Nicolas Chaillan, former Air Force Chief Software Officer, resigned from the DoD over frustrations with what he called a lack of innovation, collaboration and agility. He gets into those issues and talks about how the U.S. can invest more in technology to compete with China in artificial intelligence and cybersecurity.
---------
Why you should listen:
* Nicolas offers a candid and controversial view of the military's approach to the growing technological threat from China.
* He outlines his view for a Pentagon that is more agile, collaborative and competitive.
* Hear from a former DoD insider about some of the institutional barriers that can hinder innovation and software advancements.
---------
Key quotes:
* "In 10, 15, 20 years from now, America as we know it and the value we have and the freedom we enjoy will be at risk of going away if China dominates in AI like they are doing now."
* "TikTok is effectively an intelligence weapon of China on US citizens right now."
* "We don't see a lot of training and implementation of Agile at all in the DoD, which really leads to the inability to move at the pace of relevance and tremendous waste of taxpayer money."
---------
* https://www.linkedin.com/in/nicolaschaillan/
* https://www.linkedin.com/pulse/time-say-goodbye-nicolas-m-chaillan/
* https://ama.preventbreach.com/register
WIN018 - Nicolas Chaillan - US Air Force and Space Force
[00:00:00] Jeremiah Roe: Nick. Thanks so much for joining.
[00:01:18] Bella DeShantz: Yeah, Nick, it's so good to have you on the show. We're really looking forward to talking to.
[00:01:32] Nicolas Chaillan: Uh, thanks for having me.
[00:02:23] Jeremiah Roe: So, so obviously you recently left the Air Force as its first chief software officer. Um, you made something of a splash on the [00:03:00] way out, and basically when you announced that you were leaving, um, well, numerous ways of things that you outlined in which the DoD was not necessarily walking the walk when it comes to prioritizing basic IT issues.
Um, so from your point of view, uh, what are the three most glaring problems, uh, with how the Pentagon purchased software development and cybersecurity?
[00:03:34] Nicolas Chaillan: Yeah. So I think the largest one is the lack of adoption of agile. You know, agile is 22 years old. You know, when I created my first company back in France, I was 15. I was already using agile, um, 22 years ago. Um, and really at the end of the day, um, we don't see a lot of training and implementation of agile at all in the DoD, which really leads to the inability to move at the pace of relevance and tremendous waste of taxpayer money.
[00:04:00] I would argue at the maximum, we get 10 cent on the off. Every, um, return an investment made on, on the investment by the taxpayer money in, you know, uh, capabilities. So that's, uh, that's pretty, pretty bad. So we feel complacent. We feel good about spending more money than everybody else. It doesn't mean you spent well and wisely and effectively.
So that's point number one, lack of agility. Um, we don't invest in our people, so we don't, um, invest in continuous learning and enabling and empowering the right people. You know, we put people in charge that have no background in, uh, those, uh, key challenges like cloud. You, you, you, you wouldn't see a Google, you know, put, uh, uh, someone that's never even run a, uh, you know, a data center for 20 people in their basement in charge of Google Cloud.
Yet that's what we do in the largest implementation of cloud in, in the, in the. Uh, with a lot of the [00:05:00] critical security challenges we have. Um, and then I think the last piece is the lack of joint work, uh, where, um, you know, um, we see egos getting in the way, uh, and compounding the, the talent problem and the lack of efficiency we have by creating more redundant work by having teams, you know, build basically as of life in IT like cloud and connectivity, data fabric, you know, um, AI/ML capabilities where we should create joint, joint offices, you know, um, that will be led by, by, um, government people that, that have experience during those.
And, uh, merge, bring the best talents across all the DoD services and, uh, have the government be the integration [00:06:00] team and not a big prime and more importantly, uh, having, you know, uh, uh, uh, buying capacity of work and talent with a very clear definition of done and how we buy and how we deliver the code into a, a government furnished DevSecOps environment, and really all the critical aspect of, of a successful delivery of software continuously, you know, efficiently with baked-in security.
[00:06:48] Bella DeShantz: You mentioned the sort of like not investing in continued learning and training for folks, or also kind of alluding to putting folks in positions of [00:07:00] having to lead a group or an, an effort and maybe not having prior experience with that. Can you talk a little bit more about, um, you know, how that happens and, and, and like maybe what that issue is?
[00:07:16] Nicolas Chaillan: Most of the time, you know, two or three star generals and below are rotating and assigned to different roles, uh, often, um, w without understanding a career track and, um, thinking effectively, um, it's sort of just about management and you can just rotate people and they can just manage people despite having no experience in the field.
Instead of having someone with experience, doing something like this, that knows what [00:08:00] works and what doesn't work, and doesn't have to figure it out in the job. Also, when they finally get good at it,
uh, they rotate every two to three years. By the time they get good, you go back to square one with someone new.
[00:08:13] Bella DeShantz: Is there an option or like, approach that you would recommend, or that would work better for the technology field and also kind of, why does that approach not work well for technology?
[00:08:28] Nicolas Chaillan: Yeah. Well, I think, I think it doesn't work well with anything.
[00:08:31] Bella DeShantz: Oh,
[00:08:31] Nicolas Chaillan: So I don't think that stops technology. I think we're getting away with it because you know, technology, I guess, is moving at such a fast pace. There's compounded. Um, the, the impact that this has is compounded by the velocity of it. Right? And so you could get away with stuff that moves, you know, with cycles of 10, 20 years, but in IT, well now, you know, w we move from 20 to 10 to five to maybe a year cycle now, uh, you don't have the luxury of time.
So, [00:09:00] um, all of these mistakes compound over time and create issues. And, you know, in terms of solving the problem, it's just fairly simple. You, um, look at experience of people and you build and create you train and invest in people and create, uh, career tracks, you know, very early on, just like China is investing, you know, six, seven years old, um, kids, you know, in training them on AI and data science and, and different things.
You can do the same, uh, even when you're still in the military, you know, if you're gonna invest in a, in a captain or major that was going to start getting, um, hands-on, you know, coding and. Cloud cloud learning and all this stuff. That's the right leader of tomorrow, uh, when it comes to, um, um, to all these different, uh, fields.
So just do that, right. Just, um, um, invest in those people and keep them in the career track. There's no career track right now. In fact, uh, it is often seen as a dead end where you never make it, [00:10:00] uh, to become a general officer. So that's a, that's a problem, you know?
[00:12:39] Jeremiah Roe: So what fundamental changes inside the Pentagon, um, need to take place for it to truly embrace, uh, the proper mindset when it comes to cyber and operational effective.
[00:12:50] Nicolas Chaillan: Well, first we need to stop being complacent. You know, we we've seen China, uh, slowly and surely catch up and, and people keep dismissing this, calling them, you know, a near-peer [00:13:00] adversary, where really, I think they're leading in cyber and AI. Um, and so they are a peer and not a near-peer. And we need to wake up and, and, and, uh, you know, people are waiting for this kind of crazy event to happen, to wake up and that's just foolish and criminal.
Um, so people need to take proactive action, you know, um, but, um, um, having a basic understanding of agile, you know, I've seen it even in the recent days after my, uh, um, resignation, people responding, saying, you know, either Army CIO is saying that AI is allegedly baked into every Army programs from the get-go, which is a complete lie all the way to, uh, you know, the JAIC, the Joint AI Center director, saying that we're going to be implementing AI in a slow but incremental pace, which is, um, very wrong.
Uh, the answer is fast and incremental. Uh, so he did, he got, he got half right, at least this time. Uh, before it was, it was slow and monolithic implementation. So [00:14:00] I guess, uh, that's progress. But, um, again, that's back to my, uh, comment on lack of understanding of agile. You know, we need to, uh, to step up the game there and create a sense of urgency, but also, you know, people use the fact that I'm, uh, coming out and saying all this stuff publicly,
um, as, as saying, you know, that's a, that's an operational security risk, OPSEC risk, of me talking and, uh, you know, putting our nation at risk by being transparent like this, where first, obviously that's a joke because China has much more intelligence than me talking about this stuff. So that's again, vastly underestimating what China can do, uh, in terms of intelligence, but.
On top of that. Um, the real reason is that, uh, people created this concept to make sure that no one is ever held accountable because we're going to classify stuff and we're not going to talk about stuff. So that way, um, you know, if you mess up, you know, it's not going to come out and no one will be upset about it.
And you see billions of taxpayer money [00:15:00] being wasted on programs again and again, every year, um, often same programs getting, you know, keep missing their targets and deadlines. You know, money being wasted and, and, uh, no one ever knows about it. Is that a beautiful, that's a great model, you know, uh, billions of taxpayer money, 750 billion a year.
Uh, everybody feels good about investing in, in defense. Congress is happy. We Congress mandates, uh, the DoD to plan five years to 10 years ahead on where to spend money. Don't understand. Basic understanding of capacity of work on how a company would, would behave. No one is thinking five years ahead in IT, um, is completely insane.
Um, it's not realistic, you know, all these are guesstimates at its best and, and complete, uh, um, completely wasting everybody's time writing these plans. Um, and begging for money, um, in these silos. So I think, you know, you want to change the way we fund things. We need to buy [00:16:00] capacity. We need to be able to groom the backlog and prioritize work based on what's going on in the world.
You know, you've seen China launch a hypersonic missile, and again, Pentagon leaders talk about a Sputnik moment or near near it's the nearest Sputnik moment. It's not, they're never going to admit it's a Sputnik moment because it is, but they're not going to say that. Um, and that's, you know, again, right.
Complacency hiding, um, you know, most, um, you know, people talking about this will say, well, you know, we can't talk about it, it's classified. And so, uh, of course hiding behind that, that wall magical wall that we decide to use whenever, whenever we want with, uh, whether or not there is a real risk, you know, why is the Chinese launch classified to the, to the, to the Americans.
If we know stuff about China, why is it a risk for Americans to understand the threats? Not describing our stuff? Makes sense.
[00:16:55] Jeremiah Roe: Well, we can't really innovate unless we understand those risks. Right.
[00:16:59] Nicolas Chaillan: And we can, you know, if we [00:17:00] can't even go to American companies and say, Hey, look at what China is doing and look at, uh, the aggressiveness and, and, uh, you know, this is really an existential threat for kids. And, you know, you see Google, you Google walking away from Project Maven three years ago, because a couple of a hundred of our employees say, you know, they didn't want to do business with DoD.
Where, you know, uh, vision capability could have potentially saved the seven kids, uh, that were, um, killed in Afghanistan, which was a disgrace again recently by targeting the wrong, the wrong. Which again, no one is held accountable for. Right. Um, and so technology not only can improve that, but you know, people walk away saying we don't want to kill more people or whatever, but the fact is you're also saving lives and, and, you know, also having the deterrence and the, uh, um, uh, great warfighting capability will prevent wars, which will kill millions potentially of people.
Um, so maybe people also need to get out of that bubble
[00:17:56] Bella DeShantz: So on that I know, you know, beyond just this conversation, I [00:18:00] know you've talked recently about, um, this technical technological race between the U.S. and China, specifically around artificial intelligence, cybersecurity. Um, and you know, w you're kind of making the point that China is advancing more quickly than the U.S. Um, what is at stake in this race for dominance in the technological?
[00:18:23] Nicolas Chaillan: Life. I think, um, in 10 to 15, 20 years from now, um, America as we know it and the value we have and the freedom we enjoy will be at risk of going away if, um, China dominates in AI, like they're doing. Uh, and if we don't wake up by December, 2022, there's going to be no chance of catching up because of the volume of data that the size of China with 1.5 billion people and the velocity at which they move.
At some point, there's a physical aspect of, you know, uh, exponential velocity where you can't, you can't even catch up, [00:19:00] uh, physically speaking. So, um, time is now. That's why I left and I felt we were running out of time and, and I've been pushing and raising that awareness. From the inside for three years with very little action, um, and more complacency and more reports telling us we have more time than we have.
Uh, again, a recent report says, you know, if you don't wake up by 2030, that will be too late, but they are failing to realize that, uh, uh, that not taking into account the velocity and the volume of data they have compared to what And effectively that, that doesn't make it very difficult if not impossible to then wake up at that time.
So, so it's foolish to say that's the deadline by which we have to wake up. That's the day by which we're done. And so if we want to wake up and fix it, uh, not only because of the bureaucrats and the, the, the, the, the slow pace of, of government, um, component. You know, less data, less people, less access to experts.
Uh, [00:20:00] of course China mandates their, uh, Chinese companies to give them access to all the data. TikTok is effectively, uh, an intelligence weapon, uh, of China, uh, on US citizens right now, uh, capturing everything from, um, you know, your pictures, your, your information from your phone, your biometrics all the way to, uh, what's in the background, what you see, what you're, what you're wearing, you know, what you're thinking, what you're talking about.
And what's like, if you look at your video, when you're streaming, what do you have on the wall what's behind you? You know, uh, what you're talking about, what you're wearing, uh, that's a very scary, uh, amount of data that they can use to, um, train their AI to start spreading misinformation, start, uh, understanding the mood,
the state of America and the citizens and what to do to shift, um, debates and, and, and, uh, potentially, you know, impact elections and different things. Uh, it's a very scary [00:21:00] thing. And, and that's, um, uh, supported and sponsored by the US companies that decide to ignore those companies and where they all very well know that this data ends up in China and the CCP has full access to it.
[00:21:15] Bella DeShantz: So, but what is the, what is the government's role in protecting citizens from this kind of issue, right? Like TikTok is an application that all of us private citizens can elect to. Like, it's our choice to download that. And it seems so harmless. And I know it's not just TikTok, I know that's one example.
Um, but like, what is the government's responsibility? How can they protect citizens? Like what should they be doing here?
[00:21:44] Nicolas Chaillan: Well, you know, it depends, right? I mean, it depends how far you want to go, right? Uh, it depends if you're going to talk to Republicans or Democrats, um, you, you, you see a lot of people take proactive action to protect people, right? People are completely fine, uh, banning the former president of United States from [00:22:00] social media, right.
That's okay, yet, um, we don't ban TikTok out of the Play Store and Apple store. Why, why not? You know, what's why wouldn't we do that? China bans countless US companies from their stores and their internet. Uh, you can't go to Google in China. W why do we let them come here?
You know, we could have a TikTok American, right?
I mean, TikTok's technology is not mind boggling. We could have a TikTok in the U.S., right. Um, uh, particularly when you start understanding what's behind it and the drive and why it's so viral and why it's designed to be viral. What's why is designed to collect so much information and data, but kids and look, those kids are completely left unprotected.
They don't understand that this data is never going to go away. You know, their entire life is monitoring. You know, we have a responsibility as parents to, to take action. Right. And the government, in my opinion should ban it. Right. Um, without a doubt, um, uh, particularly when it's that obvious, right.
[00:23:00] Sometimes you don't know. I mean, you see Facebook giving, sharing data left and right. And getting away with. Uh, and look, people are adults and they understand, but you have kids too. Right? So at that point, who is deciding for the kids? Well, do you have parental consent? Are you signing a form to allow your kids to go to Facebook, all the lying up there about their age?
How do you know, you know, who has access to what some companies? I mean, you've seen recent testimony, uh, in front of Congress that were pretty concerning. If you watch them on about Google, TikTok in fact was there, couldn't really answer the question about Chinese access to data in a, you know, tangible way.
I mean, we should demand, for example, these companies to provide an exhaustive list of what company get access to, to the U.S. data. Why can't we know, but why can't you tell us who has access to that data? Right. Uh, particularly if it's foreign companies, particularly if it's Chinese companies. Um, and so I think in my opinion, we should ban ban us, uh, At, [00:24:00] uh, Chinese apps like this, and we should also, um, um, of course move back all the supply chain.
We, we offloaded to China, which possessing a tremendous, uh, uh, Tremendous risky situation, both on the healthcare side, all the way to every aspect of life. As we know it from chips to, to everything. Um, the masks you bought for COVID all made in China, right? Uh, why is that? You don't think we can make masks, uh, you know, it just, we, we decided to offload, you know, this 20 years ago, I gave them all that IP.
They stole all of it. Um, create a credit, uh, their own version of it. Even companies that go to China, what's the benefit, right? You're going to go to China. It's a big market. You see all these companies in digital media and all that, uh, like Disney. I be excited about China, but then they, they felt really.
In history. When you look back, um, they let you come in and all to steal and create a [00:25:00] local Chinese version and ban you and kick you out. So what's the long-term benefit of going to China. Why would you want to go to China when you know that? Um, it's not the Chinese people. I don't blame the Chinese people, but the fact is a CCP is an enemy.
It's not anything else, but an enemy to the United States and, and our kids. So. W treat them as such, if we know a big coming from China and the CCP has access to that data, we should be more than concerned. We should take proactive action. We can have a US company create a, you know, a TikTok number two, right.
Call it. Tic-tac I don't care.
[00:25:39] Bella DeShantz: So moving on from, so it kind of taking a step back from, from the TikTok conversation. Uh, I think, you know, we talked a little bit about the government being a little bit lacking as far as a technical technological advantage, uh, in this area. Um, but I think, you know, at least from my perspective, it does seem like there's a lot [00:26:00] of research and innovation happening in academia and the private sector.
You know, you mentioned, um, SpaceX as an example. What, what could the government be doing to kind of emulate that, the, the pace that we see more often in the private sector.
[00:26:18] Nicolas Chaillan: Well, I think it's really should be driven very much. Like we did back in the day with Bell Labs and all these. The patient labs with private, private public partnerships, but also stop over classifying all these, the information about the threats and why this matters. So people will want to proactively engage.
And I believe most Americans will will say, Hey, you know, if, if they saw what I saw, they will be like, well, you know, I want to join in and join the fight and helping AI and, and, and try to bring my, my skills and my capabilities to, to the fight, uh, proactively, without having to force anybody to do that.
Uh, but because they don't know. And, and like I said, days is sick and variable. Everybody's nice and, and [00:27:00] happy. Um, and they fail to realize sometimes that without the sacrifices of the warfighters, uh, we'll be in a different situation right now, potentially speaking a different language. Um, that, that that's something we can't forget.
Right. And so we need to have the deterrence. We need to be. We need to, uh, ideally never use those weapons, but we need to have them. And so those partnerships, you know, driven by, uh, understanding of the threats and the risk and enabling that, uh, um, joint partnership and removing the classification. And all the nonsense we created to allegedly protect the U.S. data, but really, and in ending up putting us more at risk by becoming irrelevant as soon enough, no one is going to try to hack us because we're so far behind and irrelevant that we're not going to have a cyber risk because no one is going to try to hack it.
[00:27:48] Jeremiah Roe: So you've said that inside the DoD, um, if, if they could understand the velocity behind the way companies like Google and SpaceX operate, um, it would cause their. Explode, literally. [00:28:00] And so with that in mind, um, how do you think that we can get the DoD to change those antiquated systemic processes and act more like Silicon Valley?
[00:28:13] Nicolas Chaillan: Yeah. And obviously by not be a literal. My actually, they might not actually explode. I kind of misspoke on that one, but who knows? You never know. Maybe it's going to be so crazy that they're going to have an AVC, you know? Um, I don't know, but I think the key aspect is to also bring people from the outside, like me into the government.
So we actually show them what a normal pace is. I think if they go to SpaceX, they're gonna, they're gonna realize pretty quickly that. Massive issue. Um, the issue is when we send people to SpaceX, they don't come back or they, they come back and they want to make change. And they're so frustrated that we're not listening to the changes they're proposing that they end up leaving even faster than they would have if they didn't go to SpaceX.
So we, we can't retain them. So there's a [00:29:00] problem here where if you're going to bring people in like me, you're going to, you're going to want to listen. You're gonna want to take action. You're gonna, let them do the work. You know, we're not policy shop. I remember some people when Dr. Roper left the Air Force, was my boss.
[00:29:13] Jeremiah Roe: I really liked Dr. Roper by the
[00:29:14] Nicolas Chaillan: people's lives to tell me. Yeah, Dr. Roper is awesome. But, um, when he left, people started to say, well, you, you, you should be an adviser. You shouldn't be doing stuff right. Well, that's not why you bring someone like me in the government, you know, I'm, uh, I created 12 companies, you know, I build products is what I do.
Um, if you want an advisor, you want a policy shop, you want a governance shop, pick somebody else. Right. Um, but that's what shortsighted, you know, uh, three-star generals do, uh, when they have no background in actually doing something.
[00:29:42] Jeremiah Roe: One of those things that helps to, um, [00:30:00] keep innovation happening in the private sector, interestingly enough, also aligns with salaries, right?
And I think that there's a vast despairing difference between why we see warfighters leaving the DoD and going to private sector. Not only is there that glaring issue between being able to get anything done and what they're paid to do those things inside the DoD.
[00:30:27] Nicolas Chaillan: I don't think it's the most important problem because I think people really care about the mission and they will take some level of pay cut. Unfortunately, it got to be, to be way too much. Right. You're talking often now 2, 3, 4 X, the pay cut. So that's a, that's a pretty big one and that's really a problem.
Right? We need career tracks. We need to, and your Congress talks about creating an AI career track. Again, they fail to even understand that we don't have a solid. And cloud track. [00:31:00] Um, and so, you know, and did I say on Strack first to even get to AI track? So maybe we need to solve that first. We certainly need to completely reinvent the way we, we hire the fact that it's, you know, the clearance process is so hard to.
And then you can keep it. If you don't stay in the game is making it very difficult for people to go back to the commercial side, come back and make a difference. Again, you know, you, you becoming stale, you becoming complacent. I was feeling myself, um, you know, almost becoming part of the problem because you know, you get used to the lack of velocity and frustrate.
And you get less and less eager to, uh, to move fast because you're frustrated. And so leaving and coming back, I think is great, right? I think that should be, uh, enabled, but, but the, the system is designed on purpose, you know, uh, to create this dirty bubble. So there is no competition of talent because they know that if they had the opportunity, um, to compete against people coming from the commercial side, most of the time [00:32:00] they will lose that battle.
And they will lose their jobs and so better if we don't enable people to come from the outside, because now you have this small bubble and all you do is rotating people around you. Not really enabling, enabling the best leaders and the best doers of the commercial companies come and compete into that game.
So you're protecting your job by, by creating this, uh, uh,
[00:32:26] Jeremiah Roe: So, so thinking about our adversaries and, and both cybersecurity as well as, you know, technology to begin with, our audience is, is definitely aware of the many, many cyber attacks that have currently been attributed to China and others. So, as an example, Microsoft Exchange hack is just more, uh, one of the more recent ones.
Um, how do you think the U.S. should ultimately respond to these kinds of incidents going forward?
[00:32:55] Nicolas Chaillan: Well, first of all, we need to step up our game in defense, right? Because I can tell you the, the cyber [00:33:00] posture today of critical infrastructure and the departments, most US government agencies. It's really at the kindergarten level compared to the U.S. companies. Um, you know, I pushed zero trust five years ago at, uh, at DHS and, uh, all to be told that, uh, that was too early and they didn't believe in zero trust.
Now it's finally mandated all to have a plan by 2027 to get there. So effectively you see a 12, 12 year lag of, um, implementation between the commercial side best practices and the government. That's pretty scary because you don't have that luxury of time, uh, anymore in, in IT. First let's fix that and bring zero trust.
I brought the largest implementation of zero trust in the Air Force and Space Force in four months. And we were to, uh, to a pretty large scale, uh, after a year and a half. And yet you see. Uh, DoD CIO and this, uh, now create a new bid to start from scratch. And now we're using any of the work we've done in the Air Force and Space Force in zero trust, all to focus on unclassified work, where we have all classification levels from the [00:34:00] get-go at the Air Force.
So clearly we need to stop the silos and the egos, uh, issue there. Um, but then, you know, when you look at, um, uh, the defense side, of course, you know, that's preventing, you know, ideally making sure that not everybody can get into our systems tomorrow, but, you know, do we respond in kind, you know, do we act, we know for sure that, uh, uh, the actor is who
we think they are? I've always had issues with attribution because I would argue, uh, the best actors very much likely pretend to be who they are not. And so,
[00:34:40] Jeremiah Roe: a hundred percent
[00:34:40] Nicolas Chaillan: best Chinese actors, you know, best Russian. Yeah,
Best Russian would pretend to be Chinese. And the indicators we use are all anecdotal at best and I think could be faked, uh, pretty easily by the most advanced teams.
So I think, um, it's a little bit ridiculous. So then if you don't know for sure, which is why effectively people say, well, [00:35:00] you know, if someone attacks you like this, it's an act of war. You can fight back or attack back. Well, what if you don't know who did it, what are you going to do? You know, who are you going to push back on?
If you're not a hundred percent sure that's who it is. Uh, so it's a little bit different. Um, and that makes it why, I think, so far all the recent breaches, despite even sometimes, um, knowing who allegedly did it or likely did it, uh, you've seen no real response in kind or, uh, any of this. From the U.S. because I do believe that people know deep down that, um, maybe are not a hundred percent sure.
[00:35:42] Jeremiah Roe: Even though they can't necessarily attribute who is doing what, uh, because of that very real fact that, you know, if I'm going to emulate, um, an advanced persistent threat, then I could just as easily emulate their tactics and the TTPs that [00:36:00] we know about them, or the indicators of compromise that, that are developed from them and in doing so, you know, utilize something like the Tor network and, or my own subversive network that I've built based off of very similar protocol to start attacking switching IPs, attacking switching IPs, and then emulating, uh, various known tools that they utilize.
So. From that specifically. Um, what could we do, uh, maybe a little bit better to, um, safeguard ourselves and the U.S. from those kinds of things that we aren't maybe doing.
[00:36:36] Nicolas Chaillan: Well, it's really investing in cyber, you know, and, and having the right talent and creating the talent. You know, I, I've seen, uh, in the news that Microsoft is working with universities to fix half of the talent gap that we have in the U.S. in terms of cyber talent, which I believe is 1.1, one eight meeting, um, jobs missing, um, uh, an applicant.
[00:37:00] Um, but I'm also concerned now that, you know, are we going to just teach them Microsoft, uh, Microsoft technologies and create a lot of vendor lock-in stuff? That shouldn't be a single company solving their problem. It should be a joint effort to bring the best unbiased curriculum to make sure we have options and diversity of choice of technologies to solve the problems.
Otherwise we're going to create biased, uh, cyber experienced. That's probably not a good idea.
[00:37:28] Bella DeShantz: But what can the government do there specifically that private companies can't? So like you mentioned Microsoft. And I know that there are a lot of other private companies investing in educating, you know, young people or people that want to change careers to solve this problem. But what, what is something unique that the government could do and should do that, that isn't happening?
[00:37:50] Nicolas Chaillan: Well, you know, the government has massive budgets, right? So we, they can of. Also into creating this curriculums, creating these, uh, uh, this urgency in [00:38:00] universities and schools very early on, uh, right education, very early on, uh, all the way, you know, um, at the kindergarten level, who knows, right. Uh, that's where we all anyways, so might as well sell there.
Um, and then, you know, I think, uh, um, treating the pump seriously, you know, when it comes to staffing and manning of the critical infrastructure side, you know, DHS is really behind in basic, basic understanding of, of zero trust and, and securing, uh, the critical infrastructure, power, water supply, and so on, uh, side of the house.
So there is so much to do. Uh, SCADA systems, you know, there is a lot of research that could be done, you know, to see how zero trust can be implemented in these, um, you know, industrial control systems. Um, that's the kind of stuff that government needs to be leading because commercial companies are not going to care about that market too much.
So they, they, they're all things that the government needs to pay attention to, you know, like, [00:39:00] you know, like I said, companies can be biased, will have the company's interests at heart. The government should be more, um, independent and, um, have no bias towards one single company, you know?
[00:39:11] Bella DeShantz: It seems like this conversation, so we're kind of having two conversations. One, this idea of investing in people or investing in training folks who are interested in getting into cybersecurity or advancing in cybersecurity, but also investing in technologies that benefit cybersecurity as a whole.
It seems like there's so many other areas and companies and individuals, even within this industry, who are noticing how big of an issue this is and are doing something about it. And you know, this idea of, of, uh, fixing the talent gap and this idea of identifying areas for companies to improve and doing them.
And you know, there's, there's so many buzzwords about cybersecurity right now. It seems like everyone is talking about it. Why, why has that not really permeated or not [00:40:00] permeated enough, uh, into the government, into the, into the public sector?
[00:40:04] Nicolas Chaillan: I think it's back to the lack of, uh, urgency in the government and the lack of agility, you know, um, the, the waste of taxpayer money, like I said, 10 cents on the dollar. You're wasting a lot of money in acquisition and contracting and all the boring stuff that, that effectively are supposed to protect the, the waste of taxpayer money, but create more taxpayer waste.
Um, so, um, you know, I think it's about how we execute having the talent into government so they can make the right decisions. You know, um, if, if there's, uh, a massive wall of understanding of, of issues between the government, people making decisions and the people trying to solve them on the commercial side, then you're never going to solve the.
And the government, and then all this critical infrastructure stuff is going to remain the same. There's also some lack of funding, honestly, um, as well, compounded by the waste of course of money, but, [00:41:00] uh, still, you know, we don't invest enough in critical infrastructure, I would argue. Um, there was some plus
in recent years, but it's probably not enough when you look at state and local level. It's, um, you know, you look at 911 systems, you look at a lot of the, uh, critical infrastructure we have to deal with. It's, it's massive volumes of companies. It's very siloed. Um, you know, these hundreds of companies creating the grid, it's not just one or two, you know?
So how do you really spread that across the industry? These are all big problems and a lot of people think we're going to have to wait for this, uh, Pearl Harbor cyber for people to wake up, but we had, I would argue, already some mini ones with the oil pipeline and the water supply in Florida got hacked.
And they changed the, the chlorine volume in water, potentially killing people, but that was caught, uh, right on time. But that sounds to me like a pretty big [00:42:00] deal, but yeah, you know, people just move on and, and keep, uh, keep doing more of the same.
[00:42:06] Bella DeShantz: my perspective here is I, I have never worked for the government. I have very little insight into how the government works, military, I'm totally on the opposite side of things. And it's, I think, to be honest, it's a little baffling to me, too, to see the conversations happening in cybersecurity
that just don't seem to be happening as much in, in the other side of things. Uh, which is, I guess, why I'm kind of, you know, keep pressing on this question. Like, how can this be?
[00:42:36] Nicolas Chaillan: I had the same feeling that I've made. I was the same before going into government. It's almost like I want to do the same and send a few people two weeks in the government, so their, their head explodes. Well, first, first year you need to wait six months to get into the job.
[00:42:50] Jeremiah Roe: Used to be two years.
[00:42:51] Nicolas Chaillan: 10 months, I've seen, I've seen someone in my.
Yeah. I've seen someone in my team take 11 months to, to get started. Um, and then you, you see, you know, [00:43:00] you see, uh, uh, to be onboarded, to get access to the building and get a laptop, you see a month to two months wasted. I mean, you would never see that on the commercial side ever. I mean, I'm sure when you start your job, the same day you got your laptop and whatever, right.
[00:43:39] Jeremiah Roe: since you've left, um, the office of chief first chief software officer, the air force, um, how have folks responded to you, uh, based off of the things that, that you've been sharing, some of the insight that you've gotten from say LinkedIn posts from, um, interviews that you've done with various news things, how have people felt from DOD?
How have they responded based off of these.
[00:45:39] Nicolas Chaillan: Well, they say, it's the people that love it. And the people that hate it, there is no in, in the middle, you know? Um, I think there's more people that love it. A lot of people reached out to me privately. You know, most of them don't feel comfortable of course, saying it publicly and that's okay. But, um, got a lot of, um, people reaching out and telling me, thank you.
And even outside of DoD as well, [00:46:00] all former, you know, veterans all or whatever, right. Um, even people that don't do much in DoD, you know, but, um, and then there's the people saying that I'm disrupting, you know, creating a personal security and, and, uh, putting us at risk. And, um, those are the problem. I could almost use that list as who to get rid of in the department.
That would be a good shot list of where to stop, um, because they clearly are trying to protect their own interests. So that's, um, that should be a list we're going to use in a, in a few years when I'm back into government.
[00:46:31] Jeremiah Roe: Yeah. So you kind of mentioned a few years, you're going to head back into the government. So have you decided what you're going to do next or any news that you'd like to share with any of the podcast listeners?
[00:46:44] Nicolas Chaillan: Well, you know, I joined a few boards to help a few companies and help and, uh, working on a stealth startup, um, that's gonna help, uh, in space, in the space sector, not the DOD space, but the commercial space, you know, space is so hot, right. It's going to be a lot of excitement in space, [00:47:00] all the companies trying to build secure, uh, capabilities.
So I think, um, I'm pretty excited about space, so that always got me excited. So I think we're going to do something on space and, um, I'm going to keep raising awareness. I'm going to spend a lot of time. Unfortunately for me because I'm not a, I don't love it, but, um, I have to do it because no one is willing to do it.
Uh, go on TV and talk about this and keep holding people accountable. We have this, um, every two weeks, ask me anything events on LinkedIn, where we do live at 1:00 PM every other Tuesday. Uh, we talk about all, you know, take questions live and bring guests and talk about different things, uh, around the agile and DevSecOps and how to implement agile in the government.
Uh, and. And, uh, you know, we're going to, we have this, a clock ticking of December 20, 22, by which we run out of time in AI. So every month we're going to hold people accountable on TV and try to, um, have the government get back to us and show tangible progress. What [00:48:00] is, um, improving, what's already, uh, changing and, uh, are we doing enough so that when that clock runs out, we're not, um, at a point where we lost, uh, the, the.
[00:48:12] Bella DeShantz: So I don't want to, I don't want to steal any thunder, so maybe you can just give us a taste of some of the stuff that you talk about on those conversations. Uh, basically I want to know if, do you have any advice. Working to fix this problem, uh, within the military or the government more broadly that you would like to share here.
[00:48:32] Nicolas Chaillan: Yeah. So I'm actually writing a, an op-ed, a pretty long one, where I'm going to list step by step all the, all the things, the tangible things that can be implemented within a six to eight months to solve all these problems. So tangible steps from acquisition to contracting, to learning, training, uh, personnel policies, you know, technology, implementations, drawing, work, so very precise and tangible things.
It's, uh, it's going to [00:49:00] be a very detailed, um, uh, article, uh, I'm going to, I'm going to have a, a step-by-step crawl walk, run in a very agile fashion, um, and very precise, tangible enough. So it's not, um, Uh, just, uh, you know, bullet points, but a very, very precise guidance. And that's going to break them out in the next couple of years.
[00:49:21] Jeremiah Roe: there was recently the DOD enterprise DevSecOps reference design that was just released.
What, what are your thoughts around.
[00:49:49] Nicolas Chaillan: Yeah, there was a release, um, uh, recently. I, I keep helping, you know, I'm an advisor to, uh, to the air force, uh, uh, right now, unpaid, you [00:50:00] know, just to help. Um, and so we still, I still see a lot of eagerness to solve these problems and, uh, you know, Secretary Kendall was very clear. He wants to take action and, and fix all of this stuff. So I think, um, there's good progress. It's very early, but, um, I'm hopeful and I'm going to keep pushing and keep helping and, and, um, you know, uh, Jason Weiss was, um, uh, named as the first, uh, DoD CSO. Um, so he's going to be pushing a lot of the, the good work, you know, he's a, he's a good friend and a good.
He's going to do great work. And so I'm going to keep advising him and giving him my thoughts. And of course keep helping, uh, who is going to replace me in the job. Um, and, um, try to, um, to help of course, uh, uh, the FCIU and, um, everybody that's winning.
[00:50:51] Bella DeShantz: looking back on your. And the air force. Um, if you had to do over, is there anything that you would do before.
[00:51:10] Nicolas Chaillan: Yeah, I think where I wasn't good enough is to try to understand what, where some of these people were coming from. You know, there was such a, the difference of culture and, you know, everything was so different, um, between the commercial side and the, and the, the government. And I was dropped into the job with no training, no understanding of anything.
I wish I had more training and a multiple TG to understand where, where some of these people were coming from. And, you know, if, if I had done better there, I could have built better relationship with some of them. But, um, you know, I guess you do.
[00:53:21] Jeremiah Roe: And, this is kind of the final question that we ask everybody just to, um, sort of make it more real. I think what is the one thing people wouldn't know about you by looking at your LinkedIn?
[00:53:34] Nicolas Chaillan: That I'm a beekeeper.
[00:53:38] Jeremiah Roe: would never have guessed that actually. That's awesome. Uh, I've
[00:53:44] Bella DeShantz: you get over
[00:53:45] Jeremiah Roe: I've
[00:53:45] Bella DeShantz: D where you just never afraid of
[00:53:47] Nicolas Chaillan: It never expires. That's the best.
[00:53:48] Bella DeShantz: I can't, I can't
[00:53:50] Jeremiah Roe: in a honeypot.
[00:53:52] Nicolas Chaillan: Oh, I'm not a big fan of bees, but, uh, I, I've been stung a few times in my head, turns into five times the size. So that's not fun,
[00:53:59] Jeremiah Roe: Oh,
[00:53:59] Nicolas Chaillan: but [00:54:00] you know, you have gear on, you protect yourself. I'm not a big fan of being stung, don't get me wrong. But, um, usually they are pretty nice, you know, for a hundred thousand bees.
So that's a lot
[00:54:08] Bella DeShantz: It's gotta be worth it for like top tier honey. Yeah.
[00:54:11] Nicolas Chaillan: this is fun. And you get, you get honey. Yeah.
you get honey, I have chickens too. So I get eggs, you know, that's, that's fun.
[00:54:18] Jeremiah Roe: Nick, thank you so much for your time today. And I know I personally really enjoyed this interview, so thank you for coming on the show. And I know I
[00:54:26] Bella DeShantz: I learned a lot, like this is a really awesome
[00:54:28] Nicolas Chaillan: No. Thanks for having me
[00:54:29] Bella DeShantz: to kind of hear more from, because it's very much not, uh, anything that I have a lot of experience or perspective on. So, so thank you so much.
[00:54:40] Nicolas Chaillan: Yeah. My next step is to convince you to, uh, to join the government for four year.[00:55:00]