Deciphering Cyber's Rhetorical Catchphrases - Mariam Baksh (Part 2)

This week we kick off a two-part series with Mariam Baksh, Cybersecurity Policy Reporter at NextGov. As a reporter on the front lines of security policy as it happens, Mariam shares her perspective on how cyber picked her, the rhetorical catchphrases shaping global perception and cyber responses, and gaining clarity on if or where cyber policy and partisan lines are drawn.

We also cover drawing the line on sanctions, hybrid attacks, the Cyber Diplomacy Act, the roles of standards bodies, auditing and incident response teams, and the potential impact of a low price technically acceptable approach. You won’t want to miss this insightful two-part discussion!

TTP Ep. 132 - Mariam Baksh, Cybersecurity Policy Reporter NextGov

Episode Table of Contents

  • [00:40] This Thing We Call Cyber
  • [07:20] What’s Behind the Pushes
  • [15:37] The Whole Idea of Risk Calculation
  • [20:59] The Right Thing to Do
  • About Our Guest

This Thing We Call Cyber

Rachael: Today, we're picking back up our conversation with Mariam Baksh, cybersecurity policy reporter for Nextgov. We're going to dig into how government and private industry can get ahead of this thing we call cyber. Now let's get to the point.

Mariam: The other thing that I will say is there's so much to this. For example, I went to a conference once where these lawyers were talking about incident response. They basically revealed to me, well, other people probably have known this for a long time, that there are basically two sets of books. When you have an incident response team, these lawyers were discussing.

Mariam: There is one set of records that you have for the regulators for when you want to report to them. There's another set of records, which are protected under attorney confidentiality provisions. Because a lawyer is called into the incident response process.

Eric: Like a cyber infosec info response?

Mariam: Yes. You have an incident. Some kind of breach or something.

Eric: Somebody steals data, whatever.

Mariam: The first thing the incident responders will do is call in the lawyers. Once that happens, you're protected under that attorney privilege. Then you get to select which pieces of information you want to share with law enforcement.

Eric: I'm all tight inside.

Mariam: It's not pleasant.

Eric: That's happening. It's horrible.

Mariam: Which is why the solution has to be live-in auditors. I'll push my point on this.

Live-In Auditors

Mariam: Live-in auditors for any company above a certain size will also reduce paperwork. Because then you don't have to report all this information that's unreliable anyway. You have a live-in auditor who's constantly tracking it. I should become a policymaker.

Eric: I'm just glad FireEye and Sunburst actually disclosed because imagine where we would be if they hadn't done that. That is just crazy to me.

Eric: The Biden administration. If you could tell them any one thing on infosec or cyber, what would it be? Based on your perspective, what you've observed over time? Just one thing. You're going to have to stay on select here.

Mariam: What's the one thing I would say to the Biden administration?

Eric: One piece of advice. Based on your observations, what guidance might you give them? See, the audience can see this isn't scripted here. We actually just have real discussions.

Mariam: I would say approach requests from industry with scrutiny and stay strong.

Eric: Do you have an example?

Mariam: For example, what I was talking about before with ITI and the letter about the standards and the executive order. For the longest time, going back to the Obama administration, there has been this huge effort to keep everything voluntary.

Mariam: To sort of make all these concessions to industry. Honestly, in my opinion, and I know there are people out there that probably hate me for these. I don't think that's been working.

Mariam: People will say, like the CSF, the Cyber Security Framework, they discuss this as like a landmark framework. It's been so successful. But what is the metric for determining that success? Or for claiming that success?

Make Sure You’re on Solid Footing

Eric: Is there a metric?

Mariam: Exactly. I put this question to, I forgot his name but he's the head of the NIST information security program. He was like, yes, that's a hard question. They haven't really figured it out. So if you're going to make that claim or you're going to base policy on that claim, you should at least make sure that you're on solid footing.

Mariam: A lot of people will say if you're following the cybersecurity framework, you're A-OK. But again, what does that mean? Like the CSF, the Cyber Security Framework, at this point has almost become one of those rhetorical devices.

Mariam: But when you break it down, and people in the know will tell you, the CSF is not a standard. It's a collection of controls. A framework of controls that the implementers choose which controls they want to put into their systems. You could say based on risk, and the risk includes business risk.

Mariam: You could say, it's a risk to my business functions. I won’t be able to spend enough time doing the business function if I spend time putting in such and such controls. So I'm going to take that risk. Totally up to you. I'm going to take that risk and I'm not going to put in these controls.

Eric: Or I don't have risk here, therefore I'm not going to do something.

Mariam: It's a totally subjective exercise. But at the end of the day, somebody, a policymaker, can ask you, are you using the NIST framework? The cybersecurity framework? The person can say, totally. Not having implemented a single control, that's what it comes down to.

What’s Behind the Pushes

Mariam: That's what I want the Biden administration to really look hard at what it means, what's behind these pushes.

Eric: Do you think they will?

Mariam: I hope so. All of what they've said so far around the coming executive order sounds good. It's the right thing that they're saying in my opinion. Someone from the administration came on, Jeff Green, he used to be at NIST. Now he's in the National Security Council working with Anne Neuberger and company.

Mariam: He was talking about the development of these standards. How they're going to choose the standards that they're going to be asking the software industry to adhere to. It was sort of the same thing that we've heard before. Like, we want NIST to be in control and we want the industry to be at the table.

Mariam: I think that's fine too. But I think they need to stay strong in terms of saying, this is mandatory, not voluntary. Because what good is an order that isn't ordering someone to do something?

Eric: It's like an unfunded mandate in the government. You're supposed to do it, but you don't have any money. People just don't do it because they can't. So let me flip it on you then. What about for vendors, what would you tell the industry if you had one thing you could tell them to do?

Mariam: I would say take a long-term approach to what you're doing. The argument that industry itself often makes is we don't need the government to give us any mandates. It's in our interest to abide by rules so that we don't get hacked and we don't lose credibility.

Companies That Get Hacked

Mariam: However, we have seen companies that get hacked. Target, you name the company, and they rebound from this in the market days after. So there are studies on this. I can't remember the exact studies now, but there are studies on this. Those companies are still thriving.

Eric: Equifax, Target. You go down the list. Who's actually paying the price?

Mariam: Right. So when you talk about loss of reputation, I don't think that that's a credible point. But in terms of their long-term sustainability, I would tell them, and this is kind of an optimistic approach. I’d tell them, look, people are paying more attention and you should get out in front.

Mariam: Get out ahead and show the example. Support some of these measures that the government is considering in a full-throated sort of way. That's what's going to give you a good reputation.

Eric: It's expensive. Where does the money come from? I'm involved in some of that here. We're talking millions of dollars to change things so that you can meet audit requirements or you can do something. Our business is on GovCloud. It just costs more to run on GovCloud than it does standard AWS.

Eric: We're doing it, but we've got to raise prices to support that. That's the way it works. So there's a balance there. I'm not arguing with you at all. I'm in agreement, but there's a balance. It's a tough one. These are some tough problems.

Mariam: It costs money.

Rachael: But don't they have a list though, a hard problems list that they update?

Blaming the Victim

Eric: We should do a hard problems podcast list? We take an hour to read off the problems list one day if we put it together.

Mariam: At this point, I'm not going to wait for your question about blaming the victim. This is a good opportunity to talk about that. And this is going to sound harsh, but in terms of it costing money. You asked about the journalist's responsibility to look at this. Or to approach coverage in a lens that's not blaming the victim. My question is, we've got layers of victims here.

Eric: And repeat victims.

Mariam: And repeat victims. So when you talk about victims, are you talking about SolarWinds? Or are you talking about their government customers? Are you talking about the government employees? All of the private sector employees that were compromised? Or their customers that lost their PII that might now be on the dark web?

Mariam: So what is your obligation to the victims at the very bottom of the line? To bring it back to what we were talking about earlier with this stuff costing money. Do you have an obligation to stay out of the game if you can't afford to play? In other words, if you can't afford to implement those security controls, should you be in business?

Rachael: We've had conversations too about grades. Like games come with a certain rating. Does that become a factor here? Like what you're saying. You get an A if you're investing and you're doing all the things. You got a B or you have a C for example, when Chick-fil-A came to New York.

Willing to Roll the Dice

Rachael: They didn't pass the restaurant standards, but the line for them was around the block. Because people were willing to roll the dice for Chick-fil-A.

Mariam: They were going to take that risk. That's exactly the way that Anne Neuberger described her push for this executive order. She used that exact restaurant rating analogy.

Eric: I don't think it stands up. When you look at the commercial world, the consumer will typically do what's in their best interest. I don't know that they fully understand what's in their best interest. Like if they got a TV for $400 instead of paying 800, but it had a microphone. It came from Vizio or wherever, pick your company.

Eric: We didn't have assurances that that wasn't remotely operable and people could listen in. Does the average consumer care? I don't think so. They won't even dig the microphone out of the TV or tape over it. I don't think they care. They want to save money.

Mariam: I didn't think I was going to say I agree with you based on the conversation so far.

Eric: We're violently in agreement on a bunch of things.

Mariam: In this case, certainly. Like the Chick-fil-A people, they were still eating that Chick-fil-A, right?

Eric: They want their chicken.

Mariam: And those waffle fries.

Eric: Is that a sanitation concern?

Rachael: It was when the restaurant first opened. There were some sanitation concerns.

Eric: What they were saying was they wanted their dirty chicken. They were perfectly fine.

Rachael: You know, New Yorkers, we love our street meat. So what's the difference?

The Whole Idea of Risk Calculation

Eric: I love a good bread on the cart. I used to go through the city when I lived up there, trying to find the best deal. I’d get dollar hot dogs all day long.

Mariam: I'm sure those rats were all up in that.

Eric: So, we're looking at dirty chicken and we're okay with it. We have a problem here.

Mariam: Here's the difference. When the customer you're talking about is the government, again, to give credence to the whole idea of risk calculation, okay, my purchase of a TV in my living room, probably not as consequential as water safety systems.

Mariam: That's where you have to say and acknowledge. That it would be helpful for the people who are running the water safety system to look at those ratings. If you can't afford to have security processes that meet them, then, you're not going to get that business.

Eric: That's a good point. Although I will tell you, we're hearing in the form of CMMC. There’s a concern where it will drive some vendors out of the business that are critical suppliers to the government. Because it's just not lucrative anymore. As a buddy of mine would say, the juice is not worth the squeeze.

Rachael: But should security be lucrative since it's kind of essential to our lives?

Eric: What I'm saying is, the enhanced cost of security makes it a non-interesting or non-profitable business line. I was at a company once where we were looking at putting some capability into a commercial device. Think of it like a dishwasher or a refrigerator or something like that.

A Dollar Worth of Latitude

Eric: There wasn't even a dollar worth of latitude in the pricing scheme to stay competitive with competitors. The vendor at the time decided not to proceed forward due to cost. Even though they could embed some capability that would theoretically make their IP connected devices much more secure. There was so much of a slim margin there, that it just wasn't worthwhile for them.

Mariam: This is where the antitrust stuff kind of pops up and I find it really interesting. Are there multiple vendors who are supplying that particular service or product for the government?

Eric: That was a consumer product, which had a lot of competitors.

Mariam: Maybe some of them should fall off if they can't afford to meet the security requirements. I'll tell you why.

Eric: The vendor's perspective was, the consumer doesn't care. Therefore, this isn't something we're going to spend money on and focus on because it makes us less competitive. Like announcing that you've got a secure, let's just say it was a dishwasher. It wasn't, but it was close. We've got a secure IP-connected dishwasher.

Eric: If it raises the prices by 3%. It was less than that. But in a competitive market, does the consumer decide that they want the more secure dishwasher for more? Or do they want the less secure dishwasher for a few dollars off? The business we were working with at the time said, we're going to go with the cheaper dishwasher.

Mariam: Well, in the case of CMMC specifically, the customer is the DOD. So are they going to say, we want the cheaper one? The policy that they're espousing right now is that they're moving away from the lowest cost, technically acceptable.

A Race to the Bottom

Mariam: Moving into this new era of having security be a pillar or whatever you want to call it.

Eric: My answer would be, yes, historically. LPTA, low price technically acceptable, in my opinion, was entirely overused and used in the wrong ways. It was a race to the bottom on cost but with that you also lost a lot of things. For over a decade now, I've been in discussions with different government entities about the secure supply chain, about made in America.

Eric: You can talk to the consumers about the mission owners in many cases. In DOD, the intelligence civilian agencies, it doesn't matter. You can talk to them about, hey, we're making this in California. The problem is when you go to contract. There's a component around price. We're weighing this contract, 50% price, 50% on technical acceptance, technical merits, whatever it may be.

Eric: My experience, the price piece, you get killed even if you're the best. In most cases you lose out. Even if the business wants it, they often don't have power over the contract shop. The contract shop is legally obligated to meet, to award to somebody that's cheaper and technically acceptable.

Eric: Unless it says it must be made in America, which I have seen zero IT contracts say that to date, it doesn't pay off. I've never been able to make the business case work out. It's a lot more expensive to do things in America with US citizens.

Eric: I happen to work in a business where it's US citizens 100%. We do have a foreign element, but they're actually segmented off. It's very small compared to our government business. It is entirely business segmented.

The Right Thing to Do

Eric: Our costs are higher as a result. It's the right thing to do with the business we're in. We have to do it. But in most cases, especially around products, it doesn't work well. That's just my experience.

Mariam: It's just one of those things that remains to be seen, like with the implementation of CMMC. It's actually in policy. I saw something in the Federal Register or somewhere that officially said we are moving away from LPTA.

Eric: I've seen reports around that also, which is good.

Mariam: It's just a matter of implementing that policy now and whether the individual program managers and contracting officials.

Eric: I don't want to get too deeply into this, but you're right. There's a ton around that. It's not just moving away from LPTA. A lot of contracts have a price component. Really, every contract has a price component of some sort. But it's always weighed.

Eric: If I gave you a response of $1.3 million and a foreign competitor that wasn't on some kind of do not sell list or didn't have issues. Gave you a 1.1 and we were both ranked technically acceptable. In most contracts, the government is obligated to award them if they're a legitimate business.

Eric: Now, do they value the fact that this was done by Americans in America? Not that I've seen. Is that better? You could argue that too, in some cases. There are people who make good products all over the world.

Mariam: That’s also going to be a contentious issue because ITI, again, a lot of those companies have developers in China in these places where there's scrutiny. But we live in a global society.

The Reality

Eric: That's the reality. That is the discussion I have with these hardcore supply chain owners in the government. It's not 1960 anymore. America is one of many countries in the world that create products. There are more products created outside of America than in America. From an IT perspective, good luck getting IT components.

Eric: We'll buy Dell servers. But most of the components are coming from Taiwan or Mexico or elsewhere. Like you don't even have an option today because it is a global society. We almost have to buy into that and assume the breach, assume products aren't made in America. Like the supply chain just doesn't work that way.

Mariam: Then once you do that, once you assume they're not made in America, then you turn to more nuanced technical considerations, like development processes, like DevSecOps. Like do you have security people on your development team?

Eric: Inspection.

Mariam: Live-in auditors.

Eric: We should stop right here. We're finally in agreement. I love the fact that we were interviewed on this show. Mariam, thank you so much for your time.

Mariam: Thanks again for having me.

Rachael: Thanks everybody for joining us again for To the Point. Smash that subscription button so you can get us every week in your inbox. Have a great weekend, everybody.

About Our Guest

Mariam Baksh

Mariam Baksh reports on the development of federal cybersecurity policy for Nextgov. She started covering technology governance in 2014, during the heat of the Net Neutrality debate and focused her graduate studies at American University on investigative journalism.
