SOTN2023-09 Cybersecurity Today: Navigating Current Threats and Challenges in the US
9:21AM Mar 12, 2023
Jameeka Green Aaron
We'll go ahead and get started. Thank you so much for joining. My name is Ricky George. I lead the cyber exercise and wargame program at the Chicago Mercantile Exchange, but I have the pleasure of representing the Internet Law and Policy Foundry here today as a Class 4 fellow and executive board president. We have a great all-star panel here for you today to speak about cybersecurity. So I'll let them go down the line and introduce themselves, their organizations and responsibilities.
Certainly. My name is Megan Stifel. Can you hear me? I can tell. I'm the Chief... sorry, I'm too loud. All right. Okay. Chief Strategy Officer at the Institute for Security and Technology. I'm also the executive director of the non-government Ransomware Task Force. IST is a 501(c)(3); we're based on the West Coast. We work to eradicate emerging security threats associated with technology, and we do that by bridging the gap between policymakers and technologists. Thanks for having me.
Hi, my name is Jameeka Green Aaron. I am the Chief Information Security Officer of Okta Customer Identity Cloud, and I also am the executive sponsor to the US Department of Veterans Affairs. I've been at Okta for a few years, and we represent both spectrums of digital identity: the workforce, protecting our workforce, and protecting our consumer base.
And this is Kathryn Condello from Lumen Technologies, as well as one of our sponsors. Thanks for being here. For Lumen, I am a Senior Director of the National Security Emergency Preparedness portfolio, and that position is within the corporate security sort of environment. It focuses on emerging and systemic threats that Lumen by itself can't fix. In my other day job, I'm also the Vice Chair of the Communications Sector Coordinating Council, and I work extensively with government in sort of an advisory risk management role in that dimension, and I do have the opportunity to work extensively with all the critical infrastructure sectors given that role. Given the topics we're going to talk on, you'll see I take most of my comments from sort of that public-private perspective.
So I'm Marshall Erwin. I'm the Chief Security Officer at Mozilla. So that job is what you would expect: leading the team responsible for protecting the company and making sure we build secure products, and also engaging in forums like this to make sure that we're building out a good cybersecurity policy agenda as well.
Awesome, great. So just to give you guys a little bit of a rundown on the approach for today's discussion: we're going to look back a little bit, talk about the current challenges and threats, and then look forward. Obviously there are some things hot off the press at ONCD as of last week, but we'll get there. But first, let's look back and think a little bit about some of the things that the current administration has done with regard to cybersecurity prior to the publication of the National Cybersecurity Strategy, one of those being the executive order in May 2021 around improving the nation's cybersecurity, which, of course, was published shortly after the Colonial Pipeline incident. But we can also talk about the Cyberspace Solarium Commission, which of course has kind of changed and morphed during this current administration. But I think, starting with Marshall, let's get some perspectives on: what has the administration been doing that you think is right, what are you thinking that they need to change, and just kind of a look back and your perspectives there.
So with the strategy published last week, I think it's really exciting because there's really a sense of momentum right now on these issues, and I date a lot of that momentum back to the executive order. The administration, I think, really was quite effective at stepping forward at a moment of crisis, taking advantage of that crisis moment, or a series of crisis moments really, to make a series of really smart decisions about what was going to go into that executive order. And it's worth giving a read to that, because it's actually quite unique: it's very in the weeds and detailed about precise security controls, things like that, that I think were really helpful and leaned in to the technical challenges here in a useful way, things like establishing multifactor authentication requirements, data encryption at rest, data encryption in transit, standard logging requirements, deployment of things like endpoint detection and response. Now, this stuff, to be clear, is not rocket science. These are the same things that we should expect most companies to really be deploying in their network. So it's worth pausing for a moment and asking why, when we had roughly two decades of cyber strategies, did we miss some of these foundational components? But regardless, I think that was a really quite meaningful step forward. And it's really critical context for the strategy, again, because the federal government really can't push the industry to do better if it doesn't have its own house in order. And I think that's really what that executive order did. And then to quickly comment on the Solarium Commission: what we've also seen, I think, where we've actually seen the most progress over the last two years, is just basic institution building. That's, I think, what a lot of the Solarium was pushing for: building the institutional capacity within the government, ONCD being the best example of that, but there are many others. And as a result, today I think the federal government has a lot more cybersecurity muscle than it did only two years ago. And that means that the executive order, the strategy, these aren't going to be just documents on paper; there's actually going to be a solid workforce capable of actually executing on these strategies and moving the ball forward, which really hasn't been the case for a long time.
Great. And Kathryn, I don't know if you have a perspective, some, you know, public-private partnership, or on a broader
I sort of have a long story arc, if you will. I'm old enough that I was around when they did PPD-21, where they created the critical infrastructure sectors and stuff like that. And they did it at the time because they said, wow, we really rely on critical infrastructure to do our thing. That was a big aha moment. Now industry has gone, yeah, you do. And as I watched that evolution over time, clearly, just as he was speaking to some rebuilding of the institutions, the institutions have been built. So that government, who does not bake, and who is not the bakery for the nation, is not the manufacturer for the nation, is not the water, you know, producer for the nation, you know, those institutions have changed and matured and evolved. And I think that it was perhaps with the Cyberspace Solarium Commission in particular where we really sort of saw for the first time, you know, bringing industry into this, because there was actually on this commission a private industry person. I would like to formally thank Tom Fanning with Southern Company in the electric sector for participating in that, and for using his position in that commission, and also his position as one of the chairs of the energy sector, to reach out to other sectors to go, you know, government's thinking about this, does this make sense? Because what government does does not necessarily make sense for industry. When the executive order came out, this is where Lumen, as a, you know, government customer, Lumen is a vendor to government, sort of went, oh, this is what our customers are going to be needing, this is what we're going to need to be supporting.
And as sort of an extensibility of that, you know, if our government customers are up to zero trust, well, we better be doing zero trust too. If they're doing SBOM, we're doing SBOM, because we have to feed them, they have to feed us, and we needed to stand shoulder to shoulder. What I look at, as I look at the arc, and with the newest cybersecurity strategy, once again I see sort of a common drumbeat. This is not a topic that is going away; this is not going to be an issue that we as a nation can avoid, defer or kick the can on. The environment has changed. And whereas it used to be happy, glad company, let's go create an app and, you know, rake in a billion dollars and I'm 12 years old, you know, now, okay, be 12 years old, create an app, but what's the security on that? So for me, when I look at sort of the long-term arc, what I'm seeing consistently is a drumbeat towards no, we really have to be much more sophisticated about these things. It's a whole of nation, in that everybody is involved. Back to you.
Now, that's a great perspective. Thank you. And Jameeka, from your perspective at Okta, right, you know, what do you think about what's happened in the past couple of years leading up to this new National Cybersecurity Strategy?
I think what the Biden-Harris administration, which we are grateful for, has done is highlight, and both of you have also highlighted, the need for additional public-private partnership. And what we're doing with this new executive order, and now the strategy, is taking the vision and putting it into action and actionable items and real implementation. And I think that there shouldn't be a panic around this strategy. I think that ultimately, when you set the vision, you are setting the path towards the future, and that's what this administration has done: they've set the path towards the future. And the future, how that manifests, is in many different ways. Right now, when we look at this space, 70% of global governments have already implemented at least one tenet of zero trust architecture. So that means they've even looked at identity, which is the first pillar; they've looked at design or device; and they've also looked at infrastructure and implementation. And they've said we have a plan to implement at least one of these things. What our government is saying is that this is the future. And so when we reinforce this with a national cyber strategy, or with the FedRAMP Authorization Act, which sets FedRAMP into law, we are saying that we are doubling down on that drumbeat that says yes, this is the future, cybersecurity is important, it's not going away. Not only is it not going away, we would like to see more by design: we'd like to see secure by design, we'd like to see privacy by design. And I think that this new strategy that's out is really honing the path ahead.
That's great. That's great. So maybe from a civil society perspective, you know, what have the last few years been like? You know, what are your comments on what the administration has done, the EO, and things leading up to today?
You know, I think, to echo the points that some of the other panelists have made, I do agree that it's been a steady drumbeat. I will take the Wayback Machine further back to the CNCI, which was the Comprehensive National Cybersecurity Initiative. Some of us called it Lucky 77. And there, you know, this was 2008, 2009, you really see the government starting to organize itself. Now, finally, I think these strategies today are really talking about the need and the essential role for public-private partnerships. So we're pleased to see that, you know, and so I think I'm cautiously optimistic. I do agree that a lot of the tempo and the messaging is consistent. And so I think one of the things that hasn't been highlighted by some of the panelists is, whereas before you would see government saying you need to do all these things, now, thanks to a number of legislative successes over the past 18 months, 24 months, there's actually money behind some of those "you should do this." I'm thinking in particular about some of the monies that were allocated in the infrastructure protection, or excuse me, the infrastructure bill, rather, getting out to state and local entities as well as private sector actors, civil society, etc., to help them shore up their cybersecurity, so they can do things like zero trust or have the capacity to log so that they can report incidents. You know, the Solarium Commission, we mentioned a couple of, but there, I was looking quickly, because I knew this was one of the questions: as of last fall, they were counting I think 60% progress on their recommendations, with over 25%, I think, we're 60 plus 25, we've got 85%. Now we have the strategy. So that's another kind of success that the Solarium Commission, I think, put our nation on, and I think the new strategy sets us up well to continue to carry forward those objectives and really get to a better place.
Absolutely, yeah. I think, you know, it's important to look back a little bit, but then also discuss kind of what are the current challenges and threats that the administration is facing. And I think, you know, in preparation for today's discussion, Megan, I'd like to kick it to you to kind of set the stage on, from your perspective, what are some of those current threats and challenges, building upon, you know, what's been done in the past from the legislation perspective?
Sure. I mean, I think, you know, certainly not much has changed in some ways, in the sense that we're still talking about the Big Four: Russia, China, Iran, North Korea. What has changed is that they haven't slowed down. You know, the pace of particularly Chinese activities continues and continues, and we can talk about balloons. I actually live in South Carolina, a little secret, and didn't see it go down. But the number of incidents that we are visibly seeing now from China, whereas before, you know, we're on the Wayback Machine, from when I was in government, I would go around telling industry, you really need to be worried about the Chinese, and people would sort of look at you like, what? So they are not going away. I think what I hope folks are also focusing on, though, is, before I get into that point, you know, what are we worried about with North Korea? Right? Well, among other things, they're hacking cryptocurrency exchanges and the like in order to be able to fund their WMD program. So as we think about not only the security of the Internet, we think about the security of digital assets. And so, wanting back to the great accompany in two minutes, well, what's the security of your exchange piece? And as I mentioned when I introduced myself, I do serve as the executive director of the Ransomware Task Force, and the message really is to say ransomware has not gone away just because Colonial was almost two years ago. Ransomware continues to be a major problem. The reason we don't see it as much is a multifold set of issues. But I think, among other things, we should not grow complacent, both on the ransomware front but also on the scale and scope of Russian activities. Many will want to say that, look, you know, we didn't have cyber war in Ukraine. Well, let's not be naive about that. A lot of credit, I think, goes to the administration for getting the Shields Up campaign going and helping industry prepare and know what was coming.
Likewise, a number of other industry partners have really worked to support the Government of Ukraine and others in country to help shore up and make their infrastructure more resilient. So, not nothing. No good news there, unfortunately.
Definitely, yeah, bad actors are going to stay busy as they always do. You know, Marshall, from your perspective as a CSO, what are some of the current challenges or threats that you're considering today?
Yeah, so I'll just say the threat environment is still just extremely challenging. And from my perspective, you know, we just see that on a daily basis. I'm the guy that gets the call at 12 midnight, you know, when my team says, hey, we've got a problem. And it just keeps us jumping and moving constantly. I think just from a defensive perspective, you know, most enterprises today are very complex, and that includes Mozilla, but I think it's the various pieces of technology that we have integrated into our internal network, and then the vectors that that creates for compromise, that just create a very challenging environment for us. As you combine that with just a diversity of threat actors, even when you're not including the potential state actors, which are the most sophisticated, which are the ones that are going to get in and have persistence, it's still very challenging. Like I spoke earlier, I think we've made some real progress at getting the defenses up, both in industry and in government. But there's still more left to do than we've done, and it's still pretty challenging.
Absolutely. Kathryn, you spoke about, you know, some of the sector coordinating bodies. I'd be interested to get your perspective on, in those communities, what are some of the key challenges and threats that you guys might be discussing amongst yourselves?
What I have found, I've been doing this stuff now for about 10 years, thank you, Lumen, it's an environment where, you know, I'm communications sector, you know, I'm a big ISP, I'm a global backbone, you know, and then there, in my sector at least, you know, there are small network service providers that have literally, you know, 35 employees, and they take care of 5,000 square miles in Montana. Okay. So two different sort of scale things. So we're always trying to reconcile sort of the, we understand, I see philosophically what the threat is, but how do you manifest, you know, so what are you going to do about it? And there's always a lot of reconciliation, even within the sector, even between the cable guys, the wireless guys, the wireline guys, the satellite guys, the broadcasters: what's our solution? What's our approach for fixing it? And then you have to add the added dimension of, you know, small versus big. Well, that's just one sector. Let's get to 16 and 18. And so while you can see the intent, and you see the goals of government to reduce risk, mitigate, increase resiliency, being able to create a taxonomy so that the energy guys are doing this, and by the way, the nuclear guys are doing 1A and the oil and gas are doing 1B and the electric guys are doing 1C.1, if they're generation versus distribution versus transmission, you start to see sort of, to your point, the complexity of trying to reconcile: this is the goal, this is the objective, now how do we all interpret it so that we can all move towards that goal? I think the biggest challenge to the threat is not so much that we don't understand the threat, but can we move quickly enough, and in sort of a, not a lockstep, but in sort of a steady-step fashion, so that all of us are, you know, raising the boats at the same time? That's, I think, the struggle.
Yeah, absolutely. And Jameeka, as a CISO, similar to Marshall, I'm sure those late-night calls are nothing that are foreign to you. I'd be interested to get your perspective, especially in relation to authentication and the work that your company does addressing threats.
Absolutely. So I think one of the things that we've done really well is we're really good at protecting the workforce and protecting our employees. But what this new cyber strategy is saying is the accountability for protecting the consumer is also our responsibility. And I think at Okta, we really take that responsibility seriously. So what am I seeing in this space? I like to call them my big three. We have a report called the State of Secure Identity; it's focused specifically on customer identity and access management, which is the CIAM acronym. And what we're seeing in our big three is fraudulent registrations, which is actually going in and taking advantage of one-time-use passwords, credentials, and actually aligning those to the threat actor's intentions and doing fraudulent registrations; credential stuffing, taking advantage of the idea that users are creatures of habit, and so when you are able to compromise one set of credentials in one environment, you lift and shift those over to another environment. Credential stuffing is incredibly successful. It accounted for over 30% of logins within the first 90 days of 2022; we're seeing similar but higher numbers in 2023. And then finally, fraudulent registrations, just focused around an MFA bypass. So both of those two together focused around this idea that people get tired. They have MFA fatigue, and so they're starting to use lighter vectors in that space. And so what are we actually doing about that? Because the accountability is on us, really enabling use of frictionless access to consumer spaces. So what does that actually mean? Enabling CAPTCHA, enabling one-time passwords; biometrics are going to be critically important. Enabling the use of frictionless login technologies in commercial spaces is really going to be a big deal. And that's the work that we're doing. I think that the accountability is on big business to really be focused on protecting the consumer.
And so that's the space that I'm really looking at right now. My team is always busy; the nation-state actors are pretty thorough. They're working together. And I think, you know, when I think about what are the organizations that are going to help us do this work, one of the reasons why you're not hearing about ransomware as much is because CISOs aren't disclosing it. And the reason that they're not disclosing it is because when we disclose, it's often punitive. We have to get away from this idea that it's punitive and understand that the collective is better than any one individual organization. And so when I think about working with organizations like Jen's, you know, certainly over at CISA, they are making it so that things are not punitive for us; we're able to disclose. And one of the big things that's in the news right now is Dole. Dole is suffering from a pretty significant attack. And there should have been a rallying cry of security professionals throughout industry to come and help Dole. Dole is critical infrastructure with our food. And so this is something that didn't rise to the heights of SolarWinds, but maybe it should have, because it's critical infrastructure.
That's a really good point. And I think it's a good place for us to transition now to the new cyber strategy that was published last week. You know, before going into that, I think it's important for those that maybe didn't take that on as a reading assignment over the weekend: there are five key pillars in that report, right, the first one being defending critical infrastructure, the second being disrupting and dismantling threat actors, the third being shaping market forces to drive security and resilience, and then also investing in a resilient future, and then forging international partnerships (oh, can you all still hear me?) to pursue shared goals. Right. And so that is vast; those pillars cover a lot of territory. I think it will keep people busy for a long time, right, to consider challenges and things in that area. But I guess starting with you, Megan, I'd like to get your perspective on, you know, what did you think of the report, right, what's in there that normally tracks with what you're looking at, what's not in there, what surprised you? I think your kind of first reaction.
My first reaction was, I think it's bold in all the right ways. It is carrying forward, as Kathryn said and others have said, the common messages and common best practices and common elements of prior strategies. But where I think we are finally, it took us longer than many of us would have liked to get here, we are finally to a place where we're talking honestly about incentives in the marketplace. So I think that the thing that most pleased me, in addition to the incentives piece, and thinking about giving a dual-track approach of putting responsibility in the right place with regard to security, and particularly thinking about software development but also hardware development, but also thinking about safe harbors: there are a lot of companies that do the right thing, and they shouldn't be penalized, to your point, for having done the right thing and still fallen victim to the nation-state actors. We, as an organization that has been supportive and advocating for closer collaboration between industry and government, are particularly thrilled with the disruption piece of this. Operational collaboration is something that we can do very well as partners, but we are still suffering from some limitations when it comes to scale and consistency. We still need to build capacity, both within industry and government, and between these two stakeholder groups, and I believe it's a much broader stakeholder set than that, to do disruption, get information in the right hands and, you know, not to sound too militaristic about this, but take the fight to the threat actors in close collaboration. It's not that we're doing everything and every second together; there are very good reasons why certain information doesn't leave certain places. But that shouldn't be the norm, and that shouldn't be kind of the rule.
And I think it's particularly refreshing and optimistic to see the administration take this idea on of saying, you know, at the bottom of the discussion around disruption, we're going to get through some of these administrative barriers, because there is a will on both sides of this. It's not even an equation; it's the plus-plus-equals side of this. And, you know, where there's a will, we know that there's a way. So I was pleased to see those aspects in particular.
That's great. Now, I like that: taking the fight to the threat actors. I think that's something we can all get behind. And Jameeka, go for it. What's your perspective on the strategy?
On the strategy, I think that the government is about the people. And because I'm an identity company, I'm like, we don't do technology just for the sake of technology; identity is about the most important aspects of who we are as individuals. And so this is about the people for us. And so, you know, to mandate zero trust architecture as one of the key tenets is critically important. What I think it also highlights is that yes, there is a deeper need for public-private partnerships, there is a deeper need for accountability and where that sits, but also, how are we actually going to get that done? I think one of the ways in which we do that is neutrality. Vendors have to work together; we have to have ways in which we can implement interoperability. And so being neutral is going to be, I think, a big part of how we actually do that implementation, and how we hope to feel that. It's also how we're going to take accountability. When we have partnerships with other organizations across the board, and different types of organizations, whether they're NGOs or whether they're Internet service providers, or whether they're another vendor like us, I think it's going to be critically important that neutrality will allow us to look at our intelligence signals, look at threat postures and threat actors, and really allow us to build products that actually protect the people. And so, oh, I'm excited about the new executive order.
That's great. Oh, that's really good to hear, I think. Absolutely. Yeah, I think collaboration is really important, and that interoperability as well. Um, Kathryn, what's your perspective?
I listened to the conversation, and I sort of feel like, you know, we're having this conversation on sort of a very strategic level, and then we're having some more, you know, let's planning it kind of thing, and now we're at the tactical level, you know. And sometimes, I think, for many people who follow this, you know, which layer are we talking about right now? So I'm going to talk not at the tactical level, but one level up. What I found most encouraging about the cybersecurity strategy is, once again, it was very extensible from, you know, work from way back when: you see CNCI, PPD, you know, the Solarium Commission. And when they're talking about the operational collaboration now, you are clearly talking to sort of like operational collaboration in terms of interoperability between systems or products or services. Cool, okay. Here I'm sort of talking about, you know, here's the interoperability or the collaboration between entities who have visibility and capability in the cyberspace to work together, to respond, to see, to address, as well as to be able to do that with government entities who also have visibility and capability. And we saw most of that work sort of kicked off in CISA's Joint Cyber Defense Collaborative. It's now been in play for more than a year or two, I've lost track. Lumen is one of the Alliance members. And it's been fascinating to watch, you know, what does it mean to collaborate? Folks, I just want to tell you right now, yeah, we're on all of the channels in that environment. You know, it's quiet, it's quiet. But what's so amazing is to know that if something bubbles up, there are 22 companies on standby who are sort of monitoring, monitoring, oh, I've got stuff there, I'm seeing that, to come together, sort of figure it out. So this sort of, you know, it's a new practice at a higher level.
It's not, it's sort of a, you know, is it interoperable between, you know, Apple and Microsoft OSs and stuff like that. This is sort of the icing: can I contribute to solving this problem? I see that. Can I contribute to solving this problem? And the fact that there's now a domain where one can do that, and not only work with, you know, some of the most capable, agile entities, but also to be able to collaborate with government, has been amazing. It was incredibly fruitful through the Russia-Ukraine for situational awareness. It was fruitful in terms of mitigating some of the issues that were happening overseas. And definitely one where I think we will continue to sort of build on those playbooks as we move forward.
And I think the interoperability that you're talking about and the interoperability that I'm talking about are the same, because we're feeding signals at different levels. And so there's this tactical level that feeds signals at upper levels. And so I'm talking about a more foundational interoperability. But I am also speaking to organizations like Cisco, where when we have that level of interoperability at a foundational base, we also have it at the higher levels.
That's kind of... Marshall, from your perspective, right, what stood out to you from the strategy?
shift back to the tactical level, maybe even like the more tactical keeping straight about where he was. So the two things, I want to call out little pieces of the strategy that I liked a lot. The first was the call out to support modernizing the core Internet protocols that drive a lot of how we communicate online today. So one of the key pieces that didn't call us there was the DNS system, which is just incredibly out of date, Mozilla, we've done a lot of work to build, basically a more secure DNS system called doe, or DNS over HTTPS. And we have actually deployed that in the Firefox browser. But it's been a very heavy lift for a variety of reasons. So if you're a Firefox user, your DNS queries when they leave your device are encrypted. For the rest of you, however, they're probably still leaving your device in clear text. So good call out to switch your browser, but also why I think this focus on the underlying security protocols of the Internet aren't really quite click critical. The other piece I want to call out is we've mentioned earlier, the software liability focus, which I am both excited about, but also a little nervous about excited because I think this basic idea that companies need a stronger incentive to build products usually is right. And so putting like a liability structure in place, there, I think, is a pretty sensible approach. The challenge, however, being and I think everyone already knows this, all software has vulnerabilities. And so you need to create a safe harbor such that as long as you meet us some baseline set of security controls, if you meet that baseline set, you won't be won't be liable. And then the challenge then is okay, what's the baseline? I think that's really going to be a challenge. And like I said, it's going to be easy to get wrong. So for example, Mozilla, we have That was the first private bug bounty program in the country almost 20 years ago. 
So that's a good indication: that's a pretty standard requirement. Everyone knows what it is. I think that's the type of thing I would like to see in that safe harbor. But the list will get longer and longer, and as it gets longer, it gets more complex, and the more complex it gets, the more failure-prone it's going to be. So we really need to set that threshold correctly.
Yeah, absolutely. So before we go into questions from the audience, I want to look a little bit further forward and get your perspectives on what might be on the horizon. So Katherine, I'll start with you. With this new strategy being released and enhanced, what are you looking forward to, or thinking about trying to drive forward, with regard to Lumen or broader sector-wide efforts? What's on the horizon?
I think there are two key elements, and you pinged on one of them in the strategy: the relook at the underlying Internet protocols. Wow. That means we have to get the entire world to change. Okay. So I know that the focus, sort of at an advisory level right now, is going to be: what's the problem you want to solve with DNS, or Border Gateway? What's the problem you want to solve? Because these are going to have to go through global standards to be able to be reconciled and put into computers and operating systems. So this is a big, big problem: being able to have a clear vision of what the goal is as we start to evolve these relatively old standards into something that's next generation. That's going to require a lot of talk in a slightly more, you know, "okay, we need to start moving on this now" mode. We're also thinking very much about the post-quantum environment. So if you haven't already started figuring out where all your data is, where that data resides, who has it, how much you care about it, and what's currently encrypting it, so that you can at some point, because it's a big yin-yang between your vendors, your partners and your suppliers as to what the quantum-resistant algorithm is that's going to be used and that you're going to have to put into your system. Well, you'd better start thinking about it now, because I think it's better to be prepared and to know what you're up against. So we're all in sort of a pre-quantum Y2K mode. Back to you.
Yeah, absolutely. So what's your perspective from Okta on what's on the horizon? What are you thinking about, looking ahead?
Digital identity. I don't know what... okay, there we go. Digital identity, I think, is the wave of the future for us. At Okta, we're looking at workforce. We have two clouds: Workforce Identity Cloud, which is focused on workforce employees, and Customer Identity Cloud, focused on the consumer. Digital identity, I think, is the future. And it really relates more to the privacy of the consumer itself and their right to be forgotten. And so we're looking at that, we're looking at data sovereignty, we're looking at the ways in which we can enable identity to create those safe spaces for the consumer. And so digital identity is going to be big for us in the future. It's what we're looking at; we're doing a lot of research and understanding how technologies actually work together. Because I think this is something that we can get out of the gate on. Obviously, I work at a cloud-native, remote company; we're way out there. But we also know that there are a lot of organizations that need to be brought along. And so we're not just thinking about it from this space of what's going to happen in the future, but we're also thinking about how we help incremental change happen in organizations where they're not quite there yet. How do we look at DNS again? We're thinking about the past as well as the future. But we believe that digital identity is one of those big investments that we have to make for the future, and our investment is in protecting it.
Absolutely. Yeah, I think it's certainly a bedrock of things going forward. Megan, from the social, sorry, civil society perspective, but also building upon that: you talked about threat actors not going anywhere, right? A lot is continuing to happen and will continue to happen. What are you thinking about? What's IST doing, looking ahead?
Sure. So we are continuing to implement the recommendations from the task force that we convened almost two years ago now, and we'll stand by for more, but we'll have an event to talk about those, the progress that's been made, hopefully in May. But among the things that we're working on, in the work of the task force, is to look at hygiene. So we developed something called the Blueprint for Ransomware Defense, thinking especially about small and medium-sized enterprises: how can they better equip themselves to manage ransomware, probably when it happens, not if it happens. And we're also looking at how the ecosystem is dealing with information. I think you mentioned CISOs are not reporting ransomware incidents. Why is that? There are, you know, numbers of reasons. But there is a lot of data out there about ransomware, and it's not getting into the right hands. And we can't really develop both technologies and capabilities, from the consumer to the network level, to withstand those incidents if we don't have the information. We also can't deploy instruments of national power and seek to develop and deepen relationships internationally to manage those incidents if we don't have the information. So we're trying to push forward on digging deeper into the ecosystem and figuring out where those silos of information, unfortunately, still reside, and how we can better equip those who do have the information to share it appropriately. In terms of the strategy, another area that we're beginning to start some work in is around open source. So the strategy talks about the responsibility and the need for renewed attention on software development, but particularly thinking about open source. And we will soon have a paper out talking about our recommendations on where the open source software security space is and where we think there needs to be continued progress.
And the last thing I would say is this idea of public-private collaboration, really around operational collaboration, so not just sharing information, but let's take action based off of that information, respecting values, privacy and civil liberties. But as I said a few minutes ago, thinking about how we can not squabble amongst ourselves, but take that squabble to the threat actors who are really pushing at that seam between industry and government, not only domestically. If we think about the Counter Ransomware Initiative, it's terrific: we have 35 countries plus the EU, or 34 countries with the EU, I can't remember which. That's a great coalition that's been built, and I know that the administration is keen to expand that coalition. They have a number of priorities, including, you know, policy issues. And in many cases, I think we're at the kind of top-level agreement around policy and the need to work between industry and government to reduce the risks from actors who operate from safe havens. But we also need to continue to build that trust that allows us to act on those common policy objectives.
Absolutely. Marshall, what are your thoughts on the road ahead?
Yeah, so just to maybe close out with one gap that still concerns me. We talked about the executive order earlier; one additional focus in that executive order was on supply chain, obviously in the aftermath of the SolarWinds attack. There's a lot of focus on figuring out how we can build a more robust supply chain. And I think there are still bigger gaps there that we need to be mindful of. The type of solutions that we've been exploring in that solution space is just not very good. Those solutions tend to be very compliance-heavy and process-heavy, which I think in the end is not great, and tells me that we don't have good technical solutions there yet. And so I'd love for people to give more thinking to what the right set of solutions is that gets beyond the compliance burden for a lot of companies, because that's still, like I said, a big, big gap. I think what that executive order did is make it more likely that when there is a compromise, it will be detected quickly and responded to. But I think it probably did less of a good job of actually preventing an initial supply chain compromise in the first place. Not for lack of effort and a lot of good thinking, but just because, like I said, the solution space is not great yet.
That's important. I think that's a good perspective, and a good time for us to pause here and see if our audience has any questions. Take advantage of a great opportunity to get some insights from our thought leaders here. I'll open it up to you all.
So nice, white bear.
Is there something I'm not seeing back there? Can we go ahead and stand up?
Pretty good today by just talking a lot, actually. And somebody said how thank you guys for wanting to cancel those really well might have to syndication at the administration is reroute in a whether the danger then features hybrid splinternet. That is such a maturation because we shouldn't be looking at Joe to fill is such a partial sector in Atlanta responsibilities that they carry and trying to help sooner. I want to throw this a little bit. How about we have these issues around privacy elite Williams, or super late at questions up at the error or the you know, what happens when we don't have responsible governance for partners? Potentially, it'll light up bizarro world, for instance, of how you blame that despite one side it was like I did with the access or you know, you have centralized master data and etc. So like, do you have more Nisha states can well as a follow up to the cast and gotten there yet. Do you think it's something that the people have to focus on?
I think we have gotten there. I think, you know, the legislation around data sovereignty and privacy isn't new; GDPR isn't new. And I think that when legislation is enacted that says that we must protect privacy, then that's the legislation that we have to follow. So for us, as an organization that focuses on identity, our goals are the goals of the organizations that we support and that we build for. And we're a global company; we do 40 to 50% of our business internationally. And so privacy isn't a new part of it. I think it is starting to be a consumer expectation, one that we have to live up to. And so whatever organizations and companies we support, we also have to support all the legislation around privacy that relates to the consumer. And so yes, we're thinking about it all the time, because it's the same privacy that's violated in the way that you speak of. That's what the threat actors are looking for. They're looking for critical information around users, they're looking for social security numbers, they're looking for even IP addresses, which in many countries are protected by privacy law. And so it really is up to us to be thinking about this, and we are. And so we really want to make sure that the legislation around privacy, the laws around privacy, we implement that into the design and architecture of our products, and we are doing that. Again, identity is about people; it's not technology for the sake of technology. And so our number one goal is to protect the people that we serve.
For those that do: do any of the panelists have any concern about the expansion of the concept of security, cybersecurity, beyond some of the technical zone of understanding, well, the CIA: confidentiality, integrity and availability? Now we see that trade relations are being defined as national security, that we are trying to control the development of technology through export controls. Do you have any clear idea about where this leads, or what the theoretical basis is, in terms of its understanding of how national security is related to the technology that businesses develop?
I think that's an interesting comment, because one challenge that I see is that cybersecurity is kind of everything security. And what that means in practice on a day-to-day basis is that it's easy to take your eye off the ball. So, as a general matter, I think the expansion you're describing is actually appropriate. Cybersecurity is core to national security. But, as I mentioned at the outset, how is it that the federal government didn't have basic security controls in place? Right? Like, someone took their eye off the ball at some point. We like to talk very big and think very big about cybersecurity; like I said, it seems to implicate everything. And I would love to see that as we think big, we're also able to execute on a tactical level. If we're able to do that, then I think the breadth you're describing is fine. If we're not, then we should narrow down and actually get some progress in the tactical areas.
I think, you know, right now we still have arms of government globally who don't use multi-factor authentication. And so when we look at this executive order, I'm looking at it at the base level. I'm not looking at it to be evasive, or to obfuscate information that should be available to the public; I'm looking at just the basics of protecting identity. And this is just, you know, when we think about what threat vectors and what attacks are effective, employees are still the number one threat vector, and they're still the number one payload delivery, and a lot of that can be protected by multi-factor authentication, which we still don't have widely deployed. And so, to your point, you're thinking super high level around our ability to make information available, and we're looking at the base level: just get these base-level controls in place. That's where we are right now. We're looking at a policy that says, let's get these base-level security controls in place. I think, yes, as we grow, this is something that should be of concern. But right now, we're just not there. It's still, you know, really, really basic, rudimentary cybersecurity.
And just one follow-up on this. We're already in an environment where we have gone from using cyber for cool things to using cyber to run everything. And if the nation as a whole, with government as a leader or representative, if you will, still isn't doing the basic things, then we have put ourselves in a position where our cybersecurity practices undermine our ability to do business, to do whatever it is we do. And if we have not paid enough attention to doing the fundamental core things that make our company, whatever makes it important, whether power or whatever, if we haven't done those basic things, then we're undermining our economic security. And if our economic security is undermined, because power goes down, or another Colonial explodes, or there's another big problem with one of the major operating systems, then we as a nation are in an undermined position, and therefore that impacts our national security. So I see the string, but to their points, you know, you have to start with: did you lock the door?
And so in this question of, is there an end to this, or is it everything, it's the values that we ascribe to and having coalition partners who share those values. So where the United States and its partners are thinking about implementing core principles of security to advance economic security, the value there is around individual privacy and security. In the national security sense, for the United States and its partners, it is not about regime stability in the sense that the authoritarian countries think about it. So the values that we articulate as Western countries and as partner nations, I think, is one of the key distinctions between our approach and a trade policy that might be coming from other parties at the table, who may say the same thing but don't have the same meaning behind it.
And so, appreciate data from potholes. So the previous that move this get this book was about a few of them in the Saturday and metaverse came out. So my question is, with all of those feats technologies and intuitive kind of use, how does how does that get back to how you pick about cybersecurity? And not is that the type of radiation of course Pingala G's aprilat would say we need our radiation endpoint issues be people that you discover as?
Well, I mean, I am excited about AI and machine learning technologies, but I also worry. I think worry is an innate state of a CISO, and so, you know, that's just a part of the fiber of who I am. I worry, because with every new technology, the threat actors are always thinking as much as we are about using it. And so I worry that we will not get ahead of the awareness around what can be done with AI. I worry about source code being dropped there; I worry about its ability to code very quickly and very accurately. So I worry, in that space, that it will become another threat, another vector for threat actors to deliver payloads, to deliver into our code and into our by-design process payloads that potentially could turn into a SolarWinds or a Stuxnet. I do worry. But I also believe that it is our job, while we worry, to also continue to drive innovation. And so for us, ChatGPT is one of our new customers, and they are flexing our engineering team in an incredible way that will enable innovation through the login box. And so while I am worried, I'm also balancing that with the idea that the greater good is so much more important. And so yes, I worry, but I worry in the same way that, at some point, our CIC or Auth0 technology was also the thing that people worried about. And then we came in very quickly and said, no, we're going to shore up security for it. I think we have to do the same. If we don't, it will become, you know... and I hate to use this example, but it's a great example: people really loved that Bitcoin was unregulated. They loved it until they didn't. And now the fact that it was unregulated and uninsured has become a really big problem for citizens globally. We don't want ChatGPT to be the next FTX. We don't. And so if we don't want that to happen, we have to engage early and often and make sure that it doesn't become our next big, big threat vector. So I'm excited about it.
But I also know that there's a right level of worry around security.
To your point, I think one of the points that's articulated in the strategy, and I think also in the speech that Director Easterly gave at Carnegie Mellon last week, is this idea of where we advance security around these new technologies. Are we, as civil society, industry and governments, at those conversations around the standards development organizations? And I think, unfortunately, I fear, I worry that we are now playing catch-up a little. So we're coming from a deficit. But what I heard in the strategy and in Director Easterly's speech last week was really kind of encouraging industry, again, to come and regain the kind of leadership role in the standards development organizations, to articulate a number of things, including the values that we are building into companies, and harnessing those values and advancing innovation that is actually consumer-centric and privacy- and security-enhancing.
Can I just jump in quickly on this? I'll just say, I really appreciate these comments. The contrast to cryptocurrency, I think, is interesting, though, because I will highlight, sorry, just to be a little sharp at the moment, that blockchain is kind of a useless technology. And so when the market there collapsed, the potential implications were fairly contained. This technology that we're talking about here, well, it's still very immature, and it's, I think, actually pretty far from being productized in a meaningful way. It's going to touch everything eventually. And exactly what that means for our jobs and everybody's jobs, I think, is going to be really dynamic, and I'm sure it will have some interesting implications for our job, just like everybody else's, because I think the technology is pretty remarkable.
Mike Nelson with the Carnegie Endowment for International Peace. Thirty years ago I started working on encryption policy. It's even more screwed up now than it was in the Clinton administration. And the main reason is because of my favorite phrase, "when policies collide": we've got three different agencies all pulling in very different directions. And we have the same situation in India, the same situation in the UK. We have a similar problem with vulnerability disclosure. Cybersecurity people want to know where the problems are; certain other agencies want to be able to exploit them. So my two-part question, for anybody that wants to answer: is there any country that's actually going to resolve this collision of policies? And if there is one, tell me who it is, and whether they'll do it right or not.
Let's see, who wants to take that on? I think that's an interesting question.
And it's interesting that you say it's worse now than it was before. I actually think in the States we've made more progress, and actually the challenge I see is global. We've had a very robust debate here for a long time, and that hasn't landed in any particular statutory framework. But I think there's sort of a detente at this point where everyone's like, you know, actually, the cybersecurity world's kind of a mess; we're going to be pro-encryption. That's, I think, where we've landed in practice. That's not the case globally. The vulnerability disclosure piece is a little trickier. I also think there was progress there almost four years ago, with the VEP, the Vulnerabilities Equities Process, starting to mature. And that seems to have receded a little bit. And I think if we look under the hood at what's really happening in government, I suspect there's been some backstepping there.
Yeah. And I'll add, the UN had their cyber stability conference last Friday, right? And there was a lot of discussion, not so much about vulnerability disclosure, but about attribution, which is also one of those really hard topics. And you think about the dichotomies that you spoke to, around people trying to exploit vulnerabilities and people wanting to understand what they are and what they mean for their organization. So I think there's a lot of tension around these topics. To your question around a frontrunner emerging, I think that's a pretty difficult proposition, to try to read the tea leaves there. But it's something that I think the industry collectively is cognizant of and trying to work through, and there have been some wins in those spaces, including spaces identified in the cybersecurity strategy, for example. I think we have one more question; you'll be our last question.
Mr. What are you a little bit or talk about global coordination of national strategy on state level legislation, private sector responsibilities to protect individual consumers and using an infrastructure or affording stations working hours as levels? But what is the expectation from building open government, specifically, local law enforcement capacity to engage and cybersecurity to Benson's? If it's not possible, you know, why should we give up on that particular aspect of this cybersecurity and subtract,
I can take a quick stab at that. One, there is a State, Local, Tribal and Territorial Government Coordinating Council that we do get to hang out with a little bit. What we increasingly see, as industry, as the critical infrastructure sectors, is the desire and the ability and the willingness for federal goals to be manifested in grants, monies, whatever, which end up being administered at the state level, which end up harmonizing some of the, whether it's resiliency goals or cybersecurity goals, in not only their own state-level or local-level infrastructure, but also some of the infrastructures in that area. Certainly the broadband grant program is a poster child for that. Where I think the frustration arises, and it's a frustration shared by virtually every company on Earth unless you're someone the size of Google or something like that, is that it's not your normal job. This is not your normal job. And so I think what we're increasingly seeing, and I think it's teased out certainly in the Solarium Commission as well as in the strategy, is the idea that those who have the capability need to make it as streamlined and as easy as possible, to be able to, whether it's lock down the K through 12 systems, or alternatively to have the local county police understand and know that that data center around the corner is really important, and if you see weird things in the area, you might want to answer the call quickly. We are seeing that be extensible, that going deep, increasingly. Are we there yet? No. But the fact that we're seeing it, we're seeing it manifested in exercises, we're seeing it in grant programs, is, in my mind, huge progress.
I would add that this new strategy is one that can be adopted at the federal, state and local level. It's not one of those strategies that is so granular that nobody can figure out how to do it. These are simple, high-level, not even high-level, these are simple foundational recommendations around how cybersecurity can be implemented, how data can be protected, how it can be encrypted at rest. These are really simple. And so for a federal, state or local government: multi-factor authentication, zero trust, these are things that everyone should be thinking about for the future. And so federal, state and local governments shouldn't feel like this is too hard for them. This is the type of strategy that will allow for a leader-follower model. And I think this is one that we should really take a look at and say, they've got it right at the federal level, and so this is one that we should follow.
Or, you know, for those who don't know, Craig Newmark, the philanthropist, has stood up something called Cyber Civil Defense. And so he's looking at equipping civil society, largely nonprofits, to better secure themselves, and supporting us and a number of other nonprofits in helping to push security down to the local level. Where I think we still need to evolve is one of the points that you made: local law enforcement is still not in the position it needs to be. And I think we do have a bit of... I think Director Easterly and her predecessor Chris Krebs would say that CISA's role is in the field, and it really needs to be CISA and FBI working with their local partners to bring the defensive narrative to the local level, and to think about how we can build the capacity of local law enforcement together with their CISA partners. You know, we need to be in a place where we are with natural disasters. FEMA knows what to do, and probably everybody here knows, I live in a hurricane region, what I need to be doing to get ready. We still have a little bit of a way to go. And there are things that we can get in there, capabilities that consumers and locals can use, but we still need to get them in their hands and have them be able to maintain them.
That's great. Something certainly to work on. Well, I think we're standing now between you all and lunch. I want to thank our panelists. I think this was a great discussion; really appreciate it. And thank you all for attending.