ISMG Editors: Inside the Politics of US Cybersecurity
Guest Grant Schneider on Security and Privacy Bills, AI Integration, CISA Updates
Anna Delaney (annamadeline) • March 15, 2024
In the latest weekly update, Grant Schneider of Venable LLP joined three Information Security Media Group editors to discuss the future of U.S. federal cybersecurity and privacy legislation, AI integration and recent CISA developments - all set against a backdrop of political complexities.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Schneider, senior director for cybersecurity services at Venable LLP; and Tom Field, senior vice president, editorial - discussed:
- How the Biden administration's budget and cybersecurity agenda will be received by Congress;
- Whether CISA's first-ever Secure Software Development Attestation Form, which is part of its push for secure software practices in government, can deliver on the promise of application security;
- Why the passage of the Federal Information Security Modernization Act of 2023 by the U.S. House Oversight and Accountability Committee is a pivotal step toward bolstering federal cybersecurity across governmental agencies.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the March 1 edition on OpenAI's response to The New York Times case and the March 8 edition on our pledge to readers in a new era of journalism.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney, and today we're discussing the future of U.S. federal cybersecurity, privacy legislation, AI integration and recent developments from CISA. The question is how will these initiatives stand strong in the ever-changing U.S. political climate? Well, joining us to provide insights into the current state of federal security is Grant Schneider, senior director of cybersecurity services at Venable LLP. Grant, always a pleasure to see you. Great to have you back.
Grant Schneider: Anna, it is a pleasure to be here. And privacy sounds so much cooler when it's in the U.K. than in the U.S. So love the way you pronounce it.
Delaney: Bring this right. And completing the team are Tom Field, senior vice president of editorial and Mathew Schwartz, executive editor of DataBreachToday in Europe. Great to see you.
Tom Field: Thanks for having us. Grant, you mentioned it's going to be a busy year. Now already, we can see that cybersecurity is no longer a bipartisan issue. It causes discord wherever it's raised; now it's become very partisan. How do you feel that the President's budget and cybersecurity agenda will be received by this Congress in an election year?
Schneider: Oh, I am hopeful that cybersecurity is maybe still bipartisan, I think. However, I definitely agree that we're shifting away. I'm hoping we can keep the non-bipartisan part, if you will, kind of narrowly focused, because certainly disinformation has, I think, driven the nonpartisan piece. Election security is definitely not a bipartisan thing. And both of those have kind of tainted CISA with Congress; and where CISA was very much getting more money in appropriations than the President had asked for over the last several years, significantly more money appropriated by Congress, I don't think that will be the case, or I would be surprised if that were the case this year. So the President's budget just came out. It's a healthy ask of $3 billion for CISA, and, not counting DoD, $13 billion in cyber across the board, which is a billion dollar increase. A billion dollar increase isn't that big when you talk about a $7 trillion budget that came out. And I think CISA, while a $3 billion request, that's less money than was appropriated in the past because of those additional increases from Congress. And, again, I think it's less likely that that's going to happen this year, to exactly your point, because, again, I'm hopeful that we can still call cybersecurity bipartisan, because we need it to be. But the things that start getting added into that ecosystem are getting somewhat partisan. And here in the U.S., we are adding partisan politics to almost everything at this point.
Field: Exactly. Well, along those same lines, Grant, we haven't been able to pass any meaningful federal privacy legislation over the past decade. What hope is there for AI now?
Schneider: It's going to be hard. There have been tons and tons of hearings on the Hill on AI. I think AI has crept into all of our ... everyone's personal life and all of our professional lives, I would say as well. It is the new buzzword in this space, and it's what everyone is talking about. And so Congress is talking about it as well. But I think it's going to be hard because what is AI is still super, super nuanced, right? If each of us were to go into a closed room and describe artificial intelligence to someone or write it down, we'd probably come up with ... there'd be some Venn diagram overlap, but probably four different perspectives and points of view, because it is so personal to where you're coming from and where you kind of sit. So I think it's going to be a challenge for Congress to be able to coalesce. I think, on the upside, there's strong agreement that they need to do something. But your analogy on privacy legislation: there's been strong agreement to do something around privacy for years and years. And just what to do and how to do it, and what the incentive structure is going to look like, and what the regulatory framework is going to look like - there's just not consensus on that. And I think we're much further away on AI than we are on privacy right now.
Field: We may get a hint of things to come even today, as we're sitting here speaking. I know the House has just passed a resolution banning TikTok in the U.S., and this is going to the Senate; the Senate may not agree, but it may be a sign of things to come. Meanwhile, I'll pass it on to Mat.
Mathew Schwartz: Yes. Thank you. Well, great to have you back. I know that we've spoken before about the secure software development attestation form - these governments and their long names for things. But back to CISA. CISA on Monday released this form for the first time, which it bills as taking a major step in the implementation of its requirements that producers of software used by the federal government attest to the adoption of secure development practices. So with this attestation form, do you think this is a good step in the right direction on the road to more secure development practices? And do you think it's going to deliver?
Schneider: So I would say this form has already gotten a lot of attention from software developers, right? They gave us a draft of it about a year ago, they took some industry comments, and they showed us another preview of it. And now we have the final form. So this is the form, it's out. This is the one that people need to attest to. And a couple things that they did in this revision: they accepted some changes from industry. The last version wanted it to be signed by the CEO, the chief executive officer, or the chief operating officer; this one has allowed for the CEO to designate someone, as long as they can still bind the company, to attest to the form, which I think is a positive step. It's going to make it easier for companies to get this form done and get it completed. That said, it's still going to bring a lot of attention inside of organizations. And I think that's going to be good for software development. I do think that this is going to have a positive effect because software developers, their legal departments are going to want to understand, are we compliant? Like, signing a form is easy, but are we compliant? Where's the body of evidence that we're going to present to the person who has to sign this? And I think the people that are going to have to sign this, whether it's the CEO or someone they designate, are going to ask to understand where the organization is at. We've seen the criminal cases against the Uber CISO, SolarWinds CSO, and the SolarWinds CISO; clearly people in security positions and people that are going to sign this type of form understand that it's not just a corporate liability that they're signing up for, it's a personal liability. And in fact, this form explicitly basically says that the Department of Justice could use the False Claims Act to come after someone who is signing this form in a way that's fraudulent.
And the False Claims Act has a lot of potential penalties, big financial penalties on companies, but it also has a criminal statute. Like, this is a criminal statute that could be used. So I think it's going to get a lot of attention. This is tied to the NIST secure software development framework. It's not explicitly the framework, but it is tied to that. And I think the administration has done a good job of identifying some core tenets and core elements of things software producers should be focused on. And I think people are going to get behind it. I hope to see consistency with this, right? We don't need four other versions of this, either from the U.S. or from other countries. So I'm hoping we can get some consistency and coalesce around this now that it's out.
Schwartz: Fantastic. Anything that lights a fire with secure development is wonderful. It's overdue, like meaningful privacy legislation in the U.S. Other things that we have been working toward for a long time are threat intelligence sharing, and CISA, I know, has a big mandate when it comes to all the different areas of cybersecurity it's meant to meaningfully influence. But there were some hearings last month about CISA's Joint Cyber Defense Collaborative, and multiple witnesses testifying said that it's not doing what they would have hoped, from an information sharing standpoint and public-private wise. And then recently, also, there was a GAO watchdog report noting that CISA needs more people, especially with OT skills and expertise. And so you're, I think I can call you, a beltway insider, certainly more inside than I am. Is this a normal course of events, when you have an organization like CISA that's gotten all this additional responsibility? It's still possibly on its shakedown cruise. Are these normal kinds of growing pains that we should expect to be hearing? Or is it possibly more?
Schneider: So a couple of thoughts on that - one, to your point, CISA has grown a ton, right? We just said it's a $3 billion organization right now. It wasn't maybe three years ago; it was a billion dollar organization in budget. So CISA has grown a ton, and during that growth, and even before the growth in budget, CISA has taken on just an innumerable number of new requirements and new initiatives; JCDC being one of them, that started out as pretty narrowly focused, right? It was kind of almost ... it came across the industry as "we're going to have a club, and some people get to be in the club, and we're going to share more information with them." And then it rapidly expanded for, I think, some pragmatic reasons, but also some "you can't just have a club when you're in the government." And so what we've seen, though, is, I think the focus of something like JCDC that maybe started out more narrow has become very broad. And when we talk about information sharing, when I was in government, my question ... it's such an easy buzzword: we need more information sharing; the world will be great if we just share more threat data. I always wanted to know, like, what information ... if you could get your hands on any information in the world, even if it doesn't exist, but you could have it, like, what would it be? How would you want to get it? What would the time need to be for it to be relevant to you? And I just think on information sharing, they've got to get a lot more granular about what they're sharing, when they're expecting to share it, and then who's going to do what with it? Right? What are we expecting industry to do? What are we expecting the government to do? So I think there's a lot of just refinement on the information sharing piece. On the manpower issues, unemployment is low right now, and it continues to be very low, and employees have a lot of choices in the job market. And CISA has their cyber pay.
So they have a system where they can hire, where the Department of Homeland Security has it and CISA can participate. And so they have opportunities to pay more money, but it's not always just about money. There's also: does the talent exist? Right? Are there the people out there? And, not to get back to AI, but the President's budget has a big initiative about a surge in hiring of AI talent. I don't know where that talent is that they're going to hire from. Right? And I think CISA runs into some of those same challenges. So yes, these are growing pains. They're not unexpected to me. That said, we need CISA to get there faster, just from a nation and our ability to defend. So CISA is going to have to make some prioritization decisions continuously and decide where they're going to invest and which of these initiatives they are going to drive home, and which ones not, because I don't think they can do everything all at once.
Schwartz: High expectations, high need for delivery. Great, thank you; these are fascinating insights. I'm going to hand you over to Anna.
Delaney: Lots of education there. Thank you. So my questions revolve around FISMA reform, if there are more long words. The U.S. House Oversight and Accountability Committee passed the Federal Information Security Modernization Act of 2023 earlier this month, which essentially shows lawmakers' renewed efforts to update the main law governing cybersecurity in the federal government. Grant, what are your initial thoughts, takeaways on the Act passing out of committee?
Schneider: Big step forward. Right? The Congress has been working on a FISMA update for the last two sessions now, this session and the two previous at the very least. I think there had been some holdups in language between what the House wanted and the Senate wanted and what the administration wanted. My understanding is that the House felt that they are in good agreement on the text between the House and the Senate. So the Homeland Security and Governmental Affairs Committee in the Senate is the other committee that has jurisdiction on FISMA and needs to push this forward. And I think Senator Peters is supportive. My understanding is he's supportive of the language that came through the House. So definitely a big step forward. I'm not sure what the path forward will be for it. But definitely a step forward and maybe some bipartisan opportunities on cybersecurity getting FISMA out there, which would be helpful. And there's just a lot they need to add in FISMA. I think, as you mentioned, 2014 is when it was last updated. We've got a national cyber director, we've got CISA, we've gotten a lot of changes that need to be incorporated, and a lot of that got reflected inside of that legislation.
Delaney: And there were a couple of interesting features, notably, the inclusion of the role of the CISO at the Office of Management and Budget and assigning reporting duties for cyberattacks and incidents to agencies. So how do you see these provisions impacting federal cybersecurity practices?
Schneider: I think the recognition of the federal CISO role is great. I have a decidedly biased opinion on this, but I think it's great. Elevating it to be a presidential appointment is helpful. And it's helpful for that person inside of OMB, inside and working with the interagency and certainly the broader Executive Office of the President. So I think that's definitely a plus. The fact that they also went the step of codifying, or potentially, if this gets signed into law, would be codifying, the dual-hatted role that Chris DeRusha, the current federal CISO, has as being a part of the National Cyber Director, or the Office of the National Cyber Director - I think that's also great, because I think that having that connectivity between the Office of Management and Budget and the National Cyber Director on federal cybersecurity is important. So I think that that's definitely going to be helpful. And I think there's also a whole bunch of, like, inside baseball, if you will, focused on inside-the-government roles and responsibilities. There's a lot of collaboration and coordination in that bill right now. They did assign some responsibilities to agencies, which is great. If I have a concern, it's that in many areas, we haven't generated more clarity. We've sort of added more cooks to the kitchen, and cyber, it's a team sport. We need a lot of cooks in the kitchen, but someone's got to be the head chef. And I don't know that we've gone far enough on who the head chef is in every single instance. And some of that doesn't necessarily need to be codified in law. But I do think it's something that needs to be figured out, perhaps by the administration via some other policy directive.
Delaney: Excellent. Grant, lots of useful takeaways there. So thank you very much. Well, before I wrap, I have one final question for you all, just for fun. If you could attend a cybersecurity themed costume party, of which there are many I know, what outfit would you wear to represent your favorite cybersecurity concept or technology? And Tom, you're in there.
Field: Going back to an oldie but a goodie. Zero, my hero. And we're going to represent what else, zero trust.
Delaney: Excellent. Mat, what are you going as?
Schwartz: Like a massive nerd, because I'd dress up as a hardware security key. Probably YubiKey, although, as the BBC says, other options are available. Just because two-factor authentication is so essential and hardware security keys are the gold standard, probably, as opposed to authentication apps, which I'm also partial to.
Delaney: So would you have a key around your neck or how would you ... would you be an actual physical key?
Schwartz: Probably an actual physical key with like the end that you kind of plug in, that'd be up here.
Field: You'd be Uber key, the YubiKey.
Delaney: Well, I'd go as a strong password. So I'd be dressed in the classic strongwoman outfit for the circus, red and white striped t-shirt, and then the word "password" emblazoned on the front. And then a mixture of letters and numbers and special characters on the back. So I'm just embodying the challenge of strong password management with circus flair. Grant, up in your mountain, who would you be?
Schneider: So I think Mat and I need to go together with this one, because I had the same thoughts as him. And I thought about being an authentication app. But I wanted to be a hardware token. But maybe we end up with it. Like one of us is a mobile device. And one of us is the hardware token so that you can see how it is multifactor authentication that you need to get to. So I think mine requires a partner.
Schwartz: I liked that challenge. We could do like an authenticator app and have six digits to change every 60 seconds or whatever.
Field: RSA is coming. We can do some different programming this year.
Delaney: This is going to be one great party. But that's all I can say. Grant, your insights have been invaluable. As always, we appreciate your knowledge and perspective that you've shared. So thank you.
Schneider: Well, I'm just sad we didn't get to hear more about the beer museum because I thought when we got to you, Anna, that that's where you're going to ask about but next time.
Delaney: There's a crate from Homer Simpson on the front of the museum. So I'll take it up for next time. Thank you for joining us. We've had a lot of fun, and it's been informative.
Field: Thank you.
Schneider: Thank you all.
Delaney: Thanks so much for watching. Until next time.