Rep. Katko Fireside Chat
7:02PM Jan 27, 2021
Literally are desperate. I have learned a lot in the last couple days. I am introducing our representative John Katko from the 24th District of New York. He is the new ranking minority member on Homeland Security so he's got a lot of work in front of him. Just a little bit about his background which I found fascinating cuz I'm a huge fan of Narcos: before he joined Congress in 2014, he was a federal prosecutor, first as a senior trial attorney at the Securities and Exchange Commission, and then he spent 20 years as an assistant attorney general at the Department of Justice where he actually was down in El Paso and did some time for RICO. So as much as I love to talk about cybersecurity, I also know that bad guys are bad guys and they tend to have similar patterns in their behavior. So I'm very glad to know we have somebody who really has steeped in this area now looking at the area of cyber. So congressman, thank you for joining us today, and see you on the screen, we have him up here, Jack.
Oh, there you are.
is so tech savvy he's doing this from his phone because he doesn't, you don't have Wi-Fi in your office and they
say never got Wi-Fi, got it, and they didn't have it so we're dealing with it. So, but that will be fixed.
It was as he said, God bless mobile, it's still worth, we have options. So let's start with SolarWinds. It happened in December and gave a lot of people a new perspective on the challenges that we have in the cyber arena, and one of the areas is the conflation between what we can, we might call the .gov space which is the federal government, and sometimes state and local and commercial, and how we're doing information sharing, which brings us to this cyber element of Homeland Security. How is it going with this and what are you thinking moving into this, this new area in 2021.
I really think that the SolarWinds debacle, for lack of a better term, has pointed up a lot of the vulnerabilities of our current makeup of cybersecurity, and in the .gov domain it's clear that we don't really have a truly defined quarterback. CISA, it should be the quarterback of about 101 agency team as a .com domain. And it's there's too much, too much, there's, there's not enough centralization for that effort. And I like to describe what I'd like to see him become is the quarterback in that team, not in charge everyone Tony, but you know, in charge of everybody but helping them move the ball forward and help them with their cybersecurity but we don't we need that centralization I think is something that's really lacking and I came up with 5.5 pillars of AI, if you will, of things I think we need to do in this domain and in light of what happened with SolarWinds and, and the vulnerabilities to our system that are highlighted. So, do you want to go through those
yes please look over here
oh five yeah I mean first of all we seriously region, need to rethink our fragmented approach to the .gov security by centralizing authority but CISA, that means not, it's not taking the authority away from the other agencies, but just centralizing the authority and having a good clearing house as a who stands as the good advisor for the entire cyber realm .gov domain. Second, we need to better understand the nature and extent of third party cyber risks. So we went with a third party software that had an unbelievably open back door, and no one really heard of cyber or SolarWinds as little as two months ago and now it's kind of a household name, and not for a good reason. So, we need to understand that the third party cyber risk better. Third, once we identify the potentially concentrated sources of the cyber risk, I think we need to ensure we have a better vendor certification process that actually reduces that risk. And I can I'm thinking about the Federal Acquisition Security Council and do a better job of that. But we can't stop there. The fourth thing is it's imperative that we drive better software assurance practices, and we need a system to prevent software flaws from causing widespread harm. Anytime you put an update on your system you're creating a vulnerability and there's no way we can have oversight of every single piece of code. And we need to start thinking better about software assurance practices that are better than they are right now.
And lastly, we need to whack the hell out of the bad guys when they commit these acts like SolarWinds, and it might happen with Russia, we all know it was Russia, and to my knowledge, nothing has happened yet from an offensive standpoint and we need to do that from a sanction standpoint, we need to do that from an indictment standpoint, we need to do that, we need to let them know that, you know, this isn't just an open field here. But make no mistake about one of the overarching things I've seen is, it's clear that Russia and China and the other bad actors around are putting far more resources into their offensive capabilities than we are into our defensive capabilities and until we start leveling the playing field, we're gonna have a hard time trying to keep our system safe going forward.
So the legislation did spend quite a bit of time in the interagency process working through the supply chain security problems do you see that moving forward as we go into the administration.
I hope so. I hope we haven't stopped at progress. We definitely made progress with CISA in the last administration, but it's still not anywhere near where it needs to be and, you know, I'm a conservative, I don't like spending money, but at the same token, if we don't spend this money on CISA and we don't get CISA where it needs to be and give them the tools and the resources that they need, there's just no way we're going to be able to do what we need to do. It's clear to us there's much more that needs to be done. And we've got to, we've got to give them the tools to do it.
Well, we've encouraged so many people to go to the cloud and there's so many amazing things that the cloud can do and on one level it can protect you. This group yesterday was also online and there was a lot of chatter in the chat, you know, "Internet's down," wasn't really the internet if people think of it as one piece, but knowing the layers of the stack, and one of them was actually, you know, Amazon was having some issues with AWS and so we did see some websites go down, was a little moment of panic, but we all got through it, but I think your point about the third party risks is really important. So do you think that we need to really, really look at procurement as far as the federal government and the IT team will call the dogs, face to ensure that we have the throughput of security ideas, you mentioned software but there's many other elements to that as well.
Absolutely, I mean, just look at it from a practical standpoint. Gone are the days where cybersecurity was basically the mission was to just get a patch to fix a cyber vulnerability. It's much more ubiquitous in that the Internet of Things, in your home you have 30 or 40 devices, and I just think back. The best example I can think of, and it was one you would never think is a cyber issue, was buying somebody in New York City, the New York Governor in his infinite wisdom, or lack thereof, had a little bidding process for the subway trains in New York City. Well, we all know that China unfairly supports their subway manufacturing facilities, so they are automatically going to be the lowest bidder I think, and they get the contract, but no one thought to stop to think and say okay, all the Wi-Fi that's transacted on those trains is probably Chinese software that's probably embedded with spyware. And what are we doing, why are we making anybody who transacts on that network vulnerable to hacking. Those are the types of things you got to think about, it's a much more complicated world. So from an acquisition standpoint to 5G technology and everything else. And it just amazes me that people are still doing business with the Chinese 5G manufacturers when we know what they're doing with those systems, so there's a lot. It's a lot more of a ubiquitous problem than just thinking, keeping your computer safe, everything's tied to the internet, everything's got computers and so many devices talk to each other every day and people don't realize the vulnerabilities we're creating.
So the idea of a National Cyber Director, how do you see them collaborating with CISA, are they the top of the pyramid, or are they just part of the centralization? Do you have an idea how that process
might no doubt in my mind that we badly need a National Cybersecurity Director. It came out of the Cyber Solarium, and it's something we absolutely, we absolutely have to have. And I view them as being just what they should be, there's a total centerfielder. If CISA is the quarterback of the .com domain, then of course we have the Department of Defense, the quarterback of the .mil domain. This, the cyber director, has got to be the one above all that looking out over the entire playing field and saying, what are our strengths, what are our weaknesses, what do we need to do. And that person should be the person I think that should be giving advice on how bad attacks are on us and what we should be doing in return, etc. So I think I've used that role is a very important role, not just a figurehead role at all. It's not a ministerial role and I liken it to back in the days when they formed the Office of National Drug Control Policy, when I was an organized crime prosecutor. We had tons of disparate agencies involved in drug enforcement and rightly so, FBI, DEA, Customs, Alcohol, Tobacco, Firearms. You needed that quarterback, you needed that individual kind of was above it, on the ONDCP person wasn't one and it was really good. So, and I think this is a similar role for the cyber director.
Actually back in that same time period we had a challenge with the Coast Guard because everybody was like, are they drug addicted, are they part of the military, they're technically part of the education at the time. I see this like kind of in the digital role the same thing where everybody wants a little bit of them but nobody wants full ownership. And so I think having full ownership in it and giving them responsibilities would be huge, spiritual and information sharing, because that seems to be a friction point that we're getting.
And that's not to say they're just, the term silos is overused to some extent, but boy, in the entire field and the counterterrorism field, it was a real problem before 9/11, obviously, that's what the 9/11 Commission exposed. And really, I think we're having similar problems, I don't think it's as acute as it was back then for, for the cyber side but for counterterrorism, but it still has silos and when people are trying to protect their turf, instead of doing what's right to help the team, it's all or unwittingly having silos because they just don't, they're not used to sharing the information and trusting the sharing of the information. That's a problem, but the task force concept that was born out of 9/11, the JTTF, and where we have that cyber, cyber realm it needs to be better, and we need to make sure that the information that's being generated is being shared and everyone's basically playing nice in the sandbox quite frankly, we need that as well.
We mentioned sanctions. There's always been the challenge with a cyber treaty that what is First Amendment rights for someone is their right to say no to information flow, but, you know, how do we, once we also had Chris Painter who was in the Obama administration, was very good, but he moved to the White House, State Department, which made it very diplomatic but not necessarily having the backing of the criminal effects we needed. You mentioned needing financial costs to make them understand that we're serious about not wanting them messing with our systems. Do you have some ideas on how you want to implement that.
Yeah, I think the cyber director is gonna have to play a role in that, there's no question about it, but the bottom line is, when we know someone has done something like they have done with SolarWinds, there needs to be very serious consequences from an economic standpoint, and maybe, maybe, utilize some offensive cyber capabilities if the powers that be deem that necessary. I'm not saying that should be in every single case but there's a lot of times you know who the bad actors are and you know what, indictments, people laugh about indictments. In the past, we snagged people in international criminal organizations they thought we'd never get because we had them indicted already and when they traveled internationally we were able to grab them, and so I think we should use all the tools in our toolbox to let them know that when you do something like you did with SolarWinds, there's going to be a heavy price. So you can try it, but if you get caught, we're gonna whack you hard, and I think that's really what's lacking here to some extent.
It is a little more parochial, but with COVID and so many people working from home, and especially the federal government, have you received lessons learned? We have a challenge, this is actually more on the administrative side, of having our government now working from their home computers, possibly not their work computers, and how we make sure that they are not the point of vulnerability going forward.
I think they just have metastasized because of remote working. Now let's face it, I mean, there's just so much more people working on what's, I think, maybe secured networks, but, you know, there's more laptops, there's more stuff out there and the cloud is more, everything going on, and I think that, to me, the problem has metastasized much like it has with respect to the Internet of Things like I was talking about earlier. It's just, I think it's not going away, I think it's here to stay. I think remote working and telecommuting is here to stay. I also think telehealth and telemedicine and telecounseling and all those things are here to stay. I know that because of legislation I've been reduced so we've got to start thinking about protecting all that as well and that's why, understanding what SolarWinds represents, just from one vulnerability standpoint, it's symptomatic of a much larger problem. We've got to understand that.
Again a little on the parochial side, but going to Congress, when they originally were looking at, you know, post-9/11 cyber being a very my partner that there were about 132 points of jurisdiction. Have they been able to contain, are you now with your Subcommittee on Cyber on Homeland, do you feel like you have enough jurisdiction, you don't have to deal with as much cross functional interagency problems still exist but getting Congress to speak with one voice on cyber seems to be a key. Well,
here's the problem. One of the unachieved goals of the 9/11 Commission was to have more jurisdiction within the Homeland Security Committee. It just hasn't happened. For the vast majority of things to do with Homeland Security, and cyber included, there's several other jurisdictions, perhaps E&C, maybe Government Reform and Oversight and some others that are going to have their hand in the pot as well, and it makes it very difficult to get legislation through and there's too many unnecessary turf battles, if you will, and competing interests. We are the committee that is charged with keeping the country, the homeland, safe, and the cyber component of that is very serious and that's why I think, and I could care less about who gets what turf, I'm just saying from a logical standpoint, cybersecurity is within our realm, CISA is within Homeland Security, and we should be the primary jurisdiction for that, if not the sole jurisdiction, from a keeping our country safe standpoint, and I know there's other components elsewhere but we have jurisdiction over I think six or seven different committees at least. And that's, I'm not, not many other agencies have that kind of a problem and that's a real problem for trying to get this up and running to where it needs to be. There's very few people in the cyber realm that would disagree with us that CISA needs to be beefed up more in light of what's happened with SolarWinds.
And I know that we are specifically talking about cyber but are there other areas you want to let us know as you guys go into your new Congress you've got new members on the committee. What are priorities coming into the first couple of months here.
Wow, there's a lot. I mean, some of the things we got to talk about is CISA was granted a bunch of new authorities in the NDAA, and we've got to be big to make sure we do proper oversight of that for sure. We got, like I said, we got to make sure that CISA is fully resourced, that's gonna be a big issue. Election security, that might be an issue, right. And I think doing some post mortems on where some of the shortcomings were, I mean in New York State, New York 22, we still don't have a member of Congress for that race, and then we may not for several months, because they're ready to go now. We got to do a better job with election oversight, we need to beef up the election oversight area. Our cybersecurity workforce, there's workforce shortages in the cyber field that are at a critical level now, we need to address that. Ransomware attacks are becoming a big issue. The 5G technology is a big issue that we need to do and I think clarifying federal roles and responsibilities to prevent counterproductive encroachment on CISA's mission. I mean, I just read recently where a state is beefing up their whole cybersecurity arm and they have a very different interest. The intersection for them is not keeping the homeland safe. That's a component to consider but diplomacy is also part of it. Not sure cybersecurity and diplomacy are a good mixture. I think when you're making decisions on cybersecurity, they should be based on cybersecurity, so that's a pretty good example. So from a cyber um, those are words, or
your video. We hope they are. Okay, good. I'll say that to them. Right. We, as far as the State Department and I mean multilateral, we've seen different ways around this but there's definitely a need to figure out how we go after the bad guys and how we keep, you know, in communications. There's one of the books I pulled this morning just because I love this statistic, and then thinking about the work that you've done previously. One of the guys in Mexico, when they caught him he had $200 million in his house which at the time was twice what they were spending on Interpol for drug interdiction. I mean it's just, we've never quite got the numbers right and then figured out that, you know, the jurisdiction battles are won for getting the authorization into the right place so then they have permission, and then making sure that we actually fund it. And it is, you buy equipment like to think kind of has a, it times out quickly. And one of the great things about actually 5G and what we're seeing go forward is hopefully that will be faster to do that on a software level and we won't have to spend as much money on. But that's, you know, that's a never ending battle.
Perhaps you're absolutely right. If you really, if you just stop and think about it fundamentally. Okay, you have the bad guys over here, and they're spending, let's just throw a number out there, $50 billion a year for offensive cyber capabilities. I'm over here spending a mere fraction of that. They're gonna kick our butts every time, because they're going to be able to continue to do it because they have the resources to do it. I'm not saying we need to be at level 10 but we need to understand there's a gigantic disparity between their offensive capabilities and our defensive capabilities and we need to insist as part of that, Department of Defense, the .mil domain, and there's a lot of things you can be doing that we need to be doing and we need to be doing it by beefing it up and also making sure we have a cyber director. I think it's critically important.
Well I think I'm glad you brought up workforce, because that's a huge issue too, is we just have such a dearth of people that have the collective skills. I always think it's a little bit like how we hold the, a lot of our pilots come out of the military which is great, I feel safe on American flights, but we can only train so many people in the. They go to NSA and all these different agencies and we need to find a way to make sure that we're getting the pipeline filled with people that don't necessarily have to have military grade, they, you know, they can be great at that but we have a lot of areas where we just need people to understand how that information flows and get it to the right person so.
Not everybody needs to have a master's degree or a doctorate to do this either and that's one of the things we got to understand, and I think one of the things we're going to have to do, we've already started doing that, is we start drilling down into high school, maybe the middle school level, with curriculum. And it really is going to be that basic, getting people to understand, and understand the lucrative careers that are out there. I mean, if you're in the cyber domain right now you're basically a much sought after free agent. And we've got a, we've just got to understand, we've got to get more people in that field, we got to incentivize them to go into that field for sure.
Yeah, there's actually one of my, I just talked to Mika Young who's going to be the Deputy Assistant Director, or Deputy Assistant Secretary of Defense, and she just started a new podcast called To Catch a Hacker, and it really is, it's like there's so many good stories that are real you don't even bother to make fiction out of them, you just follow what's going on, and trying to figure out how to make that excitement understandable as an actual career would be a huge boon to getting more kids interested in going this direction definitely
Really, yes, those hacking, just hackathons and things are actually really, really useful. They recruit talent, they're very, very good.
Yes, this organization also does a lot of work with the Congressional App Challenge, I'm sure your office does. I'm getting a one minute warning, any last thoughts before we sign off.
Yeah. Listen, I mean, I do think, if you want to just say one thing in particular, it's that we have to understand that cybersecurity is not, like I said earlier, it's not about just fixing the patches anymore. It's interwoven with every fabric of our business and every fabric of our society, from medicine to our homes to our businesses, everything is tied to the Internet, and we got to understand that it's a much bigger and much more complex problem than just keeping a system safe, it's much more difficult and I think that it requires a very significant response and Bennie Thompson and I are committed to raising that as I going forward to raise that as an
American. We wish you a lot of luck, I'm sure a lot of people watching this would love to come in and talk to you about what's important in this area and we wish you a great next Congress going in, and thank you for being with us today.
Let's hope it ends better than it started
that way. All right, all right, turning it back to you all. Hi Jim, you're ready to take over, Shane.
Thanks a lot.
It was a great conversation. In fact, I'm actually going to have to replay that last bit about the job opportunities in cyber for my 15 year old.
Yeah, he would be great at it actually, maybe we can get him an internship on the committee.