Deciphering Cyber's Rhetorical Catchphrases - Mariam Baksh (Part 1) - Ep. 131
This week, we kick off a two-part series with Mariam Baksh, Cybersecurity Policy Reporter at Nextgov. As a reporter on the front lines of security policy as it happens, Mariam shares her perspective on how cyber picked her rather than the other way around, on the rhetorical catchphrases shaping global perception and cyber responses, and on whether and where cyber policy and partisan lines are drawn.
Also covered: drawing the line on sanctions, hybrid attacks, the Cyber Diplomacy Act, the roles of standards bodies, auditing and incident response teams, and the potential impact of a low-price, technically acceptable approach. You won't want to miss this insightful two-part discussion!
Episode Table of Contents
- [01:12] Deciphering Cyber Is Like Following the Breadcrumbs
- [07:55] Where Do You Draw the Line
- [17:05] Dealing With a Known Issue Versus Deciphering Cyber Issues
- [26:24] Deciphering Cyber Incident That Meets the Threshold
- About Our Guest
Deciphering Cyber Is Like Following the Breadcrumbs
Rachael: Mariam Baksh is here. She is a cybersecurity policy reporter for Nextgov. She's got a front-row seat at all the awesome stuff that's happening today. Welcome, Mariam. I am so excited for this conversation.
Rachael: Your roots are in investigative journalism, which I think is so appropriate, right? When we look at cyber, so much of it is about following the breadcrumbs. Like an episode of CSI, you have to pull it together, but it's incredibly hard work. I'm just kind of interested, what drew you to investigative journalism?
Mariam: I just wanted to get beyond the talking points. You would read articles, and so many of them will say, "Well, this person said that. This other person said this other thing," and that's the article. I'm like, "Well, which one is it? Who's right?" It was just that instinct to want to dig deeper.
Eric: You picked cyber, where attribution is almost impossible. We've got problems everywhere. This is good.
Mariam: I'm so glad you mentioned attribution, that's the biggie. But in all fairness, cyber kind of picked me up more. I did pick tech policy, I was very attracted to net neutrality. That led me to go back to grad school in the first place, and very generally interested in tech issues.
Mariam: One of the things that's so attractive about it is that policy is constantly emerging because technology is changing. So you have these lawmakers who are like, "How do I feel about this?" It's not really clear where the partisan lines are.
Deciphering Cyber Security Is Where the Demand Is
Mariam: For example, some of these competition issues or section 202 issues have people who are on both sides of the aisle. They’re sort of trying to figure out what they want to do with this. I was attracted to tech for that reason.
Mariam: Then cybersecurity is just where the demand is, honestly, in journalism. I was looking for jobs and that's where the jobs were. Initially, I was a little bit disappointed at the thought of having to move from tech more generally to cyber. But it was totally unwarranted for me to feel that concerned because cyber is so interdisciplinary.
Mariam: You've got international relations angles, you've got the antitrust stuff. It’s still there, even though it's not talked about as much. Just the general sort of federal government regulation versus the free market. It's a very dynamic space and I'm grateful to have ended up here.
Rachael: One of the things we were talking about too, as a journalist, is the importance of words and language. There's been a little bit of discussion lately about these rhetorical catchphrases, if you will. Like Leon Panetta back in 2012, Cyber Pearl Harbor, Cyber 9/11. All of this warfare language describes cyber, and over time, when you talk about interdisciplinary as well, you have nation states or countries starting to think about physical responses, nuclear responses to cyber attacks. That seems like a really weighty thing for you to have to move forward when you're doing reporting on cyber. What do you think about that?
Mariam: It's just sort of making sure that you break down the responsibility of the journalist and anybody who's taking this policy or policy making seriously.
Breaking Down the Terms and What’s Behind Them
Mariam: It is the breakdown of those terms and seeing what's behind them. Even if you look at the sanctions that were issued yesterday and you read into it. You read Representative Langevin's statement and you know enough about the history. You know that these intrusions, which the administration has characterized as espionage, are not really out of bounds. They're within the rules of the norms.
Eric: You're saying historically speaking.
Mariam: Today. The US acknowledges we want to spy, too. That's still there. So what was it about what Russia did, according to the administration, that warranted these sanctions? If you read the Treasury Department press release, they're very careful to say, "We did this because of the scope and the possibility for further intrusion. The history that Russia has with these attacks."
Eric: Because we can. Russia could sanction us, but I'm not sure we would care in the United States. We have that weapon, but if you go back to the cold war and a spy ring was detected conducting espionage, you would kick diplomats out, which we did. So to me, that seemed almost aligned, Mariam. The sanctions seem new, but I don't know. Better than launching missiles, at least from my perspective.
Mariam: The other part of it is that this comes in when you look at what's going on. What happened with Iran and the attack there. It's not clear that it was a cyber attack. It might've been explosions brought.
Eric: You're talking about the loss of power over about a week ago, early, mid-April.
Where Do You Draw the Line?
Mariam: It's about escalation. Whether you see a cyberattack as a reason to escalate into a physical attack or vice versa. Language like Cyber Pearl Harbor will cause elected officials and others to say, "God, we got to do something. We can't just sit here, even though we've both been doing the kind of espionage operations." With both, I mean the governments in general, we've all been.
Eric: President Obama talked about a red line. He was talking in the context of Syria, as I recall. How do you look at that as a correspondent in deciphering cyber? Where do you draw the line? Should we have sanctioned the Russians, for the case of Sunburst?
Eric: Should we have expelled diplomats? Was that an inappropriate response? Should we have just allowed them to continue to do what all nations try to do? When do you say enough is enough? Get out of my wallet, get out of my house, get out of my systems.
Mariam: That's way above my pay grade. But I think Obama, in terms of the line that he drew, Obama said, "Don't steal intellectual property. Don't cause physical effects." The spying stuff is fair game.
Eric: Many would argue it is, many would say it's not.
Mariam: Well in terms of what Obama said. Just to answer your question. In terms of the SolarWinds thing, there were sort of new considerations if you will, to factor in, like the scale. It was 16,000, the number the treasury cited, or what the administration cited for where they could have made further intrusion. It's like, maybe that's something that's different about this case that warrants the sanctions. I don't know.
Eric: Many would argue they were responsible.
Deciphering Cyber Codes Within the Laws of the Land
Eric: Dmitri Alperovitch, who has been on the show, would argue that the Russians were responsible. They were conducting espionage. That's within the laws of the land as we commonly accept it. But many people would say the Chinese on the exchange server attacks were irresponsible.
Eric: And we should really address that. What do you think about covering the space? You hear policymakers and you hear experts in this space talk from their opinion side. How do you sort through all of that? It seems so complex, let alone reporting on it.
Mariam: First of all, not all publications do this and it's always annoying. I am always very careful to say alleged or suspected or even go further and say, who is alleging. So way before when the USG, the Uniformed Cyber Group, UCG? When the administration said likely Russian origin, I always quote that very exactly.
Mariam: Attribution is hard, and the FBI will be the first to tell you that these attacks are more and more becoming hybrid attacks. You've got state actors and you've got private criminals. Sometimes the state actors will pay the cyber criminals, sometimes the stuff gets released. Even from the NSA in the past, onto the world and then other actors use it. Then you can also mask IP addresses.
Mariam: I don't want to pooh-pooh the attribution experts at the FBI at all, but I do want to acknowledge. It's important for diplomatic reasons to acknowledge that even when the FBI makes an indictment, they have to say alleged. So in terms of how I handle it, to your question, very carefully.
A Global Policy Coming Together
Rachael: You mentioned the phrase cyber diplomacy, it's something that I'm always interested in as well. We talk about policy, global policy, coming together in the potential of a Cyber UN. What do you think is the way forward here for us to find some common ground globally. Where it's not such a street fight necessarily, but can we find peace in these times if you will?
Mariam: I'm not a policymaker and somebody should pay me for this opinion. I'm joking, of course, I'm happy to give my opinion. Surprise! Journalists have these. I do think that if it's done correctly, cyber diplomacy is a way forward. I don't think that you should be talking about these issues in a silo or in different silos.
Mariam: It should be taken further than what we've had so far. For example, what Representative Langevin and Representative McCaul and others are trying to do with the Cyber Diplomacy Act. They'd have the State Department have an office, a bureau, whatever you want to call it.
Mariam: A place where they're not just handling cyber, but they're handling cyber and issues of trade and human rights. All of these other factors that intersect. You have a better chance of dealing with this in a comprehensive way. I could be wrong, but that's kind of my instinct.
Eric: I don't know that the US or any sovereign nation in the world has the ability to control that like we once might have.
Mariam: I could be wrong. Let's take an example, China. If you want to say, China, you have to do right by the Uighurs in Xinjiang.
Eric: Which the United States is trying to say.
Optimism For the Path Ahead
Mariam: We also want them to stop stealing intellectual property that they've been accused of doing. Is it harder to get them to do both of those things? If you're asking them to do both of those things in the same place at the same time, in the same context. Or is it easier to say it's to separate them out. I don't know. It's a hard question. I'm not a professional negotiator.
Eric: Not my area either. We had an agreement with the Chinese. They've violated that a bunch. I'm sure we’re violated from our side. How do you link those together and get behaviors?
Mariam: So far, we haven't really been doing it. So we might as well try.
Rachael: We had Evan Wolf on and it’s really refreshing because he has optimism for the path ahead. A lot of folks who've been in this industry for a long time, our CTO kind of explains it. It is like pushing a dead horse up a hill. It's so hard now to get things done, but we have to have optimism, to your point, and why you're a reporter. We will find this path forward.
Mariam: The legitimate counterpoint in the China example is on President Trump's attempt to blend cybersecurity with trade. That didn't really go over well with a lot of folks.
Eric: We want our cheap TVs, and we want our whatever's made.
Mariam: The cyber example being when we tried to block the ZTE. He was like, "Well, we'll reverse that if you give us all these cheaper prices on the soybeans or whatever." Congress was like, "No, you can't trade security to get cheaper prices or whatever."
Dealing With a Known Issue Versus Deciphering Cyber Issues
Eric: We're willing to deal with a known issue if you buy our material. Like, we have a problem, but we're willing to overlook it. It's not as big a problem, maybe it is the way to look at it than selling soybeans or pork or whatever it may be. Or allowing American companies to produce in China and then export.
Mariam: Another facet of this that's pretty important is the standards bodies. Having US representation there, not just corporate, but US government representation. This has been a bit of a tension, I think. In general, people have said things like, "Let's have more US involvement in standards groups to combat China." Because China has flooded the standards-making bodies.
Eric: They're smart. Economic security, if you will.
Mariam: That's where the policies are made. If you say, "What qualifies as 5G is such and such thing" and that goes out in the global marketplace. You're stuck with that. It is smart for them to be doing that. People generally in the policy-making space, industry, everybody agrees there should be more US representation.
Mariam: But if you look at ITI, the Information Technology Industry Council, it's always tricky, but these are the big tech groups. In response to the US government's attempt to limit information communications technology that can be used in the US, they have said, "We don't want imports of these ICT supply chain elements to come from foreign adversaries."
Mariam: In response to that and the executive order that's coming, I think it's actually more the executive order. After SolarWinds, the administration said, "We're coming with this executive order, we're going to require more software companies. They're going to have to adhere to certain standards."
A Tension That’s Going to Continue
Mariam: These tech companies responded telling the US government, "We don't want you to get involved in the standards process. Leave that up to businesses." There's going to be a tension that's going to continue to get teased out there.
Mariam: Because policy makers, the community has called for greater participation, US participation on standards groups. But does that mean government, US government participation or US industry participation? That's going to be something that starts to get teased out a little bit.
Eric: It needs a little of both. We need a little NIST and the like in there, but you also need commercial America represented. On the government side, oftentimes you'll observe the government is way out there in the theoretical not practical, or they're not up with the times, and they aren't dealing with the practical.
Eric: They aren't dealing with the future because they're dealing with the here and now. The government, technology-wise tends to be a laggard outside of aerospace defense type stuff, in my experience. Technology-wise, I would say. So I think you need a mix, Mariam. I don't know. That's my experience in a couple of decades.
Mariam: It's probably reasonable to say you need a mix. But there's an argument for the government to spend more time on those bodies, for more of the government to be on those bodies. So that they can be more familiar with the current discussions or debates, including on a global level.
Mariam: Now in terms of the government being laggards, I like to push back on this, sometimes. Especially in terms of cybersecurity, the government tends to get pushed in this corner and dismissed as not being up-to-date.
When Evidence Points the Other Way
Mariam: But evidence points the other way on this a lot of the time. For example, CISA, the Cybersecurity and Infrastructure Security Agency put out this directive on vulnerability disclosures. It sort of pointed the way for timelines, for patching, and a CISA official came out. I can't remember the exact webinar or whatever it was, but there was an event where she came out and said, "Government patching timelines exceeds industry."
Mariam: They're patching faster. If you look at the entities that are getting breached, even OPM. OPM was breached because of a third-party contractor, which is a private sector. So I don't think it's fair to say the government sucks at tech.
Eric: I haven't said that. Actually I have said that, but I did not say that on the podcast today. How about we agree that the government can suck at tech.
Mariam: But so can everybody.
Eric: And when you look at those metrics, the government patches faster. I could agree with that statement in some cases. They don't patch faster than the financial industry. In fact, we have reports, there's at least one, if not several that were saved in the Sunburst breach. Because they didn't update SolarWinds, which was months, almost a year behind. So it really does depend on the context.
Eric: I guarantee the government is not as advanced as the financial industry. They're probably more advanced than the dairy industry. I can tell you, I'm still dealing with mainframes that were installed in the 60s in some cases in the government. In a lot of commercial cases, we've moved away from. In the government, we've moved away from that too. So it depends on the answer.
Deciphering Cyber Requires More Granularity of Data
Mariam: I've asked this. It's a good reminder to follow up on this request for more granularity on that data. I’d love to see which industries are patching faster than others. The final point I'll make about this is SolarWinds has revealed that we don't have incident reporting laws. We don't really know what number of private sector entities are getting breached all the time. However, we do have the government accountability office to see and to report on what government entities are doing.
Mariam: I read those FISMA reports that came out and it's another horrible report for some poor agency. I'm a little sympathetic because it's like, "Okay, well, here are the things that you didn't do. Okay, we'll work on them." But at least they have that accountability mechanism. Who's doing that for the private sector? We have no idea.
Eric: There's a difference between reporting and accountability and disclosure too.
Rachael: This particular topic for me is the threshold issue. How do you set thresholds for that kind of work for large, small industries? I read an article earlier this week that said that banks are saying whatever they've received from the treasury department, they feel it's a very cumbersome notification requirement. They're just churning it out and all this administrative work, and it's not necessarily delivering the data that they're looking for. It's just paperwork.
Mariam: They're going to get into some of those threshold issues now. At the end of the day, there's something that you can't really solve. Unless you have auditors in those places, whether that's government auditors or third-party auditors. All of this information in an incident reporting law is going to be self-reported.
Deciphering Cyber Incident That Meets the Threshold
Mariam: So how do you verify that they're reporting an incident that meets the threshold in the first place?
Eric: We do have auditors commercially for SEC requirements for commercial organizations. That model, it's not my space, but it appears to work. Financial auditors. They come in and they audit the books to make sure companies are following.
Mariam: But are they doing that because somebody is telling them to, or because of their own sort of health?
Eric: They have to. As public traded companies, they have to meet SEC requirements and regulations. So you have an Ernst and Young come in, or somebody, and audit your books.
Mariam: For information security specifically?
Eric: For financials. I'm doing a comparison. That seems to work pretty well in a couple of ways. One, there's a relatively decent level of transparency. Once again, I'm not an expert on this space and I've got a couple of business degrees. But from what I've seen, there's a relatively decent level of transparency. It drives behaviors. I can't tell you how many conversations I am in, not just at my level.
Eric: When I was a sales rep or an engineer, where we can't do that, the auditors won't allow that. Not the business won't allow that. The auditors won't allow that, which drives behaviors.
Mariam: That's a core thing, that you count on having some sort of a verification of those financial practices. Thank God.
Eric: But if we just simply folded some kind of InfoSec disclosure components into the same type of audit. Did you have any breaches? If so, then obviously defining what's a breach? What do we disclose, what don't we? Where's that line?
Are They Telling the Truth?
Mariam: You have to get into the artifacts though. I don't want to get out of my depth here. But again, it's just like asking them, "Did you have any incidents?" No. Yes. The checkbox. How do you know they're telling the truth? That's my point.
Eric: Well, maybe they are if they don't look hard enough. Financials are much more definitive. You wrote an article yesterday about the DOD testifying back to Congress. Senator Blumenthal from Connecticut was asking a question about SolarWinds or Sunburst.
Mariam: Was this me or was it my colleague?
Eric: I'm pretty sure it was you.
Mariam: Oh! The DOD said that they weren't compromised. Yes.
Eric: We're not aware of any compromise basically. I don't want to paraphrase too much. Did we meet the disclosure law? We didn't know anything, so we didn't disclose anything. Is that good, or do we have a level that we need to dig deeper?
Mariam: I don't know, but I do know that there are disclosure laws for PII, Personally Identifiable Information. Again, I don't know how to do this.
Eric: Nor do I. What do we do here? We've got a lot of questions.
Mariam: We should invest in live-in auditors for every entity. Auditors or infrastructure, President Biden.
Rachael: For this week's episode, we're going to leave you with a cliffhanger. Join us again next week as we pick the conversation back up with Mariam. Until next time, thank you so much for listening To The Point. Please be sure to subscribe to our podcast to get new episodes delivered directly to your inbox every Tuesday. Take care, and we'll catch up with you next week.
About Our Guest
Mariam Baksh reports on the development of federal cybersecurity policy for Nextgov. She started covering technology governance in 2014, during the heat of the Net Neutrality debate. She focused her graduate studies at American University on investigative journalism.