Myths About Getting Into Cyber Security Debunked By The National Cyber Director

Here in Washington DC at the Information Technology Industry Council's Internet Technology and Policy Summit and I'm joined by US National Cyber ​​Director Harry Ker, thank you very much for the time, sir. I'm jealous because he's wearing Air Force or Jordans and I'm not right, I didn't get the note, but I definitely appreciate that you're still skating around here, especially after that remarkable opening, opening that you did here in the sum, thank you, it's a pleasure to me to join you, so thank you for the opportunity, I know you haven't had it, you weren't on stage for long, right?

But during your morning wreck here, did you learn anything new, something new that you know this Summit is doing and obviously this is the second time it's happened? Imagine it will be about three more years, yes, but anything new I've learned so far encouraged me to talk to some of the attendees because they understand that

cyber

security

is a key component of

national

security

and that's encouraging. from the private sector, uh, which are partners that we must have to make the nation safe, unlike when I was a child, uh, they did not put on uniforms, uh, in private sector entities, they were not on the front lines, but today. uh with

cyber

security, they're on the front lines, as are our state and local tribal and territorial governments, you're all, we're all on the front lines, yeah, yeah, well the agency's only been around two years. , TRUE?

I mean, it was established by Congress and you're the second

director

here, what's the most important thing you've learned? I know you haven't been on the job long, but what's the most important thing you've learned? Listen, your background says you're perfect for this. position and now he's taking over, but the most important thing he's learned so far in the short period he's been in, well, I've only been in the job about seven weeks and Congress created the Office in 2021, a big move by Congress many times. We don't give Congress credit, they did it, they realized the importance of bringing consistency to the federal cybersecurity enterprise, we've had for several years a number of large federal entities that are doing excellent work, but this. office the

national

cybersecurity office uh

director

what was implemented to bring us all together uh Unity of effort if you want, you talked about my uh military background and we were raised recognizing the strength of teams and that and that's what I've learned, seen and prospered in the seven weeks I have been in the position.

Yes, how is it? If you've been there for seven weeks, right? Do you feel pressure because cybersecurity is an important thing for us? I'll talk about that in a minute. I know you were the one who knows that infrastructure is at risk and I know you preached that I saw your testimony at the Select Committee hearing in January and you know that's brilliant to hear. A lot was learned, um, but what do you feel? Any pressure? Because that depends a lot on your strategy and policy. Yeah, yeah, um, there's pressure, um, and I like the pressure.

Yes, it allows us to focus and we have successes but we will not become complacent and that's what pressure does, it keeps us on our toes um and it's a good kind of pressure some people some entities are not made to put pressure U our office is uh I am and that's the kind of environment that we thrive on its pressure because we know how important it is and that people are counting on us, so we welcome that, similarly, we welcome transparency and accountability , you know, we'll talk about what we're doing and what we have. to solve the difficult problems, um, and that's so that others know the challenges and know what we say we're going to do and can hold us accountable for it absolutely fine, hear that in that same hearing, you know it opened up. and it was a line that got me uh and you said, quote, the American public needs to be aware of the threat to our critical infrastructure, right, yeah, you mentioned Typhoon Volt, you mentioned you know, explaining why people should know what that is. .

Polite when I heard that, but you were dead serious when you said the American people need to do it. It's gotten to that point, what specifically do they need to know? Yes, and I'm glad you said I preached it, because I have to deliver the message. For everyone, what the public needs to know is that there is an acceptable risk to our critical infrastructure, that we are at risk right now and that is one of the reasons why our office has been here to focus on those challenges, something else that the public needs. to know and I talked about the national cybersecurity strategy that has two important changes: it is recognized that individuals face bad actors in any form, nation states or malicious actors of some other kind and we recognize that there are others that are better. adequate to support what some people call cybersecurity load.

I call it a cybersecurity liability. The federal government has a responsibility to protect our citizens. Our residents. On that front. High technology industries. Key components of the private sector have a responsibility. uh to protect those who are less capable, individuals, schools, young people, uh, hospitals, we've seen them all give in to some vulnerability, so we're counting that the first big change is having those who are more capable of handling that. responsibility, do it, yes, you said critical infrastructure, what infrastructure I'm talking about and I want you to break it down. I think I know what it is, correct me if I'm wrong guys, power grids, things we control water. true, uh, all the things we can take for granted.

I take the train to New York all the time. I take the New Jersey Transit. I'm looking for all that space. I mean, what's to stop someone from coming to this thing at night and just ruining it? and what would that be, it would basically derail the entire rail system in the New Jersey, New York area, what a catastrophe that would be. Yes, you need to give yourself more credit because you achieved the critical infrastructure sectors. There are approximately 16 and you hit the energy and transportation facilities, communications, healthcare and we can go on and on. You did it, and they're called critical infrastructure because if they were disrupted, it would have a massive impact on the way of life we've become.

I'm used to it and you hit it again when you said we've taken it for granted, we usually don't recognize how important these things are until they don't work, because the nation has done a decent job of protecting our critical infrastructure, but you and we We are in this, we are taking an unacceptable risk at this time. Yes, I have a 10-year-old girl and I am nervous. I haven't received her phone number yet, but you know I see reports all the time. talk about Ai and the companies that train these Ro Blast, even talk to children and play with children, is there a cybersecurity risk within that and if so what should people know about how to protect their children from that type of risk why aren't they going?

Anywhere my daughter is online, she's a digital world, she'll be there, but as long as she's there, like on a playground, you want to make sure she's safe. Yeah, well, I'm glad you gave me a two-year boost. I, my wife and I, raised two daughters, they are adults now, but I have an 8 year old granddaughter, so I will follow you and see how you handle it. I'm calling you to ask for advice. but you know we can come back to that change again, we shouldn't rely on children having to protect themselves online, that's the responsibility of the private sector, those social media companies, governments and parents as well, but that's a big change that removes it. of his 10-year-old daughter, my 8-year-old granddaughter and transfer that responsibility to entities that are more capable of doing it, in this case, social media companies, high-tech companies, parents and grandparents, so that's what it's about.

That first big change, yes, I mentioned it before, but for those people who may not know it and I'm sure they may not know it, because listen, everyone has lives, right? on social networks. Vault typhoon, why should people get scared when they hear that, freeze, well, and that was it? One of the best things about that hearing last week and one of the main purposes was to raise public awareness. People in the business have been aware of the threats to our critical infrastructure, but we need the American public to understand. that we are at risk and that some of the measures that need to be taken are taken to protect the American public in critical infrastructure, it's easy and again I have to go back to what you said to take things. for granted, it's not safe, it's just not wise to think that things will always be there when we need them, yes, our adversaries are conspiring, as I said today, to disrupt in some cases military mobilization, so that's what the public needs.

I mean, we've been warned about it. I know we haven't seen him for a few years. I guess it could be, but is that spyware you know malicious software that has the capability? capacity for us if we don't take it seriously, well, we are taking it seriously now and one of the best things about that hearing is that Director Ray of the FBI spoke that morning about the downing of Typhoon Vol, so we have made a tremendous progress in mitigating that risk by returning to pressure and complacency we are not going to be complacent uh we will have successes and we will continue to have some but the adversaries are not backing down yeah uh and that's part of what the public needs to know yeah here again with national cyber director Harry Cerer and at the ITI Technology and Policy Summit event, the intersection, take me back to when you were growing up, right after the military, did you always know what cyber would be? management and I want to take advantage of that because there are a lot of misnomers about even

getting

into cyberspace and I know we want to talk a little bit about the workforce because it's a very interesting statistic, but did you always know you wanted to? to do this no I didn't um uh growing up my dad was also in the Navy so we grew up on submarine bases all over the country U and I was always decent at math um and I was kind of a funnel into a mathematical science uh Academic Program programs um, but back then it wasn't called right, frankly, we didn't have computers back then, when I was a kid, I think it was slide rules, um, then we got to calculators, um, but it's been called different things. ways, but the time I went to the Naval Academy there was information security, which is essentially the same thing, different name, yes, and I didn't realize that was what I wanted to do, but I like difficult problems and I could see the world was going. digital and I was able to go to graduate school and I got a master's degree in computer science and that was further enlightenment for me on the importance of what we call computing SE or information insurance and now cybersecurity uh and it's uh fascinating, It's a digital world, yeah, and we're all involved in it and the other point, you ask how I got into it, so I didn't always realize it, but also back then there was a misnomer that you needed to be, uh. a technologist uh to get into cybersecurity um that's inaccurate uh we need creative thinkers we need persistent people we need people who care uh and then you can you can make contributions so you don't have to be good at math so because I'm not good with math words in English.

I love it, but not as good as math. If someone isn't good at math they can still get into the field, yes, but you've already fallen short a couple of times, you're probably good at math, but you don't have to be a mathematician, root is great, but there are a lot of people who they make contributions in cybersecurity that have no experience at the root, yes, well, let's talk about that well, because we were talking about Miss numerous 500,000. jobs and maybe more by the end of this year that will be available in the department, right. I called my aunt because she knew she was looking for a career change and I said: Hi, did you know Cyber ​​and she was quick with the information? but I heard you say that you went to a community college in Baltimore, to preach this at that audience, you know, you also mentioned it to the congresswoman and you said whatever we were doing isn't working, how can you get more? people and because it's black history, more specifically black people, to enter this space because, again, I don't think they even know that position is open.

There are 500,000 jobs open for you to apply for, get the right training, learn and then acquire that skill set and get out and it doesn't look like investing in a cyber world is going to go anywhere. Yes, it is a point that needs to be addressed regarding the black community and any underserved community. I'll just give you a personal example. about how we reach those communities. I mentor at a high school in Baltimore every Tuesday night or when my knee is good and I expose thosechildren to the impact they can have and I also let them know that it doesn't.

You have to be the best math student in your class to do it, but it's really exposure to opportunities to make a living, but also to make a contribution to society, and we often overlook kids' desire to make an impact. . uh they care about things, they need to find the right things and then position them to be able to make a contribution, so I tell you that anecdote, but it's making people aware of the challenges and the opportunities and the contributions that they can make. We generally haven't taken enough risks with people. Now one of the points we talked about was uh uh.

With college degree requirements for some of the cybersecurity jobs, you don't need them. Bingo, there you go again, you don't need them and people need to know what learning is and the opportunity to develop and that's where we. Come in, we can find people and we need to do a better job of finding people, but we're going to develop them, yeah, like you said in an Aon, diversity is about achieving, it's about achieving positive Mission outcomes, you know, and I guess to fill that 500,000 job. making sure it's diverse is a positive outcome, yes there are talent pools we haven't looked at, yes you I'm a country boy.

I was lucky when a recruiter from the Naval Academy came to my small rural Kansas town, there are urban communities. In the entire country there probably aren't people coming to talk about cybersecurity education, that's one of the other great things about this office. We have a national cyber education and workforce strategy that speaks exactly to the point she made. You know, going places we haven't gone before, taking risks and having people take the time to develop them and let them go. I just don't find many old, young or middle-aged people who don't aspire to make an absolute contribution and better themselves and their family and cybersecurity is a great place to step in, yes, speaking of diversity, coming to you here Same thing, Black History Month, we're sitting here in February, someone stands out maybe. from the technology field in terms of fans you've had, you know the African Americans who made a contribution, not the notable ones, we always talk about the notable ones, does anyone stand out well?

And I'm glad you said no to the notables because that's my Answer, you know, my family members and your family members are just ordinary people who have been through trials and tribulations but they haven't been in the books of story individually. Certainly, their experiences are there, but I love the everyday people who keep their heads down and are doing it without the benefit of notoriety and celebrity and, in many cases, monetary compensation, but they do more than persist, they thrive, so I won't at all avoid naming a name, but we call them unsung heroes, they are Heroes and they are a song to me, uh again, seven weeks in your position, um, I'm surprised we do it in that Senate, ohc, in that Congress.

Hi, I'm looking, I'm looking and I'm thinking, why did you take this job? Like you're being grilled, I mean, look, it's a bipartisan rule, it looks like it was created by Congress, do you feel like you're sitting there, do you feel the pressure of being grilled by both Democrats and Republicans, or is it like that? ? part of it is, um, worth it, yes, the opportunity to contribute to our great nation, uh, it really is and I'll also be frank, it comes with a territory, um, when FKS people are offered positions like this , it is clear that the confirmation process is going to be painstaking and it is not going to be pleasant until you have launched it and that was accurate for me now in hindsight, those experiences when at the time they might not have been pleasant, were worth it and I I'm glad I went through this, but I can also add that cybersecurity is as bipartisan an issue as there will ever be, you know, the hearing we had last week was my most recent experience seeing firsthand the bipartisan nature of uh, cybersecurity, why, because it's a threat to all of us, it doesn't matter, you know what party you're in, where you're from, race, ethnicity, preferences, cybersecurity touches each and every one of us, yeah, listen to it , I don't know. yes it was cyber security related but I only go on the trains because I couldn't get my ticket on my phone it kept logging me out telling me my information was wrong and I'm thinking man imagine Typhoon Vol hits and we can.

I won't do anything, I'm serious, it would set us back a few more things before we get you out of here. I don't want the president to call me and sell me that you're late for a meeting or something, um, but the first one. one is that it is an election year um again your position seemed to be protected uh you were present in the last administration and yet um we are going to go to the ups and downs who is who is not I saw, do you know one official saying what is the difference between his job and the next.

I think you guys created this work, but um, does an election year change your thinking at all? I mean, I don't know if they'll be around. The next administration will tell you that you will, um, but does it change the way you think about how you do your job or do you put it aside like I put it aside and the reason it's relatively easy for me to put it aside was because I served 20 years in the Navy? and uh uh the Navy like all military services should be and are largely apolitical no matter who the president is what party has control of Congress uh we have orders and we follow them I lost count of the numbers I used to tell the people when they asked a question like that.

I have served under several presidents and I think there were eight and from both parties and that never changed my desire to serve and protect at all. the United States um so 20 years in the military I was apolitical and that works for me um so I'm election year doesn't impact me or my office one way or another we have a big challenge and we want to stand up and do it like you said, working on your office cyber director is like serving your niche CU. This is another part, people think it's just putting on a uniform, that's the physical side, but the information side, which is a bigger side today, is that's probably more critical at all and you know you mentioned put on a uniform again uh uh when I was a kid, you know the way we served our nation protected our nation was to wear a uniform and those who didn't do well their contributions to the National Security was to vote and pay taxes yeah , but now let's go back to where we started in this conversation.

Cybersecurity is an integral part of national security, so those people who are out there, who are not in uniform, are still contributing to the security of our nation based on how they are contributing to cybersecurity absolutely, uh, get you out from here, geopolitics and then well, great, um, in that same committee here and you said the goal, uh, and this is for other countries, specifically China, the goal is to supplant the U.S. We're in a competition with China and, frankly, they are the only nation that has the means to reshape the international order, that is, diplomatic, economic, military, we are in a competition, we have to recognize it and not lose sight of it, which part of cyber plays what.

What role does Cyber ​​​​play in this competition? Well, the goal of that hearing was to talk about the cybersecurity threat to our nation's critical infrastructure, so the hearing was about cybersecurity and the security of our nation. The key point that Director Ray talked about. It was Vol Typhoon, uh, that takedown was the result of our cybersecurity firm's work across the federal and private sector landscape, um, so it's comprehensive, yeah, well, I hope we have the competition that you know it should be. the first on this thing, um, well, it's a We had a great time and I invite you to listen to this, good for us, we are good, we have a great community here on the force platform and I know you love the leadership stuff, and you know, Jim Collins wrote a great book called Bringing Good to Great and you're a phenomenal collaborator because you have to play both sides as a politician um what's the difference between a good collaborator and a great one?

The association must be equal. A lot of times we call someone a partner and uh and they. We are giving so much and we are only giving the amount that should be equal and I will also add that no one should be keeping track of how much someone has given but it is still necessary. be equal, then you could take a partnership and a personal relationship or a professional relationship, but it really needs to be a true partnership, it needs to be equal, you need to have empathy and see it from the other partner's perspective, a lot of times you know we'll see it. from our perspective and we'll say you know that's wrong or that's not right, but you know, it happens there and when we look at things from a different perspective, we generally understand equality better.

We answer the additional question, although spring is approaching. above, any books you would like to read, leadership books you could pass on, maybe you read in military school while you were in the middle of the office or when you were in the military, I should say not in school, um, any books, leadership books. that you might recommend someone read it this spring, well, you know, the kind of leadership that I'm focused on right now is related to cybersecurity and, uh, I've been reading, actually listening to, sorry, one which has been out for several years and it's the fifth domain and the fifth domain yeah and I recommend people give it a little bit of time um it's about cybersecurity and the importance to our nation and frankly to the world uh, that's a good overview of cybersecurity Yeah, I appreciate the time, Director Coker, here at the Information Technology Industry Council Policy, on technology, and listen, I want to learn more, so I hope you can come back if They have it again in the third year.

I'll be there, and hopefully. We will learn more about that point and the elections will be behind us, we can move on. I'm waiting excited. I've enjoyed our conversation and, uh, and your perspectives again, you weren't giving yourself enough credit on several points. you know, you know what you're talking about, listen, I like Jordan's ear, so you like the information. Jordan's hearing is fine, I appreciate that. CER here in the I.