The Cyber Threat: Impacting Our Economy, Military, and Critical Infrastructure

Watch the Video

---

Read the Transcript

---

This transcript was generated with the assistance of AI. Please report inconsistencies to comms@afa.org.

Brig. Gen. Greg Touhill, USAF (Ret.):

Good afternoon. And I kind of feel like we are at a Pirates versus Cincinnati Reds game at the end of the season. I’d like to thank you, you, and you for coming to today’s game. And I’d like to say thanks and welcome to Brigadier General retired Bernie Skoch, the chair of the board of AFA and all of you who came today to this last session at the what seems to me having attended many of the great sessions throughout the the week, the AFA “Software-Defined” Warfare Symposium. And today we’re going to talk a little bit more about that software defined world that we live in and focus on that cyber threat that’s out there that is confronting not only national security, but our national prosperity. I’m joined by two distinguished panelists. And I’ll hand the mic over now to Mrs. Goodwine for her introduction of herself.

Venice Goodwine:

Good. So good afternoon, everyone. Aren’t you glad they saved the best for last? All your friends are going to have FOMO because they’re not here. So, so good afternoon. So Venice Goodwine, the department of the Air Force, CIO Air Force and Space Force. I have the probably the best job there is. But the one thing I just want to say is it’s not just me in my office besides myself and my deputy who is Jennifer Arasco. I also have the CISO Mr. Aaron Bishop. I have my CDAO Susan Davenport. And then I also have my derivative enterprise IT Dr. Keith Hardiman. I also have a senior leader, advisor, Ms. Odom. And then of course, I have a CTO Scott Hyten. I tell you that because if you cannot get to me, if you cannot get to me, I have an entire team that can work with you on any questions that you may have for the CIO. And what is it exactly I do? Strategy, policy, governance and oversight. My goodness. Excuse me. Strategy, policy, governance and oversight. That’s what I focus on. I rely on my two sixes, my service sixes of Air Force and Space Force to really bring forth the requirements for the workforce and we’re focused on really lethality. And how do I do that with putting at the edge the capabilities that we need? I don’t do enterprise IT. I do IT for the enterprise. So that’s the Cloud. Yes, that’s transport. Yes, that’s AI. So I look forward to our conversation today as we talk about how I’m actually enabling the warfighter today.

Brig. Gen. Greg Touhill, USAF (Ret.):

General, you’re up. Thank you, ma’am.

Maj. Gen. Matteo Martemucci:

Well, General Touhill and everyone. Thank you so much for the opportunity. My name is Matteo Martemucci and I have the incredible privilege of serving and taking care of the 40% of the National Security Agency’s workforce that happens to wear a uniform. So I get the privilege of leading perhaps the largest organization you’ve never heard of. And that’s the Central Security Service and stated simply the CSS is the military side of the NSA. And to that end, we enable the agency’s critical mission of cybersecurity and signals intelligence, the two components of what we call cryptology. And so those two equal halves of a critically important coin, both as a national intelligence producing organization and as a combat support agency. But first and foremost, I am an Airman in a joint world right now delivering pretty amazing cryptologic and in some cases cyber effects for the nation. So look forward to the conversation and let’s get at it.

Brig. Gen. Greg Touhill, USAF (Ret.):

Well, thank you very much. As a scene setter, I want to basically make a few disclaimers upfront. First of all, I do need to disclose that General Martemucci and I are both graduates of Penn State University. And that may come out because… in our talking. We are fiercely loyal to our country. We came through the same ROTC programs. And, you know, as Pennsylvanians, we have a unique perspective on the world. Secondly, Mrs. Goodwine said that she has the best job in the world. I think I have that, you know, as an Airman who got to even raise a hand and serve starting in 1979 and having over 30 years of active duty time, followed by several years as a senior executive in DHS helping start CISA and then serving as a federal government’s chief information security officer and now leading the Department of Defense’s applied research and development activities and cybersecurity at the birthplace of cybersecurity, the Software Engineering Institute in Pittsburgh. I think I’ve got I’ve got to run for you on that with the best job ever. But I also get to teach at the Heinz College, which is great. Alright, so now I’ve done all my brag. I’ve thrown the thrown things down. We’re going to start with General. General, you’re in mission critical spot for our nation. How would you characterize today’s cyber threat and the environment that we have today?

Maj. Gen. Matteo Martemucci:

Yeah, thanks, Greg. And that’s exactly what I’m going to do. I’m going to kind of sort of characterize the threat landscape for you with the idea of I have the easy job of kind of sort of characterizing the threat and then Mrs. Goodwine is going to tell us how the Air Force is mitigating managing and in some cases solving the challenges that that threat represents. But the bottom line is this, the threat is real. It is persistent. And it is growing period. And it comes largely from what our National Security Strategy and National Defense Strategy still assert is our pacing challenge. And that is China. Again, full stop. As the pacing challenge, China remains actively engaged in efforts to gain and maintain presence in our critical infrastructure in our Department of Defense information networks in the small office and home office networks of our citizens in order to gain and maintain that persistent access, both for the collection of intelligence, the prosecution of espionage, which as we all know is the second oldest profession sort of all’s fair in love and war. But what’s different is now we are talking about this persistent adversary, this capable adversary gaining access and operating in US critical infrastructure for the purpose of holding that infrastructure at risk. And that is a fundamentally different approach that we are seeing over these last few years. So the threat is real, it’s persistent and it’s growing. For those brave souls who’ve stuck around and thank you for sticking around. Good work, it gets more good work.

We’re going to give you some homework. I would commend to you all to read a very powerful document produced by our Department of State, Euro of Intelligence Research, entitled the elements of the China challenge. It was published almost four and a half years ago, written in November of 2020. But its offerings and its recommendations remain relevant today. And in that document, unclassified available at the State Department’s website or anywhere else called the elements of the China challenge, it describes the challenge of China, and specifically the economic espionage that is happening today and has been happening for some time to the tune of about $600 billion a year of estimated impact to the US economy at the hands of the Chinese alone. So $600 billion a year of intellectual property theft, leaving American shores every year, going to a nation state whose designs are to outcompete and dominate, certainly in the region, but also economically, informationally, diplomatically, perhaps, to be a significant player on the world stage. So I would commend to you that document. And I cannot help but quote from it, the single greatest illegitimate transfer of wealth in human history is how they characterize that IP theft that’s happening at the hands of the Chinese. So that’s on the economic side. Then on the sort of critical infrastructure side, I’ve mentioned to you their aims. And in last year’s congressional testimony, the director of NSA, the director of FBI, the director of CISA and the White House Cyber Security lead identified in particular malicious cyber actor, Volt Typhoon, as being that nation state sponsored entity that is gained and maintained persistent access to US critical infrastructure.

So in addition to looking at the elements of the China challenge, I would commend to you to Google Volt Typhoon and do your own reading on what we have now publicly begun talking about as a threat from a persistent nation state actor with nefarious aims. And then I’ll ramp up by discussing the threat by saying a little bit about what we’re doing about it from a, or excuse me, let me start by finishing by saying how they’re doing it. Many of you have heard of the concept of living off the land. This idea that basic cyber hygiene or lack thereof is allowing even advanced persistent actor to use pretty rudimentary means to gain and maintain this access that I’m talking about. So think about the most basic unpatched forward facing devices, routers, switches, printers, as an access vector, leveraging pretty basic state tradecraft to then allow a savvy adversary to escalate, get privileges, and then operate as if they were a legitimate user. And that’s living off the land. And that’s what our adversaries are doing. And so that’s how.

And then finally, what do you do about it? We’ll talk a little more about that. I think in the later part of the conversation, but I would offer that as Airmen, everybody in this room is part of the attack surface. Everyone in this room either owns or is part of the adversary’s attack terrain. So there are things that we can all do, whether it is mobile devices, or even understanding how we fit mission wise into a very long chain of networked activities that end in a kinetic platform delivering ammunition, whether you’re in a Spoe, or you’re in a RDT organization, or if you’re on the flight line, you do affect some element of that information chain that turns into a weapon system delivering an effect. So if you think about it that way, you think about yourself as part of the attack surface, and part of the defense in depth. I think we can have a pretty fruitful conversation.

Brig. Gen. Greg Touhill, USAF (Ret.):

Thank you, sir. I want to foot-stomp one of those last concepts that you were sharing with the audience. When I was a wing commander and subsequent assignments, I would tell my folks, my Airmen, my civilians, my contract partners, etc., we are all cyber operators. I double dog dare you to find a job in the Air Force that isn’t reliant on cyber, that doesn’t have some sort of reliance on cyber effects. You could be a loggy, but if you can’t get to that database, you’re not getting the supplies you need. I don’t care what my cap status you’re in. And the borders of cyber don’t stop at the gate. You take them home with you. You take them in your pocket with your cell phone. We are all cyber operators, regardless of where we are. And we are under relentless surveillance. We’re under relentless attack. And it has great impact on our national security and national prosperity.

So with that, and I may come like a Debbie Downer today, but we’re here to try to raise awareness. So ma’am, you know, as the CIO of the Air Force, you work across the not only the Department of Defense, but your roles take you in interactions across the interagency as well as one of the most senior leaders in our government. How is the military in particular working to improve our cybersecurity capabilities so that we buy down cyber risk, not only within our weapons system environment, but also the critical infrastructure all of our military force relies on.

Venice Goodwine:

And so let me pick up where you left off. So we talked about vault typhoon, you’ve heard salt typhoon, you’ve heard silk typhoon, all of those threat actors have a particular, I’m going to say vertical that they’re interested in, right? So when you think back to cybersecurity, I have the sizzle that works for me. The first thing we look for from a military perspective is what’s our key terrain? What is it that I need to protect to enable the mission? So we always talk about MRTC cyber, mission relevant terrain cyber. How do we do that? So I know most of you don’t like to hear the three letter word RMF, you don’t like to hear the three letter word ATO, I know it makes me shudder sometime. But really, the reason we use that framework is because that’s the point in time posture of a particular system based on a threat. So it’s important that we start there. It’s not a compliance drill. The bigger part of that is once you have an ATO is the continuous monitoring piece in which we rely on our 16th Air Force and our Delta six as our cybersecurity service providers to help us to monitor the network. And that is all domains. And that’s everything that touches on network, rather humans, rather devices, rather the cloud, rather its weapon systems, all of those things.

So when you hear of all these frameworks, rather the MITRE attack framework, rather it’s the supply chain, rather it’s the AI framework, the risk management framework, each of those are designed for a reason to help us identify a certain risk that we want to address and a particular outcome. But why we do that is because we have to understand what the enemy would like to attack, meaning risk is a function of threat time likelihood of consequence, which goes back to your conversation about what is the threat. We it’s important for us to understand that initially, but to also follow that through the continuous monitoring process. So within my office, we set the strategy, the risk tolerance baseline, if you will, for what connects to the DAPHIN, our department, Air Force Information Network. And then if you think about adding to that the different overlays in which we use, the reason I go to that tactical level for you is so when you’re interacting with us as a government, and we talk to you about these different frameworks, please understand, it is because we’re trying to get first at an initial posture point in time, and then understand the strategy required so that we can do the continuous monitoring. And so not only do we have the right tools, it’s important to have the right processes, it’s important to have the right TTPs. But it’s also most important to have the right sensors so we can understand what’s normal, and then what’s abnormal. So relying on both our Air Force and Space Force CSSPs to help us do that, we direct that from our, from my office.

But I want to foot-stomp the idea that it is threat informed, and it’s not a compliance drill. But if you are dealing with us with any of these frameworks and feel like there’s a policy barrier that’s preventing you from getting your particular capability in the department, I would love to hear that, because we’re really pushing hard to make our ATO a continuous ATO. We’re pushing hard to, to shrink in all of our timelines so that you can have access and we can move faster, better, cheaper, but also securely. So those are the things I think from a big picture. And to your point, yes, I interact with OSD, yes, I interact with the federal agencies to make sure that we have a good idea of where our threat vector threat vectors are, and how we can address them collectively.

Brig. Gen. Greg Touhill, USAF (Ret.):

Thank you, ma’am. So now we’re going to move to the adage that seems to be gaining some traction called cyber to the edge. As we’ve taken a look at cyber capabilities, they continue to evolve in delivery to today’s modern battlefield. You know, we, for those of us who were part of the drone conversation earlier today, there was talk about, you know, fielding software in minutes, as opposed to months. And certainly, you know, from cyber, we’ve taken cyber for months to milliseconds, because that’s all it takes for us to lose our competitive advantage. So as we’ve taken a look at today’s modern battlefield, the we’re no longer thinking about the forward line of troops analogy like we used to, but we’re really thinking of virtually any internet point of presence.

So based on that, you know, in our internet points of presence include that critical infrastructure that we rely on. We’re going to start with General Martemucci, and then we’re going to move to you, Mrs. Goodwine. What are we doing to become even more resilience in this globally contested cyber environment? Your thoughts, sir?

Maj. Gen. Matteo Martemucci:

Yeah, thanks for the question. And maybe I could start with a quick story. Prior to the job that I’m in now, I was the director of intelligence for US Cyber Command. This is the J2. Prior to that, I was the J2 in JTF OIR downrange in Baghdad. And when I was there in Iraq, in the counter ISIS fight, as the director of intelligence, I had organic ISR. And if I needed to know what ISIS was doing on the next hill over, I could throw an asset in the air, tactically manage that collection and understand the battle space and inform the commander to make operational decisions. Fast forward to my time at US Cyber Command. I was the director of intelligence of a combat combatant command, whose responsibility was to defend the DOD and defend the nation and enable joint ops around the world. So I had to defend the nation part. And then the colonial pipeline ransomware hits. That was the forward edge of the new battle space. Critical infrastructure brought down from a ransomware attack.

I, as the director of intelligence for the combatant command who had the word defend the nation in the title, did not see it. Could not see it. We were notified by fantastic industry partners. And goodness happened thereafter. But the point is that to your point, this is new and different terrain. And for very good and right policies, laws, authorities, etc. The Department of Defense does not and cannot sense the terrain the way I could when I was the director of intelligence in Iraq. We have to think differently about the partnerships and how we do it and that’s exactly what we’ve done. So to directly answer your question, the first thing we do from an NSA, the CSS standpoint is take part in the educate and inform. Here again, I’ve already given you all homework, please go to NSA.gov. NSA.gov. Unclassified website. On that site, every cybersecurity advisory that has been authored or coauthored by the agency and its partners is out there for consumption. Not just cybersecurity advisors for advisories to enable small, medium and large businesses to take action on known and identified vulnerabilities and threats and risks. But for individuals, there are straightforward, plain English products that help you harden your own small office, home office network routers. It helps you establish smart best practices, establishing a VPN and securing your mobile devices. That’s step one, educating and informing.

Then there are the partner efforts that I just hinted at through my story. We have over a thousand defense industrial based businesses as formal partners of the NSA through our Cybersecurity Collaboration Center, the CSC. And there are, the door is open for many, many more. And those partnerships, bi-directional, voluntary, enable a sharing and a threat informing that actually has hardened this landscape in a way that is certainly making it challenging for adversaries. And I’ll finish by saying, in addition to the Cybersecurity Collaboration Center, we’ve got an AI security center that is brand new, nascent, but growing rapidly. The NSA has invested heavily in artificial intelligence, machine learning. We have got our own homegrown AI capacity and capability. And under the leadership of Mr. Vin Nguyen, the chief responsible AI officer, we’ve established this AI Security Cooperation Center, as well as an academic engagement network that I know you’re very familiar with because there are hundreds of partner universities that have signed equivalent agreements for this kind of sharing, threat informing, and state of the art, state of the enterprise discussions that kind of is the tide that lifts all boats.

Brig. Gen. Greg Touhill, USAF (Ret.):

Thank you for that shameless plug of Carnegie Mellon and the Software Engineering Institute. Guilty as charged. We are working very closely with the Defense Department as its applied research and development center for all things software, cyber, and AI. And as we take a look, though, from the technology standpoint, one answer does not come from just one entity. It comes from the team. And thanks to NSA and the Department of the Air Force for the great leadership in bringing those teams together. Now, speaking of teams, we can’t do our job in the military without that critical infrastructure. Mrs. Goodwine, your thoughts on buying down risk not only within the weapons systems, but also the critical infrastructure.

Venice Goodwine:

Well, so a couple of things there. So most of you heard this week probably about our PEOC3BM, Luke Cropsey, Dr. Tipton, speak to the DAPA battle network. And they’ve also talked about the cloud-based command and control. What’s interesting about both of those is we share the digital infrastructure. So whenever you hear General talk about it’s really a whole nation issue between yes, we need our industry partners, yes, we need academia. Those things are also true in the CIO strategy that I have. Because one of the things, and I’ll talk to you about a couple things, yes, CBC2 and all those things, same digital infrastructure, ensuring that we have resilient infrastructure and that we have moved to a data-centric environment. And that matters because if I am implementing Zero Trust, which you know the whole department is on the Zero Trust strategy 2027 will be at our targeted level and then will be at our advanced level beyond that. But when you think about the infrastructure, I want to be able to use infrastructure regardless. We call it data agnostic. It chooses the path based on the type of data that it wants to send. In order to be successful with that, Zero Trust must be in place, meaning I need to have a back-in-place attribute space and I need to have our back-in-place.

And with you, I’ll share a story. I love it when I go on a trip. My family and I decided to take a cruise. We’re going to take a cruise. And when its ship docked, you go to all the different countries. But on your phone, I can just check my– when I left, I didn’t tell USAA that I was going to travel. So while I was out of country, I need to let them know that, hey, I’m out of travel, so don’t block my credit card. But I like the fact that I had that accessibility out the country. Geolocation is on for USAA. They know it. But the same experience that I would have in the states with them, I had in another country. That is what we’re trying to give our Airmen and Guardians, that they have the same experience when they are training, organized training equip in Garrison, and when they go downrange. And to do that, this is why investment in the right infrastructure is in place. But really, I want to leverage the investments of my industry partners in order to do that. But also, when we think about cloud, right now we have cloud requirements, government facilities, US personnel. I get it. We have edge devices that take us to the edge. I get it. But we’re pushing the envelope a little bit on that, that why can’t we use commercial cloud? How do we get after this data sovereignty issue? So that’s your challenge.

General gave you homework. I’m going to give you homework, too. How do we really get after this data sovereignty issue that we’ve talked about that? I just want to be able to use the same cloud that Walmart uses, because you think about it. Our partners, our coalition partners, they’re in the cloud as well. So we want to be able to make sure that we can do the same thing, and then still have all the protections in place. I think the zero trust in the data centricity model is going to help us do that. But when we think about expanding the cloud, that we’re not limiting ourselves from an infrastructure perspective to just conus, because I don’t want to have to pay the latency tax if I’m in Indo-Pay-com, and I need to have my data back in the states. I want it at the edge, but I don’t want to– only want to have to rely on edge devices. So that’s one thing. The other thing– so yes, infrastructure, less cloud, but also that data piece. When we think about data, right now we have the DAF data fabric, but we’re going to rebrand that. It’s called data on demand. And why are we doing that? Because we originally constructed, I’ll say, originally architected the data– our DAF data fabric. It was for a specific reason. It was small. But as you heard, we are a very data-rich environment. Think of all the sensors we’re talking about from space and Air Force. Where is all that data going to go? How do we architect ourselves in a way that that data actually can be used, and then insights can come from that data? So that’s where we’re going to build our data on demand.

So we’re reorganizing our data mesh, but also creating a self-service portion so that our Airmen and Guardians have the skills to create dashboards so they can make sense. But the other part of that from an infrastructure is our AI piece. Yes, everyone– I know you’ve heard AI throughout the conference all week. But we’re talking about AI at the edge, which is actually the wearable device that the Airman or Guardian, Soldier, Sailor, Marine are using, that AI can operate in that device. That it needs to have– use less power. It needs to be small. It needs to be nimble. These are the type of things that we’re wanting to partner with academia and industry on in you to say, how do we take this model that we’re looking at from an AI perspective productivity or looking at it from AI-enabled autonomy, but now actually using that AI on the wearable devices that our Airmen and Guardians actually use at the edge? So as a CIO, that’s what I’m pushing. I’m creating an AI center of excellence for the Department of the Air Force so that we can manage our AI investments. We can manage our AI adoption across the services and that we can also manage our AI workforce. Because we know that there needs to be a prioritization in the use cases. There needs to be a prioritization in our investment. So the AI center of excellence that we’re establishing is going to help us do that. And it’s in partnership with our industry and our academia.

Brig. Gen. Greg Touhill, USAF (Ret.):

Thank you, ma’am. I’m going to pile on just before we pivot so that you can take a swig of water if you’d like. As somebody who’s a professor at Carnegie Mellon, in addition to being a director at the Software Engineering Institute, I have a lot of students who come in and are asking me questions about zero trust and how to translate that. We use a lot of acronyms like our back being role-based access controls, CSSPs, cybersecurity, service providers. The thing about it is zero trust. And this is one of my fields of study. And I kind of kick-started that in the federal government. And my role is federal CISO, which Chief Information Security Officer. Maybe you should find us a beer for every acronym we use that we don’t define. Zero trust is a strategy, as Mrs. Goodwine said. But ultimately, what we’re trying to do as part of that strategy, both in government, in the military, and in industry, is it’s all about the data. Data is one of the most valuable assets we have. And with the zero-trust security strategy, we’re trying to make sure that Greg can only see the data Greg is authorized to see under the conditions that are spelled out as part of the access controls. So deliberate actions enabled by technology is zero trust new? Well, it’s kind of been– it’s been butchered by the marketing folks into kind of a buzz phrase. We’ve been doing zero trust in the military since Sun-Zoo was a corporal. We had physical guards.

You know, one of my favorite installations is Falcon. Now in Schriever, and I don’t know what it’s called now, but I remember going standing on the scale to make sure that I was the right way. I had my access controls where I had badging. I had a need to know. I had my retina scanned. We had zero trust in place. We had to make sure that Greg was Greg. And match up my authorization into the facilities I was going to. We’ve been doing physical zero trust for a long time. Now we’re using some of those same principles in the digital world, and we’re getting the granularity now with some of the software-defined capabilities that we can go down to the data level itself. We’re going to have great capabilities for defense. We’re going to harden the infrastructure as we get these zero trust principles put in place across the military, government, and industry. But, you know, I said data is one of the most valuable assets we have. Everybody who’s raised their hand and served knows that the most valuable asset the military has is the people.

And, you know, we technologists, we talk a lot about the software. We talk about the hardware. Let’s talk today about the wetware, the human elements. Yep, yep, you are part of the system, and arguably the most important part of any system we have. So we’re going to start with you, ma’am, and then we’re going to move to the general. And the question is, as we recapitalize and modernize our aging infrastructure, what are some of the lessons learned on how we are recapitalizing and modernizing our workforce, that wetware that is the critically important human component of our weapons systems and critical infrastructure?

Venice Goodwine:

It’s going to be important that we rescale, upscale, and retool our Airmen and Guardians for the current fight. You know, we always talk about NDS calls for the pacing challenge and the acute threat when you talk China and Russia and don’t forget the other actors. But from our perspective, I also have the privilege not only being the CIO, but also serving as the functional authority for the 12,000 cyber and IT civilians in the Department of Air Force and Space Force. And I love that part of my job because setting the strategy or how we’re going to identify, recruit, and retain, and develop those individuals is key. And so, one, identify. We cannot go to the same places to recruit that we always recruit. We either sit in our office and wait for them to come and ask to join the Air Force so we go to colleges and universities. What we’ve decided as a career field is, no, we’re going to go to the vocational schools, the technical schools, the trade schools, the high schools that also offer certifications for individuals when they graduate. We’re going to talk to the guy that’s, you know, he works at, you know, Lowe’s during the day, but at night he has an entire computer lab. So we’ve opened the aperture of how do we identify what is that talent pool for us. We’re tying it to the Defense Cyber Workforce Framework, the DCWF. If you’re on the outside, you’re familiar, it’s the NICE framework, the National Initiative for Cyber Education. It’s the same thing except, you know, DOD put our spin on it and added a couple of additional work roles. The reason that’s important, because when you talked about the colonial pipeline or whenever this cyber getting thing was supposed to happen, we created this framework and assigned work roles to the work that’s going to be done so that we would understand that the KSES, the Knowledge, Skills, Abilities and Task for each of the work roles would be universal. So that if something happened and you called, you know, if Cybercom said, hey, I need you to present forces to me that we’re 623 DCWF, they would walk in and have all the KSES. Because the difference is if I’m at 2210 at NSA or if I’m at 2210 at Scott Air Force Base, 2210s are different, they’re trained different. So we created this workforce framework so that we can actually universally train and understand not only the skills, but the different proficiency levels. So that’s going to be key for us and we do that and we train against that. The other thing that we do well is the Air Force and the Space Force, better than any other service, develops our civilians on par with the military equivalents. Just like you have career paths for all of your officers, we have career paths for all of our civilians. And not just in my own functional area, you will find the same thing in data scientists, you’ll find the same thing in logistics. And that’s key because that tells you that we are investing in our most critical resource, which is our people. We ensure that they have PME, professional military education. We send them to development classes. We’ve also sent them to leadership classes. So that’s important. And we also use to make sure they have breadth and depth of experience. We have career broadening assignments. We have key career assignments that help them grow into either functional leaders or they can be enterprise leaders. And functional leaders, hey, you could be a GS15 and decide, I want to stay technical hand on keyboard, similar to what we’ve done with the Warren R. F. Sockadre, right, that technical core. We’ve also done that with our civilians. So you’ll now have functional civilians that don’t have a desire to be an SES or a senior executive. They may desire to be a senior leader, which allows them to stay functional and key on that. But we also build and develop enterprise leaders, those that have really the broad view and that can implement the strategies and the policies. So I think for us, focusing on how do we reskill, retool and really retrain our civilian workforce so that we can deliver what we call skilled, ready, adaptable workforce. Because when our military counterparts leave, we’re going to be that mainstay, except for those that might be in the sixth, seventh wing that are presented forces to you, to you at Cybercom. But it is important that we make sure that they’re developed on par. And that’s the investment that our military counterparts do. Over to you.

Brig. Gen. Greg Touhill, USAF (Ret.):

Thank you. General?

Maj. Gen. Matteo Martemucci:

Yeah, thanks. For a quick lesson, since you asked about lessons learned. First lesson I learned a long time ago and it reinforces every day, I cannot, we cannot compete on salary for Airmen in uniform versus what can be offered on the outside. But I absolutely can compete on purpose, mission, opportunity. That’s our trade in, stock in this trade and that’s what we’re going to sell. And boy, do we get to do some amazing things on keyboard in the Cryptologic Enterprise and at US Cyber Command. So I’m thrilled that our junior enlisted got the pay bump that they got. That is necessary, but even that is not enough if you’re looking straight at the money to retain the talent in uniform that we need to enable the cybersecurity mission or the Cryptologic Mission overall. So we’ve got to apply our trade and sell our stock in that trade which is opportunity. You can do things in our enterprise and on keyboard that you absolutely cannot do on the outside. That’s a selling point, right? The second is that we’ve got to improve our initial skills training and our advanced skills training and we’re doing that in some pretty aggressive and deliberate ways. My boss, General Hawke, has approved a number of really strong initiatives to get quality training pushed down to the schoolhouses. The Air Force is the executive agent for Cryptologic Training, for the whole joint force. And the Air Force maybe is the executive agent for advanced skills training for Cryptologic capacity for the whole force. We are going to give those schoolhouses modern, capable tools, trade craft and content so that when they graduate, they can actually operate the systems and the tools and the trade craft that they’re going to touch when they come into the enterprise. That’s a big, big deal. Third, leveraging the whole AI environment. And then, we’re doing what we’re doing at the NSA with creating an AI, homegrown AI. And we’ve given access to our entire workforce and we’re doing sort of a wisdom of crowds sort of thing. We have over 12,000 of our Cryptologic professional, civilian and military who’ve got accounts and are kicking the tires on our own homegrown AI capacity. And I’m here to tell you, the AI is not going to replace any humans. It is going to focus our humans. And that’s really exciting to see how our workforce is using it in novel and creative ways. Both the large language models and the other algorithms we’ve got built. That alone is going to solve a good number of the challenges we have which are data challenges. We don’t have a data collection problem. We’ve got a data analysis problem. And the last point I’ll make about this, the way we’re managing our talent is expanding how we think about this. Data scientists are the single most powerful enabler that we’ve got near term. We’re marrying our data scientists and we’re hiring data scientists, marrying them up where they’re Intel analysts. And suddenly it’s not a needle in a haystack. It’s leveraging AI to narrow the fields of haystacks into a haystack, into a handful of hay and then handing that to the analyst and magic is happening.

Brig. Gen. Greg Touhill, USAF (Ret.):

Thank you.

Venice Goodwine:

Before you go, the one thing too when you talk about putting in its capability in the hands of the Airmen and Guardians, we did that with NIPRA GPT for the Department of the Air Force. But we didn’t just limit it to the Air Force. We leveraged it to all the other services. We also let OSD because NIPRA GPT is our experimentation to your point. I don’t want Airmen to learn and use AI in garrison. Or I don’t want to give it to them at the edge and they aren’t familiar with how to use it and how to interact. And so we’re doing this large experiment to make sure that they understand how to use the technology and how to gain insights from the technology.

Brig. Gen. Greg Touhill, USAF (Ret.):

Well, thank you very much to both of you for being on our panel today. This was a crash course in introduction to cyber threats. But one of the greatest lessons I learned during my military career was asking for help is a sign of wisdom, not of weakness. So if you need help in the cyber realm, contact us. Or you can go to NSA.gov. You can go to SEI.CMU.EDU. You can go to the Department of the Air Force—

Venice Goodwine:

DAFCIO.AF.MIL.

Brig. Gen. Greg Touhill, USAF (Ret.):

There you go. Ask for help because cyber is a team sport and our nation depends on it. Thank you very much.