Insights From The Cyber Front Line with CTA's Michael Daniel - Ep. 120

Episode Table of Contents

  • [00:41] Cyber Front Line and President of the Cyber Threat Alliance
  • [06:29] The Automated Side of What Cyber Front Line Does
  • [12:37] Have We Hit Rock Bottom
  • [19:05] Cyber Front Line Works to Impose Costs on Cyber Criminals
  • [28:02] A Combination of DHS and Law Enforcement
  • About Our Guest

 

Cyber Front Line and President of the Cyber Threat Alliance

Rachael: I couldn't be more excited for our guest today. Michael Daniel, CEO and President of the Cyber Threat Alliance.

Rachael: He spent 21 years in the federal government, he worked in Obama's administration cyber czar, serving as special assistant to President Obama. Cyber coordinator on the National Security Council, helping bring together government, companies, non-government organizations on cyber initiatives.

Rachael: Now, he’s with Cyber Threat Alliance. He helps in doing the threat sharing among organizations, which is so critical today. 

Eric: Michael, I'm excited about this one. I feel like we don't talk enough amongst each other. We all have this shared problem, but we just don't effectively communicate. Public-private partnerships, private private, the ISACs are about as good as we've gotten outside of the Cyber Threat Alliance. I'm really excited to talk to you.

Rachael: I was looking at your website today and Cyber Threat Alliance makes member companies more competitive, not less. When we can share information, it makes us all stronger. I think it’s such a great position to have. You look at something like the recent SolarWinds, Sunburst, supply chain attack.

Rachael: Just the cascade impact among enterprises and government organizations. It underscores the importance of threat sharing today and how we just have to make each other stronger.

Michael: Here’s one of the underlying theories there. What really provides a company the competitive edge in the cybersecurity market is not the raw data itself.

All the Raw Data You Want

Michael: That's because nobody has all of the raw data that you want. In fact, actually making the argument that, buy my stuff because of my data. It’s like saying, "Buy my product. Because my inadequate pool of data is bigger than her inadequate pool of data." Not a terribly strong argument. Instead, the real competitive advantage comes from what you do with the data.

Michael: The competitive advantage comes from the processing, the analysis, how you present it, how you interact with your customers. That's why we can make the argument from CTA's perspective that we're about enabling everyone to be more competitive.

Michael: Then the other advantage is it pushes the competition higher up the value chain so that's more valuable too. We want companies competing on what they do for customers. That makes the customer better off. It makes the whole digital ecosystem better off. Both encourages competition and makes the digital ecosystem better in the long run.

Rachael: I love that. Customers first.

Eric: How would you categorize the mission of the Cyber Threat Alliance? Is it really just sharing information across organizations? Or would you categorize it differently?

Michael: I’d say that CTA has really three missions that we try to accomplish. One of which is that we enable our member companies to better protect their customers and clients. First and foremost, we're a membership association. We're about enabling our members to do a better job at whatever it is their mission is.

Michael: But we also look at our mission as enabling disruption. How do we take the shared data that CTA has and better enable cybersecurity providers, governments? All sorts of actors across the ecosystem to better disrupt what the bad guys are doing.

There’s a Lot of Bad Cybersecurity Policies

Michael: How do we work together to actually impose costs on the bad guys? Third, we actually view ourselves as having a mission to improve the cybersecurity of the digital ecosystem as a whole. We also advocate for good cybersecurity policy because goodness knows there's a lot of bad cybersecurity policy out there. We try to advocate for good policy outcomes. But we’re also working with different industry groups, other nonprofits to strengthen the whole digital ecosystem.

Michael: We're really about those three missions. Now we use our information sharing as kind of the core of our operations. That's how we do those three missions, but we really view ourselves as having those three missions.

Eric: When you say information sharing, member companies will literally have the conduit, the ability, the legal protections. Everything to have researchers communicate with other researchers and share what they're seeing. What their customers are experiencing on the back end so that they can make better tailored, better-targeted products.

Michael: We talk about doing our information sharing mission in two different ways. One is our automated sharing. We operate a platform that all of our member companies contribute to. In fact, one of our business rules is that our member companies have to contribute to that. If you're a member of CTA, you have to be contributing automated threat intelligence.

Michael: That's primarily technical intelligence. Malware files, hashes and the binaries, URLs, domain names, U-texes, all that stuff and their associated context. MITRE ATT&CK phase or where did you see that indicator? What malware family do you think it belongs to? That kind of thing. We have all of that automated context.

The Automated Side of What Cyber Front Line Does

Michael: We actually share somewhere between 175,000 to 250,000 indicators a day right now, going through our platform. All of our members can then take the data that's been shared by all the other members. Take that back into their companies and incorporate that into their products and services.

Michael: That's the automated side of what we do, but you're absolutely right. There's also the human side of what we do. The researchers can come together and we convene them quite regularly to talk about what they're working on. What are they seeing? We also have a process where member companies can share pre-publication versions of blog posts.

Michael: Or research papers under embargo with other CTA members. So that they can give them a heads up about what's about to come out. Our members love that because it gives them usually a day or two lead time. To get ready for something coming out from one of our members. All of that is actually enabled by the Cybersecurity Information Sharing Act of 2015.

Michael: Along with our membership agreements and other things that provides the legal framework for all of the sharing to occur. It's really quite amazing to actually see all these competitors really get together to share in this framework. But to do that, we also make sure that we exclude certain things.

Michael: We don't talk about individual company's products, we don't talk about pricing. We don't talk about customers, we don't talk about customer info. All of that stuff is out of bounds for CTA. We work very hard to focus our sharing on the parts that are inbounds and exclude the parts that are out of bound.

A Front Row Seat for a Cyber Front Line

Michael: I would say that over the last few years, I've learned more about US antitrust law. I’ve also learned more about European antitrust law than I ever thought I was going to have to know.

Rachael: You've had a front-row seat for many years here at the cyber forefront. I'd be curious, being so close to it, especially seeing it at national and kind of global levels of cybersecurity. How would you say it's changed in just the last five to seven years if you will? It just blasted itself out exponentially. Has it always been this bad and we're just hearing more about it in the media today?

Michael: I think it’s getting more intense. If you really look at the issue, when I first started working in cybersecurity in the mid-2000s or so. We had to work really hard to convince people that it belonged in the boardroom. That it was a topic that was worthy of a strategic discussion.

Michael: Even when I started in as President Obama's cybersecurity advisor in 2012. There were still some people that were not entirely convinced for example. That it belonged in the White House situation room as a topic of discussion. I don't think anybody has that view now.

Michael: Clearly that's because of what has happened and how things have developed. If you look at how the world has developed, you begin to pick out some big trends that are driving that. One is we keep making cyberspace bigger.

Michael: We keep hooking more and more stuff up to the internet. I go back to when I first started in this and we thought that cybersecurity was wired desktops and maybe some laptops occasionally.

A Universe Where Cyberspace Is Just Enormous

Michael: Now it's your refrigerator, your car, your coffee maker, the doorbell.

Eric: Your lighting, everything.

Michael: It's your car, the industrial plant, the chemical plant down the street. We've created this universe where cyberspace itself is just enormous. It just keeps getting more and more enormous. It's also really easy for the bad guys to get involved, whether they're criminals or nation states.

Michael: Everybody's discovered that getting cyber capabilities are relatively low barrier to entry and for the criminals, it's pretty profitable. There's a big expansion there. The other thing I just say is, we've made ourselves more digitally dependent.

Michael: I think back to when I first started in government in the mid-1990s. If the network went down, we just did something else for the day. We worked on our non-networked computer. We’ve picked up the phone and we actually called people, we met with people in person. Now if the network goes down, your company or your organization is dead in the water.

Michael: We're both at an organizational and society level. We're way more vulnerable, way more digitally dependent. So anything that happens in cyberspace is now way more important. You combine all of things and I think that's why it has that feeling, that sort of exponential explosion. Because of all of those factors combined.

Rachael: You look at what we've had with the pandemic and remote work and everything that happened. We still had access to all of our essential services. But think about the cyber disruptions to come that we haven't really seen yet. They’re also kind of scary when you think about it, just hitting the right grid.

Have We Hit Rock Bottom

Rachael: You can knock out power and all these other essential services for folks. I know a lot of people ask, have we hit rock bottom? When are we going to hit rock bottom? Are we prepared for that day when it comes?

Michael: We're not anywhere close to that. It's not because people haven't been trying to think about it. There are different groups. You look at what the Solarium Commission has put together. There's also the New York Cyber Task Force out there. Some of its work, it'll come out later this spring, some of its work will focus on that. It's going to be very shocking to people when it finally happens. I suspect that it's going to happen in a way that none of us really are projecting right now.

Rachael: Things are going to happen and you can't change them. Looking at the current administration and you having worked in the Obama administration for so many years. You’ve had a front-row seat there, what's your perspective? I know Biden's made a lot of financial commitments for modernization and cyber initiatives for his administration. What could the next four years look like and the evolution of cyber from a national policy and strategy perspective?

Michael: There are a few different things that the Biden administration should really focus on. One is on the threat side. Clearly, we have to get our arms around the scourge of ransomware that has morphed. Essentially from an economic nuisance into a full-blown national security, public health, and safety threat.

Michael: We simply cannot continue on the path we're on with ransomware. So we're going to have to get our arms around that. That's going to have to be a policy priority.

Cyber Front Line Moving Into Actual Coordinated Operations

Michael: Beyond that, the administration really needs to think about how it does operational collaboration. How do we move beyond just information sharing between the government and the private sector? Then move into actual coordinated operations against the bad guys. Now you've seen this, we've got models for this. This is not completely novel.

Michael: We've been doing this for years. In fact, you just saw last week, there was some action against EMOTET. Some of that involved some private sector actors, but we really need to scale that up. So that it's happening at a frequency and at a pace that will actually impact the adversaries.

Michael: Then there's a whole set of things that the administration is going to need to do there, to build that out. To solve policy problems that exist in that space and to overcome some of the challenges there. That's a multi-year effort. We really have to be looking at what we want the standards of care and other things in the private sector to be.

Michael: What is our expectation of cybersecurity that companies and other organizations are going to have? We will probably have different expectations of Flo's Flower Shop versus Duke Energy. Or a major financial institution or some Aetna Health. We're going to have different expectations for those entities. But we really need to get at that point so that we can actually decide.

Michael: That will take a lot of issues off the table in terms of we don't want to re-victimize the victim. We don't want to provide a moral hazard for not doing cybersecurity. The reason we're in this dilemma is because we don't know what the right level of cybersecurity investment is.

A Step In The Right Direction

Michael: We need to work towards that, inside the federal government.

Eric: Do you think CMMC is a good step in that direction? At least as it relates to the DIB, and some of the companies that we'll be working with, DHS?

Michael: It's actually a step in the right direction. I'm sort of on the fence about certain aspects of it and how it's been implemented. The fundamental concept behind the Department of Defense is saying, "Look! If you’re going to supply us with products and services, some of which comes with embedded IT and software."

Michael: "Things like that, and some of which is IT and software. You’re going to have to demonstrate for us how you meet certain cybersecurity standards and levels." I absolutely think that is the right concept. Frankly, more of the federal government's going to have to move in that direction.

Michael: Then we can get into the debate about the level one, two and three. Is that all set correctly and so forth and so on? There's legitimate discussion among vendors and providers about how DOD is rolling that out. Those need to be dealt with, but I think the underlying concept is absolutely right.

Eric: We're talking about commercial industries.

Michael: You're going to see other companies, integrators and things doing that themselves with their own customer base. The other couple of things for the administration. One, they've got to continue down this path of consolidating cybersecurity services inside the federal government.

Michael: Modernizing the government's IT not just for cybersecurity purposes, but just so they can do service delivery better. Internationally, we need to focus on building up our ability to collaborate across international jurisdictions.

Cyber Front Line Works to Impose Costs on Cyber Criminals

Michael: To work together to impose costs on cyber criminals and work more effectively in that regard. To really rebuild some of our international alliances there.

Eric: I call it deterrence. We miss on the deterrence side quite frequently.

Rachael: Which is challenging.

Michael: It's incredibly challenging and there are countries with a lot of different capabilities out there. Whether you're talking about from a law enforcement standpoint or a cybersecurity standpoint. It's a very complex international environment. But it's definitely one that we've laid a lot of good foundations in over the years. We need to continue building on that.

Rachael: This might be kind of a lofty goal, will we ever get to something a cyber UN where there is this global cooperation? Given the amount of disruption that can happen from a cyber attack on any nation, to the community. To the global economy and what have you. Is there an ultimate end state that we could get to in terms of global cooperation? Or is that going to be just too hard?

Michael: I think we’ll eventually get to some norms of behavior. There’ll eventually be an emerging kind of understanding about acceptable uses of cyber capabilities and offensive cyber capabilities. You will always have the outliers who don't adhere to those. By and large, the international system will drive in that direction.

Michael: It's actually in most countries' interest most of the time to have the international system be stable. You will see that. One of the things that is very interesting is the US and the West in particular have a very binary view of war and peace, we tend to think either you're in one of those two states.

You’re Either At War Or At Peace

Michael: You're either at war or you're at peace and most other countries actually don't quite view it that way. They actually view it as a continuum of conflict. We have to get used to low-grade conflict in cyberspace in a way that we don't see on land or at sea or in the air.

Michael: Cyberspace is going to be a domain where there's some sort of low-level conflict almost always going on. It's putting some boxes around that so it doesn't sort of escalate into a broader conflict. That's going to be really important.

Eric: I think we're in that now.

Rachael: That's a very good concept.

Eric: Consistently.

Michael: I’d agree with that. I don't think that that's going to change over the near term. Part of what we're trying to do is put in place the international structures to contain and control that level of conflict. So that it remains manageable and doesn't become unmanageable.

Eric: From your time on the National Security Council staff, advising the Biden administration on cyber, what's the one thing you wish you could have gotten across or done that you just weren't able to do? Because the rules are so tough in this cyber world we live in. One recommendation, what would it have been?

Michael: When I look back, we accomplished a lot, obviously in the Obama administration. Really moved the ball way down the field. A few of the unfinished pieces of business that we had was one, improving election security. Because that really emerged very late in the Obama time.
Cyber Front Line Should Work With the State and Local Governments

Michael: I don't think we fully appreciated the impact of the digitization of our voting process. That the threat would go up there. So I actually have to give credit to people like Chris Krebs, Kirstjen Nielsen.

Eric: CISA.

Michael: All those that continued that forward and did really good work in that area. There's a couple of other areas where I wish we’d been able to really start to think about how we could have worked with state and local governments even more effectively. Because they are in a very weird position a lot of times. They're affected by many of the same issues that affect both the federal government and the private sector.

Michael: But they don't have nearly as many resources as the federal government. Having worked through some of those, we've made progress. Continuing to work through a lot of those issues with the state and locals are really important. Finally, this idea of the standard of care, that’s something that evolved a lot during our time in the Obama administration. But we still need to make a lot more progress on that.

Eric: When you talk about standard of care, can you articulate that a little more? What should we be thinking about?

Michael: It means, what is the minimum level of cybersecurity sort of activities investment that we would expect a company or an organization to do? You see this in a lot of other industries and it helps define your level of liability. It enables you to say, "If you have been providing a reasonable standard of care, and something bad happens. If something happens, you can't be held liable for that."

Not Meeting the Minimum Standard of Care

Michael: Sometimes that has to be adjudicated in court. The example I give is that we definitely don't want to re-victimize people. But if you manage to U-Store-It location, and you said, "Come store your stuff at my secure location." And some criminals broke in and stole things, still going after the criminals.

Michael: But if the customers then started looking and saying, "You said your place was secure. But you didn't have any fences. You didn't have any cameras, you didn't have any locks on the doors. Maybe you weren't meeting the minimum standard of care for a secure storage facility." Now, if all of that was in place and the criminals still broke in because they were from Mission Impossible 3 or whatever, well okay.

Michael: We've got to solve this issue. We don't want to re-victimize the victims. At the same time, there’s a level of cybersecurity investment we should expect companies that hold our data to have. It’s how you navigate between those two things is by defining that standard of care. You have that level of expectation of what we expect our companies and other organizations to do for their cybersecurity.

Michael: What is unreasonable for them to do? They're not going to be able to prepare to take on the Russians or the Chinese by themselves. But there is a minimum level that we should be expecting organizations to do in terms of cybersecurity in today's world.

Eric: Who should help them? Let's take Sony, for instance. North Korea comes after Sony, who should help them? Is that DHS, the local police, FBI, private?

Michael: I think it's going to be a combination of those things. There's always going to be a company like Sony.

A Combination of DHS and Law Enforcement

Michael: They're going to have private-sector resources that can help them. It's probably not the state or local government, but it is a combination of DHS and law enforcement. Primarily FBI on the federal level, that will be doing the investigation. Doing the assistance when you have a major incident like that.

Eric: What if it's not Sony? What if it's the local pizza franchise?

Michael: That's one of the key questions. How do we get more resources out there? To organizations that aren't going to rise to the level of a national security incident. That's where we need to begin to empower our state and local governments to provide those kinds of services. You're starting to see some nonprofits that specialize in that.

Michael: Things like the Cybercrime Support Network that are designed to help organizations. Help small businesses deal with cyber incidents more effectively. That's a piece of the ecosystem that we really need to build out. There’s that broad question of what I’m supposed to do if I'm Sal's Pizza Joint or whatever? Then I've been hit with a cyber incident.

Eric: You're used to pepperoni or extra cheese and now you're like, what's this ransomware? I don't really understand it. But I'm out of business. Sunburst, one to 10 scale. How significant is this as an event in our time here in your mind?

Michael: It's probably about an eight or a nine in terms of significance. But not for some of the reasons that people think. So far all of the evidence shows that that was an espionage campaign. A really sophisticated, enormously broad, really well thought out espionage campaign. So as a result, I think the impact for the government is eight or nine.

A Better Job of Managing Supply Chain Security

Michael: For your average, even up to large enterprise, maybe a five. Because the real impact is on those that were actually exploited. It was a very small number of organizations that downloaded the Trojan. Now I do think from a broader standpoint, it has an implication for supply chain security.

Michael: Thinking more about it, we were just talking about DOD and the CMMC. How you're going to need to do a better job of managing your supply chain security. But at the same time, I've been very clear with a lot of people. To say, "That is still, if you are," again, going back to Sal's Pizza Joint. Or even if you're sort of a Midwestern bank or a manufacturer somewhere in Montana or Washington state.

Michael: You're probably not going to run into a SolarWinds or a Sunburst actor. You're going to run into ransomware, you're going to run into a business email compromise. And you're going to be dealing with phishing. So what I don't want is for the entire cybersecurity ecosystem to over-rotate.

Eric: To Sunburst.

Michael: To Sunburst when in fact those other threat vectors are still way more common. They're going to impact way more people than the supply chain compromise. Now, if you're the federal government, you've got a whole different picture.  Or if you're one of those that's actually been targeted by that because of your circumstances, that's a totally different threat picture.

Eric: Different perspective.

Michael: It's why I think the industry as a whole does not need to over-rotate on Sunburst. Paying attention to it is really important, but don't over-rotate on it.

From Espionage To Sabotage

Eric: Now, I do think of some of the cloud security components that we're hearing about, the techniques. The TTPs that were used, I think will make us better. Regardless if you're Sal's Pizza or the federal government. If we switch Sunburst from espionage to sabotage, would that change your rating?

Michael: No. Then that goes off the scale. That's why I've been very clear to always say based on what we know so far. If we discover that there were in fact little presence left behind by the adversary given their access. That totally changes the picture of this. That’s why I don't totally drive it down, even for the ones that weren't affected by it.

Michael: The potential for using this kind of access to cause widespread destruction is very real and very dangerous. That's why we have to really be looking at that broader supply chain security. It's why I come back around to this standard of care. Things we expect pieces of our ecosystem to do.

Rachael:  That's a great point. We could dig into that topic of the standard of care for a completely another episode. That's a really great point you make and something that folks do need to start thinking about.

Rachael: You have a virtual panel coming up, some of the founders of the Cyber Threat Alliance. I’d love to give our listeners a chance to learn more about what you guys are going to talk about. When is this happening, how can they access it? Do you have any of those details you can share with our folks?

Michael: Coming up on February 17th and you can find the links and things on our website, cyberthreatalliance.org. It’s also on our LinkedIn page and our Facebook page. We try to cover the bases.

A Sort of Looking Backwards

Michael: What I'm going to be talking to some of the founders about is sort of looking backwards. Sort of what inspired you to actually take this risk of some competing companies. Saying, "You know what, we're actually going to try to do business a little bit differently. To actually collaborate in this area while still competing over here." 

Michael: What drove them to that. These are some people with some really important perspectives on the entire cybersecurity industry. So where are things going? Where are nonprofits like CTA going to fit in? That sort of thing.

Rachael: That's going to be great.

Michael: It should be a really interesting discussion.

Eric: I'd love to hear that, I will be joining that. For any of our listeners who are hearing about this, we will link. Just look in the show notes and you'll be able to register and join the event.

Michael: Absolutely, we'll be glad to have you.

Eric: I love looking into the future of cyber.

Rachael: Yes, with the crystal ball.

Eric: We need some help.

Rachael: Thank you so much, Michael. This has been an awesome conversation. Would love to have you back again soon. There's a lot more we could double click into. It's really exciting to hear all the great work the Cyber Threat Alliance is doing, the important work you're doing. We definitely look forward to the February 17th virtual panel.

Eric: Michael, if you could just fix the cyber problem for the world, we'd be very happy. Thank you, again for joining us.

About Our Guest

Michael Daniel leads the CTA team and oversees the organization’s operations. Prior to joining the CTA in February 2017, Michael served from June 2012 to January 2017 as Special Assistant to President Obama. He was the Cybersecurity Coordinator on the National Security Council Staff. In this role, Michael led the development of national cybersecurity strategy and policy. He ensured that the US government effectively partnered with the private sector, non-governmental organizations, and other nations.