2024 Air, Space & Cyber: Cyber Dominance
September 16, 2024
The “Cyber Dominance” panel at AFA’s 2024 Air, Space & Cyber Conference featured Chris Cleary, vice president of ManTech’s Global Cyber Practice; Stephanie Domas, chief information security officer at Canonical; and Jen Sovada, president of global public sector at SandboxAQ. The panel, held on September 16, was moderated by Venice M. Goodwine, chief information officer for the Department of the Air Force.
Panel Moderator: Venice M. Goodwine, Chief Information Officer, Department of the Air Force:
So, I’m going to ask the panel to introduce themselves. And in that introduction, they will also tell you what cyber dominance means to them. So, I will start with Chris to my left.
Chris Cleary, Vice President, ManTech’s Global Cyber Practice:
Thank you. So, my name is Chris Cleary. I’m currently, uh, vice president of Global Cyber Operations with ManTech. Uh, previous to that I was the principal cyber advisor for the Department of the Navy. Juan, good to see you up front. Glad you could come to this.
Uh, and I know many in the room, I’m sure, uh, has heard my rant once or twice before. Um, you know, cyber dominance to me is the ability to project power in this space. And I think one of the things that we, we tend to forget with this space is it is a war fighting community. It’s a war fighting discipline, and how the services are going to embrace that to achieve, you know, all the flashy words that we like to say, but, you know, it’s about keeping the bad guy from doing what they want to do.
Jen Sovada, President of Global Public Sector, SandboxAQ:
Thank you. Hi everybody. I am Jen Sovada. I’m at SandboxAQ and we are an AI and quantum company. The A stands for AI, the Q stands for Quantum. And what to me is cyber dominance is the ability to maintain the advantage in the technology that enables us to do the things that we need to do from both an offensive and defensive cyber perspective. And that’s everything from looking at zero trust to post quantum cryptography to quantum encryption and quantum communications in the future.
Stephanie Domas, Chief Information Security Officer, Canonical:
Hi everyone. I’m Stephanie Domas. I’m the Chief Information Security Officer at Canonical. Uh, we’re most prominently known for our Linux operating system, Ubuntu, and I’m pleased to say that Ubuntu is celebrating its 20th birthday this year. Um, woo-hoo. Yeah. Yeah.
Um, to me, cyber dominance is having full transparency, choice and control over your security journey. And so, your security journey is exactly what you need it to be, to meet the unique needs of every scenario.
Panel Moderator: Venice M. Goodwine:
Well, that’s great. So, let’s frame our scenario here. You’ve heard the secretary talk today. You’ve heard our chief of staff talk today. So, the question becomes, as we frame this around re-op, optimizing for great power competition in our four, four lines of effort, we talk about developing people, developing capabilities, projecting power, and definitely for readiness. So, when we think about the cyber domain, keep in mind the people that will enable and execute the cyber domain, the capabilities required to prevent the adversary from doing, as you say, Chris, what they want to do in this domain, but also projecting power in a non-kinetic way as well as important. But the key also is readiness. Are we ready to fight in this domain?
And when, so I’m going to start with you, Chris, with your question. So, in the past I’ve heard you say, um, that cyber warfare you’ve used, the analogy is, um, Moneyball mindset. So, when you think about that, can you explain what does that mean in this cyber domain, but focus on how do we balance our investments so that we can maximize return on investment, but still have the capabilities?
Chris Cleary:
Yeah, I, and uh, the Moneyball pitch is for anybody who’s seen the movie, uh, you know, there’s so many good analogies to be taken out of that, you know, and the, and the scene that I’m referencing is the very beginning of the movie when Brad Pitt’s talking to Jonah Hill down in the lobby of the, of the parking garage. And Jonah’s like, it’s not about buying players, it’s about buying wins, right? When you think about the United States government of the Department of Defense, our mindset is traditionally around buying players. And we call those players the Columbia class submarine, the Ford aircraft carrier, the Joint Strike Fighter, the Abrams tank. You know, we buy equipment, we put it on the field, and I think China, to one degree or another, read the Moneyball book 30 years ago and they said, look, I’m not ever going to compete with you the way that you want me to compete with you.
I’m never going to be able to build a Ford class aircraft carrier, although I’ll steal your plans and try to figure it out eventually. Um, but I have to figure out other ways to compete with you. And I’m gonna do it through long range kinetic fires. The DF 21, the DF 26, which is now is changing our game, right? The investments we have to put into capabilities to sort of go after, um, these systems that threaten the way that we traditionally want to present and project power in those, in those areas.
So going down this path of being, you know, once again, I’ll reflect on the principal cyber advisor time, time in the Pentagon. And Wanda helped me shape a lot of these thoughts. And Wanda’s, unfortunately, heard me say this probably a thousand times. The investments that we have in this area is really sort of this opportunity space. And again, using the Moneyball just one more time, when you go to the end of that movie and the owner of the Red Sox is talking to Brad Pitt and he’s basically saying, look, you are fundamentally challenging the way this game is played. You are threatening people’s livelihood. You are threatening the way that this, that industry, uh, or in this case, you know, recruiters or how we’re going to play baseball.
You know, I think we’re seeing a fundamental shift in what we would call warfare, right? Transitioning away from the kinetic, which we all see and we all like, and we see it in the movies, and we like to do it to this potential opportunity of the non-kinetic.
But this is where the crux comes in. Again, I know I’m speaking to a lot of cyber people in the audience, um, and when we were talking about this, the Navy in particular, we came up with this secure survive strike mantra. And when the CIO and the PCA were trying to figure out the lanes in the road for each other, well the CIO, which is, hey, the underpinning of everything that happens in our service begins with the CIO, begins with our ability to connect systems from point A to point B. And this is where zero trust and identity management and RMF and ATO and all of those things, zero. You know, all of those things live to do the secure mission of what we do. You know, and unfortunately, a lot of that is compliance based.
When you move to the right of that, you start getting into the things that the services become a little more concerned about. In our instance, we called it survive. This was our ability to ensure there’s survivability, which is a much different word than security or resiliency or compliance. Survivability is something that an adversary intentionally wants to degrade your ability to do something. You know, the Navy, it’s easy for us to do this. We have damage control parties at sea. You know, we set material conditions during general quarters. It’s something that’s, it was easy for us to get our minds around because it’s about keeping that platform in the fight, not just securing it, because you got to learn to fight hurt. There are things that are not going to work the way you want them to. There are things you have to do, continuity of operations. There are things that you’re just going to have to acknowledge, you know, at some point in this conflict, I’m not going to have this, this thing with me. So how do I learn to fight hurt?
And then when you move to the right of that, which is the thing that I really think this community is in the beginning of grasping across all of the services, is the strike component of this. You know, I would like to say that this community has every bit as much to delivering lethality, albeit non kinetically as everything else that we do in any of our services. But this community really needs to begin to embrace themselves as true war fighting. Um, one more little Moneyball thing, it’s not in the movie, it’s in the book. Uh, when the Oakland Athletics were teaching their philosophy of this on-base percentage, I mean, everybody’s seen the movie, right? So, I’m not, I’m not, nobody’s not seen the movie.
Well, it turns out the hitting coach of the Oakland Athletics was actually a retired marine colonel, my boy, that’s interesting. I didn’t know that. And when the Oakland Athletics had a philosophy and they said, look, um, your rules on hitting are as follows. Every player needs to come to the plate like they’re a leadoff hitter. You know, my son played baseball. I’m sure many of your children played baseball. We all know that the number four hitter is the home run hitter, right? The one that puts it over the fence and seven, eight, and nine, those are the ones that are really fast that all strike out.
Well, no, you got to come to the plate like you’re a leadoff hitter. Your job’s to get on first, not necessarily put the ball over the fence, but you have to come to the plate with the ability to put the ball over the fence. Because if the pitcher gives you your pitch, he has to be afraid of that. He or she has to be afraid of that, that if I put the ball where you want it, it’s going to go over the fence. So, I’m going to make you chase pitches. So, there’s a discipline to it.
And then the third rule was hitting was much more of a mental game than a physical one. I could teach a, I couldn’t necessarily teach a strong hitter to have a better eye, but I might teach somebody who has a good eye to be a stronger hitter. Okay? So why do I say all that? Alright, information warfare community, you know, and I’d say this to the Navy all the time, and I say to the Air Force in here, you have to come to the plate like you’re a leadoff hitter. You’re every much, every bit is in the game as the joint strike fighter pilot, uh, the long-range strike teams, the B 20 like this, you are a player on the field, not a support element in the back office, but you have to demonstrate you can hit with power.
And this is part of the place when we start talking about the strike community, where there are people in our respective services that still think a lot of what happens in cyber is a little bit of a parlor trick, right? I see it in the lab, but I’m not necessarily convinced that that effect can be delivered in the time and place of our choosing that can support, you know, other kinetic things that we’re going to do. Can I, can I, is it a, is it a credible capability? Can I integrate it with other things? And can it be on call? Can I get it when I need it? Not necessarily when it can be provided to me.
So, I think where the commercial industry, I’ll pivot to, and I’ll end with this. The commercial industry is always going to be really good at bringing capabilities, because think about it, the Department of Defense, at the end of the day, makes nothing: shoelaces, uniforms, bullets, guns, tanks, airplanes, ships, everything that you use almost every day is provided to you by industry.
Well, what’s the requirement for industry to make these things? But I think the innovative side of how we build future capabilities is really this return on investment. How can non-kinetic things that are theoretically less expensive, theoretically quicker to market and theoretically unconstrained by range? How can I go to the rest of the people that do traditional war fighting missions and convince them that these are good investments, which then industry can put their R&D dollars against making capabilities that they think the service wants? And then be the ones that are really traditional to build these things at scale and provide them to you when you need them, and sustain and support, like everything we do with airplanes, submarines, and ships. I’ll end there.
Panel Moderator: Venice M. Goodwine:
Thank you for that. So how many of you, show of hands, know what you bring to the fight as a cyber warrior? I, I don’t think there’s any doubt, right? We understand in the cyber domain what we can do in a non-kinetic fight. Yes. So, when you think about that and we’re thinking about dominance, what word comes to your mind? If I tell you that you have been successful at cyber dominance, I want you to hold that, cause I’m going to ask you to tell me that.
But one of the things you talked about in survivability, we talk about resiliency all day. You know, while under attack, can I still meet objectives? Cybersecurity is not about compliance, right? Cybersecurity is about enabling the mission in a secure way. But also, as we think about how we can be resilient, I think we’re going to have to use some emerging technologies that have come to bear, but we also need to protect our way. And so let’s talk about quantum and artificial intelligence.
And then I’m going to do a commercial here real quick. So, the Department of the Air Force is all in on artificial intelligence. Yes. I know you probably saw it on LinkedIn, that’s not true. Yes, we enable AI. You can use AI, there’s a whole panel on it. So, but can you talk to us about artificial intelligence in quantum and how that enables our cyber dominance?
Jen Sovada:
Absolutely. So how many people even know what quantum is in the room? Uh, there’s a fair amount of people that know about quantum, which is great because quantum is an emerging technology, but quantum is also here today, and it is a blessing and it’s also a threat. And so, we need to see and look at this type of emerging technology on both sides of the aisle.
First, let’s talk about the threat. And let’s talk about our favorite threat, which is the PRC. The People’s Republic of China has been spending billions and billions of dollars, upwards of 15 to $16 billion in quantum technology over the last several years. That is double what the rest of the world is spending, or half of what the rest of the world is spending, if they’re spending about $30 billion. They are developing and trying to develop quantum computers that can crack encryption on one hand. And on the other hand, they’re developing a quantum secure network in order to protect their own communications from external threat. All of the things that our offensive cyber capabilities may be trying to do.
And if you think about that, it’s a 10,000-kilometer secure network right now that is a quantum network that goes from the top of China down to the bottom of China on the eastern shore, connecting their military, their government, and their university systems altogether. And why do I bring that up? I bring that up because we need to look at how we use quantum technology and artificial intelligence together to enable our cyber capabilities in the same way that the Chinese are looking at their cyber capabilities.
First and foremost, quantum computing. We need to be able to look and think about how we will use quantum computers when quantum computers are here to crack modern-day encryption. That’s RSA, elliptical curve, Diffie-Hellman, and all of the current modern cryptography standards. On the flip side, we need to understand that we must protect against quantum attacks, and that’s what the White House and the Air Force and, um, OSTP and many others are doing at the moment, uh, OMB, in order to try to make sure that we are ready for that.
So, think about National Security Memo 8, National Security Memo 10, the Cybersecurity Quantum Computing Cybersecurity Preparedness Act, which all direct and mandate that we need to be doing automated inventories and other inventories of all of our encryption. So, we know what our encryption looks like right now, and we can move to the standards that were approved by NIST in the last month or so. And those standards then also need to be implemented. But we need to make sure that we implement in a way that is crypto agile so that we can continually update our standards as the standards continue to change. We shouldn’t have to rip and replace as we do in the modern world. You know, crypto mod two, crypto mod one that we have done take a long time. So, we need to try to shorten that cycle in the future when we’re looking at modernization.
And then from a quantum networking standpoint, I already talked about what the Chinese are doing. We have very nascent capabilities that are mostly in the laboratories right now related to quantum networking. And quantum networking is that ability to really not enable anyone to crack your encryption. The challenge with it is, is that you don’t necessarily know who you’re talking to on either end of your communication. So, you still need to be able to authenticate, which is post-quantum cryptography. So, you need to have post-quantum cryptography and then quantum secure communications so that we can be just as protected as our adversaries from a quantum perspective. And the AI wraps all the way around that because it enables us to process data that much faster, gain insights into what’s going on, and also find new avenues and ways and attack vectors that enable us to maintain and control that dominance.
Panel Moderator: Venice M. Goodwine:
But as you talk about quantum and we think about quantum-resistant computing as well, and you think about AI, when you look at our airmen and guardians here, you have those that are on keyboard. I have decision-makers here, I have industry senior leaders that make the policy. What skills should we have that if you had to grade us today, where are we lacking in some skills to address the challenges that you think will be brought about in the quantum realm?
Jen Sovada:
I think people need to understand the basics of quantum and what they actually mean. You don’t need to be a quantum expert. When I joined Sandbox three years ago, I did not know quantum, besides the word quantum. I had to actually learn it, read it, and study it. I now teach a class at Georgetown about quantum information science and national security. So, it is not something that is out of reach. You just need to be able to understand it and be able to apply it. The application of the technology and understanding the use cases is more important than understanding how the photons move or how any other type of quantum capability functions and works.
The other thing that we need to be looking at is how do we maintain the cyber training that we need to understand modern cryptography. The cryptographic standards that exist today are not based on factored math, meaning putting two prime numbers together, multiplying them, and coming up with a larger number that you then try to reverse engineer. It’s actually based on what I call 3D math. So, think of a lattice structure and having points or dots on the lattice structure and now being able to interpret what that means and try to figure out how you put the patterns together. So, understanding the differences is really important and being able to keep up with that.
Panel Moderator: Venice M. Goodwine:
And so, I asked you to think about what the word, your one word for cyber dominance. I’m going to get to you after I talk with Stephanie, but if I can just have a volunteer, talk to me about what does that actually mean when you hear that phrase and where do you think we need to go as a department to get there?
Stephanie, let’s talk with you. As we think about delivering capabilities on the reoptimize for great power competition, delivering capabilities faster, better, cheaper that our warfighters need at the edge, how is it, um, when you think about open system software, how does that enable cyber dominance and how we are thinking about making changes in the Department of the Air Force?
Stephanie Domas:
Awesome, thank you. So first, you know, one of my goals up here is to really demystify open source. And so, one of the things I’ll start is just quite literally what is it, right? So open source to me is capturing the world’s innovation as code. It is a pursuit of what is possible. It is people having an idea of, I have a new way to solve this, and I want to work with really smart people anywhere to try and bring this to life.
So open source, right? By its nature, it’s free, it’s available to all. And that’s part of what helps drive this world of open innovation.
So, I mentioned it earlier in my intro, but to me, security is about transparency, choice, and control. So, I want to talk to you a little bit about how I think open source has a critical role to play in this.
Transparency hopefully goes without too much qualification, right? Transparency is about transitioning from trust to truth. It is no longer about you having to trust something blindly. It is no longer about you having to trust somebody’s word. Truth is about you having the ability to look as deep in that code base as you want, and to become comfortable with it—to discover the truth of what is in that code base, right? I often think of movements like SBOM (Software Bill of Materials) as really interesting. First and foremost, I support the movement of SBOM, but it’s interesting to me because when you think of the whole reason the SBOM movement arose, it’s because of this lack of transparency. It’s because of users not having the ability to know what is in their systems. And the way they’re trying to solve that is by asking for SBOMs. But going back to how I think transparency is a critical part of security and open source, it was never opaque to begin with. So again, transitioning from trust to truth through transparency.
The next one is control. When you think about your ability to control your security journey, it’s your ability to turn all the knobs, flip all the switches to whatever it is that gets you that perfect outcome, right? In open source, because you have full access to everything, you have full control of your security journey. If you don’t like the encryption library that’s being used, just replace it. If you don’t like that it’s using 1024 keys and you prefer 4096, go ahead, change it. If you don’t like the relational database that it’s using, switch to the one you like. It’s your ability to control your journey that is associated with you having full access to what is there.
So choice is the next one. Nobody likes vendor lock-in, and that just kind of goes without saying. But I think there’s another level of choice that comes with open source, and it’s choice of consumption. When you choose to go out and consume a fully baked solution, oftentimes you are sort of stuck in a rigid way—this is how this solution works, and I have the ability to consume it at this level. Now obviously, control and transparency may be limited, but I also want to talk about the consumption model. You are consuming it in usually one fashion.
One of the beautiful things about open source is the ability to consume it however you want. I love cake, so I’m going to make a cake analogy. If you decide that you need some cake, right? You’re going to a birthday party, and you need a cake. You might be the type of person that wants to go to the store and buy a cake that already says “Happy Birthday” on it, and it’s decorated—and that’s great, you can choose to consume cake that way. You might decide, “Well, I don’t want to bake it, but I do want to decorate it.” So, you buy a blank cake, and you decorate it yourself. You might decide, “Okay, I want to do a little bit of baking, so I’m going to buy a box and I’ll mix a couple of ingredients, and I’ll decorate it.” Or you may be the type of person who wants to get all of those ingredients from scratch, build it yourself, and do the whole thing.
The beauty about choice of consumption and open source is that open source is all of these things, right? You can focus on fundamental building blocks, which are the raw ingredients of that cake, and you can choose to assemble it yourself. You can get things that are sort of halfway there, and you put the decorations on top. Or open source has the ability to consume at the solution and platform level, where if you’re just somebody who wants to consume the cake as it’s already done, by all means that solution is there. So, you have that choice in how you consume.
So, one of the things I want to sort of address is what some people might think is an elephant in the room if you do follow open source. So, I do want to hit on the XZ Utils incident that happened earlier in March of this year. For those not familiar with it, in March of this year, there was an SSH backdoor introduced into basically a fundamental compression library that is used by essentially every single Linux distro out there.
Some people, when this first happened, looked at this and thought, “Oh my gosh, this is the risk with open source, right? The ability for somebody that I don’t know and haven’t had the chance to vet to contribute something to it.” And I think that’s the wrong thing to take away from it. I actually looked at what happened at XZ Utils and thought this is exactly the poster of why open source is amazing.
I want to read for you a headline that came out in Politico the day after this happened: “Hackers spent years to infiltrate an open-source tool, but an angry mob of nerds stopped it in 24 hours.” I love that headline—I literally belly-laughed when I read it. But that’s exactly the right takeaway to take from something like the XZ Utils incident. Because that piece of code was open source, because there are millions of people in the open-source community, as soon as one curious engineer at Microsoft saw some erratic behavior and sent it out to a mailing list saying, “There’s something kind of strange here,” there weren’t NDAs to negotiate, there weren’t intellectual property sharing things to work out. That code was open source. And in days—not weeks, not months, not years—in days, the entire security community rallied to figure out what happened and to shut it down.
So, I think that was the perfect example of this sort of rally cry. And in the open-source community, you’re not limited to those security people on your payroll, it’s actually the entire world. Because there is an equality and a purity that comes from open source. And when somebody tries to mess with it, that angry mob of nerds is going to show up.
I can barely do a pushup, but I promise you, if you make us angry, we will be a problem. So, I thought XZ Utils was the perfect example, and I wanted to address that head-on. For people who are familiar with that incident, they might have taken away the wrong impression. I actually think that was the poster of why open source is more resilient to cybersecurity threats, precisely because of that “angry mob of nerds.”
Panel Moderator: Venice M. Goodwine:
But Stephanie, let me hold you for a minute. As you talk about transparency and control, you think about the value that open source can provide in terms of delivering capabilities faster. I have developers in the room, I have defenders in the room, I have authorization officials under the risk management framework. Still, having been a CIO myself, and yourself a CIO, there is still this mystery about, “Is it safe? How can I trust it?” What’s the one-line answer that I could use to calm the fears and remove all doubt that open-source software is a way to start, and that it is, in fact, a force multiplier?
Stephanie Domas:
Yeah. So, I’m going to bust one more myth here about open source. I think a lot of people have this perception that to leverage open source, you have to lower or change your security expectations. And one of the things I want to make very clear is that you do not have to. The same compliance, the same risk management, the same security expectations that you would hold to proprietary software—open source can meet. It is not about lowering your bar; it’s about holding us to the same bar. Understanding that open source is not one-size-fits-all, it doesn’t mean every single piece of open source out there is highly secure. But what I can say is there is a tremendous amount of open source out there that does meet those bars. We’ve got FIPS, we’ve got DISA STIGs, we’ve got an SSDLC that matches the NIST SSDF, we’ve got support, we’ve got SBOMs. All of the normal security ways that you would measure trust in your software, open source can meet those.
Panel Moderator: Venice M. Goodwine:
So, let’s go to the audience really quickly. Who’s the brave soul? What’s your one word—cyber dominance—what does it mean to you?
Brave soul: Freedom. Freedom of maneuver.
Freedom.
Okay, anybody else? You came here, you wanted to hear something. What did you want to hear from this panel?
Fortification.
Winning.
Okay.
Confidence.
Oh, confidence. Right? And so, cyber dominance—again, you all described how, from your individual viewpoint, what that means to airmen and guardians. So, as you get off the stage, so to speak, I always ask the question to industry: “Is the message sent, message received?” You understand the problems, the problem set that we have, the wicked problems we’re trying to solve. So, for you, what is it—I’m going to start with you, Jen, this time—what is the message you want to tell airmen and guardians around AI, the role it has with quantum, and cyber dominance from your perspective? Because you’ve done a lot of work in this area.
Jen Sovada:
The big thing to know about AI, cyber dominance, and quantum is that it is a force multiplier. It does help you with fortification. It does help you with your confidence. It helps you with that freedom. It helps you with all of the things that were called out because it provides more detailed information in a faster way—often, better collaborated and with better results—that enables you to make better decisions. The airmen shouldn’t be the ones doing the day-to-day work. They should be the ones figuring out what that information is and how to apply it. It’s the “why” that they should be concerned about. Airmen and the Space Force guardians—they’re experts in the “why.” What is the impact of the information that we have, and how do we protect our networks, our systems, and our weapon systems?
Panel Moderator: Venice M. Goodwine:
Chris, from your perspective, we know that using AI is going to help us in the cybersecurity realm. Can you talk to our audience about the best ways we can think about using AI to help us to achieve specifically decision advantage in the cyber domain?
Chris Cleary:
Yeah, I’ll admit I’m not an AI expert in this one. But what I will say is, it’s another tool for the toolkit. I liked what the airman here said about—it’s about winning, right? So, when we talk about cyber dominance, the Department of Defense exists fundamentally for two reasons: to deliver lethality or to prevent lethality from being delivered upon us. If you really boil it down, people say, “Oh, Chris, you get really aggressive with the offensive cyber stuff.” Well, let me ask you a question: What do the B-21 Raider, the Columbia-class submarine, and the Abrams tank all have in common? None of those platforms were designed to deliver humanitarian aid. That’s the laugh it gets, because people go, “Yeah, that’s right.” That’s the business, right? And it’s a nasty business.
When we talk about cyber dominance and the way that we’re going to achieve it, Google, Microsoft, and Amazon are going to help us with cloud. And there are lots of technology providers that are going to do other things for us. But again, the B-21 Raider was built for a very specific reason—to do a very specific job. When we talk about cyber dominance, the things that you can’t get from most of the industry are the ways to equip this force for that specific mission. Marines—and there’s one in the room who I’m going to look at, who’s a very good friend of mine—Marines are very, very simple creatures. I mean, the simplest of all life forms, and I mean that in the most complimentary way that I can. If you ask a Marine what their job is, it is to “find, close with, and destroy the adversary through fire and maneuver,” period. That’s the way Marines see their job. It is a warfighting discipline. This is a warfighting domain.
And for all the goodness, because we need these technologies to enable that, right? At the end of the day, we can’t do any of it without the technology you’re going to bring to us. But it’s about the warfighter who will figure out how to take this rock, whatever we call this rock, and turn it into a way that can bring some punishment to the adversary or prevent them from doing something to me.
When I think about cyber dominance, it’s exactly that—war fighting. Your warfighters must embrace it for that domain and do the things that I can’t ask the rest of the commercial industry to go do.
Panel Moderator: Venice M. Goodwine:
And so, Jen, we talked about re-optimizing for great power competition. I’m sorry, not Jen. I’m going to go to you, Stephanie. Jen, I’ll come back to you. We talk about reoptimizing great power competition. In your space of open system software, what do you think the government is doing—or is not doing—that while we say we need to reoptimize, what should we do differently, from your perspective, to use the capabilities to their maximum extent?
Stephanie Domas:
Yeah, one of the keys is obviously partnership—partner with the open-source community. There’s a lot of good work going on with CISA right now, regarding partnership in the open-source community. One of the things I’ll point to again is XZ Utils. The reason XZ Utils happened is because there was a burned-out maintainer of a very prominent library.
So, one of the things that we’re working on in a partnership with CISA is trying to identify these critical assets that a lot of technology relies on. They are the underpinnings of so much of the critical technology out there. Are there methods for us to provide aid, provide funding, provide resources, and provide brainpower to some of these critical libraries so that we can continue to have this great innovation in the open-source space? There’s also partnership with the academic community. There are so many bright, talented software developers out there, and they want to contribute to open source a lot of times, but they don’t know where they’re needed.
There’s a lot of effort in partnership to try and identify the critical need, get the resources in the right place, so we can continue to innovate in a way that we can trust, and maintainers don’t have to burn out to be able to bring something great to the community.
Panel Moderator: Venice M. Goodwine:
And if you’re not familiar, in the Air Force, we have the Software Bill of Material (SBOM). We have a program called “Eagle Eyes,” and I don’t know if PEO Bess or Joe Bessman is in the room. I encourage you to take a look at that program, because they’re doing good work in this area, both software and hardware bills of materials, so that we understand what’s in the open-source code we are using and can make risk-based decisions. So, thank you for bringing that to bear.
In our last couple of minutes, I want to make sure I give you an opportunity to look in the eyes of each and every one of our defenders here—airmen and guardians—and say, “This is the one thing I need you to do in this space.” Chris, one minute—what would that be?
Chris Cleary:
Look, it’s going to sound repetitive, but advocate for the things that you need. Tug on the shirt tails of the acquisition and resources that you all roll up to, and get them to come to industry and say, “Help me do these things.” I’ll be honest, particularly when it comes to offensive cyber, there aren’t a lot of offensive cyber contracts out there, so we’re trying to anticipate what you might need as a capability, rather than you directly telling us. Conferences like this are the “sugary cereal” moment—I’m hoping each of you go back to your respective leaderships like Saturday morning cartoons and go to mom and dad saying, “I want this,” or “Help me get that.”
You know better than they do what it is that you want. The “Ender’s Game” philosophy—many of us on this stage are here to bring you what you need, but you probably know better than us what that is. So work to get us the requirements, and we’ll bring back to you what you need.
Panel Moderator: Venice M. Goodwine:
Jen?
Jen Sovada:
Be curious. Don’t get stuck in the past. Don’t rely on the technology of yesterday. Look to what’s coming, be conversant in it, understand it, and advocate for it. If you are able to do that, you will continue to progress our cyber domain both offensively and defensively and enable us to be prepared for our adversaries and what they’re going to do. Because we know that the first sign of an attack will be a cyber-attack, and we need to be ready.
Panel Moderator: Venice M. Goodwine:
Stephanie?
Stephanie Domas:
Are you consuming open source in the way that meets your needs? I say, “Are you?”—not hypothetically, “Should you?” Every one of your computing environments probably already has open source in it. It’s about being intentional about consuming it in a way that best meets your needs. For your unique needs, do you want an already made cake? Do you want to decorate it yourself? Or do you want to start from scratch? And how does open source play a role in that journey?
Panel Moderator: Venice M. Goodwine:
For the audience, in our last couple of minutes, I want to give you the opportunity to ask the panel a question. Brave soul—what’s your question for the panel?
We talk all the time about this public-private partnership. That’s why events like this are important. So, you have the opportunity to ask the renowned experts in their area about cyber dominance. What’s your question, please?
[Audience member question about government scale and safety.]
Partnership and scale of quantum capabilities.
Chris Cleary:
The 15-second answer for me would be that this is really what the defense contractors—the integrators—are good at. The Lockheeds, the Boeings, the Northrops—they’re really good at taking individual technologies and putting them into much bigger solutions. I’d argue that’s the bread and butter of a lot of the companies represented here.
Jen Sovada:
I’ll just plus-one that and say that NSA has said on numerous occasions that they’re the ones who validate and approve the technology, but they cannot scale. They need partnerships to do that, and that’s what companies like us on the stage do, as well as many others.
Stephanie Domas:
And we need central collaboration to build out that building block that can enable others. To have that library where people have put effort so that people don’t feel the need to roll their own, have a central trusted place where that collaboration and innovation happens, and then enable free use of that so that it can be widely adopted.
- This transcript was auto-generated, and may not be 100 percent accurate. The source audio and video can be accessed above.