Please join industry experts to discuss the implications of the order, how agency department heads are reacting today, and share their insights into what to be on the lookout for from a policy, management, and cyber defender operator perspective.
Speaker 1: Thanks for joining our executive perspective series following the White House executive order and more. Today's session is called "White House Executive Order on Improving the Nation's Cybersecurity: The First 30 Days and Anticipating What's Next." Our speakers for today are Grant Schneider, former US chief information security officer from the White House; Ken Kartsen, Senior VP of public sector sales from McAfee; Thomas Gann, Chief public policy officer for McAfee; and Jason White, Senior security architect for McAfee. At this time, I'd like to pass it off to them.
Ken Kartsen: Thank you. Welcome. And thank you to everyone who's joining us today. We very much appreciate your time and consideration. Now that we are approximately 30 days into responding to the actions outlined in the EO, we felt this was a good time to get some executive level perspectives from those who have served in CIO leadership positions in the government, and McAfee's experience working with our customers on their EO response plans. We'll discuss the technical implications of the EO around EDR, sharing of cyber threat intelligence and Zero Trust. We'll have a lively discussion on where the EO stops short and has room for improvement. And finally, we'll share a perspective on what additional actions may be coming next from the administration, CISA, GSA, NIST and others. The format will be a panel session that I will moderate, asking a series of prepared questions to our participants. With all that said, let's move right into the questions for our panel members. And Grant, we'll start with you. First question, given your previous background and experience as a former CIO. So a two part question for you. First, how did you react to the EO after reading it for the first time? And second, given the current state of the industry, recent hacks, ransomware cases, etc., does the EO go far enough in its attempt to create a wakeup call for both private and government entities?
Grant Schneider: Thanks, Ken. Great to be here with you today and looking forward to our conversation. So I guess after reading it the first time I really needed to read it a second time. We knew, or anticipated, I guess, that the EO was going to be long and dense. And indeed this executive order is both long and dense. There's a lot in it. It's a little bit of a mapping exercise to figure out exactly, you know, who's doing what, to whom and what the deadlines and timelines are. And so it really did take a bit of a second read. But I think, you know, as far as does the EO go far enough? You know, I think the EO is a really good start, I think there's additional opportunity. I view this executive order, as you know, a bit of a reaction to SolarWinds, Microsoft Hafnium, and some of the other incidents that we've had recently. And so it's very focused on kind of reacting to those. Some areas that I would like to see additional follow-on would be, you know, in agencies' ability to really understand everything that is happening on their networks and their ability to, you know, detect and mitigate for incidents as quickly as possible. And we definitely need to prevent whatever we can. But we also need to be prepared to assume that things are going to happen, whether it's a supply chain, a user, you know, whatever it is, things are going to happen on our networks, and we need to be able to detect them very quickly and mitigate for them as rapidly as possible after that.
Ken Kartsen: Thank you, Grant. I really like that perspective. Tom, this one's for you. From a policy perspective, do you think the EO was primarily being reactive, responding to the SolarWinds and Microsoft compromises, or learning from the past and creating a proactive plan for the future? The EO compromises? A couple questions for you. First, how are agency department heads reacting to the proposed response timelines? And can they meet these dates? Second, the government has identified its intent to make investments to back up the EO. As you and I have discussed, the budget contains 9.8 billion in cybersecurity funding to secure federal civilian networks, protect the nation's infrastructure and support efforts to share information, standards and best practices with critical infrastructure partners and American businesses. Second, the budget provides 500 million for the Technology Modernization Fund, an additional 110 million for the Cybersecurity and Infrastructure Security Agency, and 750 million in additional investments tailored to respond to lessons learned from the SolarWinds incident. CDM will get 200 million in funding. And third, the budget also provides 15 million to support the Office of the National Cyber Director established in the William M. Thornberry National Defense Authorization Act for Fiscal Year 2021. The investment strategy on the surface appears sound. What seems to be missing is the definition of success. Once the collective we put 10 billion to work, how do we recognize success? And how is that decided? One additional thought: how do we also make sure we don't overthink the problem and just keep studying the issues and end up with analysis paralysis?
Thomas Gann: Well, that's a great question. Indeed, it's a set of questions. So I'll do my best. So the first thing: is the EO primarily reactive? Well, I think, in part it is. I think the administration has said a number of times that SolarWinds and other hacks, the Microsoft one too, weighed heavily on their minds as they thought about this executive order. That hack did expose some unique vulnerabilities in the government, for example, the whole question of middleware, the ability of hackers to use middleware, and similar type of software capabilities to further infect, you know, on a horizontal basis, agencies and other entities in a big way, in a way that was very hard to discern. I think that's an example of how the government did learn from the SolarWinds hack. That said, you know, I think one of the easiest things in the world to do is to criticize. I think this administration is populated with a number of senior leaders, technologists and others, from other administrations that have really studied cybersecurity. I think they were chafing at the bit to get in these roles, to actually drive the kind of change that needs to be driven. And on the upside, I see a lot of detail in this executive order, very, very specific areas of focus. So I'm actually really quite optimistic about the long term prospects of the EO. But I would also agree with Grant that the EO is a very, very important building block. It's a foundation on which other structures can be built. You know, on the question of how agencies are responding, I've really heard two perspectives. One perspective was, geez, sounds good. But as we read further, we see many unfunded mandates. So I think the burden on the administration working with Congress is to true up budgets as needed in the current year, and indeed, in the out years to make sure that the really aggressive objectives of the EO can be met.
I think the other piece of the equation on the EO for agencies is the timelines. Many of those timelines really are very aggressive. For some agencies, those timelines will be doable, for others, it's really going to be a stretch there. I've heard that NIST will have to reorient many of their people to focus on this EO from other projects. So I think some real load balancing needs to be done to achieve success with the EO. Now, on the question of investments, again, it's easy to criticize. That said, these are large blocks of money that are dedicated to specific objectives. Ken, you mentioned, you know, the true up on the IT modernization fund, that's an order of scale, maybe 5, 10 times larger than that fund has had in the past. The 750 million, a lot can be done. CDM can be modernized, it can be made more functional, that money can be used to create a better relationship with agencies. So real progress can be driven on consensus on endpoint and other type strategies to ensure success. I'm really quite optimistic. That said, I would say that a good deal of focus needs to be done by this administration on Congress: make sure cyber stays very bipartisan, make sure that their budget gets funded, and then really think hard about the out years, 2022, '23, '24. Let's keep up the focus so we can achieve the kind of success we need. In terms of a good definition of success, I think that'll come out more as the rules are written to implement the various parts of the EO. For me success is operational outcomes that you can feel and touch and smell with real metrics driving real performance to achieve the kinds of outcomes we need.
Ken Kartsen: Thank you, Tom. That was very insightful. Jason, let's shift focus to the technical side of the EO, specifically Section two, removing barriers to sharing threat information; Section three, modernizing federal government cybersecurity; Section seven, improving detection of cybersecurity vulnerabilities and incidents on federal government networks; Section eight, improving the government's investigative and remediation capabilities. So here's your question. Clearly your portfolio is aligned extremely well to the EO. And you're ideally positioned to help our existing customers as well as new prospects looking to advance their cybersecurity posture. Can you highlight for a more technical audience today, your perspectives on where our audience should start related to EDR, sharing threat intelligence and Zero Trust architectures that really can make a difference and improve our nation's overall security fair?
Jason White: Yeah, thanks, Ken. So, you know, one of the things, I probably read this, like Grant, I probably read this executive order two, three, maybe even four times and, you know, one of the things I think it's important to realize when you're looking at kind of each of these areas is that they shouldn't really be taken independently. I think it's gonna be really easy to say, well, we were compliant with this, we're compliant with that. But I think you need to kind of look at the overall intent. And as we take a look at the technical areas, whether it's sharing threat intelligence, or enhancing incident response, or date identification, and Zero Trust, they're all really interconnected pieces. Quite honestly, I think the first three are all just building blocks of a successful Zero Trust architecture. So while they may have different uses within the context of the executive order, I think going forward, they're going to drive the effectiveness of Zero Trust architecture. So if we operate under the assumption that Zero Trust is really the end goal, then we, you know, we kind of have to look at the individual pieces of that architecture first. So Zero Trust isn't just going to be a flip of the switch, it's going to be a process. And it's going to require a lot of planning and understanding of kind of what your desired outcome really is. So we look at kind of the individual pieces, you know, for example, sharing threat intelligence. Well, obviously, the more intelligence we have a better adversary, the smarter we are. But if you don't really apply context to the data that you're collecting, all you really have is a lot of interesting information. So in addition, if you're not really coordinating your incident response around the intelligence that you have, you're not really using it to the highest degree of effectiveness. So it really has to provide clear context to the agencies who are relying on it.
So things like early detection warnings, as well as platform mitigation capabilities and prescribed proactive response actions are taking that intelligence and actually making it actionable and making it specific to your organization, so that you can stay ahead of threats that are potentially targeting you. But it ultimately has to be integrated with your detection and response platform. So when you're looking at how we're going to share threat intelligence data, how is that shared threat intelligence data going to drive our ability to more effectively respond to threats that are emerging in our platform? How do we harness the power of that to effectively understand how we're potentially being compromised? So because the earlier you can identify a change in trust, the more effective you'll ultimately be in protecting your assets. Just like the earlier you can identify and implement threat mitigations, the less mission-affecting the threat will ultimately be. So in addition, endpoint detection response is a really great starting point. I understand why the executive order is specifically calling that out as a technology. But when you start to look at what's happening in the endpoint detection response market, or in the industry, it can be fairly limited in scope unless you're adding additional context like network and cloud data into your detection response capabilities. So when organizations are looking at how they're going to fill that requirement, I think they need to not only understand a company's current EDR capabilities, but really what is their path to better leverage threat intelligence, but also their path to a broader XDR solution. When you view that, you know, again, as a capability of Zero Trust, the ability to provide AI-derived user and entity trust across multiple security domains and then coordinate an effective response strategy through either human machine teaming or automation.
I think you have a much more effective solution than you do if you're just relying on endpoint telemetry data alone. So to answer the question, if I were a CIO or a CISO, I would probably start with my end state in mind and work backwards by identifying specific security partners that had a clear vision of how they're going to help me reach my end goal and not just focusing on simply the best solution from each of the individual requirements defined in the executive order.
Ken Kartsen: Jason, it was really helpful. Okay, Grant, back to you. Two part question. First, in your opinion, where did the EO fall short, what could be improved or added in a follow-on action? And second, the government is always careful not to be too prescriptive and relies on guidance, best practices, and perhaps hopes a little too much that everyone behaves with the best intentions. Unfortunately, our adversaries don't follow straight lines, operate within constraints of a system or have political agendas other than successfully attacking their targets. Is it time, or when is it time, for the collective we to be more authoritative and prescriptive?
Grant Schneider: Thanks, Ken. Um, so I think on the falls short part, I don't know that I would say that the EO falls short. I think, and Tom alluded to this and mentioned this earlier, you know, the EO was, you know, largely a response to a set of activities, and I think it's putting a lot of good things in place. And it sort of sets the foundation, it sets the table, if you will, for a lot of ideas and a lot of work that agencies need to move forward and to do. But at the same time, you know, the EO is the beginning of the work, right. And having worked in the White House, getting an executive order out the door is a ton of work and a ton of effort. And everyone's excited when it gets signed. But really, it's the starting gun, right? It's not the checkered flag at the end, it's the starting gun. And I think how the interagency responds to and reacts to and really implements the initiatives there in the EO is going to be critically important for our national security, and for how the EO gets carried out. You know, I share some concerns about sources. You know, you mentioned areas where the budget has some cybersecurity dollars, those are great and really helpful, but I don't think they cover the breadth of what's needed for agencies, both agencies implementing directly, you know, parts of this EO, and then other agencies like DISA and NIST who need to support the entirety of the federal government. Because as Tom mentioned, you know, they're looking to possibly have to, you know, rob Peter to pay Paul to be able to, you know, react to the things that are in the executive order.
So I think it's really how do we see the implementation go forward, is going to drive what needs to happen next. And the EO, you know, it isn't the response to every single cybersecurity activity that's out there. You mentioned ransomware early on. I think there's some foundational things the EO gets after that will help, you know, agencies and anyone who implements the guidance, protect themselves from something like ransomware. But this certainly doesn't get around deterrence and other aspects of ransomware. And so I definitely think there's a lot more work that can be done there. As far as being prescriptive, or, you know, a little more guidance versus being really directive with agencies. Um, you know, that's a challenge when writing policies, and policies by their very nature need to be a little bit of, you know, something that can apply to everyone. What I think is an opportunity in the EO is there's a lot of follow-on reports, a lot of additional frameworks and work that CISA and OMB and others need to develop, to really guide agencies on the implementation. And so I think there's an opportunity, and one of the things we started doing when I was at OMB is have the policy documents be pretty high level, so they apply and then let's just come in, and really provide a little additional level of granularity from an implementation standpoint, so that it's, you know, less of a hope as a strategy and a little more directive and something you can then measure and hold agencies accountable to as they progress and implement this EO and really hit on, you know, both the actions that are in here from a compliance standpoint, but really the spirit of the EO, you know, which is enhancing everyone's cybersecurity posture moving forward.
Ken Kartsen: Thank you, Grant. Your experience helps to give a lot of perspective. Tom, two part question for you. First, where do you think the EO perhaps fell short or could have included more? Second question, what can we expect next from the administration, and the usual authoritative sources, CISA, NIST, GSA, etc.?
Thomas Gann: So on the coming up a bit short side, again, overall, I would praise the administration for the EO. That said, there's no piece of work that's ever perfect or complete. Cybersecurity is definitely an example of an area that's an iterative process. Two areas come to mind. One is the area of information sharing. The executive order does a fine job of focusing on the need for the private sector to improve information sharing with the government, creating some incentives, putting a focus on it. That's important, needs to be done. Indeed, we're already doing a lot of that with the Cyber Threat Alliance. I'd like to think that the cybersecurity companies in that Alliance are leading the charge. Unfortunately, the EO is lighter than I would have liked on the question of enhancing government sharing information with the private sector. You know, information sharing at its best is a two way street, ideally done, you know, in a classified environment, sharing classified threat data from the government, sharing threat data, global threat intelligence from multiple vendors, with the government from the private sector, so that these hacks can be discovered as rapidly as possible, integrating advanced technologies, machine learning and the like, so that we can speed up reaction times, we can speed up sharing of information, we can speed up remediation, and dealing with the challenges. The other area is operational technology. It's alluded to, there's a scheme for labeling for IoT, these are all good things. But we see more and more with our customers is that there are hacks into such things as HVAC systems that then bleed into IoT systems. The classic example is the Target hack. You know, the government's not immune from that either. What we see in the government is in the building area, for example, the CIOs don't have a lot of insight.
The folks that run the buildings for agencies oftentimes don't think about cyber. I would have liked to have seen some operational focus on shoring up the authorities and capabilities of those that manage facilities on the cyber front. What to expect for these other agencies, I think, working the timelines, making sure the reports are done, making sure that this order is executed. And then thinking about the next steps. We're early in the administration, I think we'll see additional executive orders, budget requests. And so I think this is a foundation on which to build.
Ken Kartsen: Thank you. Jason, Zero Trust appears to be at the center of the EO and several other conversations. NSA also recently released its Zero Trust guidance, DoD released its Zero Trust reference architecture. And NIST NCCoE is working on refining their 800-207 Zero Trust use cases. So there's a lot of energy around Zero Trust. And to be honest, it's not a new category. Can you put on your consultant hat for a moment and walk our audience through how they might approach adopting Zero Trust and not be confused that it's a product they just go purchase, but actually an architecture approach towards a defined outcome?
Jason White: I can do my best. So I spent a lot of time reviewing both the NSA Zero Trust guidance as well as NIST 800-207. And one area I'm really drawn to in the NSA document is one of their stated goals, which is to simplify security architecture. And then they go on to identify all the pillars necessary to provide for an entity trust evaluation, whether it be user, device, network, applications and workloads, data, visibility and analytics, automation and orchestration. So while I agree that simplifying security architecture is incredibly important, because we're already dealing with overly complicated architectures in a lot of places, and as a result, visibility and response times can suffer. What I think is important in order to maintain that simplicity, is organizations as they plan their Zero Trust approach they really need to keep in mind, you know, really, you know, how do you effectively implement Zero Trust while also simplifying security architecture? And there's really only one real answer given the breadth of coverage and evaluation required. And it's really going to be building a platform approach to how you address developing a Zero Trust architecture. And I really think that's going to take clear alignment to a security partner that has a plan to get you there. Whether it's through their portfolio or a network of partners, I think the reality is, no single vendor is going to have all of the answers to Zero Trust. But if you can pick a vendor who has a proven track record of building platforms, or integrating solutions together to drive outcomes, that's really what you should be looking for in a Zero Trust partner and Zero Trust strategy for that matter.
Ken Kartsen: Thank you, Jason. That makes a lot of sense. Okay, Grant over to you. Multi part question this time. First, humor me for a moment. Let's make believe you're now back in the White House, and you just helped craft the EO and send it out to your constituents. What are you and your colleagues doing right now, as a follow up to this action? How will the White House measure success and determine what happens next?
Grant Schneider: Don't tell my family you put me back in the White House. No, I think so. I imagine the team after, you know, a short bit of celebration, you know, did two things. One, started to put in the mechanisms that are going to track the requirements of this EO. And again, from a compliance standpoint, but it really needs to be more than that, it needs to be enduring. But quite frankly, I'm sure the team is also, you know, looking at what are the next challenges, you know, what else is out there that needs to be focused on? And so, you know, I'll get to that in a second. But I think on the first, you know, first and foremost, you know, the National Security Council is certainly, you know, driving this initiative and this effort. I'm certain that they are going to be checking and regularly checking in with agencies on the timelines and deliverables and seeing where they're at. I would also hope, though, and expect that the Office of Management and Budget will be implementing some kind of longer term, you know, reactions to the EO and perhaps integrating efforts from this into the cross agency priority goals, into perhaps the President's management agenda, but into some of the places where you know that OMB does a really good job of tracking agencies and unable to track hopefully towards outcomes over the long term, right, use the Federal Information Security Modernization Act metrics and performance measures to hold agencies accountable and be sure that they're actually hitting the security targets that they need to as a result of the EO. And really, you know, I guess what I'm saying is bake it into the institutional mechanisms the White House has for tracking performance, because by the very nature, the boss who's going to look to, you know, we mentioned or I mentioned, ransom, you mentioned ransomware, earlier, and there have been additional ransomware incidents since the EO came out.
And certainly since it was first being drafted, I think the administration is going to have to have a strong focus there. And that's going to take some cycles from people that might be you know, watch plants here. And they're going to have to work on what are the policy responses to those new, you know, to not that new threat, because it's not a new threat, but the, you know, in a resurgence, or surgence, of ransomware that we've seen, and what is the policy response going to be there?
Ken Kartsen: Thank you, Grant, I think I clearly understood that your work life balance in the private sector is probably a little better than at the White House. So Tom, from your policy perspective, where are the landmines, the administration and their supporting authoritative sources need to be cautious about when releasing the next pieces of guidance, right?
Thomas Gann: Well, so, in guidance, you know, there are different pieces of it. There's short term guidance when the deadlines are met, when the reports are issued, and then the focus is done on implementation. So I think one thing, and I know this administration will do a good job on, is to be cautious about over listening to interests, you know, on things like Zero Trust, on the issue of EDR and others. The need is to make sure the guidance stays true to the vision of the EO. And that is that these are general guidelines, their architectures, say on Zero Trust, that then various vendors will compete against each other to win the business. And that is as it should be. One of the great risks for an agency is the idea of regulatory capture, right, where those that are being regulated capture the regulators and then shape the rules to the advantage of a few large vendors. I think the administration, this one in particular, is mindful of that. But it's important to be careful of that. The second area is the area of resources, making sure that the various agencies are given the right resources to do the studies, so they can meet their timelines. From a longer term point of view, making sure that the administration continues to build the right support with Congress in a bipartisan way for additional funding, additional alignment on cyber. Cyber at its best is a bipartisan activity, and making sure that it stays that way so that we can really maximize the national interest and protect the country across the board. That's definitely where the focus should be.
Ken Kartsen: Thank you, Tom. Insightful. Okay, Jason. Now that the agencies have submitted their initial reporting on how they intend to respond to implementing the EO guidance, and given your vast technical experience in working with just about all the federal civilian agencies over the last 16 years, what three pieces of sage advice would you share with our audience today to help them move to the next phase of implementing solutions for EO compliance?
Jason White: Sure, yeah. So you know, one of the things I've noticed is a lot of our customers, you know, they have regular conversations with their platform partners, and their infrastructure partners, and they do a lot of planning together to try and kind of map where they're going to be going in the future. One of the things I'd like to see more organizations do is to treat their security partners like they do those infrastructure and platform partners and start involving them in your planning, give specific security outcomes that you're trying to drive, which are very clearly defined in this executive order. I think the closer you are to a preferred security partner, the more effective you can be in helping to drive the security capabilities that you're looking for, and ultimately deliver those outcomes that you need. I also think that there's a tendency, you know, amongst, you know, not just our government customers, but a lot of our customers as well as, you know, things in our personal life, we kind of get drawn to the new and shiny sometimes, right. And I think it's important to know that the industry does catch up. Resilient security vendors, like McAfee that have been around for close to 30 years, you know, we do eventually catch up. And what ends up happening when we catch up is we integrate capabilities into an existing platform that allows us to more effectively serve our customers. And oftentimes, we've evaluated kind of the gaps in the market, and, you know, continue to deliver innovation around some of those capabilities.
So one of the things I would also say is, you know, choose a partner that has a track record of platform integration and consistent execution, that are quick to catch up to what's going on with market trends, that again, are only going to help you drive those outcomes. Don't be drawn necessarily to something that's new and cutting edge when you've got a trusted partnership with an existing security vendor. And I think the last piece of advice that I would offer, and maybe it's a little simplistic, I mean, it's something I tell my kids all the time when they're doing their schoolwork, which is slow down, take your time, there's really no prize for finishing first. I think a lot of times when these executive orders come out, there's this, you know, there's a sudden burst of energy and urgency that drives us to figure out how we're going to meet compliance and be compliant with the requirements that are laid out for us. But I think that while that is helpful, I think oftentimes it can introduce risk. And when you're dealing with something that has the breadth and the scale of this particular executive order, I think it's important to give yourself enough runway in order to succeed. And I do know that the executive order has some pretty stringent timelines that are pretty aggressive. But from what I've seen, most of those timelines are focused on the reporting of your plan to, you know, execute, rather than a final execution date. So I think as people are submitting those reports as to how long it's going to take and what they're going to do to get to that compliance state, they need to make sure they give themselves enough opportunity to ultimately be successful.
Ken Kartsen: Thank you, Jason. Those are some really good points. Okay, Grant, final question. Today, we have discussed a lot about the intent, the market reaction, technical direction, what the administration perhaps could have done to improve the order, and what may be next. We even discussed the fact that our culture tends to be more reactive than proactive. Given your background and previous experience with a true understanding of the complexities of big government, politics, etc., the one question that I'm sure everyone would agree needs to be asked is this: what critical things must the collective we do, and/or change, to finally get ahead of our adversaries?
Grant Schneider: Yeah, Ken, that's a great question. And it's, of course, not one with an easy answer, right? I think, and Jason touched on a number of, the real core things that we need to do, that agencies need to do, that small, midsize and large businesses need to do, are a lot of fundamentals and a lot of basics, right? We need to have a modern IT architecture. So modernizing government technology is absolutely critical along this path. I mean, right now, the government spends in excess of $90 billion a year on information technology. And, you know, most of that is, you know, maintaining and maintenance and O&M of the existing system, some legacy, some not, but of existing systems. And then we spend something like 15 or $16 billion on cybersecurity, the majority of which is inside the Department of Defense's budget. We really need to focus on what do agencies need to take care of the basics day in and day out. The vast majority of incidents, and SolarWinds may be a bit of an anomaly, but the vast majority of incidents that we see, our adversaries, as creative as they might be, are using a lot of the same playbook. So they exploit previously known vulnerabilities that were not only previously known, but in most cases actually had a patch or a solution to them, or mitigation that was known and had been published and just hadn't yet been implemented. And, of course, you know, as network defenders, we need to be right 100% of the time, and the adversaries only need to be right once, right? They just need to find one server that wasn't patched, one person who, you know, for whatever reason, couldn't have multifactor authentication installed and therefore didn't, and then they were able to potentially exploit those. And so we really got to focus on, you know, what are those basics? And what are the resources that we need to meet those basics? And then how are we holding agencies accountable?
Now, how are we evaluating and assessing them and doing it in a way where we're providing them tools and solutions, perhaps more moving toward shared services, moving towards cloud services and cloud delivery, as we mentioned here today? You know, all of those are things that are foundational and are going to help agencies. There's not a silver bullet. We also need to expect that adversaries are going to get into our systems. I was really excited in the EO to see the move and the push towards Zero Trust. As Jason said, you know, Zero Trust is not a thing. It's not a product, it is an architecture and a bit of a journey. I also think the enhancement of encryption of data that's mandated in the EO, and certainly the expansion of multi-factor authentication, which the government's doing, done a pretty good job on, but we need that to be 100%. And so, you know, all of those are things that I think taken together are really going to be able to help the government, you know, perhaps get ahead of, but certainly be able to deal with malicious adversaries as they try to get into and perhaps do get into systems and be able to respond and recover very, very quickly to those types of incidents.
Ken Kartsen: Yeah, I couldn't agree more, Grant. I think it all starts with good cyber hygiene. Without that we get nowhere. Well, I want to thank all of you for all your time today. Grant, Jason, Tom, this was really informative. I really appreciate everyone's time.
Speaker 1: I'd like to take the time to thank our speakers for joining us today. And if anyone has any follow-up questions, please reach out to McAfeeMarketing@carahsoft.com. Thank you for listening in and have a great day.