Episode 57

Baked-In Security with Col. Frost at U.S. Cyber Command

Col. Candice Frost, JIOC Commander at United States Cyber Command, joins Carolyn and Mark to talk about her journey as a lifelong learner and how she is applying her skills to the innovative work at Cyber Command. From the importance of public-private partnerships to teaching our kids healthy cybersecurity habits, Col. Frost offers her valuable insights on how we can all think innovatively and better secure our nation.

Episode Table of Contents

  • [0:29] Col. Frost’s Journey to Being the JIOC Commander at US Cyber Command
  • [8:04] How US Cyber Command Came to Be
  • [16:04] Understanding the Nature and Psychology of War
  • [23:35] The Parts Played by US Cyber Command in Our Security
  • [30:46] The Thrill of Working at US Cyber Command
  • [37:55] How US Cyber Command Keeps Everyone Safe
  • [44:31] Nothing is True and Everything is Possible

Transcript

Carolyn:

Welcome to Tech Transforms, sponsored by Dynatrace. I'm Carolyn Ford. Each week, Mark Senell and I talk with top influencers to explore how the US government is harnessing the power of technology to solve complex challenges and improve our lives. Hi, thanks for joining us on Tech Transforms. I am Carolyn Ford here with Mark Senell. Hello, Mark.

Mark:

Hello, Carolyn.

Carolyn:

Today we welcome Colonel Candice Frost, Joint Intelligence Operations Center Commander, JIOC, at United States Cyber Command. And we're excited to get Colonel Frost's insight on the Cyber Command, how it's working to create a center focused on all source intelligence, and how the JIOC enables the DOD to continuously stay ahead of the adversary. Welcome to Tech Transforms, Colonel Frost.

Candice:

Thanks so much for having me. It's great to be here.

Mark:

Yeah, we're happy to have you.

Carolyn:

And how are you doing today?

Candice:

I'm doing good. Things are moving along in Cyber Command today. Yep.

Carolyn:

Well that's good to hear. Well, I am fascinated by your career. So I've done a little cyber stalking, and learned that you were with the Army for 20 plus years in various parts of the world, and have worked your way to being the JIOC Commander of the United States Cyber Command. And would you mind taking a minute and just sharing with our audience your journey to becoming JIOC Commander, and your role at JIOC?

Candice:

Sure, and thanks for having me on here, and it's great to get to tell your listeners about how awesome it is to work in Cyber Command, and the impactful and meaningful work that we do. I started as a very young padawan near Muscatine, Iowa, and I never in the world imagined I would end in my career right around Washington DC, and have such an impactful job, as I've maneuvered throughout this space in the military. I was very fortunate to go from Iowa to West Point, New York, and go to school at the United States Military Academy. And after graduating from such a transformative leadership laboratory, and in an environment that really sought out how to challenge oneself in totally different ways, it sparked in me the sentiment to really seek out hard jobs that challenged me.

Candice:

But through those multiple challenges, I had a chance to learn by doing, in each step and each iteration of the different jobs that I was in, and the environments of growth that I got to maneuver around in. So whether it was deployments to Bosnia, a couple to Afghanistan, being in a really tough combat environment, I took the opportunity to focus in my world that I live in, which is military intelligence, to look at those threats to our national security. And that's really the common thread that's weaved throughout my career, is where have I leaned into? And it's been in national security, all the way from counterinsurgency operations to where I'm at, and cybersecurity. I've had a dynamic role as it's changed, and I've had a really good ride throughout my entire career.

Mark:

So was the start more around intelligence? Was that the core of what you did? Because I imagine as you think about over the course of your career, cybersecurity, IT, the cloud, all these things, they probably didn't really even exist like that, in that fashion, when you started.

Candice:

Exactly. Yeah, exactly. And I think that's one thing I tell young professionals. I'm really lucky to get to teach as well. The things that you are seeing right now in your studying at your undergrad or graduate level, they might not even exist 10 years from now. There may be a totally different and dynamic threat, but if you understand how to be a learner, and look at new problems, and think innovatively, you'll find great success in that. And you're absolutely right. There's no way I would've thought in my computer science class that I would've ended up at this really wonderful, dynamic command. I started in my very first assignment was really with counter-narcotics and looking at different arenas there.

Mark:

Oh, interesting.

Candice:

So yeah, it has moved in all sorts of different areas, and that's where you've just got to be able to lean in to think about how do threat actors act.

Mark:

I got to put you on the spot here. What was the language that you learned in that first computer science class?

Candice:

Oh my gosh.

Mark:

Was it C+?

Candice:

Yeah. Oh, that was the grade I got. Yeah. Yeah. Again, I joke with other people, I'm a Poli Sci person, and that's again why I keep telling audiences, look, there's a big tent in cybersecurity and we need people from all different walks of life to come join us, because it's just such a... It's a hugely dynamic environment, but we've got to have people that think in totally different ways, and that's what I bring to the table.

Mark:

So your path went from intelligence, military intelligence into cybersecurity, which I mean, you see the journey and how that applies. Do you see a lot of the folks in the military going from the intelligence into this, or is it more the IT direction where you're getting people?

Candice:

Great, great question. I really think it's a bifurcation of both. I think you have that heavy tech skill that comes in, and they grapple with the really hard both engineering, computer science, data problems. We have amazing data scientists that are on board that do this as well. And then you have the people that kind of critical, creative thinking from a different perspective of, they understand how do malicious actors act? It's not that different from understanding a criminal that's breaking into a house, as to how does malware and ransomware work? Once you understand the mechanism and the delivery of different means and methods to obscure their actions, or collect information, there's a very linear path that you can follow that lends itself into this space.

Mark:

Oh, that's interesting.

Carolyn:

Yeah. So first I need to... I don't even know if Mark caught this, but you made my day by referring to yourself as padawan, who has now gone full Jedi. Thank you.

Mark:

I didn't catch that.

Carolyn:

And I don't think so. It's okay, Mark. It's okay. I want to know more about JIOC, and how it enables the DOD to stay ahead of the adversary. I guess let me pause there and have you respond to that.

Candice:

Absolutely. So our short term for the calling of this organization, the JIOC, because we have an acronym for everything, and definitely in the cyber community they have more acronyms than you can imagine in the Department of Defense. They win. But my role as a commander, I have about 300 phenomenal employees from both the Department of Defense, all the uniformed service members, that makes up about 25% of my organization. But about 75% come from the intelligence community, and the Defense Intelligence Agency and the National Security Agency, and we even have some NGA employees, some wonderful GON teammates that are with us. And those great analysts come together to really look at how do we look at really dynamic problems in this ecosystem of threats that exist in the cybersecurity world.

Candice:

And we provide, whether it's advice to the operators that are on the physical networks doing things for offense or defense, and we also, writ large on a larger scope, provide advice all the way up to both the Joint Staff, and then the National Security Council, on here are the large threats and these are areas that we should pay attention to. So it's really great to lead an organization of incredibly dynamic individuals who really want to make sure our networks stay safe and secure, and it's a fun ride that the JIOC has been able to really grow and serve the community well.

Carolyn:

I like JIOC. It's better than J-I-O-C. JIOC sounds like a Star Wars name too, so-

Mark:

It is cool.

Candice:

Thank you, yeah, there you go.

Mark:

So it seems like this journey, from an industry person looking in, it seems like that the government agencies tackled this stuff all their own, and then we created the US Cyber Crime-

Carolyn:

Individually you mean, different-

Mark:

Yeah.

Carolyn:

Yeah, yeah. Okay.

Mark:

How has the communication and collaboration morphed over your time seeing the development of this stuff? Because it seems like a bigger issue than just one agency being able to tackle it. It seems like we'd be much better doing it this way, obviously, but...

Candice:

Right. So our work and our role at the Department of Defense, we are truly external facing. Those threats that are coming in from other nation state actors. We have great partners with the Cybersecurity Infrastructure Security Agency, and CISA, and Homeland Defense, and also the Federal Bureau of Investigation. So both the FBI, CISA, ourselves, the intelligence community, NSA, it's a true collaboration, but it's not just in government. This isn't a problem that merely government employees can solve. We need to partner absolutely with... And we have found great strides with partnering with academia, and also partnering with the private sector and businesses. Not only those that we hire for what we do, but also for collaboration.

Candice:

The Cyber Collaboration Center is a great example of that, hosted by the National Security Agency, and they do, Morgan Adamski runs just a phenomenal organization of reaching out to businesses to talk about, "Hey, these are things that are upcoming and potential threats, but we want to also make sure things that come into the defense industrial base are really secure." And so that work, that effort, has grown in just leaps and bounds over the last couple of years. Cyber Command is, we're truly teenagers. We've only been around for so many years, so as one of the truly youngest, not counting Space, but as one of the younger combatant commands, we have found a different way of doing business, and supporting the other land holding combatant commands in a different and unique perspective.

Mark:

When you talk about partnering with academia and industry, I see the positives that you leverage there, but I'm a natural cynic, so I've got to say this. How do you grade the risk of working with the two, like industry, and what kind of risks there could be? There was that-

Carolyn:

You're opening up vectors, right?

Mark:

Like SolarWinds. Like SolarWinds and even academia where people now are saying, oh, where there could be foreign influence in there. How do you grade that out?

Candice:

So I think it's not necessarily grading out, but it's looking at, "Hey, what do you do best?" We have to understand, and it takes a person that leans into different sectors, things that are done in business, there's a different motivation and initiative for that sector versus the academic sector. There may be people that are very motivated by sharing information with someone else, collaborating or writing a book, or writing papers, or even working towards tenure. That's something that we see very differently. So it's understanding where we can harvest the best parts, and not...

Candice:

ening all the way back to the:

Carolyn:

Can you talk more about... Okay, so you just talked about one threat trend is that disinformation. Can you share what you think the trends are, especially coming up with the elections, what you see the biggest risks and trends?

Candice:

So when we look at different nation states and the work that we have done with great power competition, we really truly see the laboratories and businesses across the globe. They're reaching almost a critical inflection point. And I'll speak specifically to China and Russia because their reliance on adversary, truly microelectronics to accomplish their state goals, to modernize, and there are big areas. Not just the elections and the information domain and that ecosystem, but also in quantum science, biotechnology, artificial intelligence, and then automation. Those are really big areas that we see going forward that we have to pay attention to in our world, that looks at different threats. China does a very unique way of looking at a whole of nation approach, much different to the way we do whole of nation, of the greatness of democracy and our capitalistic formula of business.

Candice:

They are very focused on how their tech develops, and then also obviously sharing with the People's Liberation Army and how they behave, both integrating tech. We know that they're really looking at AI and how that can constitute an almost major revolution of military affairs. I'll geek out in the army terms on you. What would be a truly changing tipping point into how we fight our nation's wars. China is leaning into that, but I'd be remiss to not mention Russia, and how they've worked with China incorporating AI, but the applications that they've seen in both getting speed and effectiveness by using different types of technology. We've seen their attempts at strides in Ukraine, but at the end of the day when we really harken back to what the nature and character of war, that nature of war really has remained the same. The characteristics may change with its looking at quantum computers, something like that, but really the nature of why states fight each other has remained really the same. And we see that in Russia-Ukraine right now.

Mark:

So that's interesting. And if I heard that right, it sounds like maybe the psychology of the nature of cybersecurity, offensive and defensive, is critical. Understanding the psychology, and that helps tremendously.

Candice:

And we've had some great academics come and help us shape our strategy. The goal of persistent surveillance is that area that we have put the stake in the ground, to say there's a method to how we see the world with respect to great power competition, and we've got to constantly remain aware. Dr. Goldman is one of those thought leaders in this area, that she is someone that the research that she's done, and looking at this is worthwhile to really look at.

Carolyn:

Her research in AI, or in-

Candice:

Oh, her research in how we view ourselves in strategy and cybersecurity, and how we leaned into the doctrine of persistent engagement and what it really means.

Carolyn:

What's been one of the most effective ways you've seen China and Russia implement AI?

Candice:

I think the most effective way we've seen both of them work together, not per se always in AI, but in different areas when we look in this technological domain and the silo, they really require foreign equipment. They require materials and intellectual property that comes from all around the world. This isn't internal to them. And for ourselves, protecting that is... It's incredibly tough, and we've seen things of this administration with respect to sanctions, but that still isn't able to always answer and stop off all the demand and need they have for, whether it's microelectronics, or different chips. We've tried to stop this, but it's an area that's really tough to cut off.

Carolyn:

Well yeah, and to your point, trying to stop... So the FCC, I hope I'm getting this right, it's pretty recent, they put a ban on Chinese components, right? What do we do about the Chinese components that are already embedded in all of our systems? And that might be more than we have time to address.

Mark:

You're talking TikTok, right?

Carolyn:

Well TikTok, but also Chinese components in our technology. But yes, TikTok too. We can go there.

Candice:

Well, what I'd say is number one, I don't let my kids download TikTok. I'm unpopular mother of the year. But number two, I think that was addressed really in the CHIPS Act, and we have the aforementioned, the great work of Ms. Adamski and the work that she's done in the Cyber Collaboration Center. We are trying to lean forward, especially the National Security Agency is, and saying, "Hey, we need to help, and let's talk through this. Let's have a conversation and make sure our networks are as secure as possible, and also the components that are used, especially in things that service the national security." So it is a continual conversation that we're having.

Carolyn:

Have there been any trends in security, or cyber threats that have surprised you, or that delight you? I mean, I know stories that actually I think are very funny when it comes to cybersecurity, but also serious. Are there any that you can think of?

Candice:

I think one of the more serious ones that I have seen propagate is that the good news is that hard targets are getting harder to maneuver in and towards, and that's the strength of hundreds of thousands of people that are working in this field. The bad news is-

Carolyn:

What do you mean by hard targets?

Candice:

Harder targets with respect to the banking industry.

Carolyn:

Got it.

Candice:

Some of those areas that are really, when we look at critical infrastructure, we're not 100% there, but some of those areas that were persistently targeted by either nation states, or bad criminals and actors. They've done a great job of growing their resiliency and hardening themselves, and that's really phenomenal to see in a short period of time. But the bad news is that sometimes cyber bad actors, malicious cyber actors are going for the easier wins, and that's targeting things like school districts, targeting and holding unfortunately children's information hostage, and asking for ransomware payments. And to me, we have seen such an exponential growth in that area targeting schools that it's just really shameful. And we'll have to figure out how do we really crack this nut.

Candice:

It's a growth opportunity for students, I think, to see where do you start and understand that maybe 100% trust isn't awesome, and putting all your information out there may not be the way to go in life, those small steps. But we also don't want to live in an environment of fear, and I think by teaching kids about cybersecurity early, just as we used to teach kids about buckling their seat belts when they got into a car. As a mom, I threw my hands up in great glee the first time I heard both kids buckle themselves in. I want to have that kind of cyber moment in our heads, of security, when each of our users on any platform at all buckles their seat belts in for safety. We've got to make that... MFA, multifactor authentication, we've got to understand, things like that have just got to become second nature, and look at-

Mark:

That's a bigger task than you realize.

Candice:

Yeah, yeah, but so were seat belts back in the day, right? There were a lot of protests against that, and people didn't want to have to do something. The government was telling them to do that. So how do we encourage companies to bake safety in before the product is launched? That's another pivot that we can go down, because you run the risk of having all of your intellectual property stolen. Nobody likes to be robbed. So how do we encourage that? Again, this is a process, because this dynamic environment constantly shifts and changes, and that's why it makes it such a wild ride.

Carolyn:

I would love-

Mark:

Is this the strategy-

Carolyn:

Oh, sorry, go ahead.

Mark:

I'm sorry, Carolyn. I was going to say, is this a strategy of nation states to distract us from other things, and go after those softer targets that you had mentioned? Or is it more like what you might say law enforcement, right, criminal element?

Candice:

We're seeing it as a lot of cyber criminals that are out there, but we would be very remiss not to point to, we know that Russia has used proxy actors in the past, especially to target the seams in our culture, between different groups in America. To really dive into in the information domain, and to try to bifurcate us, and split us as Americans. And they've been pretty... There are some great CISA documents out there that talk about how disinformation has been used by different groups.

Candice:

So I'm remiss to point the finger and say this is exactly one thing, but I'd say it's things we should pay attention to, because even if it's a script kiddie, that somebody is just learning for the first time and wants to test their hacking skills, it's still illegal, and we need to make sure that we're protecting the vulnerable that are out there. I protect the nation as a total, especially our Department of Defense information network with my amazing peers here, but we all have a part to play in this, and I think that's a pivot we're going to have to start to take as a nation.

Carolyn:

What would be your top, easy hits, best practices for protecting against some of the biggest cyber threats that you see? And you kind of started to go down the path a little bit a minute ago, but...

Candice:

Yeah, I think, gosh, boy, Director Easterly and the work that CISA puts out, you'd start there. And then you go with the top shelf, you're going to get the top shelf answer, because they have really put out great insights into whatever size business you are, the individual user. CISA works with small, medium and large size businesses to really ensure that they are working in a way that protects themselves, but also they can continue with their business. And they're not so hard to get to that they've shut off the valve to making money and making a profit for themselves. So I think that would be my starting point for everybody listening.

Carolyn:

Okay. I'm not going to lie, when I start digging into CISA documents, I can feel a little overwhelmed. There's a lot. There's a lot. But it sounds like you can zero in on what applies to you the most. So if you're a small to medium business, go to those sections of the CISA documents.

Candice:

Absolutely. It is a process, and sometimes I feel like you have to have a PhD in information technology and cybersecurity. It's exhausting. So I always tell people, bite-size pieces, whether it's a five minute podcast you listen to or you just say, "Hey, I'm going to allocate so many minutes of my day to look at this," or I'm going to look at, "Hey, do we need to hire somebody in cybersecurity or on the resiliency side?" Those aspects are easier thought of ahead of time rather than when you need to sound the 911, all the alarms, and all the bells and whistles. If you're thinking about that ahead of time and it becomes a part of your corporate culture and your board, it's so much easier to do in advance.

Carolyn:

Yeah.

Candice:

And you're safer.

Carolyn:

You mentioned earlier, you said how do we bake this in from the beginning? So how do you bake it in from the beginning? The cybersecurity?

Candice:

I think absolutely you have to look at where the highest layers of risk are, and whether, if you're in the tech world, where those areas are that... We use a tremendous amount of open source code. And so what parts need to be protected? When you look at your business, where are the crown jewels? Obviously I'm going to make a reference to Kentucky Fried Chicken, KFC, their secret spices. They protect those crown jewels like no other. So each business is unique in what is incredibly important, and then where those are areas that you can either hire out, or are not needed to be as guarded. We do the same thing in the military. Where are those areas that we have to have a large, huge area of defense for our nation's most critical secrets, all the way down to areas that we still don't want to share, but it's not as important. And I think really prioritization is a starting task for that.

Mark:

Colonel Frost, so you mentioned this a little bit, but how do you utilize newer technologies like, for example, observability in everyday cyber operations, as you deploy effective cyber defense strategies?

Candice:

So I think one area that we have found, and I'm going to say less so of the things that we use now, but things that we knew we were missing, how about that? And holes in our swing. We had to reflectively look at ourselves, and Russia-Ukraine was a great example of where are areas that we just don't have information on. And that's truly foundational intelligence we found in this sector. Akin to that, I can make a comparison for myself and the army. If I look at a T72 tank and I can tell you the range, the speed, every nut and bolt of that system, and all the different bits, components, who makes up the order of battle, all the way down to the lowest level possible. We don't have that, unfortunately. And that was a big hole in our swing in this domain, in cybersecurity.

Candice:

It's not for the lack of want, it's just for the fact that each of the services has their own portion and piece of the intelligence community that's theirs. That dives into science, technology intelligence, and then order of battle. So by noticing that and working with the Defense Intelligence Agency, and sending up a lot of requests of how do we get this information, it was very evident that the need for a center to provide this information was an area we had to maneuver into. So whereas we had provided great, wonderful intelligence to help out those ethical hackers that were out there doing offensive cyber operation, there's just so much information that one JIOC, as mighty as the 300 people that we have are, couldn't contain all of it. The same thing with the defensive aspect. There's just so much info that was left on the cutting room floor.

Candice:

So we put that up through a request to the Department of Defense, and luckily we were able to get the concurrence of the Defense Intelligence Agency, and the National Security Agency to go up to the office of the Secretary of Defense for intelligence and surveillance, and really get them to say, "Yes, we are seeing this is a need," and they formed an executive steering group. So what it will look like in the future, that's the beauty of this. When will it exist, where will it be? We don't have answers to that yet, but we do have the acknowledgement of the absolute need that a service intel center is needed for this domain. And I think that's a huge step in the all source world, because things that are observed, the silo of signals intelligence that the NSA provides us, is phenomenal and very deep, but we need the entire picture. And it's going to be quite the journey for future people that are coming into this space to take that torch on and move forward.

Mark:

The growth of US Cyber Command, to me, seems like probably, if I were a youngster coming into this field, that would be such a fascinating place to be. It seems like that's where a lot of things are going.

Candice:

There are a lot of things maneuvering in this area, but we're also just a component of the larger part of the military, and I think that's the most exciting part is that you come and work here, you get to serve your nation and learn incredibly exciting technical aspects of this domain. It's quite the journey, and I'm a testament to, you don't always have to come in with a computer science degree. You can come in with very creative ways of solving problems, and there's a place for you here.

Carolyn:

Does the new center have a name?

Candice:

It does not yet. We're looking at the Cyber Intelligence Center writ large, and then I think down the road they'll start to look at how this individual center will grow and expand. But what we recognize, there are lots of individual businesses out there that deal in open source information and intelligence, and we have to be able to find ways to incorporate that into the work that we do. Because so much, especially we've learned from Russia-Ukraine, is in open source intelligence.

Carolyn:

So how do you see it impacting the public sector, this new center?

Candice:

So I see the work that's done through, especially in the public sector, less so it would be more of the defense industrial base that it would have a focus on, and less the larger... Again, we are just a piece of the puzzle of the work that Cyber Command does to protect the Department of Defense Information Networks. That's our number one remit, but in larger areas that bleed into that, it's the critical infrastructure. That's another job that we do. And I've spoken before about the elections. That's just one part of critical infrastructure in our country that we lend a hand to and work hand in glove with CISA and FBI.

Carolyn:

Will you lead that center?

Candice:

Probably not. That center will stand up several... Who knows when? Again, it's moving along the path of our Department of Defense, so I will probably not be in uniform when that thing kicks off.

Carolyn:

Oh, wait a minute. What does that mean?

Candice:

Yes, I am gleefully headed towards the wonderful world of transition out of the military and towards concluding my military career after 25 years, and pivoting into the next sector. And it's an exciting journey that I'm looking forward to.

Carolyn:

Congratulations.

Mark:

Yeah, congratulations. And I see a perfect segue here. Going to help industry make that connection, right?

Carolyn:

I mean, what-

Candice:

Yeah, yeah.

Mark:

What a resume for that.

Carolyn:

Okay, let's just go crazy here. There have to be things that you just feel like you're banging your head against the wall that maybe you think once you get into the private sector, maybe you'll be able to influence, at least from a different angle. What would be your first wish to make things better from the private sector angle?

Candice:

I think one of the areas from the private sector angle that I bang my head on, and this is almost a... It's a personal thing as well. Wouldn't it be nice to have someone, you have a trusted agent? And we've got a lot of things going on, but we have an app now that I can order groceries and it comes to my door. Wouldn't it be nice to give all of my computers, all my cell phones, "Hey, could you just look on these, all of them, run through everything, and make sure it's safe and secure?" It's almost like a seatbelt for my family. Something that really you expect the end user...

Candice:

And I think a lot of companies do this, they expect us to have a PhD level, or a legal degree, to understand what we are clicking. Or sadly, and I don't think it's intently done maliciously, but just we bypass a bunch of things that don't necessarily keep us as safe and secure as one would hope or wish. That's one big area. How do we keep kids secure? I work in this arena, and yeah, I'm the evil mom that doesn't let their kid on TikTok. Well, there's a reason for that. So we can say these things, but where's the way to really show people this is how it's done, and make it easy? That's the other part. Just make it really easy.

Carolyn:

Exactly. If it's not easy, we're going to figure out a way around it.

Candice:

Especially our kids are.

Carolyn:

Yeah.

Mark:

We do all this type of training in industry and the private sector. You would think that they would be doing the same thing in schools, just like they have sex education, right? You would think that-

Carolyn:

Yeah, but come on, Mark, this training, come on. We're just like, how do we get through this? How do we beat the system to not do the training?

Mark:

Yeah. Well.

Carolyn:

Maybe we gamify it.

Mark:

You mean like AI?

Candice:

Well, it's that, and we have to look at our educators. I come from... Gosh, I'm a fifth generation teacher in my family, and so we have a long lineage of teachers. And when you look at how much is put into a kit bag of an individual teacher, and the expectations, there's just so much that's added on. And they've got to say, "What give? Where are the areas that I can scrape off and where are the areas I've got to pay attention to?" I think the Department of Education's done a good job of leaning in. We've really, a ton of nonprofit organizations have taken this mantle on, of increasing the ability to do robotics and coding in schools.

Candice:

But it just can't be left for kids that are an A plus in math, because people that think in ways of design, or they want to be something very creative, or work in music, you don't want to be a musician that gets all your music stolen from you. So teaching them those kind of things with respect to safety would be a great way to just incorporate it into your everyday. We used to, way back in the day, we would climb under our desk to do drills for a nuclear blast. Some of your listeners may remember that.

Carolyn:

They do those still for earthquakes, but yes, I remember the nuclear blast drills.

Candice:

Right. So if you know how to go under a desk for a tornado, or an earthquake, or some kind of natural disaster, why shouldn't we say, "Okay, kids, open your phones and let's make us safe, make us the most secure that you can be." Or, "I'm going to walk through these things." I think there's a space for that, and I am absolutely sure there are a ton of nonprofit organizations that have done this, and want to do even more in our country to keep our kids safe.

Carolyn:

I love that. I love that idea of doing a cyber drill, because I think it would be more useful than saying, "Get under your desk. Your desk will protect you from a tornado." I think that a cybersecurity drill would actually be useful.

Mark:

Well, for kids today, it's as easy as getting under their desk because they know how to navigate devices and technology.

Carolyn:

Probably easier. Yeah, exactly. Exactly. All right.

Mark:

I like it.

Carolyn:

We get to move to our tech talk questions, Mark. You know I love this part, so I get to ask the first one. Colonel Frost, if you could go back and give your 18 year old self a piece of advice, what would it be?

Candice:

I do love this question, and the fact that I had to think way back to 18 years old when I was leaving Iowa, for the journey forward into the great unknown. And I would whisper in my own ear, "Give yourself grace. Give yourself the ability to take pause and reflect on situations you're in, because you're going to be challenged in many different ways, and in ways you never could imagine. And you're going to do things that are going to be not only life changing for you, but for generations that follow you, with respect to the advent of changing laws, to allow more doors to be opened for women." I mean, it's been really incredible to see this change in our military, but along the way, I tend to be a person that breaks the rules and then asks questions later, and sometimes you have to just take a pause and a deep breath and say, "Okay, on to the next challenge," and give yourself the grace that it's not always a linear path. Sometimes your trail is going to be pretty messy and tough to cut through, but gosh, it's a great end result.

Carolyn:

I love that, and I love that little piece of advice for yourself as you start this new chapter of your life.

Candice:

Definitely. Yeah, for sure.

Carolyn:

All right, Mark, you get the next one.

Mark:

Okay, so if you had to describe a skillset or a personality trait that would best suit people moving into this industry, what would you say it would be?

Candice:

Absolutely, no doubt, you have to be a lifelong learner. You can't just learn Python and be good. You can't just learn C+ or Net Plus or Security Plus. I think that, for some people with high anxiety, it makes this job really hard. And for those with depression, they just want to put their heads under the covers. But if you're a lifelong learner, and you're the type of person that has an insatiable appetite for something that's new, and to take on new challenges, and to realize you're never going to be the expert, you can't possibly be the person that knows 100% of the information. But you're willing to learn and learn new skills and do new things, that is what is so incredibly pertinent to being successful in this field. Absolutely.

Mark:

Great. Nice.

Carolyn:

Yeah. All right. I'm always looking to build my entertainment list, so give me stuff that you like to listen to, or read, or watch on your downtime. I mean, it can be techy, but it doesn't need to be, I mean, it can be just total trash novels. I really like those.

Candice:

I didn't expect the trash novels. So I'm going to go, I have a couple of techie things. I'll do techie last, but I would start, gosh, the show Severance on Apple TV?

Carolyn:

I just started it.

Candice:

Oh my god, that's my life. Anybody in the intelligence community, I'm like, "You've got to watch this show. It's-"

Carolyn:

Ultimate air gapping.

Candice:

It's really true.

Carolyn:

Right?

Candice:

Yes, but I just literally started, so I don't know.

Candice:

Okay. I won't give anything away, but it is pretty fascinating in the fact that they're pretty spot on, in how you have to bifurcate the way your life is. So I appreciated that, and I'm going to bring out the bibliophile in me. So I'm a book reader. Oh, I'll hit podcasts next. Afternoon Cyber Tea is great. I think that's-

Carolyn:

What is that? Afternoon...

Candice:

Afternoon Cyber Tea. Okay. It's a Microsoft-sponsored product. Ann does a great job of walking us through, "Hey, how are things seen?" And she's got a real depth in the field, so it's fun to hear people that she's interviewed, and changes that are trying to be made in cybersecurity. I'd be remiss to mention, I have listened to CyberWire for two straight years, coming up to Fort Meade. CyberWire's a phenomenal podcast that just constantly keeps you up to date and then Click Here is just fun. The storytelling ability, grabbing somebody from NPR and putting Erin into your podcast. Brilliant move by The Record and the work that they've done at Recorded Future for that.

Candice:

So moving lastly to, I am a total geek, I'm a book person. That's the way I think best. And I would say so the three that I have read that have been kind of techy, most impactful, Amy Zegart's Spies, Lies, and Algorithms. She's a Stanford professor. She teaches about the intelligence community and also kind of how we've used this space that I'm in now. It's insightful for someone who has never been a part of the IC. It's like, man, she picked up on a lot of stuff.

Mark:

We got to get that book.

Candice:

akdown. An older one, I think:

Candice:

And last but not least, Jacob Helberg's The Wires of War. He does a really good job. When I look at where we're at right now, and how we need to maneuver forward in this space, The Wires of War is one I give to a lot of people because it really talks to, we've got to be aware of where Russia and China, especially China, is in this space, and we can't continue down the same path. I don't want to be a warmonger here, but it really talks to the whole of nation approach and especially how they view things. It's good for anyone to read and understand why it's so critical right now at this juncture to lean into this space. And those are my entertainment areas.

Mark:

Wow, that's a pretty good list, Carolyn. We got to get those all in the show notes.

Carolyn:

It's a great list. We'll get them in the show notes and good recommendations. I started Severance, I don't know, maybe a couple of months ago, and the first 15 minutes of it just made me really... It kind of scared me, and I was just like, "I can't watch this." So I stopped and then I started watching it again a couple of nights ago and I got through the full first episode and I'm in. I'm just thinking, man, this is ultimate air gapping right here. This is the way we do it. So well, before we end, is there anything that you would like to say to our listeners? Anything more? I mean, you've given us so much, but...

Candice:

No, thank you. It's been a real honor to be a part of this. I've enjoyed participating and speaking with you all. And my last bit of advice I give to a lot of people I speak with is, be a mentor to someone out there that doesn't look like you, walk like you, and talk like you. You got there by somebody else gripping in on your hand and helping pull you up. Each of us out there has a responsibility, whether you're a high school student, to reach out to another friend, or all the way up to college, starting your first job, there's somebody out there that could look to you for advice. So be that person.

Carolyn:

I love that.

Mark:

That's great.

Carolyn:

And I just want to, this is personal and we may have to cut this out, so I just want to say thank you. When I was in high school, I told my dad, who was a colonel in the Army, that that's what I was going to do, that I was going to be the first woman general. That's what I told him. He was a Cold War Colonel, and he trapped me in the car to my grandparents, which was a 45 minute drive. Seemed like the longest drive in the world when I was a kid. And he just told me all the reasons why I would not be doing that. And there was nobody at the time that looked like me. There were no role models, there were no yous. And so in another life, maybe I'll be you. I just thank you, I really... This has been...

Mark:

Yeah.

Carolyn:

It's been good talking to you and seeing all of your success, and seeing what you've been able to accomplish. It's incredible.

Candice:

men: doing great things since:

Carolyn:

Yeah.

Mark:

That's inspiring stuff. We really thank you for being on the podcast. It was really entertaining, as well as inspiring.

Carolyn:

It was very entertaining. We really appreciate your time. Thank you to our listeners. Share this episode, like this episode, and we will talk to you next week on Tech Transforms. Thanks for joining Tech Transforms, sponsored by Dynatrace. For more Tech Transforms, follow us on LinkedIn, Twitter, and Instagram.

About the Podcast

Tech Transformed
Tech Transforms has a new home, visit us here https://techtransforms.fireside.fm/

About your hosts

Carolyn Ford

Carolyn Ford is a passionate leader, doer, adventurer, guided by her father's philosophy: "leave everything and everyone better than you found them."
She brings over two decades of marketing experience to the intersection of technology, innovation, humanity, and the public good.

Carolyn Ford

Carolyn Ford is passionate about connecting with people to learn how the power of technology is impacting their lives and how they are using technology to shape the world. She has worked in high tech and federal-focused cybersecurity for more than 15 years. Prior to co-hosting Tech Transforms, Carolyn launched and hosted the award-winning podcast "To The Point Cybersecurity".