Future of Digital Security

Hack the Plant Episode 37: The Case For A Cyber Force

July 23, 2024 – In this episode, Bryson sits down with Mark Montgomery, Senior Director at the Foundation for Defense of Democracies. For three years, Mark served as Executive Director of the Cyberspace Solarium Commission, created by congressional mandate to develop strategic approaches to defending against cyber attacks. Now, he directs CSC 2.0, an initiative that works to implement the recommendations of the Commission. 

What were the key recommendations of the Cyberspace Solarium Commission? What are the politics of cybersecurity? How do we ensure that our international partners have the same level of resiliency and recovery that we have domestically? 

“We’d like to fight our adversaries overseas. That means we have to fight with and through our allies and partners. So they have to have strong critical infrastructure as our forces arrive and execute their missions,” Mark said. 

Join us for this and more on this episode of Hack the Plan[e]t. 

Hack the Plan[e]t Season 4 is brought to you by ICS Village and the Institute for Security and Technology. 


Transcript

Bryson Bort: I’m Bryson Bort and this is Hack the Plant. 

For today’s episode, I’m joined by Mark Montgomery. Mark serves as senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, where he leads efforts to advance U.S. prosperity and security through technology innovation while countering cyber threats that seek to diminish them. Mark was previously Executive Director of the Cyberspace Solarium Commission, a congressionally mandated effort to develop a strategic approach to defending the U.S. in cyberspace. We kicked off Season 2 with Mike Gallagher, who was instrumental in setting up the Cyberspace Solarium Commission. Now, Mark directs CSC 2.0, an initiative that supports efforts to implement remaining CSC recommendations. 

Mark Montgomery: …no one can argue with the fact that the current force generation model’s not working. I have yet to have anyone come up and say, Mark, your premise is based on a false premise. Even like Paul Nakasone, who really did not like what we were pushing, the former Cyber Command Commander, someone who did a great job at Cyber Command, would say that the status quo is the only option we can’t go forward with. But the problem we have here is, the people you’re trying to recruit for cyber, those kind of people are not the same people you need in infantry and armor units and flying F-22s, right? Force generation is just one of these things that most people don’t look at. But it’s – except if you don’t start with the building blocks at step one, there’s no way you have a stable, you know, high rise at step 10.

Bryson: We discuss his take on force generation and the role of cyber in the military. 

Mark: … And I think that if you have a Cyber Force, it’s going to be very easy to derive a Cyber Guard. I think if we have a dedicated Cyber Force Reserve, it’ll be, I won’t say it’s easy, but I think it’s very conceptually plausible that you could recruit enough civilians that come in and help you and support and these kinds of things. There’s a lot of patriotic cyber people who would like to help, who aren’t really interested in joining a military service and going through bootcamp. 

And I think that this is an important part of thinking about how to do force generation and in the case we’re talking about here, force employment in a defensive model for protecting our private infrastructure. If we don’t do something, I promise you the private sector is going to get nothing. The answer will be you get almost no support. You’ll get the condolences of the FBI as they put the yellow tape around your servers.

Bryson: And he makes the case for a Cyber Force, saying it is the only way to protect our critical infrastructure. 

Mark: … My biggest wish is to get this Cyber Force going. I just think if I could get through the angst that DOD is going to throw down in front of Congress for the next three years and get to that point where we’ve created a cyber force through the force generation, I think that is the singular largest move we could have.

Bryson: What are the politics of cybersecurity? How do we ensure that our international partners attain the same level of resiliency and recovery that we have domestically? And if Mark could wave a magic, non-internet-connected wand, what is one thing he would change? Join us for this and more on this episode of Hack the Plant. 

Mark: Mark Montgomery. I’m a senior fellow at the Foundation for Defense of Democracies. I also run their Center on Cyber and Technology Innovation there. My most recent job before this was working for the government as the executive director of the Cyberspace Solarium Commission. It stood up, did its work, stood down in about three years. By the way, returned budget money. You don’t hear that too often. And then Senator Angus King, and Representative Mike Gallagher, the chairman, and I got together and decided to keep it going as a nonprofit. And we put that underneath the Center on Cyber Technology Innovation, so we keep working on the remaining legislative proposals and investigate issues that the commission wanted to investigate, but didn’t have time to in its three years. 

Before that, I worked for Senator John McCain as his policy director for a year and a half, and before that I did 32 years in the Navy, retiring as a rear admiral. My last couple of jobs were like director of operations in the Indo Pacific and deputy director of plans and policy in the European command.

Bryson: How did you pivot from that military career and being a staffer for John McCain into cybersecurity?

Mark: That’s interesting. When I was working with McCain, shortly after I got there, he became sick and eventually, as you know, passed away. Near the end of his last 8 months, or say 10 months, we kind of knew we couldn’t hire new people because probably the new chairman coming in would want to hire his or her own people. And we definitely knew he’d want to hire his own people. 

So as people left, senior people like me took on a couple extra portfolios. And I’d say one of the longest extra portfolios I had was cyber for about 10 months. A whole NDAA cycle, basically, National Defense Authorization Act, cycle. And what that meant was I had to prepare about 25, 30 pieces of cyber legislation.

And you can’t – the Senate Armed Services Committee is a mile wide and an inch deep, everybody – but that inch better be pretty good, right? If you’re going to prepare senators to make decisions, if you’re going to have the Department of Defense pushing back on your ideas – and we had some really touchy topics there. One of them was, we wanted to make cyber surveillance and reconnaissance a traditional military activity. That’s what has enabled Cyber Command to do offensive operations. Really for its first 7 or 8 years, it was kind of limited, and the intelligence agencies kept them at arm’s length from doing it.

And so getting that done took a lot of work, working with my counterparts in the House, and Senate, and working with Cyber Command, working with the White House, working with the Department of Defense. And we got that done, but doing that really had me dig in deep into cyber. So I’d had cyber knowledge from being the J3 at IndoPACOM, and the J5 at U.S. European Commander and Commander of my own carrier strike group, but all those areas, I had a little bit of cyber responsibilities or accountability. But it really kicked in there. 

And in fact, that work we did was kind of landmark legislation, not talked about very much, but it enabled something called National Security Presidential Memorandum 13, which is the governing document for offensive cyber operations by the military, and was used very successfully. It was signed almost immediately. They were waiting for us to get this law change done. It was signed. It helped Paul Nakasone successfully defend against the 2018, 2020, and 2022 election interference by Russia, Russian actors. And so that was a lot of cyber for me, probably half my effort in that NDAA was around cyber, the other half around reorganizing some issues in the Department of Defense.

And so I got into it that way. And then a natural thing when McCain left, we all had to leave, and Senator King, you know, scooped me up to run the Cyberspace Solarium Commission, along with Mike Gallagher.

Bryson: What were the key recommendations for critical infrastructure out of the first Solarium Commission? What’s been the progress on that? And then what is the mission, the goal, and the expectations of the second iteration?

Mark: Our original thing was an 80 recommendation report. We got that done in one year. I mean, that was the beauty of King and Gallagher. They were efficient. They went and dug into the topic. 

The other commissioners were really enhanced by – We had Chris Inglis as a commissioner, Tom Fanning, the CEO of Southern, probably the most energized Fortune 500 CEO on this kind of issue. We had Frank Ciluffo, Suzanne Spaulding, Samantha Ravich. So three experienced government officials, and then Patrick Murphy, another Congressman. Jim Langevin, probably the most experienced and knowledgeable Congressman on cyber until his retirement two years ago. So we had all this talent, and we were able to get it done in a year. And what we had was an original 80 recommendations, and then we had five follow on papers with 40 more recommendations. Of those 120 plus recommendations, 70%, almost 80% are done. 

But the ones that were really big, the big focus area was first, get the government organized right. Senator King would say, structure is policy. You’ve got to have the right structure in order to get the right policy. So we realized that we needed to strengthen CISA, the Cybersecurity Infrastructure Security Agency. And we worked, 10 or 11 different authorizations for them, almost all of which have passed, doubling their budget from about $1.4 billion to $2.9 billion. Strengthening of what’s called the Sector Risk Management Agencies. These are the Federal Agencies who are supposed to be helping sectors. We can talk about that in a little bit, but I’ll just say even passing a law has not made some of them do better, but at least you can now–Congress can do oversight. 

And then probably most importantly, where we created the Cyber Diplomacy Act, helped get that through. But definitely rewrote the part about a Cyber Bureau inside the State Department run by, you know, kind of assistant undersecretary level leader. That’s Ambassador Nate Fick now.

And then finally, the National Cyber Director job, which is, put someone at the White House with a large staff, who can kind of lead the strategic approach to protecting these critical infrastructures. They’re finally at that kind of number. They’re just shy of 100 people right now. They’re the right thing. 

You know, there’s been some competition with Anne Neuberger’s role at NSC, and I’m not opposed, I think she’s done good work. The problem, though, is that she can have a great idea, but the two staff members that help her develop that great idea, then move on to the next great idea development. And what I found with Federal Agencies is they’re happy to have the White House tell them a great idea at a press event, they’re all cheering, and get in their SUV, start driving back to their federal agency, and they’re like, next topic. Unless someone calls, you know, re-engages them, and that’s what, that’s what we hope the NCD can do, is that over time, they can just grind this out the way OMB does, and USTR does, right? In the end, you got to have some bureaucracy to keep the federal agencies in line.

So that organizing, organizing the government was where we made our most headway and was our principal effort. 

The next one where we made a lot of headway was helping the Department of Defense to force generation, force employment. Some of that’s been successful, some of that has… We’ve passed a lot of authorizations. I don’t know that it always changed, moved the bar – certainly on force generation, it hasn’t, you’ve heard me talk about my feelings on force generation. But we also had force employment ones in there, acquisition ones, because the services as bad as they are at generating the people, they were doing worse at generating the tools that CYBERCOM needed. So we transferred responsibility to Cyber Command, probably a debatable strategy that we had because it removes it from traditional oversight by services, but at least got stuff moving. 

So good work was done inside, and defending, building better cybersecurity into our weapons systems, we put laws in about that, and into our nuclear command and control system. You’d think that would not need a law, but it did. 

So big work at DOD. Now that’s the good news. The moderate to bad news is that we’re about 95% successful in those first two. We were about 15% successful in these other three or four, and that’s building the public private collaboration, strengthening resilience of both the federal government and the national critical infrastructures, and just building a better collaborative environment between everybody. 

I just, I think we’ve been moderate there and it’s been very – it’s very much sector driven. Some sectors like financial services and energy are in much better shape than others like Agriculture, Health and Human Services, EPA, you know, has water, and K-12 education, you know, with the Department of Education. So a really mixed bag there. 

And so the idea behind CSC 2.0 was, hey, take each sector, sector by sector – there’s about 20, 22 sectors. There’s not 16 because Transportation breaks up pretty quickly into Aviation, Port, all these other things – and dig into those.

And that’s what we’ve been doing. We’re about five, five sectors into that process. We have another two or three, and I’m just knocking out three or four a year, and we’re going to work our way through those until we run out of energy or run out of sectors.

Bryson: So by the time this podcast comes out, both of the talks that you participated in Hack the Capital in May will be published. That was your reference to force generation. And we also got into the militarization of cyber security. This is no longer, or it never was, just private industry doing private industry, it is much more of a murky government, military and intelligence space. And so from that, let’s talk force generation. Let’s get spicy on where we need to be taking cybersecurity, and those personnel, and the military.

Mark: My big point here is, I have a personal opinion that we need a Cyber Service. That’s debatable – people, smart women and men will go on both sides of that. Dr. Erica Lonergan who co-authored a piece with me here, with CSC 2.0 and the Foundation for Defense of Democracies, we both argue for a Cyber Force, and she’s certified smart for what it’s worth.

But then no one can argue with the fact that the current force generation models are not working. I have yet to have anyone come up and say, ‘Mark, your premise is based on a false premise.’ Even like, Paul Nakasone, who really did not like what we were pushing, the former Cyber Command Commander, and someone who did a great job at Cyber Command, would say that the status quo is the only option we can’t go forward with.

And what I mean by that is, force generation is the recruiting, training, development, and retention of your cyber warriors, your cyber personnel, and the tools they need for success. And that historically, in most warfare areas, devolves to a service, the Army, the Navy, Air Force, Marines, Space Force, right?

But the problem we have here is, the people you’re trying to recruit for cyber – particularly offensive cyber responsibilities, and kind of an active defensive cyber responsibility, those kind of like what we had the cyber mission force do for the United States – those kind of people are not the same people you need in infantry and armor units, and flying F-22s, right?

And of course, right now you may have seen that the Army and Navy particularly, but all services, struggle to make their recruitment goals. Right now in the current economy, and the way people see the military as a career, and complicated by the fact that almost 70% of high school students are not physically qualified to serve in the military.

So these recruiters are sitting, you know, the recruiters have to recruit about 2% or 3% of the high school graduating class to join the military. And they’re down, after you get rid of the physical problems, the fitness problems, the medical issues, drug use, really, really poor academic performance, it has to be really poor, you know, you’re down to, we’re competing and kids going to college, which is topping 50%, right? You’re now down, 5% or 6% of the high school class can be targeted for that last 3% of jobs, right? For that 3% we need. This is tight recruiting. And let me tell you, they’re not making it. The Army missed big time. The Navy missed by less numbers of people, but a higher percentage because they’re a smaller service.

You can’t go to these recruiters and say, hey, look, in addition to all these other problems you have, the fact that we’re giving you letters of reprimand for not meeting your mark, we would like you to really fixate on getting us some good computer science or cyber guys, right? Here’s the deal. These recruiters are hanging out outside the locker rooms, the men’s and women’s sports locker rooms, trying to grab the ones who, the athletic kids – that’s the good starting spot for making your number.

They’re not hanging out outside the e-gaming hovel down in the basement, or the robotics lab or wherever, where they should be hanging out to get cyber. Because here’s what happens. They recruit kids in, at the enlisted disposition place where they pick their final rating, you know. They’re like, hey, who knows computers?

You know? Oh, I do. Okay. You’re in, you’re cyber. Except in the Navy, if you’re smart, you’re going nuke first. You know, they’re nuclear engineering. If you’re the next smartest kid, you’re going to run what’s called the Aegis weapon systems. Then they say, who knows cyber to an even smaller grouping at that point. Bottom line is they’re recruiting people, they’re just randomly getting people with computer expertise who happen to have joined the military, and they try to, who don’t necessarily have a desire to be a SEAL or a submarine or whatever, and they push them over towards cyber. So you end up with not an – actually the product you would want.

And then we put them into these programs. And what happens is, well, after we train them, they get to their units, and we’re getting pretty draconian, drastic reports that there’ll be someone, especially in the people who design tools, they’ll get a hundred people in a unit, and only five or six people will be able to do the core mission of the unit. The other 90 are good Americans. They just don’t have the skill sets to do it, or the intuition, or the creativity, whatever it is.

If I ran an F-22 squadron and my wing commander came in, I said, ‘great news, boss, I got four kick ass F-22 pilots. I don’t let the other 25 fly.’ He would fire me, he would fire my deputy, you know, we’d start firing people everywhere, you know what I mean?

You cannot run a military on a non-targeted recruitment platform like this. So first and foremost, you start with recruiting, then you have good training programs. But you know, we now run four separate training programs, Army, Navy, Air Force, Marines. I’ll bet Space Force is dreaming up their own, and they’ll have a fifth training platform to basically get the same skill sets. 

And then the worst part is when they get back over to, they finally get to Cyber Command. They’re the force employer, they’re pushed there by the services, and the Army guy shows up and says, I’ve got four years of experience. I can do this, I have these credentials, I’m getting paid X. The Navy guy shows up and says, I’ve got the exact same credentials, same number of years of service. I’m being paid 2X. Why? Because my service did some kind of bonus that yours didn’t. It drives everyone crazy. 

My bottom line is, our retention isn’t poor because Checkpoint and CrowdStrike are snagging people with high salaries. The people, by the way, who get snagged, the best people who get stolen are stolen by NSA. Let’s be clear. The number one thief of uniformed military people who are really good at cyber is NSA, which I like. That’s a good thing. 

But the reason people leave isn’t a pile of money at the end of the rainbow. The reason people leave is if you’re not properly recruited, developed, and trained to maintain, you don’t see the people around you being done that way, you opt out.

So we’ve got to come up with a better force generation model. I know that was a long answer, but force generation is just one of these things that most people don’t look at. But it’s except – if you don’t start with the building blocks at step one, there’s no way you have a stable, you know, high rise at step 10.

Bryson: I just wanted to comment to somebody who did a stint in Armor, what are you trying to say?

Mark: Yeah, well, think about it.

Bryson: So, I mean, the other argument is that there are service-specific cybersecurity requirements that I need to have somebody in that uniform, that branch, to be able to meet that. I don’t know that I agree with that, but what are your thoughts?

Mark: There will need to be some service-retained Cyber Forces. I agree on the defensive side, running their NOC, their Naval Operation Centers, their Air Operation Centers. There’s something that is borderline IT cyber defense responsibilities. You’ll still need some, but it’s a much smaller group, and it’s of a less talent-driven desire. You know, in other words, the people I’m talking about for Cyber Forces, are probably – in the current force, we use about 6,400 people in the Cyber Mission Force. You need three or 4,000 to train them so it’d be 10,000. Now I’m going to tell you you need to grow that. Unstated here, we’ll talk about the services not growing in a minute.

So I just said you need about 10,000. There are still another 10,000 people doing, really, a form of Cyber and Service Defense, but now the problems got a lot easier for the recruiters and the trainers. It’s to a lower degree of skill set, and it’s half the number, if not more. So I think they can do that.

Now, look, when it comes to the offensive side, I hear this, oh, you need to have a Navy person doing a Navy thing. No, look, I get it. They talk about the Special Operations Command methodology, and I get it. If I’m on a submarine and you say, Montgomery, you need to blow up that train trestle 50 miles from here, and I look and they say, your choice is a Navy SEAL or an Air Force Special Operations pilot. Which one do I want to, like, have scuba dive 50 miles, pop up and blow up the train trestle? Obviously the Navy SEAL. I mean, this is, but if I say to an Air Force and a Navy, like, cyber operator, blow up, you know, disrupt that train trestle, I don’t think it’s service specific.

I think it’s, you know, the service skills, the cyber skills. There are service specific things in Defense, I think, and what we’re talking about here mostly, there’s not a service specific knowledge to it, so I do think there’s skill there. There’s no doubt Paul Nakasone has wanted to grow the size of the cyber mission force during his last five years, and Tim Hawk would like to do the same thing right now as the leader. 

I mean, China is growing fast. That doesn’t make China better, but they’re five, six, seven times larger than us in terms of these kinds of on-net operators. That doesn’t make them five, six, seven times better, but they do have a quantity. They recognize the expansionist growing mission set. We magically – I don’t know how, I was part of the issue, you know. In 2010, I was part of the Navy team, where we magically all picked 6,400 as a number. How we knew that would be the right number for 2024 is beyond me. I mean, that’s complete BS, because we basically picked the number the services were willing to give up. 2,000 Army, Navy, Air Force, couple hundred Marine. That’s how we got there. And the services don’t want to let them grow. Because if you grow Cyber Force and on-net operators, and you’ve got to grow the train, you know, the tail that supports them recruiting and training and things like that. I’m going to have less battalions, ships, squadrons, people for them.

So the services who just don’t see this as their number one priority. You know, if you ask the Air Force what their number one priority is, it probably involves something using the word air: air power, air control, air superiority. Not cyber, same with the Navy. In the end, when push comes to shove, they’re not growing it. 

And look, you don’t have to trust me. Look. You can see that over 12 years, the threat has changed. It hasn’t gotten smaller. It’s gotten bigger. The enemy has changed. They don’t have less forces, they have more forces. Yet we are anchored at 6,400. By the way, the number one reason services won’t grow. The number two is we can’t even meet the 6,400 because I revert back to, we can’t recruit and generate the right forces.

So I know I’m right. I know Dr. Lonergan’s right. But I, I’m willing to just have a discussion of it. First, let’s all acknowledge, force generation is not working and we need to come up with a new system. But if your new system is to take an eighth of an inch mini Phillips-head and do one or two quick adjustments, I’m going to call bullshit.

It is time to get this right. This is more necessary than the Space Force. It’s unfortunate that the timing is such, and that’s paralyzing DoD. I get it. They didn’t like Space Force, but the truth is, Space Force has not been an abomination, right? The prediction, DOD’s predictions of calamity are wrong. 

By the way, let me just revert to think about DOD. They were opposed to the creation of the Air Force, you know, the military services. They were opposed to the desegregation of the military. They were opposed to the creation of Goldwater-Nichols. They were opposed to the creation of SOCOM. They were opposed to the creation of Space Force. I would just say when DoD says this is a critical existential interest for us. They’re like, 0 for 6 in the last 70 years. So I just, I’ll leave it at that, you know, in terms of, of their pushback on this. 

But I’ll just say we need to fix force generation. I think the Cyber Force is the way to do it.

Bryson: I don’t think anybody would push back that the Department of Defense is a hidebound bureaucracy. So all of that, I’m an average asset owner or manufacturer. Why do I care?

Mark: There’s like a third rail in any military personnel discussion. It’s called the National Guard, the reserves, you know. They just, you know, you grab that and everyone’s electrocuted, right? But this is why it matters to, I think, to companies that – look, let’s step back for a second and just say, first, the Cyber mission-sense, unlike any other. Like, if I told you there’s a cruise missile inbound to a Southern Company power generation facility, I don’t expect anyone to say, oh, thank god, Southern has an air defense system, they’re going to shoot it down.

I mean, they expect F-16s to go up there, take down that cruise missile, right, or whatever, you know, the air defense system is for that area of the country. Same with undersea, there’s a submarine mission. No one’s like, well, I wonder if Dominion Power has their anti-submarine forces ready. 

Cyber, unlike every other mission area, needs public private collaboration because the U.S. owns every submarine that would counter a Russian submarine. Or every air defense system that would counter a cruise missile, the U.S. military owns that. In the private sector, the critical infrastructure that’s under attack is actually owned by the private sector. We expect Southern to provide its own cyber defense. We expect Dominion Power to, you know, Virginia Water. We expect, you know, all those, Goldman Sachs. We expect everyone to provide for their own defense. The problem we’ve got is, we’ve got to figure out now, okay, someone’s under attack. How do you push back at it? 

Part of it is, the offensive capabilities of cyber command go down range and try to attack them at their point. But another part is helping defeat an adversary that’s in American networks, moving around, creating mischief, finding further malware, and in a crisis or contingency or after an attack, during recovery, you’re going to need some capability. 

Right now, the only capability or capacity for that kind of cyber defense is in the military, the intelligence community. What we call Title 10 or Title 50 forces. Neither one of those are in a great position, legally, or in terms of practice (I hope, particularly for the intel people, I’m confident they haven’t been doing this), of hopping on our networks and perusing around and taking a look and trying to figure things out, and be a constructive defensive support. But I do think the one group that could do it, I think CISA, Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, or the FBI at the Department of Justice. They don’t have the capability or capacity to do this. Even though we gave them a bunch of money for something called Hunt and Incident Response Teams, I really haven’t seen the development of that by CISA or DHS. 

I think the right answer might be National Guard and Cyber Reserve Forces that are, that can be translated, I think it’s Title 32, that can be used by DHS and FBI in a defensive play. And I think that if you have a Cyber Force, it’s going to be very easy to derive a Cyber Guard. I think if you have a Cyber Reserve, it’s going to be very easy. I think if we have a dedicated Cyber Force Reserve, it’ll be, I won’t say it’s easy, but I think it’s very conceptually plausible that you could recruit enough civilians that come in and help you, and support, and these kinds of things. There’s a lot of patriotic cyber people who would like to help, who aren’t really interested in joining a military service and going through bootcamp. And look again, you say to yourself, well, why can’t the services do this? Senator McCain saw this six, seven years ago, seven, eight years ago now, and put in a law and said, hey, Army, Navy, Air Force, you can hire, I think it was up to 200 people, who just come in as like majors or lieutenant colonels based on their cyber experience. It’s something we do with doctors and dentists to some success, but only the Army, after four or five years, the Army has done a handful. The Air Force has done a very small number. I don’t think the Navy’s done any, you know, they just aren’t interested in this. They’re not interested in the back and forth. 

You know, one of the other advantages of Cyber Force is people can go back and forth, I think in the private sector, in a way that armor or submarines aviation squadrons wouldn’t allow it to happen. We don’t say, hey, you’re flying an F-22, well go do four years flying at Delta, 777, and then come back and we’ll put you, we’ll promote you along in the F-22 like you were flying with us. Cause there’s a big difference, right? But in the cyber world, we could do this. So I see this world where you can have Cyber Guard, Cyber Reserves, moving people back and forth between companies and Cyber Force that actually helped build an effective defense, a much more effective cyber defense network.

And I think that this is an important part of thinking about how to do force generation and in the case we’re talking about here, force employment, in a defensive model for protecting our private infrastructure. If we don’t do something, I promise you, the private sector is going to get nothing. The answer will be you get almost no support. You’ll get the condolences of the FBI as they put the yellow tape around your servers.

Bryson: That is a very stark and visceral image. So pivoting to politics, you had mentioned earlier the Presidential Memorandum that led to the creation of a certain cyber authorization, as a result of the Russian interference in the election, and we were joking beforehand about the fact that cybersecurity is a political issue but should not be partisan, should be a nonpartisan issue, but let’s start talking – what about the politics of cybersecurity and the latest regulatory advancements?

Mark: Senator King, who’s chairman of the Solarium Commission, I think he and Gallagher would have said, look, it’s a nonpartisan issue in the main. Especially about how we organize the federal government, and how we protect the federal government. There, it’s nonpartisan. Which, by the way, it’s not something you can say about a lot of things. How you run the Department of Education is not a nonpartisan issue. How you run the EPA, things like that. Yet, how you worry about EPA, cybersecurity of the EPA itself, it is a nonpartisan issue.

So, there it’s been good. However, when you start to talk about how Congress, the executive branch, and the judiciary interact with the private sector, on any issue, it becomes pretty partisan quick. The idea of what’s the balance between regulation and incentivization, you know, what’s the balance between regulation and an open entrepreneurial environment?

These are reasonable discussions that have taken – generally take political lines. I don’t want to say Democrat, Republican, but certainly, conservative, liberal approaches to how these work. And the recent Chevron decision kind of dropped right into that, in terms of removing some of the regulatory discretion that executive branch agencies had in the absence of clear congressional regulatory guidance. So I’m exceptionally worried that – look, I think there were problems with Chevron in terms of, if you do regulation from federal agencies, it’s very hard to have either the appropriations, have the right amount and quality of regulators. Unless there’s an agreement on this, there’s kind of like a tacit agreement between the private sector and the government, ‘Hey, the SEC is going to exist, it’s going to look at these things.’ ‘The NRC, the Nuclear Regulatory Commission, is going to exist, it’s going to look at these things.’ So I just described two of the better examples of regulated critical infrastructures in cyber that are highly successful. By the way, the two most successfully protected sectors in cybersecurity, in terms of cybersecurity, financial services, and energy. They are in a regulated area, but I also say financial services, Goldman Sachs doesn’t spend a billion dollars on cybersecurity because they’re regulated, they spend a billion dollars on cybersecurity because they’ve been under attack for 25 years from cyber criminals, right? So, there’s a mix, there’s some things in there that aren’t just, you know, ah, that proves my point, you know, you need regulation, you need this balance.

But here’s the other thing you’re missing. When you just have EPA say, here’s a new cybersecurity regulation, you don’t have a grant program to help fix things. It isn’t like you’re talking to, like, Richie Rich and Scrooge McDuck, you know, and they’re sitting on a million dollars each, oh, well, now that you ask, I’ll spend some money on cybersecurity.

You’re talking about water utilities, regional water utilities. They don’t have two wooden nickels to rub together. They can’t change their rates because the voters will throw them out. They can’t raise money, capital like a company because they have to do a bond. And the voters are like, I’m not sure I need to pay for that, right? You know, so. Voters barely pay for, like new high schools. They’re not going to pay for, like cybersecurity programs and, you know, water utilities. My point on this is it does need to be a Congressionally-driven, executive branch-executed program. That’s when government works. Congress says, here’s what we need, here’s some left and right limits. Here’s the appropriations to support what you’re going to do, come back with a plan. You come up with a plan and they go, here’s the appropriations and you do it. And we should be doing this on a sector by sector basis. So the 20 plus, there’s not 16 sectors because Transport breaks up, as I said, the Aviation, Rail, Ports, things like that. There’s about 22, 23 sectors. On a sector by sector basis, we should have – Congress should write regulatory guidance. And it is different sector by sector, what you need for nuclear power plants is different than what you need for K-12 education for school districts, right? You just, it’s a different level of cybersecurity. You give them these left to right limits, they come back with a regulatory plan, you give them the appropriations and you execute.

And by the way, they were told to do this. There was something called the National Infrastructure Assurance Plan. I worked at the NSC, late Clinton administration, working for a guy named Dick Clark. And we wrote something called PDD 62 for counterterrorism, 63 for critical infrastructure protection. And for critical infrastructure protection, we then wrote a national infrastructure assurance plan. So in 1999, 2000, we told like eight federal agencies, you’re responsible for this. By the way, you know, and maybe 10 federal agencies, but it was like EPA, HHS, education, all these ones. We told them you’re responsible, Energy, and go forth and prosper. Only Energy and the financial regulatory ones took this seriously. When EPA goes, oh, this is this new concept on, you know, you’re overwhelmed, SRAs was only two or three years ago and as I said, no bull, you were told in 1999 to do this, and you have a 24 year bipartisan track record of screwing it off.

And we’re stuck here now with this condition. So look, this is bipartisan guidance. By the way, Congressional oversight? Non-existent on this also. So bipartisan, bicameral, for 20 plus years, not really handled by either chamber, either party, or the executive branch. So everyone’s to blame. But it isn’t like there hasn’t been a road map out there for 20 plus years, and at least 2 sectors took the road map. Now, again, financial services, because they’re under attack, even as far away as 2000, and Energy because of the nuclear implications, and the heavily regulatory environment we’re in. That anchored itself in nuclear power plants, but spread through the FERC and other pathways. So bottom line, it is not nonpartisan.

It can be a partisan issue because you’re talking about regulation versus incentivization. But if you bundle them together and do it right, come up with a model and just sector by sector, go do this. And we’re starting to do that in Water. You’re going to see, there’s a couple of bills that are up that kind of get at, hey, here’s an initial – we’ve got things called Water Risk and Resilience Organizations that are recommendations to try to get the sector stable, self assessing itself.

And there’s another bill going through that says, look, these are the minimum security requirements, you know, that you need to meet, EPA, hold them to these standards. And then here’s a grant program to fix these things. These are all the kinds of elements that have to come from Congress. I’m starting to see it in a few of the areas. We just need to do it, rinse and repeat this about 20 times.

Bryson: Okay, so we talked about the U.S. regulatory and political environment, but we are not an island unto ourselves, especially when it comes to cybersecurity. What about the international stage?

Mark: The commission looked at this. We thought, we need our international partners to have the same level of resilience and recovery. Now, they don’t all have the same kind of network vulnerabilities we have. They’re not, like – we’re in a pretty large glass skyscraper of, you know, an incredibly networked system with limited cybersecurity running inside it.

But a lot of our allies and partners are, and they’re critical to us in two ways. One, we need their economies to be resilient and strong as they deal with our economy so that, okay, we’ve done well, now they’re under attack from the ransomware criminals, no. We need them to be strong as well. 

But equally importantly, we’d like to fight our adversaries overseas. That means we have to fight with and through our allies and partners. So they have to have strong critical infrastructure as our forces arrive and execute their missions. This is, you know, across a multiple agency process, Department of Defense, Energy, Homeland Security, but most importantly State Department. We need to be overseas engaging. 

So the Cyber Diplomacy Act created the Cyber Digital Policy Bureau. It’s run by Nate Fick. They could not have landed on a more dynamic, effective, inaugural leader than Nate Fick and so, Ambassador Fick’s out there doing this. Now, he was also directed to do a strategy to integrate all our agency efforts.

I think they did a good strategy about how to integrate the State Department. I think the normal interagency process made it so you don’t get the Department of Defense, and Energy, and Commerce elements alongside State in the same way. But given a couple more years, I think Nate and his successors will be able to build an interagency thing that makes sure that all our elements of U.S. power are working with our allies and partners to ensure that they’re at the right level, you know, through partner cyber capacity building, that they’re at the right level to engage in this work with us so that both our national security and economic productivity are maintained in a crisis environment.

Bryson: If you could wave a magic, non internet connected wand, what is one thing you would change?

Mark: I’ve mentioned it already. My biggest wish is to get this Cyber Force going. I just think if I could get through the angst that DOD is going to throw down in front of Congress for the next three years, and get to that point where we’ve created a Cyber Force through the force generation, I think that is the singular largest move we could have.

Bryson: You’ve waved your magic wand, now looking into the crystal ball for a five year prediction. One good and one bad thing that you think is going to happen. 

Mark: This is hard with a presidential election coming up, but I think some stark, stark differences in how they’ll approach the bureaucratic state. Because the good thing is that the bureaucratic state does its job, and creates the appropriate regulatory and incentivization environment to get all our critical infrastructures as resilient as necessary.

The bad thing is we don’t do that, and we’re highly vulnerable, and ransomware and other cyber malicious activity continues. We don’t even need a nation state to imperil us. Criminal actors have such access to our vulnerable systems right now, and can create such havoc. I don’t think people understand the degree to which these ransomware attacks on hospitals and health clinics actually increase morbidity in our country. People die. 

Now, right now, I hate to say it, there are old people, this tends to be people already on a respirator, already in extremis. And just a higher percentage of them that would die in this two week visit to the hospital die. And that doesn’t mean they’re not people of value and it isn’t angst. But I’ll just tell you, it has not caused the kind of response that I think we’re going to have when we have these significant attacks that imperil public health and safety, and I think we’re going to have those kinds of public health and safety moments in the next 5 years. And I think that’s going to seriously, I mean, the silver lining to that is people like me, after we’ve done a very quiet ‘I told you so,’ we can then work to get things better.

Sometimes it takes a draconian event to get things moving. So for people like me, this means take your bitter pills. Like we lose most things we fight for in Congress or in the executive branch, but make sure you have them properly organized and ready to go after a perception changing event occurs. Where people say, this is bullshit, we’re going to tackle the cyber issue much harder. Hey, who had some plans for this? It can’t be after 9/11 where we have to cobble together Homeland Security on the fly. This needs to be a very organized way. So there’s people like Cyberspace Solarium Commission, there’s CSET over at Georgetown. There’s a few places where people are writing, thinking about ideas, about what the future should look like. R Street has some. You see that, kind of, we need to be ready to go. So my worst case is that we have this kind of perception-changing event where there’s a serious impact on morbidity in America.

Bryson: I would say even folks that aren’t old are also vulnerable. The studies that we’ve seen on the morbidity tied to delay in certain operations show that one, two, three, four minutes of any kind of denial of service or delay leads to death.

Mark: You’re right. And the other one I would mention: there are ambulances, right? So the age of the person in the ambulance could be anything. And when the ambulance has to go 42 minutes, instead of 21 minutes, there’s a direct linear morbidity curve. It might even be exponential. You know what I mean? Now that person has a lawsuit by the way, his or her family. Who’s the extra person on a respirator that passed away this month? Hard to pin down. Who died in an ambulance because they couldn’t be treated at this emergency medical services? Very easy to pin down. I hate to be morbid about morbidity, but I’ll say this is one of those things that will drive people to understand the importance of investing in the cybersecurity of our critical infrastructures.

Bryson: On that dark note. Thank you.

Mark: Thank you very much for having me, Bryson.

Bryson: This is Hack the Plant, a podcast from the ICS Village. Catch us at an event near you. Subscribe wherever you find podcasts to get episodes as soon as they’re released. Thanks for listening.