00:00okay well in the interest of keeping on
00:03the schedule we're gonna get started
00:05this is dr. ash Carter a deputy deputy
00:08secretary of defense and Alex Stamos
00:10who's the size of Yahoo I'm John Jack
00:13I'm a board partner at Andreessen
00:15Horowitz I'm 59 years old and yesterday
00:20I was reading the paper listening to
00:23Frank Sinatra and at the same time I
00:29opened my mail and I had and this this
00:31part's true I was actually I was
00:34actually listening to ac/dc but he
00:36wouldn't know that so I I opened my I
00:41opened my mail and I did have a new
00:44charge card from visa as a result of the
00:47Home Depot breach and as we've seen in
00:49the news there's the home depot breach
00:52there's the target breached which the
00:54cost to target is now 236 million
00:57dollars direct costs and rising and we
01:00know what happened to a few people's
01:01jobs there and and now we have JP Morgan
01:04Chase so my first question to you ash is
01:09III think that as long as I've been in
01:13the technology field and then five and a
01:15half years in the in the Department of
01:17Defense and just to be clear I'm the
01:18former Deputy Secretary of Defense as of
01:20a few months oh you were just promote I
01:21had but we had all of our systems and
01:26our technology and obviously NSA
01:29reported to me and all that and I was
01:33consistently disappointed with our
01:36security even though we spent awful lot
01:40on it we're probably more aware than
01:41others and as long as I've been in this
01:43field I have had the feeling that this
01:46was a an area in which demand was
01:49inadequately articulated and so
01:51investments weren't being made and year
01:55after year after year would go by now I
01:57hate to see demand stimulated in this
02:00way through the target thing but I think
02:02it is the beginning of a wake-up call
02:05that said I think a lot of people at the
02:08top don't know what to do at that point
02:12they have a big installed legacy base a
02:15lot of that's old and they may climb on
02:18top of that problem technically and then
02:20then they say oh geez I didn't know
02:22about the SAS and mobile and cloud and
02:26all these things that add whole a whole
02:28different layer to things and then many
02:31of them and this is especially true of
02:32small you know Jack not JPMorgan Chase
02:35not Target but go down a tier they don't
02:40quite know why it could be detrimental
02:43to their business to be an insecure they
02:47understand the reputational part of it
02:48but not necessarily the instrumental
02:50part and these are real real one of the
02:53threats to them is real-world
02:54competitors elsewhere in the world who
02:57are stealing their intellectual property
02:58so it's not a joke and it's not really
03:01an abstract thing but any rate that
03:02short answer your question is I've been
03:04waiting for godot here for for for many
03:07years I'd certainly hope that this is
03:09the beginning of a wake up call but I am
03:12skeptical Alex are you awake I'm okay so
03:20on the credit card issue I think there's
03:22a micro no macro so the micro issue is
03:24you were on the verge of a transition
03:27away from the magstripe sixteen digit
03:29credit card model and just at the
03:32beginning of that transition some bad
03:34guys figured out the real fundamental
03:36problem that the CIOs and the CSO these
03:38companies have which is they have a huge
03:40physical plant with fifty sixty seventy
03:42thousand deployed point-of-sale systems
03:44many of which are still running Windows
03:45XP and that are almost impossible to
03:49secure right and so you have kind of a
03:52micro issue of often in the security
03:54industry the bad guys figured that out
03:56they have a very notable success and
03:59target was the first success and then
04:00you have the follow-on and now with the
04:02EMV transition especially these guys who
04:04have had probably access for a long
04:05period of time we're trying to slam it
04:07through and make as much money as
04:08possible before EMV comes next year and
04:11NFC and all that stuff I mean the macro
04:13issue is dr. Carter said the unfortunate
04:16truth is that if you look at the fortune
04:17500 I would say 470 those companies are
04:22kind of screwed because they're they're
04:25what what's happened is is that the
04:27level of adversary has caught up to a
04:29level that's well beyond their ability
04:31to play and so when you look at like the
04:33people who are okay shape are that the
04:35big tech companies because we have big
04:37diverse teams and we have over a hundred
04:38people on my team and a couple others
04:40working on security and I have the
04:43ability to hire Windows kernel experts
04:45and reverse engineers and Bower experts
04:47and people who you know we write a bunch
04:49of our own software to go find malware
04:50to manage systems and I have the ability
04:53to hire those people and to keep them
04:54employed and interested and then you
04:56have like the defense industrial base
04:57and those guys can just throw money at
04:59the problem but for everybody else and
05:01the bank's right the bank said throw
05:03money at the problem no it wasn't you
05:04know and they can hire good people they
05:06have a ton of money they're able to
05:07spend on product but outside of that
05:09like if you're just a industrial company
05:12in the Midwest and you have 5,000
05:15employees and a couple billion dollars
05:16in revenue it used to be that security
05:19was you know you keep the viruses off
05:21the network and stuff and now it's that
05:22you have a competitor in China or Russia
05:24or another developing country where
05:27there's a a loose line between the
05:29government and industry and all the
05:31sudden you're facing people who've been
05:33trained by those countries intelligence
05:34agencies from an industrial espionage
05:36perspective who have cut their teeth
05:38breaking into Lockheed and Northrop
05:39Grumman and Google are now turning to
05:41Midwest industrial manufacturer and
05:43those guys are really in trouble because
05:44as an industry we don't have much to
05:46give them because they can either build
05:48the people like we can or they can't
05:49spend the budget like the banks in the
05:50defense industrial complex can so it
05:53sounds a little scary so if you if you
05:55think about one of the thesis of
05:58andreessen horowitz is that software is
06:00eating the world meaning that there's
06:04more and more software deployed to
06:05disrupt current industry or in my it
06:08what I tell CIOs and and silos is
06:11software is essentially the
06:13manifestation of your competitive
06:15advantage you build software in order to
06:17keep your business ahead of your
06:19competitors so we have a new class of
06:22bad actors who know how to go after
06:25anywhere from the largest enterprises
06:27down to small medium enterprise yet we
06:29have a continued need to publish more
06:32software in order to maintain a
06:34competitive advantage and with more
06:36software we have more
06:38back surface so what would you what
06:41would you say to the CMOS and CIOs in
06:44this room about how to think about the
06:46problem and think about what to do
06:48given that CMOS are more concerned about
06:51the brand and reputation and CIOs of
06:54course are often have this ISO reporting
06:57to him or her or or side by side it's a
07:00big problem what what guidance would you
07:02give I'll go to Alex first yeah for the
07:04CIOs you mean you said the word the
07:07magic words attack surface right so
07:08attack attack surface is you imagining
07:10what's a company look like to the
07:12outside to a bad guy or what's a piece
07:14of software look like an attack surface
07:15minimization is by far the cheapest and
07:17most effective way to reduce your
07:19security risk it's the reason why
07:20Microsoft has spent probably a billion
07:22dollars on security in the last decade
07:24and they still haven't gone anywhere
07:25it's because they're not willing to do a
07:27TAC Service minimization due to the way
07:28they do backwards compatibility and so
07:31if your CIO one move to the cloud who
07:34here works at Microsoft great nobody
07:37nobody in this room is qualified to run
07:39exchange at their enterprise no CIO and
07:41here's qualified or an exchange right
07:42like if there's anything the cloud and
07:44kind of the DevOps revolution has taught
07:45us it's that things are way more secure
07:47if you write the software and you
07:48operate it yourself so I moving to the
07:51cloud into trusted cloud providers who
07:53are doing a good job for all of the
07:55functions where you're not writing your
07:56own software I think is the best way to
07:58reduce the tax surface and for the CMOS
08:01engage on security issues before it's an
08:03emergency right that promise for most
08:05companies they only trot the seaso out
08:08to be that sacrificial lamb to have
08:09their head chopped off in public
08:11after there's a and that's that's one as
08:14like the Union my union rep says that's
08:17not a good thing for CISOs overall but
08:19also it's a lost opportunity for for
08:21companies to engage the press and engage
08:23their users to talk about positive
08:25things about security and to build up
08:27some trust because the truth is we're
08:29all going to have security incidents if
08:30you only talk about security when it's a
08:32bad thing you have no ability you have
08:33nothing built-in with reporters and the
08:36people who give quotes and the experts
08:37in the field to rely upon when the bad
08:39things happen so get more proactive
08:41about talking about positive things
08:42about security and how users can keep
08:43themselves safe so when the bad day
08:45happens that you've got a little bit of
08:49I agree with everything Alex said and
08:51Menino he has a company that has
08:54capabilities not all companies can do
08:58what they do or not all companies have
09:01an Alex famous working for them and
09:03they're not going to so that the the
09:06challenge for the what I'll call some
09:08were average company with a big
09:10installed legacy base and a kind of IT
09:15department is how do you is you look out
09:19and I talked about the market what does
09:23the supply chain look like for security
09:26it's hugely fragmented there are lots of
09:29you know you have to have this and you
09:31have to have that we all know what all
09:32the pieces of a of an overall security
09:35architecture is depending upon you or
09:37what you're trying to protect and the
09:39attack surfaces that you're dealing with
09:42but it falls on the company and its own
09:46staff to assemble that architecture and
09:49so somebody's gonna make in a hell of a
09:52lot of money who figures out how to
09:54brand that architecture and can credibly
09:58say all put together an architecture for
10:01you non tech company as good as the one
10:04alex is going to put together for a tech
10:06company and here's how you'll know it's
10:09it's good right now they're having to do
10:11it themselves and they got ten vendors
10:12coming in with pieces of it and they're
10:15trying to put these pieces of puzzle and
10:16they're just not capable of doing it
10:18it's a very hard thing to do
10:20intellectually to do and they're there
10:22the IT departments aren't up to it do
10:25that do the CMOS in the room have to
10:28change their mindset around security in
10:30this regard so for the past 12 years
10:33when I've been in this industry and I
10:35have a successful sale to a big
10:38financial services firm their first
10:40thing they tell me is you'll never use
10:41my name it better not appear on your
10:44website will never be a reference this
10:47is top-secret stuff is that is the
10:50landscape changing where to your point
10:53of being proactive means that companies
10:56should talk about their security
10:58strategy so they're out in front of it
11:00yeah I totally agree I mean the idea
11:02the bad guys are getting the information
11:04from public sources like they know what
11:07your info is the the truth is I think
11:09one of the things CMOS need to realize I
11:11think CIOs hopefully get at this point
11:13a breach isn't just a breach as a breach
11:16right like we have this idea that if any
11:18machine gets broken into it's the same
11:20as a hundred million credit card numbers
11:22the truth is for any reasonably large
11:24enterprise every day your security team
11:26is running two or three or four security
11:28incidents that's malware dropping this
11:30amis machine somebody who is tricked and
11:32fished that was an external machine that
11:34didn't get patched you got compromised
11:35that's just day-to-day for us right and
11:38so I think simos need to realize that
11:39there's kind of a give-and-take in
11:40security that happens and it's important
11:43to talk about the fact that if you know
11:46we for example had a security incident
11:48just a couple weeks ago where we had
11:50three machines broken into and there was
11:53a young man who's trying to make a name
11:55for himself by publicizing this and it's
11:57a it's a big deal and we're glad that
11:59these machines were found and caught but
12:00because of the way we build things
12:02there was no user impact there's no user
12:04data impact and it was important for us
12:06to kind of go out and publicly say this
12:09is what this means and we could do that
12:10because we talk about our security model
12:12openly and so I totally agree that you
12:15need to go out and talk about that
12:16because the bad guys know you know no
12:19Enterprise with more than a couple dozen
12:20people is gonna keep the bad guys from
12:22first getting a foothold in their
12:24network that's impossible
12:25it's about what happens after that so
12:27there's there's no real loss to talking
12:28about your security plans ash director
12:31Comey of the FBI said everyone is owned
12:34by the Chinese what did you think of
12:36that statement and I don't think he
12:38meant like equity owners no no no no we
12:42didn't and I think I think Jim combi is
12:46basically telling the truth the Chinese
12:51government sponsored and at kind of one
12:55arms-length proxy IT aggressor services
13:02are large they're smart and they're
13:08largely unopposed in this country so I
13:11think that you and I certainly I
13:14tell you JJ I even felt this way about
13:16our networks in the Defense Department
13:19and if anybody thinks that we did a very
13:22good job of protecting defense networks
13:24take a look at Edward Snowden classic
13:27whatever you think of that it was a
13:28classic insider threat realized to the
13:31huge detriment of the of the country
13:40I always felt had penetrated are the
13:45government networks we know and we see
13:47all the time them and it they're small
13:50there they go after little companies
13:52that make a little component a specialty
13:57component of a specialty alloy or
13:59something or a paint that that it took
14:03somebody somewhere in this country
14:04decades to perfect that formula and they
14:08steal that formula and thereby overnight
14:11become a competitor for a company it's
14:13serious business they it also allows
14:16them to get into the supply chain so if
14:18they can break into that little paint
14:20suppliers systems they can get into the
14:24supply chain and worm their way up to
14:25where they might want to get to Alex
14:28what do you think about you touched on a
14:30little bit again for the CMOS in the
14:33room how do you how do you make a
14:35decision what to talk about if you
14:37indeed you have been breached I mean
14:39there's two extremes right there's the
14:41one machine or three machine example you
14:43have and then you know a hundred million
14:45credit cards but what about that area in
14:48the middle how do you think about that
14:49yeah unfortunately it seems like most of
14:52decisions are made by lawyers right who
14:54are all about we're gonna hide as much
14:55information as possible because we're
14:57not gonna give it out you know obviously
14:58each one of these breaches comes with
15:00its own special set of shareholder
15:02lawsuits and and user class actions and
15:05there's a Shakespeare quote that I think
15:08is relevant here I'm not gonna repeat
15:10but you can guess what it is but uh you
15:13know that letting the lawyers make the
15:16decisions by default I think is is not
15:18great I mean obviously having your
15:19general counsel and your legal team part
15:20of it is totally critical but that's why
15:22you have to have that discussion with
15:23them ahead of time and I think wargaming
15:26this out is actually not a nun reason
15:27thing to sit and do a tabletop exercise
15:29and there are consulting companies that
15:31do this where you can just do it on your
15:32own with your own security team where
15:34you could wargame out with your CMO with
15:36their general counsel with your law
15:37enforcement team the share the people
15:40who do all the Investor Relations and
15:42securities law and game out like what
15:44would we do in this scenario so that
15:45you're not making the decision in a
15:47four-hour window I just had one thing
15:49that that is another dimension of this
15:51that I think bears mentioning it came up
15:53this morning and the the when folks were
15:57talking about the 2-way nature of
16:00transaction in which I share data with
16:02an enterprise and the need to give back
16:05and therefore the question of trust and
16:09the personal cost associated with being
16:12active on there I think that's another
16:15dimension of security it's not about bad
16:18guys hacking and and stealing things but
16:20it is about trust and reputation in a
16:22certain sense I think these two things
16:24are kind of gonna come together I think
16:27people not malefactors but people are
16:31gonna be more demanding that they
16:34understand what is being done with their
16:36information that it's not going off
16:38somewhere not China necessarily but
16:41often somewhere where there could they
16:42can't control it and aren't getting
16:44anything back I think from the point of
16:47view of the the corporation leadership
16:50those two things are they're they're
16:53somewhat separate but operationally they
16:56overlap quite a bit you know on a thread
16:58there is what is the role of the
17:02government and commercial enterprise in
17:04sharing information about threats okay I
17:07don't it's we have some pockets of
17:10success there we have FSI sack you could
17:13argue has a pocket of success but why
17:15isn't there just a the government shares
17:19everything they know every commercial
17:20enterprise shares everything they know
17:22except for the lawyers everything they
17:25know and we have this universal
17:27knowledge base of of bad behavior
17:31there's more going on there than you
17:33might think but a lot less than there
17:35so now the question is why and these
17:37aren't these are not excuses to me
17:41there's no excuse but the explanations
17:44are that a lot of the threat information
17:49that the government collects in the
17:51counterintelligence area
17:53counterterrorism protect our networks
17:55area some of its germane but a lot of it
17:59is not really germane to these
18:01commercial attacks said differently the
18:03government isn't collecting a lot of
18:04information about these these attacks
18:06that's that's that's thing one thing too
18:08which is less acceptable is in this in
18:14the u.s. federal government has still
18:16not made a decision in the manner of
18:19cyber defense of the kind that it had to
18:23make in the area of counterterrorism
18:24which is is this a an attack a crime or
18:30a disaster now why do use that matter
18:32because it's all three if it's an attack
18:33then you expect your defense
18:35establishment to take care of it if it's
18:37a crime then you expect your law
18:39enforcement establishment to take care
18:41of and if it's a disaster than you
18:42expect your homeland security apparatus
18:45to take and so there's been this sort of
18:48threefold struggle over this and you add
18:52a huge layer of lawyering government
18:55lawyer even worse on top of that and you
18:58have stasis and and paralysis so even
19:02said that what that's another way of
19:04saying JJ is that the even that which is
19:06collected and could profitably shared is
19:10inadequately shared because of those
19:12basically trivial bureaucratic can we
19:14break that logjam yeah I think that
19:17you've we've we've got to and I the the
19:21I I think you see Jim Comey actually
19:23trying to do that in my attitude when I
19:27was representing the Defense Department
19:29to Jim and his predecessor Bob Muller is
19:32my attitude was I'm not going to try to
19:34claim this go for it and I'll I'm a
19:38hundred percent behind you I could never
19:41get homeland security quite honestly
19:43because I thought they had the attitude
19:46that they wanted this bureaucratically I
19:49mean all bureaucracies want things and
19:51they wanted this but they didn't have
19:53ability Comey had the authorities and
19:57some reasonable technical capability we
19:59had a lot of technical capability but I
20:01didn't feel like we were the right
20:03so my attitudes this is a national
20:05problem let me just get in behind Jim
20:07and tell all my bureaucrats to stuff it
20:09and stop fighting with them and trying
20:11to seize it yourself but I never got
20:13homeland security to that point of view
20:15we better talk to them what's the the
20:18corporate view on on the sharing and
20:20collaboration yeah I mean we'd like to
20:23collaborate more on the national
20:25intelligence threats it feels like it's
20:28a one way that we send data to the
20:30government and they say thank you and we
20:32talk to these folks it's not like
20:33they're being malicious the the problem
20:35is kind of over classification right
20:37that you'll have a sorcerer method that
20:39gives them data that's useful and and
20:41then everything that that touches
20:43becomes classified and then the process
20:45to get this stuff from you know if it's
20:47if it's sei you know compartmentalized
20:49information to get that Declassified to
20:51be able to share with us like completely
20:53you know up to the no foreign level or
20:55something is extremely hard even though
20:56you know I have employees who have STS
20:59sei clearances who have the ability to
21:00work the government but then we can't
21:02take data that then we can't use
21:04elsewhere right and so for me to be able
21:05to take an IP address to put it into my
21:07Splunk search has to be declassified and
21:09there's no real good process for that
21:11and so most of the data sharing that
21:12happens it's useful for us is between us
21:14and our partner companies FSI sacs a
21:16great example of how the banks have done
21:18that we're a member of FSI sac because
21:19we do billions of dollars in credit card
21:21transactions and I think that's great I
21:25think the tech industry needs to do that
21:26I mean it's a little harder for us
21:27legally the bank's basically have no
21:30privacy laws which is how credit unions
21:31exist and stuff so they can just take
21:33all of your information and share it
21:34that's not true for us with echo and a
21:36couple of their laws and I think that's
21:38fine that those laws exist but we need
21:39to figure out like the legal framework
21:40that allows us to share information in
21:42real time to be able to say you know
21:44this this Android phone that has malware
21:47on it is pretending to be other users on
21:50Google Facebook Twitter and Yahoo at the
21:52same time it would be great for us
21:53instead of each one of us determining
21:55that separately that one of us figures
21:57it out and then that person is locked
21:58out from the rest okay well we have
22:00eight more minutes and 11 seconds and
22:03what I'd like to do is ask you each a
22:07that's very specific to your domain and
22:10not necessarily completely on topic
22:13great Alex I'd like to ask you as
22:17individuals in this room how do we think
22:20about our own personal security cyber
22:22security so the kind of inconvenient
22:26truth of the tech industry right now is
22:29that there's pretty much nothing a
22:31individual person can do to be safe
22:33online if they're targeted by a bad guy
22:36and the way we can tell us for sure is
22:38from the iCloud hack so we talked about
22:40Target at Home Depot which has hundred
22:41millions accredit card numbers but who
22:42really cares right like lots of people
22:44get their credit card numbers change and
22:45Target loses a couple percentage point
22:46of their market cap at the human impact
22:49of that is minimal whereas with the
22:50iCloud photo leak you know we have
22:52dozens of celebrities with their most
22:53intimate videos and photos being on the
22:57and you know the first reaction from a
22:59lot of people the tech industry was like
23:00oh well you shouldn't take naked
23:02pictures of yourself on your camera
23:03which is like a totally reasonable thing
23:05to tell your teenagers right but it's
23:07not an appropriate reaction from the
23:09tech industry and that the truth is is
23:10that all of this technology in our lives
23:12we put this huge edifice that is
23:14completely unsupported by the fact that
23:16if you are targeted by a bad guy that
23:19are going to get in right either they're
23:21going out first they're just gonna buy
23:23your username and password off the black
23:24market from a third party breach or then
23:27they're gonna step up to doing a spear
23:28phishing attack of you or they're gonna
23:30do password reset questions which are if
23:32they research any individual you can get
23:33somebody's credit report which you can
23:35purchase from choice point or something
23:36like that or they'll go and put malware
23:39on your personal machine right and so
23:41that that's a real problem for the tech
23:44industry and so I mean the best things
23:46people can do is they can protect
23:48themselves against kind of the mass
23:49takeover which means don't you need to
23:51use a different password every single
23:52site you need to earn two-factor
23:54authentication on everywhere that
23:55probably means using a password
23:56management tool like a LastPass or
23:58dashlane or one password but beyond that
24:02it's incumbent on us to the next five
24:05years we need to redesign how technology
24:06works so it actually people are safe if
24:08they're targeted it not just that
24:09they're lucky okay I was kind of hoping
24:12for like this magic just do this but
24:16I mean you could you could join the
24:17Amish and raise bar I mean that's
24:19honestly the safest thing ash while we
24:27have you on stage a little bit higher
24:29level than cybersecurity is national
24:31security and I'm just curious on your
24:35views on at all that's going on in the
24:37Middle East and what what's the path
24:39from here well say something that might
24:44might surprise you which is that yes the
24:48Middle East is very important I fought
24:51two wars there Iraq and Afghanistan a
24:54lot the bin Laden raid lots of things
24:57have been going on there and likewise
24:59with Russia Putin Ukraine and so forth
25:02but if you step back a little bit from
25:05those and you say what is would really
25:07be consequential for us as a country and
25:12us in this industry writ large your eyes
25:18have to go back to East Asia where for
25:22you know 70 years largely because of the
25:27there's been stability and prosperity
25:30that's the environment in which Japan
25:33first rose and prospered and then South
25:35Korea and in Southeast Asia and today
25:39China and India and that's a great thing
25:41and it's a huge asset to our world and
25:44to humanity and to those those people
25:46but it is also a region in which where
25:49the wounds of World War two never healed
25:51they all hate each other if you haven't
25:54noticed and the United States has been
25:59kind of a counterweight to that and a
26:01balance wheel and the the rise of China
26:07is okay and I'm not one of these people
26:10who believes that conflict with China or
26:12a cold war with China is inevitable it's
26:14certainly highly undesirable but you
26:16don't get what you want in this life
26:18just by wanting it we have to work that
26:21result and there is a tendency in
26:24Chinese strategic thinking and you hear
26:28- you know be a little it nails our
26:31place in the Sun our time to shine and
26:34said within bounds that's okay when it
26:37shades into hubris and risk-taking it's
26:41a problem and I just say that because
26:43that can ruin everything
26:44Putin can't ruin everything and you know
26:47Isis can't ruin everything that could
26:49ruin air and everything the other thing
26:51I came to mind which is very important
26:54to him to me personally and I'm kind of
26:56devoting myself to now and this has been
26:59mentioned several times in this room and
27:01that is the the ability of our people in
27:06the United States to partake of the
27:09digital economy do they have the skills
27:13do they have to succeed and because our
27:17business success will depend upon their
27:19ability to do that and the social
27:23cohesion of the country will depend upon
27:25the sensation that the American Dream
27:27isn't just a dream and that the
27:30escalator is still there and and once
27:33again that's not something you can just
27:34take for granted generation after
27:36generation we have to work on it and say
27:38well what does that gonna mean in this
27:40new world it's not going to mean what it
27:42meant for our parents it's gonna mean
27:45something different but there there has
27:47to be that sense that you can get ahead
27:50by and that the system is fair and gives
27:54you a chance and that we have the best
27:57workers therefore you know top-flight
28:00industry and so forth and I I think
28:03there are enough worrisome indicators
28:05there that it's something we need to
28:07take seriously about because you know
28:08you're leaders of the society here
28:11leading into this new future I think we
28:14have to have a philosophy towards that
28:16and I'm I'm now having left defense and
28:18I don't have that to preoccupy me
28:20anymore that's I'm turning myself to
28:22that puzzle I don't have the answer to
28:24it but it's like I think it's something
28:25that I'm thinking about so interesting
28:27perspective you're saying that part of
28:29the way to think about this is very
28:31inwardly focused right is it is our own
28:34world we live in that we drive versus
28:37just thinking about how we can quell the
28:40turf etc so yeah I mean I'd like to have
28:42the luxury of saying everything's okay
28:44here and we'll still have all the
28:47technology and the money that we need to
28:51defend ourselves you know and be the
28:54best and so forth but you can't take
28:56that for granted in defense any more
28:59than you can take it for granted in any
29:00other field of technology other people
29:02are good they're smart they're working
29:05on their development of their own people
29:06and their own technology and that's fine
29:09it's fair but I want I want us to be
29:13doing that for ourselves too
29:14great well thank you both very much