On January 16, 2025, the Biden administration released the capstone Executive Order “Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” In this bonus episode of TechnologIST Talks, Chief Strategy Officer Megan Stifel and Chief Trust Officer Steve Kelly are joined by Carole House, Special Advisor for Cybersecurity and Critical Infrastructure Policy at the National Security Council and a member of the office responsible for leading the drafting of the EO. Megan, Steve, and Carole walk through the main components of the order, talking about its implications for federal systems security, quantum, efforts to tackle cybercrime and fraud, and more.
“Software is such a prevalent root cause of so many of the supply chain attacks that we’re seeing and that have been occurring. It’s the next step of evolution. We are requiring software vendors to provide verifiable attestations of those software practices,” Carole said.
What prompted the drafting and release of this Executive Order? How does the EO address ransomware? And what should government–and industry–take away from its provisions? Join us for this and more on this episode of TechnologIST Talks. See the transcript.
Apple Podcasts | YouTube | Simplecast | Spotify
Transcript
Steve: Welcome to TechnologIST Talks, a podcast from the 501(c)(3) non-profit, the Institute for Security and Technology. Technology revolutionizes the way we live, and it also has the potential to threaten global stability and security. TechnologIST Talks features conversations with technology and policy leaders at the forefront of tackling these challenges.
I’m Steve Kelly, Chief Trust Officer at IST.
Megan: And I’m Megan Stifel, Chief Strategy Officer at IST. Today we’re thrilled to welcome Carole House, who serves as Special Advisor for Cybersecurity and Critical Infrastructure Policy at the White House’s National Security Council. In this role, she helps shape and implement the administration’s strategy for protecting our nation’s most vital systems and networks.
Steve: President Biden today signed a new executive order on cybersecurity. As President Trump will step back into office next week, we thought it would be a perfect time to look back on the cybersecurity challenges and accomplishments of the past four years and look ahead too. Thanks for joining us, Carole.
Carole: Thanks so much. I’m thrilled to be here. I’ve had a great opportunity to work with both of you previously in government and in industry roles, and it’s wonderful to get to talk to you now on this side and after such an exciting capstone project.
Megan: With regard to this capstone project, the executive order, can you tell us a bit, Carole? Obviously there have been some disclosures or conversations within the press about the EO, but we’d love to hear directly from you about how this EO, this executive order, came to be.
For those who don’t speak government, “EO” is how you’ll probably hear us refer to it throughout this conversation. We might throw some numbers in here as well, and we’ll try to minimize those, probably. So, how did this come about?
Carole: You’re right, I’m fluent in the alphabet soup that comes from DC, but I promise to do my best to work around it.
But for those who haven’t memorized it, the first cyber EO, which came out right at the beginning of this administration, at the beginning of President Biden’s term, set out some of the key foundational steps that are critical to better secure our critical infrastructure and federal systems. So, setting out key directives, like for agencies to implement zero trust architectures, requiring the creation of the Secure Software Development Framework, and ensuring that these critical pieces of software that both federal agencies and industry critically rely upon are being developed in a secure way and being used in a secure way.
So this new cyber executive order that the president just issued is really the capstone project that takes and leverages all of the lessons learned from the administration’s long, ongoing efforts, an administration that has focused more on cybersecurity than ever before, in a space that’s getting more and more digitized and reliant on digital critical infrastructure and working in the cyber domain. It recognizes that we need to continue to drive really critical momentum and steps to address key critical vulnerabilities and cyber hygiene gaps that are at the root cause and at the heart of all of the major cyber incidents that we’re seeing affecting federal agencies and industry.
So this order really takes and leverages a lot of those lessons learned from major cyber incidents that have occurred recently, looking at what the concrete, specific, critical measures are that are needed to defend those networks and those systems, in order to make sure that we can better protect ourselves from state actor targeting, like we’ve been seeing from Russian and Chinese targeting of federal systems and companies of late, and to put in place the next iterations and evolutions of protections for software security, cloud security and key management, encrypting federal communications, you name it.
So this really is that next phase of evolution. And it’s a topic that’s just so critical across the agencies and for industry. And we can’t do it alone. We have to do it in partnership. Something that I know IST talks a lot about is that need for partnership.
Steve: How do you hope the incoming Trump administration will use this document? Is this trying to set their agenda?
Carole: A great question, but not at all. I think cybersecurity is one of those areas where we’ve seen, across different administrations, a lot of initiatives persist and continue in prioritization, because cybersecurity, and the need to ensure that we can engage in commerce as well as national security and other activities and protect data in the cyber domain, is one that transcends partisan politics.
This is something that is a priority regardless of your party, whether you’re a Democrat or Republican or Independent. Cybersecurity isn’t becoming less important, right? We’re getting increasingly intertwined and commingled activity in critical infrastructure, and goods and services being provided on digital rails.
And when that’s the case, and you also have state actors that are targeting us regardless of which parties are in power, then both parties, really regardless of partisan politics, and the entire national security community recognize this issue. And it sets in motion critical initiatives that, again, we’ve seen in the context of the major state targeting that has occurred across many administrations.
And then it also sets out some really key initiatives that we believe the next administration will see and elevate as a priority, like a national security memorandum that can drive the needed evolution for national security systems and put in place really critical protections. We see that as a key area for partnership, and something that doesn’t have a divide based on a particular timeline of one administration coming in or going out.
This is a national security threat that has to be addressed in the near term with critical measures that are put in place. And we expect and hope for the next leadership to continue it on. And they have some great cyber leaders that are coming in. Yes.
Megan: And I think we’re all looking forward to working with some of those folks.
Some of them are probably familiar faces to all of us, given the short period of time that we’ve been in this field, because we’re all still quite junior and young and chipper. So, Carole, you started to mention some of the key priorities, but we’d love to hear from you, in your opinion, what is closest to your heart among the accomplishments that this EO contains.
Carole: Oh, man. It’s really hard to pick a favorite. There are so many great measures in there. I really do love a lot of the measures that are put in place to try to better secure the internet, some measures that we really should have been doing long ago. So things like Border Gateway Protocol controls and protections and encrypted DNS, as well as some really important measures around combating cyber-enabled fraud and fraud that is hurting Americans and hurting the federal government.
We’re seeing tens of billions of dollars in costs to consumers and hundreds of billions in costs to the government and to the global economy every year because of fraud, which is really being exploited by, again, illicit actors. In some cases they can be state actors and state-affiliated actors that are targeting federal programs as well as Americans to try to defraud them of their rightful benefits, of their rightfully acquired funds and their wealth. It’s a devastating crime, and it’s enabled and made available because of widely available information, PII that’s been stolen and is available for sale on the darknet really cheaply. And it’s being used to fraudulently purport that you are, in fact, this illicit actor.
Or that the criminals are using to report that they’re the victim. So in the wake of all that, what we need is greater investment in identity protections. So we need to implement phishing-resistant multi-factor authentication to better prevent SIM swapping and other types of attacks that have been targeting people and have been culprits in other incidents.
And then we also need to put in place other investments in digital identity infrastructure that preserve and defend democratic principles and privacy. So things like privacy-preserving attribute validation services that can help to guard against synthetic identity fraud and ensure that an identity is real when institutions and agencies are trying to determine and assess whether or not you are you.
And then also digital identity credentials, right? Things like mobile driver’s licenses are so critical because they’re leaning on the most pervasive form of identity that Americans use to prove themselves. Most of the time it’s a plastic card, a driver’s license saying that I’m me, but that doesn’t work very well when you’re trying to prove yourself and establish trust online.
So instead, we’re encouraging agencies to consider accepting digital identity documents, as long as they meet the principles and standards that expect things like privacy, and preserve access to sensitive data only for the conduct of accessing that particular program, consistent with appropriate laws and legislation and the protections that exist around there.
I really think that the identity investments that are directed in this EO are some of the most critical to defend the consumers and Americans that are being exploited, and also to defend the US government that’s being exploited. The GAO report that came out earlier this year, I think, underscored it; it was between $200 and $500 billion a year that the US government loses to fraud.
So this really is that continued down payment on protecting Americans against being defrauded.
Steve: I was thrilled to see reference to identity in this document, and I wanted to call attention to the fact that IST put out a report back in October on the implications of artificial intelligence in cybersecurity and the effect on the offense-defense balance.
There was an entire section of the report where, in the research process, we stumbled into this identity and authentication challenge, especially in light of deepfakes: audio, video, documents and such. And one of our recommendations is to modernize authentication approaches to account for AI.
And we also called attention to the potential for mobile driver’s licenses and such to be a key part of the solution. It’s interesting, with a number of states having adopted mobile driver’s licenses, that there’s a cryptographic key in the process; it leverages PKI. And some people might be concerned that if there were some sort of a central federal government digital identity and authentication service, that may create a threat to civil liberties and privacy.
Do you see a more state-level solution, where we take advantage of the trust relationship that people have with their state governments and their experiences with motor vehicle offices, since most everybody has a driver’s license or an identity card that’s issued by the state, as actually a key part of the solution here to some of these identity challenges?
Carole: Absolutely. I think that’s a really great point, that people have this already existing relationship with their states, and that’s where they’re getting this credential. That’s what the mobile driver’s license is, and their physical driver’s license as well. I like the mobile driver’s license infrastructure, in that it still preserves that exact same relationship, right?
For a consumer and a user with their state government, this isn’t mandating a federal ID card at all. It’s in fact instead directing federal agencies that if they accept digital credentials, they need to ensure that those are compliant with existing international standards that the US government has been supporting, privacy-preserving and interoperability-enabling, and a lot of different features that are necessary to ensure that we don’t create an issue of certain types of vendor lock-in that could prevent higher-order economic developments that are needed for digital economies.
Identity really isn’t the place where we want there to be massive amounts of competition and continued data harvesting without regard for privacy and the right kinds of protections that people need. And that’s why we’re leaning in on and reinforcing the standards that we’ve been promoting related to privacy preservation and security of sensitive data.
And then also preserving and reinforcing that already distributed infrastructure and ecosystem that Americans interact with to get these credentials, which is at the state level and not at the federal one. So all of the different measures focused on identity here are about preventing fraud, putting in place security, and enabling that greater trust online and commercially that you could normally rely upon in a physical domain, while still enabling the kind of privacy preservation that exists in the digital world and preventing unlawful and undesirable surveillance and tracking of information and of presentation of that credential.
All of those are things that we tell agencies not to look for in the digital identity services that they want to use for giving access to their services, because we don’t want that kind of surveillance. We want to ensure appropriate privacy while also enabling greater assurance in the identity that you’re presenting when getting access to federal benefits, and providing those better capabilities and accessibility, and the greater security and assurance capabilities that you get from a PKI- or encryption-enabled digital certificate.
So it’s a lot harder; you can’t spoof PKI the way that you could spoof someone’s email or create a fraudulent picture of a driver’s license with now widely accessible artificial intelligence tools, right? Those make really compelling and good visual images. Only through leaning on things like encryption and emerging tech are we going to be able to keep pace with and combat those threats.
Megan: You mentioned at the beginning of our conversation the digital identity piece, which you said was near and dear to your heart, and I think it is to ours as well. Some of us might have been around before we had all this stuff in the government, and I started to think about all the evolution, which is terrific, that’s happened in the time since those early days.
So in thinking about the idea of digital identities, obviously the government’s been procuring goods and services. We have PIV cards and a variety of other things that are deployed throughout the federal government. The government then is leveraging that procurement authority not only for itself, but, as the National Cybersecurity Strategy talks about, as a way to try to improve the nation’s overall cybersecurity.
In the new EO that’s been issued, procurement is woven throughout it as a tool. I wonder if you wanted to talk a little bit more about the use of that tool and how you see the benefits in the early phases and the pathway towards deployment of that tool.
Carole: I really think that’s a really poignant part of the executive order: highlighting how it’s leveraging not regulatory authority or other kinds of mechanisms, but instead leaning in on one of the greatest tools, which is billions and billions of dollars of federal procurement, and putting that to work to better secure federal systems and agencies and the critical goods and services that Americans rely upon in order to conduct their daily lives, right? Like, I’m a veteran, I get VA benefits. There’s lots of information about my healthcare and my service record. And I need all that information, that very sensitive data, and those critical services to be protected so that they’re not disrupted.
So that my sensitive data isn’t exfiltrated. All of these are critical protections that need to get put in place. And the greatest lever that the government has with so many of these vendors that provide software and other services and infrastructure and cloud environments to both industry and federal agencies is to leverage the power of the purse.
So that procurement lever is so important. Like you mentioned, it’s really one of the beating hearts of this EO, and it’s connective tissue that’s woven throughout, where basically we’re requiring that, okay, if you do business with the federal government, then, as part of us being responsible stewards of taxpayer dollars, we need to make sure that those services are properly secure.
So, doubling down on some of the initial steps and the foundational measures in the first EO on software security, whether it’s for federally procured space systems, which is another thing that was also near and dear to my heart. I should have emphasized that too.
When I was a kid, I was in the NASA student involvement program. I thought I was going to end up working at NASA and doing space stuff. Obviously, that didn’t happen; I went into the Army and then ended up in cyber. But I still have my NASA lab coat from that program. So getting to work on not just cyberspace, but space cyberspace, has been a wonderful part of this particular tenure back at the NSC.
So we’re using that power of procurement to make sure that for federally procured systems, both on the civil and the national security side, we’re putting in place critical protections, like defending against command intrusion, detecting anomalous activity, and ensuring secure patching and secure booting.
All of these are some of the critical measures that we need to ensure are in place to defend against the emerging and dynamic threat space. But yeah, on improving federal systems, leaning in on the power of procurement is really one of the major pillars of the executive order that President Biden is issuing now, again, as that kind of capstone at the end of his term.
We’ve seen that the power of procurement, which was really launched and started at the beginning of his term in the first cyber EO, is really one of the most impactful levers and the best way to try to drive the market, right? It’s a natural market force. We are a customer.
So let’s use that lever in addition to the other measures that we’ve been putting in place, including voluntary partnerships and regulation, but in this case, making sure that the market evolves the way that it needs to, so that the cyber domain remains secure and digital economies can be built on a stronger foundation, one of security rather than one of sand.
Steve: Thanks, Carole. And to quickly revert back to the space topic, it’s a fascinating one. So much of our infrastructure relies upon communications and sensing that require space assets. And of course, there’s a lot of debate within the think tank world and elsewhere about whether space should be a critical infrastructure sector.
One could debate that till the cows come home. And I noticed in this executive order there’s a lot of focus around space asset command and control. And of course, taking a risk-based approach, what’s motivating this? Clearly, as the world becomes more and more dangerous, the importance of space assets, and of them working, is essential to our economy and our national security and our military operations.
Is there anything more you could say about why it figures so prominently and what the gaps might be?
Carole: The threat landscape in space continues to grow, and it is only going to continue to be a really attractive target, right? Like you mentioned, critical communications and commercial activity, whether it’s about navigation or military activity, all absolutely make these attractive targets.
And we’ve even seen space infrastructure being targeted in the wake of the Russia-Ukraine conflict, right? So we’ve seen what the potentially devastating impact of disruptions in the space domain can be. So because of that, command and control are obviously really critical functions, right?
And then for assets that have some unique mission capabilities and functions, it’s hard to reach assets that are in space. I think I made a joke once to the brilliant people in the government, the space colleagues, about pigs in space, that I didn’t get nearly enough laughs for, because of course that was very funny, but I was obviously the biggest Muppets fan.
Steve: Are the folks in the room just not old enough?
Carole: Or they just recognized how cheesy that joke was. But it was really wonderful to get to talk to the incredible experts across the space community in the US government, like those at NASA and Commerce, DOD, and others. They’re just a wonderful group of experts, really recognizing what this threat landscape is.
And we identified these key measures after the Vice President, who chairs the National Space Council, directed that the National Space Council identify the cybersecurity requirements that really need to exist, and in this case, leveraging that power of the purse to ensure that federally procured space systems implement these really, really critical protections that we see are relevant to the threat landscape that’s targeting them.
So honestly, it was a great effort. I know I’ve heard a lot of the same conversations that you’ve mentioned, where people are debating whether or not it should be its own sector or whether it’s sufficiently captured under things like the information and communications technology sector.
It will be interesting to see if the next administration takes up any sort of changes there. What we do see and do know, and point to in this, is that it is critical to the goods and services and major functions and infrastructure that we rely upon for communications and military operations.
And so much of our commerce relies upon it. So this doubles down on, and really gives a down payment on, that investment and those great processes that have been underway at the National Space Council.
Megan: In the same section where there’s a discussion about space, Carole, there’s a long discussion about FICAM and a range of other topics, and this is in the section, for those playing along at home, around security of federal systems, I believe.
So, SSDF, which you also mentioned a couple of minutes ago: software security was already a focus of EO 14028, which you also already flagged. There’s a lot more in this particular EO on the topic of software security, and we’re also, again, seeing this procurement topic, but help us, if you wouldn’t mind, unpack this section for us.
What do we need to take away from this? What is the government telling itself to do? And then I think a question that we have out here in the nonprofit space, serving as a bridge between policymakers and technologists, is: what’s in this for industry aside from selling to the government?
Should they be listening to this to secure their own houses?
Carole: First, absolutely. Like you mentioned, secure software, which I know both of you have long cared about for years, was absolutely a pillar and a cornerstone of the first cyber EO that was issued in 2021 towards the beginning of the administration.
Again, like I mentioned, this is the next phase of evolution and lessons learned, right? We’ve seen major incidents despite those critical measures of developing the Secure Software Development Framework and of requiring that any software vendors that do business with the federal government attest to the fact that they use secure software practices. And unfortunately, we’re still seeing insecure software at the root cause of so many different incidents, right? It’s really tough to find a supply chain attack where software isn’t a major culprit. There are some instances, again, where cloud security and key management and other things, certainly compromised credentials, etc., are playing roles.
But software is such a prevalent root cause of so many of the supply chain attacks that we’re seeing and the major incidents that have been occurring. So instead, like I mentioned, it’s the next phase of evolution and those lessons learned. So we are requiring software vendors to provide verifiable attestations of those software practices.
So basically we’re requiring the submission of artifacts from vendors to set up federal agencies to the point where we can know and understand and better prove, and feel greater trust, establish greater trust, that the vendors that we’re using really are at least developing their software in a secure way.
And this is a critical next phase of evolution, because basically, if you ever want to be able to take an action or enforcement, or to know whether or not secure software was being used or developed, or to know whether insecure software was being developed, if you want to have any artifact other than a breach, if you ever want to be able to know that it was insecurely developed before a breach occurs, then you have to do some work to check their homework.
And so in this, in requiring those software vendors to submit artifacts, and then CISA standing up a program to verify and validate those artifacts against the attestations that they’ve made and the practices that are there in the attestation form, that’s really a needed evolution to try to make sure that we can hold industry accountable when they’re not, in fact, fulfilling the promises and commitments that they’ve made in the software attestation.
So we are also updating the Secure Software Development Framework based on other lessons learned from other incidents, like, for example, secure and reliable deployment of software updates, to help prevent future cyber incidents. So that’s really another critical cornerstone of this EO, the same way that it was in the first one.
This basically picks up from the first cyber EO and takes it to the next step of evolution, to try to drive greater accountability and adoption of secure software practices, since both we and industry all rely on it. So you mentioned what industry should look to as well: all the industry entities that rely on and use that software will be able to know publicly what the results are of the validations that end up occurring.
So we’re driving greater security in software that industry will also be able to benefit from, like I mentioned, using and leveraging market forces to streamline and make more efficient and more secure the critical security services and IT services that industry, Americans, and the federal government all rely on.
Megan: I was a little surprised, but not entirely surprised, to see that there were also criminal referrals, or potentially criminal referrals, when those attestation validations are found to be inaccurate. I shouldn’t read too much into it, I guess.
Carole: The president did encourage DOJ to consider what actions would be appropriate.
If there is a vendor who attested to the fact that they use secure software practices, and then the artifacts that they submitted do not substantiate that, and in fact demonstrate that they’re not building things using secure practices, then ultimately misrepresenting things to the government is something that absolutely should potentially carry consequences.
But ultimately, we think that this is going to be a critical lever, and that industry is going to rise to this challenge, right? We’ve already seen so many pledges and attestations that industry has been using to more greatly. So we’re going to continue to evolve this living framework, right, as it should be.
And NIST constantly works to make sure that they update their guidance based on best practices and the emerging landscape of both technology and threats. So I think we see this much more as just accountability, and goodness for those vendors that do adopt and use it. The good and secure actors deserve to be rewarded for using that.
And then also the American people deserve to have stewards of their resources put in some level of assurance, and insurance, that when we’re using this software to provide critical goods and services, we know that it was done securely.
Steve: So Carole, let me jump in. I noticed that post-quantum cryptography figures prominently here, and that has also been a focus of this administration for the entire four years; frankly, it was an early topic that came up.
And this is a train that’s coming down the track, and we’re not quite sure when it’s going to arrive. When it does, it’s going to have an immense impact on how everything works, because either we’re going to beat the quantum-relevant computer, and we’re going to have post-quantum-resistant cryptography in place and secure communications and secure data storage, or we’re not, and we’re going to be in serious trouble. And then also, everything that has been encrypted up to this point, that is sitting in data stores elsewhere and perhaps has been stolen by adversaries, that information can be quickly decrypted and made use of.
And so it’s kind of a scary scenario that folks are having a hard time getting their minds around. So the focus of this executive order is on implementing some of what has been coming out from NIST, and I see references to Transport Layer Security protocol version 1.3. How is this going to posture us?
Do you think we’re going to beat that runaway train? And what does the future hold?
Carole: We’re certainly making sure, and President Biden is helping to make sure, that the federal government is taking all the necessary steps that we can to try to get ahead of that train, right? Whether it’s been, like, through national security memoranda and policy setting out to make sure that we are competitive in the quantum computing space, but also doing things like inventorying where we rely on certain kinds of encryption that needs to be updated and modernized.
There are critical foundational steps that we’ve done to try to make sure that we know and see where we need to be, focusing our future modernization and tech efforts and also driving competition. And then here, making sure that now, after NIST has published the first ever standardized post quantum cryptography algorithms that are resistant to a potentially cryptanalytically relevant quantum computer, or a CRQC, in the wake of all of that, we need to drive very specific measures, like you said, like implementation of TLS 1.3, which is really going to be the first TLS protocol that’s going to actually implement post quantum cryptography, and then all future versions will have post quantum cryptography embedded into them. So we need to make sure the federal agencies are implementing that, and are relying on only that and future versions as a critical step.
So we’ve identified a couple of concrete, very specific measures here. We’ve also required the development of a list of products: as more and more evolution comes in the PQC space, with PQC relevant and quantum resistant cryptography being embedded into different types of goods and specifically in tools, as those become available, they’re going to be published on this list that federal agencies can use for their procurement. Because basically, as soon as a tool is widely available that actually integrates quantum resistant cryptography, then we need to make sure that federal agencies in their solicitations are now only relying upon those kinds of tools that meet that call to be quantum resistant and to integrate quantum resistant cryptography.
So, as we require that kind of implementation, as well as some of the other steps where we tell agencies to transition to either PQC or hybrid encryption and key establishment over time, all of these as soon as practical, we’re telling agencies what some of the more concrete and deliberate steps are that they need in order to be able to meet that initial objective that the president had set out.
And again, that’s going to absolutely cross administrations and be an issue that’s going to be relevant to agencies, regardless of power parity and who’s in charge. Quantum is coming. So we need to take the meaningful steps that are needed to ensure that we can actually drive the migration over into the technologies that are going to help us be able to compete and better secure our information.
And that’s really important because, like you mentioned, there is the potential threat of what happens with data that’s stolen now, but that in the future, with a CRQC, there is the capability to be able to decrypt. All of this protected and sensitive data, if you think about it that way, that means that every year you’re making a decision to not invest in this. And on the industry side, this is going to be especially tough, especially where regulatory obligations don’t necessarily exist yet.
Or where industry is just going to take a really long time because some sectors that rely on other sectors, you’re going to have to do sort of phased and iterative implementation and engagement. It’s going to take a while to figure out, like, which are the tools and solutions that can implement this first?
What is the right phasing of the level of IT modernization that you need to put in place? Where are the resource investments for the budget? All these things are going to be processes that take five years, ten years to be able to migrate. We’ve seen that with other types of IT modernizations, which is why there’s no time for hesitation.
We need to be able to just take initial steps now, and I’m glad to see that the federal government is set on this path. And hopefully, in follow up to Megan’s earlier question about what is in this for industry, I think that this highlights what some of the key steps are that industry can also be taking and where the federal government can really take the leap.
Steve: In this section, there’s a little note about FedRAMP and the cryptographic key management controls that need to be in place for cloud infrastructure. And that’s suggestive of a major incident that happened not too long ago. I’m glad to see that there. It completely makes sense that one of the FedRAMP controls is effective key management policies, but I’m glad you got this in. Any very quick reflections on that?
Carole: Cloud services are some of those centers of gravity, right? Kind of like the software vendors that we talked about before. Any sorts of managed service providers, including cloud, are critical services that are necessary and very helpful. And there’s a lot of greatness that comes from using them; obviously software vendors and managed service providers and cloud services are experts in what they do and what they provide.
And you get a lot of efficiencies that can come from using those services, but if they’re not delivered and managed securely, then you have a major issue when you have this greater concentration or use of services. I know I mentioned before how this EO really is pointed at trying to deliver benefits, not even just for federal agencies, but pointed at those center of gravity capabilities and services that are also used across industry.
So in this case, it’s another investment in making sure that cloud services are using the right best practices and emerging technologies that absolutely exist and that are needed to better secure the sensitive data that they use and that agencies rely upon critically. So cloud security and proper key management, similar to software, are things that have been at the heart of several major incidents, and we need to make sure that all those services, again using that lever of procurement, are meeting those best practices that industry has identified and that the federal government can and should be relying upon, if we’re going to do business with these services in order to host really critical and sensitive data, in some cases national security data and functions, right?
All of us have worked at those kinds of agencies and services. We need to make sure that that information is critically protected, and key management is a key area of that.
Megan: We unfortunately know that it’s not just China who’s wreaking havoc on a range of systems, not exclusively federal systems, and while those are largely the target of this EO, there’s another section in the EO that touches on a topic that we’ve also had a chance to work with you on, Carole, and that’s the subject of ransomware.
So, I think we at IST, as the conveners of the Ransomware Task Force, but I suspect other members of the Ransomware Task Force too, were quite pleased to see the section around additional steps to combat malicious cyber activity. So, it appears as though the scope of the sanctions has expanded a bit to include what I think is in there, which looks like access brokers, and maybe those providing goods and services to sanctioned entities.
I wanted to see if you might unpack this a little bit for us. What should we take away from this section?
Carole: I love that you brought this up because, as you mentioned, I know IST has been absolutely focused on areas like disruption of ransomware for years. And then I also, when I was first at the NSC back in 2021, was standing up the counter ransomware campaign.
And you’re right that this issue of ransomware is the most pervasive form of disruptive cybercrime that is targeting Americans and critical infrastructure, and is often perpetrated by malicious cyber actors that are operating inside of jurisdictions that are refusing to take necessary steps to combat that illicit activity that’s emanating from their jurisdiction.
And it’s irresponsible. That issue of ransomware is such a core concern for me. Also, having come from Treasury, it’s at the nexus of cybercrime and financial crime. So ultimately, it points to why I love that President Biden decided to support, inside of this executive order, also driving the next phase of evolution of making sure that we can take necessary steps to hold these malicious actors accountable.
So like you mentioned, the changes and adjustments are helping us be more effective and efficient in our targeting of malicious cyber actors, whether state actors or non state actors, as we see in different sorts of contexts, to be able to target them in this dynamic threat environment.
You mentioned there are explicit call outs to ransomware activity, and you’re right. Those kinds of enablers for ransomware are not necessarily just the cyber actor or the person who’s pushing that exploit onto a network; the broader ransomware as a service economy has a lot of different types of facilitators, whether on the financial side or the recruitment side or the HR side. The level of sophistication of these ecosystems has just continued to grow and involve specialization and a variety and scope of activities that are all supporting it.
And we needed to make sure that, given the really dynamic threat environment and that evolution and sophistication of the threat actors, the sanctions authorities and our disruption levers also evolve and also become more effective and sophisticated. And so that’s what’s seen here. I’m really thrilled about this particular measure, and it, of course, strikes home for someone who is former Treasury, and I’m very excited for my OFAC partners and their ability to use this to more effectively hold accountable and disrupt malicious cyber actors that are targeting Americans.
Steve: Great, Carole. Thank you for that. Certainly, ransomware is something that’s impacted one way or another almost every American, with hospitals going down and all sorts of things. So great to put more pressure on the bad actors for sure. Let me pivot quickly to AI, and AI and cyber, as I mentioned, where we are big fans of this topic, as we completed our report in October on AI and cybersecurity. Oftentimes people talk about AI in the context of the downsides, the ways that it’s going to create problems or generate risks, and I see in here that there’s a discussion of the positive uses of AI in improving cyber defenses.
And so I’m glad to hear that, because there’s a lot to be done and there’s a lot of efficiencies to be gained there. Can you talk about what this does? I see reference to a pilot and references to the energy sector. So how did that come about and what are you hoping comes out of this?
Carole: I love this section because it really focuses on both driving and improving greater security in AI and then improving security with and through using and leveraging AI and emerging technologies.
So first, the pilot that you mentioned, which is a really exciting effort that the Department of Energy is going to have underway, builds on a prior pilot that DARPA, the Defense Advanced Research Projects Agency, a very cool part of DOD that created the internet and also does lots of other very cool projects, had underway.
They had this AI effort and pilot that they had launched last year and had worked to look for and drive and promote developments and use of AI applications to support things like cyber security. And now we want to leverage the lessons learned from that partnership that DARPA had launched.
We need to use that and take it and turn to the critical infrastructure sectors that are at the heart of targeting by malicious actors like Volt Typhoon and other PRC cyber actors. The federal government has announced that the energy sector is at the heart of a lot of targeting by state actors for pre-positioning on critical infrastructure in the wake of a potential future conflict.
That means we need to, I think Anne has said before that the adversary sets the pace. Okay, so we need to keep up, and we need to evolve and advance our ability to use and rely on critical emerging technologies to advance our capability to keep pace with potential adversarial use of AI, and also just leverage the positive benefits that you get from really advanced artificial intelligence and machine learning capabilities to do things like detect anomalies and be able to support potential automated patching and vulnerability management. There are so many great potential applications of AI for cybersecurity that many cyber vendors have already been experimenting with and using.
We need to leverage those, the emerging, the cutting edge of this technology. Again, we’re seeing the lessons learned from that DOD pilot that was originally starting, and now we turn to the energy sector, a really critical sector that almost every other sector relies upon. Right.
Everybody needs electricity. So this is a great high impact sector that’s also at the heart of being targeted by illicit actors. We’ve seen it in the case of ransomware, right? Right as I started at the NSC the first time, it was Colonial Pipeline. So we absolutely see that the energy sector is a critical one that’s being targeted by illicit actors, and it also has a lot of interest in and is already using advanced technologies, but we need to make sure that the cutting edge lessons learned from the other U.S. government efforts, where we’ve been promoting R&D with industry, are used now to benefit critical infrastructure. So this is one of those firsts.
There’s a few other good things in there too, like we’re prioritizing research, R&D and funding, to support more advanced frontier models and others that will be able to support cyber security applications. And then also, I mentioned security in AI: we’re requiring agencies to integrate into existing processes, like for vulnerability management and cyber incidents, when there are issues on AI security and AI vulnerabilities.
We need to have a process for things like reporting and to be able to manage and mitigate those vulnerabilities. So there’s a requirement for agencies to integrate that into already existing processes where appropriate or create new ones where they’re needed. So, some really great efforts here, both to improve security through using AI, but also to promote greater security in AI applications.
Megan: So, to take a slight step, perhaps, into a different section, there’s also a discussion about the Cyber Trust Mark, and so thinking about, again, the government’s procurement power. And I know last week at CES, the FCC and the White House rolled out the implementation of the U.S. Cyber Trust Mark, which some of you may know was Steve’s baby, and even a few years before that, someone else on this podcast, who is not Carole or Steve, wrote a paper about using something called Security Shield, which was essentially a Cyber Trust Mark.
I, of course, was very pleased to see that this thing finally emerged, and kudos to you and Steve for getting it even further than I had. So tell us a bit about the role of the Cyber Trust Mark and procurement, again in thinking about IoT devices and their security.
Carole: Absolutely. And I know that this is such a key issue for Steve, and for NSC cyber leadership it continued to be a real cornerstone.
And I think that it’s really evident in this order, right, is this doubling down on saying, okay, we have launched this program to better drive and improve trust in cyberspace for consumers, so that when consumers purchase and acquire consumer IoT, or Internet of Things, devices, they know that if there is this mark from the government, kind of like the Energy Star before, on these consumer IoT devices, how trustworthy this device is, at least in implementing XYZ critical cybersecurity measures, basic cybersecurity measures, some of which will probably be part of a living framework that will continue to evolve over time based on the threat landscape.
But through this program and this process, it creates a way for consumers to know and trust the devices that they’re procuring and relying on. Again, because you can’t avoid the internet now, right? So much of commerce is e-commerce. Americans, how much time do you spend on the internet every day?
We need to know that when we’re purchasing routers or baby monitors, goodness, the incidents, we need to know that our IoT refrigerator isn’t something that’s going to be then used and leveraged in a DDoS attack against my neighbor. There are basic security measures that need to get put into place to help make sure that the things that are part of our daily life are not being exploited and targeted by illicit actors that are trying to invade our privacy and leverage and harvest secure information.
In order for their uses to further exploit Americans and conduct fraud, or to extort people because of the sensitive information that’s on them, we need to make sure that these devices are secure. So in this case, this is the federal government now being required to take that next step, that next evolution and down payment on the initial steps that had already been underway over the past few years, to make sure that when the federal government, with that procurement authority, purchases a consumer IoT device, we’re only using those things that have been certified to include those very basic cybersecurity protections. Americans deserve that. So do the agencies that Americans rely upon. So we’re going to make sure that that’s the case by 2027.
Steve: Certainly excited to go to the store, or go onto Amazon, and find products that I can sort through that have the Cyber Trust Mark, that shield and the name.
So, exciting time. I think it will be a real service to consumers. So we have time for one last question, Carole, and we noticed that the National Cyber Director is specifically called out in several sections, and I know that there were growing pains this term, as the National Cyber Director’s Office was new and there remained questions of its role vis a vis the National Security Council.
Does this document clarify that and what do you think the future holds?
Carole: The Office of the National Cyber Director was a critical partner in the creation of this executive order. In fact, there are many key initiatives that they have been the main driver of. And you’ve seen it in the national cyber strategy.
You’ve seen it in major papers and reports and initiatives that they’ve been driving, including on things like BGP and encrypted DNS. I mentioned that some of the things that I was most excited about are things like securing the internet that we all rely upon and where the federal government is one of the operators.
A lot of their efforts are absolutely part of the thumbprint here. So I’m very grateful to ONCD for their partnership and their commitment. And there are some very key roles they’re going to play here, including on space. Again, ONCD is present on all my favorite things in this order. They’re going to do a study and an inventory of space ground systems, and look to see where space ground systems operate as major information systems, and look to what extent they fall underneath FISMA requirements or what other cyber defense measures need to get put into place. So ONCD, just like many other key cybersecurity agencies, whether it’s GSA, OMB, CISA, they’re all woven throughout the whole order. I do suspect that ONCD will continue to grow; I know we’ve stood it up over the course of this administration.
And so much has happened, including a lot of people that we worked with at the NSC have spent time over there. And I’m confident that the next administration will continue to drive that evolution and the setting out of different responsibilities and their roles.
And I’m definitely looking forward to seeing what continues to come. And I’m incredibly grateful to ONCD for their partnership on this. They were really invaluable.
Megan: Thanks, Carole. I know that was, I think, our last question. So, again, thanks for making the time to come talk to us. I know it’s a busy day and it’s a busy time at the end of this administration.
So, just congratulations to you and the team on getting this executed. The lessons learned, I think, in this executive order, some are saying the last, maybe, maybe not, which has a lot of great stuff, not just for the federal government, but really, I think there are opportunities for industry, not just in serving government, but also in serving and competing and innovating against each other and with the market levers that you described through our conversation today.
So, I appreciate you and your service to the government in so many different roles over the years.
Steve: It was a fantastic conversation, Doug, and good luck as we approach Inauguration Day. [00:45:31]
Carole: Great. Thank you guys so much. Really appreciate it. What a wonderful way to end my second term here. It was wonderful. Thank you both so much for the conversation.