WEBVTT

1
00:00:00.450 --> 00:00:02.790
Anna Delaney: Hello, and welcome back to Proof of Concept, the

2
00:00:02.790 --> 00:00:06.210
ISMG talk show where we discuss the cybersecurity and privacy

3
00:00:06.210 --> 00:00:09.930
challenges of today and tomorrow with industry leaders, and how

4
00:00:09.930 --> 00:00:12.750
we can potentially solve them. We are your hosts. I'm Anna

5
00:00:12.750 --> 00:00:15.270
Delaney, director of productions here at ISMG.

6
00:00:16.230 --> 00:00:18.090
Tom Field: I'm Tom Field. I'm senior vice president of

7
00:00:18.090 --> 00:00:21.420
editorial at ISMG, and Anna, it's a privilege to record our

8
00:00:21.420 --> 00:00:23.670
first Proof of Concept of 2023.

9
00:00:23.940 --> 00:00:26.700
Anna Delaney: You're absolutely right. And this one is all about

10
00:00:26.850 --> 00:00:29.100
the U.S. cybersecurity strategy.

11
00:00:31.140 --> 00:00:33.300
Tom Field: Biggest news of the year so far, outside of some of

12
00:00:33.300 --> 00:00:35.730
the high-profile breaches. It's something we've all waited for a

13
00:00:35.730 --> 00:00:39.810
long time. It was released just over a week ago, and already

14
00:00:39.810 --> 00:00:42.270
we've garnered significant conversation about this. And

15
00:00:42.270 --> 00:00:44.550
there's some people very excited just about what's been

16
00:00:44.550 --> 00:00:45.630
articulated so far.

17
00:00:46.110 --> 00:00:49.530
Anna Delaney: Yeah, so it outlines five pillars that urge

18
00:00:49.560 --> 00:00:52.230
more mandates on the private sector that controls most of the

19
00:00:52.230 --> 00:00:56.130
nation's digital infrastructure and an increased government role

20
00:00:56.160 --> 00:00:59.340
to disrupt and dismantle threat actors. It's great language. And

21
00:00:59.340 --> 00:01:02.250
I particularly like this last point, because it highlights

22
00:01:02.250 --> 00:01:05.940
this idea to turn disruption into a business-as-usual

23
00:01:05.940 --> 00:01:08.910
activity.
And then, you know, it's been widely praised,

24
00:01:08.910 --> 00:01:09.780
wouldn't you say, Tom?

25
00:01:10.200 --> 00:01:12.690
Tom Field: It has been. It names names, and it does outline some

26
00:01:12.690 --> 00:01:15.930
significant strategic changes, and as one of our commentators

27
00:01:15.930 --> 00:01:19.230
says, it represents the U.S. finally taking off the gloves.

28
00:01:19.230 --> 00:01:22.650
But the question becomes, who is going to pay for it? Who is

29
00:01:22.650 --> 00:01:25.410
going to execute this? And my question is, do we have a

30
00:01:25.410 --> 00:01:30.360
Congress that's got the desire and ability to execute some of

31
00:01:30.360 --> 00:01:32.280
these strategic elements? I do not know.

32
00:01:33.600 --> 00:01:34.860
Anna Delaney: And you've obviously had various

33
00:01:34.860 --> 00:01:38.790
conversations with industry leaders in this past week. What

34
00:01:38.790 --> 00:01:40.590
were the highlights from those conversations?

35
00:01:40.860 --> 00:01:45.060
Tom Field: Well, you know, on one hand, you've got people that

36
00:01:45.060 --> 00:01:50.190
will say that this is the one bipartisan issue in the U.S.,

37
00:01:50.220 --> 00:01:53.310
everybody can agree on cybersecurity. But on the other

38
00:01:53.310 --> 00:01:56.640
hand, there's some language in the strategy that could be

39
00:01:56.640 --> 00:01:59.340
politicized by people that want to politicize it. And

40
00:01:59.340 --> 00:02:02.010
unfortunately, we've got an environment right now where if

41
00:02:02.010 --> 00:02:05.640
something can be politicized, it will be. I'm not so sure that

42
00:02:05.640 --> 00:02:08.520
cybersecurity remains a bipartisan issue. I guess we're

43
00:02:08.520 --> 00:02:10.980
going to find out. And we've got some guests today that will help

44
00:02:10.980 --> 00:02:12.210
us make some sense of this. Right?

45
00:02:12.540 --> 00:02:14.190
Anna Delaney: They definitely will have some interesting

46
00:02:14.190 --> 00:02:17.040
points to share with us. Why don't you welcome them?

47
00:02:17.280 --> 00:02:19.590
Tom Field: I'm happy to. They probably don't know this, but

48
00:02:19.590 --> 00:02:22.920
internally, we refer to them as the two Grants. You may know

49
00:02:22.920 --> 00:02:26.520
them as the Venable duo. We have got Grant Schneider, senior

50
00:02:26.520 --> 00:02:29.730
director for cybersecurity services with Venable and Jeremy

51
00:02:29.730 --> 00:02:32.850
Grant, managing director of technology, business strategy,

52
00:02:32.850 --> 00:02:35.970
also with Venable. Grant, Jeremy, thank you so much for

53
00:02:35.970 --> 00:02:36.930
being here with us today.

54
00:02:37.800 --> 00:02:38.220
Jeremy Grant: Thank you.

55
00:02:38.310 --> 00:02:39.180
Grant Schneider: Thanks for having us.

56
00:02:40.410 --> 00:02:41.910
Anna Delaney: So, Grant, why don't we start with you, as

57
00:02:41.910 --> 00:02:45.210
someone who knows Washington well, is serving as the former

58
00:02:45.210 --> 00:02:49.350
federal CISO for the OMB? What were your first impressions of

59
00:02:49.350 --> 00:02:50.220
what's laid out here?

60
00:02:51.840 --> 00:02:54.150
Grant Schneider: I think, I mean, I agree with Tom's

61
00:02:54.150 --> 00:02:57.900
comment. I think it's a solid document, right? It's long,

62
00:02:57.930 --> 00:03:01.620
there's a lot of things in this, there are a lot of activities

63
00:03:02.010 --> 00:03:05.280
that the administration wants to undertake. At the same time,

64
00:03:05.310 --> 00:03:08.100
this is a continuation of a lot of things this administration

65
00:03:08.100 --> 00:03:12.690
has been working on.
So there are a few, you know, new items,

66
00:03:12.690 --> 00:03:16.050
and I think the newer items that are in there are the ones that,

67
00:03:16.080 --> 00:03:18.330
you know, potentially would require some congressional

68
00:03:18.330 --> 00:03:22.890
support. But, in general, this continues a lot from the Biden

69
00:03:22.890 --> 00:03:26.760
cybersecurity executive order. It plays off of that, it plays

70
00:03:26.760 --> 00:03:32.100
off of also, some of the Trump executive orders and continues a

71
00:03:32.100 --> 00:03:36.720
lot of the focus that we've had. So I think it's a good document,

72
00:03:36.720 --> 00:03:39.450
I think it continues a lot of the momentum that we've seen,

73
00:03:39.750 --> 00:03:44.580
and hits kind of the right balance of, you know, level of

74
00:03:44.580 --> 00:03:49.950
detail, and breadth of something that you really want in a

75
00:03:49.950 --> 00:03:54.180
national strategy to cover how do we, you know, move forward as

76
00:03:54.180 --> 00:03:54.720
a nation.

77
00:03:56.100 --> 00:03:58.950
Anna Delaney: Jeremy, it was great to see that digital

78
00:03:58.950 --> 00:04:02.070
identity solutions were singled out. There was reference to the

79
00:04:02.070 --> 00:04:05.940
fact that a lack of secure privacy preserving consent-based

80
00:04:06.150 --> 00:04:11.460
digital identity solutions allow fraud to flourish, and it states

81
00:04:11.460 --> 00:04:14.640
that the federal government will encourage and enable investments

82
00:04:14.640 --> 00:04:18.540
in strong, verifiable identity solutions that promote security.

83
00:04:18.540 --> 00:04:23.070
That must please you. Anything you want to pick up on regarding

84
00:04:23.070 --> 00:04:24.870
the language around digital identity?

85
00:04:25.050 --> 00:04:27.510
Jeremy Grant: Well, I think the thing that stood out to me and

86
00:04:27.510 --> 00:04:31.470
this may seem perhaps like a small item to some viewers, but

87
00:04:31.470 --> 00:04:34.710
this is the first time since the Obama administration wrapped up

88
00:04:34.710 --> 00:04:37.230
that we've had an administration actually say that digital

89
00:04:37.230 --> 00:04:39.720
identity is a cybersecurity priority in a document like

90
00:04:39.720 --> 00:04:42.270
this, not to say that there weren't some efforts in the

91
00:04:42.270 --> 00:04:44.730
Trump administration, not to say the Biden administration hasn't

92
00:04:44.730 --> 00:04:47.400
been doing some things in this space the last couple of years,

93
00:04:47.700 --> 00:04:51.510
but it's actually been some time since we've had this, you know,

94
00:04:51.570 --> 00:04:56.040
item formally included in a cybersecurity strategy. And

95
00:04:56.040 --> 00:05:00.000
given that we continue to see year after year, identity is the

96
00:05:00.000 --> 00:05:02.640
No. 1 attack vector that we're seeing in breaches and

97
00:05:02.640 --> 00:05:06.450
incidences, given all of the, you know, hundreds of billions

98
00:05:06.450 --> 00:05:08.850
of dollars that have now been documented between, you know,

99
00:05:08.850 --> 00:05:12.420
fraud and against government benefits and fraud targeting the

100
00:05:12.420 --> 00:05:15.030
private sector that's flowing to organized crime and nation-state

101
00:05:15.030 --> 00:05:17.520
attackers. It was really important, I think, for the

102
00:05:17.520 --> 00:05:21.540
administration to highlight the importance of hardening digital

103
00:05:21.540 --> 00:05:24.210
identity infrastructure. So from that perspective, it was really

104
00:05:24.210 --> 00:05:24.720
good to see.

105
00:05:26.010 --> 00:05:28.380
Anna Delaney: Anything you want to pick up on what Grant said

106
00:05:28.380 --> 00:05:30.270
earlier about, you know, first impressions?

107
00:05:30.810 --> 00:05:32.940
Jeremy Grant: I think, overall, I agree with Grant, I think it's

108
00:05:32.940 --> 00:05:35.160
a pretty thorough strategy. I mean, going back to what Tom

109
00:05:35.160 --> 00:05:38.160
said before, look, this has been, for the most part, a

110
00:05:38.160 --> 00:05:40.530
bipartisan issue, although there are some things that are in here

111
00:05:40.530 --> 00:05:43.350
that we're already hearing from Democrats and Republicans, they

112
00:05:43.350 --> 00:05:47.430
have different views on, for example, regulation. You know,

113
00:05:47.910 --> 00:05:50.160
industries, also, I think, pushing back a little bit on

114
00:05:50.160 --> 00:05:53.250
some of the calls that software makers be held liable. So I do

115
00:05:53.250 --> 00:05:55.230
think there's going to be some places where you'll see some

116
00:05:55.230 --> 00:05:59.100
breakdown, not necessarily 100% on party lines, but things will

117
00:05:59.100 --> 00:06:01.890
become a little bit more partisan. But for the most part,

118
00:06:01.890 --> 00:06:04.620
I think, you know, a lot of what's in here is a continuation

119
00:06:04.620 --> 00:06:08.970
of what we have seen from different White Houses, you

120
00:06:08.970 --> 00:06:11.730
know, helmed by both Democrats and Republicans over the last,

121
00:06:11.790 --> 00:06:15.420
gosh, I'd say 15 years at this point, or, you know, perhaps

122
00:06:15.420 --> 00:06:19.320
beyond. And so, I would say it is an evolution, not a

123
00:06:19.320 --> 00:06:21.930
revolution. There was nothing in here that I read and said, "Wow,

124
00:06:21.960 --> 00:06:25.350
this is, you know, something I would never have expected, this

125
00:06:25.350 --> 00:06:28.560
really changes the paradigm."
But what I think is great about

126
00:06:28.560 --> 00:06:31.290
the strategy is it's very thoughtful, it's coherent. And,

127
00:06:31.320 --> 00:06:35.130
you know, certainly as you get back into how different

128
00:06:35.130 --> 00:06:39.990
policymaking processes will work within the executive branch,

129
00:06:40.410 --> 00:06:43.770
this is sort of a helpful, you know, touchstone to come back

130
00:06:43.770 --> 00:06:46.680
to, to say, "Look, okay, we put it in here, this is what we're

131
00:06:46.680 --> 00:06:50.100
focusing on." And, you know, it helps to reinforce, I think, in

132
00:06:50.100 --> 00:06:54.930
the years ahead, where different resources are allocated, and

133
00:06:55.140 --> 00:06:57.360
where, you know, priorities are determined.

134
00:06:58.860 --> 00:07:00.480
Anna Delaney: Well, Grant, some have said this strategy

135
00:07:00.480 --> 00:07:03.330
discusses short-term and long-term visions, but not so

136
00:07:03.330 --> 00:07:06.570
much about the intermediate steps. Would you agree on this

137
00:07:06.570 --> 00:07:09.990
front? And what else is missing in your opinion, or would you

138
00:07:09.990 --> 00:07:10.890
like clarity on?

139
00:07:12.360 --> 00:07:15.600
Grant Schneider: I think, short-term and long-term and not

140
00:07:15.600 --> 00:07:21.390
the midterm. And that's probably fair, I hadn't thought about it

141
00:07:21.390 --> 00:07:24.240
in exactly those terms. I think that's probably fair. However,

142
00:07:24.270 --> 00:07:28.410
it's a strategy, right?
It is not intended to be the road map

143
00:07:29.370 --> 00:07:33.420
of how we get from point A to point B, it is really intended

144
00:07:33.420 --> 00:07:37.380
to, you know, set the direction, set the vision and be something

145
00:07:37.380 --> 00:07:42.540
that we can get industry and government and people that

146
00:07:42.540 --> 00:07:45.180
don't interact with the government from a, you know,

147
00:07:45.840 --> 00:07:50.190
industry standpoint on a regular basis, all united around how do

148
00:07:50.190 --> 00:07:53.400
we increase our cybersecurity defenses? And how do we move

149
00:07:53.400 --> 00:07:56.490
this forward? And one thing I also wanted to mention is, from

150
00:07:56.490 --> 00:08:00.630
a process standpoint, Chris Inglis, who just departed as the

151
00:08:00.660 --> 00:08:03.930
national cyber director and led the effort of developing the

152
00:08:03.930 --> 00:08:09.270
strategy - he and his office did a whole bunch of industry and

153
00:08:09.270 --> 00:08:13.530
private sector outreach in the development of the strategy. So

154
00:08:13.530 --> 00:08:17.250
this was something that I think they had 300 or 400 engagements

155
00:08:17.670 --> 00:08:20.520
with various people, brought people in to do table reads,

156
00:08:20.550 --> 00:08:24.630
took feedback over a six- or eight-month period. So I think

157
00:08:24.630 --> 00:08:27.990
from a process standpoint, you know, they worked very hard to

158
00:08:28.110 --> 00:08:32.790
try and get feedback and not just hear it all from us after

159
00:08:32.790 --> 00:08:37.350
they sort of did the big reveal, if you will, which is why I

160
00:08:37.350 --> 00:08:42.330
think you see a good bit of cohesion across the strategy.

161
00:08:43.230 --> 00:08:45.570
But yes, there are definitely things that we're going to need

162
00:08:45.570 --> 00:08:49.530
to dig more into, of how do we get from here to there, how do

163
00:08:49.530 --> 00:08:52.050
we actually implement, what are some of the challenges,

164
00:08:52.260 --> 00:08:54.960
political budget, you know, others that have been mentioned

165
00:08:54.960 --> 00:08:55.950
already here this morning.

166
00:08:57.750 --> 00:08:59.610
Anna Delaney: Jeremy, thoughts on what's missing?

167
00:09:02.040 --> 00:09:03.690
Jeremy Grant: Nothing stood out to me in terms of what's

168
00:09:03.690 --> 00:09:07.800
missing. I think what's going to be really interesting is what

169
00:09:07.800 --> 00:09:11.820
happens next, which is the implementation plan. So, you

170
00:09:11.820 --> 00:09:14.340
know, the strategy, if you spend some time thumbing through it,

171
00:09:14.340 --> 00:09:16.410
you realize there's a lot of things in here that are great,

172
00:09:16.410 --> 00:09:18.990
but what happens next? What are we actually going to do on these

173
00:09:18.990 --> 00:09:22.530
issues? And, you know, I think the administration was pretty -

174
00:09:23.340 --> 00:09:25.560
there was sort of a conscious decision to lay out the strategy

175
00:09:25.560 --> 00:09:28.830
first, and then work on the implementation plan next.
And so

176
00:09:28.830 --> 00:09:31.620
I think, you know, everybody's going to be really interested in

177
00:09:31.620 --> 00:09:35.670
seeing those details, because I think in terms of whether it's

178
00:09:35.670 --> 00:09:38.940
new initiative launch, changes to existing initiatives, new

179
00:09:38.940 --> 00:09:41.610
budgeting, whether they're seeking new authorities or

180
00:09:41.610 --> 00:09:44.730
looking to potentially reallocate or redirect some

181
00:09:44.970 --> 00:09:48.420
existing pools of money, certainly on the regulatory side

182
00:09:48.420 --> 00:09:52.320
and the liability side that could require, in some cases,

183
00:09:52.320 --> 00:09:54.870
new legal authorities, although in some cases, the White House

184
00:09:54.870 --> 00:09:56.850
has said they believe they have them in place for certain

185
00:09:56.850 --> 00:09:59.580
segments of critical infrastructure. So it's not so

186
00:09:59.580 --> 00:10:01.980
much what's missing, I think it's what's going to come next.

187
00:10:03.210 --> 00:10:05.220
Anna Delaney: Excellent. Well, Tom, handing over to you.

188
00:10:05.370 --> 00:10:07.410
Tom Field: And that's a perfect place to pick up because you

189
00:10:07.410 --> 00:10:10.170
talk about what needs to happen next. And Jeremy, you, or rather

190
00:10:10.170 --> 00:10:13.920
Grant, you were talking about the Biden Cybersecurity

191
00:10:13.920 --> 00:10:16.170
Executive Order, which is just about to enter its terrible

192
00:10:16.170 --> 00:10:20.640
twos. And as you know, we've been talking about critical

193
00:10:20.640 --> 00:10:23.940
infrastructure. We've been talking about software bills of

194
00:10:23.940 --> 00:10:27.330
materials and zero trust for almost two years now. And there

195
00:10:27.330 --> 00:10:29.970
are still some agencies trying to articulate what their zero

196
00:10:29.970 --> 00:10:34.350
trust strategy should be.
So my question for both of you is, how

197
00:10:34.350 --> 00:10:38.970
do we take this new strategy and actually start to turn it into

198
00:10:38.970 --> 00:10:41.940
tactics? What do you expect to see happen next?

199
00:10:43.380 --> 00:10:46.920
Grant Schneider: Well, I think, two things that I would say on

200
00:10:46.920 --> 00:10:49.920
that from - you talked about federal agencies and their zero

201
00:10:49.920 --> 00:10:53.970
trust implementations. You know, the president just released his

202
00:10:53.970 --> 00:10:58.380
2024 president's budget, which, of course, is the one that goes

203
00:10:58.380 --> 00:11:01.290
to Congress, and then Congress gets to figure out what actually

204
00:11:01.290 --> 00:11:06.810
gets funded in that. But that is the first opportunity that

205
00:11:06.810 --> 00:11:09.900
agencies have had since that executive order, even though it

206
00:11:09.900 --> 00:11:13.410
was two years ago. This is the first opportunity, the

207
00:11:13.410 --> 00:11:16.590
government's really had to put something into the budget, to

208
00:11:16.590 --> 00:11:20.310
try and drive implementation of that executive order. And so,

209
00:11:20.460 --> 00:11:24.000
you know, we've seen in that increases for cybersecurity

210
00:11:24.000 --> 00:11:26.460
still need to dig into the details and see what that's

211
00:11:26.460 --> 00:11:30.360
going to mean. But that's, to me, kind of step one is agencies

212
00:11:30.360 --> 00:11:34.440
being able to have money to move this forward. Now, that only

213
00:11:34.440 --> 00:11:37.800
affects the federal side, right?
You know, private

214
00:11:37.800 --> 00:11:40.860
industry, a lot of - we already talked about critical

215
00:11:40.860 --> 00:11:45.150
infrastructure, and I mentioned being held by private

216
00:11:45.420 --> 00:11:48.510
institutions, you know, it's much harder for them to make

217
00:11:48.510 --> 00:11:51.420
investments, especially, if depending on if they're rate

218
00:11:51.420 --> 00:11:56.190
regulated, and how they're able to actually raise capital. So I

219
00:11:56.190 --> 00:11:58.620
think in addition to the budget gets to what does the

220
00:11:58.620 --> 00:12:02.220
implementation plan start to look like, and how much of that

221
00:12:02.220 --> 00:12:05.640
is actually made public? You know, there's a couple of

222
00:12:05.640 --> 00:12:09.150
approaches the administration can take, they can have a very

223
00:12:09.150 --> 00:12:11.460
thorough implementation plan that they don't share anything

224
00:12:11.670 --> 00:12:15.090
with the public. I think the intent is that they want to get

225
00:12:15.090 --> 00:12:17.790
something out there. But, of course, as soon as you put those

226
00:12:17.790 --> 00:12:22.860
implementation plans out there, every milestone you miss, you're

227
00:12:22.860 --> 00:12:27.900
going to get a lot of help and a lot of articles on and so, you

228
00:12:27.900 --> 00:12:30.540
know, they're going to want to balance that to be sure that the

229
00:12:30.540 --> 00:12:34.110
implementation plan are things that are achievable, as well as

230
00:12:34.110 --> 00:12:36.300
things that they need congressional help with, I

231
00:12:36.300 --> 00:12:36.810
imagine.

232
00:12:38.250 --> 00:12:39.000
Tom Field: Jeremy, your thoughts?

233
00:12:39.150 --> 00:12:41.730
Jeremy Grant: Yeah, one other thing on the President's budget.

234
00:12:41.730 --> 00:12:45.060
So it's exciting now that it's out, that you're actually

235
00:12:45.060 --> 00:12:47.490
starting to see, as Grant was pointing out, it's the first

236
00:12:47.490 --> 00:12:51.060
year that agencies are able to start to align budget requests

237
00:12:51.060 --> 00:12:55.350
to align with the zero trust strategy. The flip side of that

238
00:12:55.350 --> 00:12:57.750
is we're looking at sort of a macro budget environment. Now

239
00:12:57.750 --> 00:12:59.940
the Republicans have taken control of the House where

240
00:12:59.940 --> 00:13:02.490
they're saying, not only do they want to hold spending flat

241
00:13:02.490 --> 00:13:04.950
across the board, they actually want to roll it back. Right now

242
00:13:04.950 --> 00:13:07.920
we're in 2023 numbers. They want to roll it back to what they

243
00:13:07.920 --> 00:13:11.580
were in 2022. So, you know, I'm not sure if that's going to

244
00:13:11.580 --> 00:13:13.800
happen, it's still really early in the year. But I think the

245
00:13:13.800 --> 00:13:16.350
most likely scenario at this point is that rather than have a

246
00:13:16.350 --> 00:13:19.320
budget, we just would have a full-year continuing resolution

247
00:13:19.320 --> 00:13:22.230
where there wouldn't be any dollars for new starts. And what

248
00:13:22.230 --> 00:13:24.210
that would mean for cybersecurity, particularly with

249
00:13:24.210 --> 00:13:27.930
agencies looking to spend on the zero trust strategy is it would

250
00:13:27.930 --> 00:13:30.690
be another year where those dollars don't materialize. Now,

251
00:13:30.690 --> 00:13:33.180
I will say there have been times in the past where you've had a

252
00:13:33.180 --> 00:13:37.620
full-year CR, but you can still get agreement in certain areas

253
00:13:37.620 --> 00:13:40.410
to reprioritize some dollars or to plus things up in a couple

254
00:13:40.410 --> 00:13:44.040
places.
So, you know, potentially, if there is

255
00:13:44.790 --> 00:13:50.940
bipartisan consensus on at least those elements of, you know, the

256
00:13:50.970 --> 00:13:54.930
24 budget, it's possible agencies could end up starting

257
00:13:54.930 --> 00:13:58.470
to see some plus ups next year. But I'm not overly optimistic

258
00:13:58.470 --> 00:14:03.360
right now. It's a pretty hostile environment, I would say right

259
00:14:03.360 --> 00:14:05.190
now, just in terms of where things are becoming more

260
00:14:05.190 --> 00:14:08.790
partisan and with divided government. And so it's not

261
00:14:08.790 --> 00:14:10.680
really clear, you know, what the budget picture in terms of

262
00:14:10.680 --> 00:14:13.140
actual dollars flowing out next year is going to look like on

263
00:14:13.140 --> 00:14:14.550
these different initiatives.

264
00:14:15.000 --> 00:14:16.770
Tom Field: Let's talk about that, because the three of us

265
00:14:16.770 --> 00:14:19.170
and Anna, you were involved too - we had conversations at the

266
00:14:19.170 --> 00:14:22.620
end of the year. And you both expressed concern that there

267
00:14:22.620 --> 00:14:26.460
were cybersecurity leaders in Congress that were stepping

268
00:14:26.460 --> 00:14:29.550
down. We've lost a lot of leadership there, even though

269
00:14:29.550 --> 00:14:33.300
it's early days. How do you look at this Congress and its

270
00:14:33.300 --> 00:14:36.690
willingness to take bipartisan action on something that we

271
00:14:36.690 --> 00:14:38.880
should all embrace: Cybersecurity?

272
00:14:40.560 --> 00:14:44.130
Grant Schneider: So I think I'm going to break that down into

273
00:14:44.220 --> 00:14:46.410
the two parts. I'm going to set the willing, I'll get to the

274
00:14:46.410 --> 00:14:50.610
willingness part maybe in a moment.
I would say on the

275
00:14:50.670 --> 00:14:57.000
upside is, I have seen a lot of the new leaders, you know, come

276
00:14:57.000 --> 00:15:01.470
out and at least voice interest in cybersecurity, understanding,

277
00:15:01.470 --> 00:15:05.790
you know, particularly, if you look at, you know, the Homeland

278
00:15:05.790 --> 00:15:10.380
Security Committee and others, and Representative Green talking

279
00:15:10.380 --> 00:15:13.440
about cybersecurity being important. You know, obviously,

280
00:15:13.440 --> 00:15:16.110
there's going to be a big focus there on border security and

281
00:15:16.110 --> 00:15:19.590
immigration and things along those lines. But we are seeing

282
00:15:19.590 --> 00:15:23.880
more people at least talk about cybersecurity. I think they're

283
00:15:23.880 --> 00:15:27.870
all figuring it out, though. I think it's a new topic for a lot

284
00:15:27.870 --> 00:15:31.770
of people. And it's going to take them some time to get the

285
00:15:31.770 --> 00:15:35.850
comfort level and familiarity, and really be able to set some

286
00:15:35.850 --> 00:15:39.840
visions and move forward. So I still think we have that gap of

287
00:15:39.840 --> 00:15:44.010
people that departed. And then we've got, you know,

288
00:15:45.510 --> 00:15:48.900
additionally, this Congress has just been slow to get started,

289
00:15:48.930 --> 00:15:52.650
right? It's been slow to ramp up. Part of that was because of,

290
00:15:52.680 --> 00:15:55.800
you know, the delay in knowing exactly how the Senate races

291
00:15:55.800 --> 00:15:59.880
were going to turn out. But even since then, we're now into

292
00:15:59.880 --> 00:16:04.650
March. And we still don't have, you know, a lot of agendas set.

293
00:16:04.650 --> 00:16:08.430
So I think the other challenge, though, is just going to be -

294
00:16:08.430 --> 00:16:11.730
and Jeremy talked about this - like, we're in a very partisan

295
00:16:11.760 --> 00:16:15.000
mode right now, we're headed toward a presidential election

296
00:16:15.750 --> 00:16:21.510
in 2024. And that just makes things that shouldn't, that we

297
00:16:21.510 --> 00:16:25.590
might not imagine would be partisan become caught up and

298
00:16:25.590 --> 00:16:30.930
become partisan, just because of, you know, either not wanting

299
00:16:30.930 --> 00:16:35.100
to be seen as having worked with the other side, when you go back

300
00:16:35.100 --> 00:16:37.770
to your constituents. And so those are going to be

301
00:16:37.770 --> 00:16:41.220
challenges, both for the budget and for kind of anything new in

302
00:16:41.220 --> 00:16:46.320
cyber that's going to require congressional movement. Even if

303
00:16:46.320 --> 00:16:49.710
it's a topic that seems very bipartisan and has a lot of

304
00:16:49.710 --> 00:16:53.580
support, the mechanics of getting those things through the

305
00:16:53.580 --> 00:16:55.740
Congress is going to be a challenge this year.

306
00:16:56.610 --> 00:16:59.940
Jeremy Grant: Yeah, I agree with Grant. I mean, look, in terms of

307
00:16:59.970 --> 00:17:02.850
new players coming in, one of the things I think folks in our

308
00:17:02.850 --> 00:17:06.330
community, we're excited to see Mark Green was named as the new

309
00:17:06.330 --> 00:17:08.970
chairman of the House Homeland Security Committee. He replaced

310
00:17:09.120 --> 00:17:12.990
John Katko, who was the leading Republican, who was really

311
00:17:12.990 --> 00:17:15.150
strong on these issues, had a good background, and then was

312
00:17:15.150 --> 00:17:18.840
great, you know, to work with. Nobody was quite sure how Green

313
00:17:18.840 --> 00:17:21.120
was going to look at this.
And, you know, he came in on day one

314
00:17:21.120 --> 00:17:22.950
and put out a statement. "So look, I care about the physical

315
00:17:22.950 --> 00:17:26.280
border. And I also want to prioritize the cyber border." So

316
00:17:26.820 --> 00:17:30.270
that was great to see. I think behind the initial statements,

317
00:17:30.270 --> 00:17:33.360
what we're still seeing is, particularly on the Republican

318
00:17:33.360 --> 00:17:36.120
side, because the staff ratio is changing the committee, some of

319
00:17:36.120 --> 00:17:39.450
them are still hiring up, the staff are coming in, you know,

320
00:17:39.450 --> 00:17:41.520
they're still figuring out their own internal agenda and how they

321
00:17:41.520 --> 00:17:44.640
want to push things forward. And as Grant pointed out, because

322
00:17:44.640 --> 00:17:47.040
it's a partisan environment, I mean, I think one of the things

323
00:17:47.040 --> 00:17:51.390
that, you know, is impacting things a little bit is - so, the

324
00:17:51.390 --> 00:17:54.000
Republicans do control the House, it's going to be very

325
00:17:54.000 --> 00:17:56.250
hard for them to pass any legislation with the Senate

326
00:17:56.250 --> 00:17:59.850
that's Democratic and a Democratic president. And so,

327
00:18:00.090 --> 00:18:03.240
you know, I think one of the things that, at least, we're

328
00:18:03.240 --> 00:18:05.970
certainly seeing is, you know, in those committees in the

329
00:18:05.970 --> 00:18:09.720
House, they're trying to weigh: do we try to legislate, or

330
00:18:09.750 --> 00:18:12.000
there's also things we can do, going into the presidential

331
00:18:12.000 --> 00:18:14.310
election to try and score political points by attacking

332
00:18:14.310 --> 00:18:17.490
the administration for different things.
I'm really hoping on

333
00:18:17.490 --> 00:18:20.850
cybersecurity, we don't see much of that, and that we see

334
00:18:20.850 --> 00:18:24.180
Democrats and Republicans continue their tradition of

335
00:18:24.180 --> 00:18:28.200
working together on, if not all issues, at least most. But it's

336
00:18:28.200 --> 00:18:30.480
just a little early to tell right now. We're just starting

337
00:18:30.480 --> 00:18:34.440
to see some signals in terms of what different committees might

338
00:18:34.440 --> 00:18:35.250
want to focus on.

339
00:18:35.820 --> 00:18:36.510
Tom Field: Excellent insight.

340
00:18:37.320 --> 00:18:40.560
Grant Schneider: Tom, can I just add one thing, because I was

341
00:18:40.560 --> 00:18:42.960
recently up on the Hill for a couple of meetings with

342
00:18:43.710 --> 00:18:49.020
committee staff, and, you know, on a bright spot, we had

343
00:18:49.290 --> 00:18:53.700
bipartisan staff from both sides in some meetings, talking about

344
00:18:53.700 --> 00:18:57.630
cybersecurity. And while there is still staffing up and setting

345
00:18:57.630 --> 00:19:01.650
of agendas, there are a good number of staff from both sides

346
00:19:01.650 --> 00:19:04.530
that have worked cyber issues that are still there, that are

347
00:19:04.530 --> 00:19:09.300
still working, and still driving these issues. So I think that's

348
00:19:09.300 --> 00:19:15.540
a bright spot in some of the partisan shift that we have.

349
00:19:15.540 --> 00:19:18.870
Still challenges ahead, without a doubt. But there are people

350
00:19:18.870 --> 00:19:21.510
trying to make progress on the Hill on these areas.

351
00:19:21.660 --> 00:19:23.550
Tom Field: That's encouraging. Anna, I know you've got a

352
00:19:23.550 --> 00:19:26.880
question about a threat that knows no party lines. So please

353
00:19:26.880 --> 00:19:27.390
go ahead.

354
00:19:27.750 --> 00:19:29.760
Anna Delaney: Absolutely.
Well, Grant, I want to start with this 355 00:19:29.760 --> 00:19:33.300 new language around ransomware-as-a-national-security 356 00:19:33.420 --> 00:19:36.510 issue. Obviously, there have been various moves over the past 357 00:19:36.510 --> 00:19:39.330 couple of years to tackle the ransomware threats such as the 358 00:19:39.510 --> 00:19:42.900 creation of the Ransomware Task Force. How does considering the 359 00:19:42.900 --> 00:19:46.770 ransomware problem and national security threat change the 360 00:19:46.770 --> 00:19:48.990 nature of how the threat is addressed? 361 00:19:49.710 --> 00:19:52.830 Grant Schneider: Yeah, I think this is a really, it's a 362 00:19:52.830 --> 00:19:57.840 necessary statement. Right? Because ransomware has become so 363 00:19:57.840 --> 00:20:03.540 prolific and so impactful. And early on, ransomware was, you 364 00:20:03.540 --> 00:20:08.520 know, impacting mostly private organizations, but a lot of 365 00:20:08.550 --> 00:20:12.690 state and local organizations are starting to get impacted. In 366 00:20:12.690 --> 00:20:16.470 more recent years, we've seen healthcare organizations become 367 00:20:16.470 --> 00:20:21.630 pretty significantly impacted. And clearly, the malicious 368 00:20:21.630 --> 00:20:25.200 ransomware actors, you know, they've taken the gloves off and 369 00:20:25.200 --> 00:20:30.180 don't respect any, you know, in the world, certainly no borders, 370 00:20:30.180 --> 00:20:34.860 but even any sectors that we would say during ransomware on 371 00:20:34.860 --> 00:20:37.830 healthcare is really over a line, they don't see a line 372 00:20:37.830 --> 00:20:42.180 there. 
So, I think by designating it as a national 373 00:20:42.180 --> 00:20:46.770 security issue, you can bring a whole of government approach, 374 00:20:46.800 --> 00:20:49.800 you can get and we've seen this over the last couple of years, 375 00:20:49.800 --> 00:20:52.050 you know, you can get the intelligence community, you can 376 00:20:52.050 --> 00:20:57.090 get these task forces, the task forces working on it, and use 377 00:20:57.090 --> 00:21:01.110 national assets, national security assets to really drill 378 00:21:01.110 --> 00:21:04.500 into both from an intelligence standpoint of understanding 379 00:21:04.500 --> 00:21:08.610 what's happening, but also from a disruption standpoint of being 380 00:21:08.610 --> 00:21:11.790 able to figure out, you know, what do we do about it? Do we 381 00:21:11.790 --> 00:21:17.400 take potentially offensive cyber operations or approaches to 382 00:21:17.400 --> 00:21:21.090 being able to disrupt and dismantle these actors? So I 383 00:21:21.090 --> 00:21:24.420 think it gives the government more options. And it gets a 384 00:21:24.600 --> 00:21:29.610 broader pool of individuals thinking about it beyond just 385 00:21:29.640 --> 00:21:33.720 law enforcement, who certainly have a super important element, 386 00:21:33.750 --> 00:21:36.120 but it just brings more resources to bear. 387 00:21:38.220 --> 00:21:39.600 Anna Delaney: Jeremy, thoughts? 388 00:21:40.740 --> 00:21:42.780 Jeremy Grant: Not too much to what Grant had to say. I think 389 00:21:42.870 --> 00:21:45.690 the more you can make this a priority, get more attention on 390 00:21:45.690 --> 00:21:49.950 it - I mean, look, it's been, it's not the story of the last, 391 00:21:49.950 --> 00:21:51.960 you know, two or three years, at least, certainly one of the 392 00:21:51.960 --> 00:21:55.470 biggest.
And so I think just getting more coordinated 393 00:21:57.720 --> 00:22:00.660 policies, interagency responses, more collaboration with industry 394 00:22:01.230 --> 00:22:03.180 on these things, this is how you start to make a dent in things, 395 00:22:03.210 --> 00:22:05.430 not to mention, obviously, finding a way to take it to some 396 00:22:05.430 --> 00:22:08.790 of the bad actors, most of them are out of the country who are 397 00:22:09.330 --> 00:22:10.680 perpetrating these attacks. 398 00:22:12.090 --> 00:22:14.910 Anna Delaney: Well, Tom, over to you for making the software 399 00:22:15.420 --> 00:22:17.040 industry more accountable. 400 00:22:17.310 --> 00:22:19.110 Tom Field: Well, that's the big headline isn't it? That we're 401 00:22:19.110 --> 00:22:21.420 going to make the software industry accountable for 402 00:22:21.420 --> 00:22:25.200 vulnerabilities. So my question for the two Grants here is, how 403 00:22:25.200 --> 00:22:28.890 about that? Are we actually going to see software vendors 404 00:22:28.950 --> 00:22:32.460 held accountable for vulnerable software? Or are we just finding 405 00:22:32.460 --> 00:22:35.820 a new way to make their lobby more powerful and their 406 00:22:35.820 --> 00:22:38.730 litigation more fluid? 407 00:22:40.350 --> 00:22:42.750 Grant Schneider: Yeah, I think this one's going to be 408 00:22:42.750 --> 00:22:46.710 interesting to watch. There's going to be a lot of dialogue on 409 00:22:46.710 --> 00:22:51.180 this. How much actual movement there's going to be on this, I 410 00:22:51.180 --> 00:22:57.420 think it's going to be tough. The tech industry, you know, 411 00:22:57.420 --> 00:23:03.570 there's a lot of negativism toward big tech from Congress 412 00:23:03.570 --> 00:23:08.880 from both sides. However, it's not bipartisan. 
So the 413 00:23:08.910 --> 00:23:11.760 Republicans have their issues with big tech, and the Democrats 414 00:23:11.760 --> 00:23:13.770 have their issues with big tech, but they don't have the same 415 00:23:13.770 --> 00:23:17.310 issues. And so they really struggle to come together on, 416 00:23:17.550 --> 00:23:21.510 you know, how to push back against big tech. And I don't 417 00:23:21.510 --> 00:23:24.480 know that this liability issue, I think that's unlikely to 418 00:23:24.480 --> 00:23:27.360 become a bipartisan issue. I think it's, though some people 419 00:23:27.360 --> 00:23:31.020 that support it, some that are against, and big tech's got big 420 00:23:31.020 --> 00:23:34.770 lobby, right? They've got a lot of influence on the Hill and a 421 00:23:34.770 --> 00:23:38.880 lot of influence across the country. Technology drives, you 422 00:23:38.880 --> 00:23:42.990 know, so much economic movement in the country that I think this 423 00:23:42.990 --> 00:23:46.260 one's going to be interesting to see the dialogue. I think it's 424 00:23:46.260 --> 00:23:48.030 going to be a really hard one to move forward. 425 00:23:48.960 --> 00:23:51.330 Jeremy Grant: I would tend to agree with Grant, although I 426 00:23:51.330 --> 00:23:55.800 think there's still some value. You know, we talked about when I 427 00:23:55.800 --> 00:23:58.170 was in government, look, there's things we can actually get done 428 00:23:58.170 --> 00:24:03.600 through policy, a law passing, or regulation advancing, and 429 00:24:03.600 --> 00:24:06.120 then there's just the impact you can have by jawboning, you know, 430 00:24:06.120 --> 00:24:08.880 being out there as a leader and talking about this. 
And I think, 431 00:24:09.210 --> 00:24:12.870 to a certain extent, look, I'm not sure if any legislation is 432 00:24:12.870 --> 00:24:16.200 going to pass on this, but just the administration going out 433 00:24:16.200 --> 00:24:19.680 there, and talking about the fact that one of the problems we 434 00:24:19.680 --> 00:24:23.820 have is that, you know, we're consistently seeing vendors ship 435 00:24:23.820 --> 00:24:27.870 products that are insecure, talking about the duty of care 436 00:24:28.380 --> 00:24:32.280 that, you know, companies that are making these products have, 437 00:24:33.090 --> 00:24:36.450 in terms of actually putting things out there that are 438 00:24:36.450 --> 00:24:38.730 looking out for their customers and trying, you know, to truly 439 00:24:38.730 --> 00:24:41.220 help them and not putting them in a place where they're having 440 00:24:41.220 --> 00:24:43.500 additional vulnerabilities. And so I think from that 441 00:24:43.500 --> 00:24:48.750 perspective, look, this may start to break down on partisan 442 00:24:48.750 --> 00:24:52.200 lines, but there's still value just, you know, in being out 443 00:24:52.200 --> 00:24:54.960 there and sabre-rattling a little bit on this topic. It 444 00:24:54.960 --> 00:24:55.860 gets people's attention. 445 00:24:56.220 --> 00:24:58.020 Tom Field: Terrific. Anna, I don't think we're done talking 446 00:24:58.020 --> 00:24:58.980 about this. What do you think? 447 00:24:59.340 --> 00:25:02.520 Anna Delaney: Absolutely not. But for today, our time is up, 448 00:25:02.520 --> 00:25:05.910 unfortunately. Thank you so much Grant Schneider and Jeremy Grant 449 00:25:05.910 --> 00:25:08.700 for this informative, timely and important discussion. 450 00:25:08.970 --> 00:25:09.360 Tom Field: Indeed. 451 00:25:10.080 --> 00:25:10.410 Jeremy Grant: Thank you. 452 00:25:10.590 --> 00:25:11.190 Grant Schneider: Thank you. 453 00:25:12.270 --> 00:25:14.310 Anna Delaney: And it's goodbye from us. 
Thanks so much for 454 00:25:14.310 --> 00:25:14.790 watching. 455 00:25:15.180 --> 00:25:15.930 Tom Field: Till next time.