Can America’s Travel System Handle What’s Coming? U.S. Travel's Ryan Propis on the Road Ahead

Last year, TSA screened 3 million travelers on two different days. In 2026, when we host the World cup, we're gonna have 3 million travelers a day on 50 days, which is much bigger. And then in 2028, when we had the Olympics, it's going to be on 100 days. The system is just not there. We're not ready yet in terms of efficiency, the security.

Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week I have the privilege of sitting down with Ryan Propass. Ryan is vice President for Security and Facilitation at the US Travel Association. Spent over a decade on the halls of Congress, both as general counsel and deputy staff director at House Homeland Security Committee and also as Chief of Staff at tsa. Excited to have a discussion around the travel industry, which my head hurts when I start thinking about it. So many moving parts. But thrilled to have Ryan join us today. Ryan, thanks so much for joining us. Thank you, Frank. Really excited to be here. I'm excited to talk about this today, especially in the lens of cyber and critical infrastructure security. Even though I'm a Florida gator, I appreciate Auburn's indulgence and bringing me on. I'm excited to be all about the sec. This is going to be fun. Absolutely. March Madness is with us. Ryan, thanks so much. So, you know, I thought it would be helpful just to give our viewers and our listeners a sense of what the sector itself, itself entails. I, I mean, clearly when you think about travel and, and the growing dependency upon digital means, it, it transcends and touches so many different issues. And I, I, I think also for our viewers, just to give a sense of what your members, how much of the economy is impacted by the travel sector. So let's start with the, the softball and, and, and sort of framing some of the discussion. Yeah, absolutely. No, happy to do it. Yeah. So U.S. travel association, we have a very broad membership. We represent all, all facets of the

travel sector, all pieces of it. When you think about airlines, when you think about airports, cruise lines, destinations, hotels, gaming, casinos, stadiums, stadiums, when you think convention centers, visitor bureaus, destination folks. So a lot of folks think of, know, visit Florida, visit California, the entities in the states that are promoting visitation to that state, all of those are members of ours. So really massive. And, and I, I think I saw a stat that it's about two and a half percent of the nation's gdp that's Right. It's pretty significant. So economically it's, it's absolutely massive. And that's one of the things that we, you know, continue to prioritize and emphasize, certainly with policymakers up on the Hill, certainly with the new administration coming in, to recognize that, yes, most people view travel as a fun thing to do or, you know, maybe take a business trip here or there. But in reality, nowadays, especially in the post Covid environment, travel is absolutely essential to the economy, to our national security, and really the American way of life. And that's what we continue to emphasize and advocate for. So the dependency upon digital systems is growing just like every other sector of the economy. But I think that the potential for disruption at scale is a significant set of issues. And

recently we've had incidents at CTAC. We've had ransomware incidents. Obviously, CrowdStrike was not a good day for some of your members in particular. What does that underscore, from your perspective? Well, I think really it underscores that the risk is growing. And I think obviously that's the case with a lot of areas

of critical infrastructure, but specifically in the, in the travel space, you know, we really break down, mostly our membership breaks down into two main sectors of critical infrastructure, the transportation system sector and the commercial facilities sector. And what covers commercial. Okay, you're going to get there. I'll get there. Yeah, I'm dumping the guy. So on the transportation side, obviously, you know, you think of the airports, you know, you think of airlines, you think of, you know, transit systems, you think of metros, you think of subways, you know, that makes sense. You know, highways and bridges and roads sort of that transportation infrastructure, that tangible infrastructure. Commercial facilities, much broader. Right. You've got hotels, convention centers, casinos, stadiums, museums, public sites, parks. So that is a much broader, more massive sector when you think about it. And also the nature of those sectors, especially on the commercial facility side, is much different. It's naturally open. You know, there's not natural barriers or hardened security across the space. You know, it's almost not tenable to do that in terms of the economic impact and for the, for the, for the processes and for these operations, you know, to take place as they normally would. You know, you can't, you can't close up outdoor parks. You can't enforce, you know, massive security gates around every single thing that happens, whether it's a hotel or. And supply chains, I think, come into play here as well. Right behind the scenes. Yeah, absolutely. So there's challenges there, I think, especially on the, on the, on the the nature of the operation of commercial facilities, for one. But then in terms of the security risk, as we're talking about, the risk continues to grow. And we've got this, you know, we call the mega decade of events coming up here. You've got this summer, the Ryder cup and the Club World Cup. Next summer, you've got America's 250th anniversary with the FIFA World cup, the largest they've ever had. More teams than they've ever had. It's across the U.S. canada and Mexico, 11 cities in the U.S. which is absolutely massive. Yeah. The Olympics in 28, Olympics in LA, we had Olympics in 20, 31 in Salt Lake. So it just continues to grow and grow. The number of international folks coming to the US and the number of Americans who are going to travel around the country just going to continue to grow. The interest is really silly peak. And we're going to get into

sort of special events and the implications for that, because the scale and scope is massive and they're all coming pretty fast. But before doing that, I'd like to sort of. So we've seen a lot on regulatory harmonization around cyber security. And when you think about your members, you've seen one, you've seen one. They all have different sort of footprints and sectors and industry and concerns. But do you see the need for harmonization around some of these issues? Because whether it's GDPR on the European side or CCPA in California or obviously SEC regs, what does that look like? And what are your members saying? No, absolutely. Great question. I mean, I think just take the airline example. If you're a major U.S. u.S. Carrier, you are. You are regulated. You know, whether it's incident reporting or just general cyber regulations that you're required to follow by

TSA and Department of Homeland Security, which would include, of course, CISA and Cyber Incident reporting, DOT and FAA and any regulations that they're going to have. Our airlines, the large airlines, are publicly traded, so they're subject now to sec, who's dabbled into cybersecurity. So they're subject to those. They're going to be subject to, you know, at the state level, obviously, they operate in every state. And then as you raised internationally, you know, our airline partners are operating all across the world and multiple countries in all regions. So EU regulation at the regional level, at the state level, you know, in terms of, you know, specific countries in Europe. And then you start asking about some challenging locations, maybe, you know, in China, and some of those regulations and what those incident reporting requirements will look like in a country like that. You know, the data, the data risks, the cybersecurity risk from American companies operating in China having to report and share certain information just to operate opens up a whole other can of worms that obviously I know we're all concerned about. Absolutely. And we've spent a lot of time talking about the People's People's Republic of China and the Communist Party of China and the threat and risk it poses. But, but even beyond that, when you think of data breach notifications,

every state has a different, it just must, it must be a huge shop that has to handle all of this. And I'd be curious, you have very big companies, but you also have smaller companies and communities that are part of your membership. Have you taken a position on Circia or any of these sorts of issues? And then I'd love to sort of get to the question, how do you, I don't want to say burden share, but how do you advocate when you have big companies that are spending a lot and smaller ones that have the same risk exposure? Sure. Yeah, no, great question. You know, putting on my, my former congressional hat was lucky enough to be part of the team at

House Homeland Security Committee working on CIRC on a bipartisan, bicameral basis. We had a great team across, across the board. And the key, you know, interest and intent from Congress really was to streamline all incident reporting through CISA and make them sort of the belly button, if you will, on all of that. We've obviously seen where other agencies over the last few years have, have leaned in. Sec. TSA and others have really leaned in. I think you take the case of tsa, they've, they've sort of address adjusted by bringing in industry a little bit more, focusing a lot more on outcomes rather than, you know, specific requirements that maybe are not the requirements that would, would fit the entire sector. So they've turned more to an outcomes. Focused approach, which I think is a positive development. Definitely a positive, absolutely. They've leveraged the capabilities of CISA and said, you know, you don't have to report to TSA and to cisa, report to CISA and that will check the box, if you will for reporting to tsa. So I think that's a good approach, that's a smart approach. If we can see more of that, I think that would be really helpful. But you raise a good point on not only just incident reporting, but know, regulations across the board, not only at the federal level, of course internationally and at the state level. How do we make sure that these are streamlined. I think Congress, rightfully so, is in the new administration. Take a really hard look at this and make sure that, you know, we get these agencies back to, you know, focus on the, the core mission. I think at cisa, it looks like that's where a lot of the focus is. Focus is going to remain, which I think is strong. And then having the other agencies sort of under that CISA umbrella in terms of critical infrastructure, whether you're a sector risk management agency or not, you know, really kind of following up as a partner with CISA and a partner with the industry and really understanding your sector. Well, because to your second point, which. Is why it can't sit in one agency. Exactly. Right. God help us. Right, yeah, yeah. They would be completely overwhelmed. So you have to leverage the expertise of the SRMA to understand their sector to those, to know those capabilities, you know, to know those pieces of critical infrastructure. How many are amazed do you touch? Actually as an association, Probably a bunch, right? A lot. But you know, and it's funny because. Sector, risk management agencies. Yes, yeah. But when you look at it, you know, and maybe it's time PPD21 gets a refresh. That was what, 2013, when those sectors were spelled out. I know you've talked about a lot about space and some other areas. Thank you for bringing that up. You're not, I'm not going to. Not my area that right now. But yes, I'll make the case. But when you look at it, you know, look at a sector like commercial facilities, you know, does that make sense? Everyone kind of jokes. It's sort of the catch all. But there's a lot of really, really important, you know, critical infrastructure there. You know, is it worth streamlining that a little bit? DHS in itself, CISA specifically is the SRMA for I think at least half of these critical infrastructure sectors. That's still a pretty big burden on one agency. Yeah. And I'm not sure CISA is the one that really understands commercial facilities the best. You know, could you leverage other agencies, departments like Department of Commerce, I think in the way, you know, transportation sector leverages the expertise of Department of Transportation, the Coast Guard, tsa. I think that makes sense. Is there a way to sort of break that down a little bit more to make sure there's a better understanding. Of the sector and, and to look at it from a principal perspective, I think you said the key word outcome based, agnostic. So you also said

another word, check the box. That's my fear when it comes to regulations that it is sort of a check the box exercise, not an outcome based exercise. Right. But I think streamlining should, if there were a DNA for what, anything agnostic to the particular agency or, or regulation, it should be outcome based. Absolutely. And I think there's an appetite both on Capitol Hill and the executive branch to actually get some things done there. So. Yeah, I think you're right. And that, and that is, is very heartening because I think exactly to your point, the check the box exercise is sort of a, you know, another way of looking at the lowest common denominator approach where, you

know, there could be entities. And we're a perfect example of this in our industry where you probably don't need to worry about the, you know, the major international airlines and hotels, you know, they obviously are prioritizing this from a security standpoint, from an economic standpoint. For them, from a business standpoint. Certainly there are going to be. They've been impacted. They have been. Yeah. And everyone and no one is immune, you know, but can they, can they, can they prioritize cybersecurity? Can they prioritize hardening their systems? Can they mitigate vulnerabilities when they arise? And then can they recover? Can they get back to business? We saw that done actually very well in the case of Seattle. Seattle, yeah, yeah,

yeah, yeah. Port of Seattle, I think, recovered quite well. I mean, that was, they had told us and testified before Congress that they mitigated numerous attacks leading up to that attempts previously. Unfortunately, this one got through. It was a ransomware attack. So they were sort of locked out. They did not pay the ransom. You know, we're generally, there were

some tough days there, you know, of falling back to kind of manual processes with, you know, signage around the airport going manual and handwritten boarding passes, which I think a lot of people have never seen before. But manual sorting of baggage, which certainly shows the importance of the digitization of this. Yeah. But they were able to recover and I think they handled that well. I think some of the other folks are going to have some potentially could have some challenges. But I think to your back to your question about, you know, where the federal government can play a role here is we need to manage the risk appropriately. You know, certainly an airport, a port, an airline, major hotel chain, especially when we look at the amount of events coming, the risk profile is going to go up. You know, there's going to be more concerns. But for, for others, you know, that's where we can serve, support and prioritize risk management. But for others, you Know, maybe that sort of ebbs and flows depending on what the risk picture looks like, you. Know, and you said one of my key words, it's managing risk. We're never going to be in a position to stop everything, everywhere, all the time from every

perpetrator and every form of attack. But we should be able to manage and we should be able to build some resilience or recover fast, to be able to bounce back. And I think that should be another principle. And not to lead the witness, but we stood up new task force we're doing in partnership with the Chamber of Commerce looking at regulatory harmonization. And I think everyone agrees conceptually, but we're trying to really peel back the onion and come up with three to five actual regulatory approaches that can be helpful. But I think you need principles behind that. Absolutely agnostic to what that is. What steps should policymakers take to sort of ensure that cybersecurity remains a priority as we modernize? Because we are going to modernize. We have to modernize to keep, keep pace. But what are some, some thoughts that come to mind there? Yeah, great question. I think, you know, key to that is really making sure that these agencies, you know, that have roles

and the 16 critical infrastructure sectors, whether that's CISA or SRMA, are really focused on being a resource and a partner to the industry. Whether that's, you know, sharing timely and actionable information as soon as, you know, as earliest as they possibly can to, to certain threats and vulnerabilities, making sure that it's prioritized. Nothing moves the needle like real time data about, hey, there's an incident that's happened in your sector or another sector that we think, you know, could, relevant, yeah, could have cascading impacts on your sector or you know, potentially you could face the same, the same threat or the same vulnerability that will move the needle for, for sure. And then making sure that things like, you know, I think CIS has done a really good job and standing up, you know, free resources, focusing on cyber performance goals, you know, really establishing baselines for sectors not having to feel like they have to start from scratch. So to your point, if you're a, if you're a smaller entity and you know, and coming, coming online to, to, to put cybersecurity at the forefront of your operation, you're not starting from scratch. You've got partners in the industry, partners in the government that have done these things. You can, you can sort of lean on them and borrow the best practices and really get up to speed on things. I think that should really be the focus. My concern is if we dive too much into your earlier point, regulating immediately of we need to regulate these standards and put things in place to be. Overtaken by events anyway on it, it's. Going to be overtaken. Folks are just going to, you know, they're going to play to the regulation and not actually the outcome, which is what we want, which is to, you know, to, to mitigate risk, to harden systems and to really be smarter about this rather than just reactionary to a regulation or a specific incident right in front of you. And, and we're going to transition soon to this mega event set of issues. But before that, third party vendors and I mean a lot of that data is not held or even managed by the

big providers of travel. But are you starting to see smarter questions being asked of third party vendors when it comes to travel? Yeah, and I think, you know, you're really going to see it too. As we talked about the, the digitization of a lot of this, you know, advancing more technology, the benefits

that come with that. We'll get into that. I know on the security side, the efficiency side are good things like, you know, incorporating more biometrics and AI, automation, things like that. That's great. That with that though does come a lot more back end IT integration, you know, and a bigger attack surface. Exactly. So I think, you know, if you're Congress and you're looking at prioritizing the efficiency and security of the transportation system, whether that's FAA and air traffic control reform of a system that is sorely in need of modernization, or the TSA checkpoint in an area where you can really automate a lot of those processes with technology, with AI and biometrics. Let's not forget the back end piece of that, which is you need to be able to provide a large infrastructure backbone for integration that is secure, that is segmented. If anything ever happens, it's not say, impenetrable, but it's able to be neutralized or segmented and it's not going to bring down the entire operation, whether that's FAA or TSA checkpoints or an airport operation completely, for example. And I just hope that they voice that there's an old Marine Corps ad. Amateurs talk, strategy professionals, logistics and logistics matter. That back end stuff is what gets you from A to B. Yeah, yeah. It's not the, maybe always not the most interesting, sexiest or. But it is critically important. Yeah, absolutely. Let's talk about these high profile events and, and I think you touched on them. You've Got the Olympics coming. You've got the World cup in multiple cities of the United states. You've got America 250. Where do we stand in, in all of this? It's much more than a logistical set

of challenges. It' huge security set of challenges and mass aggregation and, and of, of people. So big events. We have national security, special event planning that we've done over the years. But how prepared do you think we are? And I know that's a loaded question.

Yeah, I mean, no, but it's, it's a fair question. And this is one that US Travel has been looking at over the past year. We still have this commission on seamless and secure travel headed by, you know, experts from, you know, former government folks, folks in private industry across the travel system, you know, security, technology, transportation. Really great minds, chaired by Kevin McAleenan. That's great. Yep. Former commissioner of CBP and acting secretary of DHS. Yeah, great. And so I think the challenge that we've seen is when going back and looking at this from start to finish, you know, especially focused on the air travel system. If you're a foreign visitor and you want to come to the US for the World cup, for example, and it takes you currently, right now hundreds of days to secure a visa, you're going through lots of manual processes. It's really difficult to get one. If you do actually get one, then you come in and you're waiting a couple hours at CBP customs. The, the technology footprint is going to be very inconsistent. Am I going through, you know, biometric capture today or not? Do I have to have an interview? Do I not? Returning Americans are treated basically the same as a first time foreign visitor to the US which doesn't make a lot of sense. You go through a TSA checkpoint, largely, we're still there. There is technology out there and they're trying to lean in with what they have, but their resources are, are slim. So, you know, a lot of this is manual processes, manual bag searches, pat downs. People still have those. You still got to dump out your water bottles, you know, so the efficiency piece is a huge, huge challenge. And candidly, as we came out in our report that was just released last month, you know, we're not ready. We're not ready for these mega events. And we really need to wake up to the fact that we're not ready for these from a logistical standpoint, from a security standpoint, as you noted, the increased volume that is going to come our way is something that we rarely see now. So for, for example, last year TSA screened 3 million travelers on two different days. And that was over Thanksgiving and over July 4th. To be expected that it's higher. They've never screened 3 million before. So that's record breaking. That's only two days. Yeah. In 2026, when we host the World cup, we're gonna have 3 million travelers a day on 50 days. Wow. Which is much bigger. And then in 2028, when we had the Olympics, it's going to be on 100 days. And by the. Within the next decade, almost every day is going to be 3 million travelers a day. That's insane. If

you look at the math, the. System is just not there. We're not ready yet. In terms of efficiency, the security, the scope of this is going to be a big challenge. So I think we need to do whatever we policymakers, you know, in industry to really lean in on. Okay. How do we increase security and efficiency at the same time? And you know, luckily we found is a lot of things

in the, in the technology space and modernization space, you could actually get both of these things done. And I don't need to tell you this, you know, you know, for a long time, if it meant more security, it meant less efficiency. If it meant more efficient and you. Were risking it shouldn't be either or propositions. Right. How do we. So the only time you can really make those changes is when you're modernizing or you're coming up with

new systems or around big events. We, we have that opportunity. I, I think now is it falling on receptive ears? Yes, we definitely think it is. We had a great, we were, we did a sort of a press conference release. Big, big event at, on Capitol Hill in the Senate. And it was, it was great standing

room only, lots of attendance. People, people were really plugged in. We've had a lot of great conversations on Capitol Hill about this already and it's only been out a month. Good. You know, from the administration standpoint, I don't. You've probably seen President Trump talks relentlessly about the golden age of travel. He's had, you know, the, the World cup, the head of FIFA in his, in his office. He's got the trophy in his office. He's talking about it a lot. He established the America 250 task force. He established the World cup task force. So we're really excited to see that that World cup task force was one of our top recommendations. Saying we need to have a very senior led, White House led interagency task force to focus on this. I think you look back at, you know, last time we hosted these events to this scale, the 1996 Olympics in Atlanta, the 94 World cup, and then of course, the 2002 Olympics in Salt Lake. There were really coordinated federal interagency processes established years in advance. Well, in advance. Yeah, well in advance. So we're actually behind the curve on a lot of this stuff. So, you know, kudos the administration for doing this. Now, we would have loved to have seen this happen candidly over a year ago if we could have in the last administration we tried. So I think seeing that prioritization is, is really, really important right now. And it's going to take all of these relevant departments, you know, State, Transportation, Homeland Security, Commerce, really getting together and figuring out, okay, we need to see this as a seamless process across the board from start to finish. We all have a role to play here. If we keep siloing little efforts here and there and keeping them separate, we're never going to get across the finish line. And I think, to your point, is a perfect opportunity to do that.

And with crisis does come opportunity. And I think we are at that crisis point if we don't get our act together and mobilized soon. Where does AI ML? I mean, not to throw a buzzword here, our listeners hear a lot about that, but I think technology to improve efficienc around travel and the like can play a significant role, can't it? Yeah, absolutely. I mean, I know you talk a lot on this show about, you know, AI in a defensive. We talk red, blue, a lot. Attack. Absolutely. Yeah. But, but, you know, on our side, we talk a lot about it in our report of, you know, you can really leverage

AI to do a lot of really amazing things. And the technology is out there now. You know, I think the application of AI and ML into this space, into transportation, into travel, has really come online in the last few years. And we're excited about it. But we, we talk a lot about this. I think from, you know, whether you're talking about, you know, domestic screening at tsa, I mean, you can, you can incorporate biometric technology. They're doing that today. It's not across the entire system, but they're trying to roll it out as much as they can. You incorporate biometric technology, certainly, obviously a big, big element leveraging AI there, incorporate that across the, the system. You could automate identity verification. You can remove the, the risky sort of what I like to call the bartender method of, you know, looking at an ID and looking at a person. That's impossible. I mean, We've got, we've got fraudulent, fraudulent IDs coming from China that are impossible to the naked eye to detect. But biometric technology, especially the ones that are used at DHS, the CPP and TSA especially, 99% accurate, you do a manual ID check, at best, you're probably looking at 50 accurate. I mean it's just an impossible task. So why put that on an individual? So you can automate that. It's much better for security. It's way more efficient. Process. Travelers love it. We did surveys last year that, you know, 80% of travelers across the political spectrum, across, you know, whether you're a trusted traveler, pre check or just, you know, every so often I take a trip, people love it. They, they want more of that technology. I think they recognize the security value, but they certainly recognize the, the efficiency and the experience piece of it. And then when you look at things like the on person screening or the baggage scanning technology that's out there, these new computed tomography machines, that's what, that's what your carry on bag is going through. The image is much better. The hardware improvements are vast compared to the old ones. The old 2D screens that looked like an old video game. The new 3D CT machines are much better. What you can see. But the most exciting thing that we think about that is the software potential there because you can layer on AI and automated algorithms to detect anomalies in bags without the officer having to look at every single image, looking at every single bag. You can automatically detect that or release those bags, send those through, and then the officer only has to engage or manually check a bag that's flagged, that, that flagged an anomaly and the anomaly is probably pinpointed exactly where they need to look. You can save time that way. It's much more secure than have an overwhelmed officer trying to look at, you know, all these bags coming through. So you can really have a major, major impact to the system. And I think you touched on, there's a lot of concern that this is Robocop, but there's still a human in the loop. Right. So at the end of the day you're just

managing risk again. And, and you do have someone who is ultimately trained and, and hopefully has experience to be able to respond to that. Yeah. Am I wrong, but I kind of feel like identity management and biometrics are sort of, that's the next way. They seem a little further behind the rest of the tech sector is that, am I. And that's a gut check. Am I right about Thinking that or. Yeah, I don't know if I would say it's behind and there's a lot. Of comfort of use. Yeah, I think there you still see, you know, whether it's on Capitol Hill or certain, you know, segments

of. Even some travelers or other folks are still a little hesitant. I think there's unfortunately a concern, you know, whether justified or not. I think there's the concern of, you know, this, you know, surveillance state or, you know, some of the things that you would see in a place like North Korea or China where they've got, you know, cameras on every corner and they are actually surveilling, literally, folks. We're not doing that in the U.S. that's not what, for example, TSA or CPP would be doing in an airport environment. It is for identity verification and security confirmation. That's. That's the intent of it. You know, if we need to put some guardrails around it. I know there's been some conversations in Congress around maybe putting some guardrails around it. You know, that's a conversation to have, but we don't need to, you know, throw everything out. There's so many benefits. So just. I think there's a way to get a handle on it. But, you know, interestingly, I think that's another area that's ripe for federal leadership, though, I would say in this space. I think, you know, to their credit, DHS and CBPTSA have really going as. Far as they can with their authority. And they've really led the way in terms of looking at standardization. You know, NIST has done a lot of work in this area with ISO, international standards body, looking at standards across the board. TSA is really the most common use of biometrics. TSA and CBP for identity management and for biometrics. So they're kind of leading the way by default, almost, if you will. And I don't necessarily think that they want that role. I think it's just sort of happened. But if you look in financial sector, a lot of other areas, you know, identity verification, identity management has been key, and biometrics have been a part of that. So I think there needs to be a little bit more of a federal leadership interagency approach here to say, hey, we can't just look at transportation as its own or finance as its own. There's a. There's a lot of overlap here, and I think you could use that technology across multiple sectors. Well said. And it. It seems to always fall down. What's the perfect biometric? Eyes, fingerprint, whatever it is. That's the wrong question. Yes, it's literally the wrong question.

So I think it is about identity management before moving on from, from big events. I, I mean, what. So with the Olympics, World cup, that the numbers are going to be. Yeah, gargantuan. And, and what are the most significant security risks? And how do you think cyber security fits into that? Yeah, well, yeah, real quick in the numbers. I

think you're, you're spot on. I mean, if this is done well and we're actually able to kind of modernize our system, we could be seeing up to 40 million international visitors. And the impact from the economy. Significant. Huge. Yeah. An economic impact of almost $100 billion. So this is not, you know, this is not some, you know, Taylor Swift tour that we want to capitalize on. This you're talking, which is pretty big, which is also actually pretty big in a lot of these cities. Having a daughter is with. But, but it is a massive, massive impact across the entire country at the state, local level and will have a huge economic impact. But the risks to your point are there. I mean, we, we can't shy away from them. I think recently we saw the Conference of Mayors put out a letter request to Capitol Hill asking for additional Homeland Security grant money, about 600 million for these, for these World cup host cities and some of these base camp cities, the cities that basically host the teams and where they're going to be in train, because they recognize this. They're, you know, I think they see that their resources are going to be stretched then at the local level. And I think the biggest challenge is the federal government is probably going to be stretched pretty thin. As you, as you noted earlier when we started talking, I think every World cup match, which there's almost 80, I want to say, that are taking place in the US all across 11 cities. Every single one of those is going to be rated a Sear 1 or Sear 2 event, which is basically a Super Bowl. So you think about that, we're going to be having multiple Super Bowls for over a month, month and a half, straight to back, back to back to back, sometimes simultaneously across the country. So dhs, who's the lead on all the, you know, the security management piece of that, that's going to be a heavy lift on them, you know, and that's, that's certainly on the physical security side. We see, we saw things, you know, like, unfortunately, the unfortunate attack on New Year's Eve in New Orleans, the Sugar bowl with the vehicle ramming that, you know, is obviously a terrible tragedy. We've seen more of those types of attacks really have an uptick in Europe which, which is concerning because you know, as you know. Well, we saw that a lot obviously in kind of the isis. Difficult to defend unless you

have intel on the perpetrator. Right. We saw that more in the ISIS days and they kind of went away for a while. But now we're starting to see a revamp of that which is, is, which is obviously very concerning. And then from the cybersecurity side, another thing that the, the mayor has asked for was cybersecurity. Cybersecurity resources to harden defenses, you know, enhanced training, focus

on resilience and certainly emergency management. So I think all of those pieces, I mean the risk is just going to go up those, these have become targets. You know, you think about it. On July 4, 2026 during you know, America's 250th anniversary, there's a World cup match taking place in Philadelphia. You know, you're doing your homework. You're

already parting that out. Yeah, you can't really get more, you know, if you, if you're looking for a, for a target rich environment, you know, and you really want to get after the United States of America, that's probably a prime target. One that we're very concerned about and one that you know, we continue to raise. And I know that at the state local level our members and at the state local level they're very concerned about as

well. But we can, we can do it right and the government can absolutely do it, be it good partner and prioritize the risk here I think it's, we. Can be okay and you have the opportunity to forward deploy new technologies if it is a tier one. Absolutely. The nsse. But, but these things don't just happen. It's a lot of

blood, sweat and tears go into to making that happen and resources. So let's be honest, policy without resources is rhetoric. So this is going to cost money. Yeah. And at the end of the day I hope that you're getting those receptive ears because now is the time to double down on that planning anything we can learn from previous large scale events to sort of improve our posture because I, and not to get wonky, but I have a hard time differentiating it from ot. So if we're talking in the cyber, so physical cyber is converging really fast and honestly it's irrelevant whether it's a well placed IED improvised explosive device or a cyber attack. If it's taking down a particular critical node or sector. I think we've got to start looking at this more holistically. But anything we can learn from previous Olympics, previous World Cups. Are your members weighing in on some of this? Yeah, absolutely. And I think your point is very well taken. I think the impact of whether it's a physical threat, a cyber threat, I mean, the impact can be the same, and I think we need to treat it that way. And I think you're seeing a lot more in, in critical infrastructure space, certainly across our membership, folks are recognizing that and I think prioritizing it in the same way, which

I think is great. And the more the government obviously views it that same way and is a partner, that's, that's critically important. But I think from previous events, you know, the biggest thing is sort of the federal government leadership and preparation early on. You know, again, I go back to the, we're excited to see the creation and the executive order about the White House creating the task force for the World Cup. You know, really prioritizing interagency coordination, planning ahead of time, making sure that all the relevant departments and agencies are there. You know, they're doing the security assessments, they're doing the vulnerability assessments from both the physical and the cyber side. They're, they're coordinating not only across government, but really with the private sector and with a lot of these entities. As I talked about in the commercial facility space, you know, these are largely privately owned and operated, you know, separate open spaces. When you think about arenas and venues and, you know, World cup watch parties that are going to be happening potentially in the National Mall or in other large cities, I mean, there's a lot of, there's certainly risks there to manage. But I think if we start planning appropriately early enough and take the leadership as we've started to see that we're hopeful with this task force that we can really make some, some great progress and be well prepared. You know, Ryan, and you bring up, I think, a very important point and I

don't know if it was intentional or unintentional, but, but the point is we don't want just leave behind one and done expenditures, whatever it is, needs to have secondary tertiary opportunities. And I, again, with big events, you have that opportunity. Very easy to conceptually say that, very different to operationalize that. But I, I hope that that's the approach that, that people take. And, and, and it really is about people, too. So we shouldn't be exchanging business cards when the balloon goes up. Yeah, I mean, the, the training, the lessons, learns that lessons Learned that happens, you know, certainly in cities

and areas and within the government that are preparing for the World Cup. Those don't just go away. You know, those same folks would be involved in, you know, planning for other major events. You know, not far around the corner is LA 2028 Olympics and then Salt Lake Olympics. Salt Lake Olympics. So I feel like we always reinvent wheels in that respect. We don't need to do that. We don't have to. You know, we're coming near the end of our time. But a couple of very quick questions. How do you see cybersecurity in the travel industry sort of evolving over the next five years? And are there any policies or investments that you think we ought to prioritize here?

Yeah, and we touched on many of them. Yeah, yeah, I think I would touch on, you know, a few of them. But I think, you know, I think the. The big piece is cybersecurity risk is obviously real and it's now impacting multiple sectors. But to include, you know, obviously transportation, which I think folks have recognized that for a while, on the physical side, obviously transportation has always

been a target. From the cyber side, I think, you know, we're seeing it as you, as you noted on the vulnerability standpoint from, from CrowdStrike, that was obviously a challenge. But in terms of, you know, ransomware attacks at SeaTac, everybody, you know, you're just seeing it really across the board, salty food and other things. You know, transportation was a huge, you know, focus there. So that is concerning. But I think in the rest of this space, you know, in areas where folks not within the industry or within the sector, but I think probably folks in the outside, I mean, probably from general American public looks at this, said, well, you know, maybe there's not really a risk for, you know, a hotel or a stadium or things like that. Well, you know, when Vegas. Yeah. When you, when you look at it in the way that it's prioritized internally, it absolutely is a real concern. So I think it's. It's on the federal government to really lean in on those partnerships as well. And yes, it's important that we prioritize. Certainly, you know, water sector, energy, transportation. But I think we really need to think a little bit broader and be risk focused to see where the risk is coming. And I think with these events coming up, the risk is going to maybe not shift, but it's at least going to grow into all these other areas, especially in the commercial facility sector, where, you know, these major events, these stadiums, these sites are going to Be, you know, front and center and maybe they hadn't seen, you know, the cyber risk like they, like, you know, previously. But I think that's something that's going to have to be taken seriously. So I think making sure that the resources are there, that the federal government is there as a partner, you know, back to, you know, not just being there focused on regulating, but I think really being an outcome focused partner. Work on, working on basic cyber hygiene and standardization of a lot of this. I think that can really get us, you know, to a much better spot.

Penultimate question. If, if you had one piece of advice you could give your members around security, whether it's looking at these mega events or cybersecurity, what would that be? That's a great question. I think communication, I think it's going to be communicate certainly with the government, right? I think certainly communicate with the government

and, you know, reach out. You know, the CTAC example is perfect. You know, Port of Seattle, I think to their credit, were immediately on the phone with, with dhs. They were talking to, with tsa, with, with cisa. FBI was, was pulled in to do the investigation to determine, you know, the attacker and the expanse of the, of the attack. But also other. Yeah, but I think also communicating internally as well. I mean, obviously no surprise in a lot of sectors there's competition within those sectors, especially ones that are largely private, privately owned and operated. But was really heartening about CTAC's approach was, you know, not only did they come and testify about it before Senate Commerce, but they talked about, hey, we're going to share this information far and wide with our partners, with other airports, you know, with their competitors, frankly, to. Make sure none went into the business thinking security was their day job. Right. But it's all. But they prioritized it and they're now sharing information with, with others to say, hey, I want to make sure that you don't go through this and if you do, this is what happened, this is how we handled it. Maybe you could take something off the shelf from us and incorporate that into your system, into your planning, into your, you know, continuity planning. So, Ryan, last question. What questions didn't I ask that I should have? No, I think we covered it. We covered all the, all the great pieces of technology. You know, the economic impact piece, I think, is one that I would. It cannot be overstated when you talk about $100 billion economic opportunity with these. Events and they can't be looked at in isolation. Right. Two sides of the same coin. Right. I think, yeah. And that is probably one of our biggest challenges, I think, when. When communicating not only to policymakers, but even, you know, to the general public of look, travel, I think used to be viewed for a long time as sort of a nice to have. I think people started to view it differently during COVID when you couldn't do it, whether it was for personal, you know, personal travel, business travel, whatever that was. When folks started to see that being taken away and realizing, wow, this is really. I feel that travel is essential to my life. Right. You know, I want to see family, I need that, you know, business meeting or whatever that is, and then realizing the economic impact. You look at places like Asheville after the hurricane, totally devastated. You know, you look at LA with the wildfires, you know, the recovery is going to come from certainly localized investment. But when you look at what travel can do, when you start bringing folks back in, Asheville is a huge, you know, travel tourism market. The more folks that come in there and, and visit Asheville, that's going to expedite the recovery. So you start talking about the economic impact in that way and the jobs that are provided at the state and local level, the trade balance, benefits of exporting travel, in a sense, by bringing more foreign visitors into the U.S. that's a major economic advancement. So I think, you know, it really is, and I said earlier, but I think it's really something that we, we feel strongly about. We want others to view that travel is really essential to, you know, the national security of the country as we've been talking about today, to the economy as we're talking about and then really the American way of life. Because if, you know, when you take that away, that really kind of hits at the heart of American way of life, of getting out there and traveling. Ryan, thank you for spending so much time with us today. Your members are fortunate to have someone with your experience and know how and really appreciate it. Thank

you. Thank you for the time. It was great. Yeah, I appreciate it. Thanks so much. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing your ratings and reviews. Help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.