Phil Goldstein, Senior Editor of FedTech and StateTech joins the podcast this week to discuss government cybersecurity challenges including election security, artificial intelligence and ransomware attacks.

Don’t forget to sign up for upcoming episode alerts!

How to Listen

Episode Table of Contents

• [4:09] The Similarities and Differences Between State and Federal Tech
• [6:30] Cybersecurity As A Utility Service
• [12:12] Protecting Our Crucial Infrastructure from Cybersecurity Challenges
• [15:32] Facebook and Twitter's Take on Political Ads

Meet Our Guest, Phil Goldstein

Arika: And so this week we're excited to have Phil Goldstein, Senior Editor of FedTech and StateTech. How are you doing Phil?

Phil: I'm great. How are you?

Arika: Doing great. So again, thank you for joining us. You must have nothing to write about these days, huh?

Phil: Nope. Nothing at all. Cybersecurity is --

Eric: Boring. Very boring space, right, Phil?

Arika: Nothing's happening.

Phil: Nope. Nothing ever happens in the areas that I cover. Nothing.

Eric: What did you write about before cybersecurity?

Phil: So before I was writing about topics like cybersecurity and government IT, I spent seven years covering the wireless industry. So I was working for a business-to-business, a media publication called FierceWireless and wrote basically exclusively about the wireless industry, which was pretty cool because I started doing that in the fall of 2008. So if you think back, that was a couple months after the iPhone 3G had just come out, and I wound up covering that all the way up until the end of 2015. So when we were kind of in the early phases of adoption of 4G LTE. So I got to see kind of the whole smartphone revolution take off. And that was really cool.

Eric: I'm always interested in an individual's journey to cyber. There's some many diverse paths, but everybody seems to be coming here. It's great.

Phil: Yeah.

Arika: Good job security, right?

Eric: Yeah. At least for now. I mean, problem isn't getting any better, worse each year.

State Vs. Federal Tech

Arika: So, Phil, you cover both state as well as federal, in terms of government and cybersecurity and technology issues. And, so just would love to first start there. I mean, what are you seeing across state and federal tech that's different? That's similar from a security perspective. You know, there's a lot of efforts happening I would imagine at both levels of government local as well. But that's a different story in terms of just the strategy, realizing that the threat is very different and I think we hear a lot about, or I personally probably hear a lot about, what's happening at the federal level, at the state level.

I tend to hear more about into some of the threats that are happening that are shutting down, state government and local government. But what are you seeing when you look across both state and federal? What are your thoughts in terms of how things are being done in a similar fashion, and how things are done different and what challenges are different and the same?

Phil: Sure. That's a great question.

Eric: It's a long question.

Arika: I know. As I was saying at the end I was like, okay, this is a very long winded question.

Phil: I get where you are coming from. I also tend to ask really long questions, long windup. So I would say that some of the similarities that I'm seeing in terms of the things that I'm reporting on are that both federal IT security leaders and state and local government, IT security leaders are facing a skills gap. That's nothing new, that's been kind of a concern for a long time, but they're starting to think about creative ways to approach that skills gap.

The Similarities and Differences Between State and Federal Tech

Phil: Whether that's through increased use of artificial intelligence and automation tools to kind of augment the capacity of the staff that they have, or allow their staff to spend less time on kind of rote cybersecurity, a lot of monitoring type activities and focus on more higher-level analytical activities. You're seeing at both levels of government a need to kind of continuously evolve security defenses because the threat landscape is always evolving, and the threats are growing more sophisticated.

So I think that a couple of years ago, the shift away from signature-based cyber security defenses to behavior-based. And I think that is now kind of evolving even further where you're starting to see a major shift away from a purely perimeter focused cybersecurity approach in government to more of a data protection focus.

You know, you're seeing this most significantly in the federal space when it comes to the focus on high-level assets or high-value assets, rather. And you're also starting to see a tentative, I would say, embrace of the Zero Trust cyber security model. So those are the similarities. I think that there are some things that are quite different. I think that the threat of ransomware for example, is much more prevalent at the state and local level than it is in the federal environment.

Eric: We're certainly seeing that.

Eric: Right? For whatever reason, they're easier targets or nobody wants to really piss off the feds. I don't know. But we're definitely seeing that at the state and local level. Yes. Arika, I'm sorry.

Using AI Tools to Quickly Sift Large Data

Phil: No, I mean it's... I think part of that is because the attackers know that the state and locals just don't have the resources and the know-how that the federal government does. So they are seen as much easier and softer targets.

Eric: Right. So do you have any good examples that you've seen in your travels of an agency or an organization using artificial intelligence? I hear a lot of talk but I don't see the... I don't see the actual applicability yet.

Phil: So it's interesting. I was just at the Imagine Nation ELC conference in Philadelphia, and we asked some federal IT security folks about this specific topic. And the one example that I could point to is, I spoke with Guy Cavallo, who's the deputy CIO of the Small Business Administration, and he was talking about how they are using AI tools to really sift through large amounts of data very quickly, to detect and respond to threat indicators that they see. And they're also using AI based tools to detect anomalous behavior more efficiently, so that staff can be alerted and remediation can occur.

So Guy was talking to me about if you saw him logging on from a different location in the country, than he normally logs in on, that would be flagged. If you saw him logging in from an international location, that would raise even more suspicion. So I think that it's not really very, I would say, sophisticated analysis. It's more kind of using these tools to sift through log data and find anomalous patterns and then have that alert IT staff.

Cybersecurity As A Utility Service

Arika: Interesting. Would be curious to know, what was the conference call? The Imagine Nation ELC?

Phil: Yeah. It's the Executive Leadership Conference put on by the organization ACT-IAC-

Eric: ACT-IAC, yeah.

Phil: and so the past couple of years they've had it in Philadelphia. It used to be held every year in Williamsburg. There are a lot of great conversations there about cybersecurity and how things are evolving. There are definitely folks from OMB and DHS there, in addition to all the other agencies that you could expect.

Arika: Anything that surprised you that you heard while you were there in terms of the look to the future?

Phil: It was interesting. I spoke with Dorothy Aronson, who's the CIO of the National Science Foundation, and she said that she would love it if, as things evolved, cybersecurity for government agencies became more of a utility service, so that every agency didn't need to specialize in cybersecurity and have cybersecurity take up so much of their IT resources. They would prefer, she said to focus on their mission. They could kind of buy or access cybersecurity is kind of a common shared utility service that can be available to different agencies across the government.

Cybersecurity as a Supporting Component of IT

Arika: So that's interesting. Phil. Eric, what do you think about that? Be curious to hear your opinion on cybersecurity as a utility.

Eric: Well, I think IT as a utility or a service is a great idea, cybersecurity being a functional supporting component of IT, which enables the business, is really Nirvana in my opinion. Right? The business, the National Science Foundation's business is not to run an IT shop, it's not to do security, it's to do National Science Foundation activities. And anytime we can free up an organization, whatever it may be, to do their primary mission and make it easier, that's what we should do. It should be like electricity. You plug into the wall and it's just there for you. You're secure and you can take care of business.

Arika: Good points. Good points. Phil, want to switch it up a little bit? You know, we are actually recording the week of November 4th. So we had an election this week, and so I know election security, not so much with the election we had since this was a midyear, but I'm certainly gearing up for next year, is a huge issue. We had Chris Krebs on our podcast a few months ago and he said, really from his perspective, it's one of the number one issues that they're focused on right now. What are you seeing in terms of election security both at the state as well as as federal level?

Election Security at State and Federal Level

Phil:

 I think that the activity is more pronounced right now at the state level since the states do administer their own elections. So you're seeing a lot of state CIOs and CISOs coordinate with their Secretaries of State's office and their election officials.

You know, some of that kind of basic blocking and tackling that needs to happen when it comes to cybersecurity in terms of training and awareness. You know, just making sure that everybody's coordinated and on the same page from a technology perspective. You are seeing things like risk-limited auditing and more advanced firewall and intrusion protection defenses. You're seeing those kinds of investments being made. And the federal government is obviously, through the department of Homeland Security and the Cybersecurity through CISA at DHS, they're working with the states to try to get on the same page and coordinate and make sure that the state and local officials have all of the knowledge and resources that they need to protect their election infrastructure.

Eric: To me, this is such a critical issue. I mean the difference... We've always had voting challenges. Any country out there, it's easy to lose paper ballots, it's easy to add some, change some whatever it may be. To me, the difference as we go into this cyber connected world is that the ability for somebody external to the United States to reach into the United States and actually change the will of the people. Right?

Protecting Our Crucial Infrastructure from Cybersecurity Challenges

Eric: It's very easy to get into the United States from a far away land. We know this. I mean, if you don't know that, I don't know where you've been. We've got to protect this crucial infrastructure, this component of our... The foundation of the United States of America, because it's so easy for somebody to come in and cause disruption. Maybe not change the state of the election, but there are a lot of nation states, there are a lot of individuals, there are a lot of organizations who would like nothing else for the United States of America to be very distracted and focused on something else.

Phil: Yeah, I agree. And you know, I think that since 2016 a lot of state officials have really kind of woken up to the threat that's out there, not just from a pure kind of intrusion into voter registration logs or voter registration books and things like that, but also disinformation and media manipulation, social media and manipulation.

I spoke at the NASCIO conference a couple of weeks ago, with the Chief Security Official for Michigan, and he said that they're focusing part of their cybersecurity efforts specifically around combating what they expect to be misinformation campaigns going into the 2020 election. The threat landscape runs the full gamut, and it's not just your typical nation state actor trying to break into infrastructure. It's more sophisticated than that.

Swaying the Election from Fake News and Misinformation

Eric: Phil, that's a great point. I mean, the ability to sway the election from misinformation, fake news as we all talk about, right? But really put out information that is not accurate that people believe. They believe it. As a journalist, I'd love to hear your thoughts on that. You put out your spoken word, I'm assuming you believe in it or it's factually reported when you report.

Eric: What happens to all the third party material that isn't coming from an American or isn't coming from somebody that's going to sway opinion? That may be the bigger issue than actually hacking into a voting machine or a district.

Phil:

Yeah, I tend to agree with you. I think that state officials need to do a better job of combating that misinformation and being kind of the arbiters people can either go to or better, proactively kind of weeding out that disinformation and reaching out to the public to make sure that they're getting accurate information. Because let's be honest, folks, media literacy in general is probably not that great, especially with a lot of people getting their news these days from places like Facebook.

They're doing, the social media companies are doing some things to kind of flag content and make sure that things are as verified as they can be. But there's a lot of misinformation that's being spread around. And I think that what we saw in 2016 with the Russian activities was, that was a big part of it. It wasn't necessarily trying to change the vote tallies, it was trying to influence away that public opinion was going, and have that kind of ripple through to the election.

Facebook and Twitter's Take on Political Ads

Arika: Well, it's fascinating how Facebook is now banning all political ads, right? I mean we're having, it-

Phil: That's Twitter. Facebook is not doing it.

Phil: Facebook is actually said, and it's taken a lot of heat for basically saying, "We're not going to fact check political advertising. We don't think that that is our role." And I think that Mark Zuckerberg has taken a lot of heat and criticism from that. And then, shortly thereafter we saw Jack Dorsey from Twitter say, "No, this is our kind of responsibility as this kind of a platform."

Eric: So as a journalist, the First Amendment: Congress shall make no law respecting an establishment of religion or prohibiting the free exercise thereof, or abridging the freedom of speech or of the press.

Eric: As we get this fake news, this information that is not accurate. Where do you sit on that? I mean, we don't want to stop people from being able to say something, but somebody could literally come in and publish incriminating information about me they stole off my phone or out of my house. Or they could spread disinformation, information that's not accurate. It's so easy these days.

Phil: I would say that it is becoming much easier to spread disinformation. There are so many fewer gatekeepers than there used to be, certainly in the media landscape. And social media kind of just turbocharges that and allows information that is hearsay and not based on any verifiable facts to really ricochet around the internet and then get into the bloodstream of public opinion.

Facebook on Embracing Its Role as a Media Platform

Phil: As a journalist, and somebody who's committed to reporting the truth about everything that I write about when it comes to government IT, that is something that's deeply disturbing to me. And obviously there's only so much that Congress-

Eric: We can do, right?

Phil:

 There's only so much that Congress can do to kind of a limit that. I think that what we're seeing in the debate between Facebook and Twitter about political advertising is that these companies don't want to, at least in Facebook case, don't want to sort of embrace their role as a media platform the way that CBS or the New York times is.

But really they are, and a lot of people are getting their information from that and that influences elections and that is kind of a... I think in government, a under discussed aspect of how cybersecurity is evolving, is the way in which things can be manipulated that are not directly tied to government entities but that still have a profound influence and impact on our government, in this country.

Eric: No, exactly. It's funny, my dad will get something off of Facebook, usually, and it's like, "Okay you do you really believe this?" He'll send it to my son and I don't do anything on Facebook. He'll send it to my son, the doctor who's got a history of research and, studying things and they fundamentally disagree with each other politically too. So it's usually political. My son will come back with the research and "Here are the five reasons why that is factually inaccurate and I can't understand..." And then they get into the spat, but my dad truly believes like that is what happened. And it's bizarre.

Combating Misinformation

Phil: Yeah. I mean it's a real, real phenomenon and it's something that I think is growing more sophisticated and pernicious and it's something that I think everybody who is kind of involved in cybersecurity, whether you're in government or in the private sector, has a responsibility to work against. I spoke also at the ELC conference with somebody from the Census Bureau-

Arika: Yeah, that's a big issue.

Phil: ... about 2020 census, and they have a whole operation that's being dedicated to combating misinformation about the census. And making sure that people have accurate information and that they're not dissuaded from not participating in the census because of misinformation.

Arika: Thanks Phil, and thanks to everyone that tuned in this week and please continue to check us out. We are here every week talking all things cybersecurity and please give us a rating on iTunes, subscribe to us, tell a friend and tell a neighbor and just keep listening. So thanks so much for being as a listener. Until next week. Thanks guys.