[0:32] Part 2: Understanding Cyber Mentality with Katie Arrington
Petko: Hey, Rachael. I love the energy that Katie's got. It just keeps going and going and going. I love this.
Rachael: Agreed. I'm so excited we have part two, we get to continue our conversation.
Petko: We do. And let's get to the point. Without further ado, here's Katie Arrington, part two.
Katie: General Honoré, another book on my shelf that you can't see because I'm on a podcast, do you remember who he was? General Honoré, do either one of you remember him? Hurricane Katrina? He's the Army commander that came in after the government screwed it up for a good week.
And he said, "Keep it simple, stupid." If you have a boat and there's somebody drowning on the other side of the river, and you don't have the authority to use the boat to go save the drowning person, go save the drowning person. This is not hard.
I just really wish all these companies that are supposed to be 171 compliant, and they attest in a contract they are, stop breaking the law and actually do what they're supposed to do. I have to follow the law. You follow the law.
And if you need more money, say it. There's a consortium that I will be releasing at the end of the month that we've hopefully gotten a place where we can fix that, where we're actually taking the MEP network, the manufacturing extension partnerships, who have been given a lot of money from the CHIPS Act and the...
Act to go in and actually work with the manufacturers and small businesses to, instead of telling them what the problems are, bring them the resources to mitigate the problems they're all aware of.
What Would Make Cyber World Better?
Katie: With a wing and prayer we'll get that one off. If you could wave a magic wand and make one thing better, what would it be? What would make cyber world better? Is it money? Workforce? Requirements? All the above?
Rachael: It's all of the above. It's the only thing where I can think of where all boats rise if we can get on the same page.
Katie: Everybody's looking for an easy button, and there isn't. That's the whole point. You can't develop the new thing. DOD thinks that if they create a cloud environment for small businesses to go into and they pay a subscription fee to the DOD to use this cloud so that they meet their criteria. Who's protecting that cloud and my data? The government? They're the last people I'd want watching my stuff. That's not teaching a man to fish.
We have to hold the bar high enough and not make exceptions to actually make a difference. It's like encryption. When I was in charge of all the weapon systems, and the amount of weapon systems that are out there that are unencrypted, because the PM at the time didn't have the time and/or money to encrypt it and they got a waiver. That became the norm, not the exemption.
This NIST 171, that 7012 clause in is to the exceptions. I'm going to dip on the other side. We have to work for the masses, not the fews. In this country, whether we like it or not, "You can't make everybody happy all the time." I'm good friends with most of the folks at the SBA. They agree. They're like, "Listen, we need to raise the bar." That's okay, but just put the resources there. So let them bill more. Right?
[4:49] The Hundred-Year Strategy
Katie: We're now in such a free fall with inflation. What scares me, and this is a economical, eCom, and geopolitical conversation. We raised the federal minimum wage, which people don't realize affect federal contractors. So if you had a firm fixed-price contract that you were working in, and you bid, and this is services, you have a custodial person that you have working and they're only getting 12.50 an hour.
Well, now because the federal minimum wage is 15, you now have to pay them $15 an hour. But you're in a firm fixed-price contract.
There was no relief given. Through all of what's gone on since COVID, none of that 3610 money, I would say, got down to the small businesses. The PPP loans, people didn't use them in the appropriate way. We're seeing that now, our adversarial influence on our supply chain. People don't think it's just by happenstance that China owns what they own out of our pharmaceutical or technology.
It's not like they just sat back and they're like, "Huh, that looks like an interesting company to buy."
They have, and we're going to go back to the national cybersecurity strategy, China has a hundred-year strategy and they stay to it. They don't deviate from the plan. There was a pandemic in the US election year. Did you know that was in their plan? They wanted to be the global domination. People need to read the Chinese hundred-year plan. It's pretty amazing when they talk about the easiest thing.
I could talk for hours by myself, obviously. I talk to myself all the time.
Destruction from Within
Katie: The Art of War, best book ever written besides the Bible. Bible, best. Art of War, second. They go hand in hand. The easiest way to destroy the adversary is from within. And the easiest way to destroy a human being is from within. You make them believe that they have no value, you'll destroy a human being.
Our adversaries have been doing a wonderful job at causing divide in our country that doesn't really exist. Causing supply chains to crumble because they're buying them out so they can't function. The same with cyber.
I've said it a thousand times, and I'll say it again. Hollywood generally sees the problems years in advance of what we're going to challenge. You remember the movie Minority Report with Tom Cruise? Do you remember the Precogs? The three people that sat in the water. That was AI, artificial intelligence.
But in a way you could understand it. It was statistically, if you were born and had all of these things happen, mathematically and scientifically, the likelihood that you would commit murder was higher. It was AI, brought you in a really, “Oh, it's precog.”
The second thing in that movie, and think about that, how old that movie is. This is 20 plus years old movie. They talked about he had to get his eyes replaced. He had to get new eyeballs. That was from retinal scanning. And do you remember, he would get on the train and it would scan his eyeballs? This is 20 years ago, this is all being told to you. Fast-forward, they called out the Twin Towers going down.
I can't remember what movie that one was.
The Silent Sleeping Giant
Katie: There was this movie called Phenomenon with John Travolta and Kyra Sedgwick. John Travolta had a tumor, farmer in rural Kansas, something. He was becoming the smartest human being because the tumor was making parts of our brain that we don't use, come awake. The subplot of that whole movie was him and his best friend, they were both farmers. They were trying to deviate and create this fence because these bunnies kept getting into the farm.
As he is getting smarter, he's coming up with new ways, like blaring music, radio frequency, building it deeper, making it taller, electrifying it. The last scene, he's dying. Kyra Sedgewick is there, they're bawling their eyes out. He says to his best friend, this should be the whole podcast, "We couldn't build a fence high enough or deep enough or wide enough, because the bunnies are in the farm."
You think about it, and you take that to our environments today, China's been in our networks. Low and slow, is their theory. They're a silent sleeping giant. They got into networks. Someone asked me the other day, "What would you do? How would you know if you had been hit?" I said, "Well, you have ransomware, first one." Generally you need network sensors that see the anomalies.
If you don't have that, that's why NIST 171 has that in there, that you have network sensing so you can see the anomalies. But the adversary has been embedded into chips and our systems for so long. I would say there are very few things that they do not know the origins, who's building it, and in them on any program. They come in at the lowest part of the supply chain. They are slow and patient, and worm their way up.
[11:15] Cybersecurity Has to be a Culture
Katie: Ultimately, human beings are involved. As much as we try, we always are the problem. Garbage in, garbage out. It doesn't matter if you get a secured cloud environment, if you don't know how to access it appropriately, you screwed it up. That's why cybersecurity is a cultural thing. It’s not a standard X, Y, and Z. It has to be a culture, it has to be a mindset of what are you doing. You can call zero trust cybersecurity. But I can guarantee you most small businesses will never understand that word and what it means. There's no compliance to it either.
Rachael: What's it going to take to get there, Katie? How do we shift this thinking? I'm a hundred percent with you. How do we get there, though? That's where I struggle.
Katie: Our pain tolerance, sadly, has gone up. This is the part where I keep trying to tell people, the taxpayer doesn't necessarily think about the $200 million that we're losing every day, or the fact that China has the same like capability.
It was only until the aeronautics industry would see that there were parts that were causing planes to go down that they started in saying that safety was something that they were willing to share risk across the aeronautics. If there is a part, a bad part, they say, "Okay, it's a recall." I believe it's only when human life becomes a part of the cyber warfare collateral, second-order and third-order effects, that they'll actually start making the changes. But we've already seen things like this happen and we want to brush it off as accidents.
The Katie Arrington Doomsday Scenario
Katie: Colonial Pipeline, that was passwords. If you ask Katie Arrington today why so many trains are going off the rails, it's because of Huawei routers and switches. There is loss of life. When the forensics on these come back and we start peeling the onion back, then people may or may not. Does Katie Arrington think that two Black Hawk helicopters just bump into each other by accident in training? Absolutely not.
What happened there? You and I will never know. I'm out of the DOD and there are things happening. I think it's going to be the Katie Arrington doomsday bad thing that will happen. Before Sandy Hook, I said to folks in that environment how an adversary would go about. Prior to Sandy Hook, it was several terrorist cells breaking into schools, putting all the fifth graders in the gymnasium in five minutes, sadly, taking them all out.
The first responders would show up, they'd take out the terrorist cell. Then all the terrorist cell needed to do is say, "We've picked 20 schools, 20 new cells today." We don't have enough first responders to be at every single school guarding them. We worked the equations. Within seven days the US would implode on itself because people wouldn't go to school, they wouldn't go to work, et cetera.
I think the next doomsday thing that's coming is the adversary using social media timed with a perfectly planned attack. If a health information exchange had malware inserted to it, example a pacemaker, and it deleted all pacemakers in the health information exchange. Then a tweet goes out on a Monday morning that says, "If you have this pacemaker installed, you will go into cardiac arrest within two hours. Go to a hospital immediately."
People Have Become Complacent and Lazy
Katie: Thousands, millions, of US people would run to emergency rooms. The emergency room would look and say, "But in your log it says you don't have a pacemaker. In your medical record I don't see a pacemaker. We can get you in for an ultrasound, but it might be next week." What will happen? Chaos. That's the type of event that I'm very concerned about.
That's why I don't hold back when I talk to people. You bring and tell me these things, and people say, "Well, that's a doomsday scenario." Kids, what do you think China's after? Do you really think China cares? They use children as labor. They create silica because they don't care about the human element. In the CCP, it's all for the party. If you die for the party, all the better. It's an honor for your family.
We've got to start thinking that our adversaries are going to use these tools against us. And what are we doing in the meantime? Whining to Congress and saying that it's too hard? I don't know. Back in the day, before the Industrial Revolution, you did the risk reduction strategies to make life work. It wasn't easy.
We're so apoplectic and complacent. We want everything to be easy. I have a tiny farm in the back of my house and 20 chickens. I was on the road, we had a freeze, I said, "Please go out and cover the plants." Bless my husband's heart, he covered the plants in plastic and left it on it for two days. He suffocated them. I know, it's okay. I love him still. But can you imagine, take yourself back to being in 1890 and you suffocated the plants. Your family's going to starve. We are so complacent and lazy.
Katie Arrington on Breaking a Cycle in the Government
Katie: Listen, if you all would just focus on the cyber stuff, I'd keep you busy. Don't worry about it. And it's the word, and the media, and I say not journalism, media, because I don't believe there's very many journalists out there. I miss them.
They're selling what will make the most ad revenue, not really educating people on what's really happening. And it's sad. My previous boss, my mentor, is Kevin Feige. I call him the father of acquisition. He was the Assistant Secretary for Acquisition and Sustainment when I was in the DOD. When I first met him, he was the Executive Director of Systems Command for the US Army. What does that even mean, like over all the systems? He is the one that keeps saying, and why we started doing all the things we did during that time in the Pentagon. The Adaptive Acquisition Framework, we created that.
We asked for a new color of money and different requirements because you can't put an earned value management program on software development. Because when is it good enough? Because it's software, it's continually evolving. You can't fit it into a milestone development. It doesn't work like that. And he says, and even today, he's like, "We need to blow up acquisition. We need to stop doing the things that we've done historically for all these years." And the problem in government is nobody wants to be the one to break it. And I broke it. I went in DOD, I was like, "I'll break it. I don't care. It's not working.
The self-attestment isn't working." So why, when critical infrastructure is so under attack, are they willing to accept self-assessment from critical infrastructure providers?
Katie Arrington on the War Game
Katie: Did you know that in February of 2019, Ellen Lord, the undersecretary back then, signed a memo and made all providers of critical infrastructure to any military installation or facility, either/or, they had to be 7012 compliant? Which means they had to be deploying. All attested they were compliant to the NIST 171.
Odd. My first war game, the first thing I did was turn the power off. Really hard to have a war game with no power. Took them a while to figure that one out. You do a war game, you take away their power. It's like, "We can't do a war game." I'm like, "Now you're seeing the problem, right?"
Now you see. You just won. There, you just figured that one out. The second-best thing I did in a war game, and I am not the world's greatest hacker. Let's really be honest, I'm bad. But self-taught. So own it, own it. I told my guys, "Let's just change the algorithm for diesel and unleaded fuel." Just in a small mom-and-pop shop that we're buying gas from for military vehicles.
They supply, they own the contract. Then they sell the fuel to the military base. And they incidentally don't realize that they've put a tanker full of unleaded instead of diesel. It's a mission kill. Any vehicle you put that into the engine's shot.
Those are easy things the adversary can do.
We're worried about, "Oh, it's too hard.” Well, I don't know, it's going to be too hard. You can buy this book, it's by Henry Ray. It's Learn Chinese in 21 DAYS! - A Practical Guide to Make Chinese Look Easy. Put it in your comments below.
Katie Arrington on the Pillar of Acquisition
Katie: You either wake up to our world the way it really is, take off your rosy-colored glasses and stop whining about it and do something about it. Did you ever read Delivered Uncompromised? It's this amazing report that MITRE put out. It was put out in 2018. It's called Delivered Uncompromised by MITRE.
It was sponsored by Information Intelligence and Security in the DOD. The report was phenomenal, but I disagreed with one fundamental part. It said that acquisition had four pillars: cost, schedule, performance, and security. And I argued that cost, schedule, and performance have no value without security.
So it can't be a pillar, it has to be the foundation on which all acquisition is built.
It doesn't matter if you agree to a cost. If you deliver at the cost you agree upon, but the adversary has it, doesn't matter. It doesn't matter if you deliver it on time if the adversary is meeting you at the same time you're at market because they've stolen it. Or the performance that you agreed upon because they got it before and they were able to change their program and it now outperforms yours, what does it matter? And I stayed true to that.
Bob Metzler and I used to fight all the time about that. "No, no, no. It's cost, schedule, performance, and security." No. That's why when we created the Adaptive Acquisition Framework, the baseline of all new acquisition programs is cybersecurity. Because the DOD isn't stupid. They realize that. It's just when is industry going to have enough pain points that they realize what they've lost and how it's going to be hard to get it back.
[24:38] Security, Safety, Zero Trust
Petko: Katie, is it because we call it security? If we called it safety, or if we called it trust, not playing on zero trust. But if you have a contract with a contractor, eventually they might deliver on cost-scheduled performance. I also have to trust them that they're not going to resell this to someone else. I have to trust them that they're going to use the right people.
There's a lot of trust there. And that's the baseline you're talking about. Same thing if you buy a house. You might have got it at the right price, you might be able to get it at the right time, and it has the right number of rooms. But from a safety standpoint, I really hope the water works properly, I'm not going to have a flood in the house.
Is it just because we use the word security, is that the problem? We need to start using the word safety or trust or something. It's bigger than security is what I'm getting at. When you think about cybersecurity in general, we always associate it to just the technical, and it's also people.
Katie: It's like zero trust. That's a strategy, which cracks me up. The basis of electronic warfare, this is the other part of it. And this is from a girl who is not trained in warfare. This is somebody who's been married three times. This is where I get it from. Once you fill a hole in electronic warfare, when you find a vulnerability and you fill it, the adversary just goes and finds another one, right?
NIST 171 Standards
Katie: I'm not smart, I just ate at a Holiday Inn last night. This is really kind of easy stuff. So zero trust, the moment you put out the definition of zero trust, which we did, because we, in America, and this is the part where I don't want to become like China. Full disclosure, though, it's like the CMMC and the 171.
Okay, so you're saying that the 171's hard. So I'm just going to start focusing on those controls above this line, I would say above MFA. I'd just start pounding the hell out of you because I know you're not doing them because you're telling me it's too damn hard. Even MFA. People ask all the time, "Why are you so hard up on MFA?"
I'm like, "Well, because during the pandemic, I watched so many of you use your government-issued laptops for your children to do homework."
Petko: The honesty that we're getting from Katie Arrington is just so refreshing. We're getting right to the meat of this conversation, to the point. And it's speedy. I can't wait for part three.
About Our Guest
Katherine “Katie” Arrington is a former member of the Senior Executive Serves and served as the Chief Information Security Officer for Acquisition and Sustainment (CISO(A&S)) to the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)). In this position, she served as the central hub and integrator within the Office of the Under Secretary of Defense for Acquisition and Sustainment. (OUSD(A&S)) to align acquisition and sustainment cyber strategy and efforts to enhance cyber security within the Defense Industrial Base.
She led efforts that help ensure a secure Defense Supply Chain through the implementation of Trusted Capital vendors and Supply Chain Risk Management principles, enhanced defense industrial Base security and resilience, and establish a common cyber security standard within Departmental acquisition efforts. She also spearhead the CMMC program and served as an information security officer in the U.S. Department of Defense during the Trump Administration.
Arrington was also the state representative for South Carolina’s 94th district from 2016 to 2018, briefly serving with Mace. Prior to entering politics, Arrington worked in defense contracting and real estate development. She is currently the owner of LD Innovations, LLC Cybersecurity. Arrington continues to use her platform to advocate for proper national security measures and inform the public on critical news. She attended Canisius College and Walden University.