[00:50] Software Systems That Are Secure and Reliable
Rachael: They help government and industry organizations develop and operate software systems that are secure and reliable. They are the center of the cyber universe, and I am so excited to get this conversation picking back up. So now, let's get to the point.
Eric: I'm going to summarize those quickly. As I'm thinking through it, I was making some notes. Really, you brought all the federal CISOs together. You built the team, right upfront. And then, the second piece around multi-factor authentication. If you started in 2003, it's a core pillar of most zero trust architectures today, which started in 2010, which didn't get popular until 2018, maybe?
Eric: Like, really adopted, but you basically built the measurement, or the dashboard to, I don't want to say shame people, but show progress? To really drive a focus on it, across the team.
Greg: We were able to paint the picture that because of the lessons learned from the OPM breach, this could really make a difference. And if we didn't do it, then we were opening ourselves up to a repeat performance by the same or another bad actor.
Eric: Yes. So you built the team, you built the visibility around it, you tied it to something that was critically important. The cybersecurity of America's organizations, really, DOD IC.
Greg: Protecting the people's data, that's what we were doing.
A Lesson for People
Eric: That's your 30-year Air Force career, all those experiences. Like you said, you didn't come into the job, not having that background, bringing that together to lead from the front. That's impressive.
Rachael: That's fantastic.
Greg: Oh, thank you.
Eric: Looking back on it, that should be a lesson for people on how to start something new. And drive to results at a scale most of us can't even comprehend, but will certainly never approach. Meaning the government of the United States of America, that's a pretty big effort there.
Eric: What would you have done differently, while you were there? You're the first CISO of the United States of America. What's one thing you would have, "If I could do it all over again, I would have gone down this path, instead of that path?"
Greg: I really haven't given much thought to that.
Eric: That's why we're here today.
Greg: Yes. That's just not part of my ethos. Maybe it's the Air Force part of me. I got a wingman who makes sure that what's behind me is covered. I'm looking forward as the flight lead. I'm really proud of the work that my team did.
Greg: I'm proud of the fact that we still have a federal chief information security officer, and that it continues to be magnified in importance. I think that as we take a look, moving forward, more and more organizations are seeing the value of having a chief information security officer. To focus on, not just the systems, but the data itself, and protecting the data. And the shot clock ran out on me.
Securing and Understanding the Data
Greg: But as we were looking at my strategy for the federal government, securing the data and understanding the data itself was a centerpiece, the keystone of that all. And we didn't have chief data officers back then. I think, if I could go with Mr. Peabody into the Wayback Machine, I would have told the President that we needed to have chief data officers in every department and agency.
Greg: But at that point, we had the throttles fully up. We're pretty proud of what we did when we were in service, my team and I. But in retrospect, now that you've mentioned it, we probably should have pushed for chief data officers to be more prevalent back then.
Eric: Well, we do see a good bit. And I agree with that. I think it's a great thing. We are seeing a lot of organizations talk about high-value assets. I'm starting to hear them talk about risk. Where if you took me back, I don't know, five-plus years ago, everything was on a level plane. Everything was, "We've got to protect the whole organization from everything out there." And I think people are starting to realize that that's not very plausible.
Eric: That you can't protect everything. But with high-value assets, where are the crown jewels, and how do we protect them? What is the risk to this data, or this program or this mission? We're starting to see a turn there, which, I think it sounds like it originated from those first years.
Identifying the High-Value Assets
Greg: We did, with the Cyber National Action Plan, and I was on the executive steering committee on that. We went and we tasked all of the departments and agencies to identify their high-value assets. And we had to train them to think, what is your high-value asset?
Eric: What year was that?
Greg: I think, '15.
Eric: So I'll tell you of my experience. I was at a Department of Justice meeting. It had to be about, probably early '16, late '15, early '16. And I heard the term high-value asset for the first time, which wasn't very government-like.
Greg: Yes, we've been using that term in the military all the time so we would have priority resources. As a base commander at Keesler Air Force Base, where I had 18 C-130Js, I had four C-21s. I had a major regional hospital, I had the flight line, where the hurricane hunters would take off and land.
Greg: I knew I had Priority A resources that required armed guards, 24 by seven. I had Priority B resources that needed to be restored within two, three hours. And then I had everything else, Priority C resources. We knew what our high-value assets were, and we apportioned our resources accordingly. So here you get this military guy that comes into DHS, and is running the end kick.
Greg: And is part of that effort for the Cyber National Action Plan. Identifying the high value assets was a no-brainer. I mean, we needed to do that. There's a great quote from Frederick the Great, which every war college graduate should remember. Frederick the Great supposedly said, "He who defends everything equally defends nothing."
[08:30] Changing Mindsets
Greg: What we wanted to do is to apportion our cyber defenses in an intelligent manner. So we actually tasked every department and agency, "Identify your high-value assets." We trained them to understand, it's all about the data. But you also have to factor in, where does that data reside? Where is it processed? Who inputs it, who archives it, all of the above.
Greg: But we were trying to change the mindset, so that we understood the value of the data and where it lived. And then, from there, we could better apportion and allocate our defensive resources.
Eric: I think I'm saying in 2016, that was the first time for me, from an IT or cybersecurity perspective. I really hear clients, customers start talking about it. And I agree with you, from the military side, it's something that's been ingrained in the system. But from the security side, I didn't hear them thinking in that way, prior to that.
Greg: Well, we were bringing it in across the federal government in '15.
Eric: Well, a lot of talk.
Greg: I'm pleased that it's now part of the modern lexicon.
Eric: In fact, at CERT, you've got an enterprise risk and resilience management capability. So I hope that's thriving.
Greg: Absolutely. As a matter of fact, we're having a bunch of government agencies, not only the DOD, but DHS and other government agencies that are asking us, as the federally funded research and development center, to come in and help them understand their risk and resilience model. And we've got the copyrighted CERT Risk and Resilience Model, that helps them better understand where the risk exposure is.
The Cyber Risk Assessment Tool
Greg: Our cyber risk assessment is a tool, that we come in and we help unearth, just by question and answer. And some on-site work that we do, we help them understand where their blind spots are. But also, we just don't basically say, "Okay, so here's your risk. Bye." We help them understand what types of controls and countermeasures, business process improvements they can use, to better protect the information that they're trying to protect.
Eric: Do you see that folding in with concepts or certifications, like CMMC. Or do you see one as more compliant, and one as more as, risk and resilience of the business?
Greg: Boy, that's a loaded question these days.
Eric: Don't mean to set you up, I'm just curious.
Greg: Yes. I think that what we're doing with the CRA, the Cyber Risk Assessment, that leverages the CERT Risk and Resilience Model, is a very proactive means of assessing what your risk exposure is. Then it also provides you, as an organizational leader, a game plan for how to address those risks. To make your organization more resilient.
Greg: My students at Carnegie Mellon, because I teach at Carnegie Mellon as well, they say, "Hey, Greg, how do you define resilience?" I kind of jokingly say, "Well, I grew up in a household with a bunch of brothers, and I attended parochial school. And for us, resilience was being able to take a punch and keep on going." Eric, you're from Philly, you'd probably take the Rocky Balboa model.
How Winners Are Found
Greg: It's not whether you're going to get hit, it's about how hard you get hit, and keep on going. That's how winners are found. When we go in, we're being proactive. I think what we're seeing now, not only in the government, but in the industry is, there's a thirst to be more proactive than reactive.
Greg: You don't necessarily want to wait for a breach or a ransomware attack. You want to be able to identify your weak spots, so that you can make a value and risk-based decision as to how you want to protect against the threat environment that's out there.
Eric: That is the dream, for me, anyway.
Rachael: But we talk about that all the time, right?
Eric: We do.
Rachael: Have more of an offensive versus defensive strategy. I know you feel that private companies shouldn't execute that. That should be a government thing, but you got to get ahead of it. And it kind of leads me to this. I can't stop thinking about ransomware, Greg. I was looking before we got on the call, and what have we got? Fujifilm, Steamship Authority, McDonald's, JBS, New Zealand hospitals, Lincoln.
Eric: I mean, going on and on.
Rachael: Exactly, go on and on. CNA Financial, $40 million in ransomware, paid. Now I'm seeing these stats from former CISCO CEO John Chambers who said, "We can expect 65,000 ransomware attacks this year." I mean, how do we get ahead of this? And the search perspective about sharing information. I feel like that's got to be somehow key here, on how we finally get ahead of this. But what are your thoughts on this really scary, hairy problem?
Living In a Bubble
Greg: Well, if it were easy to fix, it'd already be done. I think we're going to have to do a couple of things to buy down our risk. And we're never going to get the risk to zero. Anybody who tries to get risk to zero, you might as well just bubble wrap yourself and stay at home.
Eric: Yes, I was going to say, you're living in a bubble. It's not going to happen. And even then, the bubble could pop.
Greg: That's right. You're never going to get risk to zero. So I think there's a couple of components. First of all, I think that from a public policy standpoint, we really need to make sure that this is identified as criminal activity. And the consequences for folks are going to be such that, our law enforcement officials, in concert with law enforcement officials around the world, we're going to hunt you down. If you are engaged in this, we're going to hunt you down, and you're going to be held to the full extent of the law.
Greg: And oh, by the way, it needs to be more than just a hand slap. It needs to be commensurate with the crime. That show when I was a kid, that was shown on TV, Beretta? And it was, "Don't do the crime if you can't do the time. Just don't do it." Well, we need to make sure, that from a public policy standpoint, and the law, that if you're engaged in this type of behavior, it's criminal. You're going to be held accountable.
[15:39] No Safe Harbor for Criminals
Greg: Secondly, from a diplomatic standpoint, we really do need to make sure that the folks that are able, or that are doing these types of attacks, are not given safe harbor in other countries. That is really difficult to do. If I were President Biden meeting with President Putin, that would be on my agenda of things to talk about, safe harbor.
Greg: But let's also remember, safe harbor goes both ways. If we're going to say, "Hey, these guys are in Russia and they're crooks," well, we got crooks everywhere, including in North America.
Eric: And we don't like to give up US citizens to foreign countries, right?
Greg: Exactly. But it's bad juju, and we should not tolerate the ransomware. Third is, from a best practices standpoint, there's some technology out there that can buy down your risk of ransomware. We know that most ransomware is delivered through phishing or spear-phishing emails. Some are spray and pray, others are very focused spear-phishing.
Greg: Some are even directed towards senior executives, which we call whaling. Where they're coming right in, and they look and smell legitimate. But there are ways, like implementing DKIM, and some other technologies that have been around out there. That can help you filter out those email sources that aren't legitimate, that aren't digitally authenticated. You know, the phantom VM, that comes up looking like it's coming from Acme Corporation?
Greg: But really, it's a phantom clone, that's just there to deliver ransomware. So technologies like DKIM, that needs to go down. We need to be putting them in place. The federal government finally put in DKIM, starting in 2017.
Greg: And we've seen some dips in organizations that have installed some of these countermeasures in place. The third thing on top of that is, we've got to train our people so that they are in fact keenly aware that this is going on. Then the final thing, well, maybe not the final thing, but the last for right now in this conversation is, don't pay architect so that you can be resilient. Don't pay.
Eric: Take away the incentive.
Greg: That's right. If you architect properly, so that you in fact have a pristine copy, and can make sure that ransomware is not in that final gold disk of repository of your data. Then you basically get rid of that whole criminal enterprise's raison d'être. Like Willie Sutton, these folks go to where the money is. And as long as they feel like they have a business model where they can get some money, they're going to go do it. So I think that's an important thing, too. Architect for resilience, and don't pay.
Eric: And there's very little risk to them. If the country they're operating from isn't going to even blink, and they can just spray and pray, and go after everybody until they pull in money, I mean, who wouldn't do it?
Eric: Assuming you have a criminal bent, right?
Eric: It's pretty easy, low consequence, low risk. Again, I agree. I think you've got to take the incentive away, and you get to increase the cost.
Greg: Yes. And there's a lot of folks that say, "Well, for those companies that are paying the ransoms, they need to be penalized."
We Have to Do a Better Job
Greg: No, this is America. We don't penalize the victims, for crying out loud. But we've got to do a better job on multiple levels. In public policy, diplomacy, educating the workforce, and then, architecting for resilience. And I think that will help buy down our risk, and our risk exposure.
Eric: A lot of times, when we talk about public-private partnership, we're talking about information sharing. There's breach disclosure that we've been talking about, but really, we need a public-private partnership on how to handle ransomware. Like, don't pay, but okay, government, are you going to help me? How are you going to help me? How are you going to take that incentive away, and increase the risk?
Greg: It's one thing for the government to say, "Yes, we're not going to pay." Because they're going to just pass on the cost to the taxpayers. But if you're a business person, and all of a sudden you're in gridlock, oh, heck yes, there's plenty of incentives to pay. The thing about it though, is, what, on $11 million that JBS put out there.
Greg: What could $10 million have done? Had they invested 10 million in better security, better architecture, better configuration, that would have had a much longer-lasting and better investment than paying off an $11 million ransom. So, having served on private boards, having served in profit and loss company boards, folks in the boardroom and the executive team of some business need to be taking a really introspective look right now. Saying, "I'm going to roll the dice on ransomware, or I can make these enhancements to my system. So that I can, in fact, take a punch and keep on going."
[21:37] Longer Lasting and Better Return
Greg: That's a longer-lasting and better return, than having to just pray that I'm not going to get hit with ransomware.
Eric: Well, I hope we get there.
Greg: Yes. And as a cautionary warning, take a really good look at your cyber insurance out there. Because not every cyber insurance policy is going to pay for ransomware, or reimburse you.
Eric: I hope we get there. My experience in 25 years now is, whether it's legal, with email archiving where there's a discovery or something, the office of general counsel will pay anything after the fact. They deal with it after the fact. But for the business to invest upfront at a greater level is always more difficult.
Eric: But you've got to go make the case, where once you get hit with something, whether it's a lawsuit, ransomware, you name it, there's no case to be made. Now, it's react time, and business is really good at that.
Eric: That's been my experience.
Rachael: It's so sad, because I could just keep talking about this. This is so fascinating, Greg. It's your insights that I really appreciate. All the great information you shared, and your experience, and what you've seen. And how to break down problems in a way that, you could start cracking them down, making some movement forward. It's very impressive what you've done in your career, and thank you for your service.
Greg: Well, thank you.
Rachael: It's great to have you on the show.
Eric: For more information, people can go to cmu.edu/division/cert.
Greg: Or you can go to cert.org, we have a shortcut there.
Federally Funded Research and Element Center
Eric: That's what I love, simplicity in my life. So find out what CERT is doing. It's a non-profit, correct?
Greg: It is a federally-funded research and element center.
Eric: FFRDC, okay?
Greg: Right, an FFRDC. You can go to sei.cmu.edu for the Software Engineering Institute, and that'll take you to our organization, and then you can drill down from there. But sei.cmu.university.edu, for Carnegie Mellon. When it comes to the CERT itself, you can go to cert.org.
Rachael: It's so easy. Love it.
Eric: Retired Brigadier General Touhill, I am looking forward to a lot more coming out of CERT over the next two decades. I think it's a great effort for this country, and really appreciate what you and the team are doing. That's as close as we've ever come to a commercial on this podcast. But I got to tell you, Rachel, it is absolutely warranted here, the work CERT has done.
Eric: For the world.
About our Guest