Speaker 1 (00:03):
Welcome to HSDF THE PODCAST, a collection of policy discussions on government technology and Homeland Security, brought to you by the Homeland Security and Defense Forum.
(00:12):
Today's program is the second in a three-part discussion on protecting US supply chains, securing critical infrastructure, and creating a culture of cybersecurity in America. Featuring Tom Fanning, chair, Cybersecurity Advisory Committee at CISA, Eric Goldstein, executive assistant director of CISA's Cybersecurity Division, Bobbie Stempfley, vice president at Dell Technologies, and moderated by Luke McCormack, former CIO, Department of Homeland Security.
(00:40):
This program was recorded in conjunction with the HSDF policy symposium, the Evolution of Federal Cybersecurity, on June 21st, 2023.
Bobbie Stempfley (00:49):
In that context, one of the things that is incredibly important and we've made a ton of progress on is getting to more common taxonomies. When I go way back and look at the arc of cyber policy in this nation, when we started in the early days, this was a technocrat, a technology oriented activity. I have the advantage of being one of the CIOs on the panel here, so not a dead-end job, although, I can see that-
Tom Fanning (01:22):
I was going to point that out and reveal that, at least.
Bobbie Stempfley (01:25):
Yeah, exactly. But one of the challenges we had as CIOs was understanding and speaking in business language. That was in the early days of information management and other items. The security industry had the same problem, and I think the big transformation we've made in the last four or five years is recognizing it as an economic problem of incentives, not a technology problem. We're not going to engineer our way out of it. We need organizational agility, we need individual agility, we need collaborative agility in order to do these things, and so I think that language becomes an incredibly important element of it for us to be successful.
Tom Fanning (02:07):
The irony of my joke is I'm a former CIO.
Bobbie Stempfley (02:10):
There you go. See, I love it. So there was a question-
Tom Fanning (02:16):
Financial incentives... From a corporate CEO standpoint, value is a function of risk and return. I'm talking about stock value. And one of the things you must realize is we have a fiduciary accountability to understand this risk. This is something we used to pass off to CISOs or CIOs or something else. This is a board level, CEO, CFO problem, and we have to own that. More and more CEOs are now waking up to that reality. We used to like to give the government the Heisman, right? And now we know that because these battles are happening on our networks right now, that we have to embrace the collaboration we get in the joint collaborative environment and all these other places.
Bobbie Stempfley (03:00):
And we have to have a language about risk that enables us to have that conversation.
Tom Fanning (03:05):
A hundred percent.
Bobbie Stempfley (03:06):
And that's the piece that I see a lot of innovation happening around now, right? Risk and measurement. Those are the next steps of the maturation as an industry.
Tom Fanning (03:18):
Langevin and I at Solarium, Jim, remember we talked about creating a regulatory mindset where it becomes part of your control environment. You've got to be able to demonstrate that you have adequate protection, including tone at the top and culture, in order to address these issues. This isn't a technical problem. Technical is at the heart. It becomes a cultural, corporate valuation problem.
Luke McCormack (03:44):
So let's pull on that a little bit since we do have a CIO / now CEO in the room. Two to three years ago, you were having these conversations with your colleagues. Now you're having these conversations post-SolarWinds and some of these other things. What's changed in two to three years? How do those conversations look now compared to... Of course, the people will remain nameless, but we're curious.
Tom Fanning (04:13):
It's way more than two to three years ago. Let's go, gosh, I don't know, eight years ago.
Luke McCormack (04:18):
Let's go 10 years ago.
Tom Fanning (04:19):
Yeah, something like that. Look, there were a lot of people that said, "Don't bother me," and a lot of people's stock valuation was getting product to market. They worried about the sanctity of their product after the fact, and there was no way to sense whether the system they were putting in place had some sort of continuity of protection, because we know that it's almost like the lava lamp of the sixties. Now, I'm showing my age, but the threats always change, the surface of attack always changes. And so we always know that a widget can't get UL certified, if you know what I mean. The process of protection must be the issue of certification. How are we going to renew the effort to make sure that what we have is safe? That is a key issue in America.
Bobbie Stempfley (05:11):
I don't disagree with you but I think the maturation we need is to understand the technical controls and have greater business controls, because at this point, the control environment is all at a very low level in the enterprise. And so if I were to come to my CEO and say, "I've complied with technical control PO.3.4," that doesn't help us. But if I come to him and say, "I have secured our engineering infrastructure sufficient against supply chain attacks 1 through N," that's a different meaningful conversation, and so we have to make that transition.
Tom Fanning (05:56):
Yeah, but you just hit a hot button of mine and it is this: you can't regulate your way through this issue.
Bobbie Stempfley (05:59):
I agree with you.
Tom Fanning (06:00):
Regulation by its nature is defensively oriented. Any successful company is offensively oriented.
Bobbie Stempfley (06:06):
Agreed.
Tom Fanning (06:06):
Regulation says, "I will comply." It is by its nature in the rear-view mirror. It always looks back when it said, "You must do this." As an aspirational behavior of corporate America, we must not look backwards or comply. We must think about what is ahead and skate to where the puck will be.
Bobbie Stempfley (06:26):
Absolutely.
Tom Fanning (06:27):
If we limit ourselves by just complying, we will be doing an enormous disservice.
Luke McCormack (06:34):
Eric, I want you to weigh in on this, where CISA fits in this model and what they're doing to encourage this community to collaborate from a volunteer perspective versus a regulatory perspective.
Eric Goldstein (06:51):
So a few thoughts. First of all, on the collaboration front, we have to show shared value. The only way to get an organization to engage with the government... Engaging with the government is never perceived as cost-free or risk-free. There's always some perception of marginal risk or marginal costs. We can get all the authorities we can to drive that risk to as near to zero as possible, but both I and our directors spend time in the private sector. We realize very well that that risk will never get to true zero.
(07:22):
And so the only way to incentivize that collaboration is by showing that the value exceeds the perceived risk, and that's why the work that we have been doing with JCDC is designed to say, "You don't have to be here. We want you to want to be here, because by being part of this process, you are going to get insights, you're going to get relationships, you're going to get partnerships. You're going to get visibility that none of us, no matter how mature, how capable, how broad, could achieve alone." And the more that we can publicly articulate that value proposition, that makes it easier for operators, for CISOs to go back to their businesses and frankly, go back to their attorneys, to go back to their counsel and say, "Listen, we understand that there may be some perception of risk here. Be that as it may be, the benefits far outweigh any potential risk."
(08:13):
On the regulatory front, I think Tom frames it, as usual, extremely well. Our goal is to make sure that we have a clear understanding as a community, and also as Bobbie well noted, about the necessary technical and business controls that as the threat evolves are most effective, that drive investment in the right areas and are responsive to where the technology and threat environment are going.
(08:39):
And then ideally, we will see a business imperative to invest in those prioritized controls, whether or not they are mandated. And what we want to drive is that agile security behavior where organizations are continuously testing themselves against what we are seeing in the threat environment and investing accordingly. And whether or not there is a regulatory floor, we never want that floor to eventually be the ceiling, and so making sure that we are continuously improving our game, recognizing that the adversaries are doing the exact same thing, that's the only way that we'll stay ahead of the threat.
Luke McCormack (09:13):
Tom, I want to ask you about the CSAC and your role there, and if you could for the audience, explain what is the CSAC? What is your role there?
Tom Fanning (09:23):
Cybersecurity Advisory Council Committee. I don't know what it is.
Luke McCormack (09:28):
Something. It's a C.
Tom Fanning (09:28):
Yeah, it's a C, corporation. Look, it's a group of individuals that are so talented, it's an embarrassment of riches in the world, but these folks are broken up into six subcommittees that attack both the what and the how of helping CISA undertake its mission. It goes all the way from transforming the cyber workforce to ideas like defining cyber corporate responsibility. In a broad sense, cyber hygiene, creating, I think a national alert system. So I chair the CSAC. I also chair one of the subcommittees and it's the critical infrastructure, as you would expect, subcommittee where we're trying to build resilience.
(10:23):
When I think back to the original output of the Solarium Commission, I commend you to read the executive summary. It's not bad, 75 pages or so, but there were three big outcomes that we focused on. One was to use all of the powers of state to create a sense of cyber responsibility among and between nations. The second was to create recommendations that would deny the benefits of an attack by our adversaries. And the third was to unleash the power of the United States when attacked to increase the consequences to the attacker. And I think if you look at those three things, those are all kind of inherent, although the second one is most important, to this idea of hardening the infrastructure. What can we do to be more efficient, more agile, more proactive, more aspirational in terms of our behaviors as a private sector with the government?
Luke McCormack (11:29):
And I believe 29 recommendations out there, that CISA has pretty much agreed on most of those and is in the process of implementing them and I would encourage you all to read those.
Tom Fanning (11:42):
And didn't agree with all of them, only because CISA has to deal with the current state. There are changes in law. There are things that we should do as a nation to make ourselves even safer. Well, CISA can't take responsibility for that, but as the private sector, as our committee, we'll go ahead and recommend those anyway. That's a job for the next administration and the next year and et cetera, et cetera.
Luke McCormack (12:09):
Sure. I'm going to rewind a little bit. Bobbie, you did reveal that you were a CIO once upon a time.
Bobbie Stempfley (12:16):
Once upon a time.
Luke McCormack (12:18):
And you're really in a unique situation because of that role, the roles that you played at what was, prior to CISA, NPPD. You spent a lot of time over there in different roles, a variety of roles in the private sector. Let's just get a current definition of ransomware and why is ransomware so prevalent these days? Weren't we getting tipped over 10 years ago? What's changed?
Bobbie Stempfley (12:45):
Oh, gosh. So remember I said that we recognize this as an economics problem? Our adversaries recognized this as an economics problem long before the technologists did in this space. They went where the money was. Ransomware is a manifestation of their following the money. Think about it... I find it shocking that I would need to define ransomware to a group of individuals, but in case you don't know, think about it as an adversary getting access to your network and holding something of yours of value hostage. They encrypt it for you, you can't get access to it, and then they ask you to pay to get it back. But they're also very happy and very likely to either not give it back to you or to release it out onto the web anyway. So it's all about getting money, right? That's what it is.
(13:37):
And the incentive structure in this world, because software is everywhere, because we are happily interconnected, because we have holes in many instances in the bulkheads that exist throughout the world, because we have folks who can have high end mature security programs and those who don't have high end maturity programs, the ability for this to be pervasive is substantive. And the anonymity on the part of the adversary makes it a low cost, high payoff activity. This is sort of the contribution, so why wouldn't this be a thing that occurs?
(14:20):
And there's been an awful lot of work being done at the technical level, at the inter-organizational level between government and industry, at the international level to affect all parts of this problem. It's been recognized as an ecosystem set of activities where government has a variety of roles from law enforcement and investigation, and I think even the JCDC's involvement in that space. There's treasury involvement and others in order to try to impact the financial benefits of it. And there's a lot of technological components that are in place to try to identify these infections very early. And a lot of business focus on business continuity and resilience such that when it occurs to someone, you can come back from it in a rather rapid manner.
(15:14):
Unfortunately, it is a sophisticated... Whereas a specific event might not be sophisticated, the response required to change the dynamic requires the whole ecosystem to do something and to pull in the same direction. And so I'm actually really pleased with things like the Ransomware Task Force, with a series of international conversations around it that have really made a difference. A number of industry partners have really stepped up in terms of ransomware detection in their activities. There's an entire set of cyber resiliency tools and technologies that are out there that help organizations buy down the risk.
Luke McCormack (15:51):
And why don't we... Go ahead, please.
Bobbie Stempfley (15:55):
No, please. But if you talk to CIOs and CISOs, their data, they recognize this as a substantive risk for them and they recognize their data as having immense value, and really are in the process of undergoing what workloads are more important than others as they're trying to roll out their own internal business continuity activities in light of this threat model.
Speaker 1 (16:21):
Thank you for tuning in. You can follow HSDF THE PODCAST on every major podcast platform. Visit hsdf.org to learn more about the Homeland Security and Defense Forum and HSDF THE PODCAST.