Contextualizing the National Cybersecurity Strategy
In this episode, host Paul Roberts chats with Devin Lynch, Director of Supply Chain and Technology Security for the Office of the National Cyber Director, about the National Cybersecurity Strategy released by the White House last month.
EPISODE TRANSCRIPT
PAUL ROBERTS
We're back for another episode of the ConversingLabs podcast here at ReversingLabs. I'm your host, Paul Roberts. I'm the Cyber Content Lead at ReversingLabs, and we're very pleased to have in the studio Devin Lynch, who is the Director for Supply Chain and Technology Security at the Office of the National Cyber Director or ONCD.
Devin, welcome to ConversingLabs.
DEVIN LYNCH
Thank you very much for having me. I look forward to our conversation.
PAUL ROBERTS
Me too. I think first order of business, Devin is, tell us a little bit about, the ONCD and about the work that you do there as Director of Supply Chain and Technology Security. What's in your portfolio as it were?
DEVIN LYNCH
Absolutely, let's start with the big ONCD question. ONCD is a new office in the Executive Office of the President. We were created, established by Congress in 2021, so very much new. And our mission is to advance national security, economic prosperity, and technical innovation through cybersecurity policy leadership.
My boss's boss is acting director Kemba Walden, and she is, by Statute, an advisor to the President on cybersecurity policy and strategy and efforts to increase ICTS security, national supply chain risk management and vendor security. And I direct the supply chain portfolio for ONCD, so there's anything within supply chain trickles down my way.
PAUL ROBERTS
So first, the inaugural national Cyber director was Chris Ingles. He stepped down actually just last month in February, after really standing up the director. And you've got an acting National Cyber Director now. What were some of the challenges, of standing up this organization, and, what did Chris leave behind?
DEVIN LYNCH
The challenges, I think are many because we haven't created an executive office within the EOP in 30 years. There's no manual, there's no turnkey, there's no YouTube video for how to do this. So very much trying to build a ship as it sails or the plane while it flies. But with that are a lot of opportunities as well.
Chris worked to establish relationships and establish the office. And Kemba was beside him for much of that journey. And with his transition to her, I don't see, I see that as seamless. I see her vision slightly different because her perspective, her experiences, her diversity brings,
are brought to bear and brings strengths that Chris didn't have. But at the same time, the foundation on which we rest is quite strong.
PAUL ROBERTS
Could we just talk a little bit about your own kind of journey to cyber? Often these are really interesting stories. In your case, you've spent most of your career in the military, in the Navy in particular, for 17 years, went out, did some work in the private sector for Security Scorecard.
Just talk about your own path. Did you start out with kind of cyber in your sites or did you find your way to Information Security/Cybersecurity?
DEVIN LYNCH
I found my way simply. So I have two careers that I'm in the Navy Reserve still. I'm approaching, I guess I'm closer to 18 than 17 years now. Always as an intelligence professional and through those 18 years, we've had the profession go from intelligence to information dominance to information warfare.
So the profession itself has taken a cybersecurity journey, I think, but certainly the Navy and the DOD can be counted as premier cybersecurity organizations. They have funding, technology, training, and tools that many do not. And I've benefited greatly from those opportunities. Concurrently, I've had a policy career, a public policy career that's largely focused on national security.
17 years ago we didn't have- the Facebook turned into Facebook and we were two years away from the first iPhone. So it was a really different environment then, and we did not expressly identify cybersecurity as national security. That evolution has taken time. As in my policy roles, I was able to sit on Capitol Hill in the executive branch at Homeland Security and the Department of Defense and also in the private sector as you mentioned at Scorecard.
And those opportunities to shape and discuss and influence homeland security or national security brought in cybersecurity in their own way. And I think that's been an interesting evolution for us all.
PAUL ROBERTS
What did you learn? You were working at Security Scorecard, they focus on like layer eight threats a lot, right? Fishing and so forth. What did you take away from that experience?
DEVIN LYNCH
A lot, the chief among that was the power of data and the level of visibility the private sector can and could have on either an attack surface, or just online. When we are discussing threats like phishing, those are real, and, largely unsophisticated but successful and one of the most prominent threat vectors online.
What is interesting with the power of data is I didn't before appreciate how much data is available online. Through scrapers and scrubbers, port scanners, the public facing websites or databases. This is all available to the private sector and leverage for, recommendations on your favorite online shopping store.
And it is used by threat actors to sharpen their phishing attacks. Threat actors also siphon, collect, interrogate, and exploit the data that is found online. And I didn't think, I thought I understood data security and the power of data before, but a different perspective from the private sector, I think.
PAUL ROBERTS
One of the big products of ONCD, Office National Cyber Director, came out recently, which is the National Cybersecurity Strategy or National Cyber Strategy Document. It's a blueprint document, really interesting one. And I think in some ways, revolutionary one, at least in the context of federal cybersecurity. Could you talk first of all about what that strategy document is, and also like the role that ONCD played in assembling it from, working across government.
DEVIN LYNCH
Absolutely, so the ONCD coordinated and led the development of the National Cybersecurity Strategy, but it is certainly the work of many. And it builds off of the work this Administration and the National Security Council have engaged since day one, since maybe most notably Executive Order 14028 on Improving the Nation's Cybersecurity as well as National Security Memorandum Five, which is which improves cybersecurity for critical infrastructure control systems.
The cybersecurity strategy advances the nation's cybersecurity across five pillars. It's organized across five pillars. The first of which is we will defend critical infrastructure. The second is we will disrupt and dismantle threat actors. We will shape market forces to drive security and resilience.
We will invest in a resilient future and we will forge international partnerships to pursue shared goals. Now, all of these are...
a new way, not maybe per, not a new way of thinking, but an interesting new approach and a bold agenda for what's to come, I think.
And as we implement this strategy, we will make the investments in the technologies, in the people, and in the structures and processes needed to achieve those aspirations.
PAUL ROBERTS
I think one of the big, I don't know if it's a shift in strategy, but it's definitely a position that's articulated in the Strategy that I think, First of all needed to be said and is probably overdue, is this notion of shifting liability away from end users, from consumers of technology, whether that's federal agencies or just businesses or ordinary consumers to the producers of the software.
And one of the points the document makes is that, we've really haven't done a good enough job holding software producers to account when their, the security of their software fails and people are victimized. Talk a little bit more about that shift in thinking and language and practically what it will mean in terms of the, regulations that maybe emerge from this strategy.
DEVIN LYNCH
Absolutely. And I think you have a spot on reading of the fundamental changes. To the earlier point about phishing campaigns, phishing attacks are successful because it does devolve risk down to the individual, the small business or the local government. And that's troubling. So what the Strategy does is calls for two fundamental shifts.
The first is, as you said, we must rebalance the responsibility to defend cyberspace, and the second is we must realign incentives to favor long-term investments. So to the first point, the digital ecosystem too devolves a risk to the, not the lowest denominator, but the least capable and the least well-resourced to fight against the world's most malicious cyber actors.
And we think the security and resilience of cyberspace should not rest on a single person's constant vigilance. The digital ecosystem's biggest, most capable, best positioned actors, and that includes the federal government can and should assume a greater share of the burden for mitigating cyber risk.
And that in turn, I think, elevates our expectations of cyber space's most capable actors, and provides a pathway to re-architect the digital ecosystem so that, the responsibility and security and resilience is more deeply woven into its technical and policy foundations. To the second change, realigning incentives to favor long-term investments.
Look, cybersecurity is hard and it can be very expensive, especially when you don't know the exactly what data, what your attack surface is, or from where the threats might arrive. So we must shift incentives so that when entities across the public and private sector are faced with trade-offs between an easy or temporary patch or fix, and the durable long-term solution, the Secure by Design option, for example, that they will have the resources and the capabilities and the incentives to consistently choose the latter, choose to do the hard thing.
The Strategy recognizes existing shortcomings quite simply, and it caused for change.
PAUL ROBERTS
So talk if you could, about what parts of the Strategy can be implemented, just within, executive branch agencies for example, and which require congressional action and basically legislation to happen. Is there, cause often with these announcements oh, it's a big announcement what's changed?
And it's like nothing's really changed. Like it's a policy position. It's, important in that it reveals thinking, but practically, everything is business as usual. Are there parts of this plan that the Biden Administration can put into effect without congressional approval?
Or is it all basically a blueprint for congressional lawmakers in the House or the Senate to take and then turn into laws and regulations?
DEVIN LYNCH
I love this question because I could put on just briefly my experience as a Senate Staffer.
PAUL ROBERTS
Yeah. you've worked on, You've worked on, the Hill, yeah. Yeah.
DEVIN LYNCH
And I don't work on it now. So like the simple answer is, I don't know the answer, but there are, throughout the Strategy, you will find phrases like the federal government will blank.
And these to my mind and my legislative eye will say these are the clearest instances of where the executive branch will leverage either existing authorities or bring certain resources to bear, around a specific strategic objective. I read throughout the Strategy references to Biden-Harris initiatives of the CHIPS and Science Act, the IJA, the Infrastructure Investment and Jobs Act, the Bipartisan Infrastructure Law, the Inflation Reduction Act.
These four bills passed by Congress, championed by the Administration, are part of our strategy and must be implemented. They are the law and we must execute and implement those laws. So those are certainly opportunities for the executive branch to press forward in line with the strategy and in concert.
But there are also phrases, one comes to mind, there are instances where we call on working with Congress and certainly will need Congress', either new authorities or agreement alignment. One objectives in the third pillar, talking about shifting liability for insecure software products and services.
There's a lot to unpack there. There's a lot to clarify, debate and Congress must and will be a key voice and partner in meeting that objective. We can't just say we're gonna shift liability, establish liability for software products and services and prevent manufacturers and software publishers with market power from disclaiming liability by contract, and establish higher standards of care for software,
without a dialogue with industry and with Congress, an agreement at the end of the day among us all.
PAUL ROBERTS
Yeah, that is the fly in the ointment right there, is how to work with industry, which you obviously want to do. You don't want to just, impose regulations from on high without really understanding the impact of those. And at the same time you want to you don't want to be solicitous of those affected by the legislation or the regulations that in fact, in effect, they become toothless and meaningless and just scoff laws, things that may be on the books, but practically have no impact on how anybody does business.
And that would seem to me to be the challenge. Do you think just taking the temperature there in Washington DC that there is an appetite to yes, consult with industry, but at the end of the day, say, things gotta change and and we're gonna make sure that they do change.
DEVIN LYNCH
There's absolutely an appetite and I would argue there's also an imperative to do so. I think it's 1.2, strategic objective, 1.2, in the first pillar, it talks about increasing public-private partnerships, not just championing existing partnerships, but also creating new ones.
And, we don't operate in a vacuum. We have to do this together. The dynamic evolving, undulating world that is cyberspace and the threats within are not going to stop because we disagree or it's hard. We have to do the hard thing and we have to do that I think in concert and together.
PAUL ROBERTS
So supply chain security, software supply chain security's been a big emphasis of the Biden Administration going back to the Executive Order and some of the other regulations and guidance that have come out from NIST and others since then. What do you see happening with regard to federal oversight of software supply chain?
And so we know for federal contractors, companies selling, software and services into the federal government, they're looking for software bills and material and, kind of accountability on what's in the software. Do you see that maybe expanding from the federal sector out just generally into the private sector?
DEVIN LYNCH
I do. I think there's been a lot as you said, the, and especially from the Executive Order 14028, there has been a movement and the champion within that is Dr. Allen Friedman over at CISA, now at CISA, previously at NTIA and there is, I think there are a lot of opportunities within the software supply chain and also the hardware supply chain, but especially in the software supply chain to rethink, rearchitect, reconsider security first rather than after or as a bolt on.
One of the initiatives we are working on from the White House stemmed maybe a year, almost a year and a half ago. EO 14028 came out I think in May, and then later that winter Log4shell, zero-day, I guess day one occurred. And then the White House convened the open source software community and leaders led by, on our side, led by Deputy Natural Security Advisor Ann Newberger and Director Ingles at ONCD.
And we brought in the community to discuss just the breadth and depth of the challenge before us. The open source ecosystem is open. It's the foundation of 80 to 90% of code that is written, of software that is used, whether it's open or proprietary. So that is a, it's literally the bedrock to my mind of the software supply chain.
PAUL ROBERTS
Yeah.
DEVIN LYNCH
So we brought in those groups and identify among other things, the risks, the opportunities before us. And one of those opportunities surfaced at the time was centered around memory saved languages. Now remember, I led with not being an engineer, but being on a cybersecurity journey. So correct me if I'm wrong here but one of the key risk drivers we surfaced was that memory unsafe programming languages are a leading and underinvested cause of much of the world's software vulnerabilities. So what is memory safety? To my understanding, memory unsafety describes the underlying property of a programming language that allows programmers to introduce certain types of cybersecurity bugs that affect how the memory is used both spatially and temporally.
So a simple example, if you have a list of 10 items and you wrote a program that says, find me the 11th, a memory unsafe language will look top to bottom, back and forth and into the memory for that
PAUL ROBERTS
It's like
For overflow exploits, which are...
DEVIN LYNCH
Exactly, it won't immediately return an error unless that-
but a memory safe language would.
PAUL ROBERTS
Mm-hmm.
DEVIN LYNCH: Or it doesn't allow for that,
to look for the data where it shouldn't be looking or where it isn't. But then when you think about this at scale, that is pretty catastrophic from a cybersecurity perspective. And to what blew my mind the most was, yeah, there were the slammer worm in oh three, the heart bleed vulnerability in open SSL, and then the WannaCry
ransomware attack are like big memory, safety vulnerability examples. But what blew my mind is this is fixable. There's a technical solution to memory safe languages. There are memory, safe and memory unsafe languages across the tech stack.
PAUL ROBERTS
Yeah.
DEVIN LYNCH
For an operating system kernel, you could use Rust.
Or for an iPhone app you use Swift. There's 15 different examples of that up and down the stack, but it'll be hard. It's not, C and C + have been around as long as I've been on this planet, and that's long enough to be embedded and they're again, 80, 90% of code use includes most of that, not least of which, Microsoft.
And I think YouTube runs on it as well, 'cause there's performance, there's function, there's a lot of good and a lot of, possibility. But at the same time, all of that good and impossibility increases the attack surface, to the initial point of the data, the visibility that's out there.
And the second reason I'm excited by this concept is the switch to memory safe languages would have an outsize impact. There was research from, I believe Microsoft and Google in the last few years that identified for software written in memory, unsafe languages mitigating, excuse me, migrating into a memory
safe language can eliminate up to 70% of the software's critical vulnerabilities. 70% of the 90% of the code pie. This is a huge opportunity, I think, and one with a technical solution. And that I think is the key for- it is something to highlight that this is good engineering practices driving
better cybersecurity policy. And that is something we haven't always seen, but with the Biden-Harris Administration and my team in particular, there are engineers, there are coders there, there are cryptographers who explain to me what memories safe languages are-
PAUL ROBERTS
Mm-hmm.
DEVIN LYNCH
And I help explain to them ways in which the executive branch or the legislative branch might be able to surface, champion and promote solutions that they've identified.
So that's exciting.
PAUL ROBERTS
That speaks a lot to the question of tech, what they sometimes refer to as technical debt, in the federal government's case, just a lot of legacy software and services and hardware too that run on, vintage code, let's call it.
And in some agencies like the IRS that is truly vintage, they got applications dating back to the early 1970s.
DEVIN LYNCH
Paul, there are even examples though of a leading edge. So there are four algorithms of the last year from NIST for post quantum cryptography, the PQC algorithms. At least the two of which I'm, two of the four that I know of run on C or C and assembly. And that is a product to my mind, you unpack that, that is a product as well as the only OpenSSL is FIPS 140-3 approved. So if the request for a PQC algorithm must be FIPS 140-3, then it must also have OpenSSL. So we're also having conversations with NIST, what does that mean?
What is the long-term, near term implication of that? Are there other alternatives to OpenSSL? Other alternatives that could apply for FIPS audit and be FIPS certified? There are and those are I think, opportunities for industry to raise their hand and promote memory safety in their own way.
And alternatives too, like how Rust and Swift are safe.
PAUL ROBERTS
Shifting to memory safe languages better scrutiny of open source components in, you know, software and services. Those are really, those are boil the ocean type assignments. How do you- and which doesn't mean they can't happen, it just means it's gonna be a process, right?
It's gonna take time and hopefully over time, you're making the overall environment more secure. Less vulnerable.
DEVIN LYNCH
Absolutely, and you, and we can do hard things. We just need to start doing that. And from our perspective, showing that the federal government is invested and aligns incentives toward these goals is worthy. And that's also annotated in the Strategy.
PAUL ROBERTS
One of the big sticking points for industry is on the issue of attestation, right? And I know Executive Order 14028, and 2218, so on... they focus on self attestation. So let's let software publishers basically, say to us that they have, reviewed the security of their own wares and attest to their, compliance with the guidelines that the federal government has laid out.
Obviously some people say that's the fox guarding the hen house that you know, you need independent attestation of these, but that presents all kinds of problems with bottlenecks and, who's gonna do the attestation and so on. What do you, what are your thoughts on the requirement as it stands, around self attestation and where do you see that conversation going in the future?
Could we get to a point where we move to more of an independent attestation model for some of this stuff?
DEVIN LYNCH
Yeah, what I think self attestation began to do is to elevate from the IT shop into the C-suite that cybersecurity is not an engineering problem. It is a business quality problem. And I actually think that bears repeating. Cybersecurity is not an engineering problem.
It is a business quality problem. And the market and the federal government through 14028 and M-22-18 are soon going to demonstrate, I think, and will eventually show that products of low quality will not be purchased or will not beat out those of higher quality. So what I mean by that is products that don't use secure software development lifecycle practices, which are to these documents of lower quality, are then of lower value.
So what more needs to be done, I think is not- is again, to move the ones and zeros out of the CSO or the CTO shop and to the boardroom, to the CEO's office and turn those ones and zeros into dollar signs in the black ink and not the red ink. This is also what I learned from the private sector.
The black ledger is better than the red ledger here. But so if the cybersecurity improvements are driven from the top then and the CEOs, I identify that the quality of their product is driven by the security and design, then the inclination we hope is that products built fast or cheap will not be of as good value and will lose out a against market forces.
And again, that makes cybersecurity a business problem, which I think is a huge win for self attestation. However, it, however it's taken...
PAUL ROBERTS
To create that kind of market pressure, right.
DEVIN LYNCH
Exactly.
PAUL ROBERTS
Okay, final question. Companies may be inclined to dismiss this of a, it is a policy statement, but it doesn't really change anything. But that's obviously a big risk because, sometimes these things actually turn into laws and regulations.
So if you're out there, you're making software and services, maybe you are selling into the federal space, maybe not, but what would your recommendations be for how to start moving the battleship, you know, steering the sort of ocean liner of your software development process and your company towards compliance, towards where these regulations and guidelines are headed.
What would you recommend for producers out there?
DEVIN LYNCH
Admitting the problem is a huge first step. I f you're boiling, we're boiling the-
PAUL ROBERTS
Personal lives as well as in the business context.
DEVIN LYNCH
We're trying to boil the ocean. We recognize that, but there are identifiable solutions to many of these challenges. The earlier example for open source switching to Swift or Rust isn't impossible.
It will take time. But recognizing that there is a net benefit and that is the compass rose direction that this Strategy identifies is valuable. And at the same time, to the pillar one option of or objective to engage in the public-private sector more. We need to do that.
We need to recognize that, cybersecurity is a team sport. There, there are CISA, NSA, the NSC, there are all the acronyms around town. There are excellent champions and resources available to learn and to request for help, phone a friend, across the tech stack, across the hardware and software supply chains.
But if you're gonna bury your head in the sand, you're gonna get buried, and that's not gonna be a successful outcome for any business.
PAUL ROBERTS
Okay, final question. So you're Director of Supply Chain Technology Security at the ONCD. What's on your agenda for 2023? What are you gonna be focusing on, Devin?
DEVIN LYNCH
My thesis statement is the National Cybersecurity Strategy. When I read the Strategy, I look at pillars three, four, and five. In those pillars, I see supply chains the best represented, most represented. So there are four lines of effort I'm gonna focus on. Number one is the software supply chain, as we identified with the Open Source Software Security Initiative, the OS3I effort and the memory safe languages.
That'll be one of the principle projects in my job jar. The hardware supply chain is also critically important, and with those investments identified across the strategy in chips, IJABIL and the IRA. CHIPS production in particular is going to roll out quickly and invest in a supply chain here or near that
has not occurred before. And that is really exciting and an exciting opportunity as well to build by design some security baked in so that the resilience and the defensibility sought by the act in investing locally and not internationally is manifests. The third line is global supply chains, and the fifth pillar identifies international partners and allies as a critical part of our ability to secure global supply chains.
And that is also the clearest expression of supply chain in the strategy. So I'm excited to be begin working with the state's CDP ambassador Fix Shop there, the new of bureau for cybersecurity Diplomacy, as well as the USTR, the United States Trade Representative and the Department of Commerce at the state, USTR and Commerce have footprints all over the world and are actively engaged in with the international community in cybersecurity.
And the administration's interests need and want to come back into those standards organizations. And our overarching theme to harmonize regulation will need to occur in across borders as well. And the fourth line is, more boring and wonky is related to policy and budgets.
There have been 16 executive orders in the last 10 years on supply chain or ICTS. 16 Executive Orders, none of which have the same phrasing. So from my role as. To support Ms. Walden is to figure out what is the through, what is the through line? What is the, what are the principles in all of these EOs and how can we make those clear and identify also, are there any gaps or what gaps might exist?
That, that's a paper exercise. But for a policy shop, that's our bread and butter
PAUL ROBERTS
Yeah. Devin, is there anything I didn't ask you that you wanted to say?
DEVIN LYNCH
You had made a comment earlier that both that were boiling the ocean and that there will be resistance across the across industry or even pockets of the industry that have either prevented these ideas from succeeding or will prevent them in the future.
And one of the things my coworkers had mentioned to me is, we don't get easy problems. The easy problems don't land at the White House. So there's something, I don't know that's not an easy question and that's, I suppose also a humble brag that I'm not interested in promoting. But the idea, just between the idea that any of this is easy is no, like all of this is hard.
I've got four very hard lines of effort headed my way. Or just a commentary on
PAUL ROBERTS
Yeah, Yeah. this is the kind of big challenge of our democracy right now, which is, trying to, balance the needs of the few versus the many, especially when the few are pretty well, healed and can afford to pay lobbyists and stuff to go and talk to lawmakers. And
I think it is the consumers and the small businesses and the communities... I work on my local community's IT advisory committee, just the scourge of ransomware and all this stuff.
It's really being felt at the local level the scourge of cyber attacks on the elderly and things like that is just... is just epidemic. But those folks don't have a lobbyist there in Capitol Hill. So trying to keep that in focus, when you're having these policy conversations.
I've been covering this space for 20 years and this sort of, public-private partnership, it's a it's a friendly sounding phrase. Yes, of course we want public-private partnerships, but at the end of the day you gotta set a bar.
DEVIN LYNCH
Yes.
PAUL ROBERTS
You gotta set a bar and really ask people to clear it.
And that has been hard. It's been hard to do that.
DEVIN LYNCH
It is hard. I heard, and one of the analogies I think Ms. Newberger likes to make is related to cars and how the automotive industry took. It was hard to move to seat belts and airbags, I, seven years ago, my son was born. And the, a week before that I was looking at the car magazine that said, what is the safest suv, family friendly suv?
And I drive a CRV now, like there is...
Because I know experts thought about it and I know that if that, the smartest person to my mind on car safety is the CEO of a car manufacturer because it matters to them. Same to our earlier point of trying to get cybersecurity to matter to everyone, not just CISA.
PAUL ROBERTS
And if you, but if you roll back the clock to the 1950s and sixties right? The automakers were fighting seat belts, tooth and nail,
saying that, oh, it's gonna make people associate cars with danger and it's gonna ruin our market. And and it took federal legislation in the 60s.
And then I grew up in the 70s and 80s, which was the sort of period where yes, seat belts were required, but nobody used them. And then, in the 80s and 90s you started to get state level laws that said actually you have to wear those when you're driving. And that, that the combination of that was what led us today to
most people being like, if I don't have my seatbelt on, I feel like naked and exposed. It changed behavior, but it was, it started with laws, it started with just government regulations, put 'em in the car and then wear 'em.
DEVIN LYNCH
But even then though the timeline there, we often walk over, but just identified, two, three decades.
PAUL ROBERTS
On a fairly simple like, it's really dangerous, you get in a car accident without a seatbelt, all the data tells us that you're gonna get a lot more injured. It's like there was no ambiguity about it...
DEVIN LYNCH:
mm-hmm.
And it
PAUL ROBERTS
still took decades. Yeah. I think that's right.
That's exactly the point. And here in, in this context of cyber, threats and attacks, again, the data's pretty clear, but the impact is easier to wave your hands at and, these cyber attacks happen and they make headlines, but then they fade into the background.
DEVIN LYNCH
At the same time the speed of cyber.
A world of... I'm still on a four wheel car as my great, whoever would've been, relation would've been. But cyber, I mean
PAUL ROBERTS
10, 20 or
DEVIN LYNCH
AI-
PAUL ROBERTS
in the context of cyber crime and threats. Yeah. That's... I I think about what they're going to look like
DEVIN LYNCH
Complete completely different world. Yeah, 20 years ago we had the Facebook and no
PAUL ROBERTS
Exactly. Exactly. Yeah.
DEVIN LYNCH
What horror did we live in?
PAUL ROBERTS
How do we even get by? Devin Lynch, Director of Supply Chain and Technology Security at the Office of the National Cyber Director, thank you so much for coming on and speak to us on ConversingLabs podcast.
DEVIN LYNCH
Thank you for having me, Paul. Have a good day.
PAUL ROBERTS
You too.