Reimagining Cyber - real world perspectives on cybersecurity

Cyber Life Cannot Be Attached to the Whims of Politics - Ep 48

December 28, 2022 Reimagining Cyber Season 1 Episode 48

"The major issue that we typically have is on The Hill. For years, we've seen bills coming out, which specified a direction of left or right or up the middle, and nothing happens. That leads a lot of us sceptics to believe that people on The Hill who are being funded by the largest tech companies don't move because it's not financially viable for their future campaigns. Our cyber life cannot be attached to the whims of politics. "

Rob and Stan are taking a well-earned festive break; they'll be back in the new year.
So we've decided to do some Christmas re-gifting and dust down a terrific episode from a couple of years ago.
It features Michael Echols, CEO of MAX Cybersecurity, LLC and author of 'Secure Cyber Life: The Government Is Not Coming To Save You'.
As you will hear, Michael is passionate about his subject and has conclusions that you could find rather disturbing.
In other words, perfect for a podcast episode.
Do share the Reimagining Cyber podcast with those who you think will find it useful, and if you use Apple, leave us a review. It really helps spread the word.
We'll be back in 2023 with more great guests.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com


I'm Ben, producer of the Reimagining Cyber podcast.
Rob and Stan are taking a well-earned festive break; they'll be back in the new year.
So we've decided to do some Christmas re-gifting and dust down a terrific episode from a couple of years ago.
It features Michael Echols, CEO of MAX Cybersecurity, LLC and author of "Secure Cyber Life: The Government Is Not Coming To Save You".
As you will hear, Michael is passionate about his subject and has conclusions that you could well find rather disturbing.
In other words, perfect for a podcast episode.
Do share the Reimagining Cyber podcast with those who you think will find it useful, and if you use Apple, leave us a review. It really helps spread the word.
We'll be back in 2023 with more great guests.


Michael Echols:

Cybercrime has reached a level that we could have never imagined, and this world is becoming digitized, and we are becoming more vulnerable every day. With all of that being said, I'm in Washington, DC.  I can get on the bus, I can go 10 miles around the city. I can get on the Metro; I can go into any building in the world's most powerful city, and there is not one sign that tells you that you should be digitally secure.


Rob Aragao:

Welcome to the Reimagining Cyber podcast, where we share short and to-the-point perspectives on the cyber landscape. It's all about engaging, yet casual conversations on what organizations are doing to reimagine their cyber programs while ensuring their business objectives are top priority. With my co-host, Stan Wisseman, Head of Security Strategist, I'm Rob Aragao, Chief Security Strategist, and this is Reimagining Cyber.

 

So Stan, who do we have joining us for this episode?

 

Stan:

Our guest today is Michael Echols. Mike is a senior cybersecurity executive and critical infrastructure protection strategist, working with corporate leaders and government officials to make the nation more resilient. He's leading a revolution to stand up and support information sharing and analysis organizations, or ISAOs.

 

As such, Mike leads a global effort to harmonize cyber threat information sharing. While serving in the government, Mike managed cyber resiliency programs for the US Department of Homeland Security while assisting in the advancement of risk reduction, and as the point person for the rollout of President Obama's Executive Order 13691, Mike developed a national program for ISAOs.

 

He also released a book in 2020 entitled 'Secure Cyber Life: The Government Is Not Coming to Save You', which is pretty ominous.

 

Rob:

So Michael, one of the things I think would be interesting to share with the audience is what happened post-9/11 to where we are now, that journey that we've been on.

 

What's driven you to lead the creation of the ISAOs? Just walk us through that timeline, if you will.

 

Michael:

Sure. 9/11 occurred and the nation was awakened to the fact that critical infrastructure protection is incredibly important. We saw three planes, I believe, go down, but that event affected the financial stability of the nation. And so we moved towards strong public-private partnership because the government realized they could not protect everything. So they needed critical infrastructure owners to do their part in using good risk management techniques. So around 2005, you saw the development of the National Infrastructure Protection Program. Following that, you saw the development of a National Response Framework. That's how government and industry will work together to respond. A couple of years later, there was a National Cyber Incident Response Plan. That response plan shows how government and industry work together when there's a major national-level cyber event: how they can scale up, who's in charge, how things work, and then how we go back to steady state and scale down. Around 2013, one of the lessons that we learned from 9/11 was employed. After 9/11 we gave out a lot of grants to states, localities, corporations and private sector organizations to implement resilience programs, one such being radio interoperability. What happened from those grants was that even when the government gave out that money, those organizations bought the same radio systems that didn't speak to each other. So one of the lessons for cyber was that if we start giving out a bunch of grants for cyber, then as the adversary matures, that money would just have been wasted.

 

So the government took a tack and admitted, I believe, that the government can't save you. Essentially, the government started producing risk assessments that everyone could use. Hence, the NIST Cybersecurity Framework was developed. It's a tool that allows any organization to use it as they see fit to develop their risk management strategies.

 

Following this, the government developed a process called ISAOs, Information Sharing and Analysis Organizations. I led that process, and what that allows you to do is that any group of organizations or trusted partners could come together, share cyber threat information with each other, and have a relationship with the Department of Homeland Security if they chose to.

 

And as we roll now to 2021, the realization from all of that over the last 19, 20 years is that we've had time to adjust and adapt, and 20 years in cyber time now, in the hacker world, has turned into about three years. We are falling behind. The exploits are getting more sophisticated. A lot of the tools that are being created and sold, from which organizations are making billions of dollars, are not effective.

 

There has to be a holistic approach to risk management. And this is not a government affair. It is a system, community affair, much like responding to a pandemic. 

 

Stan:

So Mike, it looks like the Biden administration is taking cybersecurity very seriously. They seem to be putting in some good leaders. Do you like what you're seeing so far? And going back to one of your passions, the ISAOs, do you think they'll have an expanded role in that public-private partnership?

 

Michael:

Yes. I think one of the benefits of the Biden administration coming in is I'm seeing a lot of familiar faces, people who've done a lot of the hard work and a lot of the hard research to put the NIST Cybersecurity Framework in place, to put ISAOs in place. And so they know the importance of moving quickly. They don't have to come in and study and learn. They know what's available. They know where the holes are. To give credit to the Trump administration, one of the things that they did was to put an executive order in place that said there has to be an assigned risk manager for every federal agency, meaning that someone is responsible.

 

And as obvious as that sounds, that sort of thing was not in place previously. So, if you add what the Obama administration did and the things that the Trump administration tried to do, I think we're in a good place now. The major issue that we typically have is on the Hill.

 

For years, we've seen bills coming out which specified a direction of left or right or up the middle, and nothing happens. That leads a lot of us sceptics to believe that people on the Hill who are being funded by the largest tech companies don't move because it's not financially viable for their future campaigns.

 

Our cyber life cannot be attached to the whims of politics. 

 

Stan:

Do you think, though, following the SolarWinds attack that some areas like supply chain may be addressed by legislation? 

 

Michael:

I'm sure you hate hearing a question answered with a question, but did the OPM breach change anything?

 

Stan:

 It did not. 

 

Michael:

So I had the opportunity to speak to a top-three NSA person a few years ago, and I asked, "Hey, we're always talking about this Pearl Harbor event for cyber."

I said, if I had asked you the day before the OPM breach occurred whether you thought that 21 million records of cleared individuals, their families, their personal records, our partners in other countries, military, police, law enforcement at the federal level, if we thought that was going to occur, wouldn't you consider that a Pearl Harbor event?

 

And he wouldn't answer the question. And so to me that says that we keep moving the bar forward to accommodate our not being ready to do what we need to do. So SolarWinds comes along. Probably the thing that will help with SolarWinds is it doesn't seem to stop. Every two weeks we hear about something else related to SolarWinds, right? We have no grasp on how wide it is or what the long-term damage is. And I think that will be the motivator.

 

Rob:

Mike, as you've just stated, and as you call out in your book pretty clearly, organizations need to take the proper steps to protect themselves, right?

 

And the point I'm making is, as you've made, we can't rely on the government, nor should we really. There are some benefits that we hope could come out of there, but time is passing us by. We can't just sit back, if you will. You've talked about the importance, which I completely agree on, of collaboration, so threat intelligence sharing and the ISAOs and the value that they bring.

 

Looking beyond the threat intel sharing capabilities that we now have out there, what else are you recommending? What else are you actually starting to see that's making a difference?

 

Michael:

So I am saying that we should assume the worst. I'm also saying that you should not say you're doing cybersecurity if you are not able to understand the vulnerabilities, see the threats, and to measure or understand the consequences.

 

When I give speeches, I talk about how cybersecurity is actually just a buzzword. It's risk management. If we were in a country where the government told you what to do, what hardware to use, what software to use, cybersecurity would mean something. In this continuum of a free society, we get to make choices, right?

 

Based on what we perceive to be at risk. Risk management is you understanding the vulnerabilities, the threats, and the consequences, and then making a decision about what's important to you. This is why government intervention becomes so important. We like to take the word standards and relate it to regulation, and that's why nothing happens.

 

Organizations, companies do not want regulation, but in some cases we have to have standards. If I'm at my house using my hair dryer in a 110/120 outlet, I can go to your house and plug that same hair dryer in. We have to have some level of standards to assure that we can get to a place where, when I'm doing my risk assessments to understand the consequences and you are doing yours, and we are in an interdependent digital society, we're on the same page.

 

That's what's missing. 

 

Stan:

So Michael, just to follow up on that: the standards lay that foundation, right? Let's face it, they are not necessarily able to keep up with the latest threats. That's why you also augment that, I assume, with the ISAOs, right? That you have then the threat intel sharing to also give you that insight into what else is happening with the threat actors.

 

That if you have to augment that foundation laid by compliance to standards, then you need to take that action. Correct? So is that a way of then managing that risk?

 

Michael:

So here's what's so important about the concept of ISAOs. The ISACs have been around since 1999. Financial services were the first, and the idea was that we bring together these like critical infrastructure entities and they can share information and reduce risk.

 

Share information with trusted partners so that we don't have to continuously try to come up with new regulation that hurts industry. What we found over time is that, of the 8 to 10 ISACs, it becomes like a club, right? The biggest, the wealthiest organizations all participate. They share and trust with each other.

 

That's not the way America works. America works in the communities, right? We saw that with the pandemic. And so the ISAO concept allowed any group, regardless of what sector or sub-sector they're in, as long as they trust each other, and as long as they're participating in the process of sharing cyber threat information: if something happens to you and you're one of my trusted partners, it should not happen to me, right? That limits cascading effects. The way things are set up now with the ISACs, which are very effective, they work across sectors: energy sector, financial sector, telecommunications. What happens is that as they are sharing information with each other and they're putting mitigations in place, that does not mean that the rest of society is not going to get wiped out.

 

Stan:

How have you overcome the typical "I'm willing to consume and ingest threat intel information, but I'm unwilling to share"? How do you encourage that bidirectional sharing?

 

Michael:

Value. So everyone has to see value in what they are providing. Meaning that in some organizations, ISAOs have set themselves up like this: in order to receive, you've got to contribute, right? And so there has to be an ecosystem set up that is based on that premise. I think the way that we did things originally, as a forerunner to all of this information sharing, we had to go through those pain points. At this point, it's time to rev it up.

 

Let me say, since I haven't been in the government, I can actually speak very straightforwardly and honestly, and that's the most important thing to me, right? It's the ability to say what needs to be said, right? And what needs to be said is we need cyber leadership. Leadership is when you stand for something and you pull other people in that direction, even though they don't understand at that moment. It may not be popular, but someone at a level that is consistent with what we consider a national leader has to start pulling people towards a certain direction.

 

Stan:

So, Michael, on May 12th, President Biden signed an executive order to improve the nation's cybersecurity and protect federal government networks. One aspect of that EO is the removal of barriers to threat intel sharing between government and the private sector. That seems in line with some of the things that you're trying to accomplish. Do you think the steps they're taking are going to help?

 

Michael:

Stan, an executive order does not define new law. An executive order is the implementation of the laws that already exist. So, when we talk about removing barriers, this is more of a social exercise. The government has to take leadership, and there has to be someone at the helm who gives instruction and makes sure that those instructions are followed. In 2015, there was an executive order that essentially said the same thing, where we are going to remove barriers to private sector information sharing, and it gave instruction to federal agencies about how they share with each other, making the NCCIC at DHS the hub of cybersecurity.

 

The main barrier has always been trust. The second barrier has always been where a company will say, if I tell you about an incident that has occurred that involves you, you could sue me to get the origins of that information, which puts me in jeopardy. Those acts back in 2015, supported by those EOs, essentially removed those barriers.

 

And I can tell you today that we have the same issue. So, it's a trust issue that the government has to find the leadership to move not only the private sector, but federal agencies, past.

 

Stan:

Understood. Thank you. And just in general, on the other aspects of the executive order, what are your thoughts about raising the bar of cybersecurity implementations and some of the examples they gave in the executive order? Do you think they'll be effective?

 

Again, to your point, it's not law.

 

Michael:

So essentially this leadership thing requires that someone step forward in an entrepreneurial way and tell everyone else where we're going. That someone is the government. Very amorphous. We need individuals who become the face of cybersecurity, who are pointing the direction in the same way that we've always had CDC leaders for pandemics.

 

One of the major issues that we have faced as a society is that when an event happens, we come out with a huge response. Cybersecurity issues and incidents and hacking and data exfiltration are occurring every day. We did not need Colonial Pipeline to make the government come together at the level of the National Security Council to come up with a set of activities.

 

These activities should have been pushed forward a long time ago. 

 

Stan:

Certainly, the Pipeline seemed to be the tipping point, but your point is it didn't need to be. We have enough incidents.

 

Michael:

That's right. So, it actually has an opposite effect. People tend to think that we're only doing these things because of SolarWinds and Colonial Pipeline, as opposed to this needing to be a way of life for us.

 

Our society is becoming digitized, including our identities. If we're going to move into this 21st century, we have to have a new approach to doing cyber and digital business. That includes protecting those systems and those assets, and of course, things like our privacy and our data.

 

Rob:

Mike, I think you're taking us right down the path I want to go next. That's cyber leadership, and that requirement and need that's lacking out there. And I want to tie it into some of the new work that you're involved with, specifically the smart city initiatives, and the one down in Jacksonville, Florida that you've been pulled into, which I think is extremely interesting. To me, it ties into the need that you just described: getting people to understand the need, the value of cybersecurity, getting them to understand why it's important to actually bake it into what they're trying to accomplish in this new smart city concept and where we're going in the future. I think it'd be great for you to share how you got involved first, but then also what it is that you're starting to influence there from a cyber perspective.

 

Michael:

Sure. In Jacksonville there's an organization called the Jacksonville Transit Authority. It is their citywide transit organization. And they had a requirement, or they put out a plan, to develop autonomous vehicle lanes. It's called the U2C project. This lane will go around the city on a straight couple of turns at first, but then they look to expand.

 

It's one of the first efforts like this across the country where you will have commercial vehicles that do not have a driver. So you can imagine the cybersecurity requirement for that, right? Health and safety and welfare. What becomes important here is that Jacksonville had the forethought to require this of the contracting companies (let's think about it: this is a big contracting opportunity that just happens to involve autonomous vehicle companies, right?). So, the bidders for this project were big construction companies. Cybersecurity is not their first thought. And so it allowed the opportunity to put cyber requirements on all of the vendors that are participating.

 

That includes the electrical companies, the ones that will build the networks, the ones that will even be doing the painting, right? 

 

Stan:

And that's the way to do it, right? You've built it into the contract language itself.

 

Michael:

But then additionally, it creates an opportunity to train the community, and the goal is to start to develop a culture of cybersecurity, not just for the community that will use the autonomous vehicles, but for the people that work at the transit organization who now will be responsible.

 

Some of these people have been working in transportation for 20, 30 years, and the idea is that we have to grow from the bottom up and not the top down, the way that we've been trying to do it. Now this coincides with another effort that I have: I've been working with HUD and the Department of Commerce to figure out how we implement something like this.

 

But we want to take all of these cyber programs, all of these things where training and risk management and protection of critical infrastructure happen, and move these programs, which do not even hit their endpoint in most cases. They're great programs, but they never reach the people that they're meant to reach in a lot of cases.

 

And we want to move those down to the local levels. So now we are building a culture of cybersecurity in communities, right? And now we start to solve problems that have been longstanding problems. How do you get more kids to be interested in cybersecurity careers? How do you do more training? How do you get senior citizens to know not to click on that button?

 

How do you get people who work in critical infrastructure to understand the importance of digital risk management? 

 

Stan:

Raise that bar of awareness, yes, across the board. Now, I was intrigued. You had an article back in May 2020 about taking what you're doing with the smart city technology as a way of also minimizing the spread of Covid-19.

I was really interested in that concept. Can you expand on that?

 

Michael:

Sure. So the one thing that this pandemic has done for us is it showed us clearly that the government is not coming to save you, and that there is a responsibility of businesses and individuals to do the right thing. In pandemic language it's good hygiene; in cyber language, it's good cyber hygiene and risk management. We are all exercising risk management right now. We understand the risk management that we are exercising for a pandemic because someone explains it to us every day on the television. You actually even see posters, signs when you walk into buildings that say you must wear a mask. You must wash your hands. Please do this. Please stay to the right. Please stay to the left. Let me tell you something very interesting, in all these years and all this discussion that we're having, and the fact that cybercrime has reached a level that we could have never imagined, and this world is becoming digitized and we are becoming more vulnerable every day.

 

With all of that being said, I'm in Washington, DC. I can get on the bus, I can go 10 miles around the city. I can get on the Metro, I can ride the train from Maryland to Virginia. I can go into any building, I can walk down the street on the most traveled routes in the world's most powerful city. And there is not one sign, there is not one piece of public awareness information that tells you that you should be digitally secure, that you should be practicing risk management.

 

And I can assure you that if a person is not thinking of those things and practicing those things in their private life, why would they all of a sudden start practicing those things or thinking about those things in your critical infrastructure environment? Not going to happen. And so we learned a lot about cyber from the response to the pandemic, and from understanding the human condition: what would a human do in this situation?

Rob:

Mike, that's a really interesting way you took that and how you connected the two. But the key that you've called out several times now in the conversation is changing that mindset, right? And driving the right culture, and driving it as far down that chain, if you will, of embedding it into just the way we normally think and how we're going to approach just taking care of ourselves.

 

If you will, our own physical aspects, and that translates into making people better overall in their cyber capability. I think that's quite an insightful aspect of it. Is there anything else that you wanted to share that looks at the point of resiliency and how we can all be better at thinking in that manner of being more resilient in and of itself, beyond being cyber secure? Being resilient because we have to just deal with these things as they're coming at us.

 

Michael:

Sure. The world that we live in, for safety, efficiency, effectiveness, is becoming more digitized. Everyone knows that. However, we are not making the assumption that the threats that go along with all of this digitization are consistent.

 

And for that reason, even people who may not have been affected by a cyberattack, by the loss of data, by systems going down, everyone: the number of potential victims grows every day, right? And so we are actually increasing the opportunities for cascading effects. The way that you limit that is simple awareness.

 

And people say, "Mike, what can I do about this?" It's not so much about what you can do about it, but just by being aware of all the threats that exist in your life, you have an opportunity to limit the consequences to you. And I'll give you a quick example. Just by understanding that Alexa is listening to you all the time; how else would it be able to respond when you call? It's listening to you all the time. Just being aware that when you have an alarm system in your house that has a camera on it, there's the potential that someone else could be looking through that camera, and not just the organization that you have a contract with.

 

Stan:

Mike, that's exactly what we saw with the Verkada hack as far as the cameras: 150,000 cameras, and now you don't know who really is behind them.

 

Michael:

There is a part of the training, societal training, that is missing in our quest to become a digital society.

 

Rob:

Completely agree. Completely agree. Mike, truly appreciate the time you've taken to share with us the work that you've done, the history, kind of taking us through what really accelerated things for you, right?

 

And where you are taking us next. So thanks for sharing with us today, Mike. Appreciate your time.