Tech Transforms — Interview Transcript (Formatted)

Carolyn Ford: I am really excited to welcome Mark Montgomery, one of the sharpest and most practical minds in cybersecurity policy. Mark is a retired rear admiral, and you might know him as the executive director of the Cyberspace Solarium Commission, and now CSC 2.0, or as the guy shouting from the rooftops that Uncle Rufus's rail switch is what's going to take us down in a cyber war. Mark joins us to talk through the urgent cybersecurity risks we're ignoring, why the cyber insurance market is failing, and what it will take to fix this before the next crisis, not after. Welcome to Tech Transforms, Mark.

Mark Montgomery: Hey, thank you very much for having me.

________________

Uncle Rufus and Military Mobility

Carolyn Ford: Well, you recently spoke on a panel at our Evolution Summit, and one of my favorite quotes was you talking about Uncle Rufus, and how this is where the bad guys are gonna get in. Talk to us about Uncle Rufus.

Mark Montgomery: Thanks, Carolyn. Thanks a lot for inviting me to the summit. I had a great time there. It was an honor to be there speaking alongside some fellow retired general officers, and it was just a really good experience. Look, what I was talking about there is military mobility, and from my perspective, our national infrastructure is generally insufficiently protected. We made a strong argument for that throughout the Cyberspace Solarium Commission. I think that's generally understood to be true: some infrastructures, like financial services, are doing great, with big money invested in them. Some technologies are doing well, but broadly, at the state and local utility, critical infrastructure level, we are underinvested.
And nowhere is this more important for national security than military mobility. Military mobility is the critical cybersecurity and physical security of our rail, aviation, and port infrastructures, those things that allow us to get tanks and Stryker units and brigades and missiles from forts and bases to ports and overseas. And so the best example I have is: if I'm a U.S. Army tank, I probably live at Fort Hood, Fort Cavazos. We keep changing the name down there in the middle of Texas. But I'm probably needed in Korea or the Baltics. The question is, how do I get there? And the answer is, at Fort Hood, Fort Cavazos, I'm loaded on board a rail car that's built for tanks. And on that base, it's great. There's two telecommunication systems, two power systems, two water systems. It's Noah's Ark infrastructure. The Department of Defense tries hard to have security structures on their bases, and China knows that. But as that rail car leaves the base, in a long railroad line with a bunch of tanks on it, it enters a series of smaller rail lines. And I call one of them Uncle Rufus's Rural Rail Collective Number 34. He owns three kilometers of rail. But they are no longer part of the Department of Defense.

Carolyn Ford: That's right. You're off the base now.

Mark Montgomery: Yeah, this is out in the Wild, Wild West. This is critical infrastructure that does not have the redundant backups that you just mentioned on the bases.

Carolyn Ford: That's exactly it.

Mark Montgomery: In fact, what I would say is it goes from, like, Noah's Ark infrastructure to, you know, a Mad Max Thunderdome, right? And they're out there running around. And so Uncle Rufus is like, "Hey, my job is to keep dead steer off the track."
And you're like, "No, your job is to keep the whole track secure, and that includes the rail switching network, which is often cyber-enabled, operating under there." And it's unlikely that, even if they had the intent to protect it, they have the necessary cyber knowledge, the tools, to assess, mitigate and protect their cyber networks. And we have 20,000 miles of what we call the Strategic Rail Network in America. We have 69 strategic airfields, and we have 19 strategic sealift ports. The reason I can say this out loud to you and not get arrested is that this is unclassified information that we publish. And so if the Chinese didn't know for sure where to attack, we publish it for them. And then we update it every couple of years in case there were changes. And let me tell you, what we learned in Volt Typhoon is that they're there. The Chinese figured this out.

Carolyn Ford: Of course they are.

Mark Montgomery: And so this is where they put either their malware or their accesses, their hooks to get back in in a crisis, so that they can disrupt or destroy these critical infrastructures in the time of a crisis, either to signal to us, "Don't get involved in this crisis," or, if the crisis has started, to actually disrupt our ability to support U.S. forces during a crisis. So, to me, critical infrastructure... sometimes we struggle to get things done in critical infrastructure because it's seen as, well, that's a private sector problem or an economic parity problem. Even sometimes people would say, that's a public health and safety problem; that's for the state and local utilities. No. This nation will be more involved if we care about the military mobility of our forces, and by all indications, no President has ever said, "I don't care about the military mobility of our forces." So I really think this is something we need to attack.

________________

Doomsday Scenario and Who Fixes It

Carolyn Ford: So let's go doomsday scenario here a little bit.
We get the tank off the base. It hits Uncle Rufus's rail station, and somehow that rail station has been shut down. The tank can't move past that rail station for... I mean, I guess I'm gonna downplay it a little bit. Like, how serious is it? Isn't the military going to come in and move it? It might delay a couple of hours. Blow this scenario out for me.

Mark Montgomery: So, first, I will tell you, TRANSCOM's sequencing of military movement is actually a ballet. In many ways, it is a highly orchestrated, well-planned-out movement, so if I can start to put perturbations into that, I can offset that. As a Navy officer, I think about running flight deck operations on an aircraft carrier. Each little thing is a component of a larger operational movement, and so that's how TRANSCOM does it. So it is bad to have these delays. And by the way, I don't know that DOD can come to it. I don't think DOD has any special knowledge of how to fix the rail network. What's happened is, the people responsible, and you'll like this, the people responsible for the cybersecurity of the rail lines are TSA, the Transportation Security Administration, the people who greet you at an airport in a friendly way, are the same people who are responsible for both pipeline and rail cybersecurity, and they are grossly underfunded for this responsibility, and they don't have the kind of DOD pots of money to do grant programs and incentivization to get things right. So I actually feel that, once this problem starts, there is not a good solution to it. We don't have the tools to remediate the problem once it's in crisis, and we don't have alternative methods of moving these tanks and munitions and things like that.

Carolyn Ford: We have a rail system, we have an airport system, we have a port system, and we have clearly identified where we can operate from. And once one goes down, it's like a domino effect.

Mark Montgomery: Exactly.
________________

Grant Programs and How to Fund Fixes

Carolyn Ford: You've talked about a grant program. Could that help this problem, and what would it look like?

Mark Montgomery: Yeah, so it's part of what we wrote at FDD, the Foundation for Defense of Democracies, where I work. We wrote a paper on military mobility, and we've written underlying papers on aviation, ports, and rail; the rail one's about to come out. But beforehand, we wrote all the kind of legislation that would support this, and what we determined was that we need some authorities to do assessments, and then we need some appropriations to set up a grant program to fix what we see in the assessments. And so the grant program is not for a Fortune 50 company that happens to own some rail network. No, you're not invited. It's on a needs basis. So we did pass one law in this NDAA, and it says you'll do the rail assessment as part of the Strategic Rail Network on a recurring basis. So that will generate a risk list, and then we'll do a gap assessment, and then you have an incentivization program that pays the small and medium-sized businesses that run a lot of these rail junctions and rail networks. They can access this grant program to help pay only for a product approved by the U.S. government, to fix a gap that the government agrees is a gap from an assessment the government helped do. So the good news is you're not buying, like, 50-inch TVs for the office; you're buying actual cybersecurity tools to fix, remediate problems. It might be a patching tool, something like that, an upgrade of software, things like that. So far, we've got the authorization; next year you go get the grant program. I did not get the authorizations in ports and aviation, but we'll go for them again next year.
But I wanted to get my foot in the door with one piece of legislation. Look, this is right. We all know what right looks like now. Let's go ahead and address this in the next year. And in my experience, when you're getting legislation done, you don't hit a home run in year one; you hit a single in year one, you hit a double in year two, a triple in year three, and then the home run in year four. That's the normal progression of this. And so I feel good that we're starting to move here. The tricky thing here is jurisdiction. What I'm talking about is a DOD national security problem. It has to be solved in the Commerce, Transportation, and Water, you know, all the different subcommittees, Homeland Security. Five or six different subcommittees in the House, three or four different committees in the Senate have to address this, none of which are Armed Services. And that is the definition of the hardest thing to do in Congress: to get someone to handle a problem in their jurisdiction that solves a problem outside of their jurisdiction. But we're gonna do it, and we've got the first piece done, and we'll get all six or seven authorizations and all three or four appropriations over the next three years.

Carolyn Ford: The grant program is in place for rail?

Mark Montgomery: No, the assessment program is, and then the grant will come after, next year.

Carolyn Ford: Got it.

Mark Montgomery: Usually, if I try to sell something with an appropriation in the first year, you'll never get it passed. I have to sell the authorization, then come back and say, "You know that thing we did last year? It actually costs money. Here's the money for it." All right.

________________

Cyberforce: What It Is and Why It's Controversial

Carolyn Ford: Also, I'm thinking about getting people to own something. Even on military bases, I've heard that it's kind of up in the air who owns what.
Because you've got your operational technology, you've got your cyber. Well, who is responsible for what? Who owns what? Would a cyberforce help solve this problem?

Mark Montgomery: Yes. Look, a cyberforce is necessary for lots of reasons. First, let me say what a cyberforce is. We have force generation in the military. That's where you generate forces: you train, maintain, equip them, both the people and the weapons systems, the tools. And then you have force employment. That's how I use the force to impose America's will on another country. So the force employment, we all know what that is; it's called U.S. Cyber Command, and then there's limited cyber capabilities in some of the geographic commands like INDOPACOM, SOUTHCOM, U.S. European Command. And we all know that. That's force employment. That's probably, if I'd give it a grade, like a gentleman's C, right? It's not doing great. But the reason it's not doing great is because it relies on force generation, and the force generation, in our model, only our model, not the Chinese model, not the Russian model, not the Israeli model, in our American model, is that all the different services, the Army, Navy, Air Force, Marines, recruit cyber people, train cyber people, maintain them through pay and things, and then try to retain them through retention efforts. And all of our services struggle, because if I went to the head of the Army and said, "Hey, General George," General Randy George, he's a great guy, but if I said to him, "Hey, what's your number one priority?" he'd be like, "Infantry today." "What's your number two?" "Logistics." "What's your number three?" "Long range strike." "What's your number four?" "Rangers." "What's your number five?" "Armor." "What's your number six?" When I get to cyber, it would be 11 or 12. If I went to the Navy, it'd be like submarines, aircraft carriers; cyber would be 12 or 13. The Air Force, same thing. And the problem is, here's how missions feed at the trough. One through five eat all they want.
Priority 6 through 10 kind of get the scraps that fall aside. 11 through 15 are at risk of starving to death. And this is at risk of starving in all these services; you see it in recruiting. So if I'm recruiting, it's very important to recruit the right people for the military: you have to have the right physical standards, the right emotional standards, the right intellectual standards. And when you look, there's 5 million kids who graduate from high school every year. We need about 200,000, so you say to yourself, "Well, that's only like 4% for the military. We're gonna be great." Except 50% go to college, so take them off. Now, of the other 50%, 70% of that 50% are not physically or emotionally qualified for the military and won't be. So that gets you down to 50%. Then there's a group of people who don't want to join the military, or who have a felony conviction, something like that, where you can't take them, and you're suddenly down to about 10%. Not eligible.

Carolyn Ford: Yeah, way, way too much drug use.

Mark Montgomery: Okay. So now you're down to, what I found is, we're down to about 10 or 12% of the high school class, and we need to get 4% of them to join the military. Well, that's a big job. I know recruiting. I work at FDD in Dupont Circle, and there are recruiting officers in our basement. I talk to recruiters all the time. I know exactly what they do. They go hang out; they've got to get kids who are physically qualified. And if they're Army guys, they're kind of looking for infantry; that's the big number. If you're Navy, you need smart kids; nuclear is your big number. And they go to the high schools, and they hang out outside the locker rooms, and they get the kids who are fit, the men's, the women's. I'm joking, they don't hang out in the locker rooms, but, you know, at the field, they're looking at athletes. They're looking for the men and women who can pass that. They're not sitting there going, "Hey, by the way, who can code Python here?"
"Hey, show of hands?" That's not going on. If we want to recruit a cyberforce, we need about a thousand operators a year, offensive cyber operators, defensive cyber operators, to join per year, maybe 1,500. To get those, I would be hanging out outside all the high school robotics clubs, e-gaming clubs, chess clubs. There's a specific kid, man or woman, I'm looking for. I'm not going to get overly worried about body weight. I'm not going to get overly worried about the number of pushups they can do. I'm not going to get overly worried about face tattoos or excessive weed usage. All these things are correctable, or adaptable. And I would recruit a cyberforce, and here's how I can do that. I don't need the normal thing of, for every 90 uniformed people, I hire 10 civilians, like I do in the Army, Navy, Air Force, Marines. It's more like 95 to 5. I'm going to hire about 50-50: 50% of the people I recruit are going to come in as civilians, 50% will come in through the uniformed services. There's all these kinds of things I can do on the recruiting end. There's all these things I can do on training: now I can save money on training by only having one training command instead of four, and give higher-end training. Now I can do more on maintenance. I got to tell you, my son's a junior officer in the Navy, and he makes maybe $45,000 a year as an ensign. He doesn't think it's a problem, right? Till he finds out that his girlfriend's making $200,000 a year. Now he's like, "What the hell? She works in a private sector company and makes five times what I do. We both graduated at the same time." In other words, Navy sailors don't get mad about their pay unless they're told what somebody else makes, right? Now, this is what we have in cyber.
You sit down at your console as a Navy guy or a Navy woman, and you're doing the job, you're doing great, and someone with the same number of years and the same qualifications, but they're in the Army, and they're on a different assignment, paid a different retention bonus, and they're making 40% more than you. My pay was absolutely fine till I heard you made 40% more than me. Now my pay is completely unacceptable. I'm unhappy, and I'm not going to retain. So we don't maintain them properly. And then we don't let them move back and forth into the private sector. So what I want to do is allow a lot more civilians who can go back and forth into the private sector, and even the military people, allow that, make that a governing principle, that I'm okay with you doing that, because that way we'll cross-pollinate the skills from the military and from the intelligence community and the private sector, in a way that you just don't get in the current military circuit. The military services don't accept this.

Carolyn Ford: Are you suggesting that, while they're working in the military, they can also hold a private sector job? Or you're saying they go back and forth? Like, how would that work?

Mark Montgomery: Yes, both. So they go back and forth; that is the traditional thing. But they can also, let's say they're done with the military, they can go into the reserves, a cyber reserve or a cyber guard, uniquely aligned to the cyberforce. And then they can go into the private sector, and they're equally recallable. They maintain their... you know, this will solve so many clearance and classification issues in the private sector, by having a fulsome reserve. We've tried to figure out how to have a cyber reserve, you know, at least five times. For a while.

Carolyn Ford: Yeah, I've heard about a cyberforce for years now. And I'm just... why? So why has it taken so long? Well, it's still not. Yeah. We still don't have it.
But also, why is it so controversial? And maybe this is why. With the other branches, how would they work with the other branches? Do they have jurisdiction over the other branches' cyber functions? Like, how does that work?

Mark Montgomery: So the first reason it doesn't happen is the Department of Defense hates change. They actually opposed the Department of Defense. They opposed the creation of the Air Force. They opposed integration. They opposed the creation of Goldwater-Nichols. They opposed the creation of Special Operations Command. They opposed the creation of the Space Force. I mean, they're like 0 for 7.

Carolyn Ford: They opposed Special Ops?

Mark Montgomery: Yeah, the original Special Operations Command. They were going to do it within their own services. The reason we have Special Operations Command is Desert One. The failure in the desert got us a Special Operations Command. Yeah. Usually, they oppose things until catastrophic failure. Like, the Air Force came out of the failure to properly develop the air forces in the prewar years, and then, you know, the Army Air Corps did fantastic during World War II, but from a very low starting position. They were artificially held back because of the Army's domination over the Army Air Forces. So, there's a series of these. This is not atypical for large organizations; they're not fantastically enamored with someone else coming up with an idea for change. So that's the first problem. The second problem is, now you're at a good point. They still will need network defense. That remains with them. What I'm talking about is the high-end kind of offensive operations and defensive operations. I think there's like 200,000 people in the Department of Defense for network defense, a mix of military and civilians.
I'm talking about the currently 6,000 to 8,000 doing offensive and defensive cyber operations. That should grow, as you bring them across with training and a few things, to 12,000 to 15,000 when you stand up the force. Now here's the other trick. We created the offensive cyber operator, kind of the cyber mission force, cyber operating force, in 2010, 2011, with a handshake agreement between the services of about 2,000 apiece from the Army, Navy and Air Force and about 300 or 400 for the Marine Corps, about 6,400. In the interim 13 years... that was based supposedly on the Chinese and Russian threat in 2012. So fast forward to 2025. The Chinese and Russian threat has grown unbelievably, exponentially. Right. The size of the Chinese operating force, we think, has grown from 6,000, about the size we were, to 60,000. Our force has gone from 6,400 to 6,700. So we've grown 3% in 13 years, and they've grown 1,000 percent. I'm not saying 1,000 percent's right. I'm not saying their people are better than ours. I'm not saying any of that. But I'm saying a 3% growth in this mission area over the last 13 years indicates only one thing, which is that the military services were unwilling to give up bodies to the cyberforce for its expansion. And that's because if they give up bodies, that means they can man fewer ships, fewer aircraft, fewer aircraft squadrons, fewer battalions, fewer Marine regiments. And they're not interested in that sort of trade space. So, from my point of view, you start out with 12,000 to 15,000, and probably grow to 25,000 to 30,000 over a decade. But that means you need really good recruiting, because you have to get the right people in to grow, because right now, even with the low number we have, we're low and unqualified.

Carolyn Ford: Mm hmm.
It's so interesting that you said cyber is so low on the priority list, because I realize I live in this space, so, you know, I might have a little bit of tunnel vision, but going back to Uncle Rufus's rail station, cyber is the weak link. Not only the weak link, but it is the spot where there's millions of entry points, literally millions of entry points. I don't understand how it can be so low on the priority list.

Mark Montgomery: So it's not low on DOD's priority list. Okay, the Department of Defense's. It's low on the individual services'. That's what the service would say: "DOD, you don't tell me it's my number one priority. You tell me what submarines are." The Navy would go, "You tell me submarines are. I got to get submarines, got to fix submarines. Gotta fix aircraft carriers, got to fix the new sixth-generation fighter." The problem with DOD is they themselves have 50 number one priorities, but if you ask them to pin cyber, they would pin it higher than the individual services. But that's because the services are held accountable, and then there's one other group, Congress. Congress likes the services the way they are now. So when you say, "I'm going to prioritize cyber over buying some infantry fighting vehicle," the Senator from the great state of Infantry Fighting Vehicle Production is going to be like, "Oh, not so fast. We're going to slow that one down." You know what I mean? There's all these equities out there, other than Secretary Hegseth's priority list. So even though I suspect he has cyber high on the list, it doesn't reflect that way in a subordinate command.

Carolyn Ford: Well, you just said it. They have 50 number one priorities, so they have no priority.

Mark Montgomery: Yeah. You can't have 50 number ones. I mean, thank God we have a $900 billion budget so we can make a lot of mistakes, because... I mean, I'm being slightly facetious, but.
Yeah, the truth is, with the $900 billion budget, we should be able to get a priority list and figure things out and be able to handle two major war theaters at once, but somehow we can't. And it's because of prioritization, and cyber is a big victim of that. It is just not the number one priority for any of the services. If you created a cyberforce, here's what I do think of that. The general wakes up in the morning, and their number one priority would actually be cyber. I'm confident that the cyberforce commander would have cyber as number one. If they don't, then we need a new commander. And here's my other trick. I would actually have the Cyber Force commander serve for three years and then become the Cyber Command commander for three years. So we would say to him or her, "You get to build a force that you utilize. If you screw up here, you're gonna be unhappy there." I mean, I'd actually do that, and I think we should do the same with Space Force, personally. On the smaller services like that, where you want concentrated, consistent leadership; the smaller you are, the more you actually need consistent leadership. In the large organizations, you have the kind of Borg of generals that keeps things moving. It's harder for cyber and space forces. So there is a good solution to this. At this point, we're past Congress; it's the President. This is a decision that actually requires the President to make a decision. I just don't think it's been brought to him in a meaningful way.

Carolyn Ford: So your sense of how possible this is, how close this might be, a cyberforce. Is it even close to reality right now?

Mark Montgomery: I think it's gonna happen. Look, there's two ways it's gonna happen. It's gonna happen proactively, because we do the right thing, and it needs to be.
The President really needs to do it in the spring or early summer of next year, because you're going to need two and a half years of implementation by one administration. One of the problems with the Space Force is they started too late in the administration, then too many decisions had to be held up because there's a change of administration, and everything's held up. And so there was this whole, like, Colorado versus Alabama fight for the headquarters of Space Command, things like that. Space Command, Space Force. We need to avoid that by making a decision here. Now look, the one way is proactive. The other way is we get humbled in a catastrophe, in a way that causes people to go, "This system's not functioning properly." Right. And to me, this would be easy. So the legislation's written to support the President's decision. A man named Josh Steiffel, who used to be a House Armed Services Committee staffer, a friend of mine, has actually written the legislation. It's ready to go, but it really takes presidential leadership, either proactively or reactively, but we're gonna get this.

Carolyn Ford: So we just need to get you in the room with the President, is what you're saying.

Mark Montgomery: If I got in the room with the President, this is the one thing I would bring up.

Carolyn Ford: Is it? This is your number one. This is what you would say to the President.

Mark Montgomery: 100%. I just think that this is... Look, I do a lot of work with Taiwan, Ukraine, with other things. None of them is uniquely a presidential issue. I mean, the President is different in those areas, but...

Carolyn Ford: Mm hmm.

Mark Montgomery: That's not... this is an actual presidential policy decision.

Carolyn Ford: Wow.

Mark Montgomery: I think it's logical. It's bipartisan. It's not a "Biden did it wrong, you do it right; you did it right, you do it wrong." This is none of that. This is purely, you're the President of the United States, this is an actual national security need; logically, look at it.
I'd be happy to have the people who disagreed with me, like General Nakasone, in the room, making their counterargument. I don't think it will.

Carolyn Ford: What does General Nakasone think we should do?

Mark Montgomery: Well, I think he thinks that we can iterate on the current system. You know, that we should allow Cyber Command 2.0 to take its course. My answer is that Cyber Command 2.0 is really Cyber Command 9.0. We've iterated Cyber Command eight or nine times, from the Congress, from the Department of Defense, and none of those changes have stuck. None of those changes have made the kind of significant improvement in force generation that's necessary. Plus, in the end, a combatant command, the force employer, cannot also be the driver of force generation. That's the service's job, and in every other warfare area, maritime, ground, space, it's driven by the force generator. Cyber's not different in that context. And then finally, I would say, at the same time, the same people who oppose me on this also insist on keeping the dual hat, which I do as well, the NSA-Cyber Command dual hat. So what they're arguing for is, we want one four-star to be NSA, National Security Agency, Cyber Command, the force employer, and the driver of force generation through Cyber Command 2.0. That's just not realistic. We don't have someone with that kind of bandwidth to do that. You'd have to have a 36-hour day and not sleep. I mean, this truly is way too much, if we're trying to empower one person to do it. So there's a lot of reasons why I think you need this. But I'd be happy to have that discussion in front of the President. I don't think I'd lose.

Carolyn Ford: Yeah. I think you would have... I think the odds would be in your favor, Mark.

________________

Cyber Insurance: Underinsured, Hard to Price, Hard to Get

Carolyn Ford: So let's talk about what cyber can do to our economy. You've talked about cyber insurance.
From what I've read about cyber insurance, it seems not effective. So talk to me about what the blind spots are, what we should do.

Mark Montgomery: I think we have two really big issues. One is we're underinsured broadly. In other words, if I were to look at companies, take a thousand companies in an index, the stock exchange, or in a Fortune listing, and then look at the amount of fire insurance and flooding insurance, or fraud insurance, theft insurance they have versus cyber insurance, they're underindexed there. They don't have near the paper against cyber that they do for everything else. Part of it's a lack of understanding of the market; part of it is a willingness to take risk in cyber, because you don't see the threat. And so there's a similar challenge there. And by the way, this is reflected in, like, law enforcement. If I were to tell you that, hey, 98%, 99% of all criminal robberies, physical robberies of banks, went unsolved, you'd be shocked. I mean, they're not. I mean, we solve, like, 80-plus percent of them, even higher than that in most states. And in addition, we aggressively pursue bank robbers. Right. And we even shoot them as they leave the banks, on occasion, if we can't get them back at the street. But cybercrime, it's the reverse: 98% goes unsolved. And when they say we solved it, really? Oh, yeah, and what you find out is, "Oh, we solved 45 in this one area." You'll find out it's that we arrested one human who did 45 criminal acts, right? Not 45 different bank robbers. I mean, just the juxtaposition of how that law enforcement has an impact on people's decision-making on insurance. But I wrote about this with Nicolson, who is a very smart former staffer, now at IST, about the issue of reinsurance, and the idea of, are we ready for a very big incident? And the answer to that is also, for the same reason, no. And there, we don't have a government backup like we do in terrorism.
So we had the Terrorism Risk Insurance Act, which was put in place after 9/11 to allow real estate construction to happen in downtown Manhattan, so that they could do the insurance on the big skyscrapers, so they built them back up after 9/11. And what it says is the government will get involved in this kind of terrorism or act-of-war kind of activity. But we don't treat cyber the same way. People don't believe cyber would be covered under that. And the Terrorism Risk Insurance Act is up for reauthorization right now; we're pushing to get cyber included as part of it. The committee's not. The staffers will say, yeah, we understand what you're saying, but the members are not wasting any political bandwidth to get cyber added into it. I think it's a big risk, right? Because being cyber underinsured, to me, is a bad message. And I think this really applies to small and medium-sized businesses with very little cyber insurance. But it'd obviously be a big risk for a large company. I think most are starting to insure themselves in cyberspace. I still think they're underinsured. Carolyn Ford: I guess we're getting under them. I've heard that it's hard for them to get insurance, too. So underinsured and hard to get it. Why is it hard to get it? Do insurance companies just feel like the right measures are not in place? Mark Montgomery: Yeah, that's it. Also, assessing risk is hard. You know, and obviously, insurance is one large risk management exercise: risk assessment, risk mitigation, risk management. And so, you know, I think that gets into it. I think there's a lack of understanding. I think the best, the coolest insurance to me, is the one where you go to a company to insure you, and they go, look, the first thing we're going to do is we're going to run a series of penetration tests, you know, live assessments of you. Not training, but live assessments of you.
And you're then going to invest in your cyber defense security to fix those gaps. So up front, there's a bill, but then we will give you a reasonable cyber insurance quote, right? But we get to come back every year and reassess you. Are you patching? That's right. Are you updating properly? To me, that combination, I'm starting to see some insurance companies that have that model of, we're going to insure you, but only after we assess you. Well, you know, that's what you do with life insurance, right? They come take your blood, they make sure that you're in reasonable health before they're going to offer you this life insurance. But they don't come back. And they don't make you lose 50 pounds. What they say is, I'll charge you more, right? That's right. These companies kind of say, like, if you don't lose the weight, we're not going to insure you. And they get you down because they don't want the risk, right? The whole way they've been running this lower-cost paradigm is if they are actively reducing the risk in their customer base. And so to me, that's a really interesting insurance, it might work. I think you still need the terrorism insurance for the big event, but I like that. Look, we've got to get the insurance market working. To me, that would be the sign that we're helping, if the cyber insurance market is working. Because here's the deal in small and medium-sized businesses: they do have fire insurance, they do have flooding insurance. They don't have cyber insurance. Now I'm gonna tell you, a cyber event is more likely than fire or flooding for them, ransomware. And here's the real kicker, small and medium-sized businesses have real risk here. The risk is, if I have a cyber incident, I mean ransomware, it's usually six to 10 to 12 days till I get the keys, either from the criminal or from another source, to get my systems up. Then it takes three to four weeks to get everything integrated and aligned. It could be a very simple firm.
It might be two to three weeks, but it still takes time. Here's the challenge. Most small and medium-sized businesses, particularly small ones, carry like four weeks of float. So I described a four- or five-week process where you're not generating income. What happens is, in two weeks, you have to start laying people off. In three weeks, you have to start selling assets or inventory. And at four or five weeks, you have to consider bankruptcy. So you're going to constantly have a race between a ransomware recovery and bankruptcy. That is not a recipe for a successful small or medium-sized business, so they need to be cyber insured so that they have that. And that will keep them afloat. Carolyn Ford: Yeah, we saw this with Change Healthcare. The pharmacies and small medical providers were at significant risk because they had to continue, if you wanted to keep providing local community services. So we actually had to bump for it, basically a gift without receipts, $4 billion in Medicare and Medicaid payments. And I'll just say the fraud normally is 25%. So I bet, as American taxpayers, we lost about a billion coming back. But we had to push in the money or we'd have lost all these small and medium-sized businesses. I think they are no longer processing their administrative paperwork anyway. It's. Carolyn Ford: So is the cyber insurance problem being addressed by individual insurance companies? You said some of them are starting to do this vulnerability testing and retesting. Mark Montgomery: I think the industry is starting to take this kind of proactive look at it, because you've got to get on board with this. If you're a cyber insurance company and the other ones are offering this, hey... Because part of it also isn't just the insurance, it's the reputational damage. Hey, you were attacked. So. Yeah. If someone offers you, hey, there's a down payment up front to make yourself more secure, and then lower cyber insurance premiums.
Or you can pay the higher premiums and get the event and have the risk of the reputational damage, people will take the first one. I think a lot of companies will create the conditions where they can do the upfront work. Mm hmm, or premiums, and fight and win. ________________ Cyberspace Solarium 2.0 and What's Changed Carolyn Ford: All right, before we run out of time, I want to talk about the Cyberspace Solarium, and what's going on with 2.0. I feel like I read that you'd gotten your 80 pieces of legislation. You'd gotten 75% through Congress. Is that accurate? Mark Montgomery: Yeah. So, we had initial recommendations, another 30 or 40 in white papers, but for both those numbers, we got about 35%, either in legislation or in executive action, you know, some of them didn't lend themselves to legislation, a small number. But we're about 75%. Now, look, of the 75%, some weren't fully done. Some were fully done, like create a National Cyber Director, create cyber diplomacy, authorizations for CISA. And so we were in a pretty good position. I would say we were generally, slowly, you know, we were accomplishing things, but at a much slower rate, because when you have a lot done, it's harder to get more done. But I was comfortable with it, and plus, we had a much smaller staff now as a nonprofit versus a federal commission, but still with Senator Angus King and Representative Jim Langevin being on our board, kind of pushing his House, you know, his former House partners. I felt we were moving stuff along. But I would tell you, and look, anytime you have a presidential transition, you're gonna have a stall. That's inevitable. And if it's between different parties, it's a stall. It's a step back. Maybe a couple. But I think we've experienced a little more than what we expected. I think we called it, in our latest assessment, backsliding.
And it's backsliding because of the removals. It's because we got rid of 2,000 people at the National Security Agency. And we got rid of 2,000 people at the Cybersecurity and Infrastructure Security Agency, our cyber defense agency. It's because we haven't properly manned the cyber diplomacy team at the State Department. And, you know, getting rid of support to what was called the Multi-State ISAC, which does a lot of great work with state and local governments, but also helped with election security, which was a politically sensitive issue to the incoming administration. We got rid of all our disinformation teams. Again, there is a logical argument for being mad at some of the work they did. There is not a logical argument for removing all five or six teams from State, FBI, Justice, the Department of Homeland Security, and the Intelligence Community. We believe Russia, China, and Iran are all aggressively practicing foreign malign influence operations and conducting foreign malign influence operations in our country, particularly China and Russia. And we should be fighting and pushing back against that, and we lost some of that. So I would call it backsliding. It's eminently recoverable. The president has three more years. At the end of this, he can be known as a cyber president. If he creates a cyber force, he certainly will be. And that's probably not a bad part of your legacy, to be the president that really moved the ball forward on cyber. Look, we've hit 25 years. I've been working on this from when I worked at the National Security Council in 1998 on the original Presidential Decision Directives and National Infrastructure Assurance Plans. The stuff we identified in 1998, 1999, 2000, at the National Security Council, 75% of it's still wrong. So no administration's done a great job, since, you know, the Clinton administration through today. Carolyn Ford: Mm hmm.
Mark Montgomery: So Trump 47 can be that cyber administration if they want to, if they properly empower Sean Cairncross, if we get Sean Plankey in at CISA. I think we can be in a good position. But that's a lot of ifs in there. And then you've got to put the resources into this. Carolyn Ford: What are some measurable outcomes that you have seen come from the commission? Mark Montgomery: Well, I mean, more authorities and appropriations for CISA, which was a brand new agency at the beginning of our commission. The creation of the National Cyber Director, so we have a kind of a quarterback at the White House to run things. The creation of the cyber and digital policy bureau at the State Department to kind of run our international efforts. The empowerment, a law that actually defines what federal agencies have to do as sector risk management agencies to work with critical infrastructures. So there's a lot of law in there, but the success of those laws is incumbent on the executive branch to execute them fully. You know, the creation of a Joint Cyber Planning Office to plan for our defensive cyber operations in the United States. Some changes to how Cyber Command is organized and employed. All those things have happened. I feel very good about them, but we are not secure in cyberspace. So, you know, the government's work isn't done, the United States' national security interests are not yet met. And so the commission has more work to do, and we'll keep working it. We'll work with the administration. We could be both frustrated but optimistic, right? Carolyn Ford: Yes. Frustrated about what's happened, but optimistic that there's three and a half more years of opportunity to get things up. And what you have done is impressive. So it was fun, and it was good. Commissions are hard. A lot of commissions have great, like, five-inch-thick reports and achieve nothing; we had a one-inch report, and I think achieved a lot. But we also were very lucky to have congressional leaders on the commission.
________________ Tech Talk: Rapid Fire Carolyn Ford: All right, well, I'm gonna take us to our favorite part of the show. These are our Tech Talk questions. So rapid-fire questions, just answer from your gut, that's just kind of the fun part. So if you could appoint a fictional character to lead Cyber Force, who would it be? Mark Montgomery: I think it's gonna be Batman. I mean, it's got to be someone with, like, a pro cynicism in him, you know, we gotta have a little bit of a vigilante, right? Carolyn Ford: Yeah. Vigilante. There we go. All right. What's one cyber threat that keeps getting downplayed, but shouldn't be? Mark Montgomery: This operational preparation of the battlefield in Kaif. So you, putting in the hooks into our critical infrastructure, just it was, you know, the FBI director mentioned it, and within a couple weeks it was cut out of the news. If they had put 1,000 backpacks with, like, Sec explosive in it, put it on the same infrastructures, and then we found them, we might be at war with China, but because of the manner of intrusion with cyber, it's been dismissed. It is fascinating to me that we refuse to...just say to China, no more. At least just say no. We don't even do that. Carolyn Ford: So, all right, what piece of World War II or Cold War infrastructure would you love to upgrade with today's tech? Mark Montgomery: You know, I say this carefully because President Trump has talked about bringing the battleships back, and I don't think we can bring the battleships back. But if you happened to have four battleships with today's tech, you would have this armor belt that is very hard for anything to penetrate. So you'd actually have a very durable, capable system that could operate in the littorals and do it. In a weird way, this is less about cyber and more about defense tech. There's a unique composition to the battleship, or construction of the battleship, that would make them pretty cool. Having said that, I'm not for bringing back the battleship.
Carolyn Ford: All right, noted. Noted. All right, for leaders listening today, running government infrastructure, business, what's one step they should take this week to start reducing their uninsured or unprepared cyber risk? Mark Montgomery: So I would practice cyber hygiene from the top down. I mean, I know it's basic, but you know, Anne Neuberger used to say this, and she was right. What you have to do, it's not that practicing good cyber hygiene makes you 100% able to avoid attack. But it does make you a less desirable target than the person next door. What I'm talking about there is good passwords, which don't need to be changed, right? Good, hard, complex passwords. Good multifactor authentication, and good phishing training, you know, the kind of what we would say is don't answer emails from Nigerian princes, but really it's more training than that. But if you do those three things, and it starts at the top, in other words the CEO has multifactor identification and doesn't have it taken off because, quote, "I'm too important, I have to get on faster," which is how generals and admirals and CEOs tend to take a look at multifactor authentication. You're not just, you are important. In fact, you're so important, you're target set number one. Carolyn Ford: Yes, yes. Mark Montgomery: And so, you know, the C-suite and the administrators, the IT administrators, have to take the lead on having the best, and I know cyber hygiene is a tough word, maybe data care, you know, having the highest level of data care. That good habit will drive an institution's good habits and make you worse. Carolyn Ford: Yeah, lock your doors, get a dog. When the bad guy comes, he's gonna move on to an easier target. Where can our listeners connect with you and follow you with your ongoing work? Mark Montgomery: So, the best place to go is fdd.org, Foundation for Defense of Democracies. That's where we post.
I have Cyber Force papers on there. You know why you need it, how you do it, and everything has executive summaries. Got a good piece on military mobility in there. We've got good pieces on, like, six of our critical infrastructures, you know, water, rural healthcare, ports, aviation, rails, that kind of stuff is in there. And then I'm on Twitter @MarkCMontgomergy Carolyn Ford: All right, all of that is in the show notes. Mark, thank you so much for joining us today. Mark Montgomery: Aaron, thank you very much for having me. This was a lot of fun. Carolyn Ford: It was a lot of fun, and listeners, thank you for joining. Please tune in next time, share this episode, smash that like button. Tech Transforms is produced by Show & Tell. Until next time, stay curious and keep imagining the future. Thanks for joining us on Tech Transforms. If you enjoyed this episode, please smash that like button and talk about it with a friend. I'm Carolyn Ford, and this is Tech Transforms.