The Solar Winds of Cybersecurity: Biden and the 117th Congress Need A Unified Strategy
5:47PM Jan 26, 2021
I sent her a link this morning. Let's see if she.
Are we ready to go? Hi everybody, welcome back to State of the Net. Very excited, we have a great panel on to discuss cybersecurity today, and specifically we're going to be talking about the most recent SolarWinds attack. But as a program note, I wanted to also mention that tomorrow we will have Congressman John Katko, who has just been announced as the ranking member on the Homeland Security Committee's cyber subcommittee, to 20, so plan on joining that as well if this is a topic of interest to you. So thank you for joining us today. I want to introduce these amazing panelists and then we will get right into the discussion. So today we are joined by Tatyana Bolton. She is the policy director for R Street Institute's cybersecurity and emerging threats team, where she leads the public policy strategy with a focus on secure competitive markets, data security and data privacy, as well as diversity in cybersecurity. Tatyana is also a senior director on the US Cyberspace Solarium Commission, where she previously served as the senior policy director, focusing on US government organization and resilience portfolios. Robert Mayer is Senior Vice President of Cybersecurity with USTelecom Association. He has responsibility for leading cyber and national security policy, along with state relations, and coordinating a multitude of regulatory initiatives for the wireline broadband industry. He's also the current chairman of the Communications Sector Coordinating Council, which represents the broadcast, cable, satellite, wireless and wireline industries in DHS's public-private partnership. Robert also co-chairs the recently announced Council to Secure the Digital Economy, which consists of 13 global ICT infrastructure providers who have joined forces to drive solutions to enhance cyber resilience in the digital ecosystem.
Kemba Walden is an attorney in the Digital Security Unit at Microsoft, where she operates at the intersection of cybersecurity and critical infrastructure protection. Prior to Microsoft, Kemba spent a decade in government service at the Department of Homeland Security in several attorney roles; most recently she was an attorney advisor for the newly created Cybersecurity and Infrastructure Security Agency, CISA, and you're going to hear that acronym a lot today. And then our last panelist is Morgan Wright. He is the chief security officer at SentinelOne, and an internationally recognized expert on cybersecurity strategy, cyber terrorism, identity theft and privacy. Previously Morgan was a senior advisor at the State Department's Anti-Terrorism Assistance Program, and a senior law enforcement adviser for the 2012 Republican National Convention. In addition to 18 years in state and local law enforcement, Morgan has developed solutions in defense, justice and intelligence for some of the largest technology companies in the world. So welcome everybody, and I think you'll really enjoy this discussion. So, Morgan, I'm going to start with you. The recent SolarWinds security breach is just the latest example of the incredible landscape that we live in. So can you walk us through the anatomy of this recent attack and the known victims, as well as the collateral damage that we currently know about, and then that which we're probably expecting to uncover?
Yes, so you know what I'll do is I'm going to keep it, Shane, at kind of the 50,000-foot view; there's probably a lot of technical people and non-technical people on. If you want to do a deep dive, on the Slack channel drop me a note, and I can get you some information from SentinelOne where we did a deep dive, but this is not a commercial. But let's go back and really talk about the way this really happened. This was less of a technology operation as much as it was an intelligence operation that understood how to exploit human weakness, conventional wisdom, proverbial thinking, in order to achieve an intelligence objective, which was to get this information. It wasn't about stealing money. It wasn't about bringing down the internet. What they did was the same thing you do, what military people understand by the term intelligence preparation of the battlefield. They were able to scan the landscape, they looked for where we were vulnerable, they looked at how we thought about security. And so I'm not going to pick on a company; the actual vulnerability is called Sunburst. And the way it was done, but really that's just the way it was really done, Shane, and you know, for you folks listening out there, it was done because, as we were so focused on the 2018 election and stopping the influence operations and the active measures that were being done by the Internet Research Agency, at the same time, with a lot of attribution out to one of the Russian intelligence agencies, the SVR was in the process of designing this entire operation. It probably took them at least a year to put this together. Then they started by deploying some test code into a targeted company; that targeted company was SolarWinds. Why? Because they provided the network management and database management for a bunch of companies around the world, about 300,000; 18,000 appear to have been targeted.
But out of that 18,000, who do we target? People like the National Nuclear Security Agency, the Federal Energy Regulatory Commission, State, DoD, a lot of government clients, a lot of private sector people, defense contractors, big names that you've heard about. Why? They're interested in information. So they were able to insert this code in by probably using social engineering techniques, using spearphishing and phishing emails, to get targeted employees inside of SolarWinds, as well as maybe other countries where development was being done, compromise them, understand how this thing was built, and then they started the operation chain. And what it was was, they put code into the update server, and they're able to send out these updates that you all thought were trusted because they were cryptographically signed, you know, a big long complex number that says, hey, nothing has changed on this. So you install the update. The other thing it did is it exploited human weakness in terms of how we thought: we thought, we'll put it into this little thing called a sandbox, and as long as nothing bad happens within three to four days, then we'll put it into our operational environment. So what did they do? Okay, well, wait 12 days. It waited 12 days and, like a periscope on a submarine, popped up, looked around and said, oh, we're in the operational environment, and looked for a couple other things, to say, are there things here we don't want to have in the environment for us to be able to operate successfully? Once all the parameters were met, the code executed. And then what it did, it started stealing information and started allowing these updates to go in and be able to impersonate people, be able to take over accounts, even accounts that had multi-factor authentication. And what did they do? They read emails, they gleaned information.
So, Shane, that's kind of the 50,000-foot view. Like I said, you know, I'd be glad to provide more technical details, but really, at the end of the day, it was an intelligence operation that understood the weaknesses in how we thought and how we deployed security. From a professional standpoint, it was actually very outstanding tradecraft, and this has now forever changed how we view things, how we view the world. I did a keynote a while back in which I said trust no longer exists as we know it. It used to be verify and trust, and trust but verify. I don't even know if we can do any of those things anymore.
Interesting. So the whole concept of zero trust is zero trust. So, Tatyana, you have spent a lot of time looking at this from all sides of the equation, and most recently in your role at the Cyberspace Solarium Commission, as they call it. Can you give us some ideas of how to look back? I realize you guys are looking very heavily at this in hopes to get ahead of this issue, or a problem like this happening. What could have been in place that you think could have been helpful for this, and what are the lessons we've learned that we need to make sure are in place going forward?
I think there's a lot of things that we could have done, and certainly in the introduction to the report you can see us sort of thinking through a major disruption, a major attack, and talking about how our report is attempting to bring us back from that brink and address these things. A lot of the things we talked about, for example resilience, right, like building a risk management cycle that works well, establishing the Bureau of Cyber Statistics that can provide information to critical infrastructure owners and operators and can influence policymakers with information that they can use to draft and craft appropriate policy. Things like amending the Sarbanes-Oxley Act and developing secure cloud certifications. All of these things are what could have prevented something like this from happening, and we hope to move forward and put these into next year's NDAA or standalone bills, so that we can be prepared next time around. One of the things we actually did get done, which is fantastic, is the National Cyber Director, which passed in last year's NDAA and is being stood up right now within the White House. We hope to hear an announcement on who that will be shortly, but I think that leadership in the White House, someone focusing on cybersecurity day after day, waking up in the morning and thinking about cybersecurity, is one of the critical pieces that was missing after the removal of the cybersecurity coordinator in the last White House. So I'm glad that we saw that change, along with the 24 other changes that we got put into the NDAA this year. So hopefully we can make some changes in this next year as well.
And we will come back to the National Cyber Director, because that's going to be... Robert, 20 years ago we thought a lot of this was just the federal government's challenge and industry was in its own swim lane, and now we realize it's everybody's problem, we have to coordinate, and you're spending a lot of time doing the coordination for your industry. Can you walk us through where you guys are, some recommendations that you've made, things we should be looking at as we move forward in this public-private partnership space? You're on mute, Robert. Robert, you're on mute.
I got it.
Thank you very much.
Sure. Uh, yeah, I think you're right. I think 20 years ago we were swimming in our own lanes; 20 years ago we had no idea. I think a few of us had an idea of how significant cybersecurity threats would be for our national economic security, and to some extent even at the existential level that it's a threat today. I think, you know, based on what you've heard and based on what everybody understands at this point, this is something that industry and government cannot do alone. We really need to be engaged in ways that are even more substantial than have existed in the last decade under what we call the public-private partnership. I read a blog this morning that talked about the difference between a parent-child relationship and a spousal relationship, where there's mutual respect and there's a recognition of different interests. I think we're at the point right now where we need to engage as industry with our government partners in ways that we haven't done before. And I think this is being reflected in the real world; I'll give you two examples. One is, immediately after SolarWinds, our regulator, the FCC, reached out to the Communications Sector Coordinating Council, the major associations, some of the largest companies and some of the largest ISPs, and said, look, we want you to come in, we want to understand exactly how you've been impacted by this, what efforts you have taken to protect, and detect the activity, respond and recover. And that has gone forward, and there is this real sharing of, I think, important information in a safe and contained environment, because many of these companies, as well as the government, are still investigating. When Morgan described the extent of activity associated with SolarWinds, it's easy to understand that we haven't captured and fully understood all the implications of the attack and what's been impacted.
Another area that we've worked on in the last couple of years, and we may talk about this some more, is within DHS, the ICT Supply Chain Task Force, where we've been working with about 12 government agencies, all of the major IT companies and the global comm companies. We have 300 people working for two years on the task force; we've developed reports on the supply chain. This was a supply chain software attack. Clearly it was something that was anticipated at one level, but really not fully understood and appreciated, so we are going back into the reports and the materials that we developed over the last few years to see what we pointed to as potential risks, what we may have missed, and then, most importantly, what can be done going forward to address this kind of attack. And I'm interested, and we'll hear more about this, you know, when you're talking about zero-days, when you're talking about backdoor attacks, is this something that we can really reasonably expect the private sector, especially if they're working against a foreign adversary, to protect themselves against? And what does that mean for the government, private sector
Kemba, I'm so excited you're able to join us in this conversation, because you have been at ground zero for a lot of this for the last 10 years. I'm just trying to get the planning right, and I know that there's so many challenges with jurisdiction, you know, how Congress wanted to manage it, how the administration wanted to manage it, a change of administration while you were there, as well as we want to hear about how you're now, you know, on the other side of the fence with Microsoft. But I was thinking about what you mentioned in a previous conversation you had: the presidential directives, executive orders, the dozens of new laws that are being passed, not only, you know, federally, but dealing with state and local as well as international. So how do we take into account what's currently in place and recommend the right direction and guidance going into, especially, a new administration? Well, first,
thank you for having me here. Like you said, I spent some time at DHS, and I've been here at Microsoft for a little under two years. And in both positions I've observed a few things, right. First, I'm a huge advocate of information sharing. I do think, just to pick up where Robert left off, that the public sector and the private sector really need to double down on working together, right; we've made some headway over the last two administrations, the Obama administration and the Trump administration, and in significant ways, but we really need to get good at it now. And you asked specifically, what are some of the tools that we have that we may not be optimizing at this moment? This was a software supply chain security attack, compromise, here. There are a couple of things. The federal government recently passed, maybe not so recently, that was December 2018, the Federal Acquisition Supply Chain Security Act, which gave the federal government more procurement actions to take based on risk assessment of their supply chain, right; software is part of that. We haven't really leveraged that authority. We have exclusion, I keep saying we, it's only been two years, the government has exclusion authority, removal authority; they can really take a deep dive look into their trusted partnerships with vendors. Vendors, on the other hand, have the opportunity to weigh in on how individual departments and agencies assess risk from their point of view in that structure. The regs came out, I think, relatively recently, in the last two or three months, so the Act was passed in the Obama administration and the regs were finalized in the Trump administration, so there's a sort of continuity there. I will also say that in the private sector I've observed that, you know, we've always known this, the private sector owns, you'll hear statistics anywhere between 70% to 85% to 90% of critical infrastructure.
So the private sector actually has more access to signals intelligence, in a lot of ways, than the government does; the government has more authority to do things with that intelligence than the private sector does. So there really needs to be a cooperative, collaborative, actionable relationship between the two in order to be able to address something like supply chain, software supply chain security, and to restore trust, right. Most of these attacks that you've seen over the last several years, in my estimation, were about eroding trust in one way or another. So I think partnerships are where we need to work. I will say, the other few legal authorities that the federal government is contending with to address these sorts of issues: let's not forget about the Committee on Foreign Investment in the United States, which I actively was on at DHS, and other similarly situated organizations like Clean Telecom, CFIUS, the Federal Acquisition Security Council, the FASC rules; these are all meant to be interagency-driven, risk-informed processes for bringing trust back into our supply chain security. I hope that answers your question, Shane.
No, it does. I mean, part of the challenge is the system tends to be a bit of a hot potato, and everybody knows that they need to be doing something, but not everybody wants responsibility for what needs to get done. You know, General Mike Hayden, former director of both the CIA and NSA, used to say the cyber cavalry is not coming. But I think we all want them to, right; you know, this is what we're talking about with wanting offensive measures to be much more proactive, while we're still kind of on our back foot on defensive measures. And so part of that challenge, as we're looking at a National Cyber Director, like, do we need to make major changes? Is that an administration perspective, where they're like, okay, we're just going to say this has to be done, and it's by fiat of the president, versus waiting for Congress to get this right, or is it a combination of the two? And then eventually we have to get into the international discussion, because we need our partners to be on the same page with us on a lot of these things. So what do we do with the National Cyber Director? What do we want to see them take on? What sort of space is opening up to that group?
Let me throw out one thing: you can have all the positions you want, but they have to come with three things, or they'll never be successful: responsibility, accountability and authority. You can give people all the mandates in the world you want, but unless there's teeth behind it, unless there's a process that says this shall be the single person... if you remember, after 9/11, what did we create? The Director of National Intelligence. Why? Because we had a lot of intelligence agencies operating independently. And it used to be the head of the CIA was also the Director of Central Intelligence; they were the person that gave the briefings to the President, CIA kind of led that charge. Now it's the DNI. You can argue whether or not that's successful, but at some point you can say, what is the equivalent of a DNI in cyber? What is the equivalent of where everything flows up to one place that has responsibility, accountability and authority to make decisions, to spend budget? If you just leave it in the government's hands, we are not going to solve this problem. I mean, government cannot solve every problem; they can enable the solution, but they cannot solve every problem, and this is where, as Kemba was saying, this public-private partnership, not only in information sharing, but in quantum computing, you know, things like artificial intelligence, there has to be collaboration for us to develop the next generation of solutions that are going to defend and protect the United States.
The National Defense Authorization Act, passed earlier this month, had numerous of your commission's recommendations in it. So it seems like, I understand what Morgan is saying, that, you know, the government can't take it all on, but certainly the government can be better structured for this. So what should we expect now that the NDAA has passed that will be changing? Well,
so, you know, we just talked about the National Cyber Director, and I agree with Morgan, I think that it does need those things. I think that our proposal and our recommendation in the NDAA did a good job of imbuing that office with the appropriate authorities. And, you know, it remains to be seen how the president uses this office, and it is my sincere hope that the majority of the USG and everyone who sort of works in the cybersecurity sphere does its best to work with the NCD and give it sort of the prominence that it needs to do its job correctly. One of the other things that we did, and were successful in passing through the NDAA, was strengthening CISA. You know, CISA, I think, is a place where it hopes to be the cyber expert; it hopes to coordinate US government efforts to handle federal cybersecurity, and the commission felt strongly that CISA was under-resourced and undervalued and generally unprepared to handle the job that it was intended to do. I mean, I'm sure all of you read the multiple reports and comments that came out after the SolarWinds attack about, well, should we have CISA, oh, what's the point, what did we spend all this money on Einstein for when clearly it failed, or like, what's the point of CDM? You know, I think that that's sort of the wrong question. The people on the Hill asking the question of why isn't CISA doing what we've given it money to do is really more of a question of, well, why didn't the Hill fund CISA to a point that was commensurate with the job that was given to it, to your point about mandates, unfunded mandates. You know, CISA doesn't have nearly enough resources to protect the federal government networks, let alone all the other efforts that it needs to do.
There's a lot of good people doing good work there, and the commission felt that that needed to be sort of strengthened; that did pass through the NDAA, so you're going to see a lot of that happening. I think DHS and CISA right now are doing a lot of looking through the NDAA and figuring out how to take in some of these new authorities and responsibilities and work to kind of improve the risk management aspects and the support to private industry that it got, so you're going to see a lot of that, I think a lot of planning. There's also some good provisions to support the DoD, Cybercom, reviewing the cyber mission force, things that we recommended that are desperately needed in order to bring the offensive cyber side also up to speed with where we are in 2018 in cyber attacks. I mean, I think that what we've seen is that we've been operating under these strategies and force structures that were created 10, or sometimes 15, years ago, and we've been operating with the same manpower, same personnel, and that isn't sufficient. We wanted to recommend a review of those structures and that funding, and I think you'll see a lot of improvement over the course of the next three years as these agencies sort of take those changes and make them real.
I really hope so. I know you spent a lot of time on this; you did come up with a top 10, do these first. And so we're looking to you to go to R Street, like, all right, for all those members of Congress who are like, where do I start? Yeah, you're talking about it, I'm sure you've got it, and moving forward reading it. You all brought up the point of the gap in intelligence. How do we manage that? How do we get past this fact that we have a lot of information, but it's not flowing in a way that's getting us ahead of the game here?
Okay, I'll take a shot at that. But before I do that, I just want to very quickly go to the issue of the new appointments in the cyber directorate positions. I think a very important signal is being sent by the administration in terms of the caliber of the people that have either been announced or reported to be in new positions. I think it's been pretty clear that when the decision was made to not replace the cyber coordinator in the last administration, we saw a lot of activity happening at different agencies that arguably were not rationalized, and there was duplication of effort, especially in areas like supply chain and 5G. What is going to be interesting in that area is you've got now the National Cyber Director, you've got Anne Neuberger, who's coming in from NSA in a senior position, you've got somebody coming in at CISA. All of these people are going to have responsibilities for coordinating aspects of cybersecurity, whether it's coordination in the intelligence community and information sharing or the public-private partnership; how they work together, how they coordinate, how they establish priorities and how they communicate that to industry is going to be very, very important. And we don't have that insight yet. So I suspect that the way this administration would work is that they will be highly coordinated. Most importantly, they'll be sending an important signal to industry and the world writ large that cyber matters. They have all the gravitas that you would look for in leadership. So I may have taken up my time on the intel front, but I will just say on the information sharing question you asked... Well, you have the floor; if you want to go on about the gap of intelligence, please do.
And I want to just kind of tap the work that we did at the ICT Supply Chain Task Force. We had two years of work on information sharing, and one of the things that we discovered was, and you know, when talking about information sharing, it's industry to industry, industry to government, government to government, government to industry. The FASC is part of the task force. So there has been a lot of conversation. What we found was that, in terms of sharing information industry to industry in particular, for example, there are a lot of liability concerns, because if you're suspicious of a particular vendor, you have to be very careful about how you communicate that to industry or government, because there are antitrust issues, there are state causes of action, there's a whole bunch of legal activity that's going to require us to go back to the Hill and revisit information sharing and see whether or not we can get some liability protections, both for industry and also government; the ability for some of these agencies to share with other agencies is limited. So I think we have to go back and really re-route our whole issue of intelligence sharing and information sharing and see what we can do to identify the areas where there's friction and let's remove them, so that we can stop this kind of siloed view of just one piece of a big elephant.
Kemba, you want to get in there? Yeah,
I'd like to offer a couple of observations. And this has been a fun conversation, by the way, so I feel like I need to address a couple of things while I have the floor. In addition to what Robert Mayer just described with the potential new CISA director, the rumors of the new CISA director, the National Cyber Director and the cyber coordinator, don't forget Lisa Monaco at DOJ and our cyber enforcement authority across the government, including DHS's law enforcement authorities, and if Ali Mayorkas is sworn in, he's got a rich background in that space as well. I want to bring up intelligence sharing and information sharing. Robert brought up a real concern among the private sector, which is liability. In 2015, I believe, the Cybersecurity Information Sharing Act was passed in an effort to resolve the antitrust issues, the liability issues that were faced by the private sector. CISA 2015, it's unfortunately the same name as the new acronym given to our new agency. The Information Sharing Act provides for protections against disclosure under FOIA, protection from disclosure under the Sunshine Act, liability protection for industry-to-industry sharing, industry-to-DHS sharing, agency-to-agency sharing, and a whole host of other protections, antitrust protections, and DOJ provided a complementary legal opinion about that as well. So I think, as the private sector begins to use some of that 2015 authority, we'll see clearly that Congress will need to update it to address some of our newer risks. But we should probably encourage industry to share more and to explore some of those liability protections afforded to them that aren't really optimized. Intelligence sharing gaps, I'm sorry. Well, there's a clear gap, and maybe it's right that, you know, 12333 authorities for the intelligence community do not allow for collecting domestically. Right. That's the thing.
But for information that is collected domestically, how do you make sure that the intelligence community gets what it needs, lawfully, to be able to connect those dots, the hops that might occur overseas into the hops that occur into the core of our critical infrastructure? How do we connect those dots? How do you make sure that the private sector has the right level of clearance, and timely and actionable information, to be able to take action to complement the work by Cybercom or NSA, the offensive, or the defensive work at CISA? I think, I hope.
Go ahead. I'm sorry, saying, what is it? Well, it's a bit of an infinity loop we have here, which is, without the liability reforms which give people the feeling that they can appropriately share information, which we need as real-time as possible, we need that clarification so we can get to... you know, we're talking about a gap of intelligence; that's a lot of the reason for the gap in intelligence. Tatyana, you had your hand up.
You're on mute. You,
Sorry, on that specific point. You know, one of the recommendations that we put forward was specifically to address some of these concerns, which was codifying systemically important critical infrastructure. Now this doesn't get to the problem of sharing sort of across the board for all companies, but it does address some of the most critical issues, which are, you know, the financial exchanges and the critical energy companies or nodes of production and transmission of energy, among others, including communications. The idea being that if we can identify something like a Section 9 list but codified in law, imbued with some benefits and some requirements, you ideally would set a certain standard of requirement, and the companies on that list would be held to that specific standard to protect what we believe is the most critical of critical infrastructure. And if you are on this list, then you also get perhaps some liability protections: if you're hit by an APT, if you're hit by China or Russia, if you're targeted, then it's unreasonable to assume you'd be able to protect yourself, and if you show that you have done the due diligence to protect your company and networks from an attack, then you would be protected from liability, and you would be given, for example, better coordination with the federal government; you'd be prioritized in terms of perhaps intelligence collection or information that the government could share with you. And so the idea is that you would get information, but then with that sort of better collaboration and coordination and some other benefits, you would also be held to a higher standard. And so we believe that was a really critical piece to ensure at least the most critical of our industries was protected, and I think that, along with some of the other.
Some increasing intelligence support to the private sector and predefined processes for identifying private sector Cyber Intelligence needs that all together could create a framework that would improve intelligence and the collection and cybersecurity for our critical infrastructure.
Morgan, this all sounds applicable to
all four. This is one of the meatier issues I want to get into. Look, I spent a lot of time down at the Department of Justice building what's called OneDOJ, the plan to share information between 18,000 federal, tribal, state and local law enforcement agencies. On top of that, the big question, and I think Kemba got into it too, is how do you share intelligence with certain places? And the problem is you can't, because you cannot clear enough people who can take action within every agency to be able to act upon that information. So we started creating what we call the shareable tearline initiative: how do you write an unclassified version of the cable? I don't care what cave in Afghanistan there's a plot being hatched in; I care about what piece of infrastructure I need to worry about defending. And the quick history lesson I'll give people is, don't raise your hands, because I polled you guys yesterday: how many people know who Oleg Penkovsky was, code named HERO? How did we know how to avert the Cuban Missile Crisis back in the '60s? It wasn't because of technology; it was because we had a spy inside the Russian military who told us, the CIA, what was coming, and then we flew our technology over to confirm it. One of the reasons we have an intelligence gap today is because we've lost human intelligence. We're great at SIGINT, ELINT, name all the other INTs. But when it comes to human intelligence, we have lost 80%, maybe 90%, of the agents we had in China; they've all been caught and killed. We've lost a lot of agents in Russia. So you cannot look at technology as a simple silo and say, well, we can solve it if we just look at technology. It's the blend of human intelligence, technical intelligence, you know, signals intelligence. It's everything coming together. Last point: I would say I sat in a briefing a few years ago with John Carlin, you might remember him, Kemba, the Assistant Attorney General for National Security.
Every Fortune 500 company has been breached, every single one of them. If you think you can defend against a nation state, you can't; given enough time, they have the time, the resources, the tradecraft to get into everybody. So this gets back into one of the intelligence gaps we have, which is our failure, and I saw it in the comments: the 9/11 Commission's final finding was a failure of imagination. We could not see an attack like SolarWinds coming, and we thought that with our sensors overseas, NSA, US Cyber Command, we could detect this stuff. That gets into 12333 that Kemba was talking about: what authorities do we have to collect intelligence? We have a bright, bright line between domestic and international for a reason, because we do not operate as dictatorships, as other countries do. So, guess what, I don't think we'll ever solve that problem. I think we will always have an intelligence gap. Why? Because I don't want the NSA and the CIA spying on American citizens in order to do it. That's just a decision you have to make in a free country. Sorry, I got a little emotional there, but having friends who have served, lost people in the line of duty, lost them in military action, I know the consequences of a lack of intelligence. This is probably a problem we cannot solve, but we can do a better job at sharing information in order to make better decisions.
And I'd ask Morgan a question, if you don't mind. As I understand it, one of the reasons on SolarWinds was that they actually came in and penetrated US servers to avoid having certain agencies have the ability to make that detection. Is that right?
Yeah, they got in through SolarWinds; they also utilized servers in the United States. They used anti-forensic techniques and obfuscation and things called steganography to hide their traffic. Why? Because they knew that Cyber Command and NSA had sensors out there that could see things externally. We, because of everything from Posse Comitatus to other restrictions, cannot operate that way. In fact, if you guys remember, during the DC sniper case there were a lot of issues about even the military flying air support over the DC region to provide advanced technology in order to locate the sniper. So yeah, to your point, Robert, we were blind: we could see everything externally, we just couldn't see what was happening internally.
That's a very good point. Can we walk that back for a second, because I'm not sure everybody understands what you all just said, and Kemba, I think you're probably in the best position to dial this back for us. How did they get onto US soil without being detected, since we're saying they're Russian?
I'm not going to answer that specific question; I'll leave that for Morgan, the how, technically, they did it. But theoretically, what Morgan is saying, in really simplified, non-technocrat terms: they went straight into the domestic infrastructure, right? They circumvented the border and just went straight in, so that they wouldn't trip the protections that we have in place, that we in the US government are authorized to use, to see outside of our borders. This is one of the reasons why what Tatyana described earlier is really important. CISA, or our domestic agencies, are really now at the front lines of nation-state cyber attacks. I mean, they are at the front line; it's not necessarily Cyber Command and DoD and our strength there. It's really what's at the heart of the country. I don't know if Morgan wants to describe how they came into our systems and how they evaded our authorities externally, but they really just came straight in, and I think this is not the last time. Unfortunately, we're going to see this sort of approach again, because it seems to work.
Well, Morgan, I would like you to explain that, but I remember back in mid-2014, 2015, this became an issue with the financial services industry, because there was a Middle Eastern attack that realized that they could arrive right in between that space, that they could go into JPMorgan, Morgan Stanley and all these banks and get information, and that the US couldn't come in and cover that situation. So they figured out that fine line. And I think you're probably ready to jump in to say something; I'd love to hear it. Are we on the path to fixing that problem, which is really a procedural problem, or
anyone? Because it just seems like it, I get why it exists, and it's very analog, but in a digital world we need to move beyond that as being, you know, how we decide what we manage in terms of information and defense and offense.
I can throw something out there while Tatyana's collecting her thoughts. It hasn't really been touched on yet on this panel: we really do need to, and the Cyberspace Solarium Commission addressed this, we really do need to start thinking more clearly about international norms, cyber norms, and working more closely and more methodically, in a coordinated way, with our international partners. And I think that's one of the structural issues.
I will also add.
Yeah. And, you know, Kevin and I saw this at CISA, and we worked together on some of these things, and I think we both saw some of the things that people are talking about. In fact, some of the questions that are popping up in the chat mention a lack of creativity or a lack of imagination, and I think this actually boils down to who is doing some of this stuff, and the leadership that's necessary. So for me, two of the biggest things, and we touched on it in the commission report and we did a follow-on white paper on this topic as well, are leadership and workforce. I know people consider workforce sort of a black sheep, kind of a Don Quixote-style tilting-at-windmills thing, because there are a lot of efforts on it and very little gets done, but I honestly believe that if we want more creativity, if we want to think more like the adversary, if we want to move away from the way in which we've been doing cybersecurity, we need to include more people, and diverse views from different people who can think differently. Right? If we keep doing what we've been doing, we will keep getting what we have been getting. I mean, it's a trope because it's so true. We have a lack of diversity in the field; we have very few people who come into it who aren't from a computer science or cybersecurity background; we have only something like 20 to 30% women in the field, very few minorities.
We just don't think broadly. We need to get a broader pipeline of people coming from various different skill sets, various different degrees, that need to be in cybersecurity. It's not just the computer scientists that we need; we need to be taking in people with communications degrees and policy degrees and international relations degrees, everybody from those fields. We also, and at R Street we're working on this, are trying to educate groups that work with cybersecurity but don't really understand cybersecurity, such as, generally, attorneys, although obviously, Kemba, you are very well acquainted with cybersecurity. But I would argue that there needs to be more of that, more for attorneys, more for judges, more for business executives, so that we can change the culture around cybersecurity, and that is where I think you're going to get big returns on your investment.
Morgan. Oh, sorry. Go ahead.
Going back, I agree with what Tatyana said about workforce and all that. A couple of things. One is, we're still in blame-the-victim mode. I don't care what anybody says, there's still going to be an impulse on the part of government, I think, to say: what can industry do more? How can you protect yourself? What are you not doing? How much more can you be spending? I think that's a misplaced thought right now because, as people have said, in a kinetic environment, if a foreign government attacks you and they start hitting your physical facilities and taking you out, nobody expects a company to come in and respond with jet fighters and whatever other activities. So we have to understand that in a nation-state and global criminal enterprise system, we're facing something completely different. The second thing we need to do is, we're not imposing a cost on the adversaries. One of the first things that President Biden indicated very early on, when he was responding to SolarWinds, was that we have to make it more costly for adversaries. We've been saying this for years. Now, I don't know what is happening behind the scenes in Cyber Command; I just know the result. And from looking at the result, it doesn't appear to me that the major countries the Commerce Department just identified as six foreign adversaries, you know, China, Russia, North Korea, Iran, Cuba, are stopping. They're continuing to attack on a daily basis, very significant attacks. So somehow the message has gotten to them that there's a cost. And so we have to start figuring out how we make it more costly for them, because they have all the economic advantages. It's an asymmetric battle between the sender and the originator of the effect. If we can't level the playing field, we're going to get further and further behind.
And then there's going to be an unrealistic expectation that somehow the private sector is going to fix it and make us more secure, or that we're going to regulate the private sector and that'll work. Well, the federal agencies were essentially regulated. They all have FISMA; they all have compliance requirements. They didn't even identify SolarWinds. It was the private sector that did. And so the entire model has to be re-examined from square one, and I hope, as we go forward, we're not having the same conversation we had with the old legislation, Lieberman and Rockefeller-Snowe. We really need to rethink what the responsibilities are and how we work together and collaborate, and we've got to do it quickly.
Sorry, I think you've all brought up elements of our international challenges here. Kevin, you mentioned cyber norms, which obviously are key, and back in the Obama administration I was very excited with the work that Chris Painter was doing, and it was interesting that we saw him move from the White House to the State Department, which is good from a diplomacy perspective, but I think it was also maybe sidelining cyber, as people didn't understand that it was so integrated into how the economy works. Now I don't think anybody questions the digital economy, especially during COVID, all doing Zoom calls like this. But where do we start? Where do we pick the ball back up? We feel like it got dropped on the idea that we need international points of view on this, and whether there are repercussions or dialogues. You know, Robert just mentioned the classic six who are always causing trouble. How do we make them understand that we're serious about them stopping messing with our systems? Anyone? Go ahead, Morgan, you've got to go.
Yeah, I'm going to be the pessimist. I know Robert was talking about wanting to level the playing field. My belief is we'll never level the playing field, because the advantage is always with the adversary: they pick the time and place that they want to do the attack; they pick the techniques, tactics and tradecraft that they want to employ. What we have to get better at, and the military folks out there know left of boom, right of boom, the OODA loop, is how fast we can get our decision-making processes. We don't have the advantage of the initiative that the adversary does, but we need to have the advantage of response, one that puts speed and precision into our ability to respond to these things. That's how you deflect; that's how you mitigate the cost of an attack. I'd love to raise the cost of an attack on a lot of these attackers. I think you can do it with criminal organizations, but nation-state actors? You want to talk about norms: how do you plan on negotiating with China for norms in cyberspace when we're currently battling with them in outer space? You know, we're looking at what the rules are out there with Russia. We have a lot of the major players that will not negotiate with the United States. We have our Five Eyes alliance: US, Canada, Australia, New Zealand and Great Britain. Great, we've got five folks. But is the UN the proper place? Is it NATO? So I mean, we have a lot of things. I don't ever think we'll get back to this. What we're going to get is this squishy middle, where one day the pendulum's way over here and one day the pendulum swings over there, and I think our ability to survive this is finding out how we live in the squishy middle that allows us the flexibility to make decisions each day. But I just go back to what we said: we have lost the integration, or we haven't really explored the integration, of human intelligence with all of our other disciplines, including cyber intelligence, to get better.
What I would have preferred, to stop this attack, is having a spy inside the SVR calling up one of our agents or case officers and saying, hey, guess what, we have an operation going on, here's what it is, here's what you can do to stop it. At the end of the day, I think, quite personally, as somebody who's trained people in that and taught behavior analysis out at the NSA and talked to the Agency, to me it's a people game, and we're losing the people game because we believe too much in the technology and not enough in the people. And that gets into the international piece. I don't think we'll ever solve the international piece, but how do we survive in that squishy middle?
Not loving the idea of a squishy middle, I'll be honest. Anybody want to take the counterpoint, or elaborate on other processes that might be more optimistic?
Yeah, I mean, I think there is more that we can do. For example, we don't even have an Assistant Secretary of State for cybersecurity; cybersecurity in the State Department is like a ten-person shop, right? How do we intend to even communicate our signals to adversaries or friends if we don't even have the diplomats out there doing that? So, you know, an Assistant Secretary of State for cyber; the Cyber Diplomacy Act sort of puts that into play this year, and I hope that it passes. Also, doing more MLATs and more ALATs for the FBI, so that they can track criminal activity faster and make sure that we're communicating with our international counterparts. And we can improve cyber capacity building as well, and if we work with our international partners to improve capacity, I think there is something to be said for that. In terms of imposing costs, I think that our attribution process is incredibly slow, and we don't have a strong path for that right now; we have an ad hoc system that we can certainly improve. But, you know, you can raise costs on adversaries in two ways, right? You can impose costs on them after they've attacked, but you can also make it more costly to attack you. So that's the resilience piece that I think is so critical and that we're missing. We haven't even raised our walls, right? We haven't even secured our networks to a point where it's hard and expensive to attack them. And that's not just for private industry; it's for the government, it's for everyone. And, you know, sure, FISMA, but I think that we still have a whole lot further to go in terms of both federal government cybersecurity and private industry cybersecurity.
So I think that there's a lot more work that we can do to just increase costs on the adversary in that way, and that's part of the Solarium mindset: that we have a defense in depth, right? We're not just trying to tell adversaries after they've hit us that we're going to deter you by putting you on an entities list or hitting you with sanctions after you've done that. The idea is you create this defense through two separate layers, and the first layer is resilience. So
that's sort of my view. Any additional thoughts on this topic?
I don't want to get on my soapbox, but I will offer maybe an example that we can consider. Right now I work on ransomware at Microsoft, as an Assistant General Counsel. So one of the things I think about is: wouldn't it be interesting if we had an international agreement, in whatever form that is, an international norm that says hospitals are off limits? Or if we had an international mechanism to agree internationally that cyber weapons are not for sale, or whatever it is. I feel like there is space for a counterpoint to what Morgan was explaining, just for fun. There is space for us to raise costs, to make cybercrime, if not demotivating to nation-state actors, then maybe demotivating to cyber criminals or cyber mercenaries, by reducing profits in this space, from a ransomware mindset. I think there is, you know, sharing signals across friendly countries, across frenemies. What if Home Affairs in Australia works with CISA in the United States, which they do? What if they have more opportunity to collaborate with Mr Putin, needed to share supply-side or supply-chain intelligence, in a controlled environment that's not available to those that decide not to sign on to the same cyber norms? This is just some food for thought as you consider whether it makes sense, or whether it's even worth having international norms, or using cyber diplomacy as a tool in this space.
The Internet Governance Forum, the international congress, is the place to have that dialogue around hospitals specifically, you know, like can you put things off limits? And when we first started having a discussion like that, 15 years ago, the ability to obfuscate... we were still sort of struggling through that from a technical perspective, and I think we've gotten better about it. But now that we know that people are getting very good at targeting, and ransomware is such a huge issue, I'm sure you're very, very busy. Now knowing that that's off limits, actually needing to be very public about the policies, like this is an absolute hard stop, no go, you will go to a horrible prison for the rest of your life, or whatever the decision on that is, I think we're ready for that more so than we were when we were just trying to make it a very technical conversation, probably several years ago. So you guys are all on some great things. We are down to four minutes. Good job, it's been a great conversation. One thing, and I'm a little confused by what's going on in the chat, but I do see this one, and this is going back to actually Morgan as well. Eric Davis asked: how do you see the role of compliance in all this? Some companies lean heavily into compliance instead of security. I'm a believer that sometimes compliance is what forces them to actually spend money on security, and we didn't even get into insurance, which is a whole other discussion, but does anyone want to comment on Eric's question?
Well, I'll comment that it's probably one of the most important questions to ask, in the sense that there is so much emphasis, too much emphasis in my mind, on compliance. Because I remember somebody telling me, "I'd rather be compliant than secure," which is a terrible thing to say. What this person was saying was: if I can demonstrate compliance, I've got a CYA situation; I can explain to my boss we're meeting all the requirements, full well knowing that there are things that we could be doing in security that we're not doing. So I think that is ultimately the question. And we're going to have to find the right balance, where maybe compliance gets to some basic hygiene-type actions that we just know are table stakes: you've got to do this, and if you're not doing it, shame on you. And I think, for example, the FTC has done some really good work on that, in terms of saying, if you're not doing this activity, you're not being responsible and we're going to hold you accountable for that. Beyond that, we have to explore what it takes, what it means, to be secure. What are the priorities? What are the crown jewels of your organization that need to be protected? What's the best technology? And, as Morgan says, putting aside the spycraft and the tradecraft for a moment, what are the processes and people and support we need from management and culture to support that? But we have to build more secure environments, and we have a lot of insecurity
right now. You bring up a point, though: are there any inducements for proactive positive actions? That actually goes back to the liability reform question. Has anybody seen that in place? Have we seen more information coming forward because there's a comfort level about sharing that information?
Well, there is the DoD CMMC, the maturity model concept that is coming into play, and hopefully that will improve it. But yeah, I agree; I think that this compliance-or-security model is flawed, and I think we need to move more to a maturity model, where we're giving some benefits for some costs. I like DoD's approach, although there are some challenges with that as well; I've seen some technical people, including Bryson Bort on my team, who are not 100% pleased with it. But, you know, securing foundational internet protocols and a national breach notification law, these are some of the things that we could do that would make this sort of baseline reporting requirement and then improve the culture of cybersecurity on top of that.
We're going to want to get in there,
30 seconds. Yeah, well, HIPAA has been around for 20 years as compliance, right? And is healthcare more secure today than it was 20 years ago? There are a lot of arguments that way. Unfortunately, compliance has become too much about the process, not about the outcome. We've got to become more outcome-focused to really make this work. And I just get back down to, you know, my final thought from all of this, and Tatyana hit it really well too: a lot of this is about culture. Culture eats strategy, like Peter Drucker famously said one time. So we've got to change how we think about the problem. And here's a novel idea: rather than the government fining organizations and taking that money and keeping it, instead make them turn around and spend that $5 million fine on improving their cybersecurity, quit collecting the revenue. Because otherwise you force them to spend 5 million on a fine and then another 5 million to fix the problem. Just make the penalty the fact that we're about to fine you, and instead you need to take this money and improve your cybersecurity, so we can raise the bar and make it tougher. We'll never solve all problems, but we can't regulate our way out of this, we can't spend our way out of this; we have to think differently about how we solve this problem.
Anyone else, 30 seconds of final thoughts? Then we have to close down the panel. This has been a great discussion. Thank you guys so much.
Said it all.
Okay, well, thank you guys very much. I am sure that the people on State of the Net have really enjoyed this conversation, and I'm sure you're all available for further discussion. Thank you. I just want to thank Steven and Tim and Jack and Joe and the whole team, because I know that doing this virtually was a bit of a challenge, but I think this panel has been a success, and I hope that everybody will stay tuned for the rest of the day. So thank you guys for your participation, and thank you to the viewers for being active listeners and viewers on this panel discussion.
Alright. Thanks so much, Josh.
How are you?
Oh, I think you're on mute.
We're just getting the rest of the panelists and our moderator, Alan, sorted. Sorry for this short delay.
So, hi everyone, thanks for being here. I'm Adrian. I helped curate the State of the Net event here, and I am