Behind Agency Doors: Where Is Security Progress Being Made?
Air Force Chief Software Officer on Info Sharing, Executive Orders and More
Nicolas M. Chaillan knows a lot about securing U.S. government applications. He's the first chief software officer for the U.S. Air Force and Space Force, a former special adviser for cloud security and DevSecOps at the Department of Defense, and a former special adviser for cybersecurity at the Department of Homeland Security.
On the important topic of information sharing between the public and private sectors, which is key for protecting critical infrastructure, he says current federal CISO Chris DeRusha has made "definitive progress when it comes to the adoption of zero trust and the ability to start sharing threat intelligence." But more automation is needed in the process, Chaillan adds.
In this episode of "Cybersecurity Unplugged," Chaillan also discusses:
- The "forcing function" of executive orders, and how - although "all executive orders are just unfunded mandates" - President Joe Biden's cybersecurity executive order on software will likely lead to companies fixing critical vulnerabilities;
- How "China is embracing agility" and whether the U.S. can fight against pushback from legacy suppliers and make technology decisions faster;
- The need for "continuous learning" that evolves at the speed of technology and is not allowed to go "stale."
Chaillan, the first chief software officer for the U.S. Air Force and Space Force, previously served as special adviser for cloud security and DevSecOps at the Department of Defense, and as special adviser for cybersecurity at the Department of Homeland Security. Before that, he worked as a serial entrepreneur and senior C-level executive with over 22 years of domestic and international experience in security, software development and risk management. He founded the company WORLDAKT at the age of 15 to pioneer the use of the PHP programming language.
Steve King: Good day, everyone. This is Steve King, the managing director of CyberTheory, and I welcome you to another podcast today with Nicolas M. Chaillan. He is the first chief software officer for the United States Air Force and Space Force and a former special adviser for cloud security and DevSecOps at the Department of Defense within the Office of the Secretary of Defense. Nic was also the former special adviser for cybersecurity and chief architect for cyber.gov at the Department of Homeland Security. In addition to that, and prior to that government service, Nic was a serial entrepreneur and senior C-level executive with over 22 years of domestic and international experience, strong technical and subject matter expertise in innovation, security, software development and, in particular, governance and risk management, and has been recognized as one of France's youngest entrepreneurs after founding the company WORLDAKT at the age of 15 to pioneer the use of the PHP programming language. I could go on for a while here describing Nic's accomplishments, but suffice it to say that the US government no longer has the pleasure of his company. We do instead. So, welcome, Nic. I'm glad you could join us.
Nicolas M. Chaillan: Thanks for having me. Very excited.
King: Sure. That's great. Let's jump right in here. I wanted to get your perspective on a couple of things that you have a unique perspective on, having most recently been involved with many alphabet agencies that we know and love. We're engaged in a war in Eastern Europe. And even though our apparent direct involvement has been limited, what, in your estimation, might we be doing differently? And what's the likely end result of all of this? And most importantly, what do we have to do to end it?
Chaillan: Absolutely. It's been a lot of lessons learned. I'm afraid that some of the Pentagon leaders are stating the fact that Russia is not able to take over Ukraine, like we had predicted, in a week, to start saying that maybe we overestimated Russia, but also China as well, to stop being even more complacent, reducing the eagerness to innovate in the department. And that's a concerning thought because China is different from Russia. Also, Russia is not using all of their arsenal to go after Ukraine. And that's different from what you would see in the other kind of circumstances. And that's something to pay attention to that the cyber offense side has not been leveraged, mostly because they know, and that we've seen in the past, and back in 2017, when Russia went after other critical infrastructure, and with Petya and that spread to US companies costing billions of damages, both to European and American companies. They know they don't want to give excuses both to Europe and America for them to get more involved in this world. And so, they are now using a lot of the capabilities that often can have a ripple effect right across nations by accident. And so that's limiting their options. There's also the fact that many of the Russian people are not fully invested and excited about this war. So, the fact that Russia has tremendous issues with basic capabilities involving communications - but there are troops at risk. And every time we did a type of war room scenario with China in attacking Taiwan, we were also on the same boat, where we lost communications after 24 hours in most use cases that we predicted. So communications is tough because there's a lot of jamming capabilities, a lot of ways to disrupt. 
And what you see right now is the fact that, mostly due to what happened in Afghanistan and the debacle of leaving that way, with no accountability, no one taking proper action during that debacle, you see now Russia eager to continue the fight and not too scared about this current administration. That compounds the problem with what's happening in Ukraine, and we keep giving more money, warfighting capabilities, which is probably also why they are still able to fight back. People keep saying, "Russia should have been able to take over Ukraine in a week." Sure. But we'll also charge them billions of weapons to keep firing. Without that, I would bet they would be long gone by now.
King: So, why are we doing it?
Chaillan: I think the administration believes we should be involved and we should be providing weapons to stop the Russians from getting further into Ukraine. And there's a whole debate that most people don't understand: that Ukraine is not the democracy we believe it is. It always cracked me up when I saw that the LGBTQ community of the United States added the Ukrainian flag colors on their flags, not realizing that Ukraine does not allow gay marriage. So, it's interesting. But people are not educated. They don't know where all this stuff is happening. They just feel the main media narrative. They don't know the history. They don't travel. That's part of the issue, unfortunately. We don't see enough people trying to get to the bottom of things without just listening to the news.
King: Because it wasn't that long ago - three, four years ago - that it was clear to everybody on the planet that Ukraine's government was corrupt and nefarious and self-serving, and then we went from that profile to this current profile, which is very sympathetic, underpowered, and in need of help and all that stuff. So, from a PR point of view, I guess they did something right in there, but I don't know how we got from A to B. I understand why Putin wants to continue this, because he's quickly becoming the richest man in the world during all of this. Given his holdings in the oil and gas industry, and what it has forced Europe to do, you have to wonder what's in it for us here. And why we continue to keep walking that thin wire between giving lots of stuff and giving almost as much stuff as they need.
Chaillan: Very dangerous, because there might be a point where Russia starts to think of it as us being actively part of the engagement and start attacking us as well. And that's probably the last thing you want. So, there's a fine line that's been crossed already. I think Vladimir Putin knows that he doesn't want to fight too many fights at once. Otherwise, he would probably have already taken more significant action, even against some of the European countries as they are dependent on Russian energy, which is exactly why we're concerned here with China, particularly when it comes to the dependency we have on everything, from basic supply chain things to not even being able to produce penicillin in the United States any longer, having to buy masks during the pandemic, directly from China.
King: And there's soon to be chips.
Chaillan: You've seen the chips also. I've been pushing for years now to wake up the government on the lack of access to an American supply chain for chips. Taiwan being the second producer of chips, China directly forcing companies like Apple, telling their producers in Taiwan to re-label their chips to say 'made in China', so they can be shipped to China. So then, they can be put into the iPhones we love to buy every year, despite the fact that they can't bring any new features to life and we keep spending a thousand bucks a pop, for no reason, made in sweatshops in China. And China now mandating Taiwan to swap their labels so they can be imported into China, effectively letting them win the fight already, just by basic customs restrictions. It's concerning.
King: Yeah, it doesn't appear as though either country has much respect for this current administration, or fear of reprisal would be a better way to put that. On a different front directly related to cybersecurity, a lot of people in our community have been applauding Biden's executive orders and what they characterize as decisive action on cybersecurity protocols. But some of us don't see actual progress as this has been just a theatrical exercise. And when, if ever, do you anticipate some changes coming out of the White House or the Pentagon?
Chaillan: I was part of the team that helped create and write some of the language, and all executive orders are just unfunded mandates. So, by definition, they're going to be a whole bunch of nothing, but it is a forcing function. Already, Congress is trying to fund some of the zero trust work and some of the software bill of materials work. So it is a forcing function that doesn't happen overnight. But it is creating some momentum. Particularly, what I've seen is several commercial companies now getting more excited about the market, providing services, software solutions, and more importantly, some of the companies selling software having to start waking up to look at their current cyber posture. It's mind boggling to me. I sit on many boards of companies innovating, and some others, and during my time as a chief software officer I had access to about a thousand open-source and commercial software bits, only to see way too many times, particularly in cyber products, funny enough, products with hundreds of CVEs and little work done to proactively address them. You would think a cyber company would know better; they have no problem sending you their cyber capabilities, only to create more risk in your network at the same time. And with this executive order, I start to see at least people be like, "If we're going to have to provide the list of CVEs and dependencies and issues we have, maybe we won't be able to get away with stuff anymore." So we already see a big move to start addressing it. And that gets to the beauty of the government nowadays. The government is so incapable of getting things done, and is wasting 90 cents on the dollar, that it's better at the end of the day to let the commercial companies figure it out. But the government needs to be some sort of forcing function.
The issue is, way too often, the language in law and all the requirements are way too stringent, stacking time and still, and end up trying to solve problems only to effectively make the problem worse, or try to bring solutions that are way too complex or cumbersome to set in place, creating more problems than they are solving.
King: So, a question for you, who's been in it now intimately for several years. We've been talking about sharing information among the private and public sector for a long time. And it hasn't happened. And if there ever was a time for a whole-of-state initiative or solution to become activated, now seems to be that time. Is there anything like that going on behind the agency doors that we're just unaware of that you can share?
Chaillan: So, I got to say DHS used to be bad at their job, and for years. It's not an administration thing, to be fully honest. Though, with the recent appointees by the White House, they stepped up the game. And despite the fact that I'm a conservative, the fact is I also recognize good work. And the fact is the new leadership, the CISO, has been able to bring some progress. It's not where we want to be, but I've seen definitive progress when it comes to both the adoption of zero trust and the ability to start sharing threat intel. The issue remains the fact that DoD overclassifies everything, so we don't know how to decouple the who and the why. And so we're going to end up overclassifying the whole thing, and to make information available for consumption both ways, we end up creating too much work. There is no automation. It's a manual process that is going to create massive bottlenecks, where, by the time you have it in the system, it's already out of date and useless. So, they have improved drastically compared to what it used to be. It's certainly still far from what I would have done, or what I would want to see. But I think the key now is going to be about automating the decoupling of what's classified and what's not classified in terms of the indicators, and making it clear that, by the way, if something has a very limited lifespan, why do we even classify it to begin with if we know it's going to be obsolete by the time you're done typing your email.
King: I'm sure that was one of the frustrations that you had, coming from private industry into the public sector like this. Can you characterize some of the other reasons that drove you to ultimately resign your post?
Chaillan: So it's interesting. Because this job was the most infuriating and the most frustrating ever, but at the same time, it was also the most rewarding and impactful I've ever had in my life, particularly since I had kids. And I started to realize how bad the situation was compared to what we're told, particularly when it comes to China. And the fact that there was no fighting chance that my kids and your kids and grandkids will win against China, 20 years from now. The urgency was tangible for me when I started at the DoD, and that made it real to the point where I was losing sleep. Because you're like, "Well, you know, we're talking, we're bringing solutions, we're demonstrating we can do this with a small group of people to move the behemoth that is DoD, and finally get some wins." By the end, the department talks the talk, and they refuse to make it the way to do business. And so, it's anecdotal compared to how much money we spent in the department. And the money is still massively wasted on the wrong things, with the wrong waterfall, outdated, anti-agile process, with the same lot of primes that don't know how to get things done, with very little oversight and massive conflict of interest, with government people ending up leaving their job to go work for the same primes they just awarded billions of dollars of taxpayer money. So it's a lot of different things. I was excited with all the results we got; we saved 100 years of time in one year moving to DevSecOps. That's a massive win just with 27 programs. I always argue maybe we didn't save 100 years, we just didn't waste 100 years of time. And so, that's something to think about, because China is embracing agility. And they have less bureaucracy and constraints, and they can force the companies to do business with them. What was also scary is it's a DoD bubble.
But there's also a massive Silicon Valley bubble. A lot of these people live in a Kumbaya parallel universe, where it seems they don't realize that the freedom they enjoy is thanks to the deterrence and the sacrifices made by the warfighter. And they are becoming anti-military, refusing to engage and collaborate with us on all innovations. And then companies, particularly in AI, show up and try to get some of the large chunk of funding of DoD, but at the same time say, "We're willing to take your money, but only if it's on the business side of DoD. We're not going to take your money if it's on the weapons side." So I'm like, "Well, if you don't believe in the mission, why are you taking any money?" Seems a little convenient to decide when you want it or when you don't want it, even for things like using satellite imagery to recognize objects better, so we don't make the same mistake we made when we bombed the bus in Afghanistan, killing a bunch of kids, all because we have humans watching stuff, when all this stuff could be automated through AI so we can make better decisions, with more insights. So, it's also about saving lives. It's not just about killing people, and people miss the point. And that's very frustrating. I would go to conferences in California and attract a massive crowd of 2,500 people. And then you will always have people waiting to shake hands, and always in the group you have five, six of them waiting in line just to tell me they won't shake my hand because it's covered in blood, and that she's going to have to go spend time in the puppy room because she's traumatized for the rest of the day. And you're messed up as a nation when you start having puppy rooms in conferences. That's a good sign that something is going wrong. So it's a lot of things. It's the leadership talking and never getting things done.
They appointed me as the chief software officer for the Joint Staff. That is one of the largest engagements in the world of Internet of Things, connecting all the weapons together to create kind of the ultimate warfighting capability, directly pushed by the Secretary of Defense and the Deputy SecDef. And all we were asking for was 30 million bucks to get the MVP, the minimum viable product, done. They couldn't find the money after six months, so we were going to have to wait till 2023. And that's where they frustrated me. They told me, "We want to bring you in, and you have six months to do it." And in three months, we got half of it done. And then they couldn't get the rest of the money. And then they're like, "We're going to wait a year." You asked me to do it in six months. We have three months in and now you're telling me you have to wait a year for money, for 15 million, which is like a rounding error for the department. What was happening is we had so much success with so little money, and so much tangible value brought to life, both in zero trust implementation in the department, we did the largest DevSecOps implementation in the department, we did the largest cloud contract, where I put it and get anything done for four years, even today. Cloud One was a billion dollars a year, all done in under a year. And we have had it up and running now for five years. So we got so much stuff done with so little money, but with a different model. The government was the integration office, so, no prime. We had primes as subs effectively. So we had 37 companies effectively on contract. On Platform One, the government was the integration office. And that's a very different model, where we have diversity of talent, we have that diversity of options, we have the ability for the government to make decisions rapidly in an agile fashion. We buy capacity of work; we don't buy requirements stuck in time. So it's a very agile contract.
And we get stuff done. But so many of the primes complained to SecDef and the Deputy SecDef that we weren't buying the usual legacy way of big primes, where you give them requirements for five years, and then you end up 10 years later with nothing to show for it. They didn't like the fact that they were losing some of the grip on the budget, and that if we were able to demonstrate we could do something, they would question the rest of the funding they're getting of the 800 billion we're spending in defense every year.
King: Those are good reasons. What was your alternative? If you were going to stick around for a year, what would you do during that year?
Chaillan: That's the thing too. I was the chief software officer for the Air Force and Space Force, and I took this extra duty. I was already working 18-hour days, weekends. And so, I was never seeing my kids. So, I was kind of getting frustrated. One, I felt the pressure of China, then I felt the pressure of my kids growing up. I need to spend time with my kids. So, I'm doing all this, making all these sacrifices, and now you're telling me this nonsense? Am I wasting my time? So I decided it was time for me to go back to my kids. And I had to turn when the new administration came in. So, I was already reporting to appointees. And it's not Secretary Kendall, because Secretary Kendall is good. But I think the lower tier of the administration was mostly picked by checking boxes on gender and other things. And I could already tell that competence and skills were not part of that checklist. And so, that was concerning. And that's where I felt like, "If I'm not going to see my kids, it better be for good reasons." And if that's not the case, then I should go back to my kids. The new administration was telling me - because I was already vocal on LinkedIn, but not as vocal as I am now, but vocal for a government person, and also engaging with industry like no one else did, with a thousand people live and answering questions live and getting the industry excited and engaged - and so, we had great interactions with the industry, and not just industry, the defense industrial base, but I'm talking also the real commercial companies outside of the DoD bubble. And so, I was always pretty vocal, but then the administration said, "You have to turn it down and stop engaging." And that frustrated me. And so, I felt, "Hey, if I leave, then I can be a little more transparent," particularly when I felt like we're not disclosing enough to the citizen how bad the situation is with China. If I'm able to, because we will reclassify everything.
But if I'm able to, without breaking the law, it still raises awareness on what's going on and how bad it is, maybe I can get more people excited to join the fight. And I can effectively be more impactful on the outside than I am on the inside, although I will be back in 2025, I'm sure. But we shall see.
King: I know, because we've talked before about what we're doing on the education front, that you believe education is a key component of our ability to continue to compete in these marketplaces. Speaking of China, do you want to describe a little bit about what you did in DevSecOps for the service? Can you describe a little bit about what you're doing from an educational platform point of view? I think you're in the process of building one out.
Chaillan: I realized rapidly when I started that I don't have a degree; I created my company at 15. It's been mind boggling to see how much universities are charging, altogether, for an outdated set of curriculums. So even before I left, first I invested in the government geeks: I was giving an hour a day to my people to learn. So, we have about 100,000 software people in the department, 60 billion probably spent on software, although we don't have an exact number. It's the largest organization on the planet. IT is so insane right now that if you don't spend an hour a day, at least, to catch up and keep up, you're going to be far behind. I always felt like continuous learning was the answer. You cannot just be like, "Hey, we're going to send people to some type of training for a week, and then they're going to come back magically top-notch, and we can wait another year before doing it again." That makes no sense nowadays. And that's also why DoD's failing: the velocity has changed such that, back in the day, you could get away with slow cycles, because you would miss stuff, but you wouldn't miss too much. But now, it's so crazy in two, three years. If you take your four-year-old phone, you're going to see what I'm talking about in terms of changes. We don't even realize how fast things change, particularly on the software side. And so, I think it's important to be able to keep up and enable continuous learning. So, we created several learning platforms by using commercial solutions like Coursera, different content that we got online, commercial content, and I always push the fact that while the DoD mission is special, we're not special when it comes to software, and just like SpaceX and others, we need to use best-of-breed commercial stuff and stop creating snowflakes.
And creating custom DoD nonsense that's only useful for DoD, which compounds the problem of the bottlenecks and the size of the companies that can come and help you fix the challenges we're facing in software. And so, we created all this learning and stuff. And then when I left the government, I had a lot of universities reaching out to me and saying, "Hey, we love what you've done. A lot of banks, a lot of telcos, a lot of healthcare companies. Can you come and help us? You could do it for nuclear weapons, you can probably help us for a bank." I said, okay, I'm willing to do it. But I want the content not to become stale, like you always do. And so you have to update every year. "No, we do five years." So, I said, can we at least meet in the middle and do three years? And they refused. They only do a five-year update of the curriculum. And I'm like, that's not going to fly for me. I'm not going to put my name next to something like this. It's a scam. And I'm not talking about a small university. I'm talking about top-tier universities here. So I walked away from the universities, but I still felt like we need to catch up. China is teaching AI to seven-year-olds. They have honors in 12 median science and technology professionals. So, we're in trouble. And I believe that learning is probably the least disruptive space. And after trying to find the right fit with people, I said I'm going to create my platform, because I couldn't find someone to do it. And so I created 'Learn With Nic' and we're launching this month, and we have a lot of companies and governments that will get access, and we're committed to updating the content every year, but also adding more content every other week, and doing a live Q&A session every other week with me live for two hours. And so, we're going to do a lot of cool stuff.
And we're covering a lot of different topics, both on the cultural side, like how to fail fast, learn fast, don't fail twice for the same reason, all the way to technical subjects like Kubernetes, containers, service mesh, GitOps, all the way to acquisition best practices on how to buy agile, to be agile in an organization, what is agile for. So, we are bringing a lot of great expertise and a lot of great guests too. So it's going to be fun.
King: I'm not going to give up on reversing that, either. So you'll be hearing from me frequently. A question about China's focus from an advanced technology point of view: quantum, AI and machine learning. I assume you think they have a lead in AI and machine learning, in spite of what our government would like us to believe and some media experts that claim that we're still leading in AI, which makes me laugh. But on the quantum side, do you have any insight into where they are and how much they are out in front of us and what we need to do to catch up?
Chaillan: First, let me tell you why those people are often wrong saying that China is behind us. I think what people don't realize is the fact that American companies are doing well. And sometimes it's true that we are ahead of China on the commercial side. But what we don't realize is that China mandates their companies to do business with the CCP directly, so they have the best-of-breed of China. And because we're often stupid enough, we also let them steal our secrets and steal a lot of US data as well. So the CCP ends up having a much more comprehensive capability on the military side than we do. Compared with the US, some American companies are leading, but they refuse to work with the DoD and the government. And so, we don't have access to the technology. So, we're so far behind. If it was comparing commercial to commercial, I think the US will win, or at least it will be harder to compare. But when you compare the government side and the military side, it's a no-brainer that we're so far behind. China created the Shanghai Stock Exchange back in 2016 to do some sort of a stock exchange for data. They convinced enough American and European companies to sell the data on the exchange. And the CCP gets a free copy of the data every time there's a transaction being made. Congress and people allegedly representing us don't even know yet; at least 50% of them don't know how to turn on the phone. So they didn't even understand yet the importance of data and the AI piece of that. And then you see Congress working on creating some type of ability to hire AI talent for DoD, with special pay, but they forget that we don't have cloud, we don't have software, we don't have the basics. They just think AI will magically solve all the foundational problems we have in networking and laptops and all the stuff that every company on the planet can buy for a buck, and so that's concerning.
I think it's clear to me that we're far behind, particularly in AI, hypersonics, quantum as well. Consumers, they don't disclose much in China, but from what I've been able to gather, there is no doubt that they are much ahead of us. The government is barely doing anything. First of all, with quantum, NIST just released their quantum-proof crypto. Within a week, a couple of them were already hacked. It's just mind boggling to me how pathetic that was. After a week, all it took is a week with a single-core laptop, nothing fancy. So, we're just so far behind. It's so mind boggling, I wonder if it's the complacency, the incompetence, the silos, but it's bad overall, and we're not doing right by the taxpayer and citizen. We spend a lot of money for little outcomes. And I feel if the taxpayer knew how much money gets wasted, and people get away with it with zero consequences, wasting billions of taxpayer money, and I mean billions of taxpayer money every year, I would assume people would be pretty upset about it.
King: You would think so. You, having spent all that time in the service in those agencies, would certainly know way better than my speculation would be, but if you don't, that's equally or even more frightening.
Chaillan: I remember my first week, where we started to do some prototyping and I was trying to understand the cost. And so, I would see a cost of 50,000 bucks on the commercial side would be half a million at DoD. 10 times the cost, and seven times slower. So, you're paying more to get less speed. It's just mind boggling.
King: We got to put an end to the trail here, which appears to sort of endlessly lay out in front of us. And what we have talked about is not being able to afford to let this happen the way it's happening. I'm not sure how we're going to do that. But I know that education is a big part of that. So even that you have to figure out how to force on people, even within the cybersecurity space, because what's happened so far isn't working either. And education, where we're very certification-focused or certification-centric, not much durable skill beyond that. And when everything you teach is perishable, and it's targeted toward a stamp, a badge or a piece of paper, then you're probably doomed to fail.
Chaillan: I was on the board of some certifications, and I was always pushing that these certifications you just pass when you hit 70%. And it's ABC questions, and you get lucky, you pass. There's no hands-on anything. So you can literally read a book and pass the certification, knowing nothing about cyber, and never touch any system whatsoever. It's scary. That's how we test people. And more importantly, that's how we end up also not selecting the people we hire. Now, I'm going to tell you a funny story. When I was at DHS, I applied, after being in a very senior role, while I was in the role. And I applied to jobs, just to see what the process looked like. So, I went to USAJobs, a beautiful website, and I applied to a few cyber jobs where I was qualified, but out of 150 jobs I applied to, I got picked for zero. It tells you all you need to know. I didn't check the boxes because I don't have a degree. I had certificates. But I would argue they're useless. I don't know if I even made it to people that could actually see my resume and see why it was, because it's almost funny that the chief architect of DHS is getting passed over for jobs. People should wake up.
King: That one is not on my list of fixes. But we have a lot of others. And so there won't be a shortage of work, that's for sure. All right, Nic, sensitive as I always am to the clock here, I think we've pushed beyond our limits. So, as fascinating as it's been, I want to bring you back in a couple of months to see where things are in terms of progress for you personally as well as for our endeavors in education. And hopefully, there's still a Ukraine and Russia at that time. And we'll have much more to talk about. But in the meantime, thank you for taking time out of your schedule to join us today. It was illuminating.
Chaillan: Thank you so much for having me.
King: Sure. Well, as I said, we'll do it again. And thank you to our audience for spending 40 or so minutes with us again this week, and hopefully, you did get some takeaways here that are interesting and can help you with your perspective on what's going on in cybersecurity. Until next time, I'm Steve King, your host, signing off.