Hash it Out

Ep31 | Why Federal Cyber Leaders are Coming to Virtru

August 18, 2025

Learn why Federal government cybersecurity leaders come to top tech companies like Virtru after public service.

In this episode of Hash It Out, Wayne Chung (former FBI, NSA) and Don Yeske (former DHS, Navy)—now both employees at Virtru—sit down with Shannon Vaughn, Virtru Federal General Manager, to explore how exceptional products and cutting-edge technology are reshaping talent acquisition across all industries, with a special focus on the federal government. From navigating bureaucratic hurdles to fostering a genuine culture of innovation, they discuss the strategies that drive workforce excellence in the defense and tech sectors.
Welcome to Hash It Out, a podcast built by data security experts. We decipher the data security landscape through honest conversations about today's headlines and tomorrow's challenges, brought to you by Virtru. Let's dive in.

On this episode of Hash It Out, former FBI and NSA expert Wayne Chung and ex-DHS zero trust leader Don Yeske join Virtru's Shannon Vaughn to uncover why career federal employees are leaving their blue badges behind for Virtru's innovative tech and mission-driven culture, fueling real impact in the defense arena and beyond. Let's hash it out.

Alright. Welcome, everyone, to today's episode of Hash It Out. I'm Shannon Vaughn, general manager of Virtru's Federal Practice. And today, we have a conversation with two special guests.

Our title says it all, you know, why federal cybersecurity leaders are coming to Virtru. So as I mentioned, our two guests, first is Don Yeske.

Don served as the CTO of the Department of the Navy and most recently was the director of the national cyber or national security cyber directorate or division at DHS.

And Wayne Chung, who's our CTO, he served at NSA's think tank, later on as the CTO of the FBI.

Today, he continues to serve, and advise DARPA as well as the FISA courts, on the future of technology and security. Gentlemen, thanks for joining us here today.

Thank you. Yeah. Nice. It's nice to be here.

Yeah. Alright. So first, you know, I kinda wanna dive into you guys' background. Don, I think first I'll open with you.

I I love your background.

You led cyber strategy both at the Department of Navy, and at DHS.

Be interested to see what were some of the biggest challenges or issues that kinda kept you up at night, and how did those experiences shape your view of protecting data, you know, that's what Virtru does, and not just the systems.

I'd be really interested to to understand your thoughts there.

Sure. So just by way of context, when I was working with DON CIO, most recently as the CTO, I had a hand in standing up the DOD's zero trust portfolio management office.

And, so if anyone is to blame for getting it wrong, for for not, not focusing on the right things. And it's gonna sound like maybe maybe, I'm throwing some shade here. I want you to know upfront, I'm throwing it at myself.

And and I think we did what we knew how to do, and and we focused on some of the right things in standing up that office and outlining its its mission and its functions and and trying to get it equipped and organized. It was something that, I was one of several people, who who had a hand in that.

And and and I think they've done outstanding work. The most mature, widely used zero trust architecture in the federal government is the one that the DOD has put together. And Randy Resnick has done amazing work by putting an answer on the board saying, you know, hey.

We're going to define what it is that we intend to do in the name of zero trust, and we're going to define a a time line upon which we will do that.

All of that is amazing work.

The the thing that that worries me, that has worried me for a while, that that I've become worried about, is that we didn't focus on protect surfaces in setting up all of that. And and I've asked Randy this question.

You know, hey. Are you primarily thinking about the attack surface, or are you thinking about protect surfaces?

And his his answer, honestly, was I'm thinking about the attack surface. I wanna protect everything. I wanna be I wanna be good at protecting everything. And it's it's admirable, and it's it's what they've set out to do, and and it is as specific as we were going into this. Here's the problem.

The attack surface is, and I'll borrow a euphemism from the guy who invented zero trust, John Kindervag. The attack surface is like the universe. It's constantly expanding. You know? It is large and unknowable.

And, you know, if that is what you were trying to protect I I agree.

You will fail. Like, by definition, the attack surface is too large to know and too large to defend holistically.

For that reason, when I was leading zero trust implementation for DHS, we varied from that approach, and we wrote the first federal architecture ever that defined the term protect surface. Yep. Even though if you were to talk to John Kindervag about zero trust for more than thirty seconds, that term would come up. Yeah. The five step process that John outlines for anyone implementing zero trust, the first step is figure out what your protect surface is. What is it that you're trying to protect?

And then everything else is based on that knowledge. And the journey itself is carved up into chunks that are measured by protect surface by protect surface. Right?

It makes, an an interminable journey, doable. Because if you understand what your protect surfaces are and you chunk through them one at a time, you can then break that journey up for the purpose of, you know, schedule management, resource management. Right? Managing your your investments, all of it.

What keeps me up at night, what worries me, is we just published that architecture for DHS right before I left.

Yeah.

And I think and the DHS components, it wasn't just me. Right? It wasn't there's a team over there, and they'll keep that going. But I worry that, that we're gonna miss the point again that, hey. The point of this was figure out what you're trying to protect, apply protections as closely as possible to that data, application asset or service. Right? And and, you know, pay attention to that and build your defenses outward from that outward from the center.

I I worry that we're just not gonna move into that phase, and we'll we'll remain stuck on the attack surface forever.

I think yeah.

I'd I'd I'll I'll have a question later for you, kind of talking about ZT mandates and kinda where we think we all are, but, I think your, your points are are well founded.

Wayne, over to you.

You know, you spent your career across a number of different, you know, areas, you know, at FBI specifically as the CTO.

You know, you guys dealt with some of the, you know, the highest stakes kind of missions. You know? All of us come out of kind of DOD and IC, but, you know, failure is never an option kind of in our line of work.

I also really appreciate what you're doing now with DARPA and the FISA courts.

Little pivot kind of, to what I asked Don, but, like, how have those experiences kinda changed the way you think about trust, securing sensitive data, accountability, visibility?

I'd be interested in in your thoughts there.

Alright. Thanks. So it's interesting because, each of those roles operate very differently.

Yep.

And they each have their own sensitivities. And, from intentionally being public to being extremely sensitive and close hold. Right? So it runs the gamut. And coming from the IC, the work from the FBI was actually a lot more different than some of the previous work I had done.

At the CTO, we supported everything technology wise across the enterprise, and that covers the gamut developing data analytics.

We pushed out data analysts into the field. We supported cloud migration through commercial government secret, cloud service providers, as well as everything from, you know, helping the FBI build out new, you know, what we call network investigative techniques, and then more mundane, acquiring new multifunction printers and cell phone plans. So it really did run the gamut from really whiz bang, high-tech stuff for the hostage rescue team to the more mundane, how do we get everyone, the taxpayer a better deal on cell phones, as well as protecting that data. And everything at the bureau typically operates at the secret run class level.

And in criminal cases, the FBI is actually required to hand over that data to the courts and to the public as part of discovery, which is actually a really good thing if you support a functioning judiciary. Right? You want the defendant to actually have all the same information. Everything's out in the open.

You know what's, you know what happened. The facts are the facts.

And then it it it gets even more granular because, like, the need to know really drove an operational tempo. And you wanted to be able to say, hey. You're part of this case. You need to see this data. You're now the case has migrated or shifted. We need to bring some, different resources in. So it was a really mixed and dynamic workplace.

DARPA is also really mixed in that. Not all the performers are cleared. And in fact, many aren't even US citizens in in the rare occasion.

DARPA is really looking to bring the best or the latest in technology into the DOD, And, they don't really care where that technology comes from. They wanna enable it. They wanna support it, and they wanna make that world where technology is no longer the question, and provide that to the warfighter.

And then finally, FISA, the foreign intelligence surveillance court, is extreme it's the exact far opposite. It's extremely sensitive, but the data has to transit between various agencies as it merits its way through the system.

But the common thing with all of them is that the data only has value. The data only works when we can actually share it and share it carefully. Right? And so when the FBI has case data, they need to make sure that the right agents see it, the right agents, the wrong agents don't see it. For example, in the case of Hanssen. Right? They actually had where the FBI was investigating itself for insider threats.

And then it goes out to the prosecutor prosecution and then to the defense. And then the same with DARPA. They wanna be able to control this information, be it whether it's unclassified or sensitive or secret. They wanna make sure that only the performers have access, that it's not out there and about. And then the data is actually, the investments that DARPA makes on behalf of the DOD really have value to the DOD and aren't sort of lost to the, lost into the ether or to our enemies.

And so I think that's one of the bigger things is sort of realizing, yes, in all forms of government from the IC down to the sort of more public FBI and DARPA, it really is about the data, how you use it. It has to be out there. It has to be shared, but it has to be controlled and how it's shared. And that's sort of a common thread that has come throughout those different roles.

That that's great. I, it's it it and I really appreciate that both of you are on this call because, I think you've both seen kind of that full cybersecurity vendor, landscape. Right? Everything from the most mundane IT function to the most sensitive of sensitive, you know, intelligence sharing.

Also, kind of the reason why I wanna bring this Hash It Out together is, you know, given your guys' impressive background, there's probably a lot of people kind of asking, like, you could've gone anywhere. Right? You could've gone to any company.

Selfishly, I'd kinda wanna know, you know, what was it about Virtru, with the tech stack or the culture? You know, was it was it the the TDF, kinda how I got introduced to Virtru, you know, you know, ten plus, fifteen years ago when when it was coming out of NSA?

I'd be interested in, you know, what kinda grabbed your attention or, you know, what kind of led you to kinda considering moving out of the federal, you know, government space and and coming to private industry specifically at Virtru? Don, I'll ask you first, I guess.

Sure. So, you're right. I I don't know that I've met every vendor under the sun, but I feel like I've met a lot of them in the last several years. And I've I tried as a government employee to be as available as possible to industry, you know, just for the purpose of not necessarily pitching their products, but, you know, we tried to build intentional partnerships, with with various, vendors, large and small.

And, you know, that's because you want to take onboard, a series of good ideas that can only come from multiple places. I and, you know, and I I I, I invested in that through various, public private partnerships.

And so you're right. I've I've met a lot of vendors.

Why Virtru?

Well, when they when it became clear that it was time for me to leave the federal government, you know, I was aware of Virtru. I wanna be clear. I've never been a Virtru customer. As a as a as a government employee, I never worked anywhere where we bought a Virtru product to my knowledge.

Yep. I did.

And and, but I was aware of Virtru. Shannon, you and I met, you know, through various, like, conferences and speaking engagements. But, also, I was aware of Virtru as a as a company and what Virtru has been doing for, you know, more than the last decade.

I was aware of openTDF as a standard. I even quoted openTDF as one standard to watch in in the DHS zero trust implementation strategy, which we published about four months after I took over zero trust at DHS a little more than a year and a half ago. Yep. And, you know, so I I I mentioned it by name because it is a government open standard, but also because it is unique.

It it it really should not be understated, how unique what Virtru does is in the marketplace.

I'm not aware of any other product offering that very specifically goes after, adding policy directly to an object in the form of layers of encryption protecting that object.

That's just brilliant.

And, you know, Will Ackerly, by all accounts, incredibly brilliant guy came up with that concept, and a lot of brilliant engineers have followed after that, you know, and added and added and added. But it is also the most difficult thing for the federal government. Right? We have depending on which version of zero trust architecture you subscribe to, if you're looking at CISA's model, it has five pillars.

If you're looking at DOD's model, it has seven pillars. There are a couple out there that have eight pillars. All of them, though, have a data pillar.

Yep.

And and, usually, it's portrayed in the very center, because what we're trying to do is protect the data. Right? And I answered on behalf of DHS. I drove our answer to inquiries from from GAO, right, and from, you know, the various, other parts of the federal government that were empowered to ask us questions about how we were doing on zero trust.

And if you were to look at our answers in public, we we acknowledge the data pillars where we really struggle. Yep. There are there are reports out there that I'm sure we could link to here that that say that it's not just DHS. It's not just DOD.

In four or five years of conversations at, you know, at the the Committee on National Security Systems, at, you know, FSEA, at go anywhere, and talk to anyone from any other government agency and ask them what the hardest pillar is for them. Data will be it. Where have you made the least progress? Data. Yep. So so what Virtru does is unique, and it's also the most difficult thing that anyone has on their plate to do. And, this is a tragic flaw of mine.

I tilt at windmills, and, and this was a windmill. And so when it became clear to me that it was time to to move into the private sector, I was attracted to Virtru because it's an important problem, because it's the most difficult problem we face across government and really not just government, and because I'm attracted to really hard problems like that.

Well, that no. That's great.

I, so yeah.

I I I will say that, you know, whether you look at a a five pillar z t model, seven, eight, you know, I I think the a a lot of people think of z t in a network or endpoint application, you know, kind of security context, you know, kinda tying back into what I said earlier. I'd I'd be interested, Wayne, you know, if you look at the the government's you know, US government's, you know, ZT mandate in the twenty twenty seven deadline, you know, how do you think agencies are looking to meet that? You know, to Don's point, like, the data pillar is the hardest. I think every CIO and CSO would agree with that in in, USG.

Do do you think that agencies are on target? Are they gonna meet that twenty seven deadline? Or, you know, where can they play catch up, I I guess, if they're not?

I hope they will.

But I also you know, I'm, I am a bit of pessimist. So I I don't know if they'll make it all the way there, but at least they're gonna make some headway. I think all the agencies understand zero trust as a concept. And I think organizations like DOD and DHS is really as well as NIST, in putting out various guidelines have really been helping educate and helping folks understand, what zero trust really means for an enterprise.

And I I think most organizations really do get it. You still get some that that maybe think of they may kind of view it as, like, oh, it's like the early days of cybersecurity where you sprinkle encryption on and then you're done. Where it's really about how do you protect your data, what's the risk or what you accept, and then moving beyond to, you know, gone are the days of, well, the application administrator, the database administrator, or the, you know, SharePoint administrator. They're allowed to see everything because that's just how the systems work.

And so, you know, we've learned through various reasons, like, that that's just not the that's not the case. That's not how life should be, and, bad things can happen. And so I think a lot of organizations are really taken to heart what zero trust means. It's about letting the data and letting the right people work together in the right way. And so I think organizations can really, I mean, it's it's a long journey.

When I was at NSA, actually, Will and I were on the same development program, and that's where we met.

It was a multiyear journey for NSA to really understand. Like, once we had the TDF or TDF, what do you do with it? How do you integrate into your workflows? How do you integrate into your mission apps?

What do people do with it? But we we got to a place, eventually, where it was really, really nice where I could share data to another analyst, and the system just worked. It said, oh, they have the need to know. They're in the right mission space.

They have the right attributes.

Yes. That that link will resolve, or, no, they don't. It won't resolve.

You prevented a data spill. You've not prevented some, leak, and, you know, no harm, no foul. But it really enables folks to actively sort of work to say, can we get the right people right data in front of the right people?

And I think a lot of organizations are looking at that, and they're embracing how can we sort of accelerate our journey by looking to, how do we bring in the right tools? Whether it's, how do we bring in some additional AI or folks to help us tag our data and put the right attributes? How do we even think about our policies? And then how do we then integrate our applications to work with, you know, the policies themselves and then let them apply sort of ACLs and ACEs and sort of all the other access controls that you need to?

I think a lot of organizations are looking to the private sector, and I think Virtru is actually uniquely positioned in both being built on an open standard that's also a soon to be NATO CCEB standard, but also with our proprietary tools that enable you to really accelerate your journey and taking those open standards and making use of them and integrating them into your mission space. So I'm hopeful, but at least I feel confident that the right organizations, they know where they wanna go. Now it's just a matter of getting there and getting their ducks in a row.

Yeah. I think it's about execution phase now. Yeah. One of the things I love that you talked about is, you know, the operational context.

I like to always say, like, you can have the best, you know, tool in the world, but if nobody uses it, it's worthless.

You know, what is the reason for why we employ these technologies? Well, it's to get after operations. Right? Like, the real things matter. You know, one of the things that I think we've seen concretely recently around, you know, ZTDF or the zero trust data format, which is an expansion off of TDF where it incorporates some of the NATO STANAGs onto the TDF spec, is allowing for partners and allies to come together and join up, and be, you know, interoperable. Right? So this idea of data centric interoperability, you know, I think we're seeing it right now actively being exercised in a thing called Operation Highmast led by the United Kingdom.

I love this use case. Right? We've been exercising for years under the Bold Quest series and then Project Olympus, and now we're seeing it through Highmast led by a partner nation.

What's great about it is, you know, it is ships underway, you know, transiting across different US combatant commands, areas of responsibility, and be able to share information, you know, freely so you can you kinda go on the offense, right, is one of the things we say. Like, cybersecurity doesn't have to be a defensive posture. You could be offensive in how you're sharing data.

I think one of the questions that I'd probably have to maybe Don or Wayne is speaking to kinda ZTDF and that interoperability, like, what do you think not only the immediate use case of, like, partner sharing, like, where do you think this goes over the next, you know, one, three, five years? Right? I mean, this is as cutting edge of a technology there is in the cybersecurity space. Like, where do you think we're going with things like this?

So I'll I'll start, Wayne, if you don't mind, and then Yeah.

Dive in. But, I read an article recently, that was quoting the Department of Navy, CDAO, chief data and analytics officer, I believe.

And, he was talking about unleashing our data that is currently locked up aboard ships. Mhmm. And if you think about it, each vessel that's out there is just awash in data, sensor data. Right?

But also, you know, data that's generated aboard the ship. Right?

Logistical data about the ship, maintenance data about the ship, and and other kinds of data that are, you know, available through various links that the ship, you know, slips into and out of as it as it does its mission.

So there's just a ton of data out there. And the point that DON CIO as an organization was raising here is that all that data needs to be made available at speed to algorithms that needed to do things that we can't imagine yesterday that we need to do today.

Right? There there are, there are use cases that will emerge and change and reemerge in a matter of twenty four hours.

And, you know, we talked about this years and years ago in the, the Marine Corps enterprise network modernization plan. It opened with a vignette about marines, on a small island in the in the Pacific somewhere, who receive a software update. And, you know, the next day, they recognize that what they thought was just noise is actually a submarine. Right? Like, those kinds of things we were imagining, and then war broke out in Ukraine, and now the Ukrainians are living them. They're actually developing TTPs.

They're developing countermeasures.

They're developing, both offensive and defensive cyber, and cyberkinetic strategies Mhmm.

In in a matter of, you know, twenty four, forty eight, seventy two hours Yep. And going back and forth with a much larger, much better funded, right, presumably first world military, and holding their own because they're innovating at speed. It is an amazing, amazing thing to see. I think we always fight you know, we we always prepare ourselves to fight the last war.

Yeah.

And we have a unique opportunity right now to see what the next war actually looks like and to position ourselves to compete well. And I'll I'll I'll say finally that that we're not well positioned to compete so long as we are handcuffed, and we're handcuffed so long as our data is is trapped.

Do we really think that our strategic adversaries and competitors in the world are handcuffing themselves the way we are? That they're that they're holding their data in a bag, nobody can see it, right, and and not allowing, you know, this data to be processed on this network with this resource because it's too sensitive? Absolutely not. Absolutely not. And so long as so long as our adversaries and competitors are not constrained in that way, we have to figure out how to not be constrained in that way. And we have to do that without giving up the protections around that data. And I don't see another way for us to practically do that at scale or at speed other than by maturing this technology that's been coming on for, you know, twelve, fifteen years now.

That's very well said. Wayne, anything to add there?

Yeah. Yeah. Just building on that. Like, the world is increasingly a a dangerous place. The number of folks exposed to state based conflicts has increased exponentially.

And one of the side effects is that we actually have, this this notion of sort of non establishment coalitions being formed. Ukraine is a nice example. Right? They're not NATO.

They're not formally part of the EU. And so how do we, how these and increasingly this in the in in these in situations, how do you dynamically form these communities, create them rapidly, and moving away from our traditional, well, we need to set up infrastructure. We need to set up servers. We need to create identities, create credentials, and then expand and, wire out these networks where we can now start engaging with a brand new coalition is is just not realistic.

Right? Especially at the pace and speed of modern combat. And, also, even before combat, just intelligence sharing to prevent conflict. How do we rapidly share data?

How do we do that, especially with folks that we normally don't engage with, more part of established coalitions or communities. And I think technologies like ZTDF are really gonna start to enable that where we can allow for third party sharing. We can much more rapidly. We can allow for new coalitions to form as well, even getting down to granularities of who can read data elements, who can create data elements, and even specify, you know, what type of systems.

Because you asked, like, sort of where do we see this in the future? And I totally see us in the future where not only can you sort of entitle data to types of users or types of coalitions, but maybe even dictating, hey. This is only for shipborne assets. Right?

This data, we don't want it leaving. We don't want it being used by ground based forces because we don't wanna be we don't want it potentially being exposed and things like that. So being able to sort of even, allow you to control the risk and what you accept will enable further sharing and also enables our, these organizations actually make use of their data rapidly regardless of where the more traditional, like, hey. Do we do we have a link sixteen set up?

Has it been set up? Has it been run? Do we have keys? All the all that sort of things that, you know, are the more traditional way we would establish out, allegiances and communities and data sharing protocols.

You know, Wayne, you triggered a thought, if I may.

I think we've been spending a lot of time talking about, you know, a military context, and that is important.

But, you know, let's also think about the rest of what government does.

You know, at at at DHS, for example, one of the hardest things to do is to organize and respond to a natural disaster at scale. Right?

And and, you know, think about what FEMA does. Right? They go into a place that has been annihilated by some disaster, some weather event. Right? There is no infrastructure to speak of.

You know, people are hopefully surviving.

Right? But they're surviving day by day. They don't have the ability to communicate. There is no hard infrastructure.

They don't have the ability to move around. That is a very similar use case to to military tech use case. And it presents many of the same problems as coalition operation in a far flung place. Right?

Where now I've got agencies and state and local government entities and private actors.

Yeah. NGOs.

That NGOs. Right. Yeah. Yeah. Civil society, right, who are now getting involved in the response and recovery effort, and all of that has to be coordinated.

That is a huge thankless undertaking, and it requires all of those entities to be able to share information, potentially very sensitive information, particularly, you know, PII pertaining to people who have been affected by a disaster as as one example, and, you know, information about their businesses, information about their personal finances very sensitive. All of that has to be kept secure, but it also has to be shared. So how do you do that? Right?

And how do you pull that coalition together on a Tuesday that you didn't have on a Monday?

That that that is it was eye opening working at DHS, if only for a couple of years, because, though it's not as large as DOD, it's the third largest department of the federal government, it actually interacts more with the American public than any other part of government. There are more interactions between Americans and DHS than any other part of their government. Every time you go through a an airport, you meet a TSA agent. Right? Every time you come back into the country, you meet CBP.

You know, anyone who's affected by a a natural disaster, odds are they're gonna work with FEMA at some point. They that that number of interactions, you know, it is is astounding, and it presents a whole different, ballgame than than militaries trying to interoperate with other militaries, which is important.

But, you know, let's not forget that, you know, we're here to serve everyone, and and those missions are very broad.

Yeah. That that that I think that's spot on. I I wish I could, foot stomp it harder, make sure everybody actually heard what you guys said because I I mean, you guys bring decades of experience in the federal government space.

Just knowing it firsthand, you know, and hearing from from, you know, leaders that have moved from from the government, into, you know, the private sector here at Virtru. I I just really appreciate you guys taking the time to to, shed some light here.

I do wanna, say say thanks for kind of, giving the the thumbs up to to zTDF and the capability. Like, as you all said, you know, it's a government open standard. It's it's Virtru doesn't own it. Right? It's a capability that agencies and companies, should be looking to because over those next, you know, one, three, five years, if you wanna do things like data level, you know, object security and be able to proactively share that data while maintaining positive control over it, like, it it's a great technology to look at.

So it I just appreciate that you guys, took your time to come on here today.

For everybody here, I I wanna say thanks, to Don and Wayne. Thanks for joining us to everybody.

Thanks for tuning in, and until next time. I'm Shannon Vaughn, and this is Hash It Out. Thanks for joining us.

Thanks for listening. If you enjoyed this episode, leave us a five star review, and don't miss us the next time we hash it out. Like, follow, and subscribe to us on YouTube, Spotify, and Apple Podcasts, all linked below.