The US Cyber Landscape with Chris Inglis

Show Notes

Host Frank Cilluffo speaks with Chris Inglis, who just finished serving as the country's first National Cyber Director. They discuss the current challenges confronting the US in today's cybersecurity landscape and explore new obstacles emerging with the rise of AI.

Show Notes:
https://www.washingtonpost.com/politi...
https://www.barrons.com/articles/ai-r...
https://thehill.com/opinion/cybersecu...
https://mccrary.auburn.edu/events/sol...

Transcript

00;00;00;00 - 00;00;28;04
Frank Cilluffo
Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and protecting our digital world. I'm your host, Frank Cilluffo, and have the privilege of interviewing our First Nation cyber director Chris Inglis. On our first episode, Chris goes deep in terms of what he thinks are the greatest threats to U.S. cyber security, as well as what questions A.I. developers need to ask before it's too late.

00;00;28;06 - 00;00;35;09
Frank Cilluffo
You won't want to miss this episode.

00;00;35;11 - 00;01;04;15
Frank Cilluffo
I'm thrilled to welcome Chris Inglis this morning. Chris needs no introduction to anyone in the cyber community. He recently served as the first national cyber director, had a storied career at the National Security Agency, started out as a pilot, Air Force Academy and as an officer up to brigadier general and quite honestly, is the culmination of a lot of what we now call cyber.

00;01;04;20 - 00;01;13;07
Chris Inglis
I'm delighted to be back with you, Frank. So enjoyed our time together on the Solarium Commission and I certainly appreciate your voice in the larger cyber cyber ecosystem.

00;01;13;14 - 00;01;44;13
Frank Cilluffo
Well, I'm thrilled to have you. And I do want to pull a little bit on solarium in a little bit. And I also want to look to the top priorities for 2024 and some of the big issues the country faces. But before we look forward, why don't we step back a teeny bit and just out of curiosity, since we have students listening and viewing as well, when did you sort of realize cyber matters and what was your pathway way into that to what is now the cybersecurity field?

00;01;44;16 - 00;02;13;03
Chris Inglis
So I think that that's a great question. I first realized that cyber mattered long after it did matter. It turns out that cyber only matters because the things we already care about, whether that's banking online, whether that's the delivery of critical functions, whether that synchronizing supply chains you'll never physically touch. All of those things have been important for a very long time and very long ago, 20, 30, 40 years ago, those became dependent on what we call cyberspace.

00;02;13;03 - 00;02;32;18
Chris Inglis
We might have called it the telecommunications sector in the early days, the Internet, perhaps after that, digital infrastructure might be a fancy word for that, but we've always cared about that. I think what we've realized is as transgressors, whether they're criminals or rogue nations, have understood our dependance on that and held us at risk because of that dependance.

00;02;32;21 - 00;02;45;09
Chris Inglis
All of a sudden we've realized that that importance has always been there and we're playing catch up. So for students, I would say that the lives that you lead are the things that make cyber important. It's not important for its own sake.

00;02;45;11 - 00;02;58;10
Frank Cilluffo
Well said, Well said. And given your role and was it 25, 28 years at NSA and leadership position? 28 years. God bless. 41 Total government service. Federal service.

00;02;58;10 - 00;03;00;04
Chris Inglis
At that time it was 43 years.

00;03;00;10 - 00;03;11;01
Frank Cilluffo
I'll be 43 years. So but given your time at NSA, anything in particular there that prepared you for what you were stepping into as national cyber director?

00;03;11;01 - 00;03;39;25
Chris Inglis
What I learned at NSA is that most truly great work is horizontal in nature, not vertical. Meaning if you can bring together diverse talents and capabilities, authorities all arrayed against a common shared aspiration, there's nothing you can't do. You can do anything. And I learned that at the National Security Agency, which is not the vertical that most people think it is, It's it's for all practical purposes, this profoundly rich and diverse, horizontal.

00;03;39;28 - 00;04;00;25
Chris Inglis
You look around the room at the National Security Agency and any problem that you're trying to work, and you see great cognitive diversity. You see a difference in backgrounds, a difference that you can see, but more importantly, a difference that you can experience. And when you bring that to bear, there isn't a problem you can't solve. I think that that lifts and shifts nicely into cyberspace.

00;04;00;27 - 00;04;06;08
Chris Inglis
It's a place where we've not crowdsource the threats that have been crowdsourcing us, and that's what we have to do.

00;04;06;15 - 00;04;32;19
Frank Cilluffo
It's a great point. And when most people think of NSA, they think technology and they're people behind the technology. And that's the purpose of these the series of these discussions is to actually get to the people behind those making the decisions around around cyber. There have been some who've been critical saying too much NSA in cyber leadership. I sort of counter back.

00;04;32;25 - 00;04;46;18
Frank Cilluffo
Who else has the experience? What are your thoughts on that? And then sort of going future or going into the future, do you think that will change or do you think NSA will always be at the vanguard and that the lead on some of these issues?

00;04;46;18 - 00;05;11;05
Chris Inglis
I think what we've seen is that the experience, the people who've gone through NSA have is useful experience. It matters, but you don't have NSA people leading SIS or for that matter, the national Office of the National Cyber Director or any of those other organizations. They happen to have that experience. They also happen to be Americans. They also happen to have had rich lives across America, in the private or public sector experience.

00;05;11;08 - 00;05;20;26
Chris Inglis
And so we should hold them accountable for what they are at the moment, deploying and leveraging where they have been. And if that experience from NSA is useful, so be it.

00;05;20;28 - 00;05;39;11
Frank Cilluffo
And you know that you touched on what I think is the most important question, and that's the why. What motivates the women and men to public service and in general and cyber in particular. Just curious, since you're leading the effort, what's your why, Chris?

00;05;39;17 - 00;05;56;21
Chris Inglis
Public service generally, I think it motivates people because they want to do something beyond themselves. They want to make a difference to something other than themselves. When I was at the office of the National Cyber Director, I would ask a question of everybody that wanted to join that team. And we had some extraordinary people who did join that team.

00;05;56;28 - 00;06;12;26
Chris Inglis
But the question was, what's the purpose of your power? And if the person would say something along the lines of I want to do something good with that, I want to do something beyond myself with that. Then I knew that we were on the road to a higher. I didn't know quite what we would apply that person's time and talent to.

00;06;13;03 - 00;06;30;15
Chris Inglis
But. But you train, you hire for aptitude, you train for skills. And if a person shows up and says, I just want to make a difference in the world, they're already in a public service role. They may or may not be in what's literally described as the public sector, but but they're already acting as a public servant.

00;06;30;18 - 00;06;53;18
Frank Cilluffo
There are students watching and listening. I think that's that's terrific advice and the reality is, is none of us knew 20 years ago that the discussions we'd be having today were as pertinent, pertinent as they, in fact, are. But I'm reminded of the Yogi Berra quote, How do you the best way to predict the future is to shape it?

00;06;53;18 - 00;07;13;22
Frank Cilluffo
And and the reality is the future ain't what it used to be. So with that in mind, let's go a little bit to the future and let's look to 2024. What what unfinished business do we need to get our arms around? If you had to rack and stack your or your three 3 to 4 priorities, what would they be right now?

00;07;13;24 - 00;07;31;20
Chris Inglis
But let me kind of borrow a line from you, which is let's look back to actually think forward. You know, I think that we need to remember that cyberspace or digital infrastructure or whatever your term of art might be is not simply technology. And for 40 or 50 years, I think that we have imagined on our worst days that that's it.

00;07;31;27 - 00;07;50;20
Chris Inglis
It's just technology. And the only thing we need to get right is the technology. That's not how transgressors think. The transgressor, whether that's a criminal or a rogue nation state or anything in between, when they look at you and they want to hold you accountable or at risk because you're dependent on cyberspace. They actually look at three things.

00;07;50;28 - 00;08;21;17
Chris Inglis
The first thing they look at is have you assigned the roles and responsibilities such that, you know, I have to actually find a way to beat everyone in this place. I have to get past everyone who's watchful and executing the responsibilities they have. If nobody's guarding the front door, I'll just come right through the front door. The second thing they look at, if that's solid, is they look to see whether people are up to speed that day, whether they're complacent or whether they're on the front balls of their feet, actually kind of not making mistakes and thinking thoughtfully through what they should do.

00;08;21;19 - 00;08;38;09
Chris Inglis
If we were driving a car that kind of say, do you have your hands, hands at the ten and 2:00 position, have you been drinking while you're driving? Are you speeding? Are you reckless? Are you texting while you drive? If any of those are problems for somebody who's manning the front lines of cyberspace, then a transgression will take advantage of that.

00;08;38;16 - 00;08;58;25
Chris Inglis
And if they have to, they will then go after technology. They will actually try to figure out how do I overwhelm your technology? But it turns out that the opportunities are very rich. On the first two, we don't have the roles and responsibilities properly assigned. We don't have our skills up to speed, and our technology is not actually doing as much as it can to support the people in that system.

00;08;58;27 - 00;09;30;11
Chris Inglis
So those then for me line up against the three priorities. When you get the roles and responsibilities right, we need to make transgressors beat all of us to beat one of us. For so long we've been defending alone in our individual stovepipes individuals defending small businesses without any material assistance, either in the providers who give them that technology or the government that might hold them accountable for executing their responsibilities in a certain way for so long, we've not been teaching our kids as much about cyberspace as we teach them about managing a hot stove or crossing a city street.

00;09;30;13 - 00;09;53;29
Chris Inglis
And for so long, technology has essentially been a caveat emptor proposition that the principal providers of that at the commodity level have not been investing in inherent resilience and robustness. So that what's then inherited by those who live at the edge is something that's not defensible, it's not been built to be defensible. And their proposition of having to defend it from a cold start, it's an impossible turn.

00;09;54;01 - 00;10;14;22
Chris Inglis
So in this year, 2024, when they get serious about roles and responsibilities, the National Cybersecurity Strategy lays those out and they get serious about helping people get their skills up to speed, not so that they can literally defend cyberspace. So but so that they can ensure that cyberspace meets their expectations. And finally, we need to bend technology to that purpose in that order.

00;10;14;25 - 00;10;43;05
Frank Cilluffo
Now, that's great. And I do want to touch a little bit more on the National Cyber Strategy, which a lot of blood, sweat and tears went into to getting that over the goal line. And and one of the quotes you often referred to is to be you have to beat all of us to beat one of us. And when I look to sort of cyber related issues, trust is the coin of the realm.

00;10;43;08 - 00;11;05;01
Frank Cilluffo
It takes a long time to build. It can evaporate and disappear in nanoseconds. How are we doing in terms of the interagency getting getting the field? Say you've got quarterbacks, you've got running backs and you also have linebackers and a strong line and everything else. Are we starting to field get the right players on the field?

00;11;05;01 - 00;11;26;02
Chris Inglis
I think so. I think we have we have a very talented group of people currently running the show in places like the FBI, the National Security Agency, the Department of Homeland Security, the White House. The challenge is how do you take those very impressive verticals and connect them so that we have a broad, coherent front that to your point, we make it.

00;11;26;03 - 00;11;43;27
Chris Inglis
We make a transgressor beat, all of us to be one of us. That then means that we have to figure out not how to achieve a division of effort, which is oftentimes an agreement to not collaborate, but how do we achieve a collaboration? And we need to think more broadly about how does collaboration come into being? I think there are three essential parts.

00;11;44;00 - 00;12;10;02
Chris Inglis
One is a collaboration is marked by everyone in the collaboration understands that they have a common goal. They're not trying to solve similar problems. They're trying to help solve the same problem. I think that the National Cybersecurity Strategy lays that premise out as much as Solarium laid that premise out, we're up against a common adversary. Or more importantly, we're actually trying to achieve a common aspiration to make cyberspace work for us.

00;12;10;05 - 00;12;30;02
Chris Inglis
That second part of a collaboration is that everyone understands beyond what the shared aspiration is, what their contribution to that might be, And they actually get up in the morning and they try to make that contribution to those shared goals. And the third is they all act like owners. Now that might seem like a moment of incoherence, but if you act like an owner, you actually don't stand on ceremony.

00;12;30;02 - 00;12;52;07
Chris Inglis
If something actually falls on the floor, you don't wait for somebody to come and pick it up. You bend over, you pick it up and you essentially take that forward. Everyone acts with the common cause foremost in mind. If we can achieve that, then then we can achieve our wildest expectations, our wildest positive expectations. And then through cyberspace, we can make it such that it transgressor has to beat all of us to beat one of us.

00;12;52;10 - 00;13;07;00
Chris Inglis
And I know we'll talk a little bit about the Ukrainian Russian kind of affair in a minute, but I think that's what the Ukrainians have done in and through cyberspace. They've essentially achieved a degree of collaboration across the broad front that has kind of killed the Russians at every turn.

00;13;07;02 - 00;13;33;27
Frank Cilluffo
And in years of work to get to that point. And I do want to pull the thread on that in a second, but we have a mutual friend in Harry Coker who's going to take the keys to that national cyber director role. And what advice, without getting into what you've actually discussed with him, but what what advice would you be providing Harry, as he sort of takes takes, takes us to that?

00;13;33;29 - 00;13;56;24
Chris Inglis
I think for your audience, Harry is a good person. He's got great, great experience. He's a good leader. He's in public service for all the right reasons, wants to make a difference. And he has for many, many years. And the advice I would give him is pretty plain spoken, which is to use that power. The purpose of his power in this job would be to ensure that the sum of the parts adds up to something greater than the arithmetic.

00;13;56;24 - 00;14;21;11
Chris Inglis
So take the National Cybersecurity Strategy and its implementation and move that forward and not try to create yet another vertical in that space, but try to make the horizontal more powerful, more capable. And I think Harry will do that naturally. And I think Harry will realize that most organizations who exceed expectations do so because they're inspired, not simply because they're compelled.

00;14;21;13 - 00;14;40;12
Frank Cilluffo
Well said. And you brought some very strong talent and leadership to the office of the National Cyber Director. Anything in particular you wish you got over the goal line that that Harry and the rest of the team can can push it over the goal line in the red zone.

00;14;40;14 - 00;15;01;24
Chris Inglis
So I learned a long time ago that if you want to understand an organization's priorities, you shouldn't simply read what they kind of they say or what perhaps they write down, but how they spend their money. And I think that the budget authority of the national the Office of the National Cyber Director, which is heading in the right direction, and it gave Brennan, Dudley and a few others huge credit for that.

00;15;01;26 - 00;15;25;07
Chris Inglis
But I think I would take that further. How do you follow the money? By with and through cyberspace. Understand what our collective priorities are. Understand how they've been assigned to agencies and departments and follow that money and bias that money. It's an OMB responsibility. It's in congressional responsibility, but bias that money so that we actually achieve what we intend to achieve, not simply an extension of what we have been achieving.

00;15;25;09 - 00;15;47;29
Frank Cilluffo
Boom. I mean, there is an old saying policy without resources is rhetoric. And and when you look at NCD where it can have massive impact and effect, it is on the spending because I don't know how much is enough. I'm not sure if there's an empirically based scientific answer to that, but we know we need to be spending more and we need to be spending it smartly.

00;15;48;00 - 00;16;10;10
Frank Cilluffo
And and when you look at cyber, they're cyber specific spends, and then there's everything else. You can't you can't divorce cyber from air, land, sea space. And just like space, you can't separate from cyber as well. So it gets complicated. But I think Brennan has done some really good work there, and I hope that she.

00;16;10;10 - 00;16;31;27
Chris Inglis
Has and continues as has been working with her and OMB has been a full partner in it from the start. But I take those two points you made and actually kind of double, double tap them. You know, one is I'm not sure how much is enough, but I know that the first step to that is understanding how you spent the dollars you already have or those dollars aligned against your your expressed purposes.

00;16;31;29 - 00;16;50;15
Chris Inglis
So I'd actually want to account for all the dollars I have. I'd want to know how I'd spend the next dollars so I can make a full and fair justification of that next dollar. And if I do that, then I think that we can convince the Congress and the constituents from whom this money comes that this is a worthy expenditure of the resources.

00;16;50;17 - 00;16;53;11
Chris Inglis
But we have to do that work. We have to make the case.

00;16;53;14 - 00;17;20;09
Frank Cilluffo
So you've you've been writing a lot recently, which is great. You got to keep keep magnifying that. And we're going to include your articles in the show notes here. But you had a piece recently with our solarium colleagues, Jim Land, Jovan and Mark Montgomery, looking at some of the SCC regulatory questions, anything, anything front and center there that that our audience ought to hear.

00;17;20;15 - 00;17;42;26
Chris Inglis
I'd say three things if you're going to kind of take the center line of the SEC, the recent actions and I think you're probably referring to the SEC rule that says if you're a publicly traded company and you have a cyber incident that creates materiality, meaning it's material to the interest of the shareholders, that you have to report that that shouldn't be a surprise and that you have to report it within four days.

00;17;42;28 - 00;17;45;27
Chris Inglis
That might be the surprise, you know, the quickness of that.

00;17;45;29 - 00;17;47;16
Frank Cilluffo
I think that is a tough one.

00;17;47;19 - 00;18;11;09
Chris Inglis
And reasonable people can argue about whether it's, you know, 2 hours or 26 days. But the point is, is if a company has determined through its own resources that there's a material event that's occurred, it does have an obligation, a longstanding obligation to tell the shareholders. That should not be a surprise. That's been with us since the dawn of publicly traded companies or maybe since the dawn of the SCC.

00;18;11;11 - 00;18;34;17
Chris Inglis
The idea that you have to report that within four days you actually are in charge of the clock, it's the moment you determine it's material. Now, I think there's a reasonable discussion to be had about whether you describe that publicly in a 10-K such that you're now putting the transgressors on notice that there's this opportunity maybe not to go after this company, but a company that's adjacent that might have had a similar deficiency.

00;18;34;20 - 00;18;38;17
Chris Inglis
And so we need to kind of continue to noodle that and think our way through.

00;18;38;17 - 00;18;40;15
Frank Cilluffo
And we don't want to put a kick me sign.

00;18;40;16 - 00;18;57;07
Chris Inglis
That's right. What what exceptions are there. And the FBI has just come out with some kind of extension of the exceptions that the SCC allowed for national security purposes. But what I think is most interesting about that is the SEC is doing what I think it can and should, but it's focused on only one end to the problem.

00;18;57;12 - 00;19;24;04
Chris Inglis
It's focused on the operational end of the challenge. Public companies essentially, for the most part inherit commodity infrastructure. They might add some infrastructure on top of that, but they're operators and they're operating at the edge of that supply chain, which essentially is where kind of, you know, the the wheel comes to ground and you have traction way upstream of that or commodity providers, organizations who provide the commodity software, hardware, firmware.

00;19;24;06 - 00;19;41;05
Chris Inglis
And if they're not investing in inherent resilience and robustness, you set those public companies up for a very hard problem. Private entities as well for very hard problem. So we need to focus as much, if not greater time and attention on the supply and as much as the operational end of that.

00;19;41;08 - 00;20;05;05
Frank Cilluffo
Yeah, that's well said. And the reality is when we start looking at supply chain issues, that is a blinking red set of issues right now and not to pick exclusively on on China, but but, but clearly, when you look at existential threats and look at the supply chain considerations and concerns, it clearly is one of these blinking red issues.

00;20;05;05 - 00;20;17;22
Frank Cilluffo
And not to go back to solarium, but one of our colleagues, Mike Gallagher, is doing some phenomenal work there. And his select committee on the CCP on on China.

00;20;17;24 - 00;20;39;11
Chris Inglis
I'm a huge Mike Gallagher fan. I'm not sure I know what parties, and I just know he's a patriot and he's terrific in every way that matters. But let me talk about that supply chain. We we have two concerns perhaps about the supply chain. You know, one is, is that we would levy a burden on the suppliers, not simply because they can pay the bill, but because nobody else could pay the bill.

00;20;39;17 - 00;21;04;21
Chris Inglis
And I don't mean in terms of the dollars. There's no other point in the system where you have the leverage than you do when you're innovating, when you're kind of creating, when you're building and deploying at scale. That's where this inherent resilience and robustness might be built in, in the same way that automobile manufacturers are accountable for engineering and installing air safety bags and seatbelts and anti-lock brakes, you can't do that in a shed in the back of a consumer's house.

00;21;04;27 - 00;21;05;19
Chris Inglis
You just can't.

00;21;05;21 - 00;21;34;06
Frank Cilluffo
You're right. You're right. And and and I think there's recognition that we need to be doing more there. But but the reality is it's we've got to pony up the resources. We got to put the effort into it. And semiconductors being a case in point. But it goes much further. And I had the opportunity without hijack in the discussion here, but to lead an effort for DHS at the time to look at economic security.

00;21;34;06 - 00;22;01;19
Frank Cilluffo
And it was shockingly difficult to get visibility across our supply chains. And when we talk public private partnerships, that ain't going to be Uncle Sam. That has to be the private sector that really steps up. And I know there have been initiatives such as bombed to be able to get bills and ratings and but those are sort of analog solutions to a digital problem.

00;22;01;19 - 00;22;06;03
Frank Cilluffo
So I'd be curious what you think and where you think NCDs role is.

00;22;06;03 - 00;22;40;04
Chris Inglis
And I know I agree. I think it's a pay me now or pay me later proposition. And if you wait to pay until we pay more and more expensive, it's going to be the least efficient application of dollars or time and attention. And so we have to understand that if we at long ago, folks who manage physical estates realize that if you do something called real property maintenance, that your cost in the longer term are reduced If you're kind of managing some physical plant and it's got fan belts kind of on various motors and you replace those when they get to the 90th percentile of their useful life expectancy, you don't suffer the downtime when

00;22;40;04 - 00;23;01;06
Chris Inglis
the thing snaps or the machine doesn't kind of fly apart and all of a sudden you have to repair the innards of the machine. Real property maintenance nicely lifts and shift into the world of cyber. How do you actually invest at a moment when you can actually prevent harm? You can actually kind of stay that off because you've actually attended to the internal resilience or robustness of these systems.

00;23;01;08 - 00;23;17;11
Chris Inglis
We have to do that. If we have any expectation these systems will meet our expectations. Will it be more expensive than the system that we have now in terms of the provisioning certainly will be less expensive than the system we have now in terms of kind of running around and fixing all the problems that exist at the edge?

00;23;17;13 - 00;23;25;02
Chris Inglis
Absolutely right. We have to figure out how are we going to pay for this? Because at the end of the day, the consumer actually pays the whole of that bill.

00;23;25;04 - 00;23;55;14
Frank Cilluffo
Yeah, you're absolutely right. And that gets lost in the discussion one way or another. It is borne out by the consumer. And and just to to touch one more second on sort of the FCC reporting and just sort of stepping back and looking at it. I think, you know, I came into a lot of the solarium discussions with very much of a free market position and not to suggest that's the right answer and what I wanted, but I thought economically it's the viable approach.

00;23;55;16 - 00;24;17;26
Frank Cilluffo
What do you think? And I've changed my tune a little bit. I was always very supportive of incident reporting because I do think that that is a response ability not only to your shareholders but also to your to others in the sector that that that the U.S. economy and citizenry pays the price if you if you don't take steps.

00;24;17;26 - 00;24;26;10
Frank Cilluffo
But what do you think that right balance between regulation and maybe scalpel and so that is sledgehammer because it'd be market.

00;24;26;13 - 00;24;45;24
Chris Inglis
Yeah it's a really good point. And I'm in the same place I think, as you are now, which is if at the end of the day these systems of interest, cyber systems of interest that operate at scale provide life critical health, critical kind of, you know, security, critical services, then there are three ways that they can deliver the goods.

00;24;45;24 - 00;25;17;08
Chris Inglis
There are three ways that they can meet the expectations, the necessary expectations of the consumer self enlightenment. There are companies that essentially say, I know that this should be done and they do it market forces where companies compete against one another to essentially appeal to the interest of the consumer. But those two forces, however robust they might be and they're increasingly robust, are never enough to guarantee that these systems will be what they need to be when health hangs in the balance, when life hangs in the balance, when national security hangs in the balance.

00;25;17;10 - 00;25;39;07
Chris Inglis
And so we have always in this society said, well, let let self enlightenment and market forces have their play and we will determine then what is required in terms of that additional push to identify the non-discretionary, the mandatory features, and to ensure that they come about. We've done that for cars, we've done that for airplanes, we've done that for therapeutics, for drugs.

00;25;39;09 - 00;25;56;14
Chris Inglis
Cyber should not get a pass. Cyber is not so exceptional that it should be accepted from that. Again, this should be done with the lightest possible touch and a lighter should be done with a high degree of consultation with the private sector and it should be harmonized so that we don't have all the would be regulators standing in doing this job ten times.

00;25;56;16 - 00;26;29;18
Frank Cilluffo
Harmonization is key that that's often bandied around. But I think we really need to scrutinize that and and when you look at some of the other examples you gave, Uncle Sam, in essence becomes the insurer of last resort, though, should something go beyond if a nation state act of war, There are a whole host of difficult questions that I know I had to grapple with a little bit when I was in the White House with TRIA and some of the questions Terrorism Risk Insurance Act.

00;26;29;18 - 00;26;38;11
Frank Cilluffo
And I do think that the role that the insurance reinsurance sector plays can be improved.

00;26;38;13 - 00;27;04;13
Chris Inglis
I do, too. At first, I would emphasize that an ounce of prevention is still worth a pound of cure. And so we need to actually do those things that make it less likely that will have those catastrophic events. And we've not done enough of that investment in the inherent resilience and robustness. But to that point, there will be moments when, you know, this thing comes apart, whether it's for an individual, an organization, maybe even sector wide across society.

00;27;04;15 - 00;27;42;10
Chris Inglis
And the government has to at that point step in and actually act to restore the resilience, the robustness of those functions that the citizens depend on. The government for insurance has always been something that assists in doing that, both in terms of understanding before the event. What are those risks that perhaps we should mitigate through the application of practice or maybe technology in in the event transferring risk from one party to another party who perhaps can't bear that risk in a sharp and kind of significant way to a collective that might be the kind of the insurance company.

00;27;42;12 - 00;28;18;01
Chris Inglis
But but in cyberspace days, the risks are sometimes so catastrophic that you need what we think is a backstop. You know, something that says I'll take the significant risk off the table in the same way that the federal government or a quasi entity, the federal government, takes flood risk off the table. If we want development to occur in areas where that risk is too high and the government needs to stand in to say I will actually kind of ensure that to some reasonable degree and make sure that I understand what the sidewalls are of how much risk is too much, that there is that proposition that the federal government can and should consider becoming the

00;28;18;01 - 00;28;32;22
Chris Inglis
backstop for cyber insurance so that what then comes into being is a viable marketplace for the cyber insurers in the private sector. We've actually done a really good job in so many other instances and I think would have a lot to teach us about how insurance should work in the cyber marketplace.

00;28;32;23 - 00;28;41;12
Frank Cilluffo
And they do induce changes in behavior as well in terms of consumer based and the like, which I think is important to this desk.

00;28;41;13 - 00;28;45;11
Chris Inglis
I know if I get a couple of traffic tickets, I don't buy insurance.

00;28;45;11 - 00;28;46;17
Frank Cilluffo
Premiums are better than May.

00;28;46;17 - 00;28;55;14
Chris Inglis
So I'm motivated to at least some degree to be mindful of the insurance premiums. When I think about how I'm going to behave in an automobile, I think the same thing pertains to cyber.

00;28;55;16 - 00;29;29;07
Frank Cilluffo
But let's jump not to go in a completely different direction, but you sort of teased out a little bit about the conflict we're seeing right now, the war and the Russian aggression in Ukraine and some of the lessons learned there. And and firstly, I don't think we will ever see a form of conflict that doesn't have a cyber dimension to it, whether to collect for collection purposes or even in conjunction with kinetic means or even cyber specific.

00;29;29;07 - 00;29;55;01
Frank Cilluffo
I'd be curious what your thoughts are there. And then specifically getting into Ukraine. And we're not the only ones observing this. I'm sure President Xi is is is taking very close note of what's playing out in in Ukraine as pertains to potential concerns in in Taiwan. So there's a lot to unpack there. But but sort of starting with conflict in general.

00;29;55;01 - 00;30;11;03
Frank Cilluffo
And I don't know if you remember this, Chris, but just before you were tapped to be national cyber director, you and I were going to write a piece on deterrence. And a lot of what we're discussing here had to do with Conflict of Tomorrow.

00;30;11;06 - 00;30;13;18
Chris Inglis
You're right. There's a lot to unpack. Yeah, it's too much.

00;30;13;18 - 00;30;14;12
Frank Cilluffo
And it's a.

00;30;14;12 - 00;30;15;13
Chris Inglis
Wonderful set in a few.

00;30;15;13 - 00;30;15;27
Frank Cilluffo
Minutes.

00;30;16;00 - 00;30;45;19
Chris Inglis
So it's only maybe I'll take that in reverse order. Let's talk about first about cyber deterrence. Yeah, I think that, you know, cyber deterrence often gets conflated with nuclear deterrence or deterrence of an absolute kind where the goal in some other form of deterrence is to absolutely prevent something from happening that's not possible in cyberspace. The cost of entry is so low, the assets you might kind of avail yourself up are too lucrative that you're never going to keep the offense right, the transgressors completely off the field.

00;30;45;22 - 00;31;14;22
Chris Inglis
But if you kind of back up and think about what deterrence really is, it's changing the decision calculus of a presumed adversary, somebody that was going to otherwise come after you, I think it's still possible we can, in fact, make ourselves a harder target that might deter them from even trying in the first place. We can catch them in the bargain by being proactive and kind of observant about what the systems are actually doing so that we can find them, box them, evict them at the earliest possible moment, again, change their decision calculus about how much they want to invest in that.

00;31;14;25 - 00;31;33;13
Chris Inglis
And if they still come at us and if they succeed, we can then impose a significant cost on them. Again, changing the decision calculus of at least others who would say, I don't want that to happen to me or this kind of particular adversary when they think about doing it the next time. So so I think all of that choice play.

00;31;33;15 - 00;31;35;16
Chris Inglis
Having said that kind of you also.

00;31;35;16 - 00;31;37;27
Frank Cilluffo
Mentioned we imposing enough cost right now.

00;31;38;00 - 00;32;02;12
Chris Inglis
I don't think so. But that's not because I think we should bring hell and damnation on our adversaries. I just don't know that we're joined up enough because this is not a cyber on cyber play. Right. There's this is how do we actually kind of use all the instruments at our disposal. We've not made our systems resilient and robust enough so that we would deter some of the presumed transgressors from even trying in the first place.

00;32;02;15 - 00;32;18;06
Chris Inglis
If you lock your car and you kind of shine a bright light on it and you have a red light that's flashing on the dash for Lord knows what reason, most kind of adversaries, criminals who walk by would say, Not this car mean maybe the next car. I'm not going after this one. Right. So we've not done enough of that in cyberspace.

00;32;18;12 - 00;32;31;21
Chris Inglis
And that's a role for individuals, for organizations, for governments. But all of those parties to play. I don't think we're observant enough and we're not joined up enough in cyberspace to kind of create that deterrent that you've got to beat all of us to be one of us.

00;32;31;21 - 00;32;55;17
Frank Cilluffo
So your poll in a pet rock issue and I know one we can't get into great depth on, but now SPM 13 National Security presidential memo 13 sort of articulate some of the authorities because we're never going to simply firewall our way out of this problem. We need to be able to also look at what some of our offensive capabilities are.

00;32;55;17 - 00;33;22;05
Frank Cilluffo
And I know you and I have had discussions and we can't get into the specific parts of the documentation. But one thing that I have been very impressed with and that is in terms of General Nakasone and utilize some of our capabilities because let's be serious, we do have significant cyber capabilities, but what are your thoughts, their decision making and and authorities, are they.

00;33;22;07 - 00;33;44;11
Chris Inglis
To the extent that we can talk about that here, I think it's a really useful thing to to it's a third strand of what I was going down the road to discuss in terms of cyber deterrence or cyber response. So 2018 was a watershed year. That's the year that inspired national security. Presidential Memorandum 13 was defined and it was part of a trifecta.

00;33;44;14 - 00;33;50;03
Chris Inglis
Remember, the first part of that was the Department of Defense said we are going to persistently engage, are known as disparagement.

00;33;50;03 - 00;33;50;12
Frank Cilluffo
Defense.

00;33;50;12 - 00;34;15;09
Chris Inglis
And we will defend forward, meaning we will engage them at the earliest possible moment when we have the highest possible leverage and we can make something that was on the rise essentially stop in the moment of its inception. The second part was that the U.S. Congress described military cyber operations as a traditional military activity, no longer so extraordinary, so exceptional that the president alone could authorize that.

00;34;15;12 - 00;34;33;05
Chris Inglis
And the third part of the trifecta was granting under NSP 13 the authority for United States Cyber Command or others. It's not unique to Cyber Command, but others to essentially use cyber on cyber capacity for well-defined situations. Now that's where quickly it's classified. Yeah.

00;34;33;06 - 00;34;33;25
Frank Cilluffo
Are those whether.

00;34;33;25 - 00;34;55;13
Chris Inglis
Or not to negotiations. But in my view, that was not as extraordinary as people think was what it was essentially doing is saying to cyber, you're another instrument of power. You're an instrument of power. So get up to the front lines. The way diplomacy has been on the front lines, the way legal attachés have been on the front lines, financial sanctions have been on the front lines, the way the private sector has been on the front lines.

00;34;55;18 - 00;35;16;16
Chris Inglis
Join the fray so that we can use all those instruments of power to essentially not simply create the resilience and robustness, not to sustain it kind of in the kind of the royal and toil of the daily bumping grind. But to apply those instruments of power in combination to impose costs on transgressors in that space, if we did that, I think we will.

00;35;16;16 - 00;35;30;13
Chris Inglis
We are changing the decision calculus of adversaries, not to the point where they'll completely stay off the field. So cyber deterrence is a risk at not a switch. And I'd like to get it kind of somewhere below 11 down, maybe two for one or two.

00;35;30;13 - 00;36;01;11
Frank Cilluffo
Yeah, and not to belabor the point, but these incidents occur quickly. And if you have a very analog decision making process and no one's suggesting you don't need the guardrails in place, of course you do. But at the end of the day, I think pushing some of the decision making down to the field also led to less of a chilling in the community to actually act.

00;36;01;13 - 00;36;20;24
Chris Inglis
What is the best practice of the use of every other instrument of power? The don't tell a police department at the beginning of the year who they can arrest specifically? They can arrest. You say under these circumstances, if you find somebody behaving this way, kind of conducting this transgression, you're authorized to use your police powers under these constraints in a certain way.

00;36;21;01 - 00;36;42;02
Chris Inglis
And the same thing applies to the kinetic military. You don't tell an Air Force commander or a combatant commander that this F-16 can only fire these rockets or these bullets in this specific situation. Say, look, I'll give you a kind of a field of an envelope within which to operate. I'll give you restraints, constraints on what perhaps the collateral effects can be.

00;36;42;04 - 00;37;05;15
Chris Inglis
And I'm going to do you accountable for that. And SBM 13, in my view, does nothing more, nothing less than that. It not simply authorizes, but it applies constraints in the same way we apply constraints to our legal authorities, our financial authorities, the private sector authorities I with and through cyberspace. Again, cyber is an instrument of power. It's not the only instrument of power that we can use in cyberspace.

00;37;05;16 - 00;37;52;12
Frank Cilluffo
Well said. Well said. And it is very emblematic or reminds me of some of the synchronization after 911 of Title ten authorities, military armed Services, arm Powers and Intelligence Title 50. And I was often asked big successes, post-9-11. And I mean, there were a lot of good people doing so much good in our country, but I think a lot of it was not the creation of the Department of Homeland Security per se, or the stand up at the National Counterterrorism Center per se, or even armed base, which I think did have tactical significance in a in a very important way.

00;37;52;12 - 00;37;59;14
Frank Cilluffo
To me, it was really synchronizing it. It culminated in what J SOC is doing today, and that's an authorities thing.

00;37;59;20 - 00;38;04;29
Chris Inglis
I agree with you, and I credit you and your colleagues at the time for actually having the vision in the tenacity.

00;38;05;00 - 00;38;07;21
Frank Cilluffo
That's General Downing wide may he rest in peace.

00;38;07;24 - 00;38;26;23
Chris Inglis
But at the end of the day, if all of these instruments of power are used only as kind of siloed instruments of power, perhaps perceived as one off kind of applications of this or that authority, then that silo will essentially be a weakness for us because an adversary knows that they can pick one off without the others kind of coming to play.

00;38;26;26 - 00;38;52;18
Chris Inglis
They essentially all stand idly by because we're all defending inside of our silos. We need to apply those in combination concurrent so that they actually achieve a multiplicative effect, each understanding what their constraints are at each understanding that this is a shared aspiration, a shared challenge, in that a division of effort would actually be an agreement to not collaborate in an agreement to be weaker in the presence of something that's already crowdsourcing us.

00;38;52;20 - 00;38;58;14
Frank Cilluffo
Terrific. And not to go back to Ukraine, What what do we need to be thinking there?

00;38;58;15 - 00;39;07;05
Chris Inglis
Well, first and foremost, I think we need to express some humility about what we didn't think. What we didn't think the art of the possible was what the Ukrainians have achieved.

00;39;07;10 - 00;39;10;21
Frank Cilluffo
I literally thought five days, seven days, I thought it was going to be.

00;39;10;21 - 00;39;34;13
Chris Inglis
Unfortunately, I was in the same camp, had enormous respect and appreciation for the stout hearted and courageous efforts that the Ukrainians were about to put in, and they've done nothing but exceed those expectations. But I thought that the Russian let's talk about in cyberspace alone, what the Russian capability was numerically superior and technologically superior.

00;39;34;15 - 00;39;39;02
Frank Cilluffo
And they own the the original infrastructure in the face of RIP and replace some of that in the.

00;39;39;02 - 00;40;00;16
Chris Inglis
Face of that, know who could prevail. Right. You know, even the Ukrainians fighting for their very existence. But what they've shown us and some of this I get by kind of discussions with and around Digital Minister Federoff and what is important what he said he said we realized technology mattered and so we got it close enough to Right to have something we could then defend.

00;40;00;18 - 00;40;31;18
Chris Inglis
Right. It's not perfect. It is not the architecture you want to go to war with. But but it's close enough. It's got enough agility and it's got enough redundancy in it. It's got enough firebreaks, segmentation, and that it can be defended. We realize that technology mattering, that expertise matters more and they've got world class expertise. And I would observe from the side that part of the way they got there was they ran exercises every day from 2014 forward conducted by the Russians, who knew that the Russians were actually training the Ukrainians, perhaps inadvertently.

00;40;31;18 - 00;40;56;26
Chris Inglis
But nonetheless, the Ukrainians are world class in their expertise. But the third thing, the thing that matters most of all is that they have a world class doctrine. What the Ukrainians have done is to set up a proposition where the Russians have to beat the Ukrainians and Microsoft. And he said it's Cisco, NATO's national security and any number of entities all operating within the rule of law, within their terms of service, not as co combatants, but as co defenders.

00;40;56;29 - 00;41;15;29
Chris Inglis
You have every right to lean on a coalition to help defend yourself. You know, when there's a transgressor that is capriciously, arbitrarily, wantonly bringing kind of, you know, death and destruction to your to your town. And so the Ukrainians have mobilized that. So the Russians have to beat all of that to beat the one thing that they want to beat, which is the Ukrainians.

00;41;16;02 - 00;41;33;11
Chris Inglis
But the reason I mention Federoff is that he says that. But there's one thing more. He says the most important thing of all is to remember the fourth thing, at which point kind of an idle question, you might say, what is that? And he would say to remember what cyberspace is for. So we get up every morning, we try to figure out what we're going to do with cyberspace.

00;41;33;13 - 00;41;51;00
Chris Inglis
We're not going to go into a fetal crouch to simply defend cyberspace, because the purpose of cyberspace is not to tee up something to be defended, but to alert to to allow you to do the things that you want to do in life while serving this society within the United States, where we're not kind of in a literal war with another nation state.

00;41;51;03 - 00;42;12;23
Chris Inglis
We want to get up in the morning and do banking or our social media or follow our children kind of through social media and so on and so forth. And all of those should what should condition us should motivate us to want to make the investments in it so that it will meet those expectations and to not wait around for some accident to have been some fire to break out, which is why I would say I wouldn't elevate cyber is priority.

00;42;12;26 - 00;42;27;18
Chris Inglis
I should subordinated, which is what the Ukrainians have done, subordinated it to the larger national interest, which means that everybody now is motivated to say, I now know why I care about cyber. I'm willing to put my shoulder to the wheel, make that investment. Let's make them beat all of us to be one of us.

00;42;27;21 - 00;42;43;03
Frank Cilluffo
While you preempted a question, I always ask in that what does success look like? I think you perfectly captured what success is and and it's not cyber for its own sake. It's not cyber for everything else.

00;42;43;03 - 00;42;49;26
Chris Inglis
Success is cyber meets our expectations. You know what I want to do in my life of it is dependent upon digital infrastructure.

00;42;50;01 - 00;43;03;02
Frank Cilluffo
What should Taiwan glean from Ukraine? And I still think the initiative remains with the attacker. But the read on blue, this gives blue a fighting chance, doesn't it?

00;43;03;06 - 00;43;14;10
Chris Inglis
Well, any time the initiative kind of, you know, is is settled in on the attacker side, that that's a moment for the presumed defender to think about deterrence. How do I convince them that this is not what you want to do?

00;43;14;10 - 00;43;16;08
Frank Cilluffo
Dissuade, deter, compel, If that's right.

00;43;16;08 - 00;43;38;08
Chris Inglis
So so how do I actually prepare myself so that I can change their decision calculus or to prepare to be able to respond and recover should deterrence fail in the absolute sense. And so Taiwan should be and I know is kind of working that very hard at the moment and creating a coalition that would assist in that defense not as co combatants, but but to help them in their defense.

00;43;38;10 - 00;43;59;26
Chris Inglis
What's an equally interesting question is what is mainland China? What's the PRC thinking its way through? And they're presumably watching what the Russians are doing and trying to determine is that the right objective, the acquisition of physical territory to extend the national sovereignty, national pride, national identity, I would imagine that they still think that that is the right answer.

00;43;59;28 - 00;44;27;04
Chris Inglis
The question is the means by which they would achieve it. The second question then is what means to use soft power? Do you convince kind of, you know, or perhaps to use hybrid power to perhaps begin to coerce what is kinetic hard power to begin to force? Right. And that's the question that then lies before the kind of PRC as to how do they bring about that, what they view as an important reconciliation of the Taiwan and the mainland Chinese people.

00;44;27;07 - 00;44;55;29
Chris Inglis
We need to convince them that kind of by force, hard power is not the way. Hybrid powers, not coercive powers, not the way soft power, where we entangle and perhaps try to achieve common interests, common aspirations. That's a reasonable course where two nations might collaborate, they might compete, but they shouldn't be in a conflict where one party or the other is essentially setting its people up to lose, which I don't think is is a fair proposition at this point in time.

00;44;56;02 - 00;45;27;22
Frank Cilluffo
I hope you're right on that. I people referred to China as a pacing threat, quite honestly. There are some areas that I think we have some hubris there to take. They're ahead of us and a couple of areas we just can't afford to lose, whether it's some of the advent of A.I. or in its application and often it's how these technologies are used.

00;45;27;27 - 00;45;30;15
Frank Cilluffo
They don't have the same constraints we do in.

00;45;30;15 - 00;46;03;07
Chris Inglis
Terms of I agree, but there's a very important nuance. I couldn't agree more. There's a very important nuance in what you just said, which is how they use these technologies. You know, oftentimes, you know, it said that that as an autocracy, they don't have to worry about individual privacy interest or the liberties of their people, which I think you can take that a little bit further to say, I'm not so worried about Chinese installing a backdoor in things like tick tock or kind of the Huawei kind of technology that is so often the topic of discussion at this moment.

00;46;03;10 - 00;46;14;20
Chris Inglis
I think we're in the right place at saying that we don't want that widely introduced into our society, not because of a backdoor, because I worry about the legal front door, right. That government has the.

00;46;14;22 - 00;46;15;17
Frank Cilluffo
Authority to do.

00;46;15;17 - 00;46;36;01
Chris Inglis
It, that government has the authority to, at their beck and call kind of say, I need this information for some presumed national security purpose. And it doesn't it doesn't meet the rule of law that we've become so accustomed to in the United States articulated by kind of things like the Fourth Amendment, which says that collective security can stand in to privacy interest.

00;46;36;01 - 00;47;04;03
Chris Inglis
But there's a very high bar, a probable cause bar, and that doesn't exist within the Chinese government. And we need to insist that on behalf of our citizens, that that be the rule of law that pertains no matter where your technology comes from. And so short of a kinetic war, short of something that's a kind of a full out competition, I want to, in times of peace and tranquility, ensure that our citizens get the technology that works as they think it should work according to our rule of law.

00;47;04;05 - 00;47;12;21
Chris Inglis
The rule of law that they signed up for, by and have either be born into or intentionally coming to these shores and essentially living under the Constitution.

00;47;12;23 - 00;47;43;25
Frank Cilluffo
I still think the American dream is the American dream and an opportunity for a way of life and prosperity and everything else. But you can't give a pass to autocratic regimes right now because they are I mean, let's talk I know you've been giving that a lot of thoughtful perspective on this issue, but let's close with that because Asia is not it's not over the horizon.

00;47;43;25 - 00;47;52;15
Frank Cilluffo
That's a here and now set of issues. And there are a lot of cultural and ethical conundrums that we've got to get over. We what are your thoughts there, Chris?

00;47;52;17 - 00;48;11;28
Chris Inglis
Well, I think the most remarkable thing about the eye of the moment, generative AI and large language models, is not what it is, but the speed at which it came at. Now, there have been people who've been working it for years and their aspirations perhaps have not been exceeded by the present instantiation of what that technology is. But for the rest of us mere mortals, it's it's bedazzling.

00;48;11;28 - 00;48;30;22
Chris Inglis
It's shocking, stunning, amazing in many ways. Yeah, but but it's the speed of the thing. And I think if it's a car that just raced by this dog, me being the dog, and I'd chase it and catch it when I catch it, it's not going to be general AI anymore. It's going to be a completely different thing. It won't be a car, it'll be something completely different.

00;48;30;29 - 00;48;48;18
Chris Inglis
And so we need to think about that speed. How do we actually adjust humankind to the speed of this technology transformation and not kind of get lost in the moment of how do we actually get our arms around the moment? We need to do both, but we need to ride the wave, not simply stop and control the wave because we can't hold back the tide.

00;48;48;19 - 00;48;50;28
Chris Inglis
Absolutely. So I would think either get.

00;48;50;28 - 00;48;55;27
Frank Cilluffo
On the bus or get run over. I mean, that's a reality to go with your dog in the bus. It's the truth.

00;48;55;27 - 00;49;14;22
Chris Inglis
Three things we need to make sure that we protect kind of AI make sure that we understand what we want it to do and that we invest the time and attention. This not unlike the cyber play, which is if you have expectations of it, make the investments necessary to ensure that it delivers on those expectations to make sure that you understand what you've authorized it to do.

00;49;14;23 - 00;49;32;21
Chris Inglis
Maintain a connection to the human being. Because the human being remains the accountable party and build in the resilience, not just in the software, in the hardware that underpins the gender of AI at the moment. But the data that you're feeding it right, the things that you teach it and train it will essentially influence, largely influence its behavior too.

00;49;32;23 - 00;49;57;11
Chris Inglis
We need to make sure that we protect humans from the abuse of AI. Human beings need to know how I works and what AI is. Capabilities are a bit a broad kind of set of Our population doesn't know that if you give a generative AI model access to your voicemail, just a short snippet of that, maybe 1530 seconds, it can almost perfectly emulate your voice and its cadence, its diction, its selection of words.

00;49;57;13 - 00;50;10;14
Chris Inglis
And then if you get a call tomorrow morning from your presumed boss that says, Hey, I know this is a little bit unorthodox, but I need you to wire $500,000 to kind of an Emily this afternoon. And here's the account number. Yeah, you might be tempted to do that. Unless, of course.

00;50;10;15 - 00;50;13;07
Frank Cilluffo
I wish I had 500000 hours. The wire. But that's your.

00;50;13;07 - 00;50;28;25
Chris Inglis
Business, mate. You might be tempted to do that unless you know. this is. This could be general AI, and I need to actually operate according to the protocols that I've been told that, you know, kind of, you know, stand in. But but the third thing I think we need to do is, double down on the human being.

00;50;28;27 - 00;50;48;28
Chris Inglis
We need to kind of appreciate what it means to be human. What are the essential components of what it means to be human in society? That's where accountability lies. That's where aspirations. I need to make sure that we get the critical thinking skills and the sense of who they are and confidence that they actually exercise authority in their lives and in this world so that they don't actually give up.

00;50;49;03 - 00;51;08;19
Chris Inglis
Right. That autonomy, that that degree of individual aspirations to a machine. And I lived in the last few weeks through a couple of anecdotes to give me concern about whether we're on that course. Well, I was with a company not long ago that showed me a generative A.I. machine and a voice interface, and they said, Tell it to do something.

00;51;08;19 - 00;51;27;14
Chris Inglis
I did and it did it. It was amazing. It generated Python code very quickly. And then this person stepped in and said, But watch this. And it told the machine to improve it, period. It didn't say in what way? The machine didn't hesitate. The machine improved it. At which point I said, What did that mean? Did it make it faster?

00;51;27;14 - 00;51;48;18
Chris Inglis
Did it make it more secure? Did it make it more intelligible to me in reading the Python code? And the person said, I'm not completely sure the machine had a value system, but not knowing what it is, it was left to devise what make it better meant. We need to make sure we don't make that mistake. We need to go forward understanding that these things have to remain under our control.

00;51;48;20 - 00;52;04;12
Chris Inglis
We don't have to actually understand moment by moment exactly how it's doing it. We have to understand what we authorized it to do. My car has 50 million lines of software code in it. I have no idea how it works, but I know what I've authorized it to do. And if I'm speeding in that car, I'm the accountable person.

00;52;04;14 - 00;52;36;23
Frank Cilluffo
No, that's so deep set of issues that could take hours to unpack. But to to simply there's certain decisions. You only want someone who's sworn to the Constitution to make in a government setting. In the private sector setting. I'm happy that you are sitting down with someone who actually had the gumption to to to sort of say, hey, there are some ethical questions, but what what you know, they're going to be the outliers in all this.

00;52;36;23 - 00;52;39;27
Frank Cilluffo
And we can't let the exception become the rule.

00;52;39;27 - 00;52;44;11
Chris Inglis
Right through with that. Some of this is cultural. So, you know, for the last 40, 50.

00;52;44;11 - 00;52;45;08
Frank Cilluffo
Years, culture.

00;52;45;08 - 00;53;04;14
Chris Inglis
In the kind of generation of what we know is the Internet and then the Internet plus and the Internet plus plus plus AI going from kind of, you know, handheld dumb phones to kind of semi smartphones to what we now call the smartphone. The two things that have driven that revolution at every turn have been innovation and market efficiency.

00;53;04;17 - 00;53;27;24
Chris Inglis
We want to know that this thing actually is titillating and more functional than the thing it replaced. But it has to work at scale. It has to be something you can deploy at scale and it will carry its own weight in terms of the revenue. The third thing that was has been playing tail in Charlie. All that distance has been safety and might be trust, might be privacy protections, but let's just use the word safety as that standard, you know, adjective.

00;53;27;26 - 00;53;44;24
Chris Inglis
We need to install that third leg under the stool permanently if to do that upfront, because you can't do that as an applicant at the back end, you have to do that upfront in the same way that I mentioned early bacon. So we don't want people who buy cars to then have to go to their basement or their shed engineer an air safety bag or a seat.

00;53;44;25 - 00;54;03;28
Chris Inglis
They don't know how, they don't have the resources to do that, and if they did, they wouldn't get it close to right And they certainly wouldn't deploy it broadly across the ecosystem. So we need to install that upfront. That is a cultural phenomenon where kind of the self enlightenment and market forces that live in the private sector need to embrace that and take that forward.

00;54;04;00 - 00;54;24;12
Chris Inglis
But at the end of the day, the government needs to ensure that it kind of declares that as a mandatory feature because the technology again is moving at speed where we'll never double back and actually catch up. If we do this as something in the aftermarket, we have to do it at the at the moment of innovation of kind of design, build deployment and sustainment.

00;54;24;14 - 00;54;40;23
Chris Inglis
And so if the government has to put its thumb on the scale to say, I'm going to insist that that safety be the third leg under the stool, so be it. Do it in the late as possible, touch, do with a high degree of consultation, do it in harmonization with other kind of regulatory entities internationally, but do it.

00;54;40;25 - 00;54;57;09
Chris Inglis
Comforted that the Bletchley Park Declaration, the executive order out of the White House have done just that. They were not present 50 years ago at the dawn of the Internet. We've learned our lesson is a little bit awkward and clunky at the moment about how we're going to harmonize all that. You betcha. But but it is the game afoot.

00;54;57;09 - 00;54;59;01
Chris Inglis
It's the thing we must do.

00;54;59;03 - 00;55;24;03
Frank Cilluffo
Chris, Anything? I didn't ask that I should have. I mean, you provided a tour de force on and a whole bunch of issues and, and I hope that these conversations know it certainly was in, in your case, shed more light than heat and really do zero in on on the pressing matters but anything I should have asked that I didn't.

00;55;24;10 - 00;55;43;10
Chris Inglis
What you didn't ask me, Frank, about was the Recovery Institute, which I am so humbled by your leadership of that and by the assembled talent and what they do on a daily basis, cyberspace, just like every other domain of human interest within a free and open society, cannot be must not be controlled, directed by the government. The government has responsibilities.

00;55;43;17 - 00;56;02;10
Chris Inglis
The government needs to exercise those responsibilities with the lightest possible touch and no later. But most of this has to be borne by the private sector. That's where the talent is. That's where the innovative capacity is, that's where the generative capacity is. And what you've done at Auburn on the MacQuarrie Institute, I think is a really good case in point.

00;56;02;10 - 00;56;22;19
Chris Inglis
It's a poster child for how other institutions can and should help us move forward. We're going to get this right if all of us lean in and contribute our individual collective effort. We cannot get this right if we rely upon a single champion. The government, while it is beginning to stand in, is not that champion. All of us have a have a part to play, a role to play.

00;56;22;19 - 00;56;24;02
Chris Inglis
And thank you for playing yours.

00;56;24;05 - 00;56;51;01
Frank Cilluffo
Well, Chris, thank you for your leadership. Thank you for your kind words. Thank you for spending so much time with us today. And thank you for all you've done, not only for the cyber community, but in in national interest in our national security interest. At the end of the day, technology changes. Human nature remains the same. It's great to know we have great people fighting the good fight.

00;56;51;01 - 00;56;54;22
Frank Cilluffo
And thank you for that. And thank you for joining us today. Chris.

00;56;54;22 - 00;56;56;29
Chris Inglis
Thank you, Frank. It's a team sport. Good luck to us.

00;56;57;00 - 00;57;04;20
Frank Cilluffo
Thank you.