were talking about workforce development and the need to have people in the mix for future. (indistinct) We discussed, we need to start that recruiting early as we're doing to address the STEM gap today, we need to apply the same thing for cybersecurity. We absolutely need smart and innovative people to protect both our economic wellbeing as a nation, as well as our national defense. 
So this is the right conversation to have at this time, John. And again, thank you and Cal Poly host for having this symposium and having this opportunity to have this dialogue. Thank you. >> Gentlemen, thank you for your time and great insights. We couldn't be there in person. We're here virtual for the Space and Cybersecurity Symposium 2020, the Cal Poly. I'm John Furrier with SiliconANGLE and theCUBE, your host. Thank you for watching. (soft music)
Susie Wee, Cisco DevNet | Cisco Live US 2019
>> From San Diego, California, it's theCUBE, covering Cisco Live US 2019, brought to you by Cisco and its ecosystem partners. >> Welcome back to theCUBE. We are live at Cisco Live in San Diego. Sunny San Diego. Lisa Martin with Dave Vellante, and Dave and I are super geeking out here. Susie Wee is with us, back with us, SVP and CTO of DevNet. Susie, welcome back. >> Thank you. It's great to be back. >> So this event is massive. Cisco's been doing customer and partner events for 30 years now. What started as Networkers, we now know as Cisco Live. Something else you might not know that's also 30 years old, Susie: the movie Field of Dreams. >> Wow, uh, kind of feels like the field does kind of feel like that that are one >> years yes, only five years. This has been so influential in Cisco's transition and transformation. You've got nearly 600,000 members in this community. DevNet Zone. It's jam packed yesterday, today. Expect tomorrow as well? Yes, and you guys made simple, really exciting announcements. Yes, we didn't tell us >> about it, so it's fantastic. >> So basically what happens is the network has gotten very powerful. It has gotten very capable. You know, you can do intelligence, machine learning, you can do intent-based networking. So instead of the network just being a pipe, you can actually now use it to connect users, devices, applications, use policy to make sure they're all connected securely. There's all sorts of new things that you could do. But what happens is, while there's all that new capability, it's in order to take advantage of it. It takes more than just providing new products and new technology. So our announcements are basically in two areas and we call it, it's like unleashing the capabilities of the new network, and by doing it in two ways. So one is by bringing software practices to networking. 
So now that it really is a software-based, programmable network with all of these capabilities, we want to make sure that practice of software comes into networking, and then the other is in the area of bringing software skills to networking because you need the right skills to be able to also take advantage of that. So if I just jump right into it, so the first one in terms of bringing software practices to networking. We've announced something that we call DevNet Automation Exchange. And so what happens is, you know, of course, our whole community builds networks. And as businesses have grown, their networks have grown right and they've grown and grown business has grown growing, grown right, and then it's become hardest, become unmanageable. So while you say there's all these great new technologies, but these things have grown in their way, so our customers' biggest problem is actually network automation like, how do I take my network? How do I bring automation to it? There's all the promise of it, and DevNet Automation Exchange is built to basically help our community work towards network automation, so it's a community based developer center. What we say is that we're helping people walk, run and fly with network automation. By walking, we're saying, OK, there's all these cool things you could do, but let's take it in three steps like first of all is let's walk. So first, just do a read-only thing like get visibility, get insights from your network, and you can be really smart about it because you can use a lot of intelligence predictive modeling. You can figure out what's going on. So that alone is super valuable. >> Get the data. >> Get the data, learn. And then next is, okay, I'm ready to take action. Like so. Now I've learned I'm ready to take action, apply a network policy, apply a security policy, put controls into your network. That's you know. 
So, uh, walk, run, and then when you're ready to fly is when you're saying okay, I'm going to get into the full DevOps loop with my network. I'm going to be gathering the insights. I'm going to be pushing in control. I'm now optimizing managing my network as I go. So that's the whole slice it. So the wing fact, we want to go to them the walk, run, fly. >> And if I understand from reading your blog, great blog, by the way, >> Thank you. >> A lot of executives write blogs and it's kind of short of yours is really substantively like, Wow, that was >> really something on. That's No, >> But if I understood correctly, you're gonna prime, Cisco was gonna prime the pump as well, yeah, with a lot of ideas and code, and, yes, and then engineers can share theirs if they so choose. >> Exactly. So the key part of Automation Exchange beyond helping people take these areas. The question is, how are we going to help them? Right? So what happens is what we've been doing with DevNet. We've been helping people learn to code, you know, in terms of networkers, we've been helping bring software developers into the community. We've been helping them learn to use APIs, all the good stuff a developer, a good developer program should do. But what our networkers have said is I need help solving use cases. I need help solving the problems that I'm trying to solve, like how to get telemetry and monitoring, how to get telemetry and insights from my network. How do I offer a self serve network service out to my, you know, customers, line of business developers, you know, how do I automate at scale. And so what happens is there's a you know there's an opportunity or a gap between the products and APIs themselves and then solving these use cases, so we are now opening up a code repository, DevNet Automation Exchange, where the community can develop software that actually solves those use cases. And Cisco is going to curate it. It's just going to be code on GitHub. 
We'll make sure that it has the right, you know, licenses that, you know, we do some tests and it's working well with the APIs, and then we're hoping it's going to become. We're hoping, you know, kind of the industry's leading network automation code repository to solve these problems. >> Well, it's this key because big challenge that customers tell us that they have with automation is they got all these bespoke tools. None of them work together. So do you think something like this exchange can help solve that problem? >> It can. I believe it can. So the reason being is that you know, there are tools that people use and everybody's environment's a little different. So some might want to integrate in and use Ansible, Terraform, you know, tools like that. And so then you need code that'll help integrate into that. Other people are using ServiceNow for tickets. So if something happens, integrate into that. People are using different types of devices, hopefully mostly Cisco, but they may be using others as well. We can extend code that goes into that. So it really helps to go in different areas. And what's kind of cool is that there's an amount of code that where people have the same problems, you know, you know, you start doing something. Everyone has to make the first few kind of same things in software. Let's get that into exchange. And so let's share that. There's places where partners are gonna want to differentiate. Keep that to yourselves, like use that as your differentiated offer. And then there's areas where people want to solve in communities of interest. So we have someone who does networking, and he wants to do automation. He does it for power management in the utilities industry. So he wants a community that'll help write code that'll help for that area, you know, So people have different interests, and, you know, we're hoping to help facilitate that. 
Because Cisco actually has a great community. We have a great community that we've been building over the last 30 years. They're the network experts, they're solving the real problems around the world. They work for partners, they work for customers, and we're hoping that this will be a tool to get them to band together and contribute in a software kind of way. >> So as the community begins to understand network automation and, I like your pathway of walk, run, fly, what are some of the projected business outcomes that any industry, whether it's utilities or financial services, will be able to glean from network automation. I can imagine how expensive from an OPEX perspective it is, all this manual network management. So what are some of the things that you're projecting in the future that businesses who adopt this eventually are going to be able to re >> Absolutely, I mean, just, you know, very simple. Well, so many, so many things. So, uh, in the in the case of, let's say manufacturing, because you're talking about different industries? So there's a whole opportunity of connected manufacturing, right? So how do I get all of those processes connected, digitized, and right now, right, things are being pretty much run in their way. But if you can really connect them in, digitize them. Then you can start to glean business insights from them. Right? Should I speed up? How's my supply chain doing, where my parts, where's my inventory? Everything. You get all of that connected. That is like a huge business implications on what you can do. >> You can start getting the flywheel effect around all that data. >> Exactly. >> So I've always been fascinated that you see the DevNet Zone and there's these engineers, CCIEs, saying, Okay, I want to learn more. I want to learn how to code. Numbers keep growing and growing and growing. And so you've got new certifications. Now that you're >> out of that was, >> this is huge. 
You need to talk about that, >> Yes, so that, you >> know, kind of the second part of our thing is like how we're bringing software skills to networking. So to get you know, the most of all this opportunity, you do need software skills. And of course, that's what DevNet was originally founded on, is really helping people to build those skills. But we've kind of graduated to the next level because we've teamed up with the Learning@Cisco team, which creates Cisco's certification program. Cisco has, you know, an amazing certification program. So the CCIE is the gold standard in certifications and you know networkers around the world have that CCIE status, partners have built up. They pay people for that. You know any customer who's deploying networks, they will hire the CCIEs. So that was founded in 1993. The first CCIE, and that program in the next 26 years has grown to what it is. And what we've done is we've teamed up with them to now add a DevNet certification. So we're bringing in software skills along with the networking skills so that we have the Cisco certifications, the Cisco DevNet certifications sitting side by side and you know we believe it. You know, right now the people who you've seen in the DevNet Zone are the ones who know what's important. They come in, they're doing it. But they said, I want credit for what I'm doing. Like I get credit, I get a raise, I get bonuses. My job level depends on my networking certifications. I'm doing this on my nights and weekends, but I know it's important. And now, by bringing this into the program, my company can recognise this. I'm recognized as a professional for my skills. It helps in all sorts of ways. >> So go ahead. Please >> I think this just sounds way more to me than the next step in DevNet. It sounds like it's a revolution. >> It's a revolution. >> First addition in 26 years, that's bay >> now. I mean, there have been changes in the program, but it's the biggest change in those 26 years. 
Absolutely. And you know, like we'll see what what happens. But I think it is, ah, step change in a revolution for the industry because we're recognizing that networking skills are important and software skills are important and critical. And if you want to build a team that can compete, that can really help your company succeed, you're gonna want both of these skills together in your organization. And I believe that that's going to help accelerate the industry, because then they can use all of these tools, right? So right now an IT department can either hold the company down or accelerate a company to success because the question is, how quickly can you help someone adopt cloud? How can they do multi cloud? How can they innovate at software speeds? And now we're here, hopefully catalyzing the network industry to be able to work at that speed. >> I was joking. You wanna be the Department of No or the Department of Go? Let's go. So is being a CCIE a prerequisite to the DevNet certificate? It's not? Okay, so it's not linear. So you're getting CCIEs obviously lining up to get certified, you see them here. So you could get kids out of college saying, Okay, I want in. >> Absolutely. And so the way that it works is that, um so actually you could. So what we have with the Cisco certifications for both the DevNet as well as the original Cisco certification path is that there's an associate level, which means you have about a year's working experience. You know enough. So CCNA, Cisco Certified Network Associate. They know enough about networking so that they can learn the fundamentals of networking and then be effective as part of a team that runs networks. So that's what that certification does for you. We also now have a DevNet Associate, which is ensuring that you have the software skills that you can also enter a team that's writing software applications or doing automated work flows for a network. And we have to know that all developers are not created equally. 
So just 'cause you wrote a mobile app doesn't mean that you can write software for, you know, running operational network. So the DevNet Associate is more like you need to be able to securely use APIs, right? So there's a lot of things that are within that. And then we have the professional and the expert levels. Um, and we have it on both sides now. Originally, we were thinking that there's the network engineer path. We're going to sprinkle a little software in there, and we'll have the DevNet path for a software developer, and it would be its own path. But we got feedback as we started presenting to our partners and to our customers. And then they're like, No, this cannot be separate people. It's like it needs to come together. And so then we changed our how we thought about it, and we said that there's a set of engineering certifications and there's a set of software certifications. Anybody can get what they want, and you can start to combine them in very interesting ways. >> I could put together my own career mosaic. >> Absolutely, so if you said, You know what? I am going to be that kick-ass networker. And if we have the unicorn of like and I'm going to you know over time, we're going to offer DevNet Expert in the future. I said, I'm going to be a CCIE expert in the future. Be a DevNet Expert. That's awesome. But we're not forcing folks to do it, because maybe you're going to be a CCIE, get a DevNet Associate so that you can speak the language of software and know what it does. But then you'll sit alongside a developer, and you guys will be able to speak the same language together. And we also make sure that our developers learn a bit about networking. So if you look at that associate, it's kind of 80/20 networking software, the other one's 80/20 software and networking so that they can actually work and talk to each other. 
>> So looking at these big waves that we're riding right now in compute and network with 5G, WiFi 6, edge, a prize anywhere, how is DevNet and the certification that you've just unleashed into the world? How is it going to enable not just the community members. Yes, who helped accelerate. Companies take advantage of some of these big waves. But how is it going to help drive Cisco's evolution? >> And so and you bring up a great distinction, which is as we talk about a new set of applications. And we talked about this at DevNet Create when you were there, is that app developers, if they understand the capabilities of the network, they can actually write an entirely new set of applications. Because you know, 5G, WiFi 6 are better. If you understand edge computing and the opportunity there, you know a networker will install a network that can host apps that makes edge computing real. So there's another reason for the app developer community to come together with the networkers. So when we talk about now, how does this help Cisco is, well, first of all, it takes all of the networkers that are out there, and it ensures that they're getting to that next level so that you're really fully using those capabilities in that network, which can then accelerate business, you know. So it really is. The new capabilities are entirely different way to look at networking that really do tie and drive business. And the other is the other part we're talking about is those app developers that come in and write great applications can come in and now really be connected and actually use that whole network infrastructure and all its capabilities. So that really ties us to more kind of, you know, instead of a networker going in instead of going in and selling network kit and then figuring out the line of business things separately, you can bring those applications into our ecosystem and into our offerings. 
So it's an integrated offering like here's a connected manufacturing offering that includes what you need to connect as well as third party applications that are great for the manufacturing industry. And now you're looking at selling that whole solution >> and applications that we haven't even thought of. I remember in Barcelona walking into the IoT Zone and seeing some programmable device from a police car on a camera. And, yes, some of these guys could just they're going to create things that we definite create, haven't even conceived, so you're creating sort of this new role. To me, it's like DBA, you know, CCIE, it's now this new DevNet creator in a role that is going to have a lot of influence in the organization because they're driving value right there, going to bring people with them. People going to say, Oh, I want that. So now you think you're going to stand in Barcelona? The number of people that you've trained, I don't know, make many tens of thousands. I mean, where we have today with >> hundreds of thousands, wait half 1,000,000 5 100,000 Last year were at six >> 100,000. This was going 100,000 organic new members over the last year. So >> people here over half 1,000,000 now. >> Yeah. Yeah. So unbelievable. Yep, definitely So I know it's great. And just people are interested, right? So people are interested. People are learning, you know? And that's what makes it, you know, interesting to me is people are finding value in it, and they're coming. So I think that, you know, kind of DevNet in the last five years has been kind of like an experiment, right? So it's just like, is the industry ready? Like do networkers really want to learn about software. What air? That we've been kind of priming it. And, you know, by now getting to this next level, you know, just the certifications. 
What we have learned from all of that is that it's really and that, you know, with the new capabilities in the network, we can really take our community and our bring new people into our community to make that opportunity really, and to drive business from the network. >> Everybody wants the code >> had they dio and some >> people >> are scared. Actually, some people are very scared. >> You mean intimidated, >> intimidated, intimidated. Yes. So there's the set of people who've come in early, right? And they're the ones who you've seen in the DevNet Zone. But everybody, of course, they start out scared. But then right after they get over that fear, they realize this really is a new future. And so then they start jumping in, and so it's both fear and then opportunity. >> Then they're on strike. That's what it's all about, Yang. And absolutely, I could do this for my business and >> absolutely, I would love to know the end that near future, how many different products and services and maybe even companies have been created from the DevNet community for springing all these different Pittsburgh folks together. Imagine the impact >> it is. I mean, like, one really small things. You've been with us at our little DevNet Create conference is we have something there that's called Camp Create, which is where they spend a week hacking, right? So and this It's kind of sometimes our most serious attendees because they're choosing to code for the week is what you know as well as to attend. We didn't really add it all up yet. But what we found is there's about 25 to 30 people who attend. Met a bunch of them got promoted in that year. Wow. So in different ways, you know, not in ways that are necessarily connected but in their own ways, like in their company. This person got promoted to this to this one area. This other person, one person was a contractor. They got converted to a, you know, full time employee. So you know, we have to go and do the math on it. 
But what's amazing is that you know it just you know that bring that fills our hearts. >> It's organic too. Well, Susie, we thank you so much for joining David and me on theCUBE. You're going back with me tomorrow. And some guests. I'm looking forward to that. Excellent. Yes, Absolutely. More, More great stars. >> You're dual co-hosting a >> way. I didn't know that. No way. But I'll turn. I'll be the host as well, I try something new. Way we're >> gonna have fun. I am looking forward to it. Thank you >> so much. And thank you for being with us in our whole vision of DevNet from the beginning. So thank you. >> It's been awesome. All right. We want to thank you for watching theCUBE. For Dave Vellante, I'm Lisa Martin. We will catch you right back with our last guest from Cisco Live in San Diego.
ENTITIES
Entity | Category | Confidence |
---|---|---|
David Lantana | PERSON | 0.99+ |
David Ayer | PERSON | 0.99+ |
Lisa Martin | PERSON | 0.99+ |
David | PERSON | 0.99+ |
CNN | ORGANIZATION | 0.99+ |
Susie Wee | PERSON | 0.99+ |
Susie | PERSON | 0.99+ |
Cisco | ORGANIZATION | 0.99+ |
1993 | DATE | 0.99+ |
San Diego | LOCATION | 0.99+ |
FBI | ORGANIZATION | 0.99+ |
Dante | PERSON | 0.99+ |
Barcelona | LOCATION | 0.99+ |
30 years | QUANTITY | 0.99+ |
San Diego, California | LOCATION | 0.99+ |
tomorrow | DATE | 0.99+ |
CIA | ORGANIZATION | 0.99+ |
First | QUANTITY | 0.99+ |
Last year | DATE | 0.99+ |
yesterday | DATE | 0.99+ |
five years | QUANTITY | 0.99+ |
San Diego | LOCATION | 0.99+ |
two areas | QUANTITY | 0.99+ |
The Field of dreams | TITLE | 0.99+ |
both sides | QUANTITY | 0.99+ |
first | QUANTITY | 0.99+ |
both | QUANTITY | 0.99+ |
last year | DATE | 0.98+ |
26 years | QUANTITY | 0.98+ |
hundreds of thousands | QUANTITY | 0.98+ |
six | QUANTITY | 0.98+ |
one person | QUANTITY | 0.98+ |
tens of thousands | QUANTITY | 0.98+ |
Cisco DevNet | ORGANIZATION | 0.98+ |
today | DATE | 0.98+ |
second part | QUANTITY | 0.97+ |
C C | TITLE | 0.97+ |
nearly 600,000 members | QUANTITY | 0.97+ |
Francisco | PERSON | 0.96+ |
Pittsburgh | LOCATION | 0.96+ |
Get Hub | ORGANIZATION | 0.95+ |
three steps | QUANTITY | 0.95+ |
about 25 | QUANTITY | 0.95+ |
30 people | QUANTITY | 0.93+ |
G WiFi six s | COMMERCIAL_ITEM | 0.93+ |
Definite | ORGANIZATION | 0.92+ |
30 years old | QUANTITY | 0.92+ |
over half 1,000,000 | QUANTITY | 0.92+ |
Suzy | PERSON | 0.92+ |
Sisko | ORGANIZATION | 0.92+ |
one area | QUANTITY | 0.9+ |
half 1,000,000 | QUANTITY | 0.89+ |
1st 1 | QUANTITY | 0.87+ |
US | LOCATION | 0.83+ |
Cisco Live | EVENT | 0.83+ |
Teo Code | ORGANIZATION | 0.82+ |
last five years | DATE | 0.81+ |
i o. T Zone | LOCATION | 0.78+ |
last 30 years | DATE | 0.78+ |
about a years | QUANTITY | 0.78+ |
a week | QUANTITY | 0.77+ |
Department of Go | ORGANIZATION | 0.77+ |
first few | QUANTITY | 0.75+ |
C C. A | TITLE | 0.74+ |
100,000 | QUANTITY | 0.72+ |
100,000 organic new members | QUANTITY | 0.72+ |
one > | QUANTITY | 0.72+ |
Khun Dio | ORGANIZATION | 0.71+ |
Barker | ORGANIZATION | 0.69+ |
Camp Create | ORGANIZATION | 0.67+ |
prime | COMMERCIAL_ITEM | 0.67+ |
David McCurdy, State of Colorado | Commvault GO 2018
>> Announcer: Live from Nashville, Tennessee, it's theCUBE. Covering Commvault GO 2018. Brought to you by Commvault. >> Welcome back to Nashville, Tennessee. This is Commvault GO, and you are watching theCUBE. I'm Stu Miniman, with my co-host Keith Townsend. Happy to welcome to the program, this is a user conference, so we love digging in with the users. I've got David McCurdy, who's the CTO from the great state of Colorado. Thanks so much for joining us. >> Great to be here. It's a great event, I'm happy to be here. We're here to evangelize the great work Colorado's been doing, with Commvault, and just in general. >> Alright great, so we're from Chicago, Boston, and Colorado, Denver. So we're not going to talk football, but tell us a little bit about, you know, you're CTO, love talking to the CTOs. What's your technology charter? Give us a little bit of the thumbnail, as to kind of, you know, what divisions you support, how many people you have, that sort of thing. >> Yeah, so the way the state's set up is I work underneath the Governor. We're an office of the Governor, so it's actually the Governor's Office of Information Technology. We support all the traditional branches of government, that people think of, in terms of agencies, like the Department of Health and Human Services, Medicaid, Department of Corrections, DMV, Department of Revenue. So all the big agencies all fall under our department. And then about 800 of the 900 staff inside of OIT report to me directly. And that's all the infrastructure and application stacks, all the strategy. Chief Data office, Chief Transformation office. A lot of responsibility, lots of fun, lots of long weekends, but it's been a good row for the last four years. >> David before we dig into some of the data protection stuff, I love, you talk about innovation. You talk about technology transformation. 
First of all, IT in general, and government specifically, often get, you know, labeled with the, oh well they do things the old way, and they've got no budgets, and they never make any changes. I've had some great case studies. I've talked with people in roles like yours, so give us a little bit of, what's it like to be working under state government this day and age, with 2018, with technology. >> It's very exciting. It's very exciting to work for Colorado specifically. I don't know if it translates to all other states. I've talked to other CIOs and CTOs around the country, but we have a very supportive governor. He just announced his campaign to run for president, maybe, we'll see how that goes. But outside of that, he's very innovative. He took a business trip to Israel, came back, and set up a cyber security lab in the state, because he thinks there's a major need for more cyber security and those disciplines. In Colorado, today, we're running negative 14% unemployment for security jobs, so it's just, huge opportunity. Outside of that, my boss, Suma Nallapati, is state CIO. Right underneath him, is all about innovation. How can we make Colorado number one in everything we do. And that's really the goal. What the governor said, the way he talks about technology, he wants technology to be elegant. That's not word you hear a lot. But when you think about that and apply it to technology, there's a very specific outcome you're trying to get out of that. >> Alright, well David, at this show, we're all talking about data. And everybody's, you know, it's what can I do with my data? And how do I make sure that things don't get wrong? Well, anybody that's been in the IT for a while is, Murphy's Law sometimes does play out. So you've actually had a couple of experiences. Some good things you've learned, but some challenges that you had, maybe share with us what happened. 
>> Yeah, I mean one of the things I'm here to talk about is we kicked off an initiative called Backup Colorado. And what it was is, it was consolidating all the backup and recovery services for all those agencies I just named, plus some more, right. Monster project, monster task. It was all born out of a major data failure the state had. We were a fairly new organization. We were immature. We were still running things in a siloed environment. Most of the country, most large organizations have gone down the IT consolidation path. We were a few years down the road, and we got hit with a major data loss event. And it was specific to marijuana data, which makes some people smile, some people frown, but it's a very interesting topic. It wasn't interesting to lose customer data though. I don't care if you're a private organization, or a public organization, this was real data loss. And it highlighted the need for a focused approach to solving those problems. So we went about just kind of transforming the whole space. First, put a proposal on the table. Going to the general assembly. Going to the Governor saying, this is what we need to do. They signed off on it, and then we implemented it, right. We got tens if not hundreds of people together around the state. We coordinated agencies. We got people on board that didn't want to be on board. They liked the silo approach. They liked their agencies doing their own thing. But you can't do anything right 16 different ways. You don't have to do it one way, but it can't be 16. But we took a standardized approach, and we worked with Commvault as our partner to deploy a complete backup and recovery system for the state. Highly successful project. Rolled out, standardized. Everything you could want. While we're doing that, we are completely changing our application and infrastructure stacks. We are consolidating all of our servers into three data centers in the state. We're bursting into the cloud. 
We're replatforming on software as a service. You know, all those. I'm responsible for each one of those stacks. My guidance was just go and change the world, right. In a very non-senile way, we went out there, and we were like, how can we do this thoughtfully. How can we do it, but push, blaze new trails, that type of thing. And the story that I've been sharing is, we got to see the end results of that. What kicked it off, was a public disaster, but the state was hit with a ransomware attack. Very targeted, very coordinated. They hit one of our larger agencies. We had good security in place, but there's always stuff that can happen, as you've kind of alluded to. And because of this project, because of the team coordinated effort, because of the technology, because of the stuff we were leveraging, we were able to bring that agency back whole. Which a lot of organizations cannot say. A lot of the technologies cannot say, with as many systems that were impacted for the time period they were, to bring that agency back whole, and actually have the executive director of that agency, doing very similar conversations as we're doing now. How can DOTs around the country, roll out a plan very similar to this? >> Well David, people process technology, you guys are changing processes, you're changing technology, extremely disruptive. Talk about the impact on your people. What mindset, or what changes did you have to make organization wide. 800 people was a lot of people to get in line. What did you start, what did you do? What was successful, well not so much. >> Well first I had to get my customers on board, right. And compelling events helped bring customers on board. I don't think that's the best way of doing it, but always leverage a compelling event. In this case, we had a compelling event. We had the onus from our executive branch and a legislative branch. So we had the hammer if we needed it to get it done. The team actually came together. We ran a very successful RFP. 
We baked off competitors in the space. And it was a beautiful thing to see all my server engineers, all my desktop guys, all my database guys and gals comin' in and working together to make this project happen. I didn't have to sell them on it. They came to me and said, we think this is the best technology stack for the state. When I recognized, when I heard them, they all got on board and we were able to roll it out. And so I think it was that team approach, not top down, but you know, let's all come together and find the right thing for the state. I think that was why it was so successful. It was a team approach, and we had executive buy-in, we were able to get it done. >> You talked about how Commvault helped with that transition, 16 different backup products, if the state was like any other organization, there's at least 15, 16 different backup products, people like what they use. And transitioning to something new requires training, support. How did Commvault help you guys in that transition? >> You know, they were a great partner, all the way through the RFP process, to bringing it in and doing training. We have a big thing at the state, the technology stack, we do lunch and learns, so there's lots of training. Commvault brought a lot of resources. We had engineers specifically assigned from Commvault to help with the project, the roll out, and then the transition. So a very effective partner, in terms of helping us along the way. It never helps to have that kind of hammer, as I said before, to push it forward. I really couldn't have asked for anything more. I spoke a little bit about this the other day. When we had this compelling event with the ransomware this year, I picked up the phone, and I got an answer right away. And I said we're going to need you once again. And they showed up. Commvault showed up. The great thing was, we didn't need them, right. My engineers had an effective turnover and training. 
They got the initial alerts before anybody did, before any of our security groups, anybody, Commvault detected this ransomware really before any of my tool suites because of the way it came into our organization. Which was kind of cool. But just in general, a great partnership. They were there all the way through the recovery of CDOT as support for our team. Really weren't needed just because of the effective transition. >> That's an interesting point. You talk about, you would think it would be the security tool that would be alerting you. Commvault and companies like it, sit in an interesting position. You've got data, you've got metadata. That surprise you that that was the tool that helped alert you in the first? >> Shocked me, shocked me, right. I mean we spent a lot of money building stacks of tools to protect the state, and very effective tools. There's nothing against those tool suites specifically. We were actually rolling out another tool that week that ultimately would've prevented it. That being said, stuff happens and the way this ransomware came in, bypassed that visibility. But Commvault, looking at our backups every night, taking differentials of 'em, saw encrypted files on disk, sent out an alert. The teams knew exactly what to do. Got executives on the phone. Got security ops on the phone. And it kicked off from there, so yeah, shocked, you know, happy that we caught it. Not the way I would have wanted, but that's why you've got layers of security. That's why you've got layers of teams to support each other. >> So specifics, outside of the support capability that Commvault provided and one, helping you guys get alerted to the event, and then the support reacting to the event, talk to us. What did they take to recover from the event? Was this a multi-month thing? Multi-week, multi-hour? How did you guys recover and how much did you recover? >> It took us a little over a month to recover. It's actually a great conversation maybe for another time. 
But building a structure in an open attack. Like when you have a coordinated resources from other countries, trying to do the United States, or the state of Colorado harm, the first thing you're going to do is make sure they're outside of your environment. So for about the first two weeks, we had everybody from the National Guard to the Defense Department there, helping us evaluate the situation. Getting it to a place where we felt comfortable bringing the department back up. Once we reached that point, and there is never a clear line in the sand. There's a role for the CIO and the CTO in that place to say, hey, now's time we've done everything we can and then we've very methodically started bringing desktops online and servers online. And Commvault played a huge role in that as well as some other vendors. But, in all, we restored about 192 servers. Some were infected, some weren't, but just from a sensibility stake, we wanted to go back to clean backups, clean restores, a place where the customer felt comfortable. We were able to do it in a way that there was no data loss to the customer or at least manage data loss. Meaning, in some cases, their systems, they wanted to go really back on, because their data didn't change very much in there. My biggest pain point in this whole process is, I want to bring that department up much faster, right. There's two sides that you're looking at: How do you protect the department in the short term? And how do you protect them in the long term? So I had to look at both sides of it. Very interesting experience. Don't wish it on anybody. >> David, last thing I want to ask is, the role of data, how do you, inside the state of Colorado, look at the role of data and the changing role of data? And if you look at Commvault, they are really expanding where they play. They're playing in multi-cloud. They've got artificial intelligence helping them. They're helping with governance and compliance. How do you see them lined up? 
Where do you see your relationship going with them in the future? >> Well, obviously, I like to stay with partners that take care of me, so there's obviously an affinity there, in terms of how they've helped the state in the last year. The data is really two parts, the agencies data, and then the resident, and the customers of the state of Colorado's data, right. So you first got to look at who owns and who is the steward of the data. And as IT for the state, our role is protecting that data, both in the short and long term. But as it becomes more and more of an asset, and we all know data is an asset today, it's almost the most critical asset. So protecting it is just as important as how you're going to innovate with it. So we are very excited about how we're going to be leveraging data in the future. Some of the issues we're talking about, the Department of Transportation wants to take their data for Road X and change how people drive. You know, very similar as to how you may use Waze and stuff like that. The DOTs around the country want to take that data and leverage it all over the place. So you're not only taking an asset that was leveraged for a very different purpose 10 years ago and completely transforming industries, you're doing that all across state government, right. The impetus, the need for protecting it, using it, I'm very excited with where they're going and how they look at data, Commvault specifically. I had a great conversation with our CTO last year about, I'm storing all this data on FASTDISK anyway. Why can't I use this as a data lake? How can I get metadata for your customers? How can I take this in places where maybe the founders of this company didn't even envision 20 years ago. It's very exciting how they're looking at the technology and where they can take it. AI is one of my focus areas for the year. I'm going to listen to everybody's pitch and I'm going to choose the right ones, because I do think it's transformative. 
If they can do it correctly and ultimately lessen the burden on IT, that's what we're looking for, right. That's what AI should bring to the table, is the ability for IT to do more with less. So that's what we're looking for and I'm excited what they're going to do with it. >> Alright, well David McCurdy, we really appreciate you joining us, sharing your story. For Keith Townsend, I'm Stu Miniman. We'll be back with more coverage here from Commvault GO in Nashville, Tennessee. Thanks for watching theCUBE. >> David: Thank you. (lively tech music)
ENTITIES
Entity | Category | Confidence |
---|---|---|
David | PERSON | 0.99+ |
David Mccurdy | PERSON | 0.99+ |
David Mccarthy | PERSON | 0.99+ |
Keith Townsend | PERSON | 0.99+ |
DMV | ORGANIZATION | 0.99+ |
David McCurdy | PERSON | 0.99+ |
Department of Health and Human Services | ORGANIZATION | 0.99+ |
Medicaid | ORGANIZATION | 0.99+ |
Israel | LOCATION | 0.99+ |
tens | QUANTITY | 0.99+ |
Colorado | LOCATION | 0.99+ |
two sides | QUANTITY | 0.99+ |
2018 | DATE | 0.99+ |
Stu Miniman | PERSON | 0.99+ |
Commvault | ORGANIZATION | 0.99+ |
Chicago | LOCATION | 0.99+ |
two parts | QUANTITY | 0.99+ |
last year | DATE | 0.99+ |
Department of Corrections | ORGANIZATION | 0.99+ |
both sides | QUANTITY | 0.99+ |
First | QUANTITY | 0.99+ |
Suma Nallapati | PERSON | 0.99+ |
Boston | LOCATION | 0.99+ |
Department of Revenue | ORGANIZATION | 0.99+ |
800 people | QUANTITY | 0.99+ |
Denver | LOCATION | 0.99+ |
Department of Transportation | ORGANIZATION | 0.99+ |
United States | LOCATION | 0.99+ |
Nashville, Tennessee | LOCATION | 0.99+ |
16 different backup products | QUANTITY | 0.99+ |
both | QUANTITY | 0.99+ |
first | QUANTITY | 0.99+ |
10 years ago | DATE | 0.98+ |
16 | QUANTITY | 0.98+ |
900 staff | QUANTITY | 0.98+ |
Murphy's Law | TITLE | 0.98+ |
Backup Colorado | ORGANIZATION | 0.98+ |
hundreds of people | QUANTITY | 0.98+ |
20 years ago | DATE | 0.98+ |
today | DATE | 0.97+ |
Defense Department | ORGANIZATION | 0.96+ |
about 800 | QUANTITY | 0.96+ |
this year | DATE | 0.95+ |
about 192 servers | QUANTITY | 0.95+ |
one | QUANTITY | 0.95+ |
16 different ways | QUANTITY | 0.95+ |
one way | QUANTITY | 0.95+ |
Waze | TITLE | 0.93+ |
Office of Information Technology | ORGANIZATION | 0.92+ |
each one | QUANTITY | 0.92+ |
first two weeks | QUANTITY | 0.91+ |
last four years | DATE | 0.9+ |
CDOT | ORGANIZATION | 0.89+ |
OIT | ORGANIZATION | 0.87+ |
Commvault GO 2018 | EVENT | 0.86+ |
14% unemployment | QUANTITY | 0.85+ |
National Guard | ORGANIZATION | 0.85+ |
over a month | QUANTITY | 0.84+ |
three data centers | QUANTITY | 0.82+ |
week | DATE | 0.81+ |
first thing | QUANTITY | 0.8+ |
CTO | ORGANIZATION | 0.79+ |
Paul Makowski
(digital music) >> Welcome, everyone. Donald Klein here with CUBE Conversations, coming to you from our studios at theCUBE, here in Palo Alto, California. And today I'm fortunate enough to be joined by Paul Makowski, CTO of PolySwarm. PolySwarm is a fascinating company that plays in the security space, but is also part of this emerging block chain and token economy. Welcome, Paul. >> Thank you, thank you for having me. >> Great, so why don't we just start and give everybody an understanding of what PolySwarm does and how you guys do it? >> Sure, so PolySwarm is a new effort (audio fading in and out) to try to fix the economics around how threat (missing audio) >> Donald: Okay. >> So, we see a lot of shortcomings with (audio fading in and out) I think it's more of a economic concern rather than (missing audio) (laughs) Rather than a concern regarding (missing audio) >> Donald: Okay. >> So, what PolySwarm is (missing audio) and change how (missing audio) >> Okay. >> So, it is a blockchain project (missing audio) will govern tomorrow's threat-intelligence base and perhaps, ideally, generate better incentives (missing audio) >> Okay, so, generally if I'm understanding right, you're playing in this threat-intelligence area, which is commonly known as bug-bounties. Correct, yeah? But you guys have kind of taken this in a new direction. Why don't you just explain to me kind of where this threat-intelligence distributed economy has been and where you see it going in the future. >> Sure, so bug bounties are, we had spoke earlier about HackerOne, for example. Bug bounties are an effort to identify vulnerabilities, and open vulnerability reports to arbitrary people across the internet. And incentivize people to secure products on behalf of the product owner. >> So, I can be an independent developer, and I find a vulnerability in something, and I submit it to one of these platforms, and then I get paid or rewarded for this. 
>> Yeah, and so the likes of HackerOne is a player in the space that conducts these bug bounties on behalf of other enterprises. >> Donald: Got it. >> Large enterprises such as Google and Microsoft and Apple, even, run their own bug bounties directly. >> Donald: Interesting. >> But, there's also these centralized middle men, the likes of HackerOne. Now, PolySwarm is a little bit different. We've discussed perhaps distributing the bug bounty space, but what we're focusing on right now at PolySwarm 1.0 is really just determining whether or not files, URLs, network graphics are either malicious or benign. >> Donald: Interesting. >> There's this boolean determination to start with, and then we're going to expand from there to metadata concerning, perhaps, the malware family of an identified malicious file. And then from there we'd also like to get into the bug bounty space. >> Okay. >> So, by PolySwarm being a fully decentralized market, us, as Swarm Technologies, will not be the middle man. We will not be in the middle of these transactions. We think that is going to make everything a bit more efficient for all the players on the market. And will best offer precision reward to be both accurate and timely in threat-intelligence. >> Interesting, okay, alright so I want to talk to you just a little bit more, because not everybody out there may be fully familiar with how a kind of decentralized app works. Talk to us a little bit about how blockchain fits in, how smart contracts fit in, and maybe just a little about, like, if I were to work on the PolySwarm platform, would I set up my own smart contract? Would somebody set it up for me? How would that work? >> Great question. So, in general, we see smart contracts as a new way to literally program a market. And I think this concept is applicable to a lot of different spaces. My background and the PolySwarm team background is in information (missing audio). >> Donald: Okay. 
>> So, we're applying smart contracts and market design specifically to a problem area that we are experts in. >> Okay, and what kind of smart contracts are these? What platform are you running on? >> We're running on Ethereum. We had previously discussed possibly expanding to Bezos, although there are perhaps some reasons not to do that anymore right now. But yeah, on Ethereum, we've been publishing our proof of concept code for our smart contracts right now which is available on github.com/polyswarm. More directly to your question concerning developing applications that plug into our platform or plug in to any platform, we've also released an open source framework called Perigord. Which is a framework for developing Ethereum distributed applications using Go, which is a language developed by Google. So, I hope that answers a little bit, but >> So, you're really pioneering this whole world of moving to a decentralized, distributed app framework. >> Yeah, so, we're not the first people in this space, but we are expanding the ease of development to the Go language space, away from strictly programming in JavaScript. A lot of distributed applications today are programmed in JavaScript. And there's pros and cons to each language, but we're hoping to get the Go language engaged a little more. >> So, let's go back now around to the people that are going to be participating in this marketplace, right. You were talking about unlocking the economic potential that's latent out there. Talk a little bit more about that. >> Exactly, so we had spoken a little bit ago about HackerOne, and one of the things that I think is really cool about HackerOne is the fact that it's offered globally. What makes that really cool is that HackerOne gets a lot of great submissions from people in locales that may not indigenously offer sufficient jobs for the amount of talent that the local economies are producing. So, that's a sort of latent talent. 
HackerOne is particularly popular in India, China, Eastern European countries. We'd like to also direct that talent toward solving the threat intelligence problem, namely accurately and timely identifying threats in files or graphic files. So, we'd like to-- We are operating in an eight and a half billion dollar per year space, the antivirus space, and we'd like to unlock this latent talent to broaden what threats are detected and how effectively enterprises defend themselves through a crowdsourced contributed manner that will cover more of the threats. >> Interesting, and so why don't you just talk a little about URLs and why those are important. We've seen a lot of hacks in the news recently, people going to sign up for a token sale and then being rerouted to the wrong place, et cetera. So, talk about malicious URLs. I think that might be an interest for people. >> Sure, everyone is trying to determine what URLs are malicious. Google has built into Chrome their safe browsing program that's also present in Firefox, Microsoft in some equivalent. Everyone's trying to determine and prevent people from being phished. You mentioned there were a few ICOs in this space that unfortunately had their websites hacked and their Ethereum contribution address changed, the hackers made off with some money. What PolySwarm does at a base level is it creates a market for security experts, again, around the world, to effectively put their money where their mouth is and say I think to the tune of 10 Nectar, for example, Nectar is the name of the PolySwarm note, that this URL or this file is malicious or benign. And those funds are escrowed directly into the smart contracts that constitute PolySwarm. And at a later time, the security experts who are right, receive the escrowed rewards from the security experts who were wrong. So, it's this feedback loop. >> It sounds like participants are kind of betting on both sides of whether something's malicious or not? >> Yeah, in effect. 
Legally, I definitely wouldn't say betting. (laughs) But it's-- >> Donald: Fair enough. >> The correct answer is there, right? The way that PolySwarm works is an enterprise has a suspect file or URL and decides to swarm it and what they do on the backend for that is they can either directly post this file or URL to the network, the network being the Ethereum blockchain. Everyone that's watching it and is cognizant of PolySwarm will be aware that there's a suspect file that perhaps I want to decide whether or not it's malicious as a security expert. Again, around the world, security experts will make that decision. If this is a particular file that I think I have insight into, as a security expert, then I might put up a certain amount of Nectar because I believe it is one way or the other. The reason why I say it's more of a-- The correct answer is in the file, right? It is in fact either malicious or benign. But what PolySwarm's economic reward is both timeliness and accuracy in determining that mal intent, whether or not that file is (missing audio). >> Interesting. And so the use of the smart contract is pretty novel here, right? Because the smart contracts then execute and distribute the bounties directly to the participants based on answer, is that right? >> That's correct. And that's the real key part. That eliminates the middle man in this space. A lot of the talk around blockchain in general is about restlessness, about not having middle men. In PolySwarm the core smart contract, again which are on github.com/polyswarm, they are able to actually hold escrowed upon. Though we're not in the middle and those escrowed funds are released to people who effectively get it right through the cost of people who got it wrong. So, we think-- >> And this is all automated through the system? >> This is all automated through the system. 
If I could take a step back real quick here, some of the shortcomings we're trying to address in today's market are if you imagine a Venn diagram, there's a rectangle that has all of the different threats in this space and you have large circles that cover portions of the Venn diagram and those large circles are today's large antivirus companies. Those circles overlap substantially. And the reason for that is pretty straightforward. Did you hear about perhaps WannaCry? It was a ransomware-- >> Absolutely, absolutely. >> If you're an antivirus company and you're not cognizant, you're not detecting WannaCry, then it's real easy to write you off. But the difficulty there is on the backend what that incentivizes is a lot of security companies doing duplicated work trying to detect the same threat. So there's a little bit of a clumpiness, there's a little bit of overlap, in what they detect and further it's very difficult although we've been speaking with people at those companies. They're always interested in the latest threat and uniquely detecting things, but it's sometimes very difficult to make Dell's argument that hey I detect this esoteric family of power-- >> Donald: Malicious URL, or et cetera. >> Exactly and by the way you're also going to get hit with it. That's a very difficult argument. >> So, you're sort of addressing the underserved areas, then, within security. >> Precisely, so the way that PolySwarm will look in that Venn diagram, is instead of large, mostly overlapping ovals, we'll have thousands of micro-engines written by security experts that each find their specialty. And that together this crowdsourced intelligence will cover more. >> Interesting, very good, very good, okay. So, just last question here. Talk around a little bit of the background. How did PolySwarm come together? I know you talked about Narf Industries, et cetera. Why don't you just give us a little of the background here? 'Cause it's impressive. 
>> Sure, so again my background, and the entire PolySwarm technical team's background, is information security. We also run and work for a computer security consultancy called Narf Industries. Our more public work has been for DARPA, as of late. There was a large competition that DARPA ran called the "Cyber Grand Challenge" that was the-- they were trying to create the autonomous equivalent of a human capture the flag competition, which is a hacking competition. Anyway, we helped develop the challenges for that program and otherwise helped in that phase. So that's a public-facing project. >> And you won part of that competition, is that correct? >> Yeah, so we weren't competing in DARPA's Cyber Grand Challenge, but in the human capture the flags, we have won those. All the members of the core PolySwarm, and also Narf Industries, technical team have won DEF CON's capture the flag competition at least once. And some of us have helped run that competition. That's considered the world series of hacking (laughs). So, that's our background, and we're also all-- we've all previously worked directly for the U.S. government, so we're very much embedded in the cutting edge of cyber security. And, finally, the last thing I'll say, is Narf was recently awarded a contract with the Department of Homeland Security for investigating how to build confidentiality controls into a blockchain environment. The Department of Homeland Security was concerned about identity management. They wanted to apply a blockchain phase. But part of that, is obviously, you want to protect people's private information. So, how do you do that phase that, by default, is purely public. >> Got it, okay look we're going to have to end there, but let me just say, we would be remiss without mentioning the fact that your ICO's starting. When's that going to happen? >> So, we have an ICO that's going to go live February 6. Right now, we're just trying to generate buzz, talking to great people like yourself. 
After that lead up to the ICO, we'd like to encourage people to check out our website at polyswarm.io, we have a Telegram group that's growing every day. And, again, a large part of what we would be funded by this ICO to accomplish is building the community around using PolySwarm. Fortunately, again, this is our space. So, we know a lot of people in this space, but we're always happy to be meeting people, so we'd love for all your viewers to join the conversation and engage with us. Our DMs on Twitter are open, et cetera. >> Okay, we hope they do. Probably just want to make one final point is that you guys are actually publishing all your code on GitHub ahead of the ICO, right? That kind of makes you unique in a very difficult space. >> It, unfortunately, does make us unique. I wish more projects did do that. But, yes, we are publishing our code in advance of the token sale. PolySwarm, if you're familiar with the conversation between securities and utility tokens, PolySwarm is very much a utility token. People will grade Nectar, which is the name of our token, for threat intelligence. And part of that is we want to have a usable ecosystem on day one when people buy tokens. We want to make sure that you're not investing in some future thing. Obviously we're going to improve on it, but it will be usable from day one (missing audio). >> Alright, fantastic, so thank you, Paul. I appreciate you coming in. Alright, well thanks, everyone. Thank you for watching. This is Donald Klein with CUBE Conversations coming to you from Palo Alto, California. Thank you for watching. (digital music)