How Idaho National Laboratory Is Building the Future of Infrastructure Security with Zach Tudor
Season 3 Episode 18 •Show Notes
America is asking more from its critical infrastructure just as adversaries are finding more ways to target it. AI, data centers, electrification, and next-generation energy systems all depend on operational technology—the control systems that keep power, water, transportation, and industry moving. As that backbone grows more connected, the stakes of securing it grow even higher.
In this episode of Cyber Focus, Frank Cilluffo speaks with Zach Tudor, Associate Laboratory Director at Idaho National Laboratory, about how INL tests and secures critical infrastructure at scale. Tudor explains why resilience must guide infrastructure defense, what Ukraine and China reveal about the risks facing critical infrastructure, and why cyber-informed engineering is essential as new technologies move into energy, nuclear, wireless, and industrial systems.
The conversation also covers AI’s role in control environments, the workforce needed to secure future infrastructure, and the challenge of moving faster before a major event forces action.
Main Topics Covered
- INL’s critical infrastructure mission
- Testing infrastructure at scale
- OT security and resilience
- AI risks in control systems
- Cyber-informed engineering
- Workforce needs for energy security
Key Quotes
“No infrastructure is impervious to attack.” — Zach Tudor
“I think we’re getting to the point where, if you are delivering power to the nation, then you are a risk professional as well as a power engineer.” — Zach Tudor
“Resilience for me is not just the preparation for an attack or the response to an attack, but the ability to mitigate the effects of an attack, to respond quickly, and to recover quickly as well.” — Zach Tudor
“We are a national lab in the public economic and national security interest. And so we’ll do what needs to be done. We say that labs do what others can’t, won’t or shouldn’t do.” — Zach Tudor
“The mindset of an engineer who’s thinking about operations is different from the mindset of an IT security person who’s protecting databases or privacy or other data.” — Zach Tudor
Relevant Links and Resources
- Idaho National Laboratory
- Department of Energy National Laboratories
- Cyber-Informed Engineering (CIE)
Guest Bio
Zach Tudor is Associate Laboratory Director for National and Homeland Security at Idaho National Laboratory, where he leads programs focused on critical infrastructure protection, operational technology security, and national security innovation. He previously served at the Department of Homeland Security’s ICS-CERT and is a former U.S. Navy submariner. Tudor has spent decades working at the intersection of cybersecurity, energy systems, and national defense.
Transcript
1
00:00:00,000 –> 00:00:01,000
Zach Tudor [00:00:01]: The technology is moving so quickly. We like to have tested, fielded, you know, technologies that we know aren’t going to fail, et cetera. But I think we’re going to have to, you know, really be, you know, innovate faster.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:15]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with a longtime friend and colleague, Zach Tudor. Zach Tudor is an associate lab director at Idaho National Lab, where he leads their national security portfolio and their homeland security portfolio and has been a longtime advocate for many of these issues and is a plank holder. He previously served at DHS at ICS certs and knows the issues inside and out and is a submariner out of Navy. So lots of expertise and has been around this town for a long time and I think has made a big difference in, in many of our programs. Zach, thanks so much for joining us today.
3
00:00:02,000 –> 00:00:03,000
Zach Tudor [00:01:04]: Thank you for having me.
4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:01:05]: You know, I thought I’d start at the beginning, and I, I think many people are familiar with Idaho National Labs, the name, but not necessarily the mission, not necessarily what it is primarily focused on, at least your portfolio. And I thought we’d start there.
5
00:00:04,000 –> 00:00:05,000
Zach Tudor [00:01:23]: Okay, good. Well, I’ll, I’ll give a plug for the entire organization. So there are 17 Department of Energy national labs, different secretaries and others will say that they are the jewels of research in America. And I won’t disagree. Idaho is the nation’s nuclear energy laboratory first and foremost, but we also have a large portfolio in energy and environment and also in national homeland security. So over the years, the Idaho National Lab, on its nuclear energy side has, has built 52 nuclear reactors. We started out as the National Reactor Testing Station.
6
00:00:05,000 –> 00:00:06,000
Zach Tudor [00:01:57]: And so from that experience where they would test materials, control systems, the physics of all of these things, the DNA of our lab kind of, you know, resulted in us really understanding the critical infrastructure, operational technology, material characteristics that make INL special in the area of OT cybersecurity. And that’s where my team focuses.
7
00:00:06,000 –> 00:00:07,000
Frank Cilluffo [00:02:20]: And so, and we’re going to go deep on OT and critical infrastructure generally, but what else is really unique in terms of what the lab brings to the table? And why can’t it be replicated elsewhere?
8
00:00:07,000 –> 00:00:08,000
Zach Tudor [00:02:33]: Sure. Well, you know, Idaho, for instance, we are the fifth largest national lab by, kind of, revenue, the amount of research that we do, but we’re the largest lab in size. So 890 square miles of territory that, that gives us the ability to test things from, from a research idea to a bench to, to at scale. I have 132 mile electric test grid. I can emulate 75% of the, the world’s distribution voltages. I have a national security test bed where I can detonate 20,000 pounds of TNT equivalent explosives and use that with UAS and county UAS types of programs. So I can test a lot of things that are important to critical infrastructure and also that are important as we go forward in some of these different areas as well. The expertise that we have there is second to none. Say you know, so I have a wireless testbed as well.
9
00:00:08,000 –> 00:00:09,000
Zach Tudor [00:03:28]: 2G, 3G, 4G, 5G with, with scientists and experts, all with TSSCI, you know, top level clearances so we can work with any agencies on the problems of the day in a real world environment.
10
00:00:09,000 –> 00:00:10,000
Frank Cilluffo [00:03:41]: Awesome. So I mean just in terms of scale and scope, it’s unparalleled in many different ways. And I think one of the things that all of the labs, but INL in particular when it comes to critical infrastructure is the applied research. So this isn’t just research that may have impact 10 years from now, it’s here and now, right?
11
00:00:10,000 –> 00:00:11,000
Zach Tudor [00:04:02]: Yeah. So as an engineering lab, so once again, three types of labs. You have the NNSA. They take care of are nuclear deterrent. You have the office of science laboratories. Many of them are kind of special, you know, single purpose, single piece of equipment. The multipurpose labs, once again the weapons lab, but also Pacific Northwest, Oak Ridge, Idaho, all have that capability to do the national security mission and other missions as well.
12
00:00:11,000 –> 00:00:12,000
Frank Cilluffo [00:04:29]: You know, when we think about how our world has changed when it comes to critical infrastructure, what have you seen the biggest changes in the past five years?
13
00:00:12,000 –> 00:00:13,000
Zach Tudor [00:04:42]: Well, I think that more people are realizing that critical infrastructure is at risk. I think the last couple of years as we’ve seen say the war in Ukraine and how critical infrastructure is being attacked as part of a normal part of the course of business. We’ve seen several well known cyber attacks from China, the typhoons-
14
00:00:13,000 –> 00:00:14,000
Frank Cilluffo [00:05:02]: Pre-positioning. All the way through, yeah.
15
00:00:14,000 –> 00:00:15,000
Zach Tudor [00:05:03]: The pre-positioning and kind of putting us at risk and forcing us to spend different resources to kind of get them out of there. So yeah, so people are starting to see it more especially, you know, policymakers are understanding it, but also the rank and file are understanding it as well. And of course, you know, we have much more of that critical infrastructure in place and we plan for more of it. So whether it’s the electrification of vehicles, data centers, AI, all of those things, you know, require operational technology, you know, industrial control systems.
16
00:00:15,000 –> 00:00:16,000
Frank Cilluffo [00:05:32]: We’ve had a number of discussions around sort of the twin goals of you can’t be AI dominant unless you’re energy dominant and what those implications are. And I, I do want to pull that thread. But, but prior to doing that, we’ve heard the R word, resilience, for so many years. What, what does that look like in practice?
17
00:00:16,000 –> 00:00:17,000
Zach Tudor [00:05:53]: Yeah. I, so about 20 years ago now, INL had the first international conference on resilient control systems. And, and the experts there, the first session was let’s define resilience. And it was the, it wasn’t the blind men and the elephant. It was blind men making an elephant, I think.
18
00:00:17,000 –> 00:00:18,000
Zach Tudor [00:06:11]: And you had the folks who were there, well, you know, resilience is this. Well, that’s, that’s high assurance or it’s this. Oh that’s redundance. So we, they said, okay, we’ll have a small working group. We’ll come back on day three and say what that is. And on day three, they still didn’t have a definition and came back the next year and someone wrote a paper that we still use today. But resilience for me is not just the preparation for an attack or the response to an attack, but the ability to mitigate the effects of an attack, to respond quickly, and to recover quickly as well. So we’ve seen in the past that no infrastructure is impervious to attack, although many people, a water system, gee, why would anyone attack a water system? That’s how we get our water. Why would anyone attack an electric system? It might impact first responders or hospitals, but we see that’s the case.
19
00:00:18,000 –> 00:00:19,000
Zach Tudor [00:07:03]: And so how quickly, you know, we can respond to that, because we don’t, we just know now and years ago we thought that we could have perfect security if we remember all those days, yeah, the, the Rainbow series and other things like that.
20
00:00:19,000 –> 00:00:20,000
Frank Cilluffo [00:07:14]: Oh, yeah. Oh, yeah.
21
00:00:20,000 –> 00:00:21,000
Zach Tudor [00:07:15]: You know, I was telling someone about C2 by 92 and I was like, 92 never came.
22
00:00:21,000 –> 00:00:22,000
Frank Cilluffo [00:07:20]: Yep, yep, True that. And I think when I think of Idaho National Lab, OT is not an afterthought. It’s at the heart of what it is the great women and men of INL are working on day in, day out. I think it’s finally seeing its day. People are recognizing, but very different in terms of what the skill sets are and what some of the needs are. So I’d be curious what your thinking is there.
23
00:00:22,000 –> 00:00:23,000
Zach Tudor [00:07:51]: Yeah, so OT, operational technology, you know, the things that run manufacturing plants, water, energy, etc. is where we focus. And we were talking earlier about what each different lab does. And we do have lots of capability and we have foundational capabilities that make us look like we all can do everything, but we really do all have specialties. And INL really does try to stay in that operational technology box. What makes the cybersecurity or the security of that different is that the mindset of an engineer who’s thinking about operations is different from the mindset of an IT security person who’s protecting databases or privacy or other data. One of the big items that is talked about now is convergence. You know, the IT technology is being used in operational technology, but the reasons are different and understanding the applications are different.
24
00:00:23,000 –> 00:00:24,000
Zach Tudor [00:08:46]: So I believe in interdependence. I’m not a big convergence. We’re not going to have one type of engineer or person that I think can, will be able to do both effectively. But we have to work together to make sure that those IT systems and those OT systems don’t impact each other. I mean, Colonial Pipeline is a perfect example of that. You know, there was no OT attack on Colonial, but it resulted in a major, you know, shutdown because the interdependencies of those two systems.
25
00:00:24,000 –> 00:00:25,000
Frank Cilluffo [00:09:12]: And then you think of real world examples, you brought up some of the work you’re doing around UAS and counter UAS, and, and I mean, if one thing’s clear coming out of Ukraine and elsewhere, this isn’t science fiction. This is, this isn’t even a tomorrow, it’s a here and now. Honestly, I’m not sure we’re ready in the United States. But what, what, what can you, how can you apply some of the lessons learned and observed and bring them here?
26
00:00:25,000 –> 00:00:26,000
Zach Tudor [00:09:40]: Well, I think the one thing is that we have to be fast and flexible. I think Ukraine has taught us all that. And you know, we can, when we start talking about AI, it’ll be the same thing. That technology is moving so quickly. Our procurement cycles in the U.S. we like to have tested, fielded, you know, technologies that are, that we know aren’t going to fail, etc, but I think we’re going to have to, you know, really be, you know, innovate faster. A lot of the, the things that were said in Silicon Valley for the last, you know, 40 years really have to come to heart. You know, you don’t want to fail, fail, period, right? But you’re going to.
27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:10:16]: But if you do, do it fast and learn from it.
28
00:00:27,000 –> 00:00:28,000
Zach Tudor [00:10:17]: Do it fast and learn from it and, and move and not be afraid, and I think we have to all get used to that. Yeah, I think that the lessons in Ukraine, the lessons of, of, of Russia using foreign technology, Iranian technology or others, Chinese, to help them innovate is something that we need to see. I think we can do it here. We have partners, you know, that can do it. We just have to make up our mind and get there. And I just don’t want there to be an event that causes us to, you know, you know, to wake up to it. We, we can get ahead of it.
29
00:00:28,000 –> 00:00:29,000
Frank Cilluffo [00:10:48]: Well said. And, and, you know, you can’t escape a discussion this week or last week without talking a little bit about Glasswing and, and Mythos and, and, and, and some of the frontier models that are out here, here and now. What are, what’s your early take on that? And realize we don’t know what we don’t know.
30
00:00:29,000 –> 00:00:30,000
Zach Tudor [00:11:09]: And so, and so, remember before I came to Idaho National Lab, I was at SRI International where we made Siri. And so I’m still very nice to Siri. I’m very nice to Alexa.
31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo [00:11:18]: There you go.
32
00:00:31,000 –> 00:00:32,000
Zach Tudor [00:11:19]: So when they take over, they’ll remember me as one of the folks that treated them well. So I am, I’m at a national lab.
33
00:00:32,000 –> 00:00:33,000
Frank Cilluffo [00:11:28]: Actually, I’m not laughing. I might cry.
34
00:00:33,000 –> 00:00:34,000
Zach Tudor [00:11:30]: So I’m at a national lab. You know, we’re about science. You know, INL, we’re about testing. We have a test bed, we call it TAIGR, Testbed for AI Grid Resilience. So I believe that INL should be the place where we will take systems developed by various vendors, you know, none to be named now that say that we are AI enabled. What does that mean? How, how much enablement? ISA says that, that generative AI shouldn’t be used for control because it’s, you know, non deterministic, right? It hallucinates.
35
00:00:34,000 –> 00:00:35,000
Zach Tudor [00:11:55]: However, you can use it for forecasting. You can have it as an input to your control system and, and where that is. So can an adversary spoof an input on load or weather or something that might force the control system to crash in some way? And things like Mythos, Glasswing can, might be able to do that. But I want to test it. I want to see if we can identify it, if we can mitigate it. And as the papers kind of said, maybe a bad day for defenders now, but in the future, the defenders may learn from this and be able to use those.
36
00:00:35,000 –> 00:00:36,000
Zach Tudor [00:12:27]: So I want that future to be faster, but I also don’t want to spend a lot of cycles on theoretical attacks or threats that, oh, gee, you know, if you just do this, this simple and we’ll get to cyber informed engineering consequence driven.
37
00:00:36,000 –> 00:00:37,000
Frank Cilluffo [00:12:41]: You bet we will.
38
00:00:37,000 –> 00:00:38,000
Zach Tudor [00:12:41]: This simple type of measurement or mitigation may be able to detect these or mitigate it, you know, with minimal work.
39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:12:49]: And you know, one of the, and disagree with me, but I genuinely, so you and I have been around the discussion of public private partnerships from the beginning. We all believe in it, but I like to say sometimes long on nouns, short on verbs. What we’re seeing now though is to some extent that partnership is being flipped on its head, isn’t it? So there was a little bit of, and I don’t want to say hubris, but maybe a little of government lead, private sector follow. In this case, it’s kind of the inverse.
40
00:00:39,000 –> 00:00:40,000
Zach Tudor [00:13:21]: Yeah, well, I think that’s been coming for a long time.
41
00:00:40,000 –> 00:00:41,000
Frank Cilluffo [00:13:24]: For a while, but now we’re seeing it. And fast.
42
00:00:41,000 –> 00:00:42,000
Zach Tudor [00:13:26]: So, so I said before, you know, like, you know, 10, 15 years ago, I would give talks about AI and felt that I knew what I was talking about. When, when the generative models really started hitting, suddenly I would sit in the audience and listen and see. So it really flipped. Several things have kind of flipped. The, you know, the advances in UAS, you know, the need for data centers and not just for AI, but for so many things we do. And yeah, it is definitely, you know, leading public discussion. Look at space travel, you know, so, you know, you know, you know, luckily Artemis came. The government has been doing something, but, you know, space travel is being led by the commercial sector where it hadn’t been for the last 50 years. Right?
43
00:00:42,000 –> 00:00:43,000
Frank Cilluffo [00:14:03]: And it’s still not designated a critical infrastructure. So I got to put my little plug in there. So I’m not going to make you take, take a position on that.
44
00:00:43,000 –> 00:00:44,000
Zach Tudor [00:14:12]: Once again, as, as we start looking at, at those technologies and what we intend to do, you know, we’re talking about space, that, that domain, yes, it is, it is, it is a critical domain. And of course, you know, satellites are our communications. I mean, so many things are critical and that’s, that’s one of the issues we have. We have so many critical technologies, so many critical infrastructures. Being able to understand, and once again, back to resilience.
45
00:00:44,000 –> 00:00:45,000
Zach Tudor [00:14:38]: How much protection can we put in each one? A concerted adversary may be able to have an attack. That’s why we need resilience.
46
00:00:45,000 –> 00:00:46,000
Frank Cilluffo [00:14:44]: Yep.
47
00:00:46,000 –> 00:00:47,000
Zach Tudor [00:14:44]: We need to be able to understand that we are under attack and respond appropriately and not go, gee, what was that?
48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo [00:14:51]: That’s actually a really important point because we’re never going to be in a position, even if we want it to be, to be able to protect everything, everywhere, all the time from every perpetrator, in every modality of attack.
49
00:00:48,000 –> 00:00:49,000
Zach Tudor [00:15:01]: I love that movie though.
50
00:00:49,000 –> 00:00:50,000
Frank Cilluffo [00:15:05]: But we’re never going to get there. But we do have a responsibility to think about resilience on the front end. And that’s, that’s my tee up for CIE, so cyber informed engineering.
51
00:00:50,000 –> 00:00:51,000
Zach Tudor [00:15:16]: So, so for the last 20, 30 years or longer, so many of our friends and colleagues have been looking at different ways to build security in whether it’s, you know, Lipner on the software side or others, the building code for building code, all of these different things. So many of them were smart and aspirational but hadn’t been adopted. Everyone would say yes, we need to do that and then we would listen as innovators would, you know, once again, that, that, that first prototype didn’t have security built in and we get that. Now with cyber informed Engineering, Cheri Caddy, who was at DOE, would say we need to get that daily dose of cyber resilience thought into every engineer’s curriculum in their everyday lives.
52
00:00:51,000 –> 00:00:52,000
Frank Cilluffo [00:15:57]: A senior fellow of ours, Cheri, for transparency.
53
00:00:52,000 –> 00:00:53,000
Zach Tudor [00:16:00]: Absolutely. Yeah. And so one of the other things that was a part of that was consequence driven cyber informed engineering. We kind of trace that back to Mike Asante, who is kind of a well known predecessor for all of us absolutely. When he had the workshops when he was at NERC on high impact, you know, low frequency events. Right? So when you did a traditional risk assessment, you’d say, oh well, you know, damage to that turbine is so unlikely, you know, that we will give it a low score on our risk assessment.
54
00:00:53,000 –> 00:00:54,000
Zach Tudor [00:16:30]: But of course, if we’re looking at the adversarial world that is the target now. And so that high consequence event is something that we have to prepare for. And so when you use that methodology and once again, this kind of goes on top of traditional risk assessment, may not replace it. Right? Because we still need to understand our systems in all the traditional ways and then come back and look. But what would the adversary do? Are we critical enough that we have to do this? What would our, our, our, our gems be? Right? And, and how might they impact it and how might we, we mitigate that?
55
00:00:54,000 –> 00:00:55,000
Frank Cilluffo [00:17:03]: You know, I, I do think that gets lost. And you’re bringing up a lot of previous work in the, in the post 9/11 and pre 9/11 environment where we were talking sort of failure of imagination, but, but the reality is, is we’re dealing with thinking predators and they tend to base their actions on our actions. Right? And if you batten down here doesn’t mean you remove everything there. So this is something where we do need to think like our adversaries. And also I, I think it just underscores the, the importance of intelligence writ large and situational awareness. You know, one thing just given Idaho National Lab and its history and seeing a bit of a resurgence around nuclear, especially to be able to accommodate the energy needs and requirements, that brings about a whole new set of opportunity but also some risk, right, from a security standpoint. Anything there that would be worth?
56
00:00:55,000 –> 00:00:56,000
Zach Tudor [00:18:06]: Well, and so, you know, we are, should be leading the charge on cybersecurity for next generation nuclear and we will be having our second annual workshop with the industry, with other lab partners, with academia on nuclear cybersecurity and what it means to use CIE and CCE in the next generation. I know that DHS science and technology is really looking forward to doing more things in this area. The CESER office in DOE, the Office of Nuclear Energy in DOE, all understand these things and working together with these new vendors because so many of them are new to critical infrastructure. A lot of venture and private equity backed firms that really don’t, have not had experience in developing critical infrastructures, you know, need to be, you know, brought on board. You know, I mentioned earlier so much of the, the outreach and community making that, that DHS and CESER and other DOE offices have been making over the years needs to really be applied now to make sure that we bring this new set of entrepreneurs, innovators, et cetera, into the space and do it securely.
57
00:00:56,000 –> 00:00:57,000
Frank Cilluffo [00:19:10]: And you know, again, real world examples, data centers are now being targeted in the Gulf and elsewhere. Shouldn’t be surprising, but it was to some extent.
58
00:00:57,000 –> 00:00:58,000
Zach Tudor [00:19:19]: And once again, it’s that, and once again, that cyber informed engineering, what are you building? And there is no infrastructure, I think, that has been developed, you know, in history that hasn’t been abused, you know, by some kind of adversary. Whether, you know, it’s the telegraph, the, the, the, the train, the car, you know, etc, right?
59
00:00:58,000 –> 00:00:59,000
Frank Cilluffo [00:19:38]: They all have a double edge, right?
60
00:00:59,000 –> 00:01:00,000
Zach Tudor [00:19:39]: This is a great thing and then someone uses it to maybe a great thing, you know, for, for, you know, usually it’s, it’s to make money somehow, right? It’s, it’s all, it’s all about some kind of leverage.
61
00:01:00,000 –> 00:01:01,000
Frank Cilluffo [00:19:47]: And, and when I think OT, a number of our networks or legacy technology, and when I say legacy, I mean real legacy. These are old tech, but they’re being netted by modern means and IoT and IIoT and everything else. If you were to sort of, when, when you look at IT, OT, a couple of clear differences in terms of what we need and what are your workforce, what, what are the demands there and how do we get our arms around that?
62
00:01:01,000 –> 00:01:02,000
Zach Tudor [00:20:21]: Well, so you know, our workforce at a lab I think is a little bit different than the workforce in general. So I’ll, I’ll start with the kind of the workforce in general. Although I’ve been a proponent, you know, for, for cyber folks forever. You know, those of you that are CISSPs, ISC2, I was on that board as well.
63
00:01:02,000 –> 00:01:03,000
Frank Cilluffo [00:20:35]: You chair it, right?
64
00:01:03,000 –> 00:01:04,000
Zach Tudor [00:20:36]: I did, I used to, I was, one of the best kind of, you know, part time jobs I ever had working with our own community. But now I say, you know, we need more power engineers. We need more power engineers who understand security, we need more electrical technicians because all of these data centers, who’s going to build the substations? Who’s going to integrate the nuclear energy? You know, unless it’s all cogeneration, we’re going to need more transmission, more distribution. But we’re also, once again, cyber informed engineering needs to be in the curriculum for these various disciplines so people think about the security.
65
00:01:04,000 –> 00:01:05,000
Zach Tudor [00:21:12]: You know, I say that every cyber professional is really a risk professional. I think we’re getting to the point where if you are delivering power to the nation then you are a risk professional as well as a power engineer as well. And so, and also sure, in cyber we have those same needs. But similarly, you know, as we talked about AI, I’m also still on the board of trustees for the Center of Cyber Safety and Education. So we do that, we start thinking about it. If we’re trying to get people into the workforce, what is the workforce of the future going to be like? How is AI going to, well obviously it’s changing entry level, but employers still want people with experience. Okay, well if you’re not going to hire them at the entry level, how are they going to get that experience? How do we train people to be three years more experienced? And once again it’s about using that new tool. We need to not be as afraid of AI as we may be. But remember I like to say that, you know, carpenters who didn’t want to accept circular saws or jigsaws were rapidly put out of business. Right? And so learn to use the tool, learn to excel and then go from there.
66
00:01:05,000 –> 00:01:06,000
Frank Cilluffo [00:22:17]: Yeah, well said. And I think educational institutions, and not just higher ed, But K through 12, that that’s where people are going to be hands on learning, correct? So how do we, how do we get our arms around that, that it’s arming them with education and knowledge at a, at a very young age.
67
00:01:06,000 –> 00:01:07,000
Zach Tudor [00:22:36]: I always think, you know, it’s, you know, we talk about K through 12, so, you know, like, you know, 9 through 12 is the problem because, you know, by then they all hate us, you know, you know, love, love our teenagers. And then later on when, you know, they’re a little bit older, they, they’ll come back and say, yeah, you might have been right back then a little bit. But I, I think that, you know, bringing those experience, I think that it’s, it’s an age old problem. Old people think they’re smarter than young people. Okay, that being the case, let’s flip that on its head and learn from what they’re doing. So I was listening to, I can’t remember which type of job posting, but like people that, oh, air traffic controllers, if you’re good at gaming, you should apply for this. Because those skills of being able to multitask and see the operational picture, etc. I’m like, I guess they were right. My son was right all those years. He was learning skills, you know, play of any kind teaches you things.
68
00:01:07,000 –> 00:01:08,000
Frank Cilluffo [00:23:33]: It does, it does. And I have to do a plug because I just came back from our trustee meeting. So, I’m a trustee at the Alabama School for Cyber Technology and Engineering. First magnet school, and leading school in the state now, focused on cyber and engineering, not just STEM. But what I think differentiates it is the gamification. And I don’t mean just an Xbox or a PS5 or whatever gaming console people play with today, but it’s applied learning there. You see, UAS is flying around in the building.
69
00:01:08,000 –> 00:01:09,000
Frank Cilluffo [00:24:10]: You, you see them dealing with real world challenges, hacking satellites because they’re in the South. So I do think that is something that we need to see more of. And that’s, that’s high school. That’s, that’s at the high school level.
70
00:01:09,000 –> 00:01:10,000
Zach Tudor [00:24:26]: And getting the kids to understand that it’s valuable. Once again, the gamification kind of, you know, brings more people in. You know, we have to lower barrier, barriers to entry, you know, at all levels. You know, we also look at how do we reskill, you know, folks, and I think we’ll see some of that.
71
00:01:10,000 –> 00:01:11,000
Frank Cilluffo [00:24:41]: I just worry about ethics. That has to be top of, so there’s certain things I still want someone who swore to the Constitution making decisions on.
72
00:01:11,000 –> 00:01:12,000
Zach Tudor [00:24:48]: And once again, you know, the, the, the ethics training, you know, that, that we get, once again, I was in the, in the Navy, you know, we did, you know, sometimes you swear an oath and don’t know what it means. And so, so that ethics training, not just, you know, sign the, sign here that says you won’t do that stuff and you didn’t read the fine print and then you go do that stuff anyway because it’s fun. Not always a good idea. So, so, but, you know, hopefully we’re leading by example, you know, throughout some of these different types of training.
73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo [00:25:14]: And you know, one thing that I think at least impresses me at Idaho National Lab and your brethren labs are that they’re not just admiring problems, they’re really focused on implementing solutions. What keeps you most excited in terms of what INL’s working on right now?
74
00:01:13,000 –> 00:01:14,000
Zach Tudor [00:25:35]: And thank you for that question because I always get the what keeps you up at night? But I like the excitement question.
75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo [00:25:40]: Yeah, yeah.
76
00:01:15,000 –> 00:01:16,000
Zach Tudor [00:25:40]: You know, you’re working on, on next generation, you know, wireless technologies, waveforms that can protect privacy and increase bandwidth. You know, helping our special forces as they, you know, prepare for, you know, what their next mission, you know, may or may not be. We hold something, the International Breacher’s Symposium, where we bring, you know, the, the special forces, you know, guys who have to, you know, make a hole in that thing so that forces can get through safely, and they just share experiences. We do the same thing with operational technology. One of the things that I’ve noticed about our team is as, kind of as an honest broker, we are a great convener. You know, we bring people from the intelligence community who maybe didn’t work together as well, or we had Air Force fellows and a couple of them decided to have their own conference at INL to say come, you know, here. And several teams in the Air Force that hadn’t really talked to each other, didn’t know they were there, were able to get together.
77
00:01:16,000 –> 00:01:17,000
Zach Tudor [00:26:36]: But yeah, some of the things that we’ve delivered, the Malcolm Tool for OT technology that is kind of focused on that resilience that you’re talking about, cyber informed engineering. Many of the programs, Cytrics, the supply chain testing, those started out as internal development programs at INL that became programs inside CESER and other. And seeing that progression and also that we’re getting to the point where interns are coming, that is as my favorite part of the year.
78
00:01:17,000 –> 00:01:18,000
Frank Cilluffo [00:27:07]: Absolutely.
79
00:01:18,000 –> 00:01:19,000
Zach Tudor [00:27:08]: And so when you talk about, you know, you know, teach, teach them, you know, teach ethics, bring new people in, but they also, they energize us, you know, you know, you know, people that are early in their educational journeys in their careers and they’ll ask a stupid question. Can I ask a stupid question, and they ask a stupid question and we look at each other go, we’ll have to get back to you.
80
00:01:19,000 –> 00:01:20,000
Zach Tudor [00:27:28]: But come over here and ask more of those questions. And it just, it just really brings something.
81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo [00:27:32]: It energizes it and, and I can say the same at a university. So we’ve got-
82
00:01:21,000 –> 00:01:22,000
Zach Tudor [00:27:37]: You get them all year long.
83
00:01:22,000 –> 00:01:23,000
Frank Cilluffo [00:27:38]: 20 students and they’re full time doing real world work, which I think is important for places of higher learning, not only to teach and educate, but hopefully learn from.
84
00:01:23,000 –> 00:01:24,000
Zach Tudor [00:27:50]: Correct.
85
00:01:24,000 –> 00:01:25,000
Frank Cilluffo [00:27:51]: Which may sound selfish, but we are learning.
86
00:01:25,000 –> 00:01:26,000
Zach Tudor [00:27:53]: That, that is correct. I mean it’s, it’s, it is hard to teach a class of, of any kind of, and if we’re all doing it right.
87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:28:01]: Can’t use your syllabus from 10 years ago, right?
88
00:01:27,000 –> 00:01:28,000
Zach Tudor [00:28:03]: That, that the students don’t, you know, come back and change the way you teach, change the way you think and then go forward. It’s, it’s, it’s really great for all of us.
89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo [00:28:13]: You know, one thing I’d also be curious because you sort of mentioned Citrix and Malcolm, and how do you take, so when you look at a VC environment, it’s pretty clear cut, but with a, with a national lab to take a, an idea which you have to innovate on and then turn it into a tool, what, what does that life cycle look like?
90
00:01:29,000 –> 00:01:30,000
Zach Tudor [00:28:36]: Yeah, well, you know.
91
00:01:30,000 –> 00:01:31,000
Frank Cilluffo [00:28:37]: And you don’t have to pick on a specific, but…
92
00:01:31,000 –> 00:01:32,000
Zach Tudor [00:28:39]: Yeah, you know, the valley of death is really no different, different for us, but we do have the advantage of, you know, primarily working with government customers who have a need. And so that means that we have somewhat of a transition partner, you know, at least initially. Now sometimes a tool becomes even greater than, than what that sponsor needed, right?
93
00:01:32,000 –> 00:01:33,000
Zach Tudor [00:28:57]: Or because of the, once again, the convening power of the CESER office in DOE when they demonstrate some of the work that they’ve done, and they will have those types of, of meetings on a regular basis, either annually or semi annually. Because we have to be industry informed not just at the lab, but also at the sponsors, so, so we get those things, and so you kind of beginning with the end in mind. The other thing that I’ll say is, you know, for the most part national labs don’t, don’t chase, you know, shiny new things. They build capability and capacity over time. And if, you know, if the cyber problem were to be solved, you know, I would have to, you know, help my lab pivot to solve that next hard problem that the nation needs. Because we are, we are not a for profit company. We are a national lab in the public economic and national security interest.
94
00:01:33,000 –> 00:01:34,000
Zach Tudor [00:29:45]: So we’ll do what needs to be done. We say that labs do what others can’t, won’t or shouldn’t do. They said, you know, so they, they shouldn’t have a 20,000 pound explosive limit on a space that’s almost the size of Rhode Island. You don’t want to do that in Providence. There’s no profit motive for a lot of the things that we do. We develop it because it’s needed by the community. And, and so those are the kind of things that we work on.
95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:30:07]: And tech transfer, that’s, I know that the labs have really strong, but easier said than done, isn’t it?
96
00:01:35,000 –> 00:01:36,000
Zach Tudor [00:30:18]: Correct. I think that the labs have some of the same problems that, that other companies have. But, but like we say, we do have that kind of the roadmap and the strategy from, from the government customer where they, they know that there is a need, you know, at least at the government level. And we talked about that public private partnership. So if 80%, 90% of the infrastructure is owned by the public sector, but they have their own, you know, motives, the national security of that, that 10%, that 20% is owned by the government to help those infrastructures maintain that or to be able to, to influence them that way.
97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:30:52]: Very well said. And, and this is just out of left field. So if it’s a stupid question, just say so. Do we need-
98
00:01:37,000 –> 00:01:38,000
Zach Tudor [00:31:00]: Don’t, don’t threaten me with a good time.
99
00:01:38,000 –> 00:01:39,000
Frank Cilluffo [00:31:02]: No, no, no. But it’s sort of that, do we need an In-Q-Tel like approach with the labs?
100
00:01:39,000 –> 00:01:40,000
Zach Tudor [00:31:09]: Well, I think that the labs take advantage of various types of forms like In-Q-Tel, and we contract with or bid on programs from DARPA, NSF, IARPA and others that operate in that mode as well. But you also need that constant kind of pipeline of needs or requirements.
101
00:01:40,000 –> 00:01:41,000
Frank Cilluffo [00:31:33]: Exactly. In itself, that’s insufficient, but I was just wondering if there is some thinking.
102
00:01:41,000 –> 00:01:42,000
Zach Tudor [00:31:36]: So I was, I was at, at SAIC at the beginning of In-Q-Tel and it was just like, holy cow, we’re going to try and do things kind of the way Silicon Valley does. The, the DIU, the Defense Innovation Unit, I was always very concerned because once again, as a taxpayer, I don’t want you to spend my money on, you know, the way Silicon Valley does it because eight out of ten of their, their projects fail, but those other two are fantastic. Right? So if you can take the failures, then we’ll go for the fantastic. But, but our kind of once again, I want proven technology mindset. Made us kind of not ready for that innovation, but it has come. You know, once again, I wasn’t sure about DIU when it started, but now we’re at the point where they have a methodology and they can do that wisely.
103
00:01:42,000 –> 00:01:43,000
Frank Cilluffo [00:32:22]: Yeah, no, I’m with you on that. Zach, we covered a lot of terrain in a short amount of time. We’re near the end of our time. What questions didn’t I ask that I should have?
104
00:01:43,000 –> 00:01:44,000
Zach Tudor [00:32:32]: Oh, my gosh. Yeah. So you asked the workforce question. You know, where is the, where’s the government going to go next?
105
00:01:44,000 –> 00:01:45,000
Frank Cilluffo [00:32:38]: That’s really what we’re talking about.
106
00:01:45,000 –> 00:01:46,000
Zach Tudor [00:32:39]: But I don’t know, I don’t know that answer. But I do believe that we’re going to see some, some new technology and innovation in the UAS and counter-UAS space. We’re going to see more innovation in wireless. We want to take world leadership, you know, again, or regain world leadership and chips, which will help us in some of these different areas. So I’m really, I’m, you know, I don’t know the answer to your question.
107
00:01:46,000 –> 00:01:47,000
Zach Tudor [00:33:01]: I’m excited to, to see what’s, what’s coming and, and the labs are all going to be part of it.
108
00:01:47,000 –> 00:01:48,000
Frank Cilluffo [00:33:06]: Well, Zach, thank you for what you do every day. Thank you for the fight you’re fighting. It’s the righteous one. And thank you for spending so much time with us.
109
00:01:48,000 –> 00:01:49,000
Zach Tudor [00:33:16]: Thank you for having me. Appreciate it.
110
00:01:49,000 –> 00:01:50,000
Frank Cilluffo [00:33:18]: Let me leave you with a token, figuratively and literally, our coin.
111
00:01:50,000 –> 00:01:51,000
Zach Tudor [00:33:19]: Yes, yes. So the coin. Absolutely. Thank you.
112
00:01:51,000 –> 00:01:52,000
Frank Cilluffo [00:33:23]: Awesome. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.