Rethinking Offensive Cyber: Strategy, Deterrence, and Real-World Impact with Adm. Mike Rogers (Ret.)

When you think about how you potentially use cyber offensively, why don't we consider putting at risk the same infrastructure in their nations that they are penetrating?

Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week I have the privilege of sitting down with one of Auburn's great Admiral Mike Rogers, who also served as National Security Agency director as well as commander of U.S. cyber Command. Prior to that, he also ran Navy's 10th Fleet, which is their cyber element, and comes to this issue with an incredible background and dare I say, is also on my board of advisors. So I will be careful how we talk about today's issue. In all sincerity, Mike, thanks so much.

It's great to be. Hey, and remember Auburn University class of 1980, graduated in 1981. War Eagle.

War Eagle. So I thought we'd start with lot of discussion these days coming from National Security Advisor Mike Waltz and and many other leaders on the fact that we need to be more proactive and lean forward in, in our cyber posture. And, and I think it's important that people also recognize when you were at Cyber Command, you also played a significant role in the defense strategy that did lay out persistent engagement, defend forward. And if I'm not mistaken, even in your commander's intent, you highlighted the significance.

Check it out.

Looking at it holistically, right?

And I was very fortunate. I served under both President Obama and President Trump. I felt that we needed to be more aggressive in cyber. I utterly failed to convince President Obama and the team to do that, but I worked hard and was successful in convincing President Trump that we needed to change that. So, you know, I, because I do believe, look, we need to inject more uncertainty into the calculation of the individ of these entities that are conducting attacks and penetrations against us. And the more we kept publicly saying, well, we think cyber's escalatory, we're just not going to do cyber. I thought why would we automatically take something off the table, we should decide on a situational basis is offensive cyber applicable, rather than just saying to ourselves, hey, we're not going to even consider it. I just thought that was a little ridiculous personally.

And I would agree, I my sound bites been we're never going to firewall our way out of this problem alone, so we have to look at it in totality. But, but what do you think that looks like? I mean, it's easy to sort of from a policy standpoint and strategic Perspective, explain what offensive capabilities are. And I think it's fair to say we have been leaning forward a little bit. Yes.

Yes. Yeah. So what you saw at the end of the Biden administration was their public acknowledgment that they were doing cyber offensively. Now, what they were doing is important when you think about how you potentially use cyber offensively to preclude an adversary's ability to conduct cyber against you. Let's take Salt Typhoon, for example. To me, you got two broad options. Number one, you can try to go after the commercial infrastructure that the adversary is using. So in this case, the Chinese, the Russians, rather than attack directly from infrastructure in the PRC to attempt to obfuscate themselves, they will use commercial infrastructure. And the previous administration announced they were going after that infrastructure. But my view always was, look, the adversary can always go get different commercial infrastructure.

Exactly.

It's not really going to stop them. My view was, in specific targeted instances on a very defined condition. And it's a major policy decision. It's not something you just would automatically delegate you don't just push a button my old life, to the Cyber Command commander to say, hey, execute this whenever we see it. I believe that what we ought to authorize is not just going after infrastructure, but directly going after capability within those nations that are generating these effects against us, that we should be able to go after specific targets, whether it be those actors that are executing this kind of activity. Second, pla, Ministry of State Security, the gru, the FSB in Russia. Do or do you also consider potentially, well, why don't we consider putting at risk the same infrastructure in their nations that they are penetrating in ours now, again, it's a specific policy discussion. Cyber is only one dimension of the potential range of options that you consider. I'm the first to acknowledge that. But my sense is don't take them off the table. Right. My sense is, number one, don't take it off the table. Number two, another argument I always used to make is you just don't do these overnight. We need to prepare. We need to understand the battlefield. We need to do reconnaissance. Which again, goes to your previous comment about one of the ideas that we were always pushing at Cyber Command was this persistent engagement and engagement forward. We said, hey, let's understand the terrain forward outside the United States and its networks, and let's also understand the adversary's activities in some of those terrains outside. Because we could also learn about, well, if they're doing this in Ukraine, if they're doing this in Europe, we're likely to See the same kinds of techniques, the same kinds of methodology used against the US and our view is if we got smarter about the adversary, it would increase the probability of successful defense for us.

Absolutely. And not to point fingers because I think all administrations, but it's also a policy making challenge. Right. At the end of the day, do we have the bright lines, the red lines in the silicon? Do you think we need.

No, the reality is we don't have red lines. When you see it, the reality is right now we don't have those deadlines.

Should we?

Red lines. I think what we need to do is try to do a better job of articulating what is acceptable and what is unacceptable behavior. Behavior and then tying response to specific behavior. The part that would used to frustrate me was, and I can remember losing this one time in the sit room where I was just getting frustrated about a discussion. And again,

that only happened once?

And again, no disrespect to the team, this is during the Obama administration and we're having a discussion, National Security Advisor, the president, the national security leaders. And when we were having a discussion about what was the appropriate response to much of this cyber activity that we were seeing that nation states and criminal groups are directing against US infrastructure, US companies, targets within the government. And the, the conversation I kept hearing was we don't want to respond. This is, this would be escalatory. And Mike and I got a little frustrated over time and I said, could you guys help me understand why is it that we are sending the signal to the Russians, the Chinese, the Iranians and the North Koreans that this is almost acceptable behavior on their part and we're not going to respond and at least respond in a meaningful, effective way that's going to change your calculus and.

In a way that's almost visible in public. Because I would argue there's been some saber rattling that happens in the clandestine world. But at the end of the day, you also want to induce changes in other people's behavior. Right. If you don't respond to X, North Korea is going to respond, say, hey.

That'S because part of the concept of deterrence is if you're going to deter an entity, they have to have some level of awareness of both capability and intent.

Yeah, exactly.

You want them to understand you have both capability, have intent, and just the one, well, communicating that you have intent. On the other hand, they might say, sure, right. We've heard this before. You know, what do you really got?

And that gets to a question. You teed up with the people's Republic of China and the Communist Party using commercial entities. You also have a big, big issue now with proxies. It gets difficult to discern sometime who's the puppet, who's the master. And in China's case, maybe there's some moonlighting going on for non government activity.

Because you saw that with Volt type Volt Typhoon, which is Chinese penetration. Emplacement of destructive malware within segments of the US Electrical grid, where it was.

And water and transportation.

Government developed malware that was provided to a non government entity in China and they were given a target and the malware to upload.

Whereas in Russia's case, it's sometimes criminal enterprises who are given sort of the protection of. Right.

They're always. Our view, always seemed to be. There was a bit of a quid pro quo. Hey, look, we'll leave you alone as long.

As long as you're willing to engage.

In the following kinds of activities.

Well said, by the way, since you brought up Volt Typhoon. To me that seems like a line was crossed in the sand.

Yeah. Now, I'd be. I would be the first of it if you had asked me five years ago when I left Cyber Command, would an. Would a foreign entity, in this case a nation state, upload destructive malware into critical US Infrastructure in a time of peace or short of conflict? I would have said to you, highly escalatory. Boy, I would think there's a low probability. Boy, I got that wrong. I mean, clearly we're seeing the PRC's risk calculus is very different.

And. And I do think that's very different than espionage and very like salt Typhoon. I mean.

Right.

In a weird way, you say hats off. I mean, not acceptable.

Well, I think that goes to what types of behaviors? Look, I don't think realistically you're going to get nations to stop the use of cyber for espionage.

Yeah.

In fairness, we're not gonna.

Exactly.

We're not going to stop doing it. I wouldn't expect the Chinese.

Don't be shocked there's gambling going on in the casino.

Right. So to me, if we think focus on behavior, it's. While we may not like it, I suspect we're going to define that as acceptable or something. We don't think we're going to be able to determine. On the other hand, things like we're seeing with emplacement of destructive destructive malware in critical infrastructure. Going after health.

Exactly.

Hospital, potential light loss of life or injury, you're going. Wait, that, you know, going after search, for example, a nation's Ability to reestablish cyber functionality, network connectivity. That to me falls, hey, that's not acceptable behavior.

Exactly.

That's the kind of behavior to me we're going to focus on trying to deter.

And I think it requires a little precision in how we discuss these matters. Because not all hacks are the same, not all hackers are the same, not all intentions are the same, not all capabilities are the same. And I still feel like we're playing kid soccer when we talk about this issue. Cyber attack. Everything is an attack.

Well, right now I'm the first to admit, as a military, I would always say, could we be a lot more precise around the word 'attack' as a military individual attack has a specific legal connotation to me. And scanning is not the same, is not the same thing. Etc, But I do think it goes to. So we need greater precision and greater definition in terminology and intent. We need to realize there is a public communications component to a strategy. We need to.

The bad guys understand too.

Right. We need to realize that there is precursor activity so you can actually conduct offensive. You just don't wake up one day and say, hey, I'm going to conduct an offensive. It takes preparatory work. So there's precursor activities that you need that enable success. There's the techniques that you will use, plus the specific targets you're going after. There's a broader policy discussion about what's appropriate in a particular serial, what's not an effect space. There is attribution concerns about, hey, what's your confidence level that we truly understand? Have we accurately identified who the actor is that we are responding to? And we have high confidence. Those are all very valid concerns. And then lastly, remember the idea that a response to an event executed via cyber, say salt typhoon or volt typhoon as examples. The default does not have to be on our part. Well, if they came at us in cyber, we have to go back. My attitude always was case by case basis. And let's consider a spectrum of capabilities that we include Cyber. My biggest thing was, but could we just consider cyber rather than taking it off the table.

Well said. And one thing that I've been impressed with, and tell me if I'm just being foolish here, but the fact that you're starting to see attribution with multiple logos on it, all five eyes, maybe minus the kiwis, but, but, but at the end of the day you're starting to. That's a good thing. Yeah, it means we're getting comfortable.

You've seen a journey where there's both increased Cooperation among multiple nations and even within nations to include government and the private sector about. Let's come to a broad consensus as to exactly who this actor was that did this. Let's come to a consensus about how they did it so we can learn from it and potentially share that knowledge with others so it doesn't happen again. And then let's also think how we might act in a coalition or a multinational kind of framework to identify it because it's much more effective that way. So it's not just the US beating the drum about hey, China is always bad. That's not an effective exact strategy for us.

And attribution is getting better and better and better and better. And now that we're actually naming names, you better have some consequences for to.

Induce changes, I always thought was the first step in a process that's designed to generate an outcome. Now in and of itself.

In itself, it can be dangerous.

Yeah, that's it. Well, we attributed it and that's it. I always thought, come on, this is the first step in something longer here.

Well said. Well said. Another issue. And, and just before we transition and pivot to another topic, I, I mean I think you were at, at Cyber Command when NSPM 13 was promulgated. National Security Presidential memory.

Right. So I. That the memo itself was.

So you helped shape it.

One of the last things I did was I attended the last principles community meeting where we, where we got the authority to. We were going to change. And then it was actually signed out in August. I left in April, did the last PC and then we actually between April and August. General Nakasone, my relief, you know he and the team and others worked on. Okay, so let's rewrite. And it was actually then promulgated In August of 18 if my memory is correct.

And I would just foot stomp here that I think that was probably the most significant piece of guidance coming from the White House to enable some of our.

Yeah. My view was it was an embodiment of an argument recognized we needed to go for it. Come on.

Exactly. Exactly. Let's jump to another hot button issue that's being debated as we speak right now. It is. You are uniquely qualified, one of only four who's been in those two hats. This is what it gets when you were commander of U.S. cyber Command, but you also had the four star billet in as director of the National Security Agency and CSS and all of that discussion.

Four of us that have done it.

What do you think? Some of the pros and cons and I'M not going to put you on the spot to decide.

So generally first let's ask ourselves, frame it right. Why did they decide to go that route? The Department of Defense didn't have to do it that way. The thought process at the time was number one, we're creating this new military organization to execute this cyber function in order to accelerate its development. Can we align it with wherever we think in the department? We have already made the greatest investment and have the greatest set of cape of existing capabilities. The idea being that if you could partner with those existing capabilities, that existing expertise, you can in fact accelerate the development of Cyber Commission, it would be done faster. Hence the decision we're going to put it at Fort Meade, we're going to co locate it with the National Security Agency. Then we also got into a broader discussion about, okay, so, well, what if one person was to lead both different authorities, different budgets, but one individual to execute both functions. The thought process as to why the department went down that line of thought was broadly along the following lines. One, one commander could ensure unity of effort between these two organizations and could help deconflict because one of the challenges is two different organizations, two different set of authorities. So slightly different missions, but they're operating in the same battle space. They're both out there in the same.

Networks and one might be stringing them up, the other stringing them along. So taking them out this view that.

Hey, look, they're to be operating in the same battle space as we would say in the military lexicon, it would be really good to have a deconflict or one individual who could make the priority about okay, this is more important than that. The second big reason I thought was speed. If you had one person shaping the activities of both action, both organizations, you would gain speed and by and increase the probability of success. You can be faster than the amateur.

What do you really need inside? It's not get back to you in a day.

Thirdly, it was designed to. So if you didn't, if you each had a separate individual leading them and there was fundamental disagreement as to some activity they were doing, if you couldn't get them to agree, then you'd have to kick everything up to their mutual boss. Their mutual boss happens to be the secretary of both U.S. cyber Command and the director of NSA work for the Secretary. And there was a thought about, given the scale of activity in cyber, look, this is just not going to work if we have to kick everything up to the secretary to speed, certainly not to make these decisions. So again, the decision Was well let's, let's put it one level below the secretary. And the idea being also hey, with a four star is the accountable individual, you theoretically at least get someone of maturity, experience, perspective, which we've had and you supposedly get a benefit out of that. So that was kind of broadly the thought process that led to the current structure. One individual, the so called dual hat who is both the commander of U.S. cyber Command and the director of NSA. And I also remind people, look, the four star billet, it comes not from NSA, it comes from U.S. cyber. U.S. cyber Command is a four star job.

Yep.

Derns are the director of NSA is the three is traditionally been a three star billet. Over time the discussion has included because this was a big deal during, during my time. Okay, so get the theory of the case. In the execution of this you started to get questions like is one organization holding the other organization back? Is will you get, will you get a better outcome if you. In some ways competition is the wrong word.

But there's always some healthy.

Right, there's some healthiness in this. And then the other big issue got to be well span of control. So you got one person who is both going to be one of the 11 combatant commanders in the Department of Defense with global responsibilities and that same person is going to run the largest intelligence organization in the free world. I'm not just talking about the United States. It is the largest intelligence organization in the free world. And there was questioning about can one person really do all this? And I used to kid people, hey, there's a reason why I didn't get much sleep for four and a half years.

There you go.

It's just what it takes to get to get the job done. So this has been an issue that in terms of this assessment of is the current structure appropriate? We've had multiple reviews on this. It's come up again potentially as a, hey, should we look at it? The bottom line that I always used to, I have an opinion. But what I used to tell people is you need to start with the following question. So tell me what the problem is we're trying to fix and tell me how whatever course of action you're pursuing that you're recommending is going to address the problem you're going to fix. I always said, could we step back and take the emotion out of this dual hat thing and start with the fundamental question.

Actually that's very well said. And it's so I used to think that the Title 50 agencies, the intel business would never want to compromise a Source, a method, and sometimes we shouldn't at the expense of Title 10. But you did bring a Title 10, which is a more traditional military approach. What good is cyber if you're not, if you don't have the net effect and outcomes that you're kind of.

It's interesting. I didn't find the greatest challenge as a title, as the director of NSA is a title. Leader.

Yeah.

I didn't find the. Not that there weren't challenges. I didn't find the greatest challenge was between NSA and Cyber Command. To be brutally honest, I found at times the greater challenge was between Cyber Command and the broader intelligence community, some of whom also operate in that same cyberspace. Yeah, My frustration was, and I particularly had this with my friends at Langley where I said, so could you guys help me understand this? We're dropping ordinance in Iraq and Afghanistan in the same environment in which you are operating human networks. And we're able to deconflict that and we're able to coordinate that.

Yep.

Could you tell me why we can't do the same thing in the world of the network? I don't understand why we can't deconflict and we can't prioritize just like we do in the physical. Why is this all about either control my perception or, well, you military guys will. Just because I used to then say, you do realize you're talking to the individual who is running the organization that conducts more Title 50 operations in cyberspace than any other element in the title 50 world. So could you help me understand why your view is that that structure would be, you know, incapable of making these kinds of trade offs?

Yeah, no, very insightful.

They are trade offs.

I'm the first and they are trade offs. And that's sort of what JSOC Provided In a post 911 counterterrorism environment where you sort of had covert action, military, all that was kind of blurring. But deconfliction, trade offs and all that were being addressed.

And I would say the good thing is, in the ensuing six plus years since I left the organization, as Cyber Command has matured, as the number of operations it executes continues to grow, to grow, I mean into the thousands, there's a much greater sense of, okay, we can in fact conduct title 10 and title 50 operations in the same battle space, but for very different objectives under different authorities. And we can coordinate and we can in fact deconflict. I'm not going to pretend for one minute that at times there aren't differences, opinion and disagreement sometimes in the same.

Person's head if you've got both. So yeah, no, that's, that's and, and there is another argument that other combatant commands, since NSA is also a combat support agent for all the other comms, are they getting second fiddle? I guess is some sometimes what you would hear, I don't necessarily buy that.

But right now you would hear that. My response that always was NSA is a combat support agency, executes the priorities as defined by the Secretary of Defense who executes, who defines those same priorities for all the cocoms.

Yeah, yeah, well said.

Because I can remember for example when we did the fight against ISIS the first time I really did offensive.

Yeah, yeah, that was, that was on your watch.

And the Secretary said to me, Mike, this is the, this is, this is the priority. I want you to understand that. And what I told the combatant commanders was I'm going to shift resources, I'm not going to walk away from you, but I'm going to have to reprioritize. On the other hand, I also told the NSA team six months, yep, we're going to do this for six months and then we're going to realign because I acknowledge we can't alter our priorities to such an extent for you know, for years I said the guys were.

Not doing that but it was a use case and it demonstrated potential and I would say lessons learned and success that we can lean in that.

Oh yeah. It's funny because many people in the world of cyber and I think they forget about that. Right?

They forget.

Their view is well nothing started before 2018. And I often tell my friends, do you know how we got that ns, that presidential decision memorandum? We got it because we managed to show in an actual operational environment that we could execute offensive cyber fires.

Boom.

Against valid targets in a manner that didn't disrupt no fratricide. We were able to show we could do it and we used the ISIS campaign to develop our tactics, techniques and procedures and structures is why we created JTF Aries for CyberGAN which still and that the confidence that that generated is what got us those authorities in 18.

And demonstrated how it can be utilized. You know, I, I, I do think history gets lost. So I think that is an important chapter that even in the cyber community we live in, I'd say maybe 10% have that recognition and awareness. And I think it is important to be.

Well I often kid people, hey, it's not unique to cyber. That's the arrogance of the. Now remember in generally most of our experience that we're doing right now is it's never been this hard. It's the most important thing. It's just the nature of the human experience in some way.

I do hope that we can learn from.

But you always want to learn from.

Yeah. My dad used to always say, obviously learn from your mistakes, but even to learn, even better to learn from the mistakes.

Remember, those who fail to appreciate and learn from history are doomed to repeat. And that is not necessarily a good thing.

Well said. I'm going to put you on another hot button.

Okay.

And that's Cyber Force. A lot of discussion. We recently had your the other Mike Rogers talking a little bit about this. I'd be very curious what your thoughts are there, Jake.

So this was an issue during my time I can remember I've discussed this with the two presidents I worked for as well as the Secretaries of Defense that I worked for in my position then. And it still hasn't changed that much for me was our number one focus should be creating operational capacity.

Mm.

I'm not enthusiastic about creating structure that doesn't directly do that.

Yep, yep.

So for example, in the whole idea of a service, or I said guys, we can either actually create we're fighting teams in capacity or I can create higher headquarters with nice built, nice buildings. I just don't want to go down that the latter route. I think we issued the former for me. I also argued, look, the model to use is socom.

Boom.

This idea of empowering a operational commander with a series of responsive of service like functions so they not only control the employment of these assets, but they have the authority to direct the services and the man train and equipment of these resources. I said look, there is a great model there. And we went again, if you're a fan of history, 1980, the abortive attempt to free the hostages, desert one leads to a fundamental review of special forces discussion at the time about are these so of such small number, of such high importance, of such very specific technical and operational knowledge that the majority of the force doesn't have experience with. Does that merit a separate service?

Yeah.

Many of the arguments you would hear made about cyber and the decision made ultimately, I think SOCOM was founded in 1989, if my memory is correct, was no, let's not create a service. Instead let's come up with a construct that ties together both the operational commander and grants them acquisition, budget, control and service like authorities and responsibilities. Now that's the journey Cyber Command has been going on in the last couple of National Defense authorization acts. Those capabilities those authorities have actually been granted. So my recommendation to people is could we actually execute what we've just laid out and see if it works before we just decide, hey, we made all these changes, well, let's just blow it all up. I said let's give. We're pivoting to a new, to a different model. Having said that, it was the model that we envisioned when we created this. One of the things that I really am proud of about Cyber Command is this has played out the journey in Cyber and the DoD has been exactly the way I thought. I can remember having these discussions with the secretary, with the Chairman. Here's how this is going to play out, here's how we're going to do these incremental changes that are going to give us the authorities that are going to keep building and this is what the end state's going to look like. And you know, as we get to what Cyber Command is calling Cyber Command 2.0, which is now that these authorities have been granted, what are those implications in terms of Cyber Command structure, its manning its processes? My view would be hey, let's actually implement that and see how it works and then make an assessment rather than we're right in the middle of this thing and you just want to blow it up. That doesn't seem very smart to me.

Very, very well said. And, and since you brought up history, we have to have, I have to do a quick nod to an old friend and mentor, General Wayne Downing. Yeah, yeah, very instrumental and he was. There was actually shy Meyer who going back to where army built some of its SF capabilities. So I'm glad you sort of, sort of went there. That just touches home for we all.

Go, we all build on the efforts and the insights of those who come before us. I've always been big believer in that.

Well said, well said. I'm gonna put you on yet the spot again. Let's do it under C cable. So it seems to be.

Never heard of them. Do we have such a thing?

And why does it matter? A and B, why are we seeing more of it? And see what do we do?

Check. So first, undersea cables as, as we've switched to fiber and you know, optics is the primary long haul method for the transmission of communications and information cables. The method that we use to flow these optical pathways under the oceans of the world have become more and more important because they represent the single greatest volume, not that there aren't. You can use microwave, you can use satellites and overhead and those are all components of long haul passage of, you know, big Data links. The reality is cables give you the greatest capacity, the greatest throughput, the greatest speed and the greatest amount.

And they're there.

Right. They're all in place and we're, we're continually adding more.

Exactly.

Now the nice thing is between what is on orbit, between what we have terrestrially in the form of cable, we have some backup and redundancy. So we've created a system, knock on wood, right now, where we don't have single point failure, broadly speaking, and we have enough capacity that we've been able to flex. The, the reason you're. And at the same time we're seeing more adversary activity around cables. You're seeing the Russians, you're seeing the Chinese, you've seen multiple instances of cables in the Baltic, for example, that have been cut. The assessment being, hey, intentionally cut in. And also it's a reflection of a broader context. Hey, we've got an ongoing conflict in Europe with, between Russia and Ukraine. Spot the Europeans supporting that. The United States has been supporting them. Not surprising them in some ways that suddenly the infrastructure that helps support that effort in some ways is, is being, being, you know, they're going after it. The thing that I think we need to do differently is I compare cables to space. If you look at space, we have spent a lot of money to create a level of awareness that we know what's happening in space and we're not surprised by activity directed against infrastructure in space.

Surprised at some of the gall, but that's different.

But we're not surprised by activity. We see it between the radar systems we've developed, the imagery systems we've developed, the capabilities we've developed to generate situational awareness about what's happening in orbit. I compare that to cables where I'm going. We have no situational, broadly speaking, and we don't become aware of something until the cable's broken. Yeah, My view is one of the first steps we need to do, we have got to create situational awareness around those cables just like we've done in space. We needed to do the same thing.

I think you're right.

In cables that then gets land, sea.

Space, so you have full visibility.

It gives us enhanced situational awareness. It gives this potential speed of response, whether it's to do activities that would potentially shape and warn an entity. Hey, you don't want to do that. We're aware of what you're doing, you want to do it. It perhaps, perhaps would speed up our ability to respond to activity and it also would feed, I think, and enable a Better policy discussion.

Yeah, I, I couldn't agree more because I feel like that is still unknown. Visibility is lacking.

We only know about it once we get a break when it's too late. And I'm like, this is not the.

Way, it's not the way to go about it. Yeah, I hope people are listening. And I do think it's that full picture. The Brits would call it the rich picture at all. Last question. Because I know there's so much we can, we can discuss here, but a lot of talk over the years on public private partners, partnerships and I've been sort of, I feel like long on nouns, short on verbs. Every once in a while we're starting to see it. What, what, how do you think we can think about this issue a little more creatively? And I want, while you're thinking about that, you are in the midst of advising some really cool startups and, and, and new tech. How does that come into, into play in all, all this?

So I, I think a couple things. First of all, there's going to be different levels of interaction between the private sector and government. I don't think it's going to be a one size fits all and, and shouldn't. And that's not a criticism. Yeah, I don't think it's just like.

Private sector is not monolithic anyway, nor is government.

It's gonna be a one size fits all. Secondly, to your point, which I would only reinforce when we say the private sector, I mean that goes from, you know, commercially owned infrastructure to these large cybersecurity firms that are generating the software and the hardware that we're all using to actually execute both the operation of IT and OT systems as well as the tools from a cyber extra.

Points for bringing up OT that we're.

Trying to defend both of those segments to the defense industrial base, to startups that are kind of, hey, we're looking at specific problems, we're doing it from the ground up, brand new. So I think we got to acknowledge that just as in government, it's not a monolith in the private sector. My biggest frustration is when it comes to real time cybersecurity, I. E. Defending networks in the private sector, traditionally what the government has talked about is what we are going to collaborate. And generally that has been defined as. I will share with you the private sector, what I in government am aware of in terms of patterns and activity on the part of these actors. I will try to give you warning if I have specific information, I'll try to inform and educate in terms of here's our level, government's level of awareness. But then basically we say you're on your own, you own and operate the network and it's your responsibility. Now I look at that and go, so it has not worked in 30 years. So could you tell me why you think it's going to work now?

Yeah, yeah.

I think Ukraine shows you a very interesting model about how do you create cyber resilience in a contested cyber domain. And the answer, among the answers that I see is you got to move to a different model. And one of the changes in the model for me is I'm not interested in collaboration, I'm interested in integration. I'm interested in a real time situational awareness between government and the private sector. I'd start with a subset of critical infrastructure to try to prove the concepts, but I'm interested in real time situational awareness, not just I'll share what I'm, what I see. And oh, by the way, if you become aware of something, let me know. Real time problem solving. Hey, so if, if this is our situational awareness picture and we're seeing this kind of activity, what can you do and what can I do perhaps to address this either to preclude its effectiveness or respond if it has been effective. If you define effectiveness as a network was penetrated and potentially some sort of effect was achieved, hey, extraction of information, locking down of the network, disabling the network, etc. And I think it also shows you what in the Ukraine we brought together the government, brought together the network owner, the information, if you will, intelligence that the Ukrainian government has been able to generate, as well as the deep technical knowledge and intelligence that the broader western commercial cyber security firms like Microsoft, you know, like cloud Strike, just to name a couple that have publicly acknowledged, hey look, we're working directly with the Ukrainian government. I'm going, guys, that's a model for success. Now I'm the first to acknowledge America is a nation of 335 million, which, with a much bigger set of infrastructure, which is why I would argue start with a subset. Personally for me, I go for power and water, healthcare maybe, but pick one or two, three if you want to go that far. Let's develop and operationally some concepts and let's see if we can make this work rather than trying to do it all at once.

Exceedingly well said. Not only to speak to a navy, we don't want to boil oceans, but we also want to look very specifically to what operational. If we're talking collaboration, it has to have the word operation.

That's why I want integration. I'm like collaboration to me is the way we've been using it just is not.

It's a little loosey goose, right?

The collaboration to be effectively has been. I'll tell you what I know and oh by the way, if you're the network owner, well when I have the time or if I have the insight, I'll share it with you. I'm going, guys, we, we cannot work like this. And it just hasn't worked. Doesn't mean that people aren't working hard, doesn't mean that there isn't information flowing. But my attitude would be, look, let's be honest, it just is not working. So we've got to try to do.

Some things differently on that one thing. Technology races we cannot afford to lose. And I know AI Quantum, obviously they're more than buzzwords but we can't afford to lose those races, can we? Because they're inextricably interwoven with pretty much.

Because it's a combination of there are a set of corporations, core technologies in the world of today and in the near term that will both significantly shape national security but will also drive economic advantage. Which I'm going in the world we're living in now, in this digital world in which we're hyper connected, in which our business models, our supply chains are all integrated, this is the way that we've got to do things. We've got to look at what are the core enabling technologies. Now you can't do this with everything. I'm the first, first of all and you got to ask yourself, so what do we need to do to retain competitive advantage? And what do we potentially also want to ask ourselves? What do we want to make sure that we absolutely protect so an adversary can't gain access to it or potentially use it against us. And the two are somewhat related and intertwined and AI and Quantum clearly are two technologies. You know, there's been multiple reports I, I just was a co chair of a Quantum report trying to provide an input to the new administration on Quantum with CSIS about, hey look, we need to think about a strategy. I was just looking at some data that suggest in 2024 in the United States we had about $200 billion in AI associated, you know, development activity. Quantum we had about $8 billion. So not surprising in some ways because the perception is AI is out there, it's happening now, it's now. And while it's not exactly accurate broadly I think it's fair to Say there is a perception. Well, perhaps quantum is a longer term challenge. Now my argument. Wait, wait, wait a second. Quantum is a spectrum of capability we tend to focus on. So you mean the capability to break commercial encryption. Right? When you say quantum, that's what you mean?

That's part of it. That's part of it, yeah, yeah.

And also potentially defend or strengthen basically cryptographic capability.

Blinding yourself and deafening yourself.

Right. But that's only one element and it is, it is probably the portion of Quantum that's going to take the longest to generate. So we should not tie our strategy, level of investment, operational concept of development purely to that component or that aspect of Quantum. There's a whole modeling and simulation, navigation, health, there's a whole lot of other use cases that are ongoing right now.

And DoD historically has been an innovator in areas beyond just battlefield applications. Oh yeah, Admiral, what questions didn't I ask that I should have? No, this was a tour de force. I mean, you covered so much territory here.

But the key moving forward to me is, number one, a good strong dialogue, realizing that not one single entity is all the answers and not one single entity is going to be the solution. It's not going to be the government doing all of this in terms of cybersecurity, in terms of technology policy. It's not going to be the government doing it by itself. It's not going to be the private sector doing it by itself. It's what is the, what is the integrated my, My Word team based model that's going to get us the outcomes we need. Acknowledging that we got legal concerns and they should be addressed. We need to make sure we're comfortable with the solutions we're proposing as we move forward. But my number one frustration is, look, we can't keep doing the same thing over and over and thinking we're going to get a different solution. We have literally now have decades, not just years, but now we got a few years. We got decades of experience in this hyper connected digital world about both the challenges that cyber presents as well as, you know, some potential things we could be doing. I just think we need to step back and say, okay, what have we learned and what might we do differently?

Admiral, thank you for your many years of service to our country. Thank you for your continued leadership and stewardship on these issues. And you talk teams. I am privileged and fortunate to have you on our team. So thank you and keep fighting the good fight.

Thanks, Ray. Thanks very much.