Optimism For The Cyber Path Ahead?! - Ep. 124

Hacker turned lawyer. Professor. Geologist. Policy influencer. Just a few words to describe this week’s guest Evan Wolff, a partner in Crowell & Moring’s D.C. office and Co-Chair for the firm’s Privacy and Cybersecurity Group. After a career spent in cyber risk management and helping organizations through more than 1,000 breaches, Evan shares why he is optimistic for the cyber path ahead as well as insights around collective defense, re-victimization of companies after a breach, the new administration’s cyber focus, recent discussions on reporting and notification, efficiencies of a national data breach law, and the criticality of incident response plans.

Episode Table of Contents

  • [00:42] Evan Wolff’s Contribution in Our Cyber Path
  • [05:08] What Will Make Us Better
  • [13:01] Major Versus Minor Espionage
  • [15:37] Three Central Parts of a Playbook
  • [21:19] A Source of Optimism in Our Cyber Path
  • [34:22] A Need To Create a Better System in Our Cyber Path
  • About Our Guest

Evan Wolff’s Contribution in Our Cyber Path

Rachael: We've got Evan Wolff with us here. He's a hacker turned lawyer, professor, geologist, and spent a career in cyber risk management. He's worked on more than a thousand breaches and he's currently a co-chair of privacy and cybersecurity at Crowell & Moring in DC. And I couldn't be more excited for the discussion to come Evan.

Evan: Thank you so much. I'm super honored and excited to be here.

Eric: Evan, I have to ask, how do you feel about sleep?

Evan: I'm not a fan. It's optional. I get, we have to do it every now and then.

Eric: I mean, this bio is incredible. And you were part of the cyberspace Solarium Commission Report, right?

Evan: Yes. Well, I mean, I wasn't a part of those, I was a senior advisor and played a very minor role, but I'm super proud of the report itself and really the path forward. And I think given that we're at the beginning of a really exciting time for the Biden administration and the Solarium Commission itself and the commissioners that have won Montgomery, have been so effective at actually turning the recommendations into law. I mean, over half of them are now via the national NDA have actually been instituted. It's such an amazing time and process. So I'm super excited about that as well.

Thank You, Evan

Eric: I'm just going to start by thanking you. We had the Senate Intelligence Committee held a hearing with Kevin Mandia from FireEye and George Kurtz from CrowdStrike and Brad Smith from Microsoft and Solar Winds’ new CEO. I watched it yesterday, about two hours and 45 minutes. And I was just in the dumps. I was like, "Argh, we're better than this." And just in the prep, you brought me out of my funk. So I just want to say, thank you. Rachel show back to you. We can go on, but I just wanted to say thank you, Evan.

Rachael: I think that's a great point because I was going to say that as well. For as long as you've been in cyber risk management in the cyber world and the front lines of everything cool that's happening, but all the scary stuff as well, you still have a positive outlook. And I want to double click into that. I know people have said what, "Five years we could solve this thing." That's my dog. But, I mean really when we look at the road ahead and you're feeling good about it. I mean, what do you see in the next 10 years? How are we going to turn this corner?

Eric: Yes, how are we so positive?

Evan: My wife would say it's pure ignorance, it’s bliss on. As my therapist turned wife. But really, I think it's because I've seen the change over time. I mean, I started my career in government and then working at Mitre and in the early 2000s. And I've seen, everything we've done from how we think about network security and how we think about defense and offense to really how amazing the tech community has been. I mean, five years ago we were really talking about EDR and we didn't have sort of all the security solutions we have now agreed.

Things Could Always Be Worse in Our Cyber Path

Evan: We need a lot of evolution for them. But also, I think I will credit happily my father who was a Holocaust survivor who grew up in Germany and then in the ghetto of Shanghai. He just always taught me that things could always be worse and he spent his whole career working for the government. And so, I do genuinely believe that while I don't think there are like friends that say we'll solve cybersecurity security in the next five years.

Evan: I don't know if Sounil Yu is quite right on that. But we will be able to manage this better, and that's part of my day job is helping companies think of this, not as some exotic pet at a zoo. But really thinking about it more as, a CISO is no different than a CFO. And that they have risk and they have tools to manage the risk and they have an accountability structure and governance and we need more standards. And then we need to think about what role technology plays in that.

Evan: But it's that evolution of that process that I'm hopeful about and I've seen progress. I see how companies respond and not that we want to, so it's like some bad starfish thing where we're going to have every company be hacked in order to get better at it. But there is a lot of that going on.

What Will Make Us Better

Eric: So which components do you think will be most impactful to making us better? Because my career I've seen, it's just getting worse. We were getting better, but we're not getting better fast enough. I always quote Bruce Schneier on that. "We're getting better, but we're getting worse faster." Because the adversary keeps advancing. What areas do you think are going to be really impactful?

Evan: I completely agree with Bruce and may even have stolen this line from him that, "Offense is much easier than defense." 

Eric: A million times, right? You gotta try and try and try. There are very few risks. So much easier.

Evan: And as we saw from the SolarWinds supply chain attack, focusing on the last three words in the description, it is going to be easier to attack large enterprises, especially as we've seen recently. But what I'm hopeful about, and where I think we're going to get better at is I never played soccer, but I'll use the bad analogy of the midfield. Because we are really good at offense, and we have really good defensive capabilities.

Evan: What we don't have is that sort of collaboration in that midfield in the middle. Even though I really don't know what a midfield does. I do know having worked on both sides that we need defense. It can't be just companies working on their own, looking inside their network. 

Who Do We Go To When There’s Attack in Our Cyber Path

Evan: The government looking at the C2 and the infrastructure outside of the network. And then we have sort of an offense in some gray fuzzy box. We need to shrink the battlefield so we have people working together in real-time. And I see like glimmers of that in some incidents I work on with government where we either get notified or where there's sort of some sort of operational collaboration or collective defense. But if there's one thing I've really thought about for the last 10 years, it's how do we sort of operationalize the concept of collective defense or operational collaboration or use one of those terms.

Eric: And that's a challenge, right? There's really nobody responsible, nobody in charge. When somebody attacks an American organization or whether it be a government organization or company, who do you go to?

Evan: I go to the CEO or the general counsel because I work for a company. So there is someone in charge of the company.

Evan: I think you guys work for companies as well. I mean, we all have bosses.

Eric: Fair point. But when they get breached, like who does the CEO go to?

Evan: Well, he goes to the board, if it's a publicly-traded company.

Eric: Fair enough.

What We Need to Focus On

Evan: But I'm making the point that one of the pieces that we really need to focus on is governance. And governance isn't like just what does information governance in our world means. Who does the CISO report to? Whether it puts the lawyer or the CIO, which is like the raging debate. 

Evan: But really for me, governance means having worked at the Department of Homeland security and now worked in industry is really how do we all work together.

Evan: And I think to Eric, your actual question, not my smart ass version of your question is, how do we actually fix that governance piece. And we need to reassess sort of roles and responsibilities. I think that's actually one of the great gifts of the hearing on Monday that you referenced is that there's a bill or there's a discussion of legislation around notification. Governance needs to start with notification. The government needs to sort of have better visibility into what's happening.

Evan: And then from that visibility, we need to have better tools and operational capabilities for industry and government to work together. And right now they need to get together in a way that doesn't victimize or treat companies more poorly than they already are treated.

Who Is in Charge in Our Cyber Path

Eric: Yes, that government-industry partnership that bi-directional communication. There was a ton of discussion about that. I've been involved in a lot of discussions. I've seen a lot in the industry we've been asking for it for years. I think it was Kevin Mandia and George, one of the senators was asking some questions almost to the extent of, and I'm paraphrasing here, like, "What are you guys going to do about this problem?" And the response I got, and I'm watching this at midnight last night for two and three-quarter hours or whatever. But they were looking back like, "What do you want me to do? I do incident response. I sell cybersecurity tools."

Eric: And I'm thinking about it from a tool provider perspective. It's like, I can give you the tools, but I can't make you use them effectively.

Evan: And that's the promise that the recommendations of the cybersecurity solarium commission report, or actually tomorrow, I'm a part of the New York cyber task force. We have a report coming out that says, some things in this space as well, that, we need to create better roles and responsibilities. That's what industry and every company is focused on right now in the cyber privacy area, creating a level of accountability. So, one of the first incidents I worked on at the end of it there was a conversation between the GC and the CEO. And the short of it is, and there was a much better discussion because they both had very strong Southern accents was, who's in charge. And the CEO turned to the GC and there was a question of what, I'm not really sure.

We Have To Clear the Decks

Evan: And so then after a minute of silence, the GC said, "Well, I guess you are in charge." to the CEO and chairman of the company. And to which the chairman said, "That's not a very adequate answer. Let's fix that." And so, we sort of have that same problem in government and industry. So CISO clearly is going to be taking a more dominant role. They’re now an operational entity. Thanks to the hard work of Suzanne Spaulding and Chris Krebs and all the hardworking people there.

Evan: So we actually have an agency that can take some leadership. The FBI and the intelligence community are going to play a very important role in the notification process. But we have to sort of clear the decks in terms of who is responsible for this, how the notification works. And maybe we need to do it at the sector level. I mean, DOD has done a very effective job in both the notification piece. Using the DOD regulations, the 70/12 clause or the safeguarding rule.

Evan: And now with the Cybersecurity Maturity Modeling Certification or CMMC, they really have created very clear governance, and maybe we need to replicate that to other sectors. Like in the energy sector and transportation.

What Will Rachael Do

Eric: I think so. I mean, Rachel, you work with the CEO of Forcepoint quite a bit. And I know you have over your career. I mean, being in the position you're in, in PR, I mean, if we were breached, you would have a pretty prominent role in what to do, what we say. I'd love your thoughts on this Rachel. Not only think about how you're going to hunt on your networks, how you're going to protect your networks, but really put a plan in place before it happens on how you're going to communicate. Who you're going to reach out to.

Eric: So when that happens, you pull the SOP out of the old proverbial filing cabinet, whatever that is these days. And you say, "Okay, we've been breached." We're going to notify CISO, this person's going to call FBI. This is what we're going to do. The operational commander to your point Evan, who's in charge is this. I think a lot of organizations figure that out after they've been breached on the fly because they have to. Agree or disagree. You disagree?

Rachael: I agree.

Evan: I disagree, but I'll let Rachael go first.

Rachael: Well, interestingly enough, a few years ago we did this kind of play with the BBC and it was just on this thing, a theater. And all the different roles that have to be played with the CEO, the CFO, your CISO, your comms person, your security engineers. And you just been breached, what happens. We created this whole theater and it was built on that premise that most people don't have this incident response plan, or they don't have the phone tree updated. 

Major Versus Minor Espionage

Rachael: So maybe they made it four years ago. "Ah, it's good enough." And then people leave, so it's got to be a living, breathing document. And a lot of people just until something happens, then why spend time on it? I mean, that’s what I've seen.

Eric: A lot of the clients I work with, I don't think would even be able to categorize a major versus minor activity.

Eric: Like obviously something massive they would know. If all the computers go offline, they got a problem, they know. I don't know if they'd know how to communicate with anybody if the computers go offline. But major versus minor on espionage or something like that, I don't know that they would even know how to differentiate the two, let alone the escalation process and what to do certainly outside of the company. But Evan, I saw you shaking your head. So to talk to us.

Rachael: Yes.

Evan: I guess I'll key on Rachel's point she said, a few years ago when you did that. I think a few years ago, I would agree with you that there were a lot of instant response plans or playbooks. There were a lot of run books that certs used at companies. And so, having started off life and that sort of cert role, I mean, that's a really important process. But, I think, and I'll be completely biased here because this is what I do for a living.

We Need a Playbook

Evan: We put together incident response plans that have been involved in over a hundred, probably closer to 200. Putting together 200 plans for companies. So, putting together that playbook in sort of the group of lawyers, I work with DNA because in every incident I work on I have a standard set of opening questions or comments that I make. And the first one is, do you have an instant response plan? And then I follow up with great, what page are you on? Because if you aren't opening it up and reading it, then that's not very helpful. If you don't have one, then I take over the process. Then maybe we can talk about the other comments.

Eric: Without pointing anybody out of course, do most have one and it needs to be improved upon? Or most are like, "We're not even sure where to start. That's why we hired you, Evan."

Evan: Well, I mean, it's still half and half, I would say. But increasingly, companies and it's not just sort of companies waking up one day and saying, "I've listened to this awesome podcast that Rachel and Eric have. And so now I've decided to make the most important thing I do." But to be honest, it's not the CEO waking up one day and having religion on it. It's the board, it's the general council. It's the CISO realizing that after some of the litigation that the best defense a CISO has is to have an in-store response plan that identifies these pieces.

Three Central Parts of a Playbook

Evan: And so there's this funnel of nervous energy that is going into companies that are requiring them to develop an entire response plan and playbook. And at the end of the day, they're actually a pretty simple document as we said. There are sort of three central parts to it, assigning roles and responsibilities so we know who's in charge. Because sometimes especially for global companies that I work with a lot, the CISO isn't the one who's going to be the incident commander. It's going to be someone who actually is trained in incident command and knows what NIST 863 is and things like that.

Evan: And then second is, there's going to be an incident classification system. Because as you said, Eric, that's the most important. That's the heart of an incident response plan. Whether you have a set of zero through five or say, one through three or whatever the system is, do you know what a bad day in the office is from. This is a bad year and this might impact our stock value. And then do you have an escalation process. So who gets involved, how does this go from a call to ask or something we're working on and help desk to we are notifying the board, and we're going out to the SEC and we have a holding statement and we're in a blackout on our stocks.

Evan: If the one-on-one is just having the plan in place, the evolution, and most companies do annual reviews of it. I do a lot of tabletop exercises or scenarios. We do a ton of them and that's a super helpful exercise for companies to go through and say, are we ready? I mean, it's sometimes cool when they have like heavy tech involved and you have cool pictures and video. But, I'm sometimes an old school fan of just getting everyone around a table. Or I guess a Zoom now and saying, "Okay, this happened on day one. What are you doing three hours later this happened."

Assume the Breach in Our Cyber Path

Evan: And, and so the CEO and the general council and others can really see how everyone does their job so they can actually get better at it. And that training on the IRP is critical. And if there's anything that I believe in dearly, it's that sort of IRP or the salvation for company's ability to better manage their risk.

Eric: I see partially, why you're optimistic.

Eric: Like, that's great. You assume the breach, right. Rachel, how many times did we talk about that on the podcast? You've got to assume the breach. I think we have a lot of people out there that don't even assume that. They're still setting up perimeter-based security. And we're going to keep everybody on the other side of this wall. But if you assume the breach part of that is the incident response plan. What are we going to do as an organization? How are we going to handle this? How are we going to contain this as quickly as possible? I see the optimism.

Evan: If they want to buy any beta max or stock in like Rubik's cubes, let me know. Because if you're still thinking that you're going to prevent these things from happening, we have a bigger tech corridor of problem for them to talk about.

An Important Aspect of Security

Eric: I can share some stories off the air with you sometime. I got to tell you, I heard it in the hearing the other night. One of the senators was asking about the NIST guidelines. I think he referenced 853. I'm not sure and NSA guidelines on a firewall. And he threw a yes or no binary answered question to the four-panel participants. It was essentially something that, do you believe in these guidelines? If you do, is a firewall going to work to protect you from the adversary. And then, there were a bunch of, it depends, even though they were instructors. I mean, there are still people who understand that.

Evan: I'm a huge fan of firewalls. And I think there are some companies that make better firewalls than others. They're an important aspect of your security. If that's all you're doing, then that every firewall company in the world would say, that's a problem.

Eric: They’re like shoes. If it's cold out, you need shoes. But you probably want a coat too and some pants layered defense, right? Defense in depth.

Evan: Yes.

Eric: So what else makes you optimistic?

Evan: Ringlets on your shoelaces too, that's really helpful too.

An Administration With Clear Mandate on Cyber Path

Eric: Probably. Maybe that's a next-gen firewall. What else makes you optimistic? I know we talked about the new administration, some of the things you're seeing.

Evan: Having sort of started off at DHS, I'm super excited about the evolution of CISA, of where they're going. But also, this is an administration that has a very clear mandate when it comes to cyber. They have a group of people that are going in there that are just like awesome experienced leaders and practitioners. Some of them have been in government for a while, which is great. Because they actually know what to do and can hit the ground running and they are.

Evan: And so for me, as someone who grew up in Washington DC, that provides a lot of comfort when you have sort of experienced practitioners. Just like if I have a fire in my house and I'm calling local fireman, I don't want this to be the first fire they ever put out. And that's why having those sorts of people. But also, I think the Solarium Commission and the New York Cyber Task Force, there's a lot of good guidance coming from outside. If I think about when we were at DHS and even at the evolution when we were turning over the secretary, there wasn't a lot of external sort of think tanks and others involved.

Evan: DHS 2.0 was like a seminal document that Secretary Chertoff used to reorganize, to revitalize the department. And now we have so much focus on cyber that we're having two panels in one week. 

A Source of Optimism in Our Cyber Path

Evan: Two hearings in one week of the quality that have all those great speakers on it is awesome. And that we have as many podcasts as we do, and we have as much ideas out there. I think that's great because that's where solutions come from. But the other piece that makes me optimistic is the tech community.

Evan: I mean, I spend more than half of my time spending with technologists. I spend a lot of time listening to BD. I'm a huge fan of companies like Fortune 5 capital that are making great investments in next-generation security.

Evan: So I think the idea that we are developing today the solutions of tomorrow. I'm sure that someone's tagline, that I'll just infringe their trademark on. But the idea that we are doing that is encouraging because we've already seen that. I mean, look at sort of how we think about securing SAS based offerings today versus where we were two years ago, even.

Eric: Rachael, how good do you feel right now?

Rachael: I'm feeling really good. I think five years is attainable now. I'm feeling really good.

A Watershed Event

Evan: I love Sounil Yu. He's a dear friend. I do not think five years is attainable. But I think some amount of years is. I mean, I like the idea of having years. Ultimately the most important title is I'm a dad of a 15-year-old kid and I always set goals for him and me. So even if we don't meet them, it's important to have them.

Eric: So we're making progress. Things are getting better. When we look at SolarWinds or Sunburst, we'll call it UNC 24, 52. Do you think it's going to be a watershed event? Do you think it's really going to change the way organizations, the government, people look at what's going on? Or is it just another big checkmark on the cyber continuum?

Evan: I think watershed's a great description of it. Because there's going to be a trickle-down impact of the SolarWinds supply chain attack. And I purposely used that description of the event, because it wasn't an attack on a single company. It was a supply chain attack. Therefore is every company going to double its spending and create CISO positions within Q2 of 2021? No.

Evan: But are we going to see the trickle-down of requirements as the government better understands what the impact was on government systems, as we start seeing the implementation of programs, like the cybersecurity material modeling certification. And then we're going to see how that account changes, what are the best practices and standards?

Change Takes Time

Evan: The fact that companies are thinking about ISO standards or the sort of CIS 20 now, or even if you're not a defense company, they're looking at the NIST 800-171. That we even have congressmen talking about 53 and the FedRAMP standards, that's progress. But I was very disappointed, concerned, scared of all of those issues when I was hearing about, and working with companies that were impacted by the SolarWinds supply chain attack.

Evan: Similar to like midnight maze and some of the other big incidents that have the OPM attack that it takes time for us to work through how this changes our reality. But as like a science fiction fan, this is definitely going to change our reality. It just may do it slowly, and in some places faster. I think the role that the intelligence committee is going to have and sort of their thinking about this is going to be a lot quicker than ours obviously.

Eric: I hope so. There seemed to be a lot of surprise that NSA and the intelligence community can't look at attacks launching from US-based resources. And it was like, "Well, hold on a second. We've publicly post-Snowden." I think we couldn't have been more vocal about that. That the intelligence community doesn't do that. So, I mean, we've kind of broadcasted that. It was surprising to me. I don't know.

We Can't Have It Both Ways

Evan: I mean, that's a huge challenge and you can't have it both ways. You can't stay up all night and then expect to be super sharp in the morning. 

Eric: Or you can't have your privacy and then catch everything when you want to.

Evan: I mean, it's a pendulum. It's going to swing back and forth and it will eventually find the happy medium. That's the awesome thing about our democracy. I think the recent events have sort of demonstrated that it eventually finds that happy medium or finds the right path.

Rachael: Speaking of privacy, because I know you lens on this quite a bit. Right now it's kind of a state-by-state thing that we have here in the US. There's California, I think New York standing some things up. Where do you see that going here in the US? Are we going to have our own version of GDPR for North America? How do you see that playing out?

Rachael: And I ask too because I saw this article in Politico this morning, just kind of talking about like Amazon. And you have these behemoths with all of this data, of course, health data, buying data, advertising data. And heaven forbid something happen to someone like Amazon. It's a treasure trove for an attacker. How does that play out? I mean, when you have state-by-state protections versus some kind of national approach.

A Significant Issue Around Preemption

Evan: Just to be clear, I'm not talking on behalf of any companies. Even though we represent a lot of companies, this is just my own opinion. I do think that we've seen an evolution of GDPR. Like privacy requirements first coming out of California with CCPA and then CCPA 2.0. Now in Virginia, all of a sudden in the middle of the night, they passed a similar requirement and we're going to continue to see that.

Evan: To use the analogy when my son was younger and trying to pet my 100-pound dog. We are not going to change all 50 state privacy regulations without a lot of willingness from their end. He didn't get pet until he wanted to get pet. So I think we are seeing more willingness. I think eventually the efficiencies of a national data breach law will outweigh the protections of the 50 state laws.

Evan: But there's a significant issue around preemption. I mean, without sounding like a lawyer for a second. We have to understand the rights of the states versus the federal government and that there needs to be a balancing of that. But I think as someone who doesn't practice in that space at all, I do think it's solvable. Because we've solved this in other areas, environmental law and transportation law.

Stop Revictimizing Companies

Evan: So I think we can balance the equities. It is going to take a lot of, as you said, willingness of the tech industry to recognize the efficiencies. It's not just of large tech companies, it's also the victims. Since I spent all my time working for victim companies, it's really, how are they best served and how do we best manage the equities of companies that are being hacked.

Eric: Any guidance there or recommendations?

Evan: First of all, we need to stop revictimizing companies. We need to have a better system. And this is what I actually thought was interesting about the proposed legislation from this week. It is that we separate out some government notification versus a disclosure to affected companies and contractual requirements. Or if you have PII, Personally Identifiable Information or any other regulated data, what you have to do. We kind of have to separate that out if we really want to be efficient about this.

Evan: And this is where if we sometimes use the analogy of like my car gets broken into. I don't have to first go and tell everyone on my block and everyone that I know that my car got broken into. And anyone that's ever been near me and then tell the manufacturer of my car, and then I have to figure out what was stolen and then tell everyone that. And then the police come and it might not even be very helpful and may actually revictimize me.

Simplify the Process

Evan: And so we need to have a better system for working with companies that have been through these sorts of incidents in a way that they're in a very precarious position. Because they have everything to worry about, shareholder, equity issues, to mandatory disclosure, to customer issues, to if they're working with the government. Sometimes they'll have compulsory service, subpoenas and the like.

Evan: And that's a really complicated three-dimensional game of chess that they're playing. We need to make it simpler for them. And meanwhile, the CEO and the board is rightly worried about how is this going to impact the shareholder value and SCC and disclosures of material risk and things like that. So we need to simplify that process and we need to aid victims more in their response.

Eric: I don't want anybody to ever have to make a choice between staying solvent in their minds or the first responders asking for help reaching out and letting other people in the industry who may be susceptible to the same type of breach know about it. They should be able to reach out and be protected by doing the right thing. I mean, FireEye, I keep giving them credit. They were amazing. They figured it out and they let everybody know right away. I think the SolarWinds’ team was pretty good at it too.

Do the Right Thing

Evan: I mean, I think what FireEye Mandiant did and others in that time did, quitting Microsoft and others was heroic. Because they bravely went forward and the initial reaction from the security community, I think for the first moment was a cringe. And then everyone realized what they were doing. And once we understood the full story, we all sort of happily embraced them and thanked them for that. Because they did what they did, ultimately helped everything.

Eric: The community has been great, which I'm really happy to be in the community. I mean, for me, that's like, "Okay, these are the peers, the people we work with and we did the right thing." I’m a big believer of doing the right thing.

Evan: Same here. As a lawyer who's an officer, since I'm an officer of the court. The oath and I've taken the oath many times as a government employee, I agree it's generally the right thing to do.

Eric: But some people would argue doing the right thing is protecting the shareholder. Like not taking on that risk, despite the impact it may have on others, third-party downstream, whatever it may be.

Evan: There are legitimate reasons why companies do not disclose and I advise them not to and I will defend them all day long.

A Delicate Balancing of Equities

Eric: I agree with you.

Evan: And if there's no regulatory contractual or other requirements, and there is a potential risk and it's up to the leadership of companies. And there is no downstream benefit either to them or the community that they're in because there isn't always. I mean, if you're the 70th victim of a maze attack, does anyone gain benefit from that? So I think that's where it is a very delicate balancing of equities. But that's where if we had a better system in place for notification, I think that would help it quite a bit.

Rachael: I have a question. One of the things we talked about with Michael Daniel for the cyber threat alliance was this idea of standards of care. And I'm always wondering too, do these companies have to go it alone or should there be kind of more involvement or more expectations of someone backing you up? Is it like state national? There's always that question about cloud service providers, what's their responsibility and understanding the division there. I mean, what do you think? I mean, is there something there that we need to be thinking about?

Evan: Yes. I’m a huge fan of Mr. Daniels and of the organization he works at. So I do agree that we need to have and it's not just sort of standards of care, which I think right now, we have it sort of sector-based and we do have bits and pieces of it.

A Need To Create a Better System in Our Cyber Path

Evan: But also, it's understanding the role of different levers of these risk management levers, like insurance. Insurance providers play a huge role and an ever-changing role in how companies manage the risk. As does the advent of managed security service providers or managed service providers that now are taking over some of that risk that companies, especially if you're in the SMB, small, medium business market, you're not going to invest in a cert, you're not going to have a world-class CISO.

Eric: Right, you can't.

Evan: So we need to think about how do we do cyber at scale? And that's where I think some of those ideas are really helpful. Because ultimately this gets back to every company, especially if it's a medium or small business, can't be defending themselves against foreign nation-state threat actors that are trained and all sorts of evildoer type things.

Evan: And so we need to create a better system of putting elements between them. And if it's through ISPs or CSP management or better services. I mean, we do this in the automobile sector all the time and companies don't have to decide whether or not they want safety glass or seat belts.

Evan: We sort of require them to have it, and you don't have a choice of whether, or you have insurance, if you're going to be driving a car, you're required to have it.

Rachael: Exactly.

When Security Is Everywhere in Our Cyber Path

Evan: And there are even rules, even though there's no federal speed limit and there's no federal driver's license. Every state sort of, I can drive from Maryland to Virginia to DC, and I know how to follow the rules in all three states without having to take a new driver's license. Thankfully, because I probably would fail, but that's only if you ask my wife and son.

Rachael: That's an interesting point too. Because Eric, we've talked about this before this. Looking ahead, this ubiquity of security, it's just every part of your everyday life. And I think as that happens, obviously it's like your car, you just expect the airbag to work. Or there's always going to be a seatbelt when you get in the car. I think people's expectations could change when security is literally everywhere in every part of your day-to-day life. I just wonder as those mindset shift what does that mean? How does cyber keep up and who's kind of backing people up or who's responsible as well?

Evan: One of the fun things I get to do in my job, in my whole career, at least as a lawyer for the last 13 years has been standing between chief information security officers or CISOs and general councils and sometimes CEOs. And one of my colleagues gave me cling on Romulan translation God. Because they often think that I translate sort of legal into cyber risk and cyber risk into legal risk.

Evan: And one of the really fun things I get to do is work with new CISOs, who get to come into an organization. Or sometimes we're the first, but usually their a new one and they get to figure out, does the car have seat belts, or do we have a really good dashboard that tells us everything that we're doing.

CISOs Are Getting Better

Eric: Have we tested that?

Evan: Or our break sort of bear thread, and we need to replace them. And so learning as we develop that security culture as a community, as CISOs get better and I think every CISO community is getting better all the time. Both in terms of skills and diversity and inclusion and all the things that historically we aren't great at.

Evan: I think that is going to be a core part of how companies get better. Because they're the ones that are managing this. I mean, it's not the CEO, that's going to be trying to figure out how to work the airbags and deploy seatbelts and the like.

Eric: Evan as we're finishing up, I want to transition to your work at Columbia teaching. With your students, we often talk about the cyber workforce shortage. Over time, have you seen a change or are you seeing progress? Give us a great story.

Evan: Actually shortly after I started practicing law is actually Chris Krebs. So I can credit for giving me the idea, to teach a class at his alma mater at George Mason. And I taught a class with one of my best friends for almost I think 19 semesters. We taught a class on homeland and cyber law. And it was very focused on how the government functions and how to work with people.

We Need More Cyber Lawyers

Evan: So I took that approach and when Jay Healey and other good friends and awesome part of our ecosystem asked me to co-teach a class with him as a lawyer, sort of an operator. And so what we did is we actually took this year, the Cybersecurity Solarium Commission, since it had so many great recommendations. And at the time when we started teaching class, it hadn't been implemented and a third of the class itself is made up of students from the School of Computer Science. 

Evan: A third of them are law students, and a third are coming from the School of International Public Affairs. So they're sort of lawyers, policy and tech people. We divide them into teams and they have to work together. Because once again, that sort of in real life to prepare them for actually what they do.

Eric: Working together.

Evan: If you're a CTO, you're not only going to work with other people in your tech organization, you're eventually going to have to work with lawyers, and you're going to have to work with your board and CEOs. And so it's really preparing them for that. But that's why I've been teaching. I guess if I was like an antitrust lawyer, maybe I'd want to be the only antitrust lawyer in the world. But in reality, we need lots and lots of more cyber lawyers.

We Need To Give Back To Our Community

Evan: And so when I find people like me, I try to encourage and mentor and build them up. And once again, we, as a community really need to focus on diversity and inclusion. That's really important to the firm I work at. But also, I belong to some communities like the Security Tinkers, where that's sort of a core mission of ours. 

Evan: And so that's why, I mean, I guess the beer money that you get out of teaching is fun. But I teach because I'm trying to really be a part of developing that next generation of workers. And to be honest, earlier in my career, even when I was in grad school, I learned that you learn things better by teaching than anything else. I know the Cybersecurity Solarium Commission better now after spending a semester teaching it than I did before.

Evan: And students come up with, especially the students at Columbia were awesome and innovative and smart and learned a ton. And all my students are awesome, innovative, and smart, just in case any of them ever listened to this.

Eric: You didn't have me as a student. You're lucky.

Evan: So, I mean, that's a big part of like the, "My wife won't let me drive an Uber. So I have to do all these things when I'm not lawyering and teaching, or I'm a fellow at the Wilson Center being a part of the CFR." Those are all really important things back to the community point, this is a community, we need to give back to it.

There's a Lot of Hard Work Ahead of Us

Evan: I'm a core member of this Security Tickers community, that's the whole point of, we share with each other, learn collectively, and we need to do more of that. And eventually, we'll all look like CFOs or COOs, but we have a while to go between now then.

Eric: Okay. So not five years, but we're getting better. There's a lot of promise on the horizon, both tech, policy, you name it. And we've got a lot of people working and we need more people in this business?

Evan: Yes, and more tech, and we need to work together better. I mean, I recognize there are a lot of problems. The defense is hard and offense is easier right now, and we need to change that. And our legislation and the regulations are complex and difficult and don't always protect victims. So, I mean, there are other things that we can do better at, I'm not saying the system's perfect, and we have a lot of work ahead of us.

Evan: And since most of my work is done between Friday nights and Sunday mornings. Because that's when all companies seem to have cybersecurity incidents. There's a lot of hard work ahead of us.

Rachael: All right. Well, thank you guys. Thanks for joining us for, To The Point episode 124 with Evan Wolfe, have a great week, and we'll talk to you soon.

About Our Guest

Evan D. Wolff is a partner in Crowell & Moring's Washington, D.C. office where he is co-chair of the firm's Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Prior to entering private practice, Evan served as an advisor to the senior leadership at the Department of Homeland Security (DHS). Previously, he held the position of principal homeland security policy analyst/project manager to The MITRE Corporation and also served as general counsel and senior geospatial analyst for sciences LLC; vice president and principal of Environmental Protection International; and senior geologist at the U.S. Nuclear Regulatory Commission.
Evan was inducted into the Council on Foreign Relations in 2017 and serves on the Sandia National Lab External Advisory Board, the U.S. Chamber of Commerce National Security Task Force, as a panel member on the Defense Science Board at the Department of Defense, and as a senior adviser at the Homeland Security and Defense Business Council. Evan is currently the co-chair of the ABA Homeland Security Law Institute, as well as a senior adviser to the ABA Committee on Law and National Security. He also serves as a senior associate (non-resident) of Homeland Security and Counterterrorism Program at the Center for Strategic & International Studies (CSIS). Evan also co-authored an ABA Section of Criminal Justice article titled, "Industry Collaborations on Cybersecurity: Protecting Against Antitrust Violations.”