Good afternoon. Thanks so much for joining us today. And thank you, Kemba, for coming in to the State of the Net with us.
Thank you. It's my pleasure to do this.
I know you told me back there that you've actually done one of these before, a while ago. But yeah, it's great to have you in your new official capacity. So I wanted to start: there's been a lot of talk about the national strategy. In fact, CyberScoop, when it came out, said, "It's here." And I think it did come out to a lot of fanfare, and there's a lot of excitement about it. Tell me what you're most excited about in the strategy.
You know, it felt kinda like, when we released it Thursday, but like, National Cyber Day, like National Cyber Prom Day. I'm really excited about it, because it's really forward leaning. I think it is practical. It addresses some of the issues we've been talking about time and time again over decades, but takes a new approach to it. So there are two primary approaches that are new: we're taking a positive view of the Internet, such that we're thinking about ways to lift and shift cybersecurity risk away from the end user and to those that can bear it and buy it down. And we're thinking of tools for adding resilience so that when there is downtime, uptime is swift and seamless. How do we do that? What are the investments we need to make to do that, not just in the technology, but in the people and in the roles and responsibility that creates cyberspace? So it's really positive. Look, it's: how do we make what we have defensible? And then how do we make it resilient in a way that doesn't allow China, North Korea, Iran, etc., to set our agenda? We're not just playing whack-a-mole this time. For those of us that have been in this game for a while, we know how to respond, right? We know that information sharing is important. We know that we have to defend what we have. But how do we make the right investments? How do we make this durable? What do we need to change in order to, like I said, have a positive vision of the Internet?
Well, one of the things that has caught most people's attention is, you know, it starts off with regulation. Yeah. And I just wanted to get kind of your view on that balance between regulation and innovation, and where we stand and how we keep security in the US has led on cybersecurity forever, since the beginning of cybersecurity. So, you know, how do we keep that moving forward in that way, and at the same time get to the point where we need to get to, as you were saying, and get that balance right?
Yeah, so regulation is one of the tools in the strategy that we point to, but it's in pillar one, as you noted. So we need to figure out a way to incentivize the proper cybersecurity investments. So one of the tools that we talk about in this strategy is leaning in a bit on regulation, but not just regulating for the sake of regulating: making sure that it's targeted and focused on cybersecurity, raising that cybersecurity baseline for some industries, harmonizing what's required for other industries, right? So I've heard from industry, some sectors have, I don't know, 150 or so reporting requirements or compliance regimes all around one thing, right? How do we harmonize it so that we can then invest in whatever the capital expenditures are for ensuring durable security, right? So harmonizing, regulating where things might not have been regulated before, to really cause an even playing field so that we begin to reward those that seriously invest in cybersecurity. Some of the other tools that are in there acknowledge that we have been America's lead in R&D in so many spaces and so many ways. We need to think about how to creatively leverage that innovative thought, that innovative process. So cyber priorities and R&D is called for in the strategy, right, to really spark innovation in this space. If we get to a place where instead of having a first-to-market sort of regime, we have a secure-to-market regime, my hope is that we spark innovation for security, building security in to some of our technology, focusing on security and our people skills, and really thinking about roles and responsibilities. But we want to get to a place where we have secure to market more so than first to market. Security is uplifted in this space. Yes.
Well, I do want to just in general congratulate you on the strategy. I think it is the best of the strategies, the cyber strategies, and I think it will be a model for the world. And it was created by your office, the Office of the National Cyber Director, which is a relatively new office. And you know, what do you think about how the office is growing, and where it's headed? And where do you plan to take it while you're acting?
Well, thank you. First of all, that is true. I'm proud of this strategy. You would have thought that I was personally responsible for writing every word, and I wasn't, right? But I'm proud of it. So
that got it out the door.
I got out the door. Absolutely. But the National Cyber Director's office really took it to heart when we were given the responsibility for creating the President's National Cybersecurity Strategy. And it is just that: it is a National Cybersecurity Strategy. So it's not an lmct strategy. We had hundreds of stakeholders provide input table reads. Not all of them agree with us, but all of them understand it. It's coherent. It reflects every part of the cybersecurity community. So large enterprises, not-for-profits, civil society, academia, etc. It is a National Cybersecurity Strategy; all the departments and agencies were involved in this process. So that's one of the reasons why, in my view, we have a really balanced, forward-leaning, bold strategy, because we really took to heart: how are we going to make this work? Right? So the hard part begins. You have this implementation part now that we are leaning into; we are trying to craft our implementation plan now, because we want these things to work. Some of these are going to be multiyear ventures. They're going to involve everybody that we engaged in the strategy building process, and even more engaged in implementation. It's a whole-of-government, whole-of-society activity. But the office growth: we're just two years old, we're toddlers, believe it or not. So I used to be a musician. I don't play anymore. But I think of this as a symphony. Right? So you've seen the first three movements: we stood up the office, we've got great people, we've launched the national cyber strategy, that is like Beethoven's Fifth. But we have the implementation plan to do. That's another movement. We have the Workforce Strategy, that workforce awareness and education strategy, that's where we have the API's built in to this strategy. That's another movement.
So we're building the symphony, in order to make progress in cybersecurity and ultimately achieve those two fundamental principles, shifting risk and building resilience.
So I mean, Chris Inglis sold you on to become the principal deputy, and to take over for him. Yeah, I'm just curious, like, how you see, you know, what he sold you on originally and the vision and what it is today and what you want it to be, and kind of how you see that moving on too?
Yeah, so true fact, the day after Russia invaded Ukraine is when Chris approached me about being his second in command. So prior to that moment, I hadn't actually worked with Chris on a day-to-day basis. Of course, I knew his body of work, he knew my body of work. But the thing that really sold me on this was he saw an opportunity for me to have value in cybersecurity in this cyber space, right? So I've done it in the nonprofit world, I've done it in private sector, I've done it as a federal civilian employee. This is from a different vantage point now. He valued the type of experience that I was bringing into the position. He and I are like apples and oranges, right? We're just different. Maybe not even apples and oranges, like apples and broccoli. He's an engineer three times over. I'm a lawyer in all sorts of ways. We had different experiences, we're able to bring different solutions to problems and get to the same place. But it was better than either one of us could have imagined. That was a fantastic partnership. And the staff is built out the same way, right? So not everybody on staff were engineers. We clearly have some fantastic engineers, but we have strategists, we have those that come from enough nonprofit. We have a defense attorney that has done a lot of trial work in our own right. We have a lot of talent, a lot of skills that really allows us to leverage the strength of the office and cause good things to happen. One of our superpowers, one of the things that the geek in me really, really leaned into, said we have this enormous power in the statute to align budgets, side line, cyber priorities and budgets across an agency. That's a superpower that I really like. Because nothing works if you're not resourced properly. I mean, what a novel concept. So we're positioned to really be forward leaning and find practical solutions to some of these problems.
That's really great. Well, one of the things you talked about, the first day when you were asked to come in, was the Russian invasion of Ukraine. And you've talked quite a lot about the fact that the US government has handled how they work with the private sector on that issue and the operational collaboration on it, truly making it a public-private partnership different than what has been done in the past. I was wondering if you could elaborate a little more for this audience, which may not have heard some of those details? Yeah. So and how do we keep that going?
So one of the things that was so outstanding to me was the fact that we finally figured out a way to take classified information and get it to those that are going to be able to action it in a realistic way. So for example, in Ukraine, we knew that we were going to sanction certain elements of the Russian government. And we thought about how that might impact our critical infrastructure at home. Maybe something might happen to the financial sector. We were able to take classified information and get it to the financial sector, who was able to operationalize it, right? And so we were able to protect ourselves at home. That's a new way of collaboration. That's operational class, professional intimacy. I think you've heard me say before, it's not just information sharing. We've evolved. The aggression of Russia against Ukraine has helped us get there. So we've taken that, felt like that was a pivotal moment, and we've really leaned into it. So we've used our convening power in the White House, for example, to bring in C-suite members, stakeholder members, right? So like the electrical vehicle market, the health, energy and others. We brought them in, given them threat briefing, sometimes threat and vulnerability briefings and one day classified readings to give them information that they can operationalize. They can imagine having a capital expenditure to address, not just an operational expenditure, but capital. That's why it was important that we had CEOs in these rooms, and then had a public conversation, an unclassified conversation, among industry leaders and government leaders about what we can do to operationalize opportunities together, given the threat briefing. JCDC does it in a different way than what we've done. But it's also effective. And NSA's triple C does it in its own way. It's a one-on-one type of opportunity.
But the bottom line is, we have opportunities now to operationally identify problems, and then figure out ways to address those problems together. Right? So we have better, we have one plus one equals three, we have geometric outcomes from that kind of collaboration. That's new. I mean, like this, I left government for three years or something and came back and pleasantly found a new way of public-private partnership.
And how do you make sure that you're not overlapping with what JCDC is doing or what the NSA is?
You know, I think overlap is not a bad thing. Honestly, there might be situations where, if you are a part of the defense industrial base, and you want a one-on-one opportunity to collaborate with NSA as the DIB, that's the right place to do it. If you are trying to figure out the Log4j problem, and you need an all-of-community approach, and you want to feed into that process, that's the right way to do it within JCDC. There isn't a mutually exclusive way to do it. We in the government have figured out we need to meet our stakeholders, our constituents, where they are. We have a duty to provide a platform, whatever that platform may be, for industry to be able to collaborate. That's what's important. That's what spreche we worry about on the back end how we share amongst ourselves. That should not be a problem for industry to figure out, that's my problem. But we owe it to have a variety of platforms to meet industry and civil society where they are, however they want to share with us.
I know you have to get back to anywhere else. We have one last question for you. Which, I mean, it's a topic that has come up at this forum and at Internet Education Foundation forums for many, many years, is the workforce problem. We talked about it a little bit, you know, and I know you're working on the strategy, and the national cyber strategy says, we're building as their strategy for the workforce. Look at that one. What can you preview a little bit about where it's going? And how it's gonna work? And what's gonna be different this time? Like, how are we going to make progress on this issue that seems somewhat interminable, you know, looking back on the growth here?
So we were taking the many fewer approach. You might have heard this before, right? We're addressing not just the cyber and IP jobs that exist, but those that implicate cyber around it. So policymakers, lawyers, assembly, factory workers, and then the pipeline, the many the All right, how do we deal with K through 12? How do we deal with reskilling and upskilling? As we build out broadband, for example, as part of the Bipartisan Infrastructure Law, how do we think about workforce as we build that out, to make sure not only that our broadband is secure, but that we are also offering opportunities for good-paying jobs in cyber? There are a couple of things that come to mind that you'll see in the strategy eventually. One is that we have to help communities understand that cyber is not necessarily always technical. There are important technical jobs out there, but there really is a place for any skill set to be in cyber. That's one piece. The other is, how do we build out curricula for K through 12, for community colleges, for universities? How do we build that in? How do we build in workforce, for example, in the CHIPS and Science Act, as we near-shore, on-shore chip manufacturing, that fabs centers? How do we do that? And then, the last piece is, what are the barriers that we're imposing on ourselves and on the cybersecurity community? Do we really need CISSPs for every job? Do we need to have expensive certifications? Maybe we do. But have we thought about it? Have we thought about, do we need that? Or do we need a certain set of skills? Do we need a college degree? Or do we need vocational programs to help implicate this, right? So we're really challenging ourselves to figure out what barriers have we put up in the cybersecurity community that's causing part of the problem.
And what should folks here in the private sector and, you know, others who want to engage in the workforce strategy, what should they be looking for, and how can they engage?
So we did have an RFI recently. This is not our only opportunity to engage with the private sector. We are also bringing polling and bringing in small communities the same way we did with the National Cybersecurity Strategy, getting into communities at every level, getting into the stakeholder space at every level to be a part of the process of building the strategy. But even on a practical matter, the Department of Labor has recommitted additional money, for example, to have registered apprenticeships and cyber industry could participate in those registered apprenticeships. It's one of those opportunities where there's an actual thing you can do now to address the issue as we're building up the strategy.
Well, thank you so much for joining us. Really appreciate it and best of luck to you.