A Focus on Resiliency with CISA’s Eric Goldstein - Ep. 130
This week we discuss why a focus on assuring the resiliency of critical functions is the cybersecurity path ahead. We’re with Eric Goldstein, Executive Assistant Director for Cybersecurity for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Eric also shares insights on executing CISA’s mission in today’s dynamic and exciting cybersecurity landscape: the criticality of prioritization and a risk-based approach to securing critical infrastructure, the role of visibility and continuous assessment in addressing today’s cyber landscape, and pathways to standardizing cyber breach disclosure across government agencies and businesses of all sizes.
Visit CISA.gov to learn more about CISA’s mission and programs as well. There are many professional opportunities to join one of today’s most essential frontline cyber defense agencies.
Episode Table of Contents
- [01:24] A Really Exciting Time in Cybersecurity
- [08:34] Partnerships That Allow Us to Scale Broadly
- [14:13] All Entities Are Trying to Drive Focus on Resiliency
- [00:00] The Trust Relationship of Organizations
- [29:04] A Good Place to Go To Focus on Resiliency
- About Our Guest
A Really Exciting Time in Cybersecurity
Rachael: Our guest today is Eric Goldstein. He’s the Executive Assistant Director for Cybersecurity for the Department of Homeland Security CISA. He too is vaccinated. Thank you so much for joining us on the podcast this morning.
Eric G: It's good to be here. I'm really looking forward to chatting with you both.
Rachael: This is a really exciting time in cybersecurity. You're coming back to CISA from being at its predecessor agency. Where to start really? There are so many huge things happening, huge expansive attacks, SolarWinds, Microsoft Exchange. The attackers are getting aggressive. How does CISA even start to figure out focus areas on how to move ahead?
Eric G: I really look forward to chatting about my agency's role in national cybersecurity. It is, as you note, a really exciting time; that's one word for it. We are certainly seeing intrusion campaigns of heightening scale and sophistication. These present a challenge for all organizations, big and small, federal, state, and local, and private sector.
Eric G: At CISA our role really is twofold in this area. It's to provide generally applicable services, best practices, assessments, guidance that all organizations can adopt. Because a truism that we're seeing across many of these intrusions is still cybersecurity best practices.
Eric G: Patching, demising end-of-life assets, using multi-factor authentication. These are still tried and true mechanisms that are effective in dealing with most, although not all, potential intrusions.
Enough’s Enough: It’s Time to Focus on Resiliency
Eric T: One of the things we see though, is most organizations still can't get basics down. Things like updating and patching and basic cybersecurity hygiene. At some point, do we say, "Enough's enough?" Do we say, "Look, this just isn't possible. There has to be a better way."
Eric G: It is a true statement that there has to be a better way. It's useful to think through why organizations are still struggling with these basic practices. It could be a problem of awareness, it could be a problem of resources.
Eric G: It could be a problem of prioritization. For each of those three areas, there's a solution set that we as a cybersecurity community can work through and drive. I think on awareness, we need to be deeply focused as a government on sharing alerts and warnings to make sure that organizations understand when to patch the most critical vulnerabilities.
Eric G: From a resource perspective, we need to figure out how to drive risk management investments across all organizations that allow them to take these basic steps. Where an organization is unable to manage their IT in a way that allows them to patch known vulnerabilities, then perhaps they shouldn't be managing their own technology.
Eric G: There are many highly capable third parties that will gladly take that burden off of a given company's hands. Then there's the aspect of prioritization where you have companies that are able to manage their own IT. But for whatever reason, they’re unable to prioritize these key measures.
Eric G: That's where agencies like CISA have a key role to play to arm CISOs and CIOs with the risk-based information they need to make the business decision to invest in cybersecurity.
Weighing the Bottom Line
Eric G: It may not be self-evident to non-technical individuals who are weighing the bottom line when deciding whether to invest in a given area.
Eric T: There's really not an easy answer to this. But we're just still struggling.
Rachael: The interesting thing is it's almost like you have to go back to the stone age in some regards. We were talking about it. One of the SolarWinds incidents, some company was so far behind in patching, they weren't even affected. They hadn't patched in three years or something like that.
Rachael: I know critical infrastructure is one of your big rocks as well. Do we just go back to where everything's manual and driven by a human? Which is so inefficient and not realistic. What's the answer ahead?
Eric G: We need to take a risk-based approach with thinking about critical infrastructure, because it is not the case for any environment that we are able to prioritize everything equally. That is not prudent investment, it is not prudent risk management. Anybody on the business side of a given organization will say, "This is not making the best use of our shareholder dollar, of our taxpayers' dollar, et cetera."
Eric G: From the point of view of critical infrastructure, it's critically important to begin with these questions. What’s the function or service that we are trying to provide? What are the critical technology assets that are essential to providing those essential functions or services?
Eric G: Once you have that conversation, once you identify what we call in CISA the high value assets, then you can prioritize both your security and your resiliency measures to best assure the availability, the integrity, and the confidentiality of those assets under all conditions.
Fully Duplicated Focus on Resiliency Measures
Eric G: There are certainly technology assets that are so critical to a given service or function. Perhaps you do want those to have manual failovers. And perhaps you do want to make absolutely sure that those are not accessible on the internet. Perhaps you do want to make sure that they have fully duplicated resilience measures.
Eric G: That if there’s a loss of integrity or availability, you still have confidence in the viability of that underlying service or function. But beginning with that service approach allows you to then figure out what's most important and how to prioritize scarce dollars for security and resilience.
Eric T: How does CISA look at that? You can't order, you can't mandate that a power company or a water plant protect themselves. Even look at the risk-based equation and say, "Let me understand prioritization as you talk about."
Eric T: Yet if they get popped by an adversary, there's a good likelihood that that ends up on your desks. How do you approach that from CISA, where you really have the responsibility at some level? But you don't necessarily have the control and power. Is it education or what do you do?
Eric G: It's useful to look at the levers of change in this space and what CISA can do. What our partners can do to drive investments and prudent cybersecurity, particularly across these critical entities. The provision of voluntary services, what we call the partnership model at CISA, is a critical element here.
Eric G: Our ability to communicate broadly through info sharing and analysis centers, through sector-specific agencies. You mentioned water, we work in close partnership with the EPA, with DOE for the energy sector.
Partnerships That Allow Us to Scale Broadly
Eric G: Those kinds of partnerships allow us to scale broadly in addressing the resource and awareness gap that we discussed previously, to ensure that these entities at least understand what to do. But we also know that that won't resolve the whole problem. It particularly won't resolve the resource challenge.
Eric G: Even if a company says, "I understand all the right things to do. But my security budget is X and you want me to do X plus Y. Something has to give." So we also need to work closely with our partners in the regulatory community, with our partners in state and local government and across the executive branch.
Eric G: To make sure that we're providing assistance, we're providing resources, including through grant funding where appropriate. We're having these business conversations with executives outside of the IT community.
Eric G: To help them understand that underinvestment or mis-investment in key security capabilities will actually result in greater impacts to their bottom line if an incident were to manifest, versus just under-investing in perpetuity.
Eric T: You left DHS in June of '17? You're now back. You were at NPPD before now, you're with CISA, which is the evolution if you will. How have you seen the landscape change not from a threat actor perspective necessarily. I do care about that, I know our listeners do but from the recipient?
Eric T: The organizations that you work with, the state and local governments, the private sector information sharing. How has that changed in the last four years almost?
Eric G: We're seeing a few trends intersect. Some of which are positive, some of which are less so.
The Importance of Cybersecurity and Increased Focus on Resiliency
Eric G: One of the positive trends is an increased recognition among organizations of all sizes of the importance of cybersecurity. A few years ago, cybersecurity was a priority for big companies. Certainly in the financial sector, energy sector, telecommunications, but with a lot of other sectors it was really much less of a focus.
Eric G: We’re seeing that really change, with both high-profile incidents and epidemics like ransomware campaigns. We are seeing that really raise the recognition of cybersecurity as a preeminent risk facing all organizations.
Eric G: At the same time, we are also seeing tremendous increases in the use of network technologies. Although somewhat of a buzzword, the real, avid adoption of the internet of things, moving towards 5G, moving towards edge computing. We are seeing a rapidly increased attack surface.
Eric G: Therefore we're seeing our adversaries develop techniques to compromise organizations that just weren't commonplace a few years ago. We're seeing more recognition and more investment, but we're also seeing the vulnerability space increase.
Eric G: The impact of compromises increases as more and more pieces of infrastructure are interconnected and come online. It's also worth noting that we're also seeing our adversaries increasingly mature and invest in their capabilities to compromise both critical infrastructure and government agencies.
Eric T: Organizations, in general, are adopting these new technologies, 5G, IOT, you name it. The attack surface is becoming more expansive and the adversaries are evolving also. Not a great ending to the story.
Rachael: But will we say necessarily the events in the last four years in the ratcheting up, if you will, is almost a blessing and a curse.
Why This Is a More Exciting Time
Rachael: Because what you’re saying and talking to business leaders, until something catastrophic happens they don't really want to invest in it. They think, "Oh, we're okay. It's not going to happen to us."
Rachael: But as we know, it's actually going to happen. That contributes to why this is a more exciting time, even though we're getting it from all sides. Everyone's recognizing this is something that we have to really address. I read an interview that you did with Federal News Network.
Rachael: I really liked how you outlined some of the four focus areas for CISA ahead. Looking at zero trust principles and getting away from this perimeter-based approach. But looking at the network, endpoint, servers, workstations, I love that you're leading by example, showing the path forward. Is this how we're going to get ahead of the threat?
Eric G: I think so. If we think about a few principles that as a country, we are already moving towards in cybersecurity. Certainly CISA is doing our part to catalyze and accelerate.
Eric G: One is this focus on visibility, on getting visibility at every layer of a network stack. So that we can rapidly identify adversary activity and possible intrusions. Ideally very shortly after an intrusion occurs, and certainly before lateral movement, exfiltration, or other damage occurs.
Eric G: This is really important. Because what we have learned over the past decade of cybersecurity is we are not going to block every intrusion at the perimeter. Those days are over in cybersecurity. So really what we need to focus on are first of all, these layers of defense. Then also this move towards zero trust architecture is where we're focusing on protecting assets.
All Entities Are Trying to Drive Focus on Resiliency
Eric G: Protecting accounts, and moving towards more of a micro-architectural paradigm. Where even if an adversary makes it into a network, we strictly limit what they're able to access, how they're able to move about, and most importantly, the damage they're able to cause, or the data they're able to steal.
Eric G: This visibility focus is one key priority that entities are trying to drive. Another aspect, building on one of your questions earlier, is this focus on resiliency. This focus on figuring out at the end of the day, technology is an enabler. Technology is not an end in itself.
Eric G: Technology is used to provide a service, provide a capability, offer a business offering. So figuring out what we use technology for and how we protect the most important technology assets in a way that lets the business keep running. Let the agency keep running, keeps the power and the water still on, those are critical aspects to focus on.
Eric T: I've seen a huge uptick in zero trust in the last probably two years. The message, the concept is getting out there. What I'm not hearing people talk about yet is resiliency. I'm not hearing them talk about visibility. I almost called it SolarWinds, I'll call it UNC 2542, that's the number at this point. So many names, holiday bears, we'll go with that.
Eric T: We had that and so many organizations are still trying to figure out what happened. Talking about that visibility and that resiliency component. I'm not hearing government employees necessarily talk about that, a little bit on the risk side. But zero trust is certainly top of mind.
Everybody Wants Zero Trust
Eric T: That's because it's coming from the top down. Everybody wants zero trust with the generals, the admirals. The heads of agencies are talking about it, so therefore the organizations are aligning right behind zero trust. I'd love to hear a little more on visibility and resiliency because I think you're right.
Eric G: Certainly in some ways zero trust has been the focus of a lot of really thoughtful standards development and proof-of-concept development and architectural work, of course led by companies like Google originally and now adopted far more broadly.
Eric G: Looking at how we achieve this full environment visibility. How do we move to this functional resiliency? I think there is great work being done there as well. Particularly on the resilience side, that's a really challenging problem. It's a problem that is going to require levels of investment that we frankly haven't necessarily fully conceived of yet.
Eric G: And also move us outside of just looking at IT investment. Because if you're talking about functional resiliency, that might mean changes you have to make to your business processes or to your physical plant, outside of what you can do in an IT environment.
Eric G: That is absolutely critical, particularly for these kinds of essential services. But it does broaden the conversation in a way that we haven't fully seen manifest yet in most areas.
Eric T: Well it's a much more difficult conversation to have.
Eric G: That's right. Although in some ways, it's the conversation that we should be having.
Eric T: We need to have the right conversation. It's just, you can't have an IT person or an InfoSec person make a decision. Now we have to involve other members.
The Right Way to Go Is to Focus on Resiliency
Eric T: We have to understand the business better. It's the right way to go I think which I haven't seen a lot of that over my career. So we need to evolve.
Eric G: That's right. The one thing I'd add there is that it’s also how we should be doing cybersecurity in general. We should not be thinking about cybersecurity of course as an IT function. We should be thinking about cybersecurity as a risk management function. If you're going to have an effective cybersecurity risk program, it needs to involve, if you're a private company, the lines of business and the legal department and the communications department.
Eric G: Really the full portfolio of groups in that company so you can actually drive the change that you need to seek. We see the same thing in the federal civilian government where our cybersecurity programs can't just be the IT teams.
Eric G: They need to also include the mission delivery teams who are delivering services to the American people. To make sure that we are able to achieve our shared goals of ensuring efficient service delivery that's done in a secure manner. You really can't effectively separate those two.
Eric T: I want to switch it a little bit on you, but same line of talk. Have you seen a change with Sunburst? I'm going with a different name and the HAFNIUM Exchange attacks of late. Have you seen a change in thinking at the CISA level on how we approach the problem set? Or are these just grave attacks to the country, to the infrastructure? It's really the same old problem just on a larger scale.
The Risk Management Challenges We Faced
Eric G: These attacks have illuminated a lot of the risk management challenges we have faced as a cybersecurity community for years. If you survey practitioners in this space, you will probably not find a person who says, "Oh, you know, we didn't think this was possible. This is something that we hadn't thought of before."
Eric G: There's nothing inherently novel here, except that it just catalyzes known areas for improvement that all organizations have long confronted. What it has done is catalyzed some real attention. Cybersecurity was always going to be a focus area for the Biden-Harris administration.
Eric G: These campaigns have really just accelerated and catalyzed that critical focus area. We are seeing similar focus on Capitol Hill and similar focus in the private sector to really now invest with urgency in some of the key changes that we've known were needed for quite some time.
Eric T: But it almost gives us a monument or a pivot point to say, "Hey, we had Sunburst. We need to do something."
Rachael: I do like your point about how the administration is looking at investments in this pending executive order on breach disclosures. How is that managed? Because this is starting to get into really meaty topics that we have to address. As we've seen with these huge supply chain attacks and again, the criticality of visibility.
Rachael: How do you determine the thresholds though for some of these breach disclosures? Or how do you get to something that works for everyone, if that's even possible?
Eric G: Looking at how an organization understands the IT risk posed to its supply chain.
The Trust Relationship of Organizations
Eric G: It could be the software and hardware that it's introducing into its network. Or it could be the trust relationship that a given organization has with a vendor or other third party. It’s really critical. Part of that relationship and part of that risk management process needs to be what kind of information a vendor or a third party needs to disclose to their customers.
Eric G: Right now, that’s asymmetric across organizations. When I've worked previously in the private sector, there were thresholds that were defined sometimes at a business level, at the level of an organization. Or even by a sector that would say here are some best practices.
Eric G: Understanding, first of all, the key for all organizations to be receiving information on incidents and on vulnerabilities from their vendors, to understand the risk that third parties are introducing to the customer network. Then, to the extent possible, standardizing what those disclosure data elements look like.
Eric G: It's a prudent risk management process for all entities to adopt, the government included. Certainly there are levers that the government is thinking through to allow us to implement that sort of a process going forward, to the extent that a given agency hasn't already gone down that road.
Rachael: Every agency is going to approach it differently anyway, depending on where they sit. DOD is going to be much different than say health and human services.
Eric G: It's sort of abstracting a little bit. There’s probably a common set of best practices for third-party risk management. Obviously there are plenty of standards and guidance out there on this point. There's probably a baseline standard of due care most organizations of significant cybersecurity maturity should be thinking through.
A Unique Mission Element
Eric G: Outside of baseline practices, there may be a unique mission element for a given organization. Because of the service they provide, the data they hold, the relationship they have with their vendors. They might need some additional layering on top of that baseline.
Rachael: That makes sense. I like getting to a baseline, starting from the same place.
Eric T: Do you think it differs, small versus large agency, or really the principles are pretty common?
Eric G: The principles are likely common across all organizations. I don't think there’s a deeply unique government aspect here. All organizations that utilize third-party IT services or vendors bear some degree of risk to their networks and their infrastructure.
Eric G: For those trust relationships, that's an inherency. Thinking through, are there standard practices that should be adopted by all organizations? The answer may be yes, the challenge would be how are those best practices implemented.
Eric G: Do all organizations have the resources to actually execute a third-party risk management program to protect their networks? Is there some heterogeneity there where, for small and medium and large organizations, even if the principles are the same, the way they implement them is different?
Eric G: Similarly, because of their capacity to actually internalize that due diligence, is there a way to actually have a third party, have the vendors, do that for them? There are different models there that scale differently for various sizes of organizations.
Eric T: If I ran a small business these days or even a small organization of any sort, I’d just try to find an MSSP and just outsource it. I wouldn't want to deal with it. I'd be like, "Here, you deal with this problem. Keep me safe." That's a tough challenge too.
The Focus on Resiliency Is a Tough Challenge
Eric G: It is a tough challenge, but there is a real argument. We spent the last half hour discussing how hard cybersecurity remains in this environment. Certainly, every organization should not be held equally responsible for securing their own networks. Especially if they don't reasonably have the resources, the capacity, the workforce to do that.
Eric G: Within CISA, one area that we're really focused on going forward is providing cybersecurity shared services to other agencies. It follows that exact same model. A small agency likely doesn't necessarily need to provide its entire cybersecurity program. There are likely efficiencies to be gained from CISA providing certain shared services to other agencies. That's a model that is generalizable across organizations.
Eric T: When you say that, are you talking predominantly EINSTEIN, CDM, group F and efforts like that?
Eric G: It's a bit broader. We have some authorities, provided particularly in a bill from Congress last year, where we are able to provide a broader spectrum of shared services. We are now on the roadmap of finalizing what those will be. But certainly, this is a growth area for CISA that we feel will yield real advantages for federal civilian agencies.
Eric G: To the extent possible reduce the need for some of these smaller agencies to manage their full cybersecurity program. CISA may be able to do it more cost-effectively and more efficiently.
Eric T: Let the agency get back to what they need to do. Knowing they're better protected than they would be if they had to do it themselves. That's a great idea.
The Exciting Breakthrough Happening For Cyber
Rachael: You have been on the cyber front lines for a really long time. You've been in the private sector, you've been on the public side, so you have a really good perspective. I'm always interested in the next five years. What's that exciting breakthrough that you could see happening for cyber and turning a corner if you will? What do you think that would be?
Eric G: The breakthrough that I’m looking to see is this focus on ensuring resiliency of our critical functions. I'm just going to fall back on that. The reason I say that is because for many of us in this field, the aspect of cybersecurity that keeps us up at night is the possibility of a cyber attack.
Eric G: Causing the destruction or the change in a physical function that results in loss of life, that results in injury. It is of course terrible when sensitive data is stolen that can have tremendous harms to its victim. We want to limit data loss to the extent possible. But that is still a limited risk when compared to a cyber attack on a critical infrastructure.
Eric G: That, again, could manifest with life safety or public health implications. So moving towards a model where we are really looking carefully at our most critical functions. We're figuring out which technology assets are most critical to these functions upon which American lives depend.
Eric G: Then ensuring that we have these security controls built around these functions to offer a reasonable sense of security. Then move the focus on resilience so that we can ensure these functions remain viable even if targeted by an adversary. That is the trendline that I'm very excited to see continue in the years to come.
A Good Place to Go To Focus on Resiliency
Eric T: That would be a good place to get to if we assume the breach. If we assume that it will never be perfect. Because the adversary has most of the advantage. How do we become more resilient? So that we will continue the mission regardless of what that mission is when breached, when attacked?
Rachael: Thank you so much for the awesome work that you guys are doing at CISA. It's such an important agency and your mission is so critical today. Particularly today and ahead, so thank you for all the awesome work that you guys are doing.
Eric T: We need more CISA these days to protect the country and the organizations and our people.
Eric G: I couldn't agree more. Big thanks to you both for the work that you are doing in spreading the word and having these important conversations. I’ll also put in a plug on two fronts: for organizations interested in learning more about the services that CISA offers free of charge, please do visit CISA.gov. And also for anybody currently in or entering the cybersecurity workforce.
Eric G: Those who are interested in an extraordinary national mission, we are focused on hard issues. We’re protecting our federal government and critical infrastructure from cyber threats. We would love to have more folks join our team, and we are always hiring and CISA.gov is the place to go. So hopefully we can find some more folks to join our already awesome team.
Eric T: CISA.gov, or do you go to USA jobs?
Eric G: CISA.gov is probably the easiest starting point, there will be links there to USA jobs. But CISA.gov is our single portal to learn more about what we do and opportunities that may be available.
The Economy’s Coming Around Again
Eric T: The economy's coming around again. There are amazing jobs open at CISA.gov. Go there and help protect this country from our adversaries.
Rachael: Have an awesome time working on the coolest stuff at the front lines too. Let's be honest, that's where you want to be.
Eric T: Talk about a mission. I could work at the local tractor supply store or I could protect the country and our people. I'm going to CISA.gov. You're hiring across the country?
Eric G: We are hiring across the country. We’re looking for a highly diverse and highly qualified workforce that can help rid America of these kinds of threats.
Eric T: I'm in Kansas City or I'm in Missoula, it really doesn't matter. Wherever I am, I go there and probably there are jobs local to me. I can work remotely in some cases, a lot of opportunities.
Eric G: We've moved urgently towards a highly flexible workforce, accelerated, as with most organizations, by the pandemic. Wherever you live in this country, please look at what we do, consider joining, it is the mission of a lifetime.
Eric T: That's going to make a big difference in the world. You don't have to be in Washington DC, you don't have to be in these big cyber centers necessarily. But you can work more remotely. That's going to get more of the workforce in to help us with this workforce shortage problem. Thank you so much for your time, we really appreciate it.
Rachael: Thanks everyone for joining us for this week's episode of To The Point with Eric Goldstein. Please subscribe to the podcast; it will get delivered to your email inbox every single week on Tuesdays. Until next time, take care.
About Our Guest
Eric Goldstein serves as the Executive Assistant Director for Cybersecurity for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as of February 19, 2021. In this role, Goldstein leads CISA’s mission to protect and strengthen federal civilian agencies and the nation’s critical infrastructure against cyber threats.
Previously, Goldstein was the Head of Cybersecurity Policy, Strategy, and Regulation at Goldman Sachs, where he led a global team to improve and mature the firm’s cybersecurity risk management program. He served at CISA’s precursor agency, the National Protection and Programs Directorate, from 2013 to 2017 in various roles, including Policy Advisor for Federal Network Resilience, Branch Chief for Cybersecurity Partnerships and Engagement, Senior Advisor to the Assistant Secretary for Cybersecurity, and Senior Counselor to the Under Secretary.
At other points in his career, Goldstein practiced cybersecurity law at an international law firm. He led cybersecurity research and analysis projects at a federally-funded research and development center. He’s served as a Fellow in Advanced Cyber Studies at the Center for Strategic and International Studies, among other roles.
He is a graduate of the University of Illinois at Urbana-Champaign, the Georgetown University School of Public Policy, and Georgetown University Law Center.