HSDF THE PODCAST

Part 2 of 2: Enhancing Security and Resilience of Critical Infrastructure

Homeland Security & Defense Forum

Welcome to “HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum.

In this second of a two-part series, an expert panel with representatives from DHS, FBI, the White House and industry discussed the latest developments around Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), integration of cyber regulation efforts, and how agencies make decisions about what cyber threat information to share publicly without giving adversaries an edge.

Featuring:

  • Matt Hayden, Vice President of Cybersecurity Policy, GDIT
  • Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, Department of Homeland Security
  • Cynthia Kaiser, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation
  • Nick Leiserson, Assistant National Cyber Director for Policy and Programs, Office of the National Cyber Director
  • Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator)

This discussion took place at the HSDF’s Cybersecurity Symposium on July 10th, 2024. 

Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.

Audience:

Thank you. Frank Sandow from Microsoft. But this is more from a general public, citizen perspective. As you develop these policies and you provide critical infrastructure with these concepts about where the vulnerabilities are coming in, we develop policies of, like, maintaining basic cybersecurity across your organization. Do we need to establish disincentives as well? I mean, we have HIPAA, we have the SEC, you know, coming out now, but so, hey, it's been two years, you haven't solved these problems, now you've been attacked. We have this major incident within agriculture, just pick an industry, to say, well, no, you were aware of this. You know, DHS made you aware of this. You know, we had the policy that you had to maintain this, and because you didn't do these things, we have to now establish disincentives like HIPAA fines and what have you. Are these conversations also happening within, you know, your areas? That there must be a hammer somewhere as well, in the perspective that we have in the administration?

Nick Leiserson, Assistant National Cyber Director for Policy and Programs, Office of the National Cyber Director:

It's all of the above. So let me give you an example.

We're talking right now about healthcare, right? HIPAA is focused specifically on data security, focused on health records, electronic or otherwise, and there are conversations now about whether we can expand that to broader healthcare systems, because we know that, for instance, ransomware actors right now are continuously targeting the healthcare sector.

Tied into that, though, if you look at the fiscal year 25 president's budget request, there is a significant $1.2 billion investment for small, rural and critical access care hospitals, and that's kind of like you need some of both. You need regulatory requirements that come with some sort of consequence for not meeting the standard. We also need to recognize that, depending on which sector you're in and the varying levels of maturity, we can't just drop a bunch of requirements on a critical access hospital and say we're going to fine you for not doing this. Then we're doing the adversary's job for them, right? We shut down this critical access care hospital because they didn't have good enough cybersecurity, so that the adversary couldn't shut them down, which is completely antithetical to where we want to live. So you need the full spectrum of tools in the toolbox, and that does include disincentives as well.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator):

It's a good question. It's a complex problem that we have. We have a question over here.

Audience:

Thank you. What I wanted to touch on is the Quantum Computing Security Act; we know that was passed in '23. At the component level, I can tell you we have not heard anything about it. And I'm looking across here at the top echelon, here, and we always look up at the component level, the guidance is coming down. We know that.

So I'm trying to give you guys a real threat, because everybody I've talked to is always, well, when it'll happen, but we know that that threat is out there. What's the current status that you guys see, where you're at with it, and what are the plans to address it?

Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, Department of Homeland Security:

I think Q Day is real and that will be an issue in PQC. I think we've been very focused on this. We issued at DHS a roadmap through the secretary back in 2021, which is a roadmap for how we inventory our critical needs in terms of identifying what the encryption is and then, following NIST and NSA guidance, how we think about identifying and then making it quantum encryption proof. I think it is definitely a priority for us. We've been tracking it and we take it as a priority.

I also think that I recently had a roundtable with about a half a dozen quantum startups to talk about the benefits of quantum, because I also think that the quantum aspect is often talked about as a doomsday and, you know, in certain scenarios it may be, for encrypted security reasons. But there's also a big boon in the technologies. When you look at things like sensing technologies, you know, even in the DHS mission space, that provides a lot of opportunity, whether that's, you know, detecting tremors to identify natural disasters, for FEMA to be more proactive, or digging for underground tunnels at the border. I think those are all fascinating ways forward. So we definitely look at it from the preventative side of getting ahead of Q-Day, but also on the potential opportunity side, at least for DHS.

Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, Department of Homeland Security:

Yeah, I'll just jump in really quick. From the critical infrastructure side, you have the challenge that encryption is a layer of defense, so if an adversary bypasses a layer of defense and meets encryption, traditionally that's a warm blanket of okay, they can't do anything with what they have. Ransomware operators are collecting data, encrypted data, now to unlock later, and, as we all know, everything on the internet is forever, and so there is a need to get ahead of this in that decade range so that you do have encryption standards in place that still offer that shield and layer of defense, as opposed to, you know, oh, we have to have this in place now so that this operation can't crack our encryption in the future. It's really a necessity to move on.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator):

So Q Day is real, bottom line, and there is a tension on it. In sort of our last five minutes, I want to pivot a little bit here. We've talked a little bit about information sharing, but I don't think we've gone into it. The sort of collaborative defense concept, which is vital for critical infrastructure, the public-private sector collaboration, is great. The interagency collaboration, I think, is really great, and as the scope and scale of everything is changing, I think we need this more and more. Cynthia, would you like to talk a little bit? I'd love to hear about some of the lessons you've learned within your experience from the FBI. You touched a little bit on information sharing and sort of what works and what doesn't. Could you dig into that a little bit?

Cynthia Kaiser, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation:

Certainly. So I think, you know, when it comes to information sharing, the FBI is really focused on assisting victims and preventing others from becoming victims. But, you know, I think it's really easy to get stuck in a mindset of all warnings have to be new or complex, but really the majority of intrusions that are going on across the US are because of fixable problems that certain people just weren't tracking, and that's really why the FBI is committed to providing and proactively sharing as much information as we can, as publicly as we can, to include indicators of compromise or known tactics that adversaries are using, so that we can help aid network defenders in protecting their own systems and keeping their businesses open. I think a really great example of that is an alert that FBI, CISA and our partners published a few months back that talked about pro-Russian hacktivists' targeting of operational technology networks across North America and Europe. The mitigations we put in there included updating passwords from default passwords on your devices, implementing multi-factor authentication, and limiting OT networks from the internet.

These aren't new, right, and they're not necessarily all that sophisticated, but they're really important to still put out there, especially when we see adversaries using them to be successful, even if it's nuisance level on operational technology. And so I think, for the information sharing purposes, that's one of my biggest lessons of the last years that we've been doing this, that we've been increasing.

Nowadays I think you're going to see so many more industry alerts on FBI's Internet Crime Complaint Center, ic3.gov. I think there were over 40 industry alerts last year, up to over 30 this year, and really that's focused on the novel, the new and the used, and I think mixing both of those to really try to protect networks is part of being the best partner we can be. And I think that's also why it's really important, and we continue to emphasize: know and call your FBI field office before an intrusion occurs. Get to know people, know what we can offer in the middle of a crisis if you need it, but then also know how to just get useful information into your hands so you can really be in the best protection you can for your networks.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator):

Yeah, I think that's good. So, in our last few minutes, I want a lightning round this and I'm going to start with you, Matt, and we're going to work back this way. Two questions what's your prediction for 2025? And what's the one thing you want the audience to take away?

Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, Department of Homeland Security:

So for AI, for 2025, we're going to see a strength in the defender operations, because the big challenge we have right now is the turnkey from a malware operator getting access to your system went from years, weeks, days, hours, minutes, almost instantly. So if you have a vulnerability, that door is open. They went from having a strategy of how to deploy to acknowledging the deployment hit almost instantaneously. So having those defenses work at that pace, at that speed that, candidly, humans can't hold, is going to be the strength that we're going to see in 2025, because the bad guys are using similar tools, but their defense tools aren't, candidly, as mature as some of our offensive stuff. So we have the ability now to get a defender's advantage, and I think that may not last long, but it'll be 2025, so we better take advantage of it. What I would have the audience take away is, especially from the critical infrastructure and industry side:

Working with government has been an increase and it has been advantageous, but there is an expectation that none of these attempts that the government or industry figures out bad guys are doing is going to work twice without a mitigation in hand. So, yes, there are going to be those that don't patch. There are going to be those that have challenges, with nation state adversaries advancing very expensive things, but we're in it together as a community to say, okay, if something happens in any part of the world and any of us know about it, we can't let that happen twice, at least without being very noisy about it. And there's been a great increase in government. So I applaud all your efforts. You've been doing very well, and I will also say industry has been leaning in, even pre-CIRCIA, into sharing that information to make sure that that outcome, that goal, hits on those marks. And so that's where we really have to see it, and the prioritization of, by the way, we told you that this mitigation was bad and it's accelerating, you have a wildfire moment, get after it, is also very helpful.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator):

Ranga.

Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, Department of Homeland Security:

So I think, staying on theme for 2025, I predict our ability to promulgate a final rule on CIRCIA and really get that, and I'll pass myself to abiding by the timelines in law. So I predict that, and I'm optimistic that that will be a boon to everyone on the stage and everyone in the room, and our ability to implement it will really be a helpful resource for everyone. So that's kind of what I'm looking forward to the most in 2025.

In terms of AI, I think I agree with Matt. I think I've really already seen some really interesting tools, not just on the defense side, but I guess I'm really optimistic that it will raise the tide of sophistication and of defenders, like particularly just very mundane things like SOC analysts and people sitting in SOCs being able to manage and have support to identify and triage the highest order tickets and really streamline a lot of the really mundane tasks, allowing them to have more space to do things that I think are more important. I think that could have a multiplier effect, and I think that's going to be something, if we can focus on it, that will bring in a lot of new entrants into the space, right, and it could really set a higher bar for how we make, you know, diverse and nontraditional people also enter this community and kind of close the deficit of cyber expertise that we have in the country, on both the private and government side.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator):

All right, Cynthia prediction for 2025, and one thing you want the audience to walk away with.

Cynthia Kaiser, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation:

OK, so I'm going to stay on the AI theme, just so I can echo it, that I do think right now that the cybersecurity benefits of AI far outweigh the risks that we have.

But I do. The FBI is not taking that for granted, and we're really keeping a laser focus on what adversaries are doing. We put out information about a Russian disinformation influence kind of tool. That really is the first time that we've talked about outing and disrupting something incorporating Gen AI concepts into some of its tooling. And so our adversaries are going to be using AI to save their labor, you know, do basic coding, et cetera. They are going to use it to lie better, whether that's spear phishing emails or some tools like this, and, you know, they're going to use it to try to hide where they're at in the systems. And I think that's why, and that's what I want everyone to take away, that's why it's really important for us all to work together. It's why it's important to reach out to your FBI field office, get to know them, but it's important to know all of us, and it's important to really have that partnership, because that's the only way we're going to be able to keep that balance weighted towards, I think, that cybersecurity benefit.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator):

Bring us home.

Nick Leiserson, Assistant National Cyber Director for Policy and Programs, Office of the National Cyber Director:

Great, I'm not going to talk about AI.

So, my prediction for 2025 as a policymaker is that 2025 is going to be the year where I think conversations about software liability really start to hit more of a broader community. It was in the strategy. We've been doing some work on it at ONCD, but I think, if you look at what the new European Commission that's being formed and where I think some of their heads are going to be at, there's going to be a lot of international conversations about software liability as a next step after the Cyber Resilience Act. I think it is incumbent on us, as United States policymakers and software manufacturers, to have a lot of really in-depth conversations about this topic, which is one that has kind of floated around in the academic ether for three plus decades, but get down to brass tacks to get left of that, because I think we're going to hear a lot more, especially from the EU, about this topic in 2025.

And again, I want to get as far left of that as possible. In terms of takeaways, the word that I heard a lot from my partners, and myself, is maturity, right? And I think this is one of the things that is a theme across the board: we're at different places in critical infrastructure depending on which sector you're in, depending on how long you've been regulated, depending on how mature your sector risk management agency is. We are committed to raising that across the board. You see that in the fiscal year 25 budget, which is gangbusters for sector risk management agencies, investments like we've never seen before across the board, and I think that will continue to be a theme from the administration: we all need to work together to lift all of the different aspects of critical infrastructure together.

Bobbie Stempfley, Vice President and Business Unit Security Officer, Dell Technologies (moderator):

Yeah, I appreciate that. I think not only are different sectors mature, I think within a sector you've got a wide range of maturity, even in the most mature sectors, and so for me the big lesson has been: we treat critical infrastructure, we talk about critical infrastructure, as though it's one monolith, and it is. There's one of everything out there, and so we really need strategies that address one of everything.