[0:47] CISA's Vision to Secure Our World with Eric Goldstein
Rachael: I am so excited, today we welcome back to the podcast, actually, Eric Goldstein. He is the executive assistant director for cybersecurity for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, better known as CISA, as I think most people know it. In this role, he leads CISA's mission to protect and strengthen federal civilian agencies and the nation's critical infrastructure against cyber threats. What an exciting job.
Eric: It is great to be back. So excited to be here on a Friday and we are finally out of summer here in the DC area. So hopefully after this podcast, we can all go for a walk outside.
Rachael: Oh, that would be amazing. I haven't done that in months. So, Audra, you're going to kick it off today. What are we going to jump into?
Audra: So where I wanted to jump off is one, it said that leaders in CISA like security so much that it's important that they put it in their name twice. So in that same rationale, let's kick off by talking about CISA's first-ever cybersecurity strategy plan that you're putting in place for 24 to 26. If you're happy to kick off there, Eric.
Eric: I would love to. There's no first topic that is near to my heart. So it's been a, I think really big year for cybersecurity strategies, right? So we began with the National Cybersecurity Strategy coming out of our friends in the White House in the office of the National Cyber Director and the National Security Council. And that strategy of course really orients our national and even global course for improved cybersecurity, including how we really shift accountability for cybersecurity to those who are able to bear it.
Charting a Course to Secure Our World
Eric: Our agency at CISA, of course, earlier released our agency's strap plan, which outlines how we as an agency are going to work across our partners to achieve our cohesive vision, to reduce risks to both cyber and physical infrastructure. But we recognize that there really was a gap, which is subordinate to the National Cybersecurity strategy and our agency strategic plan.
There's a question of where are we focused in our cybersecurity mission, and most importantly, how do we know if we're succeeding? So we were really excited to release our first ever, as kindly noted, cybersecurity strategic plan, which covers the next three fiscal years and doesn't actually even go into effect until two weeks from today with the beginning of fiscal year 24. And the reason why we structured it that way is that we're making some really ambitious, even audacious steps forward in this strap plan.
Principally because we are for the first time outlining measures of effectiveness that actually will show whether or not national cybersecurity is getting better or worse. And in many ways, whether we at CISA are making the best use of taxpayer money, are doing our jobs in contributing to that positive change. And so some of these are really true outcome metrics, like can we in fact track progress in reduced impact from cyber incidents affecting American organizations?
Some of them are measures that we think are well correlated with those outcomes. Can we track the real adoption of our cybersecurity performance goals? Can we track progress more quickly remediating non-exploited vulnerabilities and adoption of our shared services?
Shifting the Cybersecurity Burden to Secure Our World
Eric: But really we are trying to, as they say in the financial sector, mark ourselves to market here and really hold ourselves accountable to do the work that we say that we should be doing. Most of the content of the strap plan, things like drive secure by design, roll out effective shared services, respond and coordinate cyber incidents. This is the work that CISA does every day, but for the first time, we're putting on paper and saying publicly, here's how we're going to do it. One other point that I'll mention in the strap plan that I'm really proud of is the strap plan contains four principles.
A few of them are things that would be intuitive. Cybersecurity is a whole nation government society mission. But there are two that I think are unique. One is our need to prioritize our resources to have the greatest impact, right? We know that the cybersecurity problem facing our country is enormous in many ways. And unmanageable for one organization to handle alone. And so at CISA, we need to partner but also prioritize.
So we make clear in the strap plan the groups, the entities that we need to serve first. For example, those entities that are, as we call them, target rich, cyber poor, and those entities that are essential to national critical functions. Then finally, we note our principle of achieving impact or failing fast and the need to be disciplined across what's working and what's not working. And if something's not working, celebrate a fast pivot, and move on to something else.
Audra: So could you focus in a little bit on some of the comments that you made around shifting the burden of cybersecurity to those who can bear it?
From End Users to Product Vendors, A Path to Secure Our World
Rachael: What do you mean by that?
Eric: Absolutely. So if we look at the history of cybersecurity, a lot of the focus has fallen upon the end user enterprise, hospitals, small businesses, and school districts. Patch faster, hunt for adversaries, and make sure your users are clicking phishing links. And then when something goes wrong, we look at the victims, we look at the school district, at the hospital, at the water utility. And we say, how is it that you didn't patch that vulnerability faster?
We haven't looked at the technology manufacturers, the product vendors who are delivering products that, had they been designed to be more secure by design and by default in the first instance, could actually have prevented the incident from occurring in the first place. And so as one example, whenever there is a widespread intrusion campaign, the first question is, how many organizations have patched the vulnerability that is being exploited?
And if they didn't patch fast enough, why not? What did that victim do wrong? Well, we know in reality the velocity of new vulnerabilities is more than almost any organization can keep up with. And certainly our organizations like small school districts, and small businesses, there's just no hope.
So we should ask the question, well, why are there so many vulnerabilities to begin with? And are there steps that the product vendor could have taken to eliminate that vulnerability before the product went to market? Or are there stronger default controls that the product vendor could have put in place to mitigate the likelihood of that vulnerability being exploited to cause harm?
[7:36] Secure Our World Through Open Source Software
Eric: Certainly, this is not to say that enterprises have no burden for their own security. Of course, there's a tremendous amount of work that enterprises have to do, but the accountability has been dramatically shifted towards the enterprise. And we think consistent with the national cybersecurity strategy, that recalibration to focus on technology manufacturers and product vendors is really what's needed.
Rachael: I like that. Sorry, I want to talk about the open-source software security roadmap, too, that you've recently been talking about. It sounds like a nice dovetail into open source.
Eric: That's exactly right. And I think open source is a uniquely critical and uniquely complicated aspect of this ecosystem, right? Because for proprietary software, it is fairly trivial for us either through guidance or through our shared role as customers to ask major technology companies to design and build software in a different way. It is a different proposition in open source. When in fact, we know that open-source projects that underpin everything we do every day across sectors are developed and maintained by volunteers without any expectation of compensation.
But who are under-resourced to actually put in place the investment in security that would be expected of a commercial provider. And so what our goal is through our open source security roadmap is to really act as a leading partner in the open source community, to figure out how we can drive resources to those open source projects that are most critical to government and critical infrastructure sectors.
Leveraging Intermediaries and Lessons from Cyber Attacks to Secure Our World
Eric: And then how can we look for points of leverage in the ecosystem? One area that we're really excited about working on is the intermediaries. The repositories, the package managers, are in fact how most organizations consume open-source packages and libraries. And we think that those intermediaries, as one example, could do a lot more to remove malicious packages before they're ingested, and to nudge developers towards the most recent non-vulnerable version of a given package or library.
It's remarkable, the percentage of versions of Log4J that are still being downloaded today; a lot of them are vulnerable versions. And that's why we can, as a society and as a community, do better. And so we think that both by partnering with the community, by supporting the developers and maintainers who really do heroic work in building technology that all of us rely on, but also by looking for points of leverage to drive positive change, we can make progress even in this uniquely diverse ecosystem.
Audra: So can we go from your strategic plans to talking about some of the biggest cyber attacks that happened during 2023?
Audra: So if we start talking about the June hack of MOVEit, the file transfer software, which is the largest breach so far this year, that impacted more than a thousand organizations and 60 million individuals, what, from that incident, are some of the biggest lessons that come out of that? In terms of, how has that changed your thinking? How has that influenced your strategic plans and things that you're working towards?
Evolving Threats and Lessons Learned
Eric: Yes. It is certainly the case that the widespread campaign targeting MOVEit managed file transfer applications had real impacts on a wide range of MOVEit customers. I think there are a few takeaways that we draw from that campaign. The first is the extraordinary speed with which adversaries utilize new vulnerabilities to execute intrusions. It used to be that there was a window of days, even weeks, before a new vulnerability would be exploited, at least at scale.
Usually, you'd see some proof of concepts trickle out, and you would see some initial intrusions, but it would be a bit before we would see a global campaign unfold. And now we're seeing these campaigns unfold in hours from the vulnerability being initially disclosed. The second is we are seeing adversaries, particularly ransomware groups, focus on very similar types of applications. This is at least the third campaign that the Clop group has undertaken targeting very similar kinds of applications, doing very similar things.
So I do think that that should cause us to reflect on how we harden those applications that we know are being targeted by adversaries rampantly. And if there were three, there would probably be a fourth and a fifth, where these kinds of groups look for other ways to monetize these vulnerabilities. And then I think the third, really, without speaking about the practices of any given company.
Again, this does take us back to our secure-by-design doctrine, which is: as long as humans are developing code, there will always be some flaws that we missed before production. But we know that we as a community can do better.
Holding Cybercriminals Accountable to Secure Our World
Eric: And we know that a lot of the vulnerabilities that are so prevalent, whether they're memory safety issues, whether they are issues like SQL injection, we know how to fix these vulnerabilities. And we've known in some cases for decades. And so I think reflecting on the practices of the vendors of who we are relying on, so ubiquitously should cause us to take a step back and make sure that we're driving incentives in the right direction.
Rachael: And I'll say, on this particular incident with the Clop group, I noticed that there's a $10 million bounty, so the US State Department put it out there, which I like, right? Because there has to be ramifications, there has to be accountability. And I know that sometimes, or a lot of times, that struggles, right? In terms of capturing the people who are executing these attacks, they live in the shadows. Or maybe they're in a country where it's acceptable for what they're doing and they're protected in that way. Do you see more of that happening in terms of accountability and bringing these folks in?
Eric: Yes, we have to figure out as a society, and really globally, how to increase costs for these adversaries. Because we know that these ransomware groups are seeking financial gain. It is really purely an economic calculation. And so the more that we can do to increase the marginal cost of a given attempted intrusion or a given campaign, whether it is by taking action against their infrastructure, seizing some of their financial gains, taking law enforcement action to actually take them out of commission, or improving our defenses such that their success rate per target reduces.
[14:32] Recovering and Rebuilding in the Quest to Secure Our World
Eric: Those are all steps that increase the marginal cost of a given campaign. If we can ratchet that cost high enough, at a certain point these groups are going to decide perhaps ransomware is not the most cost-effective type of crime to be involved in. And that's really the future that we have to build towards. But that really does require an all-solutions approach where we are focusing not only on defense, but also on activities that impose costs on these adversaries in other ways.
Rachael: Absolutely. Particularly when I think IBM had estimated that it's about 9.9 billion. Something around there is the estimated cost to those affected by this particular attack. It's kind of staggering that kind of amount.
Audra: That's huge. So talking on other kinds of areas more with a focus on how companies or large organizations recover from these kinds of cyber attacks. So they fell victim to two data breaches this year. Which compromised the personal information and data of about 37 million user accounts.
Rachael: Nope, I was one of them. I got a lot of notifications just saying
Audra: Excellent. You were like, I was breached. I was breached. Awesome. So Eric, how do you recommend or how are you recommending and laying out strategic plans on how to recover when these things happen?
Eric: Yes, without speaking about recovery from a particular incident. First of all, Rachael, I think you know well that we've in many ways normalized these sorts of letters. I mean, we all get them three times a year and we say, well, at this point, 2023, what do we do? That's just life in the modern era.
From Crisis to Opportunity
Eric: I do think that what we see increasingly is, sometimes, unfortunately, a crisis is the best opportunity for a company to really reinvest in and recapitalize both its security and resilience program. We know that ultimately cybersecurity is not a technical issue or a technical decision. It is a business decision. And where we see breaches occur, it is almost never because there was, at its core, a technical flaw. It is almost always a business decision, in many cases, at the time, a reasonable business decision, that led to a choice not to deploy a control, not to conduct security testing to an appropriate threshold on a product,
and not to deploy a security feature down the line. There are dozens of these, but what these breaches offer almost universally is a chance for the business to step back and say, as we think through how we prioritize and invest against the enterprise risks that we are facing, how do we think about cybersecurity? Unfortunately, because truly impactful cyber incidents are fairly rare, a fortunate fact overall, in many cases driving that business change by way of analogy, saying, see what happened over here?
It works to some extent, but in many cases it takes either a real near miss or an actual impactful breach to change that business culture. That's one reason why at CISA we are so focused on speaking not only to CISOs and their teams, which really is preaching to the very well converted, but also talking to board directors, talking to business leaders, talking to general counsel about what this risk looks like.
Navigating the AI Frontier
Eric: What the trend lines and the threats that we are facing really are, and how now is the time to really invest in cybersecurity as a critical driver of business risk and an enabler of business success, and not solely as a technical or IT issue.
Rachael: And do you think you can't escape AI right now? I mean, it's everywhere. And do you see that potentially helping people may accelerate some of that thinking? Everywhere I look, it's security and AI, security and AI, what are we going to do? How do we do it? How do you regulate it? It's just such an enormous threat factor that is kind of squishy, right? With no defined lines, if you will. And how do you secure against that, but also the regulations, right? Is that something that you guys are seeing kind of bubble up a lot today?
Eric: Absolutely. I think probably in every conversation any of us are in these days, AI comes in at least once, if not dominates the dialogue. I think, Rachael, you framed it as, how do we respond to the threats posed by AI? How do we regulate or address the harms? It's also the question of how do we benefit. So as a cybersecurity community, I think the challenge we face is, let's not let our conceptualization of AI risks be a failure of imagination, right?
Let's really think through not only what these models and tools can be used for today, but what they might be used for two years from now, five years from now, recognizing the extraordinary trajectory of innovation here. But also make sure that our operators, our defenders, and our analysts are fully benefiting from these tools.
Charting a Path to Secure Our World in the Age of Innovation
Eric: And already, even in the relatively early days of commercial AI solutions, we're seeing security tools adopt AI in really meaningful, impactful ways. And I think if we think through some of these strategic challenges, for example, for products with insecure code, well, AI can be maybe the only way to address that problem at real scale. And so I think we at CISA are certainly really excited about the security benefits that AI may have.
We are trying to work with the community to really think over the horizon about, well, today GPTs can be used to write better phishing emails. Well, that's great, but what's it going to look like two years from now? Let's think ahead of that. And so really making sure that we are leaning forward in the benefits of AI while being really thoughtful about how we manage the risks.
Rachael: I like what you said there. It does make me excited too, to think that this could be a possibility to help us maybe catch up to maybe the attackers, if you will. They always seem to be so far ahead. But I love the idea of shortening that gap between the two because ultimately, right, we want to get ahead of 'em. And I think there are just so many opportunities for AI. I'm really, really excited to see what happens. Yes,
Audra: So I'd like to jump off here and start talking a little bit about Cybersecurity Awareness Month.
Rachael: Yes. Did you know it's the 20th annual, Eric? I didn't realize. 20th Annual.
Audra: It's pretty
Rachael: I mean, Yes, it shows
Audra: You're in a long-running thing.
[21:45] CISA's Four Steps to Secure Our World
Audra: Cybersecurity is not going away. So as part of celebrations for the 20th annual Cybersecurity Awareness Month. This October CISA is releasing a new awareness program that shares four steps that people can take to be safer online. Eric, can you talk to us about that?
Eric: I most definitely can. First of all, Cybersecurity Awareness Month is really a great opportunity to make sure that we are not only talking within these same communities that we're always talking to. But we are actually reaching out to individuals across the country from every walk of life to make sure that they understand that cybersecurity isn't just a technical issue that their IT person will take care of. But something that really we can all focus on.
And so our goal with our Secure Our World rollout this October is really to focus on a few simple things that all of us can do. Steps like making sure that we're using strong passwords, ideally managed by a password generator; that we're using multifactor authentication, ideally the phishing-resistant kind; that we know how to, of course, recognize and report phishing emails; and that we're making sure that the software we're running is updated and that we have auto-update on.
I think one exciting piece here as well is that, because everything we do here is pushing security by design, we're also including a bit of an ask-your-vendor aspect to this. Because I think all of us, if we think through those four areas, one thing that will pop into our heads is, oh, my bank doesn't offer multifactor authentication. Or, oh, I want to use a strong password, but my doctor's office lets me use ABC123.
Secure Our World through Everyday Cybersecurity Practices
Eric: And those are all things that we need to drive a grassroots movement to say: if your provider is letting you use ABC123 as a password, if your bank or your retailer isn't offering an option of multifactor authentication, ideally by default, if you're using a product that doesn't enable auto-update, ask why. And if enough of us ask that question why, that's how we really drive a cultural change to say, I don't even want the option to use an insecure password.
I don't want the option not to turn on MFA. I don't want an option to have to worry about finding the silly auto-update radio button. And I want all that to be done by default every time. And the less that we can push down to everyday users and the more that we can have done for us, that's how we really get to that future where our world is demonstrably more secure.
Rachael: I like the speaking out part, I have to say, I have some doctors that send me links, text messages, links to pay, and I'm like, but you can't log into the portal to do it. You have to pay only through this link and text message. And Eric, I'm quite nervous to click on that link. So I think it's wonderful, right, that you absolutely have to have these initiatives because I think a lot of organizations think that they're kind of modernizing, but not really thinking about all the vulnerabilities that could come with that, right? But again, security by design. I love that. How do we make that just everyday standard practice in what we do?
The Secure Our World Campaign
Eric: And I think if we think even about multifactor authentication, for many people, hearing about a hardware token might be more than they're going to do. But having a soft token authenticator app on a mobile device isn't actually any harder than using SMS authentication. It's much more secure. And frankly, it is fairly trivial to implement.
And so we'd love to get to a world where there is just an understanding that if your provider, doctor's office, bank, what have you, isn't providing you with these features, they're not securing your information. And the more that we can drive that from the bottom up, we think that's going to drive some really important change.
Audra: I totally agree. I have to admit, I have like three, or actually no, four different authenticators on my phone for different services. But a lot of that's work-related.
Rachael: I love it. So I do want to be mindful of time. I'd love to talk a little bit more though about the Secure Our World Campaign. Because that sounds very exciting, what you're kicking off there. And it's kicking off what's in the next couple of weeks as we kick off Cybersecurity Awareness Month.
Eric: That's exactly right. And I think what we had a realization about here at CISA is Cybersecurity Awareness Month is great, right? It is our focus time, four weeks of the year.
From Moment to Movement
Eric: You really drive the message about the importance of cybersecurity across ideally every corner of our country and even around the world. But it's not enough. And we really need a sustained year-long campaign to keep driving the message. And so as you noted, this is kicking off in Cybersecurity Awareness Month. But it really is going to be our national-scale campaign, where our goal is to have that sustained message across different mediums, different audiences, different partners, to make sure that ideally we are not just making this a moment, we're making it a movement. Love it.
And we can keep driving not only that adoption of the right practices by every American, but also, as I mentioned, make sure that every American is asking the right questions and really conveying the point that you have a right to be secure. And if your provider, your vendor is not giving you that right, you should ask why.
Rachael: I love that. I want to end on that. It's not just a moment, it's a movement. I think that's fantastic.
Audra: I also like the fact that you have a right to be secure.
Rachael: I love that too. I don't know that people think that way.
Audra: They don't. I don't believe they do.
Eric: They absolutely don't. And I think to our prior point about all of us receiving these data breach letters once a month and throwing them in the trash.
The Secure Our World Campaign
Eric: We have normalized this environment of insecurity. And there is work that the government can do to help drive change. There's work that we can do to drive change through procurement. But really it's got to come from the millions of people who are using online services every day, to really understand that we could live in a different world. We could live in a world where we have more trusted security in the products we use every day. But to have that world, we have to ask for it.
Rachael: That's great. Take the power back into our hands to chart our destiny. I think that's fantastic. Well, Eric, thank you so much for joining us again on the podcast. This has been such a great conversation. I'm so excited for the kickoff of your campaign as well. I think it's such an important movement. I look forward to following it throughout the year and how it expands as folks get on the program, so to speak. Because this absolutely needs to happen. And it's such a great time to start making that happen.
Eric: And onto the next 20 years of Security Awareness Month.
Rachael: Exactly. It's an exciting thing where we're going to be in 20 years. So to all of our listeners, thanks again for joining us.
About Our Guest
Eric Goldstein serves as the Executive Assistant Director for Cybersecurity for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as of February 19, 2021. In this role, Goldstein leads CISA’s mission to protect and strengthen federal civilian agencies and the nation’s critical infrastructure against cyber threats.
Previously, Goldstein was the Head of Cybersecurity Policy, Strategy, and Regulation at Goldman Sachs, where he led a global team to improve and mature the firm’s cybersecurity risk management program. He served at CISA’s precursor agency, the National Protection and Programs Directorate, from 2013 to 2017 in various roles, including Policy Advisor for Federal Network Resilience, Branch Chief for Cybersecurity Partnerships and Engagement, Senior Advisor to the Assistant Secretary for Cybersecurity, and Senior Counselor to the Under Secretary.
At other points in his career, Goldstein practiced cybersecurity law at an international law firm, led cybersecurity research and analysis projects at a federally funded research and development center, and served as a Fellow in Advanced Cyber Studies at the Center for Strategic and International Studies, among other roles.
He is a graduate of the University of Illinois at Urbana-Champaign, the Georgetown University School of Public Policy, and Georgetown University Law Center.