HSDF THE PODCAST
The Homeland Security and Defense Forum proudly presents HSDF THE PODCAST, an engaging series of policy discussions with senior government and industry experts on technology and innovation in government. HSDF THE PODCAST looks at how emerging technology - such as Artificial Intelligence, cloud computing, 5G, and cybersecurity - is being used to support government missions and secure U.S. national interests.
Defending Against Foreign Cyber Threats and Improving Cyber Situational Awareness P2 of 3
Today’s program is the second in a three-part discussion with government and industry leaders on Improving Cyber Situational Awareness and threats posed by China and Russia.
It features Riley Montgomery, from the FBI’s Cyber Division, Jason Kane, Office of Investigations at the U.S. Secret Service, Patrick Flynn, Advanced Programs Group at Trellix Cybersecurity, and David Aguilar, Former Acting and Deputy Commissioner at Customs and Border Protection.
This program was recorded in conjunction with the HSDF policy symposium, the Evolution of Federal Cybersecurity on June 21, 2023.
Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.
Announcer (00:03):
Welcome to HSDF the Podcast, a collection of policy discussions on government technology and homeland security, brought to you by the Homeland Security and Defense Forum. Today's program is the second in a three-part discussion with government and industry leaders on improving cyber situational awareness and cyber threats posed by China and Russia. It features Riley Montgomery from the FBI Cyber Division, Jason Kane, Office of Investigations at the U.S. Secret Service, Patrick Flynn, Advanced Programs Group at Trellix Cybersecurity, and David Aguilar, former acting and Deputy Commissioner at Customs and Border Protection. This program was recorded in conjunction with the HSDF Policy Symposium, the Evolution of Federal Cybersecurity on June 21st, 2023.
Jason Kane (00:46):
I mean, I think one of the parts is obviously there's an educational piece to it. I think where companies get a little lost is that we can't remediate your systems. We can come out and we can devise, but at the end of the day, we don't want to touch the systems at the end of the day. However, the educational piece, and the FBI does a great job at this, we do cyber incident response seminars twice a year where we invite different public sectors. We pick a sector, it might be healthcare, it might be educational, retail, what have you, to educate the public on. And two, not only educate, but then what do you do if it happens? That's the other part. I think that I'll bang the drum a little bit of, who do you call? And I always say, everybody goes, "Well, the FBI and the Secret Service, who do I call? Which one?" I'm like, "Just call somebody. We'll work out the details." And we're great at that.
(01:45):
Riley and his team up here and the Secret Service team in DC, there's no daylight between what we want as priorities, so we're synced as far as that goes, but educating the public on who do you call and what do you do? Then two, internally, and that's for you to do, for companies to do, like your general counsel, which is usually one of the biggest roadblocks, and to helping law enforcement, and then too, providing details for us to help in that for you. Pat's team obviously is a piece of that. When they see indicators, that might be the first indicators, because trust me, if they're calling, if Riley and I call next, it's a bad day, because usually when we're calling, we're seeing something way larger that we can't necessarily talk about, but we're telling you, you have a problem.
(02:32):
So the incident response part and then too, the educational part. Again, it's just making ... And two, what I get, and I think the overall theme though is companies have gotten a lot, lot better. I think that's based off a lot of the products that companies are now offering, full resource solutions to companies. And companies are enveloping that because they don't want to go bankrupt because some of these bad days, these ransomware type of events, they're really, really bad days for companies. So how can you resource that and make it a little bit more? And again, companies, private sectors answered the call there and says, "Hey, we have a full context here. We're going to add this product, we're going to add this product." And then two, now you're better protected. So we're seeing less of that. However, I'm still, and I won't testify for Riley here, but I know that I still get phone calls from companies and I'm like, "You don't have that," or, "You don't have that type of solution?"
(03:25):
And again, I'm not the person that's being critical. I'm just saying sometimes I want you to have that solution because it provides me indicators of compromise that I can dig into through our network analysis part. So those parts are incredibly important, because like I said, if you're not reporting, you've got to be a good witness. So sometimes that good witness part helps us go after and isolate who the bad actors are. Eventually everybody messes up and we were able to many times, and I'm sorry Lee, you've heard this one about 100 times, we can approach people while they're on vacation, which happens quite a bit, and we'll put some handcuffs on them. Because Russia and China, no one wants to vacation there. They want to go to the Maldives or they want to go someplace. Well, I'll give them a nice plane ride to Guam and put them in a federal courthouse. So, that always happens. That's how we ... Some of our success.
David Aguilar (04:14):
Thanks. Pat, same question to you. Building with cultural awareness and what do you see as the challenges?
Patrick Flynn (04:19):
I think I spend a lot of time really focusing on advocacy of being better aware, pushing your awareness way left of boom. I think in the cyber realm of things, especially at the SOC level, the security apparatus level, they're trying to put their finger in the dike too often and be reactive. My whole crux of why I even exist today is to help people left of boom and the more they realize and the more they actually utilize the information in front of them, to do real risk analysis, I think it would benefit everybody. It's just not the technology, but the time and effort you put into realizing what's affecting everybody, not just me, but other verticals in my same sector. I spend a lot of advocacy endorsing that way of thinking. That's what I'd like to see improve.
David Aguilar (05:16):
There you go. Well, the first time I saw this kind of presentation, one of the first things that came to mind was the old CompStat model. Basically trying to be predictive to the degree possible in order to take preventive actions. I'm going to throw this out to industry, and I don't know the answer to this, but an affiliation, a club, if you will, of industry taking a look at stuff like this and building that preventive capability, an association ... I heard it several times this morning or this afternoon, public/private partnership. This is going to be going on for forever. I mean, this is our world now. So might we consider doing something like that?
(06:01):
Now, having said that, there's two approaches in general terms that I think this is being handled right now. One is by deterrence policies. Basically, to me, that's a human factor. Teaching, training, informing, educating and instituting processes, that's one. And then there's the denial strategies. That's more the kinetic type response to when something is happening. Let me start with Jason here. Is there a preferred model, and if so, why? And if not, beyond those two, what do you see, the human factor and then the kinetic industry supported, Trellix supported efforts?
Jason Kane (06:46):
I don't think you can isolate one. I think all of these pieces are ... The Secret Service is traditionally known for our protective methodologies for the president, vice president. That is done in a layered approach on purpose because if one layer fails, we have another layer to catch it. The resilience is built in. But there's sections of the pie there, there's a lot of different entities. That's also part of our cyber mission is where the president goes, what cameras are there? Who controls the elevators? Who controls the lights? All these different things. Layered approach. How do we defend against that and how's the best way possible? However, what I will say is we cannot do what we do without a full spectrum of capabilities, both from private industry, private sector, and again, our fellow law enforcement partners, CISA, you name it. Everybody helps us do what we have to do.
(07:41):
But those are all pieces of the pie that says Riley and I will be the guys that do the deterrence part. We'll go after them. Or the denial part. And then the deterrence part has to be another section, at least in my view, again, to make that full pie of the suite of options that fit. Trellix, again, would be a part of that. What am I seeing? Now that I see it, and we had this conversation in the back, what do I do about it? Now that I've seen it, okay, now what do I do about it? And then once I get hit, who's going to go after them? I think that's in line, not that it's done this way, but in line that's probably going to be how it works, except for probably somebody in here to the incident response, but then Riley and I are going to go put handcuffs on people.
(08:24):
That's how I see it as far as the pie. And again, it's not just one section. It's probably multiple tiers in that pie to make this work the right way. And it's tough because not everybody's always on the same page regarding what that should look like. I think there's a lot of great tools out there that help companies do this, and two, to help law enforcement as well. But always, one of the big problems we have is how do I make that work in a seamless transition? I don't think we're there yet. But again, because in 1996, it's not that long ago.
David Aguilar (08:57):
Yeah, not that long ago. Exactly. Riley, anything that you would add to that?
Riley Montgomery (09:00):
I think that every major cyber success that the FBI has certainly had has involved some type of partnership with the private sector. The nature of cyber is not one that is localized. It's global. So the FBI is taking, we're leveraging our partnerships with international partners, with private sector partners, and that's the only way that we can be successful. The FBI cannot do this alone. So if we don't have private sector, if we don't have cooperation from the private sector, we're missing a huge piece of the pie. I mean, as you see, the slides, that's stuff that is invaluable to investigators in the field, to have that visibility worldwide. And that really empowers us to take disruptive actions that prevent the activity from happening. I know something that was very public recently was the take-down of Hive ransomware; something that would not have occurred without cooperation from the private sector. So those things are incredibly important, and without it, we aren't going to get anywhere.
Patrick Flynn (09:59):
I think we couldn't do anything without public/private partnerships. And the three that I would mention are The Cyber Collaboration Center of the NSA, Morgan Adamski's folks up there, the JACTC within DHS, CISA. But more than anything, our relationship with the FBI has been critical, along with Europol and Interpol. We've been associated and working with them for 10, 15 years, longer than my existence in my current position. It's critical. But those organizations and the way they bring you in and the way they share information is second to none.
(10:46):
I remember in the run-up to the Ukrainian invasion before the Russians actually crossed the border, we were sitting up there, and from an indications and a warning perspective, they were enabling us to be more proactive. And we were also sharing information what we were seeing on the threat scape also. So without those organizations endorsing what you're doing, sharing information, and the way they share and the way they openly communicate is to be applauded.
Riley Montgomery (11:15):
I think that paints a very rosy picture, honestly. I mean, I would say these partnerships are incredibly important, but it's incredibly difficult for the FBI to share information back with the private sector, just because of the way we gather information, whether it's through legal process that is protected by a court order, there are things that we just can't share. So it's important to have relationships like that, where the other side understands where the difficulties are with us. If it were up to us, we would share everything, as long as it's a trusted relationship. So it's incredibly important, but at the same time, it's incredibly difficult too.
Patrick Flynn (11:50):
Sometimes we just do it on pure trust. We have to protect our customer's identity, period. But there's elements that we can provide them in a trusted framework where they can go off, like down in Charlotte or wherever, and they do what they do. We don't ask for anything back. We provide them what we're seeing, and we ensure that the privacy is there, protecting our customers, but helping them do their job.
Announcer (12:13):
Thank you for tuning in. You can follow HSDF the Podcast on every major podcast platform. Visit hsdf.org to learn more about the Homeland Security and Defense Forum and HSDF the Podcast.