>>The Cube presents UI Path Forward five. Brought to you by UI Path. >>We're back the cube's coverage of UI path forward. Five. And we're live. Dave Velante with Dave Nicholson. AJ Gupta is here. He's the Chief Digital Transformation Officer at the Motor Vehicles of California dmv. Welcome Jay. Good to see you. >>Thank you. >>Good to see you. Wow, you, you have an interesting job. I would just say, you know, I've been to going to conferences for a long time. I remember early last decade, Frank Sluman put up a slide. People ho hanging out, waiting outside the California dmv. You were the butt of many jokes, but we have a happy customer here, so we're gonna get it to your taste >>Of it. Yeah, very happy >>Customer, obviously transform the organization. I think it's pretty clear from our conversations that that automation has played a role in that. But first of all, tell us about yourself, your role and what's going on at the dmv. >>Sure. Myself, a j Gupta, I am the Chief Digital Transformation Officer at the dmv. Somewhat of i, one would say a made up title, but Governor's office asked me, Okay, we need help. And that's what >>Your title though? >>Yeah, yeah. So I'm like, well we are doing business and technology transformation. So that's, that's what I've been doing for the last three years at the dmv. Before that I was in private sector for 25 years, decided first time to give back cuz I was mostly doing public sector consulting. So here I am. >>Okay. So you knew the industry and that's cool that you wanted to give back because I mean obviously you just, in talking off camera, you're smart, you're very cogent and you know, a lot of times people in the private sector, they don't want to go work in the, in the public sector unless they're, unless they're power crazy, you know? Anyway, so speaking with David Nicholson, the experience has gone from really crappy to really great. I mean, take >>It from here. Yeah. Well, am I gonna be, I'm, because I'm from California, I was just, I was just, you know, we >>Got a dual case study >>Eloquently about, about the, the, the change that's happened just in, just in terms of simple things like a registration renewal. It used to be go online and pray and weed through things and now it's very simple, very, very fast. Tell us more about, about some of the things that you've done in the area of automation that have increased the percentage of things that could be done online without visiting a field office. Just as an >>Example. Yeah, what's the story? >>Yeah, so first of all, thank you for saying nice things about dmv, you as a customer. It means a lot because we have been very deliberately working towards solving all customer po pain points, whether it's in person experiences, online call centers, kiosks, so all across the channels. So we started our journey, myself and director Steve Gordon about three years ago, almost at the same time with the goal of making Department of Mo no motor vehicles in California as the best retail experience in the nation across industries. So that's our goal, right? Not there yet, but we are working towards it. So for, for our in person channels, which is what you may be familiar with, first of all, we wanna make sure brick and click and call all the customer journeys can be done across the channels. You can decide to start journey at one place, finish at another place. >>All that is very deliberate. We are also trying to make sure you don't have to come to field office at all. We would welcome you to come, we love you, but we don't want you to be there. You have better things to do for the economy. We want you to do that instead of showing up in the field office, being in the weight line. So that's number one. Creating more digital channels has been the key. We have created virtual field office. That's something that you would become familiar with if you are not as a DMV customer. During Covid, the goal was we provide almost all the services. We connect our technicians to the customer who are in need of a live conversation or a email or a text or a, or a SMS conversation or chat conversation in multiple languages or a video call, right? >>So we were able to accomplish that while Covid was going on, while the riots were going on. Those of your, you know about that, we, our offices were shut down. We created this channel, which we are continuing because it's a great disaster recovery business continuity channel, but also it can help keep people away from field office during peak hours. So that's been very deliberate. We have also added additional online services using bots. So we have created these web and process bots that actually let you do the intake, right? You, we could set up a new service in less than four weeks, a brand new service online. We have set up a brand new IVR service on call centers in less than a month for our seniors who didn't want to come to the field office and they were required certain pieces of information and we were able to provide that for our customers by creating this channel in less than less than four. >>And the pandemic was an accelerant to this was, was it the catalyst really? And then you guys compressed it? Or were, had you already started on the >>Well, we were >>Ready. I mean you, but you came on right? Just about just before the pandemic. >>Yeah. Yeah. So I came on in 2019, pandemic started in 2020 early. So we got lucky a little bit because we had a head start at, I was already working with u UI paths and we had come up with design patterns that we gonna take this journey for all DMV channels with using UiPath. So it was about timing that when it happened, it accelerated the need and it accelerated the actual work. I was thinking, I'll have a one year plan. I executed all of the one year plan items in less than two months out of necessity. So it accelerated definitely the execution of my plan. >>So when you talk about the chat channel, is that bots, is that humans or a combination? Yeah, >>It's a, it's a combination of it. I would say more AI than bots. Bots to the service fulfillment. So there is the user interaction where you have, you're saying something, the, the chat answers those questions, but then if you want something, hey, I want my, my registration renewed, right? It would take you to the right channel. And this is something we do today on our IVR channel. If you call in the DMV number in California, you'll see that your registration renewal is all automatic. You also have a AI listening to it. But also when you are saying, Yep, I wanna do it, then bot triggers certain aspects of the service fulfillment because our legacy is still sitting about 60 years old and we are able to still provide this modern facade for our customers with no gap and as quickly as possible within a month's time. How >>Many DMVs are in the state? >>Okay, so we have 230 different field locations out of which 180 are available for general public services. >>Okay. So and then you're, you're creating a digital overlay that's right >>To all of >>That, right? >>Yeah, it's digital and virtual overlay, right? Digital is fully self-service. Bots can do all your processing automation, can do all the processing. AI can do all the processing, but then you have virtual channels where you have customer interacting with the technicians or technicians virtually. But once a technician is done solving the problem, they click a button and bot does rest of the work for the technician. So that's where we are able to get some back office efficiency and transaction reduction. >>When was the last time you walked into a bank? >>Oh man. >>I mean, is that where we're going here where you just don't have to >>Go into the branch and that is the goal. In fact, we already have a starting point. I mean, just like you have ATM machines, we have kiosks already that do some of this automation work for us today. The goal is to not have to have to, unless you really want to, We actually set up these personas. One of them was high touch Henry. He likes to go to the field office and talk to people. We are there for them. But for the millennials, for the people who are like, I don't have time. I wanna like quickly finish this work off hours 24 by seven, which is where bots come in. They do not have weekends, HR complaint, they don't have overtime. They're able to solve these problems for me, 24 >>By seven. And what's the scope of your, like how many automations, how many bots? Can you give us a sense? >>Sure. So right now we are sitting at 36 different use cases. We have collected six point of eight point, well, we have saved 8.8 million just using the bots overall savings. If you were to look at virtual field office, which bots are part of, we have collected 388 million so far in that particular channel bots. I've also saved paper. I've saved a million sheets of paper through the bot, which I'm trying to remember how many trees it equates to, but it's a whole lot of trees that I've saved. And >>How many bots are we talking about? >>So it's 36 different use cases. So 36 >>Bots? >>Well, no, there's more bots I wanna say. So we are running at 85% efficiency, 50 bots. Oh wow. Yeah. >>Wow. Okay. So you, you asked the question about, you know, when was the last time someone was in a bank? The last time I was in a bank it was to deposit, you know, more than $10,000 in cash because of a cash transaction. Someone bought a car from me. It was more of a nuisance. I felt like I was being treated like a criminal. I was very clear what I was doing. I had just paid off a loan with that bank and I was giving them the cash for that transaction as opposed to the DMV transaction transferring title. That was easy. The DMV part was easier than the bank. And you're trying to make it even easier and it shouldn't, it shouldn't be that way. Yes. Right. But, but I, I have a, I have a question for you on, on that bot implementation. Can you give us, you've sort of give it us examples of how they interact. Yeah. But as your kind of prototypical California driver's license holder, how has that improved a specific transaction that I would be involved with? Can >>You, so well you as a Californian and you as a taxpayer, you as a Californian getting services and you as a taxpayer getting the most out of the money Okay. That the DMV spending on providing services, Right. Both are benefits to you. Sure. So bots have benefited in both of those areas. If you were used to the DMV three years ago, there was a whole lot of paper involved. You gotta fill this form out, you gotta fill this other form out and you gotta go to dmv. Oh by the way, your form, you didn't bring this thing with you. Your form has issues. We are calculated that about 30% of paper workloads are wasted because they just have bad data, right? There is no control. There's nobody telling you, hey, do this. Right. Even dates could be wrong, names could be wrong fields, maybe incomplete and such. >>So we were able to automate a whole lot of that by creating self-service channels, which are accelerated by bot. So we have these web acceleration platforms that collect the data, bots do the validation, they also verify the information, give you real time feedback or near real time feedback that hey, this is what you need to change. This is when you need to verify. So all the business rules are in the bot. And then once you're done, it'll commit the information to our legacy systems, which wouldn't have been possible unless a technician was punching it in manually. So there is a third cohort of Californians, which is our employees. We have 10,000 of those. They, I don't want them to get carpal tunnel. I want them to make sure they're spending more time thinking and helping our customers, looking at the customers rather than typing things. And that's what we are able to accomplish with the bots where you press that one button, which will have required maybe 50 more keystrokes and that's gone. And now you're saving time, you're also saving the effort and the attention loss of serving the best. >>Jay, what does it take to get a new process on board? So I'm thinking about real id, I just went through that in Massachusetts. I took, it was gonna be months to get to the dmv. So I ended up going through a aaa, had to get all these documents, I uploaded all the documents. Of course when I showed up, none were there. Thankfully I had backup copies. But it was really a pleasant experience. Are you, describe what you're doing with real ID and what role bots play? >>Yeah, sure. So with real id, what we are doing today and what I, what we'll be doing in the future, so I can talk about both. What we are doing today is that we are aligning most of the work to be done upfront by the customer. Because real ID is a complex transaction. You've gotta have four different pieces of documentation. You need to provide your information, it needs to match our records. And then you show up to the field office. And by the way, oh man, I did not upload this information. We are getting about 15 to 17% returns customers. And that's a whole lot of time. Every single mile our customer travels to the DMV office, which averages to about 13 miles. In my calculation for average customer, it's a dollar spent in carbon footprint in the time lost in the technician time trying to triage out some other things. So you're talking $26 per visit to the economy. >>Yeah. An amazing frustration, Yes. >>That has to come back and, and our customer satisfaction scores, which we really like to track, goes down right away. So in general, for real, id, what we have been, what we have done is created bunch of self-service channels, which are accelerated by workflow engines, by AI and by bots to collect the documentation, verify the documentation against external systems because we actually connect with Department of Homeland Security verify, you know, what's your passport about? We look at your picture and we verify that yep, it is truly a passport and yours and not your wives. Right? Or not a picture of a dog. And it's actually truly you, right? I mean, people do all kind of fun stuff by mistake or intentionally. So we wanna make sure we save time for our customer, we save time for our, for our employees, and we have zero returns required when employees, where customer shows up, which by the way is requirement right now. But the Department of Homeland Security is in a rule making process. And we are hopeful, very hopeful at this point in time that we'll be able to take the entire experience and get it done from home. And that'll give us a whole lot more efficiency, as you can imagine. And bots are at the tail end of it, committing all the data and transactions into our systems faster and with more accuracy. >>That's a great story. I mean, really congratulations and, and I guess I'll leave it. Last question is, where do you want to take this? What's the, what's your roadmap look like? What's your runway look like? Is it, is there endless opportunities to automate at the state or do you see a sort of light at the end of the tunnel? >>Sure. So there is a thing I shared in the previous session that I was in, which is be modern while we modernize. So that's been the goal with the bot. They are integral part of my transition architecture as I modernize the entire dmv, bring them from 90 60, bringing us from 1960 to 2022 or even 2025 and do it now, right? So bots are able to get me to a place where customers expectations are managed. They are getting their online, they're getting their mobile experience, they are avoiding making field off his trips and avoiding any kind of paper based processing right? For our employees and customers as well. So bots are serving that need today as part of the transition strategy going from 1960 to 2022 in the future. They're continue gonna continue to service. I think it's one thing that was talked about by the previous sessions today that we, they, they're looking at empowering the employees to do their own work back office work also in a full automation way and self-power them to automate their own processes. So that's one of the strategies we're gonna look for. But also we'll continue to have a strategy where we need to remain nimble with upcoming needs and have a faster go to market market plan using the bot. >>Outstanding. Well thanks so much for sharing your, your story and, and thanks for helping Dave. >>Real life testimony. I never, never thought I'd be coming on to praise the California dmv. Here I am and it's legit. Yeah, >>Well done. Can I, can I make an introduction to our Massachusetts colleagues? >>Good to, well actually we have, we have been working with state of New York, Massachusetts, Nevara, Arizona. So goal is to share but also learn from >>That. Help us out, help us out. >>But nice to be here, >>Great >>To have you and looking for feedback next time you was at dmv. >>All right. Oh, absolutely. Yeah. Get that, fill out that NPS score. All right. Thank you for watching. This is Dave Valante for Dave Nicholson. Forward five UI customer conference from the Venetian in Las Vegas. We'll be right back.

(electronic music) >> Hello everybody, welcome back to Boston. This is Dave Vellante and you're watching theCUBE's continuous coverage of AWS re:Inforce 2022. We're here at the convention center in Boston where theCUBE got started in May of 2010. I'm really excited. Lena Smart is here, she's the chief information security officer at MongoDB rocket ship company We covered MongoDB World earlier this year, June, down in New York. Lena, thanks for coming to theCUBE. >> Thank you for having me. >> You're very welcome, I enjoyed your keynote yesterday. You had a big audience, I mean, this is a big deal. >> Yeah. >> This is the cloud security conference, AWS, putting its mark in the sand back in 2019. Of course, a couple of years of virtual, now back in Boston. You talked in your keynote about security, how it used to be an afterthought, used to be the responsibility of a small group of people. >> Yeah. >> You know, it used to be a bolt on. >> Yep. >> That's changed dramatically and that change has really accelerated through the pandemic. >> Yep. >> Just describe that change from your perspective. >> So when I started at MongoDB about three and a half years ago, we had a very strong security program, but it wasn't under one person. So I was their first CISO that they employed. And I brought together people who were already doing security and we employed people from outside the company as well. The person that I employed as my deputy is actually a third time returnee, I guess? So he's worked for, MongoDB be twice before, his name is Chris Sandalo, and having someone of that stature in the company is really helpful to build the security culture that I wanted. That's why I really wanted Chris to come back. He's technically brilliant, but he also knew all the people who'd been there for a while and having that person as a trusted second in command really, really helped me grow the team very quickly. I've already got a reputation as a strong female leader. He had a reputation as a strong technical leader. So us combined is like indestructible, we we're a great team. >> Is your scope of responsibility, obviously you're protecting Mongo, >> Yeah. >> How much of your role extends into the product? >> So we have a product security team that report into Sahir Azam, our chief product officer. I think you even spoke to him. >> Yeah, he's amazing. >> He's awesome, isn't he? He's just fabulous. And so his team, they've got security experts on our product side who are really kind of the customer facing. I'm also to a certain extent customer facing, but the product folks are the absolute experts. They will listen to what our customers need, what they want, and together we can then work out and translate that. I'm also responsible for governance risk and compliance. So there's a large portion of our customers that give us input via that program too. So there's a lot of avenues to allow us to facilitate change in the security field. And I think that's really important. We have to listen to what our customers want, but also internally. You know, what our internal groups need as well to help them grow. >> I remember last year, Re:invent 2021, I was watching a talk on security. It was the, I forget his name, but it was the individual who responsible for data center security. And one of the things he said was, you know, look it's not at the end of the day, the technology's important but it's not the technology. It's how you apply the tools and the practices and the culture- >> Right. That you build in the organization that will ultimately determine how successful you are at decreasing the ROI for the bad guys. >> Yes. >> Let's put it that way. So talk about the challenges of building that culture, how you go about that, and how you sustain that cultural aspect. >> So, I think having the security champion program, so that's just, it's like one of my babies, that and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the security champion program is purely voluntary. We have over a hundred members. And these are people, there's no bar to join. You don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome. Up to, we actually people grade themselves, when they join us, we give them a little tick box. Like five is, I walk in security water. One is, I can spell security but I'd like to learn more. Mixing those groups together has been game changing for us. We now have over a hundred people who volunteer their time, with their supervisors permission, they help us with their phishing campaigns, testing AWS tool sets, testing things like queryable encryption. I mean, we have people who have such an in-depth knowledge in other areas of the business that I could never learn, no matter how much time I had. And so to have them- And we have people from product as security champions as well, and security, and legal, and HR, and every department is recognized. And I think almost every geographical location is also recognized. So just to have that scope and depth of people with long tenure in the company, technically brilliant, really want to understand how they can apply the cultural values that we live with each day to make our security program stronger. As I say, that's been a game changer for us. We use it as a feeder program. So we've had five people transfer from other departments into the security and GRC teams through this Champions program. >> Makes a lot of sense. You take somebody who walks on water in security, mix them with somebody who really doesn't know a lot about it but wants to learn and then can ask really basic questions, and then the experts can actually understand better how to communicate. >> Absolutely. >> To that you know that 101 level. >> It's absolutely true. Like my mom lives in her iPad. She worships her iPad. Unfortunately she thinks everything on it is true. And so for me to try and dumb it down, and she's not a dumb person, but for me to try and dumb down the message of most of it's rubbish, mom, Facebook is made up. It's just people telling stories. For me to try and get that over to- So she's a one, and I might be a five, that's hard. That's really hard. And so that's what we're doing in the office as well. It's like, if you can explain to my mother how not everything on the internet is true, we're golden. >> My mom, rest her soul, when she first got a- we got her a Macintosh, this was years and years and years ago, and we were trying to train her over the phone, and said, mom, just grab the mouse. And she's like, I don't like mice. (Lena laughs) There you go. I know, I know, Lena, what that's like. Years ago, it was early last decade, we started to think about, wow, security really has to become a board level item. >> Yeah. >> And it really wasn't- 2010, you know, for certain companies. But really, and so I had the pleasure of interviewing Dr. Robert Gates, who was the defense secretary. >> Yes. >> We had this conversation, and he sits on a number, or sat on a number of boards, probably still does, but he was adamant. Oh, absolutely. Here's how you know, here. This is the criticality. Now it's totally changed. >> Right. >> I mean, it's now a board level item. But how do you communicate to the C-Suite, the board? How often do you do that? What do you recommend is the right regime? And I know there's not any perfect- there's got to be situational, but how do you approach it? >> So I am extremely lucky. We have a very technical board. Our chairman of the board is Tom Killalea. You know, Amazon alum, I mean, just genius. And he, and the rest of the board, it's not like a normal board. Like I actually have the meeting on this coming Monday. So this weekend will be me reading as much stuff as I possibly can, trying to work out what questions they're going to ask me. And it's never a gotcha kind of thing. I've been at board meetings before where you almost feel personally attacked and that's not a good thing. Where, at MongoDB, you can see they genuinely want us to grow and mature. And so I actually meet with our board four times a year, just for security. So we set up our own security meeting just with board members who are specifically interested in security, which is all of them. And so this is actually off cadence. So I actually get their attention for at least an hour once a quarter, which is almost unheard of. And we actually use the AWS memo format. People have a chance to comment and read prior to the meeting. So they know what we're going to talk about and we know what their concerns are. And so you're not going in like, oh my gosh, what what's going to happen for this hour? We come prepared. We have statistics. We can show them where we're growing. We can show them where we need more growth and maturity. And I think having that level of just development of programs, but also the ear of the board has has helped me mature my role 10 times. And then also we have the chance to ask them, well what are your other CISOs doing? You know, they're members of other boards. So I can say to Dave, for example, you know, what's so-and-so doing at Datadog? Or Tom Killelea, what's the CISO of Capital One doing? And they help me make a lot of those connections as well. I mean, the CISO world is small and me being a female in the world with a Scottish accent, I'm probably more memorable than most. So it's like, oh yeah, that's the Irish girl. Yeah. She's Scottish, thank you. But they remember me and I can use that. And so just having all those mentors from the board level down, and obviously Dev is a huge, huge fan of security and GRC. It's no longer that box ticking exercise that I used to feel security was, you know, if you heated your SOC2 type two in FinTech, oh, you were good to go. You know, if you did a HERC set for the power industry. All right, right. You know, we can move on now. It's not that anymore. >> Right. It's every single day. >> Yeah. Of course. Dev is Dev at the Chario. Dev spelled D E V. I spell Dave differently. My Dave. But, Lena, it sounds like you present a combination of metrics, so, the board, you feel like that's appropriate to dig into the metrics. But also I'm presuming you're talking strategy, potentially, you know, gaps- >> Road roadmaps, the whole nine yards. Yep. >> What's the, you know, I look at the budget scenario. At the macro level, CIOs have told us, they came into the year saying, hey we're going to grow spending at the macro, around eight percent, eight and a half percent. That's dialed down a little bit post Ukraine and the whole recession and Fed tightening. So now they're down maybe around six percent. So not dramatically lower, but still. And they tell us security is still the number one priority. >> Yes. >> That's been the case for many, many quarters, and actually years, but you don't have an unlimited budget. >> Sure >> Right. It's not like, oh, here is an open checkbook. >> Right. >> Lena, so, how does Mongo balance that with the other priorities in the organization, obviously, you know, you got to spend money on product, you got to spend money and go to market. What's the climate like now, is it, you know continuing on in 2022 despite some of the macro concerns? Is it maybe tapping the brakes? What's the general sentiment? >> We would never tap the breaks. I mean, this is something that's- So my other half works in the finance industry still. So we have, you know, interesting discussions when it comes to geopolitics and financial politics and you know, Dev, the chairman of the board, all very technical people, get that security is going to be taken advantage of if we're seeing to be tapping the brakes. So it does kind of worry me when I hear other people are saying, oh, we're, you know, we're cutting back our budget. We are not. That being said, you also have to be fiscally responsible. I'm Scottish, we're cheap, really frugal with money. And so I always tell my team: treat this money as if it's your own. As if it's my money. And so when we're buying tool sets, I want to make sure that I'm talking to the CISO, or the CISO of the company that's supplying it, and saying are you giving me the really the best value? You know, how can we maybe even partner with you as a database platform? How could we partner with you, X company, to, you know, maybe we'll give you credits on our platform. If you look to moving to us and then we could have a partnership, and I mean, that's how some of this stuff builds, and so I've been pretty good at doing that. I enjoy doing that. But then also just in terms of being fiscally responsible, yeah, I get it. There's CISOs who have every tool that's out there because it's shiny and it's new and they know the board is never going to say no, but at some point, people will get wise to that and be like, I think we need a new CISO. So it's not like we're going to stop spending it. So we're going to get someone who actually knows how to budget and get us what the best value for money. And so that's always been my view is we're always going to be financed. We're always going to be financed well. But I need to keep showing that value for money. And we do that every board meeting, every Monday when I meet with my boss. I mean, I report to the CFO but I've got a dotted line to the CTO. So I'm, you know, I'm one of the few people at this level that's got my feet in both camps. You know budgets are talked at Dev's level. So, you know, it's really important that we get the spend right. >> And that value is essentially, as I was kind of alluding to before, it's decreasing the value equation for the hackers, for the adversary. >> Hopefully, yes. >> Right? Who's the- of course they're increasingly sophisticated. I want to ask you about your relationship with AWS in this context. It feels like, when I look around here, I think back to 2019, there was a lot of talk about the shared responsibility model. >> Yes. >> You know, AWS likes to educate people and back then it was like, okay, hey, by the way, you know you got to, you know, configure the S3 bucket properly. And then, oh, by the way, there's more than just, it's not just binary. >> Right, right. >> There's other factors involved. The application access and identity and things like that, et cetera, et cetera. So that was all kind of cool. But I feel like the cloud is becoming the first line of defense for the CISO but because of the shared responsibility model, CISO is now the second line of defense >> Yes. Does that change your role? Does it make it less complicated in a way? Maybe, you know, more complicated because you now got to get your DevSecOps team? The developers are now much more involved in security? How is that shifting, specifically in the context of your relationship with AWS? >> It's honestly not been that much of a shift. I mean, these guys are very proactive when it comes to where we are from the security standpoint. They listen to their customers as much as we do. So when we sit down with them, when I meet with Steve Schmidt or CJ or you know, our account manager, its not a conversation that's a surprise to me when I tell them this is what we need. They're like, yep, we're on that already. And so I think that relationship has been very proactive rather than reactive. And then in terms of MongoDB, as a tech company, security is always at the forefront. So it's not been a huge lift for me. It's really just been my time that I've taken to understand where DevSecOps is coming from. And you know, how far are we shifting left? Are we actually shifting right now? It's like, you know, get the balance, right? You can't be too much to one side. But I think in terms of where we're teaching the developers, you know, we are a company by developers for developers. So, we get it, we understand where they're coming from, and we try and be as proactive as AWS is. >> When you obviously the SolarWinds hack was a a major mile- I think in security, there's always something in the headlines- >> Yes. But when you think of things like, you know, Stuxnet, you know, Log4J, obviously Solarwinds and the whole supply chain infiltration and the bill of materials. As I said before, the adversary is extremely capable and sophisticated and you know, much more automated. It's always been automated attacks, but you know island hopping and infiltrating and self-forming malware and really sophisticated techniques. >> Yep. >> How are you thinking about that supply chain, bill of materials from inside Mongo and ultimately externally to your customers? >> So you've picked on my third favorite topic to talk about. So I came from the power industry before, so I've got a lot of experience with critical infrastructure. And that was really, I think, where a lot of the supply chain management rules and regulations came from. If you're building a turbine and the steel's coming from China, we would send people to China to make sure that the steel we were buying was the steel we were using. And so that became the H bomb. The hardware bill of materials, bad name. But, you know, we remember what it stood for. And then fast forward: President Biden's executive order. SBOs front and center, cloud first front and center. It's like, this is perfect. And so I was actually- I actually moderated a panel earlier this year at Homeland Security Week in DC, where we had a sneak CISA, So Dr. Allen Friedman from CISA, and also Patrick Weir from OWASP for the framework, CISA for the framework as well, and just the general guidance, and Snake for the front end. That was where my head was going. And MongoDB is the back-end database. And what we've done is we've taken our work with Snake and we now have a proof of concept for SBOs. And so I'm now trying to kind of package that, if you like, as a program and get the word out that SBOs shouldn't be something to be afraid of. If you want to do business with the government you're going to have to create one. We are offering a secure repository to store that data, the government could have access to that repository and see that data. So there's one source of truth. And so I think SBOs is going to be really interesting. I know that, you know, some of my peers are like, oh, it's just another box to tick. And I think it's more than that. I definitely- I've just, there's something percolating in the back of my mind that this is going to be big and we're going to be able to use it to hopefully not stop things like another Log4j, there's always going to be another Log4j, we know that. we don't know everything, the unknown unknown, but at least if we're prepared to go find stuff quicker than we were then before Log4j, I think having SBOs on hand, having that one source of truth, that one repository, I think is going to make it so much easier to find those things. >> Last question, what's the CISO's number one challenge? Either yours or the CISO, generally. >> Keeping up with the fire hose that is security. Like, what do you pick tomorrow? And if you pick the wrong thing, what's the impact? So that's why I'm always networking and talking to my peers. And, you know, we're sometimes like meerkats, you know. there's meerkats, you see like this, it's like, what do we talk about? But there's always something to talk about. And you just have to learn and keep learning. >> Last question, part B. As a hot technology company, that's, you know, rising star, you know not withstanding the tech lash and the stock market- >> Yeah. >> But Mongo's growing, you know, wonderfully. Do you find it easier to attract talent? Like many CISOs will say, you know, lack of talent is my biggest, biggest challenge. Do you find that that's not the challenge for you? >> Not at all. I think on two fronts, one, we have the champions program. So we've got a whole internal ecosystem who love working there. So the minute one of my jobs goes on the board, they get first dibs at it. So they'd already phoning their friends. So we've got, you know, there's ripple effects out from over a hundred people internally. You know, I think just having that, that's been a game changer. >> I was so looking forward to interviewing you, Lena, thanks so much for coming. >> Thank you, this was a pleasure. >> It was really great to have you. >> Thank you so much. Thank you. >> You're really welcome. All right, keep it right there. This is Dave Villante for theCUBE. We'll be right back at AWS Re:inforce22 right after this short break.

(upbeat music) >> Hey everyone. Welcome back to theCUBE's live coverage of Women in Data Science, WiDS 2022, coming to live from Stanford University. I'm Lisa Martin. My next guest is here. Nandi Leslie, Doctor Nandi Leslie, Senior Engineering Fellow at Raytheon Technologies. Nandi, it's great to have you on the program. >> Oh it's my pleasure, thank you. >> This is your first WiDS you were saying before we went live. >> That's right. >> What's your take so far? >> I'm absolutely loving it. I love the comradery and the community of women in data science. You know, what more can you say? It's amazing. >> It is. It's amazing what they built since 2015, that this is now reaching 100,000 people 200 online event. It's a hybrid event. Of course, here we are in person, and the online event going on, but it's always an inspiring, energy-filled experience in my experience of WiDS. >> I'm thoroughly impressed at what the organizers have been able to accomplish. And it's amazing, that you know, you've been involved from the beginning. >> Yeah, yeah. Talk to me, so you're Senior Engineering Fellow at Raytheon. Talk to me a little bit about your role there and what you're doing. >> Well, my role is really to think about our customer's most challenging problems, primarily at the intersection of data science, and you know, the intersectional fields of applied mathematics, machine learning, cybersecurity. And then we have a plethora of government clients and commercial clients. And so what their needs are beyond those sub-fields as well, I address. >> And your background is mathematics. >> Yes. >> Have you always been a math fan? >> I have, I actually have loved math for many, many years. My dad is a mathematician, and he introduced me to, you know mathematical research and the sciences at a very early age. And so, yeah, I went on, I studied in a math degree at Howard undergrad, and then I went on to do my PhD at Princeton in applied math. And later did a postdoc in the math department at University of Maryland. >> And how long have you been with Raytheon? >> I've been with Raytheon about six years. Yeah, and before Raytheon, I worked at a small to midsize defense company, defense contracting company in the DC area, systems planning and analysis. And then prior to that, I taught in a math department where I also did my postdoc, at University of Maryland College Park. >> You have a really interesting background. I was doing some reading on you, and you have worked with the Navy. You've worked with very interesting organizations. Talk to the audience a little bit about your diverse background. >> Awesome yeah, I've worked with the Navy on submarine force security, and submarine tracking, and localization, sensor performance. Also with the Army and the Army Research Laboratory during research at the intersection of machine learning and cyber security. Also looking at game theoretic and graph theoretic approaches to understand network resilience and robustness. I've also supported Department of Homeland Security, and other government agencies, other governments, NATO. Yeah, so I've really been excited by the diverse problems that our various customers have you know, brought to us. >> Well, you get such great experience when you are able to work in different industries and different fields. And that really just really probably helps you have such a much diverse kind of diversity of thought with what you're doing even now with Raytheon. >> Yeah, it definitely does help me build like a portfolio of topics that I can address. And then when new problems emerge, then I can pull from a toolbox of capabilities. And, you know, the solutions that have previously been developed to address those wide array of problems, but then also innovate new solutions based on those experiences. So I've been really blessed to have those experiences. >> Talk to me about one of the things I heard this morning in the session I was able to attend before we came to set was about mentors and sponsors. And, you know, I actually didn't know the difference between that until a few years ago. But it's so important. Talk to me about some of the mentors you've had along the way that really helped you find your voice in research and development. >> Definitely, I mean, beyond just the mentorship of my my family and my parents, I've had amazing opportunities to meet with wonderful people, who've helped me navigate my career. One in particular, I can think of as and I'll name a number of folks, but Dr. Carlos Castillo-Chavez was one of my earlier mentors. I was an undergrad at Howard University. He encouraged me to apply to his summer research program in mathematical and theoretical biology, which was then at Cornell. And, you know, he just really developed an enthusiasm with me for applied mathematics. And for how it can be, mathematics that is, can be applied to epidemiological and theoretical immunological problems. And then I had an amazing mentor in my PhD advisor, Dr. Simon Levin at Princeton, who just continued to inspire me, in how to leverage mathematical approaches and computational thinking for ecological conservation problems. And then since then, I've had amazing mentors, you know through just a variety of people that I've met, through customers, who've inspired me to write these papers that you mentioned in the beginning. >> Yeah, you've written 55 different publications so far. 55 and counting I'm sure, right? >> Well, I hope so. I hope to continue to contribute to the conversation and the community, you know, within research, and specifically research that is computationally driven. That really is applicable to problems that we face, whether it's cyber security, or machine learning problems, or others in data science. >> What are some of the things, you're giving a a tech vision talk this afternoon. Talk to me a little bit about that, and maybe the top three takeaways you want the audience to leave with. >> Yeah, so my talk is entitled "Unsupervised Learning for Network Security, or Network Intrusion Detection" I believe. And essentially three key areas I want to convey are the following. That unsupervised learning, that is the mathematical and statistical approach, which tries to derive patterns from unlabeled data is a powerful one. And one can still innovate new algorithms in this area. Secondly, that network security, and specifically, anomaly detection, and anomaly-based methods can be really useful to discerning and ensuring, that there is information confidentiality, availability, and integrity in our data >> A CIA triad. >> There you go, you know. And so in addition to that, you know there is this wealth of data that's out there. It's coming at us quickly. You know, there are millions of packets to represent communications. And that data has, it's mixed, in terms of there's categorical or qualitative data, text data, along with numerical data. And it is streaming, right. And so we need methods that are efficient, and that are capable of being deployed real time, in order to detect these anomalies, which we hope are representative of malicious activities, and so that we can therefore alert on them and thwart them. >> It's so interesting that, you know, the amount of data that's being generated and collected is growing exponentially. There's also, you know, some concerning challenges, not just with respect to data that's reinforcing social biases, but also with cyber warfare. I mean, that's a huge challenge right now. We've seen from a cybersecurity perspective in the last couple of years during the pandemic, a massive explosion in anomalies, and in social engineering. And companies in every industry have to be super vigilant, and help the people understand how to interact with it, right. There's a human component. >> Oh, for sure. There's a huge human component. You know, there are these phishing attacks that are really a huge source of the vulnerability that corporations, governments, and universities face. And so to be able to close that gap and the understanding that each individual plays in the vulnerability of a network is key. And then also seeing the link between the network activities or the cyber realm, and physical systems, right. And so, you know, especially in cyber warfare as a remote cyber attack, unauthorized network activities can have real implications for physical systems. They can, you know, stop a vehicle from running properly in an autonomous vehicle. They can impact a SCADA system that's, you know there to provide HVAC for example. And much more grievous implications. And so, you know, definitely there's the human component. >> Yes, and humans being so vulnerable to those social engineering that goes on in those phishing attacks. And we've seen them get more and more personal, which is challenging. You talking about, you know, sensitive data, personally identifiable data, using that against someone in cyber warfare is a huge challenge. >> Oh yeah, certainly. And it's one that computational thinking and mathematics can be leveraged to better understand and to predict those patterns. And that's a very rich area for innovation. >> What would you say is the power of computational thinking in the industry? >> In industry at-large? >> At large. >> Yes, I think that it is such a benefit to, you know, a burgeoning scientist, if they want to get into industry. There's so many opportunities, because computational thinking is needed. We need to be more objective, and it provides that objectivity, and it's so needed right now. Especially with the emergence of data, and you know, across industries. So there are so many opportunities for data scientists, whether it's in aerospace and defense, like Raytheon or in the health industry. And we saw with the pandemic, the utility of mathematical modeling. There are just so many opportunities. >> Yeah, there's a lot of opportunities, and that's one of the themes I think, of WiDS, is just the opportunities, not just in data science, and for women. And there's obviously even high school girls that are here, which is so nice to see those young, fresh faces, but opportunities to build your own network and your own personal board of directors, your mentors, your sponsors. There's tremendous opportunity in data science, and it's really all encompassing, at least from my seat. >> Oh yeah, no I completely agree with that. >> What are some of the things that you've heard at this WiDS event that inspire you going, we're going in the right direction. If we think about International Women's Day tomorrow, "Breaking the Bias" is the theme, do you think we're on our way to breaking that bias? >> Definitely, you know, there was a panel today talking about the bias in data, and in a variety of fields, and how we are, you know discovering that bias, and creating solutions to address it. So there was that panel. There was another talk by a speaker from Pinterest, who had presented some solutions that her, and her team had derived to address bias there, in you know, image recognition and search. And so I think that we've realized this bias, and, you know, in AI ethics, not only in these topics that I've mentioned, but also in the implications for like getting a loan, so economic implications, as well. And so we're realizing those issues and bias now in AI, and we're addressing them. So I definitely am optimistic. I feel encouraged by the talks today at WiDS that you know, not only are we recognizing the issues, but we're creating solutions >> Right taking steps to remediate those, so that ultimately going forward. You know, we know it's not possible to have unbiased data. That's not humanly possible, or probably mathematically possible. But the steps that they're taking, they're going in the right direction. And a lot of it starts with awareness. >> Exactly. >> Of understanding there is bias in this data, regardless. All the people that are interacting with it, and touching it, and transforming it, and cleaning it, for example, that's all influencing the veracity of it. >> Oh, for sure. Exactly, you know, and I think that there are for sure solutions are being discussed here, papers written by some of the speakers here, that are driving the solutions to the mitigation of this bias and data problem. So I agree a hundred percent with you, that awareness is you know, half the battle, if not more. And then, you know, that drives creation of solutions >> And that's what we need the creation of solutions. Nandi, thank you so much for joining me today. It was a pleasure talking with you about what you're doing with Raytheon, what you've done and your path with mathematics, and what excites you about data science going forward. We appreciate your insights. >> Thank you so much. It was my pleasure. >> Good, for Nandi Leslie, I'm Lisa Martin. You're watching theCUBE's coverage of Women in Data Science 2022. Stick around, I'll be right back with my next guest. (upbeat flowing music)

>>Good morning live from Las Vegas. It's the Q with AWS reinvent 2021. This is our fourth day of coverage. The third full day of the conference. Lisa Martin here with Dave Nicholson. Dave, we had had a tremendous number of conversations. In fact, we've two live sets over a hundred guests on the program, and I have another web. I've got two Dave's for you for the price of one. Dave trader joins us the field CSO client advisor at Presidio. We're going to be talking about ransomware and security, Dave, welcome to the program. Thank you for having me. So it's looking at your background. You've got a very cool background. You hold numerous cybersecurity certifications, including CIS SP you've received numerous endorsements from the department of Homeland security, the FBI and NSA. And in 2018, you graduated from the FBI's CSO academy in Quantico. Wow. Yeah, it sounds like he's a man with a very special set of skills. I think you're right. I think you're right. One of the things that we have seen the cybersecurity landscape has changed dramatically in the last year and a half 22 months or so. I was reading some stats ransomware and the check happens delivery once every 11 seconds. It's now a matter of when not, if talk to us about some of the things that you're seeing, the threat landscape, changing ransomware as a service what's going on. >>The last part that you mentioned was ransomware as a service is key. The access to be able to launch a tax has become so simplified that the, the, the, uh, the attacker level doesn't have to be sophisticated. Really. You can get down to the 100 level brand new hackers that are just getting into the space. They can go to a help desk and they can purchase ransomware, and they can run this ransomware that has the comes with quality assurance, by the way. And if they didn't run correctly, they've got a help desk support system. That'll help them run this in a, you know, as a criminal enterprise. Um, the access is really what is, what has made this so prevalent, and it really exacerbated the problem to the massive scale that we're seeing today. Yeah. >>And of course, we're only hearing about the big ones, you know, re you know, Conti colonial pipeline. But as I mentioned, an attack occurring every 11 seconds, I also was reading the first half of calendar, 21, that ransomware was up nearly 11 X. So the trajectory it's going the wrong way, it's going up into the right and the way that we don't want it to go, are they becoming more brazen? Is it easier? Ransomware is the surface, but also they're able to be paid in Bitcoin and that's less traceable. >>Yeah. So, um, exponential is not even fair, right? Cause it, that's not even a fair assessment because that up and right, it's just, it's been so pervasive that we just see that continued growth. Uh, you know, there's how, you know, different ways and how we're going to stop that. And what we're, what we're doing from a national perspective is all coming into play and what we're going to do about it. You know? So the, one of the things that I'm seeing, that's kind of new is the taunting aspect. So the taunting aspect is, uh, you know, they've been in your network for a little while, the dwell times extended and they're collecting intelligence, but what they're doing is, you know, they used to let you, after they would present you with the ransomware note, they would let you kind of circle the wagons. And then you would come to a decision point as an organization. >>Is, am I going to pay or am I not well? And they would give you a little bit of time to deliberate. Well, now during your deliberation time, they're actually sending texts to the CEO and the CFO and there's, and they're, they're, they're showcasing their, their, uh, technical prowess and that they've got you, they own you at that point. And they're, they're texting on your personal device. And they're saying, you should go ahead and pay us, or we're going to make this worse. The taunting aspect is even twisting the knife and it's, uh, you know, out of box isn't even from a criminal aspect, I expect that to be out of bounds, no >>Crazy. And of course, you know, some of the things that we've seen, um, uh, the, the white houses, counter ransomware initiative, a coalition of 30 countries aimed to ramp up global efforts to attack that it's like, are you seeing cyber crime with the rise and the proliferation, you think there's gonna be more regulations and organizations that are going to be having to deal with? What do you think? Some of the things that we're going to see on that legal? >>Yeah. So we have to, we have to leverage compliance, and there's a lot of really great frameworks out there today that we are leveraging. And there's, there's good methodology on how to stop this. The issue is it's the adoption and really the, the, the knowledge, the subject matter expertise, and really that consultant side, that's the message that I try and get out to, to, to our customers and our clients. And I'm trying to really get them to understand what that evolution looks like and what, what is needed in each discipline, because there's various disciplines across the board and you almost have to have them all, um, you know, in order to be able to stop ransomware and solve for that ransomware problem. And I do think the regulation is going to be key. I also think that I need some air support from not only the federal government, but our internet service providers and, and we as a free country, we need to be careful of, you know, on, on some of that, some of those fronts. But I, I, I still think that I would appreciate, you know, my ISP doing a little bit of block and tackle for me, you know, and helping me out, even though I want the freedom to do and be able to do whatever I want. I still like them to say, you know, we're gonna block known that because, you know, it would just be nice to have a little bit of support even on that side. So how does >>An ISP prevent me from panning out my password and being fooled in a, in a, in a phishing attack is the, is the question that, is, that, is that still a real issue? >>So I wouldn't put that. I wouldn't put that on the ISP. I would put that more on the end point and some personal responsibility, right. Knowing, and I do, I do stress that a little bit, but relatively early >>Morning sarcasm in my bag. >>Yeah. So I do put that on, but there, but there are tremendous partners that I work with that are able to do that and automate a lot of that for you. And I need to make it simple, but simple as hard. And that's what you know is, especially in cybersecurity, we want to make it simple for it and really be able to remove the threat to the end user and protect the user. But in order to do that, there's a ton of things on a ton of sophistication and innovation that happens in the background. And we really need to be able to showcase how that's done. And, um, I, it's, obviously I'm excited about it, but we need more people that are able to just specialize in this. We need more good guys that are able to come in and help us on this front. >>I also think we need to break down some barriers for on the competition with, you know, market share and the partners we need to, we need to kind of elevate the conversation a little bit and we all need to work together because we're all in the same boat when it comes to how we're being attacked. Um, you know, from a national perspective on a global scale. And I think that if we elevate the conversation, our collective, uh, mindset in that, that, that, that, uh, that, that mind share is going to be able to really help us innovate and, and put a stop to this. >>So then how is Presidio and AWS, how are you helping them until you get to it? Ransomware and mitigation can talk to us about that. How are you going to be helping, especially there's cyber security skills gap that's gone on like five years. >>Sure. Yeah. That skills gap is going to continue to, we're going to continue to see that grow as well. And we're efforting that on many fronts, but I'm really excited about the ransomware mitigation kit that got, uh, unveiled yesterday. Um, I got a call earlier this year from, uh, AWS and, and, uh, we basically, the question was posed to me, you know, what are we going to do about this is from an AWS perspective, what can we do? Um, you know, cause th the cyber adversaries are, uh, are, are relatively unchecked and, and, and their attitude is what are you going to do about it? So AWS posed the question, what are we going to do about it? And what we came up with was, you know, as, as an isolated organization, or as an isolated discipline as with like a managed detection and response or endpoint protection, um, that silo could not by itself accomplish and the solve to eliminate ransomware or to make a dent in eliminate ransomware. >>So what we had to do was combine disciplines, and we reached over to BCDR disaster recovery and, and, and, and our backup teams. And we said, let's put together endpoint protection, MDR, and let's, let's merge the two of these. And let's automate that. So that what happens is, is when we detect the ransomware attack, there's, there's a specific indicators of compromise that happened in the attack, the end point protection, which is CrowdStrike in our case can see that and can notify that, and then can tell the backup and recovery team, Hey, we know that this is a, this is an indicator of compromise. We know that this system is, has been owned. And then there's an inflection point where we can ask the user if they want to manually intervene, or if they want us to automate that and intervene for them. So it really keeps production going full-time and, uh, it doesn't, it takes away the cyber adversaries ability to hold our data hostage. So this is an, it was this one, and I don't use PI verbally, uh, frequently, but this is a monumental, uh, uh, evolution of what, of what we're going to see and how to prevent ransomware. >>Wow. I was reading that, that ransomware is backups, or you talked about backup, the backup backup attacks are on the rise as well. How can organizations, how can they work with Presidio in AWS? You described this as monumental kind of game-changing, how can they work with you guys to, to implement this technology so that we can start dialing down the threats? >>Yeah. So we would love to, we would love to hear from you, right? Give us a, give us a call. Um, but, uh, our teams, you know, with, with CloudEndure and AWS CloudEndure and CrowdStrike and what they've really come up with, and, and you have to have these two things ahead of time. So I sit on our critical incident response team, and, you know, I, I do work with, you know, the, the bureau as often as I can on attribution, but you have to have these ahead of time. So your, your, your, your, uh, critical response plan needs to be in place. And if you have the two things that we, that we've really put a lot of effort into over the last eight months, if you've got CrowdStrike and you've got cloud on, on the backend, we can establish all of those, um, and, and really set this up for you to eliminate that threat. And, and that's what we're excited to showcase this week, and, you know, in the coming months, and we're going to, and we've also got additional things in additional features that we plan to add to that in the, in the coming months, Dave, >>Your thoughts on the partnership between private industry and government entities. Uh, you mentioned that the level of sophistication to engage in this bad behavior doesn't necessarily have to be the, have to rise to the level of state sponsored. Um, but can we do this in the private sector, by ourselves? What are your, what are your sort of philosophical? >>I will give you my, I will give you a statistic on this and it will, it'll be self-explanatory. But, um, 80% of our critical infrastructure in the United States is privately held. So we're unique in that perspective, we aren't like some other countries where they can just mandate the requirement that the government will control critical infrastructure. It's privately held here in the United States. So you almost have to invite the federal government to come in, even though you are a critical infrastructure, they still have to be invited to come help you. And that partnership is key in order to be able to defend yourself, but also to defend the nation. Our power grids are our water sources. I mean, you'll see those are private private companies, but we need that federal help. And I try and evangelize that partnership. I mean, you know, there's always the, um, you know, when you think about working with federal agencies, like the, like the FBI, um, there's a little bit of hesitation and you're not really quite sure. >>I will tell you that those, those men and women are, um, uh, they're amazing. They're amazing to work with they're, they're really good at what they do. And, and you're certainly it's a partnership and they have a whole division set up there's the office of the private sector is designed to have these conversations and help you prepare. And then in the unfortunate instance where you might have an attack there, right. They're trying to figure out who did that to you, you know, and, and you're a victim, you're a victim of a federal crime at that point. And they, they treat you with such care and, you know, they're, uh, they do such a great job. So I think we have to engage them in order to, and we should actually be able to help them with the technology and how, and make it easier for them to do their job, but something I'm also very interested in. >>Talk to me about your interests as the last question, in terms of what's going to go on here, we are wrapping up 2021 entering 2022, which hopefully will be a much better year for on many fronts, including the decrease in ransomware. What are some of the things that you're excited about? There's so much technology, there's so much opportunity and innovation going on with AWS and its partner ecosystem. What excites you, what opportunities do you see as we head into 2020? Yeah. >>So I do see some, I do see some threats that are going to evolve. Um, ransomware is certainly going to be more of the same until we get this out in this new methodology and what we've built until that becomes widely adopted. I think we, you know, we're not going to make a dent in the numbers that we're seeing just yet, but I'm hoping that that will change when, you know, when the industries do start to adopt that. The other thing that I'm seeing is I think operational technology is going to take a hit in 2022 because the bad guys have started to figure out how, um, you know, that, that, that, that operational technology is not as, uh, it's not front and center. And it's not top of mind for a lot of CSOs. So they're, they're targeting that weakness and going after that. So I think we really need to brace for that and, and really, uh, get in front of that. Uh, so that's one of the things that I'm prepping for is really the operational IOT conversation, and then how I can help, uh, organizations and even, even home users, you know, with some of the stuff that you've got, you know, maybe in your own home that could be used again, >>Right? Cause that work from anywhere is going to persist for quite some time. Dave, thank you so much for joining Dave Nicholson and me on the program this morning, talking about what's going on in the threat landscape ransomware, but also this monumental shift and from, from a technology and a partnership perspective that Presidio and AWS are doing to help customers and every industry, private and public sector. We appreciate your insights. Thank you >>For having me. Thanks >>For being here. Very Dave and Dave I'm Lisa you're watching the cube, the global leader in live tech coverage.

(upbeat music) >> Live in Washington, DC. This is day two of two days of coverage. I'm John Furr, your host. We're in person face-to-face event it's kicking off day two. Dave Levy's here, Vice President of US government Nonprofit and healthcare businesses for AWS Public Sector. Dave, great to see you again, welcome back. >> Dave: Great to see you, John. >> So, great time last time we were in person, 2019, looks like the event, the last year was virtual, what's new? >> Well, first of all, I think it's just exciting. I mean, I'm excited to be back and in-person and so much has happened in our personal lives in our communities and so I'm really glad that we can all be together and it's been great so far. >> I was talking yesterday with some folks and I saw people doing some networking. I heard someone, "Hey, I'm want to hire someone." So, the face-to-face is back, we're also streaming. Max Peterson told me they're pushing it everywhere on Facebook, LinkedIn, Twitter, everywhere, Twitch, so free content, but still a lot of registrations here in person, good stuff. >> Yeah, great registrations. We're thrilled with the support from partners and customers. And also too, like you said, the connections that people are making, so it does feel good that things are flowing and people are having conversations and- >> Well, you got healthcare, nonprofits, US government, healthcare has been a big focus so far in this show. A lot of action, local governments, governments and healthcare seem to be like pandemic enabled to change. What's the update? What's the highlights so far for you? >> Well, I think the highlights are in those areas that, what we've been able to help our customers with is the ability to respond and that's what Cloud is all about and their ability to react and to respond to things that they don't necessarily know is going to happen and the big thing that none of us knew was going to happen was the pandemic. And so that ability and agility and preparedness to respond has really been great to see from a lot of those customers. >> You know, Max Peterson had the CIO from the Air Force up on stage and she's known for her comments about data and data's our data, the US Air Force and so data's big part of it. They are having a transformation and the how's that project going? What's the update there? What's your impression on that? >> Yeah, well, it was great to see the Air Force on stage and great to see Laura up there and we're really proud to support the DOD and the Air Force. And the Air Force has a lot to be proud of in their transformation journey and what they're doing with Cloud One is pretty substantial and amazing transformation for them. And then they've got 35 applications running on AWS. And so we think their progress is really good and they're thinking the right way in terms of their software factories and other types of projects. >> What's interesting is it's watching like who's adopting, it's like you look at like the pandemic has really opened up the view of the projects, which ones are doing well. And how do I say this politely? The projects that were being blocked or hidden, or the KPIs camouflaging the value were exposed because I mean, once that pulled back the curtain, people realized, "Oh my God, we're stuck," Or "we're inadequate, we are antiquated. We need to change," because now the pressure to deliver shifted to digital. I mean, this literally exposed the good, bad, and the ugly. >> It did and some were more prepared than others. There are great examples. We worked with the SBA to help expand the portal for the payroll protection program to get more lenders access faster. And that was a great project. They were able to respond really quickly and we were able to support them in that. Others, not so much. I think it you're right, it did expose that there's an opportunity. There's an opportunity to accelerate some of the things that they were doing already in terms of digital transformation. >> How about the GovCloud and the federal customers that you have, what's the traction point? How has that going? Is there a new generation here? >> GovCloud has been a great success. GovCloud it's our- >> John: 10-year anniversary. >> It's our 10-year anniversary, so we're thrilled to celebrate that. I can't believe it's 2011. >> EC2 is 15. Is that 315? I guess 15, too is SQS, the original building blocks. >> So, we've got a lot of great success through GovCloud and GovCloud was really something that was born out of what customers wanted, primarily federal customers. But we've also seen over the last few years, real adoption from regulated industry, real adoption from partners that are going into GovCloud that really want to take advantage of the security and compliance that federal customers need and the larger defense industrial base organizations need. So, GovCloud's been a fabulous success and expect I expect a lot of growth going forward. >> Yeah, is there a cultural shift in the federal government now? I can imagine some countries have been exploring this. I did talk briefly about it with Ms. Shannon Kellogg and John Wood, about how, if you're under the age of 40 and you work in the federal government, you got to be like, "Why aren't we doing this?" Like there seems to be like a cultural shift, younger generation coming in and be like, looking at the old way and be like, "Why are we still doing that?" >> Well, I think look bipartisan support for digital transformation, for making sure that we have the competitive edge for generations and generations to come in the US both in business and in defense and national security, I think is an imperative. I mean nobody I've talked to disagrees that we need to do this. And I think that younger workforce coming in behind I'm jealous of the 40-year olds, I wish I was under 40, but none of workforce really sees the obstacles that maybe previous generation saw these emerging technologies are becoming, the basic unit of computer's getting smaller, the cost to do these things is coming way down and I think that younger workforce says, "Why aren't we doing this?" >> Yeah and I think the Air Force projects are interesting too because that shows us not just about the CIA or the DOD that you have, they're leaning into production workloads, and the mission critical workloads too, the DOD is also now continuing to adopt. What else are you guys doing with the DOD? >> Well, we're partnering with GDIT on milCloud and that's going to give DOD mission owners access to a whole suite of AWS services. So, we're really excited about that. And those are available now. We're the only Cloud provider that's making that accessible to them on milCloud. And so this is going to open up the opportunity for them to start doing that mission work that you described. A good example of that are programs like ABMS, Air Force's Advanced Battle Management System. It's part of their effort around JADC2 and a great set of capabilities that they're delivering there. We're happy to have participated. We did some testing and some show intel, if you will at Ramstein Air Force Base and we're really proud to support that effort and we're excited about what the Air Force is doing. >> You know, I've always been impressed with the DOD when the tactical edge concept came out, that was very impressive because they're really using the data properly and I know Amazon has been doing well in this area because you've got things like Outpost, Wavelength, Snowball products. How's that edge piece developing? Do you see that becoming more critical now? >> It's absolutely critical. It's not becoming critical, it is critical and I think if you look at what the DOD and all of their partners are trying to accomplish, it's really moving all of that data around from the very edge in theater, back home to where it needs to be analyzed, doing it fast, doing it secure, being able to deliver on their missions and that's what this is all about. So, we see huge, huge opportunities to really innovate around the edge. >> Yeah, the data equation really is fascinating to me. Just when you think about things like words, highly available versus high availability means something 'cause you're going to want real time, not just on available data, you got to have it real time so the pressure around these projects are high. And so technically, you've got to have low latency on all this stuff. >> That's true, that's true. You've got to either have near real time or real-time availability and in many cases there's high stakes. So, the ability the DOD to pull this off is really, really important and we're a big supporter of that. >> Dave, I want to get your perspective because you've been in the industry, you've seen that the ways, we talked before cameras about the '90s and data centers and stuff. 10 years of GovCloud, look at public sector, just to look at the 10 years, interesting evolution. I mean, you couldn't give Cloud a wait 15 years ago. They weren't moving, glacier speed of adoption, now, massive adoption, uptakes there, the transformations are happening, migrations are huge, healthcare, which is like silo the data, HIPAA compliance lock everything down, everything's opening up. This is causing a lot of change. What's your reaction to that? >> Well, my reaction to that is I think customers are starting to connect what their outcomes are, whether it's a business outcome or a mission outcome or both to what Cloud can actually do. And I think that's freeing them up to make decisions about enabling Cloud in their environment, enabling experimentation, because that's what you want. You don't know what you're going to be faced with. We don't know what the threats are. We don't know if there's going to be another major pandemic. We hope there's not, but we don't know and if you set goals around your outcomes for mission and tie those, Cloud becomes such an enabler for that. And I see customers embracing that. Customers across the spectrum, nonprofit, healthcare providers, everybody, Homeland Security, VA, they're all thinking about, "What are the mission outcomes we're trying to drive?" >> Yeah, what's interesting too on that is that, just to point out is that the applications now aren't as complex to build relatively to the speed. In other words, you can get the time to value. So, the pandemic showed people that if you were in the Cloud and had that agility or optionality to be agile, you could write software 'cause software is the key in this, and not let's do the waterfall, 12-weeks assessment, 10-month rollout. Now people are doing it in 10 days, new applications. >> Sure, sure. Well, I tell customers a lot, "Think about McDonald's during the pandemic and think about customers like that who had to react to a new environment of delivery and your fast food fresh and how quickly companies like that are able to roll out capabilities." And I don't know that federal customers will be able to do it in a week or two weeks, but it's certainly possible. And it certainly will shorten that lead time that they have now in their software development. >> Well, great to see you, Dave. Is there any customers you want to highlight and you want to talk about, get a plug in for? >> Yeah, a lot of great customers here representing today and we're really appreciative also just want to say it was really great to see Max on stage for his first summit and think it was great to see Laura and others as well too. We've got some great customers coming here, The Veteran's affairs is going to be here as well as the Navy presenting on a lot of their capabilities today. So, I'm really excited about that. >> Yeah, a lot of action and education, healthcare, really blooming, really changing and modernizing. Big-wave migration, modernization, all kinds of the big wave. >> Yeah, it is. Yeah, big things coming and some of these systems are ready, so these systems are 40 and 50 years old and we're here to help these customers deliver on the agility and the extensibility of these systems to really serve citizens. >> What's your outlook for next year? What are you seeing next year so happening? How do you see everything unfolding? So you mentioned the pandemic, we're still in it, Delta Virus, who knows what's going to happen next, the world stage is changing, the global economy, space. >> I see customers really leaning in and starting to see the benefits of moving their data to the Cloud, number one, and then also to getting the insights using AI and ML to really drive the insights that they need to make the decisions on that data and I see more and more customers doing that. I did a panel this week, moderated a panel with some great customers around that and getting started is probably the biggest thing that I see and we're going to have more and more customers getting started. >> Yeah, getting into the Cloud. Congratulations to milCloud by the way, too. That was a good call out. All right, thanks for coming, I appreciate it. >> John: Yeah, thanks, Sean. >> Okay, keep coverage here. The Public Sector Summit, live in Washington, D.C. in-person event also hybrid we're streaming out. We're doing remote interviews and Amazon is streaming all the keynotes and key sessions for the digital folks out there. Thanks for watching. (upbeat music)

>>Welcome back to the cubes coverage of AWS public sector summit live in Washington D. C. A face to face event were on the ground here is to keep coverage. I'm john Kerry, your hosts got two great guests. Both cuba alumni Shannon Kellogg VP of public policy for the Americas and john would ceo tell us congratulations on some announcement on stage and congressional john being a public company. Last time I saw you in person, you are private. Now your I. P. O. Congratulations >>totally virtually didn't meet one investor, lawyer, accountant or banker in person. It's all done over zoom. What's amazing. >>We'll go back to that and a great great to see you had great props here earlier. You guys got some good stuff going on in the policy side, a core max on stage talking about this Virginia deal. Give us the update. >>Yeah. Hey thanks john, it's great to be back. I always like to be on the cube. Uh, so we made an announcement today regarding our economic impact study, uh, for the commonwealth of Virginia. And this is around the amazon web services business and our presence in Virginia or a WS as we all, uh, call, uh, amazon web services. And um, basically the data that we released today shows over the last decade the magnitude of investment that we're making and I think reflects just the overall investments that are going into Virginia in the data center industry of which john and I have been very involved with over the years. But the numbers are quite um, uh, >>just clever. This is not part of the whole H. 20. H. Q. Or whatever they call HQ >>To HQ two. It's so Virginia Amazon is investing uh in Virginia as part of our HQ two initiative. And so Arlington Virginia will be the second headquarters in the U. S. In addition to that, AWS has been in Virginia for now many years, investing in both data center infrastructure and also other corporate facilities where we house AWS employees uh in other parts of Virginia, particularly out in what's known as the dullest technology corridor. But our data centers are actually spread throughout three counties in Fairfax County, Loudoun County in Prince William County. >>So this is the maxim now. So it wasn't anything any kind of course this is Virginia impact. What was, what did he what did he announce? What did he say? >>Yeah. So there were a few things that we highlighted in this economic impact study. One is that over the last decade, if you can believe it, we've invested $35 billion 2020 alone. The AWS investment in construction and these data centers. uh it was actually $1.3 billion 2020. And this has created over 13,500 jobs in the Commonwealth of Virginia. So it's a really great story of investment and job creation and many people don't know John in this Sort of came through in your question too about HQ two, But aws itself has over 8000 employees in Virginia today. Uh, and so we've had this very significant presence for a number of years now in Virginia over the last, you know, 15 years has become really the cloud capital of the country, if not the world. Uh, and you see all this data center infrastructure that's going in there, >>John What's your take on this? You've been very active in the county there. Um, you've been a legend in the area and tech, you've seen this many years, you've been doing so I think the longest running company doing cyber my 31st year, 31st year. So you've been on the ground. What does this all mean to you? >>Well, you know, it goes way back to, it was roughly 2005 when I served on the Economic Development Commission, Loudon County as the chairman. And at the time we were the fastest-growing county in America in Loudon County. But our residential real property taxes were going up stratospherically because when you look at it, every dollar real property tax that came into residential, we lose $2 because we had to fund schools and police and fire departments and so forth. And we realized for every dollar of commercial real property tax that came in, We made $97 in profit, but only 13% of the money that was coming into the county was coming in commercially. So a small group got together from within the county to try and figure out what were the assets that we had to offer to companies like Amazon and we realized we had a lot of land, we had water and then we had, you know this enormous amount of dark fiber, unused fibre optic. And so basically the county made it appealing to companies like amazon to come out to Loudon County and other places in northern Virginia and the rest is history. If you look today, we're Loudon County is Loudon County generates a couple $100 million surplus every year. It's real property taxes have come down in in real dollars and the percentage of revenue that comes from commercials like 33 34%. That's really largely driven by the data center ecosystem that my friend over here Shannon was talking. So >>the formula basically is look at the assets resources available that may align with the kind of commercial entities that good. How's their domicile there >>that could benefit. >>So what about power? Because the data centers need power, fiber fiber is great. The main, the main >>power you can build power but the main point is is water for cooling. So I think I think we had an abundance of water which allowed us to build power sources and allowed companies like amazon to build their own power sources. So I think it was really a sort of a uh uh better what do they say? Better lucky than good. So we had a bunch of assets come together that helps. Made us, made us pretty lucky as a, as a region. >>Thanks area too. >>It is nice and >>john, it's really interesting because the vision that john Wood and several of his colleagues had on that economic development board has truly come through and it was reaffirmed in the numbers that we released this week. Um, aws paid $220 million 2020 alone for our data centers in those three counties, including loud >>so amazon's contribution to >>The county. $220 million 2020 alone. And that actually makes up 20% of overall property tax revenues in these counties in 2020. So, you know, the vision that they had 15 years ago, 15, 16 years ago has really come true today. And that's just reaffirmed in these numbers. >>I mean, he's for the amazon. So I'll ask you the question. I mean, there's a lot of like for misinformation going around around corporate reputation. This is clearly an example of the corporation contributing to the, to the society. >>No, no doubt. And you think >>About it like that's some good numbers, 20 million, 30 >>$5 million dollar capital investment. You know, 10, it's, what is it? 8000 9000 >>Jobs. jobs, a W. S. jobs in the Commonwealth alone. >>And then you look at the economic impact on each of those counties financially. It really benefits everybody at the end of the day. >>It's good infrastructure across the board. How do you replicate that? Not everyone's an amazon though. So how do you take the formula? What's your take on best practice? How does this rollout? And that's the amazon will continue to grow, but that, you know, this one company, is there a lesson here for the rest of us? >>I think I think all the data center companies in the cloud companies out there see value in this region. That's why so much of the internet traffic comes through northern Virginia. I mean it's I've heard 70%, I've heard much higher than that too. So I think everybody realizes this is a strategic asset at a national level. But I think the main point to bring out is that every state across America should be thinking about investments from companies like amazon. There are, there are really significant benefits that helps the entire community. So it helps build schools, police departments, fire departments, etcetera, >>jobs opportunities. What's the what's the vision though? Beyond data center gets solar sustainability. >>We do. We have actually a number of renewable energy projects, which I want to talk about. But just one other quick on the data center industry. So I also serve on the data center coalition which is a national organization of data center and cloud providers. And we look at uh states all over this country were very active in multiple states and we work with governors and state governments as they put together different frameworks and policies to incent investment in their states and Virginia is doing it right. Virginia has historically been very forward looking, very forward thinking and how they're trying to attract these data center investments. They have the right uh tax incentives in place. Um and then you know, back to your point about renewable energy over the last several years, Virginia is also really made some statutory changes and other policy changes to drive forward renewable energy in Virginia. Six years ago this week, john I was in a coma at county in Virginia, which is the eastern shore. It's a very rural area where we helped build our first solar farm amazon solar farm in Virginia in 2015 is when we made this announcement with the governor six years ago this week, it was 88 megawatts, which basically at the time quadruple the virginias solar output in one project. So since that first project we at Amazon have gone from building that one facility, quadrupling at the time, the solar output in Virginia to now we're by the end of 2023 going to be 1430 MW of solar power in Virginia with 15 projects which is the equivalent of enough power to actually Enough electricity to power 225,000 households, which is the equivalent of Prince William county Virginia. So just to give you the scale of what we're doing here in Virginia on renewable energy. >>So to me, I mean this comes down to not to put my opinion out there because I never hold back on the cube. It's a posture, we >>count on that. It's a >>posture issue of how people approach business. I mean it's the two schools of thought on the extreme true business. The government pays for everything or business friendly. So this is called, this is a modern story about friendly business kind of collaborative posture. >>Yeah, it's putting money to very specific use which has a very specific return in this case. It's for everybody that lives in the northern Virginia region benefits everybody. >>And these policies have not just attracted companies like amazon and data center building builders and renewable energy investments. These policies are also leading to rapid growth in the cybersecurity industry in Virginia as well. You know john founded his company decades ago and you have all of these cybersecurity companies now located in Virginia. Many of them are partners like >>that. I know john and I both have contributed heavily to a lot of the systems in place in America here. So congratulations on that. But I got to ask you guys, well I got you for the last minute or two cybersecurity has become the big issue. I mean there's a lot of these policies all over the place. But cyber is super critical right now. I mean, where's the red line Shannon? Where's you know, things are happening? You guys bring security to the table, businesses are out there fending for themselves. There's no militia. Where's the, where's the, where's the support for the commercial businesses. People are nervous >>so you want to try it? >>Well, I'm happy to take the first shot because this is and then we'll leave john with the last word because he is the true cyber expert. But I had the privilege of hosting a panel this morning with the director of the cybersecurity and Infrastructure Security agency at the department, Homeland Security, Jenness easterly and the agency is relatively new and she laid out a number of initiatives that the DHS organization that she runs is working on with industry and so they're leaning in their partnering with industry and a number of areas including, you know, making sure that we have the right information sharing framework and tools in place, so the government and, and we in industry can act on information that we get in real time, making sure that we're investing for the future and the workforce development and cyber skills, but also as we enter national cybersecurity month, making sure that we're all doing our part in cyber security awareness and training, for example, one of the things that are amazon ceo Andy Jassy recently announced as he was participating in a White house summit, the president biden hosted in late august was that we were going to at amazon make a tool that we've developed for information and security awareness for our employees free, available to the public. And in addition to that we announced that we were going to provide free uh strong authentication tokens for AWS customers as part of that announcement going into national cybersecurity months. So what I like about what this administration is doing is they're reaching out there looking for ways to work with industry bringing us together in these summits but also looking for actionable things that we can do together to make a difference. >>So my, my perspective echoing on some of Shannon's points are really the following. Uh the key in general is automation and there are three components to automation that are important in today's environment. One is cyber hygiene and education is a piece of that. The second is around mis attribution meaning if the bad guy can't see you, you can't be hacked. And the third one is really more or less around what's called attribution, meaning I can figure out actually who the bad guy is and then report that bad guys actions to the appropriate law enforcement and military types and then they take it from there >>unless he's not attributed either. So >>well over the basic point is we can't as industry hat back, it's illegal, but what we can do is provide the tools and methods necessary to our government counterparts at that point about information sharing, where they can take the actions necessary and try and find those bad guys. >>I just feel like we're not moving fast enough. Businesses should be able to hack back. In my opinion. I'm a hawk on this one item. So like I believe that because if people dropped on our shores with troops, the government will protect us. >>So your your point is directly taken when cyber command was formed uh before that as airlines seeing space physical domains, each of those physical domains have about 100 and $50 billion they spend per year when cyber command was formed, it was spending less than Jpmorgan chase to defend the nation. So, you know, we do have a ways to go. I do agree with you that there needs to be more uh flexibility given the industry to help help with the fight. You know, in this case. Andy Jassy has offered a couple of tools which are, I think really good strong tokens training those >>are all really good. >>We've been working with amazon for a long time, you know, ever since, uh, really, ever since the CIA embrace the cloud, which was sort of the shot heard around the world for cloud computing. We do the security compliance automation for that air gap region for amazon as well as other aspects >>were all needs more. Tell us faster, keep cranking up that software because tell you right now people are getting hit >>and people are getting scared. You know, the colonial pipeline hack that affected everybody started going wait a minute, I can't get gas. >>But again in this area of the line and jenny easterly said this this morning here at the summit is that this truly has to be about industry working with government, making sure that we're working together, you know, government has a role, but so does the private sector and I've been working cyber issues for a long time to and you know, kind of seeing where we are this year in this recent cyber summit that the president held, I really see just a tremendous commitment coming from the private sector to be an effective partner in securing the nation this >>full circle to our original conversation around the Virginia data that you guys are looking at the Loudon County amazon contribution. The success former is really commercial public sector. I mean, the government has to recognize that technology is now lingua franca for all things everything society >>well. And one quick thing here that segues into the fact that Virginia is the cloud center of the nation. Um uh the president issued a cybersecurity executive order earlier this year that really emphasizes the migration of federal systems into cloud in the modernization that jOHN has worked on, johN had a group called the Alliance for Digital Innovation and they're very active in the I. T. Modernization world and we remember as well. Um but you know, the federal government is really emphasizing this, this migration to cloud and that was reiterated in that cybersecurity executive order >>from the, well we'll definitely get you guys back on the show, we're gonna say something. >>Just all I'd say about about the executive order is that I think one of the main reasons why the president thought was important is that the legacy systems that are out there are mainly written on kobol. There aren't a lot of kids graduating with degrees in COBOL. So COBOL was designed in 1955. I think so I think it's very imperative that we move has made these workloads as we can, >>they teach it anymore. >>They don't. So from a security point of view, the amount of threats and vulnerabilities are through the >>roof awesome. Well john I want to get you on the show our next cyber security event. You have you come into a fireside chat and unpack all the awesome stuff that you're doing. But also the challenges. Yes. And there are many, you have to keep up the good work on the policy. I still say we got to remove that red line and identified new rules of engagement relative to what's on our sovereign virtual land. So a whole nother Ballgame, thanks so much for coming. I appreciate it. Thank you appreciate it. Okay, cute coverage here at eight of public sector seven Washington john ferrier. Thanks for watching. Mhm. Mhm.

from the cube studios in palo alto in boston connecting with thought leaders all around the world this is a cube conversation hey welcome back everybody jeff frick here with the cube coming to you from our palo alto studios with a cube conversation with a great influencer we haven't had him on for a while last had him on uh in may i think of 2019 mid 2019. we're excited to welcome back to the program he's kevin l jackson he is the ceo of gc globalnet kevin great to see you today hey how you doing jeff thanks for having me it's uh it's been a while but i really enjoyed it yeah i really enjoy being on thecube well thank you for uh for coming back so we've got you on to talk about citrix we had you last on we had you on a citrix synergy this year obviously covet hit all the all the events have gone virtual and digital and citrix made an interesting move they decided to kind of break their thing into three buckets kind of around the main topics that people are interested in in their world and that's cloud so they had a citrix cloud summit they had a citrix workplace summit and now they just had their last one of the three which is the citrix security summit uh just wrapped up so before we jump into that i just want to get your take how are you doing how you getting through the kind of covid madness from you know the light switch moment that we experienced in march april 2. you know now we're like seven eight months into this and it's not going to end anytime soon well you know it's it was kind of different for me because um i've been working from home and remotely since i guess 2014 being a consultant and with all my different clients i was doing a lot more traveling um but with respect to doing meetings and being on collaborative systems all day long it's sort of like uh old hat and i say welcome to my world but i find that you know society is really changing the things that you thought were necessary in business you know being physically at meetings and shaking hands that's all like you know although we don't do that anymore yeah i used to joke right when we started this year that we finally got to 2020 the year that we know everything right with the benefit of hindsight but it turned out to be the year that we actually find out that we don't know anything and everything that we thought we knew in fact is not necessarily what we thought and um we got thrown into this we got thrown into this thing and you know thankfully for you and for me we're in you know we're in the tech space we can we can go to digital we're not in the hotel business or the hospitality business or you know so many businesses that are still suffering uh greatly but we were able to make the move in i.t and and citrix is a big piece of that in terms of enabling people to support remote work they've always been in remote work but this really changed the game a lot and i think as you said before we turned on the cameras accelerated you know this digital transformation way faster than anybody planned on oh oh yeah absolutely and another one of the areas that was particularly um accelerated they sort of put the rockets on is security which i'm really happy about because of the rapid increase in the number of remote workers i mean historically companies had most of their workforce in their own buildings on on their own property and there was a small percentage that would remote work remotely right but it's completely flipped now and it flipped within a period of a week or a week and a half and many of these companies were really scrambling to make you know their entire workforce be able to communicate collaborate and just get access to information uh remotely right right well david talked about it in the security keynote you know that you know as you said when this light switch moment hit in mid-march you had to get everybody uh secure and take care of your people and get them set up but you know he talked a little bit about you know maybe there were some shortcuts taken um and now that we've been into this thing in a prolonged duration and again it's going to be going on for a while longer uh that there's really an opportunity to to make sure that you put all the proper uh systems in place and make sure that you're protecting people you're protecting the assets and you're protecting you know the jewels of the company which today are data right and data in all the systems that people are working with every single day yeah yeah absolutely they had to rapidly rethink all of the work models and this uh accelerated digital transformation and the adoption of cloud and it was just this this huge demand for remote work but it was also important to uh keep to think about the user experience the employee experience i mean they were learning new things learning new technologies trying to figure out how to how to do new things and that at the beginning of this uh trend this transition people were thinking that hey you know after a few months we'll be okay but now and it's starting to sink in that this stuff is here to stay so you have to understand that work is not a place and i think actually david said that right it's really you have to look at how the worker is delivering and contributing to the mission of the organization to the business model and you have to be able to measure the workers level of output and their accomplishment and be able to do this remotely so back to office is is not going to happen in reality so the employee experience through this digital environment this digital work space it's critical yeah i think one of the quotes he had whether i think was either this one or one of the prior ones is like back to work is not back to normal right we're not going to go back to the way that it was before but it's interesting you touched on employee experience and that's a big piece of the conversation right how do we measure output versus you know just time punching the clock how do we give people that that experience that they've come to expect with the way they interact in technology in their personal lives but there's an interesting you know kind of conflict and i think you've talked about it before between employee experience and security because those two kind of inherently are going to be always in conflict because the employee's going to want more access to more things easier to use and yet you've got to keep security baked in throughout the stack whether it's access to the systems whether it's the individual and and so there's always this built-in kind of tension between those two objectives well the tension is because of history security has always been sort of a a second thought an afterthought uh you know you said due to work oh security we'll catch up to it when we need to but now because of the importance of data and the inherently global connectivity that we have the the need for security has is paramount so in order to attract that in order to address that the existing infrastructures had this where we just bolted security on to the existing infrastructures uh this is when they when the data centers and we said well as long as it's in our data center we can control it but then we with this covet thing we'll just burst out of any data center we have to rely on cloud so this this concept of just bolting on security just doesn't work because you no longer own or control the security right so you have to look at the entire platform and have a holistic security approach and it has to go from being infrastructure-centric to data centric because that's the only way you're going to provide security to your data to those remote employees right right and there's a very significant shift we hear all the time we've got rsa uh all the time to talk about security and that's this concept of zero trust and and the idea that rather than as you said kind of the old school you put a a wall and a moat around the things that you're trying to protect right you kind of start from the perspective of i don't trust anybody i don't trust where they're coming from i don't trust their device i don't trust that they have access to those applications and i don't trust that they have access to that data and then you basically enable that on a kind of a need to know basis across all those different factors at kind of the least the least amount that they need to get their job done it's a really different kind of approach to thinking about security right and but it's a standardized approach i mean before present time you would customize security to the individual or 2d organization or component of the organization because you know you knew where they were and you would you would say well they won't accept this so we'll do that so everything was sort of piecemeal now that work is not a location you have to be much more standardized much more focused and being able to track and secure that data requires things like digital rights management and and secure browsers and some of the work that citrix has done with google has really been amazing they they looked at it from a different point of view they said okay where people are always working through the cloud in different locations from from anywhere but they all work through their browser so you know we could and i think this was something that the vice president at google said uh sunil potty i believe uh vice president of google cloud they said well we can capitalize on that interface without affecting the experience and he was talking about chrome so so citrix and and google have worked together to drive sort of an agent-less experience to order to enhance security so instead of making everything location specific or organizational specific they set a standard and they support this intent-driven security model yeah it's interesting sunil's a really sharp guy we've had him on thecube a ton of times uh over the years but there's another really interesting take on security and i want to get your your feedback on it and that's kind of this coopetation right and silicon valley is very famous for you know coopetation you might be competing tooth and nail with the company across the street at the same time you got an opportunity to partner you might share apis you know it's a really interesting thing and one of the the items that came out of the citrix show was this new thing called the workspace security alliance because what's interesting in security that even if we're competitors if you're suddenly getting a new type of threat where you're getting a new type of attack and there's a new you know kind of profile actually the industry likes to share that information to help other people in the security business as kind of you know us versus the bad guys even if we're you know competing for purchase orders we're competing you know kind of face-to-face so they announced this security alliance which is pretty interesting to basically bring in partners to support uh coopetition around the zero trust framework uh yeah absolutely this is happening across just about every industry though you're going away from uh point-to-point relationships to where you're operating and working within an ecosystem and in security just this week it's been highlighted by the uh the trick trick bot um activity this uh persistent uh malware that i guess this week is attacking um health care uh facilities the actual the u.s department of homeland security put out an alert now and this is a threat to the entire ecosystem so everyone has to work together to protect everyone's data and that improves that that is the way forward and that's really the only way to be successful so uh we have to go from this point-to-point mindset to understanding that we're all in the same boat together and in this uh alliance the workspace security alliance is an indication that citrix gets it right everyone has workers everyone's workers are remote okay and everyone has to protect their own data so why don't we work together to do that yeah that's great that's interesting i had not heard of that alert but what we are hearing a lot of um in in a lot of the interviews that we're doing is kind of a resurfacing of kind of old techniques uh that the bad guys are using to to try to get remote workers because they're not necessarily surrounded with as much security or have as much baked in in their home setup as they have in the office and apparently you know ransomware is really on the rise and the sophistication of the ransom where folks is very high and that they try to go after your backup and all in you know your replication stuff before they actually hit you up for the uh for the want for the money so it's it's there's absolutely that's right yeah go ahead i'm sorry i was just saying that's indicative of the shift that most of your workers are no longer in your facilities than now and at home where companies never really put a lot of investment into protecting that channel that data channel they didn't think they needed to right right one of the other interesting things that came up uh at the citrix event was the use of uh artificial intelligence and machine learning to basically have a dynamic environment where you're adjusting you know kind of the access levels based on the behavior of the individual so what apps are they accessing what you know are they moving stuff around are they downloading stuff and to actually kind of keep a monitor if you will to look for anomalies and behavior so even if someone is trusted to do a particular type of thing if suddenly they're you know kind of out of band for a while then you know you can flag alerts to say hey what's going on is that this person did their job change you know why are they doing things that they don't normally do maybe there's a reason maybe there isn't a reason maybe it's not them so you know i think there's so many great applications for applied machine learning and artificial intelligence and these are the types of applications where you're going to see the huge benefits come from this type of technology oh yeah absolutely i mean the citrix analytics for security is really a um security service right um that monitors the activities of of people on the internet and it this machine learning gives you or gives the service this insight no one company can monitor the entire internet and you can go anywhere on the internet so bob working together leveraging this external service you can actually have automated remediation of your users you can put this specific user security risk score so um companies and organizations can be assured that they are within their risk tolerance right right and of course the other thing you've been in the business for a while that we're seeing that we're just kind of on the cusp of right is 5g and iot so a lot more connected devices a lot more data a lot more data moving at machine speed which is really what 5g is all about it's not necessarily for having a better phone call right so we're just going to see you know kind of again this this growth in terms of attack surfaces this growth in terms of the quantity of data and the growth in terms of the the the rate of change that that data is coming in and and the scale and the speed with the old uh you know velocity and and variety and volume uh the old big data memes so again the other thing go ahead the other thing it's not just data when you have 5g the virtual machines themselves are going to be traveling over this network so it's a whole new paradigm yeah yeah so the uh once again to have you know kind of a platform approach to make sure you're applying intelligence to keep an eye on all these things from zero trust uh uh kind of baseline position right pretty damn important yeah absolutely with with edge computing the internet of things this whole infrastructure based data centric approach where you can focus on how the individual is interacting with the network is important and and uh another real important component of that is the um software-defined wide area network because people work from everywhere and you have to monitor what they're doing right right yeah it's really worked from anywhere not necessarily work from home anymore i just want to you know again you've been doing this for a while get your feedback on on the fact that this is so much of a human problem and so much of a human opportunity versus just pure technology i think it's really easy to kind of get wrapped up in the technology but i think you said before digital transformation is a cultural issue it's not a technology issue and getting people to change the way they work and to change the way they work with each other and to change what they're measuring um as you said kobe kind of accelerated that whole thing but this has always been more of a cultural challenge in a technology challenge yeah the technology in a relative sense of you is kind of easy right but it's the expectations of humans is what they're used to is what they have been told in the past is the right thing no longer is right so you have to teach you have to learn you have to accept change and not just change but rapid change and accelerated change and people just don't like change they're uncomfortable in change so another aspect of this culture is learning to be adaptable and to accept change because it's going to come whether you want it or not faster than you think as well for sure you're right well that's great so kevin i'll give i give you the final word as as you think about how things have changed and again i think i think the significant thing is that we went from you know kind of this light switch moment where it was you know emergency and and quick get everything squared away but now we're in this we're in kind of this new normal it's going to be going for a while we'll get back to some some version of a hybrid uh solution at some point and you and i will be seeing each other at trade shows at some point in time in the in the future but it's not going to go back the way that it was and people can't wait and hope that it goes back the way that it was and really need to get behind this kind of hybrid if you will work environment and helping people you know be more productive with the tools they need it always gets back to giving the right people the right information at the right time to do what they need to do so just kind of get your perspective as we you know kind of get to the end of 2020 we're going to turn the page here rapidly on 2021 and we're going to start 2021 in kind of the same place we are today well to be honest we've talked about a lot of these things but the answer to all of them is agility agility agility is the key to success this is like not locking into a single cloud you're going to have multiple clouds not locking into a single application you have multiple applications not assuming that you're always going to be working from home or working through a certain browser you have to be agile to adapt to rapid change and the organizations that recognize that and uh teach their workers teach their entire ecosystem to operate together in a rapidly changing world with agility will be successful that's a great that's a great way to leave it i saw beth comstack the former vice chair at ge give a keynote one time and one of her great lines was get comfortable with being uncomfortable and i think you nailed it right this is about agility it's about change it's we've seen it in devops where you embrace change you don't try to avoid it you know you take that really at the top level and try to architect to be successful in that environment as opposed to sticking your head in the sand and praying it doesn't absolutely all right well kevin so great to catch up i'm i'm sorry it's been as long as it's been but hopefully it'll be uh shorter uh before the next time we get to see each other yes fine thank you very much i really enjoyed it absolutely all right he's kevin l jackson i'm jeff frick you're watching thecube from our palo alto studios keep conversation we'll see you next time you

from around the globe it's thecube covering space and cyber security symposium 2020 hosted by cal poly hello and welcome to thecube's coverage we're here hosting with cal poly an amazing event space in the intersection of cyber security this session is defending satellite and space infrastructure from cyber threats got two great guests we've got major general john shaw combined four space component commander u.s space command and vandenberg air force base in california and roland cuello who's the ceo of maverick space systems gentlemen thank you for spending the time to come on to this session for the cal poly space and cyber security symposium appreciate it absolutely um guys defending satellites and space infrastructure is the new domain obviously it's a war warfighting domain it's also the future of the world and this is an important topic because we rely on space now for our everyday life and it's becoming more and more critical everyone knows how their phones work and gps just small examples of all the impacts i'd like to discuss with this hour this topic with you guys so if we can have you guys do an opening statement general if you can start with your opening statement we'll take it from there thanks john and greetings from vandenberg air force base we are just down the road from cal poly here on the central coast of california and uh very proud to be part of this uh effort and part of the partnership that we have with with cal poly on a number of fronts um i should uh so in in my job here i actually uh have two hats that i wear and it's i think worth talking briefly about those to set the context for our discussion you know we had two major organizational events within our department of defense with regard to space last year in 2019 and probably the one that made the most headlines was the stand-up of the united states space force that happened uh december 20th last year and again momentous the first new branch in our military since 1947 uh and uh it is a it's just over nine months old now as we're making this recording uh and already we're seeing a lot of change uh with regard to how we're approaching uh organizing training and equipping on a service side or space capabilities and so i uh in that with regard to the space force the hat i wear there is commander of space operations command that was what was once 14th air force when we were still part of the air force here at vandenberg and in that role i'm responsible for the operational capabilities that we bring to the joint warfighter and to the world from a space perspective didn't make quite as many headlines but another major change that happened last year was the uh the reincarnation i guess i would say of united states space command and that is a combatant command it's how our department of defense organizes to actually conduct warfighting operations um most people are more familiar perhaps with uh central command centcom or northern command northcom or even strategic command stratcom well now we have a space com we actually had one from 1985 until 2002 and then stood it down in the wake of the 9 11 attacks and a reorganization of homeland security but we've now stood up a separate command again operationally to conduct joint space operations and in that organization i wear a hat as a component commander and that's the combined force-based component command uh working with other all the additional capabilities that other services bring as well as our allies that combined in that title means that uh i under certain circumstances i would lead an allied effort uh in space operations and so it's actually a terrific job to have here on the central coast of california uh both working the uh how we bring space capabilities to the fight on the space force side and then how we actually operate those capabilities it's a point of joint in support of joint warfighters around the world um and and national security interests so that's the context now what el i i also should mention you kind of alluded to john you're beginning that we're kind of in a change situation than we were a number of years ago and that space we now see space as a warfighting domain for most of my career going back a little ways most of my my focus in my jobs was making sure i could bring space capabilities to those that needed them bringing gps to that special operations uh soldier on the ground somewhere in the world bringing satellite communications for our nuclear command and control bringing those capabilities for other uses but i didn't have to worry in most of my career about actually defending those space capabilities themselves well now we do we've actually gone to a point where we're are being threatened in space we now are treating it more like any other domain normalizing in that regard as a warfighting domain and so we're going through some relatively emergent efforts to protect and defend our capabilities in space to to design our capabilities to be defended and perhaps most of all to train our people for this new mission set so it's a very exciting time and i know we'll get into it but you can't get very far into talking about all these space capabilities and how we want to protect and defend them and how we're going to continue their ability to deliver to warfighters around the globe without talking about cyber because they fit together very closely so anyway thanks for the chance to be here today and i look forward to the discussion general thank you so much for that opening statement and i would just say that not only is it historic with the space force it's super exciting because it opens up so much more challenges and opportunities for to do more and to do things differently so i appreciate that statement roland your opening statement your your job is to put stuff in space faster cheaper smaller better your opening statement please um yes um thank you john um and yes you know to um general shaw's point you know with with the space domain and the need to protect it now um is incredibly important and i hope that we are more of a help um than a thorn in your side um in terms of you know building satellites smaller faster cheaper um you know and um definitely looking forward to this discussion and you know figuring out ways where um the entire space domain can work together you know from industry to to us government even to the academic environment as well so first would like to say and preface this by saying i am not a cyber security expert um we you know we build satellites um and uh we launch them into orbit um but we are by no means you know cyber security experts and that's why um you know we like to partner with organizations like the california cyber security institute because they help us you know navigate these requirements um so um so i'm the ceo of um of maverick space systems we are a small aerospace business in san luis obispo california and we provide small satellite hardware and service solutions to a wide range of customers all the way from the academic environment to the us government and everything in between we support customers through an entire you know program life cycle from mission architecture and formulation all the way to getting these customer satellites in orbit and so what we try to do is um provide hardware and services that basically make it easier for customers to get their satellites into orbit and to operate so whether it be reducing mass or volume um creating greater launch opportunities or providing um the infrastructure and the technology um to help those innovations you know mature in orbit you know that's you know that's what we do our team has experienced over the last 20 years working with small satellites and definitely fortunate to be part of the team that invented the cubesat standard by cal poly and stanford uh back in 2000 and so you know we are in you know vandenberg's backyard um we came from cal poly san luis obispo um and you know our um our hearts are fond you know of this area and working with the local community um a lot of that success um that we have had is directly attributable um to the experiences that we learned as students um working on satellite programs from our professors and mentors um you know that's you know all you know thanks to cal poly so just wanted to tell a quick story so you know back in 2000 just imagine a small group of undergraduate students you know myself included with the daunting task of launching multiple satellites from five different countries on a russian launch vehicle um you know many of us were only 18 or 19 not even at the legal age to drink yet um but as you know essentially teenagers we're managing million dollar budgets um and we're coordinating groups um from around the world um and we knew that we knew what we needed to accomplish um yet we didn't really know um what we were doing when we first started um the university was extremely supportive um and you know that's the cal poly learn by doing philosophy um i remember you know the first time we had a meeting with our university chief legal counsel and we were discussing the need to to register with the state department for itar nobody really knew what itar was back then um and you know discussing this with the chief legal counsel um you know she was asking what is itar um and we essentially had to explain you know this is um launching satellites as part of the um the u.s munitions list and essentially we have a similar situation you know exporting munitions um you know we are in similar categories um you know as you know as weapons um and so you know after that initial shock um everybody jumped in you know both feet forward um the university um you know our head legal counsel professors mentors and the students um you know knew we needed to tackle this problem um because you know the the need was there um to launch these small satellites and um you know the the reason you know this is important to capture the entire spectrum of users of the community um is that the technology and the you know innovation of the small satellite industry occurs at all levels you know so we have academia commercial national governments we even have high schools and middle schools getting involved and you know building satellite hardware um and the thing is you know the the importance of cyber security is incredibly important because it touches all of these programs and it touches you know people um at a very young age um and so you know we hope to have a conversation today um to figure out you know how do we um create an environment where we allow these programs to thrive but we also you know protect and you know keep their data safe as well thank you very much roland appreciate that uh story too as well thanks for your opening statement gentlemen i mean i love this topic because defending the assets in space is is as obvious um you look at it but there's a bigger picture going on in our world right now and generally you kind of pointed out the historic nature of space force and how it's changing already operationally training skills tools all that stuff is revolving you know in the tech world that i live in you know change the world is a topic they use that's thrown around a lot you can change the world a lot of young people we have just other panels on this where we're talking about how to motivate young people changing the world is what it's all about with technology for the better evolution is just an extension of another domain in this case space is just an extension of other domains similar things are happening but it's different there's a huge opportunity to change the world so it's faster there's an expanded commercial landscape out there certainly government space systems are moving and changing how do we address the importance of cyber security in space general we'll start with you because this is real it's exciting if you're a young person there's touch points of things to jump into tech building hardware to changing laws and and everything in between is an opportunity and it's exciting and it's truly a chance to change the world how does the commercial government space systems teams address the importance of cyber security so john i think it starts with with the realization that as i like to say that cyber and space are bffs uh there's nothing that we do on the cutting edge of space that isn't heavy reliant heavily reliant on the cutting edge of cyber and frankly there's probably nothing on the cutting edge of cyber that doesn't have a space application and when you realize that you see how how closely those are intertwined as we need to move forward at at speed it becomes fundamental to to the to answering your question let me give a couple examples we one of the biggest challenges i have on a daily basis is understanding what's going on in the space domain those on the on the on the surface of the planet talk about tyranny of distance across the oceans across large land masses and i talk about the tyranny of volume and you know right now we're looking out as far as the lunar sphere there's activity that's extending out to the out there we expect nasa to be conducting uh perhaps uh human operations in the lunar environment in the next few years so it extends out that far when you do the math that's a huge volume how do you do that how do you understand what's happening in real time in within that volume it is a big data problem by the very definition of that that kind of effort to that kind of challenge and to do it successfully in the years ahead it's going to require many many sensors and the fusion of data of all kinds to present a picture and then analytics and predictive analytics that are going to deliver an idea of what's going on in the space arena and that's just if people are not up to mischief once you have threats introduced into that environment it is even more challenging so i'd say it's a big data problem that we'll be enjoying uh tackling in the years ahead a second example is you know we if i if i had to if we had to take a vote of what were the most uh amazing robots that have ever been designed by humans i think that spacecraft would have to be up there on the list whether it's the nasa spacecraft that explore other planets or the ones that we or gps satellites that that amazingly uh provide a wonderful service to the entire globe uh and beyond they are amazing technological machines that's not going to stop i mean all the work that roland talked about at the at the even even that we're doing it at the kind of the microsoft level is is putting cutting-edge technology into smaller packages you can to get some sort of capability out of that as we expand our activities further and further into space for national security purposes or for exploration or commercial or civil the the cutting edge technologies of uh artificial intelligence uh and machine to machine engagements and machine learning are going to be part of that design work moving forward um and then there's the threat piece as we try to as we operate these these capabilities how these constellations grow that's going to be done via networks and as i've already pointed out space is a warfighting domain that means those networks will come under attack we expect that they will and that may happen early on in a conflict it may happen during peace time in the same way that we see cyber attacks all the time everywhere in many sectors of of activity and so by painting that picture you kind of get you we start to see how it's intertwined at the very very base most basic level the cutting edge of cyber and cutting edge of space with that then comes the need to any cutting edge cyber security capability that we have is naturally going to be needed as we develop space capabilities and we're going to have to bake that in from the very beginning we haven't done that in the past as well as we should but moving forward from this point on it will be an essential ingredient that we work into all of our new capability roland we're talking about now critical infrastructure we're talking about new capabilities being addressed really fast so it's kind of chaotic now there's threats so it's not as easy as just having capabilities because you've got to deal with the threats the general just pointed out but now you've got critical infrastructure which then will enable other things down down the line how do you protect it how do we address this how do you see this being addressed from a security standpoint because you know malware these techniques can be mapped in as extended into into space and takeovers wartime peacetime these things are all going to be under threat that's pretty well understood i think people kind of get that how do we address it what's your what's your take yeah you know absolutely and you know i couldn't agree more with general shaw you know with cyber security and space being so intertwined um and you know i think with fast and rapid innovation um comes you know the opportunity for threats especially um if you have bad actors um that you know want to cause harm and so you know as a technology innovator and you're pushing the bounds um you kind of have a common goal of um you know doing the best you can um and you know pushing the technology balance making it smaller faster cheaper um but a lot of times what entrepreneurs and you know small businesses and supply chains um are doing and don't realize it is a lot of these components are dual use right i mean you could have a very benign commercial application but then a small you know modification to it and turn it into a military application and if you do have these bad actors they can exploit that and so you know i think the the big thing is um creating a organization that is you know non-biased that just wants to kind of level the playing field for everybody to create a set standard for cyber security in space i think you know one group that would be perfect for that you know is um cci um you know they understand both the cybersecurity side of things and they also have you know at cal poly um you know the the small satellite group um and you know just having kind of a a clearinghouse or um an agency where um can provide information that is free um you know you don't need a membership for and to be able to kind of collect that but also you know reach out to the entire value chain you know for a mission and um making them aware um of you know what potential capabilities are and then how it might um be you know potentially used as a weapon um and you know keeping them informed because i think you know the the vast majority of people in the space industry just want to do the right thing and so how do we get that information free flowing to you know to the us government so that they can take that information create assessments and be able to not necessarily um stop threats from occurring presently but identify them long before that they would ever even happen um yeah that's you know general i want to i want to follow up on that real quick before we go to the next talk track critical infrastructure um you mentioned you know across the oceans long distance volume you know when you look at the physical world you know you had you know power grids here united states you had geography you had perimeters uh the notion of a perimeter and the moat this is and then you had digital comes in then you have we saw software open up and essentially take down this idea of a perimeter and from a defense standpoint and that everything changed and we had to fortify those critical assets uh in the u.s space increases the same problem statement significantly because it's you can't just have a perimeter you can't have a moat it's open it's everywhere like what digital's done and that's why we've seen a slurge of cyber in the past two decades attacks with software so this isn't going to go away you need the critical infrastructure you're putting it up there you're formulating it and you've got to protect it how do you view that because it's going to be an ongoing problem statement what's the current thinking yeah i i think my sense is a mindset that you can build a a firewall or a defense or some other uh system that isn't dynamic in his own right is probably not heading in the right direction i think cyber security in the future whether it's for our space systems or for other critical infrastructure is going to be a dynamic fight that happens at a machine-to-machine um a speed and dynamic um i don't think it's too far off where we will have uh machines writing their own code in real time to fight off attacks that are coming at them and by the way the offense will probably be doing the same kind of thing and so i i guess i would not want to think that the answer is something that you just build it and you leave it alone and it's good enough it's probably going to be a constantly evolving capability constantly reacting to new threats and staying ahead of those threats that's the kind of use case just to kind of you know as you were kind of anecdotal example is the exciting new software opportunities for computer science majors i mean i tell my young kids and everyone man it's more exciting now i wish i was 18 again it's so so exciting with ai bro i want to get your thoughts we were joking on another panel with the dod around space and the importance of it obviously and we're going to have that here and then we had a joke it's like oh software's defined everything it says software's everything ai and and i said well here in the united states companies had data centers and they went to the cloud and they said you can't do break fix it's hard to do break fix in space you can't just send a tech up i get that today but soon maybe robotics the general mentions robotics technologies and referencing some of the accomplishments fixing things is almost impossible in space but maybe form factors might get better certainly software will play a role what's your thoughts on that that landscape yeah absolutely you know for for software in orbit um you know there's there's a push for you know software-defined radios um to basically go from hardware to software um and you know that's that that's a critical link um if you can infiltrate that and a small satellite has propulsion on board you could you know take control of that satellite and cause a lot of havoc and so you know creating standards and you know that kind of um initial threshold of security um you know for let's say you know these radios you know communications and making that um available um to the entire supply chain to the satellite builders um and operators you know is incredibly key and you know that's again one of the initiatives that um that cci is um is tackling right now as well general i want to get your thoughts on best practices around cyber security um state of the art today uh and then some guiding principles and kind of how the if you shoot the trajectory forward what what might happen uh around um supply chain there's been many stories where oh we outsourced the chips and there's a little chip sitting in a thing and it's built by someone else in china and the software is written from someone in europe and the united states assembles it it gets shipped and it's it's corrupt and it has some cyber crime making i'm oversimplifying the the statement but this is what when you have space systems that involve intellectual property uh from multiple partners whether it's from software to creation and then deployment you get supply chain tiers what are some of the best practices that you see involving that don't stunt the innovation but continues to innovate but people can operate safely what's your thoughts yeah so on supply chain i think i think the symposium here is going to get to hear from lieutenant general jt thompson uh from space missile system center down in los angeles and and uh he's a he's just down the road from us there uh on the coast um and his team is is the one that we look to really focus on as he acquires and develop again bake in cyber security from the beginning and knowing where the components are coming from and and properly assessing those as you as you put together your space systems is a key uh piece of what his team is focused on so i expect we'll hear him talk about that when it talks to i think she asked the question a little more deeply about how do the best practices in terms of how we now develop moving forward well another way that we don't do it right is if we take a long time to build something and then you know general general jt thompson's folks take a while to build something and then they hand it over to to to me and my team to operate and then they go hands-free and and then and then that's you know that's what i have for for years to operate until the next thing comes along that's a little old school what we're going to have to do moving forward with our space capabilities and with the cyber piece baked in is continually developing new capability sets as we go we actually have partnership between general thompson's team and mine here at vandenberg on our ops floor or our combined space operations center that are actually working in real time together better tools that we can use to understand what's going on the space environment to better command and control our capabilities anywhere from military satellite communications to space domain awareness sensors and such and so and we're developing those capabilities in real time it's a dev and and with the security pieces so devsecops is we're practicing that in in real time i think that is probably the standard today that we're trying to live up to as we continue to evolve but it has to be done again in close partnership all the time it's not a sequential industrial age process while i'm on the subject of partnerships so general thompson's and team and mine have good partnerships it's part partnerships across the board are going to be another way that we are successful and that uh it means with with academia in some of the relationships that we have here with cal poly it's with the commercial sector in ways that we haven't done before the old style business was to work with just a few large um companies that had a lot of space experience well we need we need a lot of kinds of different experience and technologies now in order to really field good space capabilities and i expect we'll see more and more non-traditional companies being part of and and organizations being part of that partnership that will work going forward i mentioned at the beginning that um uh allies are important to us so everything that uh that role and i've been talking about i think you have to extrapolate out to allied partnerships right it doesn't help me uh as a combined force component commander which is again one of my jobs it doesn't help me if the united states capabilities are cyber secure but i'm trying to integrate them with capabilities from an ally that are not cyber secure so that partnership has to be dynamic and continually evolving together so again close partnering continually developing together from the acquisition to the operational sectors with as many um different sectors of our economy uh as possible are the ingredients to success general i'd love to just follow up real quick i was having just a quick reminder for a conversation i had with last year with general keith alexander who was does a lot of cyber security work and he was talking about the need to share faster and the new school is you got to share faster and to get the data you mentioned observability earlier you need to see what everything's out there he's a real passionate person around getting the data getting it fast and having trusted partners so that's not it's kind of evolving as i mean sharing is a well-known practice but with cyber it's sensitive data potentially so there's a trust relationship there's now a new ecosystem that's new for uh government how do you view all that and your thoughts on that trend of the sharing piece of it on cyber so it's i don't know if it's necessarily new but it's at a scale that we've never seen before and by the way it's vastly more complicated and complex when you overlay from a national security perspective classification of data and information at various levels and then that is again complicated by the fact you have different sharing relationships with different actors whether it's commercial academic or allies so it gets very very uh a complex web very quickly um so that's part of the challenge we're working through how can we how can we effectively share information at multiple classification levels with multiple partners in an optimal fashion it is certainly not optimal today it's it's very difficult even with maybe one industry partner for me to be able to talk about data at an unclassified level and then various other levels of classification to have the traditional networks in place to do that i could see a solution in the future where our cyber security is good enough that maybe i only really need one network and the information that is allowed to flow to the players within the right security environment um to uh to make that all happen as quickly as possible so you've actually uh john you've hit on yet another big challenge that we have is um is evolving our networks to properly share with the right people at the right uh clearance levels as at speed of war which is what we're going to need yeah and i wanted to call that out because this is an opportunity again this discussion here at cal poly and around the world is for new capabilities and new people to solve the problems and um it's again it's super exciting if you you know you're geeking out on this it's if you have a tech degree or you're interested in changing the world there's so many new things that could be applied right now roland will get your thoughts on this because one of the things in the tech trends we're seeing this is a massive shift all the theaters of the tech industry are are changing rapidly at the same time okay and it affects policy law but also deep tech the startup communities are super important in all this too we can't forget them obviously the big trusted players that are partnering certainly on these initiatives but your story about being in the dorm room now you got the boardroom and now you got everything in between you have startups out there that want to and can contribute and you know what's an itar i mean i got all these acronym certifications is there a community motion to bring startups in in a safe way but also give them a ability to contribute because you look at open source that proved everyone wrong on software that's happening now with this now open network concept the general is kind of alluding to which is it's a changing landscape your thoughts i know you're passionate about this yeah absolutely you know and i think um you know as general shaw mentioned you know we need to get information out there faster more timely and to the right people um and involving not only just stakeholders in the us but um internationally as well you know and as entrepreneurs um you know we have this very lofty vision or goal uh to change the world and um oftentimes um you know entrepreneurs including myself you know we put our heads down and we just run as fast as we can and we don't necessarily always kind of take a breath and take a step back and kind of look at what we're doing and how it's touching um you know other folks and in terms of a community i don't know of any formal community out there it's mostly ad hoc and you know these ad hoc communities are folks who let's say have you know was was a student working on a satellite um you know in college and they love that entrepreneurial spirit and so they said well i'm gonna start my own company and so you know a lot of the these ad hoc networks are just from relationships um that are that have been built over the last two decades um you know from from colleagues that you know at the university um i do think formalizing this and creating um kind of a you know clearinghouse to to handle all of this is incredibly important yeah um yeah there's gonna be a lot of entrepreneurial activity no doubt i mean just i mean there's too many things to work on and not enough time so i mean this brings up the question though while we're on this topic um you got the remote work with covid everyone's working remotely we're doing this remote um interview rather than being on stage works changing how people work and engage certainly physical will come back but if you looked at historically the space industry and the talent you know they're all clustered around the bases and there's always been these areas where you're you're a space person you're kind of working there and there's jobs there and if you were cyber you were 10 in other areas over the past decade there's been a cross-pollination of talent and location as you see the intersection of space general start with you you know first of all central coast is a great place to live i know that's where you guys live but you can start to bring together these two cultures sometimes they're you know not the same maybe they're getting better we know they're being integrated so general can you just share your thoughts because this is uh one of those topics that everyone's talking about but no one's actually kind of addressed directly um yeah john i i think so i think i want to answer this by talking about where i think the space force is going because i think if there was ever an opportunity or inflection point in our department of defense to sort of change culture and and try to bring in non-traditional kinds of thinking and and really kind of change uh maybe uh some of the ways that the department of defense has does things that are probably archaic space force is an inflection point for that uh general raymond our our chief of space operations has said publicly for a while now he wants the us space force to be the first truly digital service and uh you know what we what we mean by that is you know we want the folks that are in the space force to be the ones that are the first adopters or the early adopters of of technology um to be the ones most fluent in the cutting edge technological developments on space and cyber and and other um other sectors of the of of the of the economy that are technologically focused uh and i think there's some can that can generate some excitement i think and it means that we probably end up recruiting people into the space force that are not from the traditional recruiting areas that the rest of the department of defense looks to and i think it allows us to bring in a diversity of thought and diversity of perspective and a new kind of motivation um into the service that i think is frankly is is really exciting so if you put together everything i mentioned about how space and cyber are going to be best friends forever and i think there's always been an excitement in them you know from the very beginning in the american psyche about space you start to put all these ingredients together and i think you see where i'm going with this that really changed that cultural uh mindset that you were describing it's an exciting time for sure and again changing the world and this is what you're seeing today people do want to change world they want a modern world that's changing roy look at your thoughts on this i was having an interview a few years back with a tech entrepreneur um techie and we were joking we were just kind of riffing and we and i said everything that's on star trek will be invented and we're almost there actually if you think about it except for the transporter room you got video you got communicators so you know not to bring in the star trek reference with space force this is digital and you start thinking about some of the important trends it's going to be up and down the stack from hardware to software to user experience everything your thoughts and reaction yeah abs absolutely and so you know what we're seeing is um timeline timelines shrinking dramatically um because of the barrier to entry for you know um new entrants and you know even your existing aerospace companies is incredibly low right so if you take um previously where you had a technology on the ground and you wanted it in orbit it would take years because you would test it on the ground you would verify that it can operate in space in a space environment and then you would go ahead and launch it and you know we're talking tens if not hundreds of millions of dollars to do that now um we've cut that down from years to months when you have a prototype on the ground and you want to get it launched you don't necessarily care if it fails on orbit the first time because you're getting valuable data back and so you know we're seeing technology being developed you know for the first time on the ground and in orbit in a matter of a few months um and the whole kind of process um you know that that we're doing as a small business is you know trying to enable that and so allowing these entrepreneurs and small small companies to to get their technology in orbit at a price that is sometimes even cheaper than you know testing on the ground you know this is a great point i think this is really an important point to call out because we mentioned partnerships earlier the economics and the business model of space is doable i mean you do a mission study you get paid for that you have technology you can get stuff up up quickly and there's a cost structure there and again the alternative was waterfall planning years and millions now the form factors are different now again there may be different payloads involved but you can standardize payloads you got robotic arms all this is all available this brings up the congestion problem this is going to be on the top of mind the generals of course but you got the proliferation okay of these constellation systems you have more and more tech vectors i mean essentially that's malware i mean that's a probe you throw something up in space that could cause some interference maybe a takeover general this is the this is the real elephant in the room the threat matrix from new stuff and new configurations so general how does the proliferation of constellation systems change the threat matrix so i i think the uh you know i guess i'm gonna i'm gonna be a little more optimistic john than i think you pitched that i'm actually excited about these uh new mega constellations in leo um i'm excited about the the growing number of actors that are that are going into space for various reasons and why is that it's because we're starting to realize a new economic engine uh for the nation and for human society so the question is so so i think we want that to happen right when uh um when uh we could go to almost any any other domain in history and and and you know there when when air traffic air air travel started to become much much more commonplace with many kinds of uh actors from from private pilots flying their small planes all the way up to large airliners uh you know there there was a problem with congestion there was a problem about um challenges about uh behavior and are we gonna be able to manage this and yes we did and it was for the great benefit of society i could probably look to the maritime domain for similar kinds of things and so this is actually exciting about space we are just going to have to find the ways as a society and it's not just the department of defense it's going to be civil it's going to be international find the mechanisms to encourage this continued investment in the space domain i do think the space force uh will play a role in in providing security in the space environment as we venture further out as as economic opportunities emerge uh wherever they are um in the in the lunar earth lunar system or even within the solar system space force is going to play a role in that but i'm actually really excited about the those possibilities hey by the way i got to say you made me think of this when you talked about star trek and and and space force and our technologies i remember when i was younger watching the the next generation series i thought one of the coolest things because being a musician in my in my spare time i thought one of the coolest things was when um commander riker would walk into his quarters and and say computer play soft jazz and there would just be the computer would just play music you know and this was an age when you know we had we had hard uh um uh media right like how will that that is awesome man i can't wait for the 23rd century when i can do that and where we are today is is so incredible on those lines the things that i can ask alexa or siri to play um well that's the thing everything that's on star trek think about it almost invented i mean you got the computers you got the only thing really is the holograms are starting to come in you got now the transporter room now that's physics we'll work on that right right so there's a there is this uh a balance between physics and imagination but uh we have not exhausted either well um personally everyone that knows me knows i'm a huge star trek fan all the series of course i'm an original purist but at that level but this is about economic incentive as well roland i want to get your thoughts because you know the gloom and doom you got to think about the the bad stuff to make it good if i if i put my glass half full on the table there's economic incentives just like the example of the plane and the air traffic there's there's actors that are more actors that are incented to have a secure system what's your thoughts to general's comments around the optimism and and the potential threat matrix that needs to be managed absolutely so and you know one of the things that we've seen over the years um as you know we build these small satellites is a lot of the technology you know that the general is talking about um you know voice recognition miniaturized chips and sensors um started on the ground and i mean you know you have you know your iphone um that about 15 years ago before the first iphone came out um you know we were building small satellites in the lab and we were looking at cutting-edge state-of-the-art magnetometers and sensors um that we were putting in our satellites back then we didn't know if they were going to work and then um a few years later as these students graduate they go off and they go out to under you know other industries and so um some of the technology that was first kind of put in these cubesats in the early 2000s you know kind of ended up in the first generation iphone smartphones um and so being able to take that technology rapidly you know incorporate that into space and vice versa gives you an incredible economic advantage because um not only are your costs going down um because you know you're mass producing you know these types of terrestrial technologies um but then you can also um you know increase you know revenue and profit um you know by by having you know smaller and cheaper systems general let's talk about that for real quickly it's a good point i want to just shift it into the playbook i mean everyone talks about playbooks for management for tech for startups for success i mean one of the playbooks that's clear from in history is investment in r d around military and or innovation that has a long view spurs innovation commercially i mean just there's a huge many decades of history that shows that hey we got to start thinking about these these challenges and you know next you know it's in an iphone this is history this is not like a one-off and now with space force you get you're driving you're driving the main engine of innovation to be all digital you know we we riff about star trek which is fun but the reality is you're going to be on the front lines of some really new cool mind-blowing things could you share your thoughts on how you sell that people who write the checks or recruit more talent well so i first i totally agree with your thesis that the that you know national security well could probably go back an awful long way hundreds to thousands of years that security matters tend to drive an awful lot of innovation and creativity because um you know i think the the probably the two things that drive drive people the most are probably an opportunity to make money uh but only by beating that out are trying to stay alive um and uh and so i don't think that's going to go away and i do think that space force can play a role um as it pursues uh security uh structures you know within the space domain to further encourage economic investment and to protect our space capabilities for national security purposes are going to be at the cutting edge this isn't the first time um i think we can point back to the origins of the internet really started in the department of defense and with a partnership i should add with academia that's how the internet got started that was the creativity in order to to meet some needs there cryptography has its roots in security but we use it uh in in national security but now we use it in for economic reasons and meant and a host of other kinds of reasons and then space itself right i mean we still look back to uh apollo era as an inspiration for so many things that inspired people to to either begin careers in in technical areas or in space and and so on so i think i think in that same spirit you're absolutely right i guess i'm totally agreeing with your thesis the space force uh will be and a uh will have a positive inspirational influence in that way and we need to to realize that so when we are asking for when we're looking for how we need to meet capability needs we need to spread that net very far look for the most creative solutions and partner early and often with those that that can that can work on those when you're on the new frontier you've got to have a team sport it's a team effort you mentioned the internet just anecdotally i'm old enough to remember this because i remember the days that was going on and said the government if the policy decisions that the u.s made at that time was to let it go a little bit invisible hand they didn't try to commercialize it too fast and but there was some policy work that was done that had a direct effect to the innovation versus take it over and next you know it's out of control so i think you know i think this this just a cross-disciplinary skill set becomes a big thing where you need to have more people involved and that's one of the big themes of this symposium so it's a great point thank you for sharing that roland your thoughts on this because you know you got policy decisions we all want to run faster we want to be more innovative but you got to have some ops view now mostly ops people want things very tight very buttoned up secure the innovators want to go faster it's the yin and yang that's that's the world we live in how's it all balanced in your mind yeah um you know one of the things um that may not be apparently obvious is that you know the us government and department of um of defense is one of the biggest investors in technology in the aerospace sector um you know they're not the traditional venture capitalists but they're the ones that are driving technology innovation because there's funding um you know and when companies see that the us governments is interested in something businesses will will re-vector um you know to provide that capability and in the i would say the more recent years we've had a huge influx of private equity venture capital um coming into the markets to kind of help augment um you know the government investment and i think having a good partnership and a relationship with these private equity venture capitalists and the us government is incredibly important because the two sides you know can can help collaborate and kind of see a common goal but then also too on um you know the other side is you know there's that human element um and as general shaw was saying it's like not you know not only do companies you know obviously want to thrive and do really well some companies just want to stay alive um to see their technology kind of you know grow into what they've always dreamed of and you know oftentimes entrepreneurs um are put in a very difficult position because they have to make payroll they have to you know keep the lights on and so sometimes they'll take investment um from places where they may normally would not have you know from potentially foreign investment that could potentially you know cause issues with you know the you know the us supply chain well my final question is the best i wanted to say for last because i love the idea of human space flight i'd love to be on mars i'm not sure i'll be able to make it someday but how do you guys see the possible impacts of cyber security on expanding human space flight operations i mean general this is your wheelhouse this is urine command putting humans in space and certainly robots will be there because they're easy to go because they're not human but humans in space i mean you're starting to see the momentum the discussion uh people are are scratching that itch what's your take on that how do we see making this more possible well i i think we will see we will see uh commercial space tourism uh in the future i'm not sure how wide and large a scale it will become but we'll we will see that and um part of uh i think the mission of the space force is going to be probably to again do what we're doing today is have really good awareness of what's going on the domain to uh to to to ensure that that is done safely and i think a lot of what we do today will end up in civil organizations to do space traffic management and safety uh in in that uh arena um and uh um it is only a matter of time uh before we see um humans going even beyond the you know nasa has their plan the the artemis program to get back to the moon and the gateway initiative to establish a a space station there and that's going to be an exploration initiative but it is only a matter of time before we have um private citizens or private corporations putting people in space and not only for tourism but for economic activity and so it'll be really exciting to watch it would be really exciting and space force will be a part of it general roland i want to thank you for your valuable time to come on this symposium i really appreciate it final uh comment i'd love to you to spend a minute to share your personal thoughts on the importance of cyber security to space and we'll close it out we'll start with you roland yeah so i think that the biggest thing um i would like to try to get out of this you know from my own personal perspective is um creating that environment that allows um you know the the aerospace supply chain small businesses you know like ourselves be able to meet all the requirements um to protect um and safeguard our data but also um create a way that you know we can still thrive and it won't stifle innovation um you know i'm looking forward um to comments and questions um you know from the audience um to really kind of help um you know you know basically drive to that next step general final thoughts the importance of cyber security to space i'll just i'll go back to how i started i think john and say that space and cyber are forever intertwined they're bffs and whoever has my job 50 years from now or 100 years from now i predict they're going to be saying the exact same thing cyber and space are are intertwined for good we will always need the cutting edge cyber security capabilities that we develop as a nation or as a as a society to protect our space capabilities and our cyber capabilities are going to need space capabilities in the future as well general john shaw thank you very much roland cleo thank you very much for your great insight thank you to cal poly for putting this together i want to shout out to the team over there we couldn't be in person but we're doing a virtual remote event i'm john furrier with thecube and siliconangle here in silicon valley thanks for watching

>> Announcer: From around the globe, it's "theCUBE" covering Space and Cybersecurity Symposium 2020 hosted by Cal Poly. >> I want to welcome to theCUBE's coverage, we're here hosting with Cal Poly an amazing event, space and the intersection of cyber security. This session is Defending Satellite and Space Infrastructure from Cyber Threats. We've got two great guests. We've got Major General John Shaw of combined force space component commander, U.S. space command at Vandenberg Air Force Base in California and Roland Coelho, who's the CEO of Maverick Space Systems. Gentlemen, thank you for spending the time to come on to this session for the Cal Poly Space and Cybersecurity Symposium. Appreciate it. >> Absolutely. >> Guys defending satellites and space infrastructure is the new domain, obviously it's a war-fighting domain. It's also the future of the world. And this is an important topic because we rely on space now for our everyday life and it's becoming more and more critical. Everyone knows how their phones work and GPS, just small examples of all the impacts. I'd like to discuss with this hour, this topic with you guys. So if we can have you guys do an opening statement. General if you can start with your opening statement, we'll take it from there. >> Thanks John and greetings from Vandenberg Air Force Base. We are just down the road from Cal Poly here on the central coast of California, and very proud to be part of this effort and part of the partnership that we have with Cal Poly on a number of fronts. In my job here, I actually have two hats that I wear and it's I think, worth talking briefly about those to set the context for our discussion. You know, we had two major organizational events within our Department of Defense with regard to space last year in 2019. And probably the one that made the most headlines was the standup of the United States Space Force. That happened December 20th, last year, and again momentous, the first new branch in our military since 1947. And it's just over nine months old now, as we're makin' this recording. And already we're seein' a lot of change with regard to how we are approaching organizing, training, and equipping on a service side for space capabilities. And so, with regard to the Space Force, the hat I wear there is Commander of Space Operations Command. That was what was once 14th Air Force, when we were still part of the Air Force here at Vandenberg. And in that role, I'm responsible for the operational capabilities that we bring to the joint warfighter and to the world from a space perspective. Didn't make quite as many headlines, but another major change that happened last year was the reincarnation, I guess I would say, of United States Space Command. And that is a combatant command. It's how our Department of Defense organizes to actually conduct war-fighting operations. Most people are more familiar perhaps with Central Command, CENTCOM or Northern Command, NORTHCOM, or even Strategic Command, STRATCOM. Well, now we have a SPACECOM. We actually had one from 1985 until 2002, and then stood it down in the wake of the 9/11 attacks and a reorganization of Homeland Security. But we've now stood up a separate command again operationally, to conduct joint space operations. And in that organization, I wear a hat as a component commander, and that's the combined force-based component command working with other, all the additional capabilities that other services bring, as well as our allies. The combined in that title means that under certain circumstances, I would lead in an allied effort in space operations. And so it's actually a terrific job to have here on the central coast of California. Both working how we bring space capabilities to the fight on the Space Force side, and then how we actually operate those capabilities in support of joint warfighters around the world and national security interests. So that's the context. Now what also I should mention and you kind of alluded to John at your beginning, we're kind of in a changed situation than we were a number of years ago, in that we now see space as a war-fighting domain. For most of my career, goin' back a little ways, most of my focus in my jobs was making sure I could bring space capabilities to those that needed them. Bringing GPS to that special operations soldier on the ground somewhere in the world, bringing satellite communications for our nuclear command and control, bringing those capabilities for other uses. But I didn't have to worry in most of my career, about actually defending those space capabilities themselves. Well, now we do. We've actually gone to a point where we're are being threatened in space. We now are treating it more like any other domain, normalizing in that regard as a war-fighting domain. And so we're going through some relatively emergent efforts to protect and defend our capabilities in space, to design our capabilities to be defended, and perhaps most of all, to train our people for this new mission set. So it's a very exciting time, and I know we'll get into it, but you can't get very far into talking about all these space capabilities and how we want to protect and defend them and how we're going to continue their ability to deliver to warfighters around the globe, without talking about cyber, because they fit together very closely. So anyway, thanks for the chance to be here today. And I look forward to the discussion. >> General, thank you so much for that opening statement. And I would just say that not only is it historic with the Space Force, it's super exciting because it opens up so much more challenges and opportunities to do more and to do things differently. So I appreciate that statement. Roland in your opening statement. Your job is to put stuff in space, faster, cheaper, smaller, better, your opening statement, please. >> Yes, thank you, John. And yes, to General Shaw's point with the space domain and the need to protect it now is incredibly important. And I hope that we are more of a help than a thorn in your side in terms of building satellites smaller, faster, cheaper. Definitely looking forward to this discussion and figuring out ways where the entire space domain can work together, from industry to U.S. government, even to the academic environment as well. So first, I would like to say, and preface this by saying, I am not a cybersecurity expert. We build satellites and we launch them into orbit, but we are by no means cybersecurity experts. And that's why we like to partner with organizations like the California Cybersecurity Institute because they help us navigate these requirements. So I'm the CEO of Maverick Space Systems. We are a small aerospace business in San Luis Obispo, California. And we provide small satellite hardware and service solutions to a wide range of customers. All the way from the academic environment to the U.S. government and everything in between. We support customers through an entire program life cycle, from mission architecture and formulation, all the way to getting these customer satellites in orbit. And so what we try to do is provide hardware and services that basically make it easier for customers to get their satellites into orbit and to operate. So whether it be reducing mass or volume, creating greater launch opportunities, or providing the infrastructure and the technology to help those innovations mature in orbit, that's what we do. Our team has experience over the last 20 years, working with small satellites. And I'm definitely fortunate to be part of the team that invented the CubeSat standard by Cal Poly and Stanford back in 2000. And so, we are in VandenBerg's backyard. We came from Cal Poly San Luis Obispo and our hearts are fond of this area, and working with the local community. A lot of that success that we have had is directly attributable to the experiences that we learned as students, working on satellite programs from our professors and mentors. And that's all thanks to Cal Poly. So just wanted to tell a quick story. So back in 2000, just imagine a small group of undergraduate students, myself included, with the daunting task of launching multiple satellites from five different countries on a Russian launch vehicle. Many of us were only 18 or 19, not even at the legal age to drink yet, but as essentially teenagers we were managing million-dollar budgets. And we were coordinating groups from around the world. And we knew what we needed to accomplish, yet we didn't really know what we were doing when we first started. The university was extremely supportive and that's the Cal Poly learn-by-doing philosophy. I remember the first time we had a meeting with our university chief legal counsel, and we were discussing the need to register with the State Department for ITAR. Nobody really knew what ITAR was back then. And discussing this with the chief legal counsel, she was asking, "What is ITAR?" And we essentially had to explain, this is, launching satellites is part of the U.S. munitions list. And essentially we had a similar situation exporting munitions. We are in similar categories as weapons. And so, after that initial shock, everybody jumped in both feet forward, the university, our head legal counsel, professors, mentors, and the students knew we needed to tackle this problem because the need was there to launch these small satellites. And the reason this is important to capture the entire spectrum of users of the community, is that the technology and the innovation of the small satellite industry occurs at all levels, so we have academia, commercial, national governments. We even have high schools and middle schools getting involved and building satellite hardware. And the thing is the importance of cybersecurity is incredibly important because it touches all of these programs and it touches people at a very young age. And so, we hope to have a conversation today to figure out how do we create an environment where we allow these programs to thrive, but we also protect and keep their data safe as well. >> Thank you very much Roland. Appreciate that a story too as well. Thanks for your opening statement. Gentlemen, I mean I love this topic because defending the assets in space is obvious, if you look at it. But there's a bigger picture going on in our world right now. And general, you kind of pointed out the historic nature of Space Force and how it's changing already, operationally, training, skills, tools, all that stuff is evolving. You know in the tech world that I live in, change the world is a topic they use, gets thrown around a lot, you can change the world. A lot of young people, and we have other panels on this where we're talkin' about how to motivate young people, changing the world is what it's all about technology, for the better. Evolution is just an extension of another domain. In this case, space is just an extension of other domains, similar things are happening, but it's different. There's huge opportunity to change the world, so it's faster. There's an expanded commercial landscape out there. Certainly government space systems are moving and changing. How do we address the importance of cybersecurity in space? General, we'll start with you because this is real, it's exciting. If you're a young person, there's touch points of things to jump into, tech, building hardware, to changing laws, and everything in between is an opportunity, and it's exciting. And it is truly a chance to change the world. How does the commercial government space systems teams, address the importance of cybersecurity? >> So, John, I think it starts with the realization that as I like to say, that cyber and space are BFFs. There's nothing that we do on the cutting edge of space that isn't heavily reliant on the cutting edge of cyber. And frankly, there's probably nothing on the cutting edge of cyber that doesn't have a space application. And when you realize that and you see how closely those are intertwined as we need to move forward at speed, it becomes fundamental to answering your question. Let me give a couple examples. One of the biggest challenges I have on a daily basis is understanding what's going on in the space domain. Those on the surface of the planet talk about tyranny of distance across the oceans or across large land masses. And I talk about the tyranny of volume. And right now, we're looking out as far as the lunar sphere. There's activity that's extending out there. We expect NASA to be conducting perhaps human operations in the lunar environment in the next few years. So it extends out that far. When you do the math that's a huge volume. How do you do that? How do you understand what's happening in real time within that volume? It is a big data problem by the very definition of that kind of effort and that kind of challenge. And to do it successfully in the years ahead, it's going to require many, many sensors and the fusion of data of all kinds, to present a picture and then analytics and predictive analytics that are going to deliver an idea of what's going on in the space arena. And that's just if people are not up to mischief. Once you have threats introduced into that environment, it is even more challenging. So I'd say it's a big data problem that we'll enjoy tackling in the years ahead. Now, a second example is, if we had to take a vote of what were the most amazing robots that have ever been designed by humans, I think that spacecraft would have to be up there on the list. Whether it's the NASA spacecraft that explore other planets, or GPS satellites that amazingly provide a wonderful service to the entire globe and beyond. They are amazing technological machines. That's not going to stop. I mean, all the work that Roland talked about, even that we're doin' at the kind of the microsat level is putting cutting-edge technology into small a package as you can to get some sort of capability out of that. As we expand our activities further and further into space for national security purposes, or for exploration or commercial or civil, the cutting-edge technologies of artificial intelligence and machine-to-machine engagements and machine learning are going to be part of that design work moving forward. And then there's the threat piece. As we operate these capabilities, as these constellations grow, that's going to be done via networks. And as I've already pointed out space is a war-fighting domain. That means those networks will come under attack. We expect that they will and that may happen early on in a conflict. It may happen during peace time in the same way that we see cyber attacks all the time, everywhere in many sectors of activity. And so by painting that picture, we start to see how it's intertwined at the very, very most basic level, the cutting edge of cyber and cutting edge of space. With that then comes the need to, any cutting edge cybersecurity capability that we have is naturally going to be needed as we develop space capabilities. And we're going to have to bake that in from the very beginning. We haven't done that in the past as well as we should, but moving forward from this point on, it will be an essential ingredient that we work into all of our capability. >> Roland, we're talkin' about now, critical infrastructure. We're talkin' about new capabilities being addressed really fast. So, it's kind of chaotic now there's threats. So it's not as easy as just having capabilities, 'cause you've got to deal with the threats the general just pointed out. But now you've got critical infrastructure, which then will enable other things down the line. How do you protect it? How do we address this? How do you see this being addressed from a security standpoint? Because malware, these techniques can be mapped in, extended into space and takeovers, wartime, peace time, these things are all going to be under threat. That's pretty well understood, and I think people kind of get that. How do we address it? What's your take? >> Yeah, yeah, absolutely. And I couldn't agree more with General Shaw, with cybersecurity and space being so intertwined. And, I think with fast and rapid innovation comes the opportunity for threats, especially if you have bad actors that want to cause harm. And so, as a technology innovator and you're pushing the bounds, you kind of have a common goal of doing the best you can, and pushing the technology bounds, making it smaller, faster, cheaper. But a lot of times what entrepreneurs and small businesses and supply chains are doing, and don't realize it, is a lot of these components are dual use. I mean, you could have a very benign commercial application, but then a small modification to it, can turn it into a military application. And if you do have these bad actors, they can exploit that. And so, I think that the big thing is creating a organization that is non-biased, that just wants to kind of level the playing field for everybody to create a set standard for cybersecurity in space. I think one group that would be perfect for that is CCI. They understand both the cybersecurity side of things, and they also have at Cal Poly the small satellite group. And just having kind of a clearing house or an agency where can provide information that is free, you don't need a membership for. And to be able to kind of collect that, but also reach out to the entire value chain for a mission, and making them aware of what potential capabilities are and then how it might be potentially used as a weapon. And keeping them informed, because I think the vast majority of people in the space industry just want to do the right thing. And so, how do we get that information free flowing to the U.S. government so that they can take that information, create assessments, and be able to, not necessarily stop threats from occurring presently, but identify them long before that they would ever even happen. Yeah, that's- >> General, I want to follow up on that real quick before we move to the next top track. Critical infrastructure you mentioned, across the oceans long distance, volume. When you look at the physical world, you had power grids here in the United States, you had geography, you had perimeters, the notion of a perimeter and a moat, and then you had digital comes in. Then you have, we saw software open up, and essentially take down this idea of a perimeter, and from a defense standpoint, and everything changed. And we have to fortify those critical assets in the U.S. Space increases the same problem statement significantly, because you can't just have a perimeter, you can't have a moat, it's open, it's everywhere. Like what digital's done, and that's why we've seen a surge of cyber in the past two decades, attacks with software. So, this isn't going to go away. You need the critical infrastructure, you're putting it up there, you're formulating it, and you got to protect it. How do you view that? Because it's going to be an ongoing problem statement. What's the current thinking? >> Yeah, I think my sense is that a mindset that you can build a firewall, or a defense, or some other system that isn't dynamic in its own right, is probably not headed in the right direction. I think cybersecurity in the future, whether it's for space systems, or for other critical infrastructure is going to be a dynamic fight that happens at a machine-to-machine speed and dynamic. I don't think that it's too far off where we will have machines writing their own code in real time to fight off attacks that are coming at them. And by the way, the offense will probably be doing the same kind of thing. And so, I guess I would not want to think that the answer is something that you just build it and you leave it alone and it's good enough. It's probably going to be a constantly-evolving capability, constantly reacting to new threats and staying ahead of those threats. >> That's the kind of use case, you know as you were, kind of anecdotal example is the exciting new software opportunities for computer science majors. I mean, I tell my young kids and everyone, man it's more exciting now. I wish I was 18 again, it's so exciting with AI. Roland, I want to get your thoughts. We were joking on another panel with the DoD around space and the importance of it obviously, and we're going to have that here. And then we had a joke. It's like, oh software's defined everything. Software's everything, AI. And I said, "Well here in the United States, companies had data centers and then they went to the cloud." And then he said, "You can do break, fix, it's hard to do break, fix in space. You can't just send a tech up." I get that today, but soon maybe robotics. The general mentions robotics technologies, in referencing some of the accomplishments. Fixing things is almost impossible in space. But maybe form factors might get better. Certainly software will play a role. What's your thoughts on that landscape? >> Yeah, absolutely. You know, for software in orbit, there's a push for software-defined radios to basically go from hardware to software. And that's a critical link. If you can infiltrate that and a small satellite has propulsion on board, you could take control of that satellite and cause a lot of havoc. And so, creating standards and that kind of initial threshold of security, for let's say these radios, or communications and making that available to the entire supply chain, to the satellite builders, and operators is incredibly key. And that's again, one of the initiatives that CCI is tackling right now as well. >> General, I want to get your thoughts on best practices around cybersecurity, state-of-the-art today, and then some guiding principles, and kind of how the, if you shoot the trajectory forward, what might happen around supply chain? There's been many stories where, we outsource the chips and there's a little chip sittin' in a thing and it's built by someone else in China, and the software is written from someone in Europe, and the United States assembles it, it gets shipped and it's corrupt, and it has some cyber, I'm making it up, I'm oversimplifying the statement. But this is what when you have space systems that involve intellectual property from multiple partners, whether it's from software to creation and then deployment. You got supply chain tiers. What are some of best practices that you see involving, that don't stunt the innovation, but continues to innovate, but people can operate safely. What's your thoughts? >> Yeah, so on supply chain, I think the symposium here is going to get to hear from General JT Thompson from space and missile system center down in Los Angeles, and he's just down the road from us there on the coast. And his team is the one that we look to to really focus on, as he fires and develops to again bake in cybersecurity from the beginning and knowing where the components are coming from, and properly assessing those as you put together your space systems, is a key piece of what his team is focused on. So I expect, we'll hear him talk about that. When it talks to, I think, so you asked the question a little more deeply about how do the best practices in terms of how we now develop moving forward. Well, another way that we don't do it right, is if we take a long time to build something and then General JT Thompson's folks take a while to build something, and then they hand it over to me, and my team operate and then they go hands free. And then that's what I have for years to operate until the next thing comes along. That's a little old school. What we're going to have to do moving forward with our space capabilities, and with the cyber piece baked in is continually developing new capability sets as we go. We actually have partnership between General Thompson's team and mine here at Vandenberg on our ops floor, or our combined space operation center, that are actually working in real time together, better tools that we can use to understand what's going on in the space environment to better command and control our capabilities anywhere from military satellite communications, to space domain awareness, sensors, and such. And we're developing those capabilities in real time. And with the security pieces. So DevSecOps is we're practicing that in real time. I think that is probably the standard today that we're trying to live up to as we continue to evolve. But it has to be done again, in close partnership all the time. It's not a sequential, industrial-age process. While I'm on the subject of partnerships. So, General Thompson's team and mine have good partnerships. It's partnerships across the board are going to be another way that we are successful. And that it means with academia and some of the relationships that we have here with Cal Poly. It's with the commercial sector in ways that we haven't done before. The old style business was to work with just a few large companies that had a lot of space experience. Well, we need a lot of kinds of different experience and technologies now in order to really field good space capabilities. And I expect we'll see more and more non-traditional companies being part of, and organizations, being part of that partnership that will work goin' forward. I mentioned at the beginning that allies are important to us. So everything that Roland and I have been talking about I think you have to extrapolate out to allied partnerships. It doesn't help me as a combined force component commander, which is again, one of my jobs. It doesn't help me if the United States capabilities are cybersecure, but I'm tryin' to integrate them with capabilities from an ally that are not cybersecure. So that partnership has to be dynamic and continually evolving together. So again, close partnering, continually developing together from the acquisition to the operational sectors, with as many different sectors of our economy as possible, are the ingredients to success. >> General, I'd love to just follow up real quick. I was having just a quick reminder for a conversation I had with last year with General Keith Alexander, who does a lot of cybersecurity work, and he was talking about the need to share faster. And the new school is you got to share faster to get the data, you mentioned observability earlier, you need to see what everything's out there. He's a real passionate person around getting the data, getting it fast and having trusted partners. So that's not, it's kind of evolving as, I mean, sharing's a well known practice, but with cyber it's sensitive data potentially. So there's a trust relationship. There's now a new ecosystem. That's new for government. How do you view all that and your thoughts on that trend of the sharing piece of it on cyber? >> So, I don't know if it's necessarily new, but it's at a scale that we've never seen before. And by the way, it's vastly more complicated and complex when you overlay from a national security perspective, classification of data and information at various levels. And then that is again complicated by the fact you have different sharing relationships with different actors, whether it's commercial, academic, or allies. So it gets very, very complex web very quickly. So that's part of the challenge we're workin' through. How can we effectively share information at multiple classification levels with multiple partners in an optimal fashion? It is certainly not optimal today. It's very difficult, even with maybe one industry partner for me to be able to talk about data at an unclassified level, and then various other levels of classification to have the traditional networks in place to do that. I could see a solution in the future where our cybersecurity is good enough that maybe I only really need one network and the information that is allowed to flow to the players within the right security environment to make that all happen as quickly as possible. So you've actually, John you've hit on yet another big challenge that we have, is evolving our networks to properly share, with the right people, at the right clearance levels at the speed of war, which is what we're going to need. >> Yeah, and I wanted to call that out because this is an opportunity, again, this discussion here at Cal Poly and around the world is for new capabilities and new people to solve the problems. It's again, it's super exciting if you're geeking out on this. If you have a tech degree or you're interested in changin' the world, there's so many new things that could be applied right now. Roland, I want to get your thoughts on this, because one of the things in the tech trends we're seeing, and this is a massive shift, all the theaters of the tech industry are changing rapidly at the same time. And it affects policy law, but also deep tech. The startup communities are super important in all this too. We can't forget them. Obviously, the big trusted players that are partnering certainly on these initiatives, but your story about being in the dorm room. Now you've got the boardroom and now you got everything in between. You have startups out there that want to and can contribute. You know, what's an ITAR? I mean, I got all these acronym certifications. Is there a community motion to bring startups in, in a safe way, but also give them ability to contribute? Because you look at open source, that proved everyone wrong on software. That's happening now with this now open network concept, the general was kind of alluding to. Which is, it's a changing landscape. Your thoughts, I know you're passionate about this. >> Yeah, absolutely. And I think as General Shaw mentioned, we need to get information out there faster, more timely and to the right people, and involving not only just stakeholders in the U.S., but internationally as well. And as entrepreneurs, we have this very lofty vision or goal to change the world. And oftentimes, entrepreneurs, including myself, we put our heads down and we just run as fast as we can. And we don't necessarily always kind of take a breath and take a step back and kind of look at what we're doing and how it's touching other folks. And in terms of a community, I don't know of any formal community out there, it's mostly ad hoc. And, these ad hoc communities are folks who let's say was a student working on a satellite in college. And they loved that entrepreneurial spirit. And so they said, "Well, I'm going to start my own company." And so, a lot of these ad hoc networks are just from relationships that have been built over the last two decades from colleagues at the university. I do think formalizing this and creating kind of a clearing house to handle all of this is incredibly important. >> And there's going to be a lot of entrepreneurial activity, no doubt, I mean there's too many things to work on and not enough time. I mean this brings up the question that I'm going to, while we're on this topic, you got the remote work with COVID, everyone's workin' remotely, we're doin' this remote interview rather than being on stage. Work's changing, how people work and engage. Certainly physical will come back. But if you looked at historically the space industry and the talent, they're all clustered around the bases. And there's always been these areas where you're a space person. You kind of work in there and the job's there. And if you were cyber, you were generally in other areas. Over the past decade, there's been a cross-pollination of talent and location. As you see the intersection of space, general we'll start with you, first of all, central coast is a great place to live. I know that's where you guys live. But you can start to bring together these two cultures. Sometimes they're not the same. Maybe they're getting better. We know they're being integrated. So general, can you just share your thoughts because this is one of those topics that everyone's talkin' about, but no one's actually kind of addressed directly. >> Yeah, John, I think so. I think I want to answer this by talkin' about where I think the Space Force is going. Because I think if there was ever an opportunity or an inflection point in our Department of Defense to sort of change culture and try to bring in non-traditional kinds of thinking and really kind of change maybe some of the ways that the Department of Defense does things that are probably archaic, Space Force is an inflection point for that. General Raymond, our Chief of Space Operations, has said publicly for awhile now, he wants the U.S. Space Force to be the first truly digital service. And what we mean by that is we want the folks that are in the Space Force to be the ones that are the first adopters, the early adopters of technology. To be the ones most fluent in the cutting edge, technologic developments on space and cyber and other sectors of the economy that are technologically focused. And I think there's some, that can generate some excitement, I think. And it means that we'll probably ended up recruiting people into the Space Force that are not from the traditional recruiting areas that the rest of the Department of Defense looks to. And I think it allows us to bring in a diversity of thought and diversity of perspective and a new kind of motivation into the service, that I think is frankly really exciting. So if you put together everything I mentioned about how space and cyber are going to be best friends forever. And I think there's always been an excitement from the very beginning in the American psyche about space. You start to put all these ingredients together, and I think you see where I'm goin' with this. That this is a chance to really change that cultural mindset that you were describing. >> It's an exciting time for sure. And again, changing the world. And this is what you're seeing today. People do want to change the world. They want a modern world that's changing. Roland, I'll get your thoughts on this. I was having an interview a few years back with a technology entrepreneur, a techie, and we were joking, we were just kind of riffing. And I said, "Everything that's on "Star Trek" will be invented." And we're almost there actually, if you think about it, except for the transporter room. You got video, you got communicators. So, not to bring in the "Star Trek" reference with Space Force, this is digital. And you start thinking about some of the important trends, it's going to be up and down the stack, from hardware to software, to user experience, everything. Your thoughts and reaction. >> Yeah, absolutely. And so, what we're seeing is timelines shrinking dramatically because of the barrier to entry for new entrants and even your existing aerospace companies is incredibly low, right? So if you take previously where you had a technology on the ground and you wanted it in orbit, it would take years. Because you would test it on the ground. You would verify that it can operate in a space environment. And then you would go ahead and launch it. And we're talking tens, if not hundreds of millions of dollars to do that. Now, we've cut that down from years to months. When you have a prototype on the ground and you want to get it launched, you don't necessarily care if it fails on orbit the first time, because you're getting valuable data back. And so, we're seeing technology being developed for the first time on the ground and in orbit in a matter of a few months. And the whole kind of process that we're doing as a small business is trying to enable that. And so, allowing these entrepreneurs and small companies to get their technology in orbit at a price that is sometimes even cheaper than testing on the ground. >> You know this is a great point. I think this is really an important point to call out because we mentioned partnerships earlier, the economics and the business model of space is doable. I mean, you do a mission study. You get paid for that. You have technology that you get stuff up quickly, and there's a cost structure there. And again, the alternative was waterfall planning, years and millions. Now the form factors are doing, now, again, there may be different payloads involved, but you can standardize payloads. You've got robotic arms. This is all available. This brings up the congestion problem. This is going to be on the top of mind of the generals of course, but you've got the proliferation of these constellation systems. You're going to have more and more tech vectors. I mean, essentially that's malware. I mean, that's a probe. You throw something up in space that could cause some interference. Maybe a takeover. General, this is the real elephant in the room, the threat matrix from new stuff and new configurations. So general, how does the proliferation of constellation systems change the threat matrix? >> So I think the, you know I guess I'm going to be a little more optimistic John than I think you pitched that. I'm actually excited about these new mega constellations in LEO. I'm excited about the growing number of actors that are going into space for various reasons. And why is that? It's because we're starting to realize a new economic engine for the nation and for human society. So the question is, so I think we want that to happen. When we could go to almost any other domain in history and when air travel started to become much, much more commonplace with many kinds of actors from private pilots flying their small planes, all the way up to large airliners, there was a problem with congestion. There was a problem about, challenges about behavior, and are we going to be able to manage this? And yes we did. And it was for the great benefit of society. I could probably look to the maritime domain for similar kinds of things. And so this is actually exciting about space. We are just going to have to find the ways as a society, and it's not just the Department of Defense, it's going to be civil, it's going to be international, find the mechanisms to encourage this continued investment in the space domain. I do think that Space Force will play a role in providing security in the space environment, as we venture further out, as economic opportunities emerge, wherever they are in the lunar, Earth, lunar system, or even within the solar system. Space Force is going to play a role in that. But I'm actually really excited about those possibilities. Hey, by the way, I got to say, you made me think of this when you talked about "Star Trek" and Space Force and our technologies, I remember when I was younger watchin' the Next Generation series. I thought one of the coolest things, 'cause bein' a musician in my spare time, I thought one of the coolest things was when Commander Riker would walk into his quarters and say, "Computer play soft jazz." And there would just be, the computer would just play music. And this was an age when we had hard media. Like how will that, that is awesome. Man, I can't wait for the 23rd century when I can do that. And where we are today is so incredible on those lines. The things that I can ask Alexa or Siri to play. >> Well that's the thing, everything that's on "Star Trek," think about it, it's almost invented. I mean, you got the computers, you got, the only thing really is, holograms are startin' to come in, you got, now the transporter room. Now that's physics. We'll work on that. >> So there is this balance between physics and imagination, but we have not exhausted either. >> Well, firstly, everyone that knows me knows I'm a huge "Star Trek" fan, all the series. Of course, I'm an original purist, but at that level. But this is about economic incentive as well. Roland, I want to get your thoughts, 'cause the gloom and doom, we got to think about the bad stuff to make it good. If I put my glass half full on the table, this economic incentives, just like the example of the plane and the air traffic. There's more actors that are incented to have a secure system. What's your thoughts to general's comments around the optimism and the potential threat matrix that needs to be managed. >> Absolutely, so one of the things that we've seen over the years, as we build these small satellites is a lot of that technology that the General's talking about, voice recognition, miniaturized chips, and sensors, started on the ground. And I mean, you have your iPhone, that, about 15 years ago before the first iPhone came out, we were building small satellites in the lab and we were looking at cutting-edge, state-of-the-art magnetometers and sensors that we were putting in our satellites back then. We didn't know if they were going to work. And then a few years later, as these students graduate, they go off and they go out to other industries. And so, some of the technology that was first kind of put in these CubeSats in the early 2000s, kind of ended up in the first generation iPhone, smartphones. And so being able to take that technology, rapidly incorporate that into space and vice versa gives you an incredible economic advantage. Because not only are your costs going down because you're mass producing these types of terrestrial technologies, but then you can also increase revenue and profit by having smaller and cheaper systems. >> General, let's talk about that real quickly, that's a good point, I want to just shift it into the playbook. I mean, everyone talks about playbooks for management, for tech, for startups, for success. I mean, one of the playbooks that's clear from your history is investment in R&D around military and/or innovation that has a long view, spurs innovation, commercially. I mean, just there's a huge, many decades of history that shows that, hey we got to start thinking about these challenges. And next thing you know it's in an iPhone. This is history, this is not like a one off. And now with Space Force you're driving the main engine of innovation to be all digital. You know, we riff about "Star Trek" which is fun, the reality is you're going to be on the front lines of some really new, cool, mind-blowing things. Could you share your thoughts on how you sell that to the people who write the checks or recruit more talent? >> First, I totally agree with your thesis that national security, well, could probably go back an awful long way, hundreds to thousands of years, that security matters tend to drive an awful lot of innovation and creativity. You know I think probably the two things that drive people the most are probably an opportunity to make money, but beating that out are trying to stay alive. And so, I don't think that's going to go away. And I do think that Space Force can play a role as it pursues security structures, within the space domain to further encourage economic investment and to protect our space capabilities for national security purposes, are going to be at the cutting edge. This isn't the first time. I think we can point back to the origins of the internet, really started in the Department of Defense, with a partnership I should add, with academia. That's how the internet got started. That was the creativity in order to meet some needs there. Cryptography has its roots in security, in national security, but now we use it for economic reasons and a host of other kinds of reasons. And then space itself, I mean, we still look back to Apollo era as an inspiration for so many things that inspired people to either begin careers in technical areas or in space and so on. So I think in that same spirit, you're absolutely right. I guess I'm totally agreeing with your thesis. The Space Force will have a positive, inspirational influence in that way. And we need to realize that. So when we are asking for, when we're looking for how we need to meet capability needs, we need to spread that net very far, look for the most creative solutions and partner early and often with those that can work on those. >> When you're on the new frontier, you got to have a team sport, it's a team effort. And you mentioned the internet, just anecdotally I'm old enough to remember this 'cause I remember the days that it was goin' on, is that the policy decisions that the U.S. made at that time was to let it go a little bit invisible hand. They didn't try to commercialize it too fast. But there was some policy work that was done, that had a direct effect to the innovation. Versus take it over, and the next thing you know it's out of control. So I think there's this cross-disciplinary skillset becomes a big thing where you need to have more people involved. And that's one of the big themes of this symposium. So it's a great point. Thank you for sharing that. Roland, your thoughts on this because you got policy decisions. We all want to run faster. We want to be more innovative, but you got to have some ops view. Now, most of the ops view people want things very tight, very buttoned up, secure. The innovators want to go faster. It's the ying and yang. That's the world we live in. How's it all balance in your mind? >> Yeah, one of the things that may not be apparently obvious is that the U.S. government and Department of Defense is one of the biggest investors in technology in the aerospace sector. They're not the traditional venture capitalists, but they're the ones that are driving technology innovation because there's funding. And when companies see that the U.S. government is interested in something, businesses will revector to provide that capability. And, I would say the more recent years, we've had a huge influx of private equity, venture capital coming into the markets to kind of help augment the government investment. And I think having a good partnership and a relationship with these private equity, venture capitalists and the U.S. government is incredibly important because the two sides can help collaborate and kind of see a common goal. But then also too, on the other side there's that human element. And as General Shaw was saying, not only do companies obviously want to thrive and do really well, some companies just want to stay alive to see their technology kind of grow into what they've always dreamed of. And oftentimes entrepreneurs are put in a very difficult position because they have to make payroll, they have to keep the lights on. And so, sometimes they'll take investment from places where they may normally would not have, from potentially foreign investment that could potentially cause issues with the U.S. supply chain. >> Well, my final question is the best I wanted to save for last, because I love the idea of human space flight. I'd love to be on Mars. I'm not sure I'm able to make it someday, but how do you guys see the possible impacts of cybersecurity on expanding human space flight operations? I mean, general, this is your wheelhouse. This is your in command, putting humans in space and certainly robots will be there because they're easy to go 'cause they're not human. But humans in space. I mean, you startin' to see the momentum, the discussion, people are scratchin' that itch. What's your take on that? How do we see makin' this more possible? >> Well, I think we will see commercial space tourism in the future. I'm not sure how wide and large a scale it will become, but we will see that. And part of the, I think the mission of the Space Force is going to be probably to again, do what we're doin' today is have really good awareness of what's going on in the domain to ensure that that is done safely. And I think a lot of what we do today will end up in civil organizations to do space traffic management and safety in that arena. And, it is only a matter of time before we see humans going, even beyond the, NASA has their plan, the Artemis program to get back to the moon and the gateway initiative to establish a space station there. And that's going to be a NASA exploration initiative. But it is only a matter of time before we have private citizens or private corporations putting people in space and not only for tourism, but for economic activity. And so it'll be really exciting to watch. It'll be really exciting and Space Force will be a part of it. >> General, Roland, I want to thank you for your valuable time to come on this symposium. Really appreciate it. Final comment, I'd love you to spend a minute to share your personal thoughts on the importance of cybersecurity to space and we'll close it out. We'll start with you Roland. >> Yeah, so I think the biggest thing I would like to try to get out of this from my own personal perspective is creating that environment that allows the aerospace supply chain, small businesses like ourselves, be able to meet all the requirements to protect and safeguard our data, but also create a way that we can still thrive and it won't stifle innovation. I'm looking forward to comments and questions, from the audience to really kind of help, basically drive to that next step. >> General final thoughts, the importance of cybersecurity to space. >> I'll go back to how I started I think John and say that space and cyber are forever intertwined, they're BFFs. And whoever has my job 50 years from now, or a hundred years from now, I predict they're going to be sayin' the exact same thing. Cyber and space are intertwined for good. We will always need the cutting edge, cybersecurity capabilities that we develop as a nation or as a society to protect our space capabilities. And our cyber capabilities are going to need space capabilities in the future as well. >> General John Shaw, thank you very much. Roland Coelho, thank you very much for your great insight. Thank you to Cal Poly for puttin' this together. I want to shout out to the team over there. We couldn't be in-person, but we're doing a virtual remote event. I'm John Furrier with "theCUBE" and SiliconANGLE here in Silicon Valley, thanks for watching. (upbeat music)

from the cube studios in Palo Alto in Boston connecting with thought leaders all around the world this is a cube conversation hello and welcome to the cube conversation here in the Palo Alto studio I'm John four host of the cube we are here at the quarantine crew of the cube having the conversations that matter the most now and sharing that with you got a great guest here Phil Quaid was the chief information security officer of Fortinet also the author of book digital bing-bang which I just found out he wrote talking about the difference cybersecurity and the physical worlds coming together and we're living that now with kovat 19 crisis were all sheltering in place Phil thank you for joining me on this cube conversation so I want to get in this quickly that I think the main top thing is that we're all sheltering in place anxiety is high but people are now becoming mainstream aware of what we all in the industry have been known for a long time role of data cybersecurity access to remote tools and we're seeing the work at home the remote situation really putting a lot of pressure on as I've been reporting what I call at scale problems and one of them is security right one of them is bandwidth we're starting to see you know the throttling of the packets people are now living with the reality like wow this is really a different environment but it's been kind of a disruption and has created crimes of opportunity for bad guys so this has been a real thing everyone's aware of it across the world this is something that's now aware on everyone's mind what's your take on this because you guys are fighting the battle and providing solutions and we're doing for a long time around security this highlights a lot of the things in the surface area called the world with what's your take on this carbon 19 orton s been advocating for architectures and strategies that allow you to defend anywhere from the edge through the core all the way up to the cloud boom so with you know high speed and integration and so all the sudden what we're seeing not just you know in the US but the world as well is that that edge is being extended in places that we just hadn't thought about or our CV that people just hadn't planned for before so many people or telecommunication able to move that edge securely out to people's homes and more remote locations and do so providing the right type of security of privacy if those communications that are coming out of those delicate ears I noticed you have a flag in the background and for the folks that might not know you spent a lot of time at the NSA government agency doing a lot of cutting-edge work I mean going back to you know really you know post 9/11 - now you're in the private sector with Fortinet so you don't really speak with the agency but you did live through a time of major transformation around Homeland Security looking at data again different physical thing you know terrorist attacks but it did bring rise to large-scale data to bring to those things so I wanted to kind of point out I saw the flag there nice nice touch there but now that you're in the private sector it's another transformation it's not a transition we're seeing a transformation and people want to do it fast and they don't want to have disruption this is a big problem what's your reaction to that yeah I think what you're reporting out that sometimes sometimes there's catalysts that cause major changes in the way you do things I think we're in one of those right now that we're already in the midst of an evolutionary trend towards more distributed workforces and as I mentioned earlier doing so with the right type of security privacy but I would think what I think the global camp in debt endemic is showing is that we're all going to be accelerating that that thing is like it's gonna be a lot less evolutionary and a little bit more faster that's what happens when you have major world events like this being 911 fortunate tragedies it causes people to think outside the box or accelerate what they're already doing I think wearing that in that world today yeah it pulls forward a lot of things that are usually on the planning side and it makes them reality I want to get your thoughts because not only are CEOs and their employees all thinking about the new work environment but the chief information security officer is people in your role have to be more aware as more things happening what's on the minds of CISOs around the world these days obviously the pandemics there what are you seeing what are some of the conversations what are some of the thought processes what specifically is going on in the of the chief information security officer yeah I think there's probably a there's probably two different two different things there's the there's the emotional side and there's the analytic side on the emotional side you might say that some Caesars are saying finally I get to show how cyber security can be in an abler of business right I can allow you to to to maintain business continuity by allowing your workers to work from home and trying sustain business and allow you to keep paying their salary is very very important to society there's a very important time to step up as the seaso and do what's helpful to sustain mission in on the practical side you say oh my goodness my job's gotten a whole lot harder because I can rely less and less on someone's physical controls that use some of the physical benefits you get from people coming inside the headquarters facility through locked doors and there's personal congress's and personal identification authentication you need to move those those same security strategies and policies and you need to move it out to this broad eggs it's gotten a lot bigger and a lot more distributed so I want to ask you around some of the things they're on cyber screws that have been elevated to the top of the list obviously with the disruption of working at home it's not like an earthquake or a tornado or hurricane or flood you know this backup and recovery for that you know kind of disaster recovery this has been an unmitigated disaster in the sense of it's been unfor casted I was talking to an IT guy he was saying well we provisioned rvv lands to be your VPNs to be 30% and now they need a hundred percent so that disruption is causing I was an under forecast so in cyber as you guys are always planning in and protecting has there been some things that have emerged that are now top of mind that are 100 percent mindshare base or new solutions or new challenges why keep quite done what we're referring to earlier is that yep any good see so or company executive is going to prepare for unexpected things to a certain degree you need it whether it be spare capacity or the ability to recover from something an act of God as you mentioned maybe a flood or tornado or hurricane stuff like that what's different now is that we have a disruption who which doesn't have an end date meaning there's a new temporal component that's been introduced that most companies just can't plan for right even the best of companies that let's say Ronald very large data centers they have backup plans where they have spare fuel to run backup generators to provide electricity to their data centers but the amount of fuel they have might only be limited to 30 days or so it's stored on-site we might think well that's pretty that's a lot of for thinking by storing that much fuel on site for to allow you to sort of work your way through a hurricane or other natural disaster what we have now is a is a worldwide crisis that doesn't have a 30-day window on it right we don't know if it's gonna be 30 days or 120 days or or you know even worse than that so what's different now is that it's not just a matter of surging in doing something with band-aids and twine or an extra 30 days what we need to do is as a community is to prepare solutions that can be enduring solutions you know I have some things that if the absent I might like to provide a little color what those types of solutions are but that that would be my main message that this isn't just a surge for 30 days this is a surge or being agile with no end in sight take a minute explain some of those solutions what are you seeing whatever specific examples and solutions that you can go deeper on there yeah so I talked earlier about the the edge meaning the place where users interact with machines and company data that edge is no longer at the desktop down the hallway it could be 10 miles 450 miles away to where anyone where I'm telling you I'm commuting crumb that means we need to push the data confidentiality things out between the headquarters and the edge you do that with things like a secure secured tunnel it's called VPNs you also need to make sure that the user identification authentication this much is a very very secure very authentic and with high integrity so you do that with multi-factor authentication there's other things that we like that that are very very practical that you do to support this new architecture and the good news is that they're available today in the good news at least with some companies there already had one foot in that world but as I mentioned earlier not all companies had yet embraced the idea of where you're going to have a large percentage of your workforce - until a community so they're not quite so they're there they're reacting quickly to to make sure this edge is better protected by identification and authentication and begins I want to get to some of those edge issues that now translate to kind of physical digital virtualization of of life but first I want to ask you around operational technology and IT OT IT these are kind of examples where you're seeing at scale problem with the pandemic being highlighted so cloud providers etc are all kind of impacted and bring solutions to the table you guys at Foot are doing large scale security is there anything around the automation side of it then you've seen emerge because all the people that are taking care of being a supplier in this new normal or this crisis certainly not normal has leveraged automation and data so this has been a fundamental value proposition that highlights what we call the DevOps movement in the cloud world but automation has become hugely available and a benefit to this can you share your insights into how automation is changing with cyber I think you up a nice question for me is it allowed me to talk about not only automation but convergence so it's let's hit automation first right we all even even pre-crisis we need to be better at leveraging automation to do things that machines do best allow people to do higher-order things whether it's unique analysis or something else with a with a more distributed workforce and perhaps fewer resources automation is more important ever to automatically detect bad things that are about to happen automatically mitigating them before they get or they get to bad you know in the cybersecurity world you use things like agile segmentation and you use like techniques called soar it's a type of security orchestration and you want to eat leverage those things very very highly in order to leverage automation to have machines circum amount of human services but you also brought up on my favorite topics which is ot graceful technology though OTS you know are the things that are used to control for the past almost a hundred years now things in the physical world like electric generators and pipes and valves and things like that often used in our critical infrastructures in my company fort net we provide solutions that secure both the IT world the traditional cyber domain but also the OT systems of the world today where safety and reliability are about most important so what we're seeing with the co19 crisis is that supply chains transportation research things like that a lot of things that depend on OT solutions for safety and reliability are much more forefront of mine so from a cybersecurity strategy perspective what you want to do of course is make sure your solutions in the IT space are well integrated with you solutions in the OT space to the so an adversary or a mistake in cause a working to the crack in causing destruction that convergence is interesting you know we were talking before you came on camera around the fact that all these events are being canceled but that really highlights the fact that the physical spaces are no longer available the so-called ot operational technologies of events is the plumbing the face-to-face conversations but everyone's trying to move to digital or virtual eyes that it's not as easy as just saying we did it here we do it there there is a convergence and some sort of translation this new there's a new roles there's new responsibilities new kinds of behaviors and decision making that goes on in the physical and digital worlds that have to then come together and get reimagined and so what's your take on all this because this is not so much about events but although that's kind of prime time problem zooming it is not the answer that's a streaming video how do you replicate the value of physical into the business value in digital it's not a one-to-one so it's quite possible that that we might look back on this event to cover 19 experience we might look back at it in five or ten years and say that was simply a foreshadowing of our of the importance of making sure that our physical environment is appropriate in private what I mean is that with the with the rapid introduction of Internet of Things technologies into the physical world we're going to have a whole lot of dependencies on the thing inconveniences tendencies inconveniences on things an instrument our physical space our door locks or automobiles paths our temperatures color height lots of things to instrument the physical space and so there's gonna be a whole lot of data that's generated in that cyber in a physical domain increasingly in the future and we're going to become dependent upon it well what happens if for whatever reason in the in the future that's massively disruptive so all of a sudden we have a massive disruption in the physical space just like we're experiencing now with open 19 so again that's why it makes sense now to start your planning now with making sure that your safety and reliability controls in the physical domain are up to the same level security and privacy as the things in your IT delete and it highlights what's the where the value is to and it's a transformation I was just reading an article around spatial economics around distance not being together it's interesting on those points you wrote a book about this I want to get your thoughts because in this cyber internet or digital or virtualization of physical to digital whether it's events or actual equipment is causing people to rethink architectures you mentioned a few of them what's the state of the art thinking around someone who has the plan for this again is in its complex it's not just creating a gateway or a physical abstraction layer of software between two worlds there's almost a blending or convergence here what's your what's your thoughts on what's the state of the art thinking on this area yeah the book that I number of a very esteemed colleagues contribute to what we said is that it's time to start treating cybersecurity like a science let's not pretend it's a dark art that we have to relearn every couple years and what what we said in the in the digital Big Bang is that humankind started flourishing once we admitted our ignorance in ultimately our ignorance in the physical world and discovered or invented you can right word the disciplines of physics and chemistry and once we recognize that our physical world was driven by those scientific disciplines we started flourishing right the scientific age led to lots of things whether it would be transportation health care or lots of other things to improve our quality of life well if you fast forward 14 billion years after that cosmic Big Bang which was driven by physics 50 years ago or so we had a digital Big Bang where there was a massive explosion of bits with the invention of the internet and what we argue in the book is that let's start treating cybersecurity like a science or the scientific principle is that we ought to write down and follow a Rousseau's with you so we can thrive in the in the in a digital Big Bang in the digital age and one more point if you don't mind what we what we noted is that the internet was invented to do two things one connect more people or machines than ever imagined in to do so in speeds that were never imagined so the in the Internet is is optimized around speed in connectivity so if that's the case it may be a fundamental premise of cybersecurity science is make sure that your cyber security solutions are optimized around those same two things that the cyber domains are optimized around speed in integration continue from there you can you can build on more and more complex scientific principles if you focus on those fundamental things and speed and integration yeah that's awesome great insight they're awesome I wanted to throw in while you had the internet history lesson down there also was interesting was a very decentralization concept how does that factor in your opinion to some of the security paradigms is that helped or hurt or is it create opportunities for more secure or does it give the act as an advantage yeah I love your questions is your it's a very informed question and you're in a give me good segue to answer the way you know it should be answer yeah the by definition the distributed nature of the Internet means it's an inherently survivable system which is a wonderful thing to have for a critical infrastructure like that if one piece goes down the hole doesn't go down it's kind of like the power grid the u.s. the u.s. electrical power grid there's too many people who say the grid will go down well that's that's just not a practical thing it's not a reality thing the grades broken up into three major grades and there's AB ulis strategies and implementations of diversification to allow the grid to fail safely so it's not catastrophic Internet's the same thing so like my nipple like I was saying before we ought to de cyber security around a similar principle that a catastrophic failure in one partner to start cybersecurity architecture should result in cascading across your whole architecture so again we need to borrow some lessons from history and I think he bring up a good one that the internet was built on survivability so our cybersecurity strategies need to be the same one of the ways you do that so that's all great theory but one of the ways you do that of course is by making your cybersecurity solutions so that they're very well integrated they connect with each other so that you know speaking in cartoon language you know if one unit can say I'm about to fail help me out and another part of your architecture can pick up a slack and give you some more robust security in that that's what a connected the integrated cyber security architecture do for you yeah it's really fascinating insight and I think resiliency and scale are two things I think are going to be a big wave is going to be added into the transformations that going on now it's it's very interesting you know Phil great conversation I could do a whole hour with you and do a fish lead a virtual panel virtualize that our own event here keynote speech thanks so much for your insight one of things I want to get your thoughts on is something that I've been really thinking a lot lately and gathering perspectives and that is on biosecurity and I say biosecurity I'm referring to covet 19 as a virus because biology involves starting a lab or some people debate all that whether it's true or not but but that's what people work on in the biology world but it spreads virally like malware and has a similar metaphor to cybersecurity so we're seeing conversation starting to happen in Washington DC in Silicon Valley and some of my circles around if biology weapon or it's a tool like open-source software could be a tool for spreading cybersecurity Trojans or other things and techniques like malware spear phishing phishing all these things are techniques that could be deployed metaphorically to viral distribution a biohazard or bio warfare if you will will it look the same and how do you defend against the next covet 19 this is what you know average Americans are seeing the impact of the economy with the shelter in place is that what happens again and how do we prevent it and so a lot of people are thinking about this what is your thoughts because it kind of feels the same way as cybersecurity you got to see it early you got to know what's going on you got to identify it you got to respond to it time to close your contain similar concepts what's your thoughts on with BIOS we don't look with all due respect to the the the bio community let me make a quick analogy to the cyber security strategy right cyber security strategy starts with we start as an attacker so I parts of my previous career I'm an authorized had the opportunity to help develop tools that are very very precisely targeted against foreign adversaries and that's a harder job than you think I mean I think the same is true of anyone of a natural-born or a custom a buyer buyer is that not just any virus has the capability to do a lot of harm to a lot of people selling it so it's it's if that doesn't mean though you can sit back and say since it's hard it'll never happen you need to take proactive measures to look for evidence of a compromise of something whether it's a cyber cyber virus or otherwise you have to actively look for that you have to harm yourself to make sure you're not susceptible to it and once you detect one you need to make sure you have a the ability to do segmentation or quarantine very rapidly very very effectively right so in the cyber security community of course the fundamental strategy is about segmentation you keep different types of things separate that don't need to interact and then if you do have a compromise not everything is compromised and then lastly if you want to gradually say bring things back up to recover you can do some with small chunks I think it's a great analogy segmentation is a good analogy to I think what the nation is trying to do right now by warranty kneeing and gradually reopening up things in in segments in actually mention earlier that some of the other techniques are very very similar you want to have good visibility of where you're at risk and then you can automatically detect and then implement some some mitigations based on that good visibility so I agree with you that it turns out that the cyber security strategies might have a whole lot in common with biohazard I address it's interesting site reliability engineers which is a term that Google coined when they built out their large-scale cloud has become a practice that kind of mindset combined with some of the things that you're saying the cyber security mindset seemed to fit this at scale problem space and I might be an alarmist but I personally believe that we've been having a digital war for many many years now and I think that you know troops aren't landing but it's certainly digital troops and I think that we as a country and a global state and global society have to start thinking about you know these kinds of things where a virus could impact the United States shut down the economy devastating impact so I think Wars can be digital and so I may be an alarmist and a conspirators but I think that you know thinking about it and talking about it might be a good thing so appreciate your insights there Phil appreciated what one other point that might be interesting a few years back I was doing some research with the National Lab and we're looking for novel of cybersecurity analytics and we hired some folks who worked in the biology the bio the biomedical community who were studying a biome fires at the time and it was in recognition that there's a lot of commonality between those who are doing cybersecurity analytics and those reviewing bio biology or biomedical type analytics in you know there was a lot of good cross fertilization between our teams and it kind of helps you bring up one more there's one more point which is what we need to do in cybersecurity in general is have more diversity of workforces right now I don't mean just the traditional but important diversities of sex or color but diversity of experiences right some of the best people I've worked with in the cyber analytics field weren't computer science trained people and that's because they came in problems differently with a different background so one of the things that's really important to our field at large and of course the company my company fort net is to massively increase the amount of cyber security training that's available to people not just the computer scientists the world and the engineers but people in other areas as well the other degree to non-greek people and with that a you know higher level of cyber security training available to a more diverse community not only can we solve the problem of numbers we don't have enough cybersecurity people but we can actually increase our ability to defend against these things I have more greater diversity of thought experience you know that's such a great point I think I just put an exclamation point on that I get that question all the time and the skills gap is should I study computer science and like actually if you can solve problems that's a good thing but really diversity about diversity is a wonderful thing in the age of unlimited compute power because traditionally diversity whether it was protocol diversity or technical diversity or you know human you know makeup that's tend to slow things down but you get higher quality so that's a generalization but you get the point diversity does bring quality and if you're doing a data science you don't want have a blind spot I'm not have enough data so yeah I think a good diverse data set is a wonderful thing you're going to a whole nother level saying bringing diversely skill sets to the table because the problems are diverse is that what you're getting at it is it's one of our I'll say our platforms that we're talking about during the during the covered nineteen crisis which is perhaps there's perhaps we could all make ourselves a little bit better by taking some time out since we're not competing taking some time out and doing a little bit more online training where you can where you can either improve your current set of cybersecurity skills of knowledge or be introduced to them for the first time and so there's one or some wonderful Fortinet training available that can allow both the brand-new folks the field or or the the intermediate level folks with you become higher level experts it's an opportunity for all of us to get better rather than spending that extra hour on the road every day why don't we take at least you know 30 of those 60 minutes or former commute time and usually do some online soccer security treaty feel final question for you great insight great conversation as the world and your friends my friends people we don't know other members of society as they start to realize that the virtualization of life is happening just in your section it's convergence what general advice would you have for someone just from a mental model or mindset standpoint to alleviate any anxiety or change it certainly will be happening so how they can better themselves in their life was it is it thinking more about the the the experiences is it more learning how would you give advice to folks out there who are gonna come out of this post pandemic certainly it's gonna be a different world we're gonna be heightened to digital and virtual but as things become virtualized how can someone take this and make a positive outcome out of all this I I think that the future the future remains bright earlier we talked about sci-fi the integration of the cyber world in the physical world that's gonna provide great opportunities to make us more efficient gives us more free time detect bad things from happening earlier and hopefully mitigating those bad things from happening earlier so a lot of things that some people might use as scare tactics right convergence and Skynet in in robotics and things like that I believe these are things that will make our lives better not worse our responsibilities though is talking about those things making sure people understand that they're coming why they're important and make sure we're putting the right security and privacy to those things as these worlds this physical world and the soccer worlds converged I think the future is bright but we still have some work to do in terms of um making sure we're doing things at very high speeds there's no delay in the cybersecurity we put on top of these applications and make sure we have very very well integrated solutions that don't cause things to become more complex make make things easier to do certainly the winds of change in the big waves with the transformations happening I guess just summarize by saying just make it a head win I mean tailwind not a headwind make it work for you at the time not against it Phil thank you so much for your insights I really appreciate this cube conversation remote interview I'm John Ford with the cube talking about cybersecurity and the fundamentals of understanding what's going on in this new virtual world that we're living in to being virtualized as we get back to work and as things start to to evolve further back to normal the at scale problems and opportunities are there and of course the key was bringing it to you here remotely from our studio I'm John Ferrier thanks for watching [Music]

>> Announcer: Live from Chicago, Illinois, it's the Cube covering VeeamON 2018. Brought to you by Veeam. >> Welcome back to Chicago, everybody. This is the Cube, the leader in live tech coverage, and you're watching our exclusive coverage of VEEAMON 2018. #VeeamON. My name is Dave Vallante and I'm here with my cohost Stuart Miniman. Stu, great to be working with you again. >> Thanks Dave. Admiral, David G. Simpson is here. He's a former Chief Public Safety and homeland Security Bureau and CEO, currently, of Pelorus, a consultancy that helps organizations think through some of the risk factors that they face. David, welcome to the Cube. Thanks so much for taking time out. >> It's my pleasure to be here. >> So, as I was saying, we, we missed a big chunk of your keynote this morning cause we had to come back to the cube and do our open, but let's start with your background and kind of why you're here. >> Sure, well, I spent over three decades in the Navy where my responsibilities throughout included the resiliency of the ability to command and control forces in areas around the world not always so nice and often arduous and often at sea. So, that experience really has given me a very good appreciation, not only for how important economy of operations is, but how difficult it can be and how important the details are, so I am a natural fan of what FEMA's doing to make that easier for organizations. After DOD, I was recruited by the chairman of the FCC to lead the Public Safety Homeland Security Bureau for the Federal Communications Commission. And, in that position, I have responsibility for the nation's climate one system, emergency alerting, and the resiliency of over 30,000 telecommunication companies in the domestic market, so both experiences really have given me a very good insight into the need, the consequence of not getting it right, how to prepare to get it right, but also an ability to look at what's coming down the pike with the new telecommunications technologies that will really be game changers for functionality in the new internet of things environment. >> So, three decades of public service. First of all, thank you. >> Thank you. It's quite an accomplishment. And then, we had talked off camera that we, a couple of years ago, had Robert Gates on and we were gettin' detailed into how the experience that someone like you has had in the public sector translated to the private sector. It used to be there was just such a huge gap between, you know, what you did and what a, what a company had to, had to worry about. Do you see that gap closing? And, maybe, you could add some color to that. >> Sure, and in particular, in the cyber arena, you know, cyber, unlike the land, sea, and air domains, is a domain of Man's own making and the constraints around that domain are of our own choosing. And, we're not constrained by physics, we're constrained by the investment decisions we make and the contours of that expanding environment. But, the internet started out as a DOD research and development project, ARPA, so it has not been unusual for DOD to be out in front in some of the development aspects where counterintuitively we would, normally, see industry out in front. The same occurred I believe with cyber when our intelligence community over 10 years ago said, hey, this is a great thing, this internet thing. And, it's super that we're doing more and more communications, that we're talking with devices at the edge around the battle space, but it's vulnerable to attack and we need to organize, so that we are capable in the defense of that great cyber set of functionality that we've built. >> Could you expand? Just, so, you're doing some teaching in the cyber security world too. Maybe you could share a little bit what you're doing and what you see as kind of the state of this today >> Yeah, well, thank you for asking that about a year ago, the dean of the business school of Virginia Tech, asked me if I wouldn't consider building a cyber program for the business school. Tech has always had a strong engineering component to cyber security and it's led by a good friend of mine Dr. Charles Clancy with some superb research going on, but, increasingly, over two thirds of the work roles, in cyber security are not engineering. They really have much more to do with traditional business functions. Yet, most business leaders aren't well prepared to assess that risk environment, let alone appreciate it, and then, drive investments to address risk reduction. So, at Virginia Tech, we've built a series of four courses that in the MBA programs, the Masters of Accounting, the Masters of Business IT, we are now teaching prospective business leaders how to look at the risk environment and organize an investment structure using the NIST, or National Institute of the Standards of Technology, risk management framework, so that can be done in a repeatable way that communicates well with industry. And, companies like Veeam have an important role to play in that space because Veeam really translates much of the engineering complexities into business understandable conditions by which decisions about that data space can really be made. >> I want to share an observation that we had on the Cube last year, one of my favorite interviews was with a gentleman from ICIT, James Scott. He's a security expert, you may know him. And, we asked him what the biggest threat was to United States and his answer surprised me. I thought it was going to be, you know, cyber warfare or risks to critical infrastructure, he said the weaponization of social media was the number one threat, like wow. And, we had a really interesting discussion about that and, you know, I think of, you know, your background, loose lips sink ships, people on social give up there credentials, all of a sudden, you've got some outside bad actors controlling the narrative, controlling the meme and controlling the population without firing a shot. Wow, so what are your thoughts on social media and it's risk to our society and how to deal with it? >> Well, we're seeing in the last year, that he's very prescient, right, in that you can lockdown all the bits and the bytes and get the integrity, the confidentiality, and the availability of your data sets taken care of, but in a world where the public square, if you will, is now a virtual public square, if an adversary can change the perception of reality in that public square, or if they can cause our democracy to lose confidence in that public square, then an adversary can really achieve a kill, if you will, a desired effect in a way that is very negative for the country, so I don't see that though as being completely distinguished from cyber security. I see, in my mind, that we need to expand the universe, to protect the universe of cyber into that cognitive space. And, we need to understand, increasingly, the origin of comment in the social media arena. We need to understand therole algorithms have to play in amplifying a message and suppressing other messages. And, we need to, I think, have a greater accountability for businesses that are in that virtual public square line of business to help consumers and communities continue to have confidence in that public square and we're, we're challenged in that area. 'cause see Mark Zuckerberg's testimony, right >> Sure. >> Illuminated some big challenges there. >> Yeah, I mean, my heart went out to Zuckerberg, it was, I was like the poor guy, he's just trying to build out a social network and now he's getting, you know, attacked by politicians who are saying, wow you mean you use data for political gain, or you allowed somebody to do it. >> He was in a tough spot. >> And politicians themselves, I think, were a bit embarrassed in revealing their lack of tech savvy in a world where we should expect policy makers to be at least aware enough of the parameters around the virtual public square where they can help develop the right policy to ensure that this continues to be a net asset for the United States, for communities, and for consumers. >> Technology kind of got us into this problem, but, technology, in and of itself, is not going to get out of, get us out of this problem >> Right. >> It's others in the organization, the lines of business, the policies, the practices, some of the work that you do in your teachings, may be >> Yeah, absolutely and when I talk to aspiring business leaders, I communicate a couple of things to them. One, they need to get their heads out of being the decider as the CEO. Increasingly, they will be creating decision environments, right, where decision operations occur and are driven by algorithms, by machine learning, and AI, and so they've got to be thinking, about how do they create those environments to deliver the right kind of decision results that they're looking for. The second piece that I talk to them about, that's counterintuitive, is that they need to, as they bring in network functional virtualization and more and more software oriented things that used to be hardware, they've got to understand the risk exposure from that and bring in, they can, a way to address cyber risk as they introduce new functionality in the market. >> Well, it's interesting of an Admiral talking about network function virtualization, I'm very impressed. Admiral Simpson, thanks very much for coming on the Cube. >> Sure. >> Really a pleasure having you and best of luck in your work. >> Well, thank you and it's great to be here with the Veeam professionals that, I think, are really building a command and control layer of an enterprise of data space that will be very important for the future. >> Alright, okay, thanks for watching everybody. We will be right back, Stu Miniman and Dave Vallante from VeeamOn 2018, you're watching the Cube. >> Great thanks. (upbeat music)

(digital music) >> Welcome, everyone. Donald Klein here with CUBE Conversations, coming to you from our studios at theCUBE, here in Palo Alto, California. And today I'm fortunate enough to be joined by Paul Makowski, CTO of PolySwarm. PolySwarm is a fascinating company that plays in the security space, but is also part of this emerging block chain and token economy. Welcome, Paul. >> Thank you, thank you for having me. >> Great, so why don't we just start and give everybody an understanding of what PolySwarm does and how you guys do it? >> Sure, so PolySwarm is a new effort (audio fading in and out) to try to fix the economics around how threat (missing audio) >> Donald: Okay. >> So, we see a lot of shortcomings with (audio fading in and out) I think it's more of a economic concern rather than (missing audio) (laughs) Rather than a concern regarding (missing audio) >> Donald: Okay. >> So, what PolySwarm is (missing audio) and change how (missing audio) >> Okay. >> So, it is a blockchain project (missing audio) will govern tomorrow's threat-intelligence base and perhaps, ideally, generate better incentives (missing audio) >> Okay, so, generally if I'm understanding right, you're playing in this threat-intelligence area, which is commonly know as bug-bounties. Correct, yeah? But you guys have kind of taken this in a new direction. Why don't you just explain to me kind of where this threat-intelligence distributed economy has been and where where you see it going in the future. >> Sure, so bug bounties are, we had spoke earlier about HackerOne, for example. Bug bounties are an effort to identify vulnerabilities, and open vulnerability reports to arbitrary people across the internet. And incentivize people to secure products on behalf of the product owner. >> So, I can be an independent developer, and I find a vulnerability in something, and I submit it to one of these platforms, and then I get paid or rewarded for this. >> Yeah, and so the likes of HackerOne is a player in the space that conducts these bug bounties on behalf of other enterprises. >> Donald: Got it. >> Large enterprises such as Google and Microsoft and Apple, even, run their own bug bounties directly. >> Donald: Interesting. >> But, there's also these centralized middle men, the likes of HackerOne. Now, PolySwarm is a little bit different. We've discussed perhaps distributing the bug bounty space, but what we're focusing on right now at PolySwarm 1.0 is really just determining whether or not files, URLs, network graphics are either malicious or benign. >> Donald: Interesting. >> There's this boolean determination to start with, and then we're going to expand from there to metadata concerning, perhaps, the malware family of an identified malicious file. And then from there we'd also like to get into the bug bounty space. >> Okay. >> So, by PolySwarm being a fully decentralized market, us, as Swarm Technologies, will not be the middle man. We will not be in the middle of these transactions. We think that is going to make everything a bit more efficient for all the players on the market. And will best offer precision reward to be both accurate and timely in threat-intelligence. >> Interesting, okay, alright so I want to talk to you just a little bit more, because not everybody out there may be fully familiar with how a kind of decentralized app works. Talk to us a little bit about how blockchain fits in, how smart contracts fit in, and maybe just a little about, like, if I were to work on the PolySwarm platform, would I set up my own smart contract? Would somebody set it up for me? How would that work? >> Great question. So, in general, we see smart contracts as a new way to literally program a market. And I think this concept is applicable to a lot of different spaces. My background and the PolySwarm team background is in information (missing audio). >> Donald: Okay. >> So, we're applying smart contracts and market design specifically to a problem area that we are experts in. >> Okay, and what kind of smart contracts are these? What platform are you running on? >> We're running on Ethereum. We had previously discussed possibly expanding to Bezos, although there are perhaps some reasons not to do that anymore right now. But yeah, on Ethereum, we've been publishing our proof of concept code for our smart contracts right now which is available on github.com/polyswarm. More directly to your question concerning developing applications that plug into our platform or plug in to any platform, we've also released a opensource framework called Perigord. Which is a framework for developing Ethereum distributed applications using Go, which is a language developed by Google. So, I hope that answers a little bit, but >> So, you're really pioneering this whole world of moving to a decentralized, distributed app framework. >> Yeah, so, we're not the first people in this space, but we are expanding the ease of development to the Go language space, away from strictly programming in JavaScript. A lot distributed applications today are programmed in JavaScript. And there's pros and cons to each language, but we're hoping to get the Go language engaged a little more. >> So, let's go back now around to the people that are going to be participating in this marketplace, right. You were talking about unlocking the economic potential that's latent out there. Talk a little bit more about that. >> Exactly, so we had a spoken a little bit ago about HackerOne, and one of the things that I think is really cool about HackerOne is the fact that it's offered globally. What makes that really cool is that HackerOne gets a lot of great submissions from people in locales that may not indigenously offer sufficient jobs for the amount of talent that the local economies are producing. So, that's a sort of latent talent. HackerOne is particularly popular in India, China, Eastern European countries, we'd like to also direct that talent toward solving the threatened intelligence problem, namely accurately and timely identifying threats in files or graphic files. So, we'd like to-- We are operating in a eight and a half billion dollar per year space, the antivirus space, and we'd like to unlock this latent talent to broaden what threats are detected and how effectively enterprises defend themselves through a crowdsourced contributed manner that will cover more of the threats. >> Interesting, and so why don't you just talk a little about URLs and why those are important. We've seen a lot of hacks in the news recently, people going to sign up for a token sale and then being rerouted to the wrong place, et cetera. So, talk about malicious URLs. I think that might be an interest for people. >> Sure, everyone is trying to determine what URLs are malicious. Google has built into Chrome their safe browsing program that's also present in Firefox, Microsoft in some equivalent. Everyone's trying to determine and prevent people from being phished. You mentioned there were a few ICOs in this space that unfortunately had their websites hacked and their Ethereum contribution address changed, the hackers made off with some money. What PolySwarm does at a base level is it creates a market for security experts, again, around the world, to effectively put their money where their mouth is and say I think to the tune of 10 Nectar, for example, Nectar is the name of the PolySwarm note, that this URL or this file is malicious or benign. And those funds are escrowed directly into the smart contracts that constitute PolySwarm. And at a later time, the security experts who are right, receive the escrowed rewards from the security experts who were wrong. So, it's this feedback loop. >> It sounds like participants are kind of betting on both sides of whether something's malicious or not? >> Yeah, in effect. Legally, I definitely wouldn't say betting. (laughs) But it's >> Donald: Fair enough. >> The correct answer is there, right? The way that PolySwarm works is and enterprise has a suspect file or URL and decides to swarm it and what they do on the backend for that is they can either directly post this file or URL to the network, the network being the Ethereum blockchain. Everyone that's watching it and is cognizant of PolySwarm will be aware that there's a suspect file that perhaps I want to decide whether or not it's malicious as a security expert. Again, around the world, security experts will make that decision. If this is a particular file that I think I have insight into, as a security expert, then I might put up a certain amount of Nectar because I believe it is one way or the other. The reason why I say it's more of a-- The correct answer is in the file, right? It is in fact either malicious or benign. But what PolySwarm's economic reward is both timeliness and accuracy in determining that mal intent, whether or not that file is (missing audio). >> Interesting. And so the use of the smart contract is pretty novel here, right? Because the smart contracts then execute and distribute the bounties directly to the participants based on answer, is that right? >> That's correct. And that's the real key part. That eliminates the middle man in this space. A lot of the talk around blockchain in general is about restlessness, about not having middle men. In PolySwarm the core smart contract, again which are on github.com/polyswarm, they are able to actually hold escrowed upon. Though we're not in the middle and those escrowed funds are release to people who effectively get it right through the cost of people who got it wrong. So, we think >> And this is all automated through the system? >> This is all automated through the system. If I could take a step back real quick here, some of the shortcomings we're trying to address in today's market are if you imagine a Venn diagram, there's a rectangle that has all of the different threats in this space and you have large circles that cover portions of the Venn diagram and those large circles are today's large antivirus companies. Those circles overlap substantially. And the reason for that is pretty straight forward. Did you hear about perhaps WannaCry? It was a ransomware-- >> Absolutely, absolutely. >> If you're an antivirus company and you're not cognizant, you're not detecting WannaCry, then it's real easy to write you off. But the difficulty there is on the backend what that incentivizes is a lot of security companies doing duplicated work trying to detect the same threat. So there's a little bit of a clumpiness, there's a little bit of overlap, in what they detect and further it's very difficult although we've been speaking with people at those companies. They're always interested in the latest threat and uniquely detecting things, but it's sometimes very difficult to make Dell's argument that hey I detect this esoteric family of power >> Donald: Malicious URL, or et cetera. >> Exactly and by the way you're also going to get hit with it. That's a very difficult argument. >> So, you're sort of addressing the under served areas, then, within security. >> Precisely, so the way that PolySwarm will look in that Venn diagram, is instead of large, mostly overlapping ovals, we'll have thousands of micro-engines written by security experts that each find their specialty. And that together this crowdsourced intelligence will cover more. >> Interesting, very good, very good, okay. So, just last question here. Talk around a little bit of the background. How did PolySwarm come together? I know you talked about Narf Industries, et cetera. Why don't you just give us a little of the background here? 'Cause it's impressive. >> Sure, so again my background, and the entire PolySwarm technical team's background, is information security. We also run and work for a computer security consultancy called Narf Industries. Our more public work has been for DARPA, as of late. There was a large competition that DARPA ran called the "Cyber Grand Challenge" that was the-- they were trying to create the autonomous equivalent of a human capture the flag competition, which is a hacking competition. Anyway, we helped develop the challenges for that program and otherwise helped in that phase. So that's a public-facing project. >> And you won part of that competition, is that correct? >> Yeah, so we weren't competing in DARPA's Cyber Grand Challenge, but in the human capture the flags, we have won those. All the members of the core PolySwarm, and also Narf Industries, technical team have won DEF CON's capture the flag competition at least once. And some of us have helped run that competition. That's considered the world series of hacking (laughs). So, that's our background, and we're also all we've all previously worked directly for the U.S. government, so we're very much embedded in the cutting edge of cyber security. And, finally, the last thing I'll say, is Narf was recently awarded a contract with the Department of Homeland Security for investigating how to build confidentiality controls into a blockchain environment. The Department of Homeland Security was concerned about identity management. They wanted to apply a blockchain phase. But part of that, is obviously, you want to protect people's private information. So, how do you do that phase that, by default, is purely public. >> Got it, okay look we're going to have to end there, but let me just say, we would be remiss without mentioning the fact that your ICO's starting. When's that going to happen? >> So, we have an ICO that's going to go live February 6. Right now, we're just trying to generate buzz, talking to great people like yourself. After that lead up to the ICO, we'd like to encourage people to check out our website at polyswarm.io, we have a Telegram group that's growing everyday. And, again, a large part of what we would be funded by this ICO to accomplish is building the community around using PolySwarm. Fortunately, again, this is our space. So, we know a lot of people in this space, but we're always happy to be meeting people, so we'd love for all your viewers to join the conversation and engage with us. Our DMs on Twitter are open, et cetera. >> Okay, we hope they do. Probably just want to make one final point is that you guys are actually publishing all your code on GitHub ahead of the ICO, right? That kind of makes you unique in a very difficult space. >> It, unfortunately, does make us unique. I wish more projects did do that. But, yes, we are publishing our code in advance of the token sale. PolySwarm, if you're familiar with the conversation between securities and utility tokens, PolySwarm is very much a utility token. People will grade Nectar, which is the name of our Token, for threat intelligence. And part of that is we want to have a usable ecosystem on day one when people buy tokens. We want to make sure that you're not investing in some future thing. Obviously we're going to improve on it, but it will be usable from day one (missing audio). >> Alright, fantastic, so thank you, Paul. I appreciate you coming in. Alright, well thanks, everyone. Thank you for watching. This is Donald Klein with CUBE Conversations coming to you from Palo Alto, California. Thank you for watching. (digital music)

(clicking noise) >> Hello, I'm John Furrier, SiliconANGLE media, co-host of theCUBE. We are here on the ground in, here in Santa Clara, California, Centrify's headquarters, with Tom Kemp, the CEO of Centrify, and Parham Eftekhari, who's the co-founder and senior fellow of ICIT, which is the Institute of Critical Infrastructure Technologies, here to talk about security conversation. Guys, welcome to theCUBE's On the Ground. >> Thank you. >> Great to be here. >> Great to see you again, Tom. >> Yeah, absolutely. >> And congratulations on all your success. And Parham, GovCloud is hot. We were just in D.C. with Amazon Web Services Public Sector Summit. It's gotten more and more to the point where cyber is in the front conversation, and the political conversation, but on the commercial side as well. There's incidents happening every day. Just this past month, HBO, Game of Thrones has been hijacked and ransomed. I guess that's ransom, or technically, and a hack. That's high-profile, but case after case of high-profile incidents. >> Yeah, yeah. >> Okay, on the commercial side. Public sector side, nobody knows what's happening. Why is security evolving slow right now? Why isn't it going faster? Can you guys talk about the state of the security market? >> Yeah, well, ya know, I think first of all, you have to look at the landscape. I mean, our public and private sector organizations are being pummeled every day by nation states, mercenaries, cyber criminals, script kiddies, cyber jihadists, and they're exploiting vulnerabilities that are inherent in our antiquated legacy systems that are put together by, ya know, with a Frankenstein network as well as devices and systems and apps that are built without security by design. And we're seeing the results, as you said, right? We're seeing an inundation of breaches on a daily basis, and many more that we don't hear about. We're seeing weaponized data that's being weaponized and used against us to make us question the integrity of our democratic process and we're seeing, now, a rise in the focus on what could be the outcome of a cyberkinetic incident, which, ultimately, in the worst case scenario, could have a loss of life. And so I think as we talk about cyber and what it is we're trying to accomplish as a community, we ultimately have a responsibility to elevate the conversation and make sure that it's not an option, but it is a priority. >> Yeah, no, look, I mean, here we are in a situation in which the industry is spending close to 80 billion dollars a year, and it's growing 10 percent, but the number of attacks are increasing much more than 10 percent, and as Parham said, you know, we literally had an election impacted by cyber security. It's on the front page with HBO, et cetera. And I really think that we're now in a situation where we really need to rethink how we do security in, as enterprises and as even individuals. >> And it's seems, talking about HBO, talking about the government, you mentioned, just the chaos that's going on here in America, you almost don't know what you don't know. And with the whole news cycle going on around this, but this gets back to this notion of critical infrastructure. I love that name, and you have in your title 'ICIT,' Institute of Critical Infrastructure, because, ya know, and certainly the government has had critical infrastructure. There's been bridges, and roads, and whatnot, they've had the DNS servers, there's been some critical infrastructure at the airports and whatnot, but for corporations, the critical infrastructure used to be the front door. And then their data center. Now with cloud, no perimeter, we've talked about this on theCUBE before, you start to change the notion of what critical infrastructure is. So, I guess, Parham, what does critical infrastructure mean, from a public and commercial perspective? Tell me, you can talk about it. And what's the priorities for the businesses and governments to figure out what's the order of operations to get to the bottom of making sure everything's secure? >> Yeah, it's interesting, that's a great question, you know, when most people think about critical infrastructure as legacy technology, or legacy's, you know, its roads, its bridges, its dams. But if you look at the Department of Homeland Security, they have 16 sectors that they're tasked with protecting. Includes healthcare, finance, energy, communications, right? So as we see technology start to become more and more ingrained in all these different sectors, and we're not just talking about data, we're talking about ICS data systems. A digital attack against any one of these critical infrastructure sectors is going to have different types of outcomes, whether you're talking about a commercial sector organization, or the government. You know, one of the things that we always talk about is really the importance of elevating the conversation, as I mentioned earlier, and putting security before profits. I think, ultimately, we've gotten to this situation because a lot of companies do a cost-benefit analysis, say, "You know what? I may be in the healthcare sector, "and ultimately it'll be cheaper for me to be breached, "pay my fines, and deal with potentially even the "loss to brand, to my brand, in terms of brand value, "and that'll cheaper than investing what "I need to to protect my patients and their information." And that's the wrong way to look at it. I think now, as we were talking about this week, the cost of all this is going higher, which is going to help, but I think we need to start seeing this fundamental mind-shift in how we are prioritizing security, as I mentioned earlier. It's not an option, it must be a requisite. >> Yeah, I think what we're seeing now, is in the years past, the hackers would get at some bits of information, but now we're seeing with HBO, with Sony, they can strip mine an entire company. >> They put them out of business. >> Exactly. >> The money that they're doing with ransomeware, which is a little bit higher profile, ransomware, I mean, there's a specific business outcome, here, and it's not looking good, they go out of business. >> Oh, absolutely, and so Centrify, we just recently sponsored a survey, and nowadays, if you announce that you got breached, and you have to, now. It's 'cause you have to tell your shareholders, you have to tell your customers. Your stock drops, on average, five percent in a day. And so we're talking about billions of dollars of market capitalization that can disappear with a breach as well. So we're beyond, it's like, "Oh, they stole some data, "we'll send out a letter to our customers, "and we'll give 'em free Experian for a year." Or something like that." Now, it's like, all your IP, all the content, and John, I think you raised a very good point, as well. In the case of the federal government, it's still about the infrastructure being physical items, and of course, with internet a thing since now it's connected to the internet, so it's really scary that a bridge can flip open by some guy in the Ukraine or Russia fiddling with it. But now with enterprises, it's less and less physical, the store, and we're now going through this massive shift to the cloud, and more and more of your IP is controlled and run. It's the complete deperimeterization that makes things every more complicated. >> Well it's interesting you mentioned the industrial aspect of it, with the bridge, because this is actually a real issue with self-driving cars, this was on everyone's mind, we were just covering some content, covering Ford's event yesterday in San Francisco. They got this huge problem. Ya know, hacking of the cars. So, industrial IOT opens up, again, the surface area, but this kind of brings the question down to customers, that you guys have or companies or governments. How do they become resilient? How do they put steps in place? Because, you know, I was just talking to someone who runs a major port in the U.S., and the issues there are maritime, right? So you talk about infrastructure, container ships, obviously worry about terrorists and other things happening. But just the general IT infrastructure is neanderthal, it's like, 30 years old. >> Yeah. >> So you have legacy infrastructure, as you mentioned, but businesses also have legacy, so how do you balance where you are? How do you know the progress bar of your protection? How do you know the things you need to put in place? How do you get to resilience? >> Yeah, but see, I think there also needs to be a rethink of security. Because the traditional ways that people did it, was protecting the perimeter, having antivirus, firewalls, et cetera. But things have really changed and so now what we're seeing is that an entity has become the top attack vector going in. And so if you look at all these hacks and breaches, it's the stealing of usernames and passwords, so people are doing a good job of, the hackers are social engineering the actual users, and so, kind of a focus needs to shift of securing the old perimeter, to focusing on securing the user. Is it really John Furrier trying to access e-mail? Can we leverage biometrics in this? And trying to move to the concept of a zero-trust model, and where you have to, can't trust the network, can't trust the IP address, but you need to factor in a lot of different aspects. >> It's interesting, I was just following this blog chain because we've been covering a lot of the blog chains, immutable and encrypted, the wallets were targets. (laughing) Hey, this Greta the Wall, where they store the money. Now we own that encrypted data. So, again, this is the, hackers are fast, so, again, back to companies because they have to put if they have shareholder issues, or they have some corporate governance issues. But at the end of the day, it's a moving train. How does the government offer support? How do companies put it in place? What do they need to do? >> Yeah, well, there's a couple of things you can look at. First of all, you know, as a think tank, we're active on Capital Hill, working with members of both minority and majority sides, we're actively proposing bipartisan legislation, which provides a meaningful movement forward to secure and address some of the issues you're talking about. Senator Markey recently put out the Cyber Shield Act, which creates a type of score, right? For a device, kind of like the ENERGY STAR in the energy sector. So just this week, ICIT put out a paper in support of an amendment by Senator Lindsey Graham, which actually addresses the inherent vulnerabilities in our election systems, right? So there's a lot of good work being done. And that really goes to the core of what we do, and the reasons that we're partnering together. ICIT is in the business of educating and advising. We put out research, we make it freely available, we don't believe in com`moditizing information, we believe in liberating it. So we get it in the hands of as many people as possible, and then we get this objective research, and use it as a stepping stone to educate and to advise. And it could be through meetings, it could be through events, it could be through conversation with the media. But I think this educational process is really critical to start to change the minds of-- >> You know, if I can add to that, I think what really needs to be done with security, is better information sharing. And it's with other governments and enterprises that are under attack. Sharing that information as opposed to only having it for themselves and their advantage, and then also what's required is better knowledge of what are the best practices that need to be done to better protect both government and enterprises. >> Well, guys, I want to shift gears and talk about the CyberConnect event, which is coming up in November, an industry event. You guys are sponsoring, Centrify, but you guys are also on the ball, there's a brand new content program. It's an independent event, it's targeted to the industry, not a Centrify user group. Parham, I want to put you on the spot before we get to the CyberConnect event. You mentioned the elections. What's the general, and I'm Silicon Valley and so I had to ask the question 'cause you're in the trenches down in D.C. What is the general sentiment in D.C. right now on the hacking? Because, I was explaining it to my son the other day, like, "Yeah, the Russians probably hacked everybody, "so technically the election "fell into that market basket of hats." So maybe they did hack you. So I'm just handwaving that, but it probably makes sense. The question is, how real is the hacking threat in the minds of the folks in D.C. around Russia and potentially China and these areas? >> Yeah, I think the threat is absolutely real, but I think there has to be a difference between media, on both sides, politicizing the conversation. There's a difference between somebody going in and actually, you know, changing your vote from one side to the other. There's also the conversation about the weaponization of data and what we do know that Russia is doing with regards to having armies of trolls out there or with fake profiles, and are creating faux conversations and steering public sentiment of perception in directions that maybe wasn't already there. And so I think part of the hysteria that we see, I think we're fearful and we have a right to be fearful, but I think taking the emotion and the politics out of it, and actually doing forensic assessments from an objective perspective to understanding what truly is going on. We are having our information stolen, there is a risk that a nation state could execute a very high-impact, digital attack that has a loss of life. We do know that foreign states are trying to impact the outcomes of our democratic processes. I think it's important to understand, though, how are they doing it and is what we're reading about truly what's happening kind of on the streets. >> And that's where the industrial thing you were kind of tying together, that's the loss of life potential, using digital as an attack vector into something that could have a physical, and ultimately deadly outcome. Yeah, we covered, also that story that was put out, about the fake news infrastructure. It's not just the content that they're making up, it's actually the infrastructure fake news. Bionets, and whatnot. And I think Mike Rowe wrote a story on this, where they actually detailed, you can smear a journalist for 40K. >> Yeah. >> These are actually out there, that are billed for specifically these counter... Programs. >> As a service. You know, go on a forum on the Deep Web and you can contract these types of things out. And it's absolutely out there. >> And then what do you say to your average American friends, that you're saying, hey, having a cocktail with, you're at a dinner. What's going on with security? What do you say to them? You should be worried, calm down, no we're on it. What's the message that you share with your friends that aren't in the industry? >> Personally, I think the message is that, you know, you need to vigilant, you need to, it may be annoying, but you do have to practice good cyber hygiene, think about your passwords, think about what you're sharing on social media. We'd also talk, and I personally believe that, some of these things will not change unless we as consumers change what is acceptable to us. If we stop buying devices or systems or apps based on the convenience that it brings to our lives, and we say, "I'm not going to spend money on that car, "because I don't know if it's secure enough for me." You will see industry change very quickly. So I think-- >> John: Consumer behavior is critical. >> Absolutely. That's definitely a piece of it. >> Alright, guys, so exciting event coming up, theCUBE will be covering the CyberConnect event in November. The dates, I think, November-- >> Sixth and seventh. >> Sixth and seventh in New York City at the Grand Hyatt. Talk about the curriculum, because this is a unique event, where you guys are bringing your sponsorship to the table, but providing an open industry event. What's the curriculum, what's the agenda, what's the purpose of the event? >> Yeah, Tom. >> Okay, I'll take it, yeah. I mean, historically, like other security vendors, we've had our users' conference, right? And what we've found is that, as you alluded to, that there just needs to be better education of what's going on. And so, instead of just limiting it to us talking to our customers about us, we really need to broaden the conversation. And so that's why we brought in ICIT, to really help us broaden the conversation, raise more awareness and visibility for what needs to be done. So this is a pretty unique conference in that we're having a lot of CSOs from some incredible enterprise, as well as government. General Alexander, the former of the Cyber Security Command is a keynote, but we have the CSO of Aetna, Blue Cross involved, as well. So we want to raise the awareness in terms of, what are the best practices? What are the leading minds thinking about security? And then parallel, also, for our customers, we're going to have a parallel track where, if they want to get more product-focused technology. So this is not a Centrify event. This is an industry event, ya know. Black Hat is great, RSA is great, but it's really more at the, kind of the bits and bytes-- >> They're very narrow, but you are only an identity player. There's a bigger issue. What about these other issues? Will you discuss-- >> Oh, absolutely. >> Yeah, well-- >> Is it an identity or is it more? >> It actually is more, and this is one of the reasons, at a macro level, the work that we've done at Centrify, for a number of years now. You know, we have shared the same philosophy that we have a responsibility, as experts in the cyberspace, to move the industry forward and to really usher in, almost a cyber security renaissance, if you will. And so, this is really the vision behind CyberConnect. So if you look at the curriculum, we're talking about, you know, corporate espionage, and how it's impacting commercial organizations. We're talking about the role of machine-learning based artificial intelligence. We'll be talking about the importance of encrypting your data. About security by design. About what's going on with the bot net epidemic that's out there. So there absolutely will be a very balanced program, and it is, again, driven and grounded in that research that ICIT is putting out in the relationships that we have with some of these key players. >> So you institute a critical infrastructure technology, the think tank that you're the co-founder of. You're bringing that broader agenda to CyberConnect. >> That's correct, absolutely. >> So this is awesome, congratulations, I got to ask, on the thought leadership side, you guys have been working together. Can you just talk about your relationship between Centrify and ICIT? So you're independent, you guys are a vendor. Talk about this relationship and why it's so important to this event. >> Well, absolutely. I mean, look, as a security vendor, you know, a lot of, a big percentage of security vendors sell into the U.S. federal government, and through those conversations that a lot of the CSOs at these governments were pointing at us to these ICIT guys, right? And we got awareness and visibility thought that. And it was like, they were just doing great stuff in terms of talking about, yes, Centrify is a leading identity provider, but people are looking for a complete solution, looking for a balanced way to look at it. And so we felt that it would be a great opportunity to partner with these guys. And so we sponsored an event that they did, Winter Summit. And then they did such a great job and the content was amazing, the people they had, that we said, "You know what? "Let's make this more of a general thing and "let's be in the background helping facilitate this, "but let the people hear about this good information." >> So you figured out the community model? (laughs) No, 'cause this is really what works. You got to enable, you're enabling this conversation, and more than ever in the security system, would love to get your perspective on this, is that there's an ethos developing, has been developed. And it's expanding aggressively. Kind of opens doors on one side, but security's all about data sharing. You mentioned that-- >> Yeah, absolutely. >> From a hacking standpoint, that's more of a statutory filing, but here, the security space is highly communicative. They talk to each other, and it's a trust relationship, so you're essentially bringing an independent event, you're funding it. >> Yeah, absolutely. >> It's not your event, this is an independent event. >> Absolutely. >> Yeah, and so Tom said it very well, as an institute, we rely on the financial capital that comes in from our partners, like Centrify. And so we would be unable to deliver at a large scale the value that we do to the legislative community, to federal agencies, and the commercial sector, and the institute's research is being shared on NATO libraries and embassies around the world. So this is really a global operation that we have. And so when we talk about layered security, right, we're not into a silver bullet solution. A lot of faux experts out there say, "I have the answer." We know that there's a layered approach that needs to be done. Centrify, they have the technology that plays a part in that, but, even more important than that for us is that they share that same philosophy and we do see ourselves as being able to usher in the changes required to move everything forward. And so it's been a great, you know, we have a lot of plans for the next few years. >> Yeah, that's great work, you're bringing in some great content to the table, and that's what people want, and they can see who's enabling it, that's a great business model for everyone. I got to ask one question, though, about your business. I love the critical infrastructure focus and I like your value you guys are bringing. But you guys have this fellow program. Can you just talk about this, 'cause your a part of the fellowship-- >> Yeah, absolutely. >> You're on a level, and I don't want to say credit 'cause you're not really going to get credit. But it's a badge, it's a bar. >> Yeah, yeah, no-- >> Explain the fellow program. >> That's a great question. At the institute, we have a core group of experts who represent different technology niches. They make up our fellow program, and so as I discussed earlier, when we're putting out research, when we're educating the media, when we're advising congress, when we're doing the work of the institute, we're constantly turning back to our fellow program members to provide some of that research and expertise. And sharing, you know, not just providing financial capital, but really bringing that thought leadership to the table. Centrify is a part of our fellows program, and so we've been working with them for a number of years. It's very exclusive and there's a process. You have to be referred in by an existing fellow program member. We have a lot of requests, but it really comes down to, do you understand what we're trying to accomplish? Do you share our same mission, our same values? And can you be part of this elite community that we've built? And so, you know, Centrify is a big part of that. >> And the cloud, obviously, is accelerating everything. You've got the cloud action, certainly, in your space, and we know what's going on in our world. >> Yeah, absolutely. >> The world is moving at a zillion miles an hour. It's like literally moving a train. So, congratulations, CyberConnect event in November. Great event, check it out, theCUBE will be there, we'll have live coverage, we broadcast, be documenting all the action and bringing it to you on theCUBE, obviously, (mumbles) John Furrier, here at Centrify's headquarters in California, in Silicon Valley, thanks for watching. (upbeat electronic music)

>> Welcome back everybody. Jeff Frick here with theCUBE, we're at Security in the Boardroom. It's a Chertoff event, they go all around the country and have these small intimate events talking about security, and today it's really about the boardroom, and escalating the conversation into the boardroom. So it's not a tech conversation, it's not a mobile phone management conversation, but really how do we get it up into the boardroom. And I'm really excited for our next guest. He's Michael Chertoff, he's the Co-Founder, Executive Chairman of the Chertoff Group, with a long established career, and I'll let you go check out his LinkedIn. He's been Homeland Security, and it's a long, long list, so I won't even go there. And Jim Pflaging, he's the Principal, Technology Sector and Strategy Performance Lead also for the Chertoff Group. Thanks, Jim kicked it off this morning. And welcome both of you. So first off, Jim, a little bit about this event. What is this event? And what is Chertoff trying to accomplish with this little bit of a road tour? >> So I think it's important to know that we're passionate about the importance of security. I mean, with Secretary Chertoff and Chad Sweet's background, they were at the ground floor of seeing the importance to our country. So we created the firm to focus wholly on security, and to help firms with the whole lifecycle of issues. As a risk, as a business opportunity, as a catalyst for growth. And it was back in 2013 when some stakeholders around said, "Hey you guys have a bunch of ex-DHS folks, there's a bunch of interesting identity technology issues that are coming to the surface, and other technology issues, why don't you bring a group together and do it?" >> Jeff: Right. >> We said, well, we're not an event company. But we went ahead and had a conversation back in D.C. It was a big success, and then it was a little bit like that line from the Godfather, you know when they say, "They keep pulling me back, they keep pulling me back". (laughs) So here we are on our tenth event, we've been to Silicon Valley three times, New York, Houston, and then D.C. And each time, the idea is, make it topical to the local community, and make it topical for the issues at hand at the moment. >> Yeah, it's interesting, the relationship and security. Specifically between government and technology companies. You know, we do a lot of big technology shows, and at IBM and HP. With the customers that we have distributed around the world and the regulations and compliance issues, in some ways we know more from a broad base of these global international customers than the government. On the other hand, the government's driving the compliance, and has the privacy issues, and hopefully looking out for people, so how do the two work more closely together to deliver better solutions? >> Well, in fairness to the government, the government also has access to information and intelligence that the private sector doesn't have. >> That's true >> So each brings to the table a certain set of capabilities, and part of the challenge is to have people speak the same language. The government has tended over the years to develop a very rigid system of procuring, of interacting with the private sector. Out here in Silicon Valley and in other tech centers there's a lot of focus on being innovative and nimble, and sometimes those two cultures need to be bridged. And actually one of the things that we started out doing, was trying to bridge those cultures. Helping the technology companies understand some of the objectives that the government had in terms of security and the economy. And helping the government understand what's out there, what are the capabilities and the techniques that you might use. Because without an awareness of the art of the possible, it's very hard to lay out a strategy for securing cyberspace. >> Right. And the whole security space to me, we talked a little bit before we put the cameras on, feels like insurance. You know you got to do something, right, you can't go unprotected, but by the same token, you can't be 100%, but do you invest forever? Because at the end of the day, for a private company, you know you have limited resources, government too. So, when these conversations are happening, and then what we're talking about here, the boardroom, the worst way a board member wants to get involved is when he reads the Wall Street Journal on Monday morning and he sees that his company has been breached, and he's in big, big trouble. So, how is the relative importance of security investment changing in the boardrooms? What are you seeing? How is that evolving? >> So, from my standpoint, it's about, first of all, understanding that it's a risk, not security. You're managing the risk, you're not guaranteeing people nothing bad will ever happen. And now, GI uses, I say to people it's like physical health. You don't go to your doctor and say, "Doctor, I want you to guarantee I'll never get sick". The doctor would throw you out of the office, or he'd have you committed. What you do, is you say, "Look Doctor, I'd like to be healthy, I'd like to have a healthy immune system, I'd like to keep most of the bacteria and the viruses out of my body, but I'd like to know if I do get invaded by bacterial viruses, which will inevitably happen, I've got a system that can detect it and white blood cells will eliminate it. That's why I get vaccinated, that's why I do other things to keep my immune system up." And that sense of managing expectations I think is critical for the board. If the board wants a guarantee we will never get hacked, then it's not realistic. If the board wants to understand what are the most important parts of our body politic, or our corporate body, we have to protect, and how do we build layers of defense to keep us healthy, then I think you can have an intelligent discussion about how much investment is enough. >> Right. But then as you said, you want to be healthy, but then we still go to bars and have a drink, and we eat ice cream when we probably shouldn't. And the security, so many percentages of the security problems are caused by people didn't update their patches, or they're respondent to this great opportunity to get a bunch of money out of an African Prince. So how are we changing the culture on the people process? You made an interesting comment about culture. We always talk about people process and technology, but you threw the culture piece in it. Which I though was a pretty interesting twist on just people. >> I think that's a key piece, and it's an area where the board can actually lead. This is when it has to start from the top. You know, if management and the board says, "Hey this is a technical issue, we're just gonnna leave it for that security team down the hall". I think you've failed right out of the gate. You need a CEO-lead, cyber-conscious culture, security-conscious culture, that shows that we value it. And that ultimately, you're going to spend time and money to reward the behavior that you're looking for, to then retain and grow that organization. But it's then looking at it both as a risk, as Secretary said, but increasingly, it's part of an opportunity. It's part of an opportunity to engage your customers in new way. Show that you're really a trusted partner. You value, and will hold private, the information that you're collecting about them. As we hurdle into IOT and driverless cars, that are generating massive amounts of information, more and more, people are going to want to do business with people that are good stewards of that information. >> Right. And I think the interesting thing that came up, as well, is it's not even the technology is not even the breaches, you know we talked a little bit about the whole iPhone encryption thing. Now we all have Alexa sitting at our house, you know, is Alexa listening all the time? I heard of a case where they actually went back to the Alexa on a domestic dispute, or domestic violence to see if Alexa had collected evidence and listened in to this domestic violence attack. But the privacy issues are tremendous. So as all these things get weighed, again, you made an interesting comment, how do we define success? What does success look like? Cause it's not never. In the financial services industry, your worst nightmare is too many false positives, if your turning down people's bank account credit card. So what does success look like? How should people be thinking about success? >> I think there's a couple different dimensions to this. As Jim mentioned earlier, to the extent that you are a steward of other people's data, your ability to promise them that it'll be secure, it'll be private, and execute on the promise, is an important part of your business proposition. To the extent that you have your own business secrets, and your own business confidences you want to protect, that's important. But you raise a somewhat different issue, which is, we do make deliberate decisions sometimes to bring into our homes, into our lives, the kind of collection of information that is a feature, not bug. That's got to be a deliberate decision, because once you collect the information, as in the example of the Alexa recording some domestic disturbance, that's going to be there for somebody else to get using a lawful process or otherwise. So, part of, again, the process of culture and education is always asking, "Why do we want to collect?" Why do we want to hold? What are we connecting to?" You can make an intelligent decision, but you've got to ask the question first. >> Right. Although I heard an interesting twist on that one time. Even if you go through that analysis, and you say, okay, based on these, on yes, yes, and this is why, we're going to collect this data, which you don't know, is what someone else might do with that data in a different scenario down the road. So even if you're a responsible steward of that activity, there's always a chance that something else could happen. So there's even kind of a double whammy. >> I mean, this is one of the byproducts that people talk about with big data. And it's techy term, but people talk about a data lake, where we're collecting this, we're collecting this, we're collecting that. In and of itself, it's not sensitive information. But if you connect different breadcrumbs about a person's activity, and their identity, wow, all of sudden that could be incredibly sensitive. >> Right. >> So that's one of the issues that we've been dealing with in the tech community is how to enable us to collect that information, make good decisions from it, but understand the resulting security issues that come. >> Yeah, that's a fascinating issue because, I think that what a lot of people don't understand is although individual items collected may seem fairly benign, the ability to aggregate, and store all the amount of data is huge. And a perfect example is, you know, people are always walking around taking selfies, or pictures, or putting things in their social media, and the third parties and everybody get into that. And normally you'd say, "That's fine, somebody took a picture of me, it's going to be in their house or whatever, who cares." But if it's all up in the cloud, and someone has the ability to aggregate all that, and all of a sudden get a picture of everybody who's ever taken a photograph of me, or mentioned me, or have had some interaction with, all of a sudden, unbeknownst to me, someone could really get a 24/7 picture of all of my life. So how do you deal with those issues? Some of these are legal questions, some of them are technical questions, but I do think we're on the cusp of having some serious conversations about this. >> So they're going to come yank you guys back into the conference. So thank you for taking a few minutes to come sit down with us. So I just want to wrap up again with the board. As you talk to the boards, we've talked about things that are happening now, and things that are happening in the relative recent past, as you look forward, what's your take away for them as you've sat around, you've talked about all this crazy, scary stuff, and how they should think about it. As you tell them to look forward, what's your advice? >> Well, if I could start with that, so today we released some results from a study we did around this topic. What do boards really think about security? Is it discussed? Is it a boardroom competency? And we interviewed over a hundred senior execs, a vast percentage, forty percent, who were responding as a board member. And what we found was, there's a tale of two cities, two cyber cities. If you're in a large public, US company, in what would be called critical infrastructure, finance, healthcare, telecom, yeah, the directors and the board, they're very well versed in cyber, it's been discussed, it's part of a risk management program, and they have very good CSOs, good interaction with the board. Then there's everybody else. And I would say this actually reflects the boards that I sit on. Is that, you know, cyber's not discussed, it's maybe in reaction to a breach, but it's a technical discussion. And most directors self report, we're not where we need to be on education. So then, just quickly, as a finish, what we launched today was a seven point plan, a blueprint for directors, to help guide areas that they can ask questions, document, review. Kind of move them up their cyber-literacy curve. >> The other thing that I would say, is this, I really sympathize with that small and medium enterprises, which simply don't have the money to invest in terms of building up a whole stand alone security system. I think that takes is more and more to outsourcing some of these functions. Some of it is the cloud, because you put your data up there. Some of it is outsourcing the intelligence and information to know what's coming. It's managed services. Because most of these smaller companies, even if their heart is in the right place, they just don't have the scale to do what a major bank, for example, can do in terms of an operation center. >> Yeah, I think that's such a big piece of the cloud story, is sitting through some of the James Hamilton Tuesday night. If you ever get a chance to go to that He's talks about the investment, infrastructure, security, networking, you name it. That Amazon can make at scale, nobody else, except a very small group of companies can make type of investment. >> Exactly. >> There's just not enough money. Alright, we'll leave it there for now. Really appreciate you stopping by, great event, and thanks for having theCUBE. >> Michael: Great, thanks for having us. >> Okay, it's Michael, Jim, I'm Jeff, you're watching theCUBE. We'll be right back.