Adopting Zero Trust
Adopting Zero Trust
AZT: The National Cybersecurity Strategy
0:00
-55:36

AZT: The National Cybersecurity Strategy

Season Two, Episode Five: Featuring Former Federal CIO + Former OMB General Council

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google.

This week on AZT, we chat about something timely and impactful to everyone in the cybersecurity and users impacted by related decisions: the new National Cybersecurity Strategy (full strategy here). Our guests this week are Tony Scott and Ilona Cohen, both industry powerhouses and experts well-equipped to navigate this complex document.

Ilona Cohen is the former General Counsel at Office of Management and Budget (OMB), was an Associate White House Counsel and Special Assistant to the President during the Obama administration, and is currently the Chief Legal Officer, Chief Policy Officer, and Corporate Secretary at HackerOne.

Tony Scott is the former U.S. Federal CIO during the Obama administration, has worked for brands such as Disney and GM, and is currently the President and CEO of Intrusion.

Together, they both experienced the Office of Personnel Management (OPM) breach of 2015, and have been involved with the ever-shifting threat landscape that impacts and leads to new initiatives like the latest National Cybersecurity Strategy. In particular, it resulted in the Cybersecurity National Action Plan, which resulted in the first bug bounty program.

Editor’s Note

This week we are interrupting our regularly scheduled deep dive into the world of Zero Trust and are pivoting to something both timely and impactful to the private and public sectors. Occasionally we’ll carve out opportunities to have these kinds of conversations so that you, our listeners/subscribers, can hear firsthand information from those who have been involved in similar scenarios in the past. That said, we are also building out a balanced set of guests to discuss the impending ban on TikTok, and may publish earlier than usual pending schedules.

As a side note, I’m breaking my rule regarding mentioning my day job at Drata to announce a new risk and compliance summit my team is building. On June 22, at a badass venue (The Midway), we’ll have a jam-packed schedule of great presentations, panels, and more. Check out the details here, our call for speakers that close in the first week of April, or reach out to me if you’d like 35% off your ticket.

Weekly Zero Trust Headlines and News

Most of the content about Zero Trust is opinion-based, but here are some impactful news stories from the past couple of weeks.

Key Takeaways

  • This strategy and its execution are dependent on congressional budget approval

  • Eventually, cybersecurity efforts would best be served living outside of standard budgets

  • The strategy calls for non-voluntary implementations, regulation to protect critical infrastructure

  • Liability is being shifted off of users and onto insecure software and its producers

Cybersecurity is a National Priority

The National Cybersecurity Strategy is the result of at least two years of effort, and it shows a material deliverable highlighting just how important cybersecurity is.

“Anytime an administration publishes a strategy, it shows the significance of the issue to an administration,” said Cohen.

Tony agrees with Ilona’s opinion and expands upon it with the big picture.

“One, a strategy like this is usually meant to be a unifying, strategic shift in direction or signal of a direction that an administration wants to go. And so I think it's important in that respect, in that it, it sort of ties together a bunch of the individual actions that we've seen, you know, playing out over the early parts of this administration,” said Scott.

A Shift in Responsibility

Today, breaches are in the headlines so often that consumers and users are hardly phased by them. When they first started, you’d expect maybe some free ID monitoring, a suggestion to freeze your credit, and to change your passwords. Those days are over, and putting the repercussions singularly on users may finally be at a crossroads. The new National Cybersecurity Strategy seeks to change this.

“There is an emphasis towards certain key players in the ecosystem. So largely software companies, telecom carriers, social media companies, you name it, have largely been missing from the cybersecurity defense strategy,” said Scott.

The strategy intends to shift the burden off of users/consumers and onto companies that offer insecure software and technology.

“Frankly, better resources and the means to help protect not only individuals but critical infrastructure. And I think that's an important shift. You know, today, when we signed an end user agreement, we essentially say, you know, no liability ever accrues to whoever's providing the service,” said Scott.

This is an important shift that digs into the root of the issue, rather than treating symptoms.

“The shift on liability is really to focus on the upstream impact, not the end user who might be affected, but really like how do you go upstream to make sure that manufacturers, developers are actually working on the right things,” said Cohen.

However, the strategy as it stands today is vague on how exactly they plan to implement this shift and what incentives may be put in place to encourage it. Fortunately, Ilona sees some parallel strategies that have worked in other areas that also were designed to protect consumers better, but also reduce the impact on manufacturers.

“You could take some parallels, for example, from the automotive industry. They are incentivized to voluntarily participate in the recall process because by doing so, they get limitations on their liability. It's a carrot; it's not a stick,” said Ilona. “And so if software developers get those same incentives, they're gonna ultimately make the same calculation that automakers make. ‘Hey, it's less expensive for me to participate in this recall process, even though, of course, there are costs associated with it, than it would meet for me to ignore it. And oh, by the way, it just happens to have a better collective goal of driving us toward a safer outcome.’ So that's, I think, the calculus that they'll make in trying to develop the liability is how can we create the right incentives, not, you know, make sure we penalize the right factors. That's how I think about it.”

Episode Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello and welcome to another episode of Adopting Zero Trust or AZT as we have known to call it. I'm your producer Elliot Volkman, alongside with Neal Dennis, our host, and in a moment I will introduce you to our two expert guests.

Today we're gonna actually spur off a little bit from our traditional format, which is usually digging into various aspects of Zero Trust, and instead, we're going to focus in on something both very timely and impactful to zero trust and cybersecurity in general. With that being said, earlier this month, the White House released the National Cybersecurity Strategy, which does of course include some aspects of zero trust that mentioned throughout.

But with that being said, I'm going to actually just hand us off right over to our experts who I could not be more thrilled with the background, who are able to fully be able to speak to this particular subject. Without any further delay let's introduce Tony Scott, who is the c e O of Intrusion, who was also the former federal c o, and then also off to Awana Cohen, who is currently the Chief legal officer, chief Policy Officer, and corporate secretary for Hacker one.

In past life was the general Counsel for the Office of Management and Budget, or O M B. Prior to that, she was also the Associate White House Council and special assistant to the president. This was for two administrations. Go. That being said, let's do a quick round of introductions and then we'll just jump right into it.

Tony: Sure. So I was in the last two years of the Obama administration, the federal c i o. And, and probably during that period of time, one of the biggest things we worked on was responding to the O P M breach and you know, really took a hard look at all of the things that led up to and contributed to that breach.

And then launched a whole series of things to try to improve federal cybersecurity in particular. So we had a cybersecurity sprint. and that, you know, focused on patching critical vulnerabilities, two factor escalated privileges and things like that. And we made actually a lot of progress in a pretty short period of time.

But that was my main focus. And then also just modernizing federal systems. Before that I was CIO in the private sector for VMware Microsoft, the Walt Disney Company CT O at General Motors, and a bunch of jobs before that. So, had most of my experience in the private sector, but really enjoyed working with Ilana and our whole team at O M B during that period of time.

Elliot: Excellent. So thank you so much for walking us through your background and we'll obviously dig into some of your experience there and how it impacts to that new strategy. But Lana, let's hand things off to you and learn about, you know, where you are today and you know, where things were, you know, so what yours in the past.

Ilona: Thanks for having me, and it's so, it's so good to see you, Tony. So I too, like Tony worked in the federal government. I was the general counsel of the Office of Management and Budget, which has responsibility for the management of the federal budget, but also making sure that you know, the agencies are implementing effective controls to keep data and systems secure.

In addition all federal regulations go through O M B. So had so had a significant impact there. The agency has a significant impact. They call it the most important agency you've never heard of. So, and then before that you know, I was also still in the White House, but in the White House Council's office where I had the cyber portfolio among other national security related tasks.

I'm now the Chief Legal and policy Officer of Hacker One. And it's great to be here, especially because when I did work for the government as Tony mentioned, you know, we worked on the response to the breach of the Office of Personnel Management and that, of course, that was a terrible breach and no one would've wanted that to happen, but, They say that you should never let a crisis go to waste.

And so after that crisis, we were able to really push through a ton of reforms. Cyber, we did a cybersecurity national action plan. We created, we really were able to sort of put up a, a whiteboard and say, what do we wanna do in cybersecurity? And one of those things was the first ever bug bounty program, which Hacker one ultimately ended up winning.

So, sort of come full circle for me to be back at Hacker One, where we have been, you know, proudly hacking the Pentagon and other government agencies for good, for a very long. 

Elliot: Excellent. Thank you so much for giving us that background. And it's interesting to see how that kind of circular connections bring you back into the private sector and the relationships there.

I will say the only experience that most of us maybe that have lived in DC for o any experience to like exposure for O M B is like anytime there's actually maybe a snow day, we're just waiting on y'all to trigger that effect and then it impacts everyone else. So I think if you've lived in DC that's probably the only exposure unless you've actually worked for that.

So that makes sense. But now going . So Neal, I'm actually gonna hand this off to you now to just kind of go through the standard questions. We're gonna be a little bit more formatted than our usual, but again, today we're mostly gonna be chatting about the national cybersecurity strategy that is just released and get your input and feedback on how these things are built and you know, how this impacts private sector and all that good stuff.

But Neal, off to you. 

Neal: And if Elliot had sent me actual questions, I, I don't know where they're at, but I'm gonna ask a few anyways. , so I'm hoping he didn't without that being said. So this is, I like y'all's background. This is really fun. So once again, thank y'all for joining in and getting us involved and, you know, taking your time outta your day, obviously.

So, some of the things that I kind of wanna maybe hit up on the, the, the strategies to Elliot's point early on right there, there's a lot of big things going on over the last few years. There's a lot of things updating the way that things are moving, but, you know, th this new strategy, the structure of it, you know, what, what do you see is the big differentiations here with what's, what's presented now versus where we've kind of been building and, you know, are there really any.

Strategically different, or is it truly just the next stage and evolution of what we've already seen over the last couple of years? So I'll throw it over to maybe Alana, maybe to kick that off, and then we'll poke Tony real fast. 

Ilona: It is different. I mean, well, you know, one, anytime an administration publishes a strategy, it shows the significance of the issue to an administration.

You know, this took two years to develop. They have shown you, they've shown us just how important cybersecurity is to this president and to the administration. In terms of the actual strategy itself, though it does vary in some material respects. Like one, it calls for non-voluntary implementation.

Cybersecurity measures. So, you know, unlike prior strategies, they're calling for regulation in certain areas to protect critical infrastructure among other things. And then also, and perhaps Mo most noteworthy is they also are trying to shift liability for insecure software products to like producers of software products.

So that is very different. It's not what we've seen in the past. I mean, it, I think it makes a lot of sense, but for them to call for it and then propose, you know, legislation in that area is a, is a, a 

Neal: change. Yeah. That, that's very good. Cause Tony, what are your takes on it as well? There's some things we'll come back to here in a sec, but curious on your side of the fence.

Tony: Well, I think Ilana's, right? To me it represents a couple of things. One, a strategy like this is usually meant to be a unifying. Strategic shift in direction or signal of a direction that an administration wants to go. And so I think it's important in that respect, in that it, it sort of ties together a bunch of the individual actions that we've seen, you know, playing out over the early parts of this administration.

And it recognizes also some of the coordination challenges, you know, that have historically taken place in the federal government, in our federal government's a big place. There's lots of players, lots of areas of responsibility, and I think this provides a unifying sort of strategy for all of those efforts, which is super important if you're gonna make any progress.

As Ilona mentioned, it also, I think, significantly shifts. An emphasis towards certain key players in the ecosystem. So largely software companies, telecom carriers social media companies, you name it, have largely been missing from the cybersecurity, um mm-hmm. , defense strategy. And this clearly, I think, sends a signal that with this administration, they intend to shift the burden from the end consumer who largely now whether you're a company or an individual, have been responsible for defending yourself to some of those big you know, large scale providers of technology who.

Frankly, better resources and the means to help protect not only individuals, but critical infrastructure. And I think that's an important shift. You know, today when we signed an end user agreement, or youa as they're called, we essentially say, you know, no liability ever accrues to whoever's providing the service.

And I think it's time that some of those big entities, you know, step up and bear some responsibility. You know, for everything else that we do in, in the us there's product liability that you know, is attached to that. If it's a car or an appliance or food or whatever. And technology has, up until now, largely been.

Pretty much exempt from any of those you know, sort of more punitive kinds of things. And so I think this signals a shift that we might be headed that way for some version of, you know, responsibility or product liability or whatever you wanna call. And so I think that's important. And then the last point I would make is the end of the day, this is also a human resource issue.

And one of the problems, you know, Ilan and I both dealt with is, you know, just the tremendous shortage of cyber skilled people. And, and again, I think this strategy pulls together some of the threads that had been, you know, previously worked on, but puts kind of an exclamation point on those and says, we're gonna be serious about developing the people skills that.

we need to adequately defend our country and there's a lot more in there, but I'm sure we'll 

Neal: no. Yeah, we definitely got some things to go through for sure. So I kind of just real quick wanna briefly unpack the liability thing real fast. I think that was a great analogy from like the food service versus cars and the impact of what that liability looks like.

I, I think, you know, there's plain devil's, advocates slightly to the liability concerns. There's some people that I've seen that are concerned about certain breaches of privacy or breaches of, of. You know how they, they actually approach that liability concern and implicate and impact their, their mitigation strategies.

So, you know, as an end user, we've all got, gosh, only knows how many different technology stacks within our homes nowadays, right? But as an end user, right now, update comes in, I approve the update, or I send it to auto update, and you sign a little approval piece, right? The one thing I've seen so far is that people are afraid that those no longer are validated.

And then there's that breach potential, indirect breach of privacy when someone refuses to accept the update, but now they have no choice, right? So I know on the larger grand scale, this is meant to impact government, to government interactions and government to contractor type interactions, but do you all see an opportunity where that concern could actually play out under the current auspice of the, the.

or is that even something to even consider today? Do people have to really consider their own downstream liability? Back to your example of a car, if I don't take my car and put an oil change and it blows up in my face, that's my fault. It's not a defect. Right. I'm just kind of worried about that level of triage downstream.

Tony: Well, you know, there always is an element of, you know, user culpability. You know, if I drink a glass of gasoline, you know, whoa is onto me, you know, kind of thing. And you know, so there's always, you know, pilot error if you want to call it that. You know, that that measures into these things. But, but I think the shift is really important.

You know, the big tech organizations do have, I think, some significant responsibility for helping. You know, protect you know, our critical infrastructure and citizens FCC just announced, you know, that the telephone companies, cellular carriers, are gonna have to do a better job of protecting their users from you know, scams that are done via text and so on.

Yeah. And that's just one small example, but you know, cities all over the country you know, have a police force that are there to enforce rules and regulations and keep people from speeding and robbing banks and, you know, doing other things that you know, we don't want them to do. And so there has to be some responsibility somewhere for somebody to shift the burden from the individual to a better, scalable, more.

Appropriate response to some of the threats that we're facing. Yeah. You know, our, our national Air defense wouldn't be very good if we just had everybody on their roof with a shotgun, you know, 

Neal: in Texas it might be better, just to be fair.

Tony: It's not gonna be good against a nuclear missile, you know? So, so, you know, I think this is an important shift. Yeah. 

Neal: That's good. So 

Ilona: can I, would you mind if I answer that one? No, please. Please. So, Tony's, Tony's totally right, the focus of the. The shift on liability is really to focus on the upstream impact, not the end user who might be affected, but really like how do you go upstream to make sure that manufacturers, developers are actually, you know, working on the right things.

And it's not entirely clear what shape it will take, right? Like they left it a little bit vague in the, in the implementation strategy about, or I'm sorry, not the implementation strategy, but the, the plan itself. How are they going to, how are they gonna do this? They just called on, you know, working, they wanna work with Congress to get this done.

But you could take, like you mentioned other industries, right? And so you could take some parallels, for example, from the automotive industry. They are incentivized. To voluntarily participate in the recall process because by doing so, they get limitations on their liability. It's a carrot, it's not a stick.

And so if software developers get those same incentives, they're gonna ultimately make the same calculation that automakers make. Hey, it's less expensive for me to participate in this recall process, even though of course there are costs associated with it, then it would meet for me to ignore it. And oh, by the way, it just happens to have like a better collective goal of driving us toward a safer outcome.

So that's, I think the calculus that they'll make in trying to develop the liability is how can we create the right incentives, not, you know, make sure we penalize the right factors. That's how I think about it. 

Tony: Parallel in the. You know, the payment card industry, you know, visa and MasterCard and the providers of credit cards all got together and said, you know, and created the PCI standards for protecting people's you know, credit cards and from fraud and, and that kind of thing.

And it was, you know, a technical implementation that every organization that takes credit cards ultimately had to you know, sign up for and enforced by the credit card industry. And so I think that's a great example of, you know, the industry itself stepping up and saying, Hey, we can do something about this problem.

And I'm hopeful that the software industry. Do something similar to that, to the, to the degree that they can. 

Neal: Yeah. One, one last quick point that is also a great comparative financially speaking. You know, if I report something to the F B I and it's only 50 bucks, they don't care. But if a bank comes in and reports something for the same threat that totals 5,000, 500, 5 million, whatever it may be, then there's a case to get federal involvement and actually get stuff done.

So those are great examples. So kind of trucking along thinking about this a little bit more, this, this strategy as a whole, this new process now, I think we've already kind of really hit on this a little bit, but maybe just a fast iteration, you know, the biggest threats, risk to cybersecurity, what this kind of seeks to address.

And thanks for my part, it seems more. Day one of this is more for accountability, culpability and liability in the grand scheme of things and trying to help bring, like y'all both just mentioned, bring that up a little higher echelon to the appropriate parties and make them on par with other industries.

Would y'all kind of agree, disagree with that from a general strategy perspective of what we're trying to accomplish currently? And maybe one or two other things that y'all might call out for that? 

Ilona: Well, I mean, let's not lose sight on the fact that the administration wants to disrupt malicious actors, right?

Whatever form that takes. So yes, it will be important to, you know, focus on development of more secure software. And that's a part of disrupting malicious actors. But but you know, that is an essential, that's just one additive that I think maybe you missed in your summary. 

Neal: No, that's a fair call out.

Definitely. I mean, it is, that is definitely boldly written in there about threat actors and malware mitigation strategies for sure. 

Tony: But I think also what's important is it's kind of a and it's mentioned in here, a a whole of nation response. You know, this isn't, it's every man for himself. You know, the water's level, water level's rising and you better swim.

You know, this is a, a water level's rising, and collectively there's things that as a nation, we need to do. And I, and I think this will be the sort of starting point for some rethinking of lots of different policies, lots of different initiatives. And you know, I, I hope spurs a more both better awareness, but also action on the ground in terms of, really making progress on this.

You know, the cost to our economy is just enormous. And it's not just ransomware. It's, you know, fraud that happens digitally. It's people's money and livelihoods that are being affected. It's a, it's a scourge on our society at this point. Some of the, you know, criminal activity that's taking place digitally.

Mm-hmm. , it's the equivalent of banks in every town being robbed every single day. And, you know, we really have not had the effective tooling and resources and, and, and defense against that, that the size of this problem really calls for. And so I think this helps move it you know, in the right direction on that, on that, from that perspective.

Neal: So I'm, I'm gonna, Shift down a little bit here on a question here that you already touched on Tony, slightly on the collaboration and the whole of nation defense mentality. So we, we've got a lot of programs that have been ongoing for years. Like everything at cisa, for instance, right between the US cert, A I S Cs, C P, and a bunch of other stuff.

We've got the ISACs, the ISOs, all these other fun things that are out there. And from a cohesion perspective, a lot of those are just now really starting to get their feet underneath them to cross collaborate. You know, some of those communities have been established for a while and they do things very, very well internally.

So, quick curiosity question for y'all. Thinking of this whole of nation defense strategy, how do you feel like this is going to help foster and or present itself towards a more collaborative endeavor? What things within the strategy help maybe give people a little bit of incentives, a little bit funding, other than just simply sharing, Hey, we've got a breach and this is what it is.

Tony: Well, I would say you know, this is all hope at this point cuz, you know, we'll, we'll see what happens in the near future. But you're right, you know, the implication of the question is we're we can be pretty siloed in our response to things. And it's not that any of these ideas are bad ideas they're just not widely shared in some cases.

I, I used to say everything is known, but just not by everybody . And we have that problem in a big way. And so I think there's a couple of goals that this lays out. One is, let's figure out ways that the right information can be shared a lot more quickly across all of the places that matter. . And we've had some good efforts and improvements even, you know, over the last few years.

Even after I left the federal government. I've seen pretty good improvements in, in that space. And it points to, you know, several agencies like Nest and, and others to get the standards out there so that those can be followed, you know, directionally in terms of and other agencies as well about how to do that.

So, so I, I think there's hope there. But I, I think it, as I said earlier, it also just starts with awareness. And, and in a, in a way would where organizations or individuals who have questions. You know, want help. It gives you a place to go and a and a place to understand what your role or your part in the process could be.

And so I think we need to make a lot of progress on those kinds of issues in order for our whole of nation strategy to be effective. 

Ilona: Yeah, I, 

Tony: I'll add building codes for example. You know, there are great resources where you can go and figure out what the building code is. Where do you go if you're trying to figure out what the cybersecurity code is?

Definitely you could solve that problem, right? Yeah, 

Ilona: yeah. I'll add that. You know, before you get to a whole of nation. Effort. You need a whole government effort. And as Tony rightly noted, the sheer need to coordinate internally to be able to produce a document like this, a strategy required, you know, months of discussion and effort to ensure that everyone was on the same page.

So they're now developing an implementation plan that will follow this strategy. And, you know, that level of effort will again, make sure that everyone is on the same page in order to deliver these priorities. With regard to the rest of the whole. Effort. You definitely need, you know, the public-private partnerships that are called out for that are called out explicitly here.

That's, you know, gonna continue to be a work in progress. And then, you know, you need an international strategy. And so, you know, one of the pillars of the strategy is to, you know, focus on international partners. There's definitely coordination that already goes along with that. There's a new ambassador at the State Department for cyber which is additive to the other coordination efforts that they're already undertaking.

So, you know, there are pieces, they're all called out here, but each one requires a substantial level of. 

Neal: No, it's a fair play, especially the cyber ambassador. I'm, I'm actually excited about that as an office and position there in the State Department. Yeah. So no, those are good things. So I obviously have a very peak interest in that particular strategy and effort just by proxy what I do now and what I've done in the past.

I've worked in the IAC world and the government world both for a while for, for a bit so that, that kind of moving the ball forward a little bit. So taking us back more towards impact a little bit more then. So we, we look at what I think is kind of the overarching impetus for what the administration has done and what prior administrations have built into for things like this today.

And I, I, I imagine in most people's mind things like the colonial pipeline and the meat packer and a few other critical assets that went down a couple years ago that really started some of these larger executive orders. You know, there, there's thankfully there's a larger focus on critical infrastructure of late outside of just.

energy sector outside of just electric grid for that matter. Outside of that piece, you know, there's been a really good focus on this stuff. So from the strategy in particular, do y'all see some things within this that address, that particular perspective specifically, or that can help maybe bolster that more directly the current standards?

Ilona: Absolutely. I think if you listen to Anne Newberger, who's the president's deputy National Security Advisor for Cyber talk about the strategy and rolling out the strategy, she cited the Colonial Pipeline you know, incident as a, a real eyeopener for the governor, a government, excuse me. In part because, you know, they had been primarily focused on nation states and adversaries.

And here was, you know, like a simple. Vulnerability that had been exploited, that was like pretty easily exploited and brought down an entire, you know, geographic region, or had an effect on that same geographic region. So just the sheer impact of such a small you know, vulnerability was, you know, a real eye-opener for them.

And that's in part why the administration focuses on regulation and making sure. Every, you know, certainly in like the healthcare industry, there are areas of our society that are very heavily regulated and then there are others that have been less so, but who that have a pretty significant impact. And so making sure that there's an, a more even playing field is one that is, I think, at the heart of the strategy itself.

Then the other thing is, of course, you know, at the, there's a lot in here about, you know, defeating ransomware. So, you know, that of course is important in terms of, you know, prospective attacked on critical infrastructure. So I think the combination of the regulations plus the ransomware focus would be the areas that my mind goes to immediately when I think about how is this gonna ultimately help us protect those 

Tony: sectors.

There's also language here about resiliency, and I think we need to probably focus on that more as well. So a lot of the critical infrastructure that we have it may be vulnerable to cyber attack, but it may also be vulnerable to just lack of redundancy and resiliency. So we've also seen examples of that where it wasn't as the result of a cyber attack, it was as the result of some other failure, and all of a sudden you have tremendous disruption.

If we learned anything from covid and supply chain issues that have affected every part of our economy we should have learned a big lesson around resiliency. and a lot of our critical infrastructure, whether it's energy or transportation or communications needs to really take a look in the mirror hard around this whole notion of resiliency, whether the, the, the fatal flaws caused by a cyber attack or some other failure.

We just have to be figuring out ways to make this whole thing a lot more fail safe and, and resilient. You know, whether it's from weather or from cyber attack or you know, any of the challenges that they face. There's a ton more work to do there. So I don't want us to forget about the physical as well as the digital, cuz they're definitely tied 

Neal: together.

So there, there's a fun little story that happened a few months back that I. Most people, hopefully in this world are at least anecdotally aware of. But several months back, a couple of guys decided it would be a good idea to blow up a substation or at least take one down. So then they can go Rob, Rob the gas station, so then they could also email the owner of the gas station and try to get malware on his box.

So it was a trifecta of we don't like you, and the physical aspects, the, the approach of cutting the security system via a substation is actually now common practice and Im impacting whatever physical facility they're trying to gain access to for what ends. Those are the fun parts is finding out what they actually plan to do.

But yeah, to your point, physical and cyber, you know, they play very nicely hand in hand. And if you impact one or the other, there's definitely a bleed over for sure. Thinking about this a little bit more, and we kind of already highlighted this piece a little bit early on, on the The liability aspects and what we've kind of discussed for that.

But you know, when we think about the private sector as a whole, the executive order is, is obviously rightly so geared towards involvement with the government and what that liability means to them in general, but also trying to help promote downstream impact at a larger scale. So from the private sector piece, you know, you already alluded a little bit about how they could kind of get started and playing in the implementation of this strategy a little bit more, and then more so kind of around potential the incentives a uh, automotive and, and other industry.

Right? So if we can kind of poke that one just a little bit more around, you know, what that impact for the private sector could be directly, even if it's not playing in the government side of the house. And then how we can ensure that long term, the right people stay involved and maintain that, that level of impact long term.

So I'll throw it over to Alana. 

Ilona: Well, I mean, the private sector will stay involved because all of the, everything in the, a lot of the things in the strategy will require subsequent action. So to the extent that there are regulations that will be a participatory process with the private sector and the, the administration is really open to, to doing all of this collaboratively.

Actually, hacker one was just at the White House this week meeting with national security or national security and cyber officials to talk about the importance of getting this right. And, you know, talking about, you know, the, some of the language and the strategy that calls for, coordinated vulnerability disclosure.

So, you know, the they'll continue to be opportunities for us in the private sector to participate and, and that. You know, that solicitation is essential to make sure that the regulations that they ultimately come up with are not, you know, burdensome or overly complex and actually lead to the change that they want to affect.

Tony: So I'm c e o of a public traded company, and every quarter I have to sign off on our quarterly financial reports and we work closely with our auditors on a whole range of issues. We have an audit committee on our board and they largely oversee financial and risk kinds of issues for the company.

And I've, in every place I've ever worked, except for the federal government we've been public companies and I've been a part of that process. What I've seen over the last couple of years in particular is, More and more focus on risks associated with cyber. And the boards of directors and auditors are, and have been, but are increasingly asking questions about what measures do you have in place?

How resilient are you, what's your policy on, you know, ransomware? How are you going to respond to a crisis? And I expect that there will be some additional regulation coming in that space from S E C and other places. And so whether you like it or not, as a public company, I think you're gonna be dragged into this if you were an unwilling participant.

And I think the leading companies, particularly companies like mine that are in the cybersecurity business, should be out on the leading edge of that stuff and, and showing the rest of, you know, the private sector, you know, what good practices look like and, and you know, what you can do to be better at these kinds of things.

So I, I think there's a big role for the private sector. You know, when we had the manufacturing crisis in the country, in the, in the eighties and so on and Japan and Germany and other countries were just kicking the crap out of us in terms of manufacturing quality. We stepped up and we had the Bul Ridge award for, for quality and a private sector engaged in, in a pretty short period of time.

Our manufacturing quality is equal to anybody else's in the world. We need to do that same kind of effort here. With respect to cybersecurity, we should be the best in the world at this, and I think the private sector can help, you know, be leaders in that in that effort. 

Ilona: Absolutely. Yeah. The private sector really does have the ability to, you know, take important steps to, to ensure that we're protecting sensitive information and data, and there are best practices there.

And so they're either gonna be, you know, the, the real leaders are already implementing them, and the question is just like, how many laggards are there and what will it take to get everyone on board? 

Neal: Yeah. I think from my perspective here, the, the order and whatnot and where we've gone over the last two years, swinging this back home to the moniker of the day for adopting zero trust, I think that's kind of the really good big thing.

You know, we have a newer, more resilient up-to-date policy and procedure on implementing your security stack, right? We have new ideas on what that means, and you're no longer stuck with potentially a multi-tier. Like if you're in the cloud, you no longer have to run 18 DPCs for your infrastructure.

You can do all these things the right way. A lot of it at the application layer, more so than ever. If you follow that zero trust mentality at the application layer. I think kind of to that endpoint, this strategy coupled with existing executive orders and existing net new n standards that just recently published, right?

I think that that security layer. Kind of much more well established today than it was two, three years ago. Now, on, on that same response flow though, if we think about general impact, and when we think about n standards, we think about saying, Hey, please do it this way to keep bad things from happening.

And when bad things happen, please tell us, and here's how. But from a general perspective, improving like the IR and incident response capabilities and, and the recovery phase of things, you know, from a strategy perspective today, what are some of the guidance, if any, that you think of to kind of highlight how to, when something does actually happen that the strategy alludes to, to help that be a more timely response?

Or at least, you know, responsive in the flow of what you should do, I should say. 

Tony: Well, I think there's a couple of things that matter in this regard. Ilana kind of alluded to it earlier, but One of the challenges, I don't care what size organization you're in, that you have, is recognizing when you have an incident, you know, and then there's this fear of liability that is attached to that, you know, and mm-hmm.

And, and so organizations I think all over the place struggle with this. You know, if there's a notification requirement that I tell somebody within three days, or three hours or three minutes, what starts the clock, you know, how do I know when something has triggered this requirement that I do something?

And I think we can help organizations, you know, with some tools that, you know, can, can help identify, Hey, you got a problem, and that starts to clock. And, and, and, you know, we could probably automate some of that. , but it's also a cultural thing. In most organizations there's still a culture where everybody will try to fix something at their own level, and then only when they've figured out that they can't handle it, then they escalate to their boss and that person does the same thing.

And sometimes these things take forever to get to a, a level where it can actually be dealt with. And so I think culturally we've gotta set up within organizations, a culture that says bad news has gotta travel fast. If there's any kind of an incident or anything that even looks suspicious, create awareness.

You know, get the right eyeballs on it for somebody that can actually do something about it. And I think that awareness thing is, you know, something that's pretty important. We've done it in other areas in this country, you know, and so, you know, whether it's, you know, covid kinds of things or you know, I'm thinking way back, you know, anti-littering campaigns or don't do drugs or whatever, but we've, you know, clearly articulated what a national imperative is and created awareness that you should be more on guard or shields up for certain kinds of things, and then you know, set expectations about what the right response is.

Definitely. 

Neal: Alana, before, before you chime in real quick, a quick addendum to the question at large, you know, if we think about the prior executive. From the pipeline and that there was that initial order and legislative thing mandating critical infrastructure breach notifications. Right. And I, I think this is kind of the next step where would y'all agree with the current, the newest order here that we move beyond just critical infrastructure notification for impact?

Right? And that this new one is basically, if you're doing business with the government, congratulations, you now have some kind of legal qualifications for timely notification. Right? So just kind of highlighting if that's, if y'all think that that's necessarily the implication, but also kind of how, once again, to Tony's illusion here around timeliness and, and finally getting over the hump on the IR process, courtesy of the order.

Ilona: So I think that, so maybe in the incidence of the. You know, a, a timely notification might have been able to prevent the impact from spreading broadly. But I think the incidents like the Log four J and maybe some of the other incidents of, of, of that are more recent show, these, these vulnerabilities can spread instantaneously.

And so, although of course, you know, hacker One has as its cultural value that we want to default to disclosure that transparency is the best way to secure a safer internet. But the even better way is to prevent it from happening in the first place. So I was really pleased that the strategy called out, you know, again, C v d vulnerability disclosure programs in all sectors for all technology because the best way to handle this is to prevent it from happening.

And so, you know, we really do have to. Zero in on that. I'm not sure exactly that the strategy I, I didn't take from the strategy that they're calling for mandatory disclosure in all instances. And you might actually see how, although I, again, we think that's valuable, we don't wanna prevent people from looking, right?

Mm-hmm. , you don't want somebody put their head in the sand because they're like, well then I'm gonna have to report that to the government. We want them to, we want them to do the hard work of finding the vulnerability in the first place so that they can mitigate it. And then, you know, if there is a mandatory requirement that then they like announce that to the public or to the, you know, the agency they're doing business with that might ultimately have the reverse effect.

So you really do want to think through how you might implement a call for disclosure. 

Neal: That makes sense. Awesome. So, you know, I know we're got a few more minutes left to keep going here, but I had a couple more quick questions instead of going down my rabbit hole. I from a strategy perspective, once again, when we think about these things, and I have my opinion on the cybersecurity skills, gap shortage, whatever you want to call it, there, there's, my campus is, it's an HR thing, not so much as a people thing in the grand scheme of things, but regardless of the rationale why it exists, do y'all see anything to implicate some support around covering the skills gap and you know, maybe from a, a hiring perspective or promotion of, of education or, you know, implications behind that, that issue there with the cybersecurity professionals.

Ilona: This is a really tough one. I. I, you know, Tony could probably answer this a little bit better as probably since he's hiring in the space, likely. But it's, it's you know, I know they're calling for a strategy to strengthen the cyber workforce, but it's not an easy fix. I mean, I think, actually, I hope that they'll look for non-traditional.

Cyber skills as a way to actually boost the workforce. I mean, I know that ethical hackers, for example, could make really good federal CISOs at some point down the line. So, you know, I think we're gonna have to think outside the box in order to really solve for this problem. 

Neal: So real quick on that note, the military side of the house, in particular Space Force you know, trying to figure out their cyber professionals' issues as well.

But the other service has kind of taken hint from this. They have a program now, if you civilian Degreed or otherwise, it doesn't matter, O O J T certifications time and service, doing whatever you've done for pick a company allows you to apply that skills over to an officer candidacy program now. So bonus points for the military, they're already trying to address it through that similar route that you just mentioned.

On the flip side, I agree, I hope we're able to do things from a non-traditional perspective and an education path and then different topic, different day. But yes, thank you. Tony, 

your 

Tony: thoughts? . I think that there's, there's a ton of good ideas. One is you know, not every job in the cybersecurity spectrum here need, you need to have a four year college degree for, there's plenty of examples of people who are highly skilled at the things that they do, don't have, you know, a four year college degree.

And so I think there's broad recognition that, you know, we could expand the workforce if we just dropped that requirement at least for some jobs. Yeah, Alana mentioned another one, which is we really need a diverse set of capabilities that also have some cybersecurity skills. You know, there's no better person in cybersecurity who has this blend of knowledge about his particular space.

And has some cyber securities skill skills. If you're in the oil and gas industry and you know a lot about how it works and have cyber skills, you're gonna be a better protector in that space. If you're in the art world and you know a lot about that, you're gonna be a better cybersecurity professional if that's what you are you know, trying to protect and so on and so on.

So I think that's important, but this strategy also doubles down on some other efforts that have been launched, but haven't scaled big yet. Things like scholarship for service and other programs like that, that I think ultimately could have a you know, better than just. You know, organic sort of effect on, on improving cyber skills.

And I also want to give a shout out to some private or efforts or nonprofit efforts. The the Girl Scouts do a phenomenal job of getting young girls interested in tech and and a part of that is cyber stuff. And you know, every chance I get, I, I wanna shout out, you know, to the leaders of that organization for not only doing that, but scaling it big across their entire organization.

So, hopefully in a few years we've got a bunch of, you know, women in the workforce who got interested because they were Girl Scout and, you know, could then You know, have a great career in what I think is one of the fastest growing professions on the planet right now. So, here, here, 

Neal: that's awesome.

Anecdotally there's here in San Antonio area, there's we have the Cyber Patriots thing just in general. That's not just San Antonio, but we have the Cyber Patriots program. And I can't remember if it was this past year or the year before, but the middle school club that won came outta here and it was an all girls team who got their start as a group in the Girl Scouts program and then transitioned to Cyber Patriots.

So yeah, wonderful program for sure. On the last pieces here, so a couple of last quick questions for y'all. So, you know, we, we think about. The, the crux of the new strategies, we think about what it takes for private sector to really rationalize what's going on and unpack the, the bigger picture of what that means for them to do business with the government or with anyone for that matter, long term, especially the larger companies that are getting involved.

So for just maybe one or two quick things around, you know, what you think the best place to get started in implementing this idea, or at least learning more about the construct in a consolidated fashion to get to approach it easy. And then last but not least, you know, what do we think as far as going through that implement implementation piece that they might need to consider from, from a compliance perspective with this piece?

Well, like the highlight reel for what those big pieces might be for them. So getting started, where can they maybe kind of poke and part of what should they consider? And then as part of that consideration, what are some of those key requirements and recommendations as part of that?

Tony: I, I think in every. Significant metropolitan area. You'll find groups of people who get together whether it's industry oriented or geography oriented who, you know, provide forums where you can engage and find other like-minded professionals. Every city I've worked in Seattle and Detroit and DC and LA and San Francisco, and every one of those communities has had a group of people, whether it was CIOs or CISOs or what have you, who you could get together, learn from others, understand, you know, what the trends were.

And it was a great way of both learning and also engaging. So I would, I would recommend that. Number one, if you're in the private sector, you know, find birds of a feather in your industry or your, your geography. And then study, you know, there's plenty of material now available not coming just from the government, but from lots of other sources.

And so school up, learn and engage would be my advice. 

Ilona: I think the question was how do you sort of. How, if somebody wants to learn about like, what's coming, how do they figure that out? And, and those are all really good mechanisms to figure out what's going on in cyber generally, but let's be frank about where we are with respect to the strategy and its implementation.

Sure, there's a lot of stuff in here that they have already the authority to do, but immediate with no coincidence that immediately following the strategy the president proposed his budget and a, you know, $1 billion increase in cybersecurity funding or a, like a 13% increase. And so that now goes to Congress and it will be up to Congress to decide how much of this strategy becomes action in some ways, because you know, they have the potential to either.

Push forward and make cyber a national strategy, national priority or not, depending on how they fund it. You know, so I would say look there for the next critical piece with respect to implementation and just how much of this will be able to accomplish. 

Neal: That's a fair call out on the budget. You can write whatever you want down on paper, but if you don't put people behind it to implement it, what good does it really do?

Yeah. My old 

Ilona: habits die hard as like former O M B General Council. Cause you know, , it's all about the money. 

Neal: So I mean, those are good points for sure. So I mean, that kind of wraps it up on the bigger questions that we had at, at large. So, you know, are there any safe rounds on this? Anything that y'all would like to call out a little bit additionally in regards to this?

Anything else in specifics outside of this even that y'all think may have impacts on the discussion today? Maybe Alana, if you want to lead us off on closing out and then we'll, we'll get Tony and then I'll, I'll see if Elliot's chomping up a bit to say anything else. Finally, , , 

Ilona: You know, we've covered so much of it here.

Just the, the strategy itself, the effort that went into creating it, the alignment that the government would've had to find in order to ensure that they could put out a document like this. And then of course, the, you know, what's coming next. So it'll be, it'll be really interesting to see you know, just how much of this will be able to accomplish.

I know, I know that it will. I know that the resources are like, All the resources that they can muster within the administration seem to be you know, focused on actually delivering the strategy. And so, you know, one can only hope that there's no sort of partisan approach to this on the hill and that they'll be able to, to fund all these important strategies.

Neal: Fair. Tony, how about yourself, sir? 

Tony: Well, let me jump on the OMB bandwagon a little bit. , . Cause we both spend a little time there. I think there's two damaging things that happen. One is every year when we have a cr it freezes everything in place and really prevents progress being made. And so we, we gotta get to a world where we have budgets, you know, that agencies can count on and they know what they can do.

You know, during our time we helped create the technology modernization fund. Which is a not tied to the annual budget cycle so much and can be used to fund projects that span across multiple budget years. And I think we need a cyber fund. I love the fact that there's a lot more money proposed to put to this but if it's tied to the normal budget cycle it's, it's not as effective.

So we need to have a more strategic view of how we invest in cyber across the federal government. And that's gotta be more like we would invest in a major weapons program or a, any other major infrastructure upgrade. And it just can't be the You got it today? Oops. We're gonna pull the rug out from under you.

oh, here it is. Hurry up. You know, go do it again. Kind of thing needs to be more enduring. So, you know, write your congressman talk to them and tell 'em how important that is. 

Neal: Awesome. Well, hey, you know, like I said, we're up on time. I'm gonna throw back over to Elliot in about two seconds, but thank y'all once again for, for the conversation.

Thank y'all for taking time out of the day to put up with us and our wonderful technology failures to get us moving. But we got there and hopefully we get to hear back from y'all again, you know, in the future for some more fun stuff. Elliot, I'm gonna punt back, back over to you, sir. Thank you. Yeah, 

Elliot: you actually just did my job and saved me a little extra dry mouth for the day, I suppose.

But just building on what Neal said, thank you all so much for being here, Alana and Tony. Your experience being in those shoes and now being in the private sector and kind of back and forth just having that information out there is absolutely important for everyone to understand the scope and the magnitude of this project and how much goes into it, and of course how it impacts all of us on a regular basis.

But that is all to say. Again, just thank you so much for being here and sharing your expertise. We really do appreciate it and I think it's incredibly important for people to be able to hear this kind of information directly from folks with that kind of experience. 

Ilona: My pleasure. Thank you so much for having us.

Discussion about this podcast

Adopting Zero Trust
Adopting Zero Trust
Today, Zero Trust is a fuzzy term with more than a dozen different definitions. Any initial search for Zero Trust leads people to stumble upon technology associated with the concept, but this gives people the wrong impression and sets them off on the wrong foot in their adoption journey. Zero Trust is a concept and framework, not technology.
We are on a mission to give a stronger voice to practitioners and others who have been in these shoes, have begun adopting or implementing a Zero Trust strategy, and to share their experience and insight with peers while not influenced by vendor hype.