ISMG Editors: Will Federal Budget Cuts Bite US Security?Also: Advice for the Next White House Cyber Director; CISOs' Liability Concerns Anna Delaney (annamadeline) • November 24, 2023
In the latest weekly update, Grant Schneider, the former U.S. federal CISO, joins three editors at Information Security Media Group to discuss important cybersecurity issues, including a 25% budget cut some lawmakers want for the U.S. Cybersecurity and Infrastructure Security Agency and a Pentagon-backed proposal for greater public-private threat intelligence and information sharing.
The panelists - Anna Delaney, director of productions; Mathew Schwartz, executive editor of DataBreachToday & Europe; Grant Schneider, senior director for cybersecurity services at Venable LLP; and Tom Field, senior vice president of editorial - discussed:
- Liability concerns facing CISOs following SolarWinds and its CISO being accused of fraud;
- What the next White House cyber director will need to succeed;
- The proposed 25% cut to CISA's budget included in the fiscal year 2024 Homeland Security Appropriations bill and how that might affect the agency's mission.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Nov. 10 edition on the latest updates on AI tech and regulations and the Nov. 17 edition on the relentless cyberattacks on hospitals and their effect on patients.
This transcript has been edited for refined for clarity.
Anna Delaney: Hello and welcome to this government security special edition of the ISMG Editors' Panel. I'm Anna Delaney, and on this episode we're discussing particular challenges facing U.S. government agencies, but also security leaders, more generally, including the cybersecurity and infrastructure security agency's, or CISA's updated self-attestation form for secure software development, increasing liability worries for CISOs post SolarWinds SEC lawsuit and concerns about a 25% budget cut to CISA and potential alternative strategies. And to do this, we are honored to be joined by former federal CISO Grant Schneider, senior director for cybersecurity services, Venable LLP. Grant, it's been a while but it's always great to have you join us.
Grant Schneider: Great to be here with you guys. It's fantastic seeing you and I'm excited about the conversation.
Delaney: Yeah, absolutely. And also with us are my colleagues, Tom Field, senior vice president of editorial, and Mathew Schwartz, executive editor of DataBreachToday and Europe. So Grant, as you know, we like to start these sessions off by sharing where we are in our virtual world. So where are you?
Schneider: So I am clearly in Washington, DC. The important part though is that I'm finally alone in Washington, DC. So 535 of our best friends in Congress have departed last week for a much needed recess. We were talking a little beforehand about some of the antics that happened over the last few weeks. It's been a bit of a crazy time. And I think that members of Congress need a break. They need to settle down and hopefully come back rested and ready to get some work done.
Tom Field: It's a nice way of saying they need a time out.
Delaney: Time out in the snow perhaps, Tom Field?
Field: This is what I woke up to this morning. I was expecting maybe an inch of snow overnight, but woke up to the news is 1 to 3. So in New England, it indeed is the Thanksgiving holiday with frosting.
Delaney: Well, very pretty indeed. And Matt, are you out on the town?
Mathew Schwartz: Yeah, the only thing cold here Anna is the Guinness. This is Dublin where I was for the annual IRISSCERT, Irish, anti-cybercrime conference, which is held every year, again by IRISSCERT, which is Ireland's first Computer Emergency Response Team. It's always a fun event, gathers a bunch of different security practitioners together to chase down the latest trends and advice in cybercrime and for cybersecurity professionals.
Delaney: But you could have fooled us there because that is not an Irish flag, is it?
Schwartz: There seems to be some crossover here with the American, I don't know, vibe. Yeah, this is Temple Bar. So I lived in Ireland about 30 years ago, and it was a bit rundown in this area. But it's a bit of a tourist trap these days.
Field: You've seen the American flag, I saw the Guinness, I thought that was the flag.
Schneider: I had to look for it as well, Tom. It's like there's something besides beer there.
Delaney: Well, I was in Frankfurt, Germany last week, and I'm sharing a snapshot of the main square, Ram-Berg already with its splendid Christmas tree. And the buildings appear to be medieval, which is quite cool. Frankfurt was heavily bombed in the Second World War. So all the buildings have been reconstructed in the past 70 years or so. And it's very impressive. So worth a visit if you're in the area. Grant, we have a few questions for you. So I'll hand over to Tom, at this point.
Field: Thank you very much. Grant, Anna mentioned upfront the updated secure software development self-attestation form from CISA. And it reminds me of something as CISA once said to me, which was "attestation is not a security control." So your thoughts on this new updated form?
Schneider: Yeah, so I agree. Attestation is not a security control. And the Secure Software Development Framework is indeed intended to be a framework and not be a security control as well, I think if you talk to folks at NIST. So CISA put this out as a draft about - I don't know, five months ago, maybe even six months ago, they received a lot of public comments. They didn't make many changes, if any, to the form though. Candidly, I was a little surprised and a little disappointed. , they made one that basically had the signature saying to the best of my knowledge as opposed to an absolute like, , these are 100% accurate, so I think that was helpful, but they changed the signature back - it originally was CEO or their designee, and they've now changed it to be a company's CEO or their chief operating officer, and , many big companies, it's a significant hurdle to get the CEOs signature or even the COOs signature on something, particularly that implies the level of liability that this potentially has with an administration that's talking about shifting liability to, , providers of software and services. So if I'm an industry and people I'm talking to in the industry have significant concerns. There's a couple things in the attestation that I think are going to be very problematic. One of them is around provenance of software, and it explicitly includes third party, which would include open-source software. And no one knows the complete provenance of the people, the processes and the technologies that go into open-source elements that companies using their software. So I think that one's going to be problematic. This is out for another 30-day comment period, with OIRA inside of the Office of Management and Budget. I don't think they're going to take a lot of comments, we're certainly going to reengage and try to explain some of the more challenging aspects of what this form could bring for discouraging - and my concern is - driving people out of the federal ecosystem, right. Companies are getting piles and piles of things on them, requirements to work with the government, and it's a lot of work to work with the government. The margins aren't always great. So I think this might cause some challenges.
Field: So something to look forward to in the new year. Grant, also look forward to in the new year, we expect we're going to have a new national cyber coordinator, as the acting coordinator Kemba Walden stepped down recently. Not sure when we're going to have one, up for approval, but what is your advice going to be for the person who occupies this role next?
Schneider: Yeah, I think for the person that occupies this role, my advice is, I think Chris Inglis came in and did a fantastic job of building out the organization. And going from zero people, one, himself, to the 85, or so that they have now, getting the footprint inside the Executive Office of the President and becoming an institution there and did an amazing job. And I think Kemba picked up with the strategy and getting the strategy over the finish line and the implementation plan over the finish line and out, I think for whoever the next director is, presumably, it will be Harry. I think it's building relationships inside the compound, inside the complex, inside the Executive Office of the President. There's a lot of external work to do, and the workforce needs to do that. But I would recommend that they spent a concerted amount of time of meeting with their peers and other politicals inside the Executive Office of the President, and understanding, I'm certain having worked at the EOP that bringing in a new organization that's now the third or fourth-largest inside the EOP of the 19 or 20 organizations there, you ruffle a lot of feathers, you stole people's office space, you got more budget than they've had. So I think going and doing some work with your peers would be helpful on making sure that the ONCD becomes a long standing part of the Executive Office of the President and becomes part of that institution, as well as obviously all the cyber work they need to do with the agencies and the policies.
Field: Well said. I speak for many, when Congress comes back, all we want for Christmas is a new cyber director. I'll pass it to my colleague Matt. Matt, your witness.
Schwartz: One of the things I've been looking at and hearing about recently, is this question of CISOs being under fire. Are you hearing increased liability concerns from your peers, from other CISOs, in the wake of the SEC lawsuit, for example, your most recent example, against SolarWinds? Do you think these concerns are justified? Is there any advice that you've been promulgating to CISOs for how they might need to better protect themselves?
Schneider: There's a lot of concern with this. It's become personal. I mean, that's exactly what the SEC is about. They've made it personal, by actually charging an individual person and it just shouldn't to the organization. And I think most people know they're part of an organization that's probably going to be sued or hasn't been sued or is currently being sued for one thing or another. But to say that he personally had a role in personally misleading investors, right, which is essentially the charge with some of the things that, , the comments that he said, and so CISOs are definitely concerned, they're concerned of what their personal liability is going to going to be. I am certain there are conversations happening about liability insurance, and what that will look like. And are they covered by directors, D&O insurance inside the companies. But I think, , the advice are, people are going to need to think about is clearly both public statements, and in this case, internal statements, right, internal emails, are being potentially used against the CISO, and being sent back as, "Hey, you said we were actually doing fine." And then something bad happened. And I've long said that if a CISO's conversation with the CEO is the CEO saying, "Are we safe yet? Are we secure yet?" Right? The CISO either has to say yes, to keep their job, but get fired the first time something happens because no one's secure, right? Or they say no, and they get fired right then because we're not secure. And so you need to have a far more nuanced conversation. And I think we've got to find a way, working with the SEC to be able to have more nuanced conversations with investors, which they're trying to do, because there isn't a state of your organization that's now secure. You can do all of the right things and still have an incident. And tying back and being able to say, well, this is the thing that caused the incident or wasn't - like being able to prove that the incident was not caused by a failure or a lapse someplace, is , hard, very, very time consuming, very resource intensive. And so I think my concern is that this is again going to have a chilling effect on CISOs, it may have a chilling effect on people wanting to become CISOs. Right? If that was your "what I want to be when I grow up," maybe I don't anymore, but also is it going to either mute some of their conversations, or make them have to run around internally saying the sky is falling, the sky is falling, the sky is falling, right, which I think in a business context is going to be hard because senior leadership wants to understand risks, but they want to understand what are manageable and acceptable risks. And if the CISO is in a position where they can't talk about acceptable risks because those might be considered misleading statements, I think that's just a challenge going forward. So we're going to have to figure out a balance with this. And it's going to be interesting to watch. And I think a lot of eyes are on this. And there's a lot of concern.
Schwartz: I'm struck by the boilerplate you see in so many SEC quarterly filings from public businesses: "unforeseen events may yet occur."
Schneider: I think you will get a lot of - I want to say weasel words. Maybe that's inappropriate. But hygiene, yeah, great hygiene in comments that people are coming out with which, again, is that a service to investors as well? You're going to see liability statements, as opposed to, again, more nuanced conversation around security and real risks. And with cybersecurity, there's just so many unknown risks and potentially unforeseen events, as you pointed out.
Schwartz: Well, in terms of dealing with these risks, having good threat intelligence is something that people have been seeking for a long time. And the government is getting behind this as well. There's a new proposed rule from the DOD, the GSA, and NASA, of all people, on modernizing cyberthreat and incident reporting. And as I understand it, this aims to remove contractual barriers that might be in place with contractors, I believe, and to facilitate easier sharing of data, so the government has a better defensive posture. Am I reading that correctly? And I'm just interested in your perspective about what this rule is trying to do? What's required to make it successful and if you think it might be successful.
Schneider: So this is another thing that's creating a little consternation inside of industry, I would say, and, , the way you phrase it, removing contractual barriers, I think that is probably the way the government would look at this, that it's removing barriers where, , they heard during SolarWinds and during some other incidents, where agencies said, "Hey, I either can't share that with you," or probably it was "I don't want to share that. And I don't have to, and therefore, I'm going to say I can't." I think industry says that this is imposing contractual barriers, if you will, or mandates that are going to require a lot more sharing around incidents. And which I think, in general industry is probably okay with, Hey, we should share more information. Because this is about being able to protect federal information, federal information systems, the broader ecosystem, and this type of sharing can be helpful in that way. Some of the things that are in this proposed rule, though, is it talks about a lot of access for the government on to contractor systems. And the way it's phrased is a little unspecific because it talks about, , the FBI and CISA. And then I think later it talks about or anyone, the U.S. government wants to designate as a third-party person would have access to any system used in the performance of this contract. And in the performance of the contract could mean directly here, this is the software I'm providing to the government, or it could mean my HR system, because that's what I use to hire the people that perform a service for the government. So it's pretty broad. And there's a lot of concern around essentially what reads like potentially unfettered access for the government to just come in whether you've reported an incident or they've identified that you had an incident or had a potential incident. And so the scoping for it is very broad. And I'm hopeful that we're going to be able to narrow that down. Also, the reporting timelines are, I think, it's within eight hours of discovery of an actual or potential incident. And again that means someone in the middle of the night at a company is having to make the determination that their company should report something to the federal government that was a potential incident, not even an actual incident. And so I understand that I'm wanting to get information quickly. What I hear from the government is, "Hey, if you want to be played with the government, if you want to be a contractor, you need to play by the government's rules, you need to play by the same rules that government agencies play by and they have to report within an hour's timeline to CISA." And I appreciate that, having been the federal CISO, but the challenge, or one of the differences, is that federally, there's no federal agency jail, there's no FISMA jail. We say this all the time when I was in government, there's no FISMA jail. So if an agency doesn't actually meet their requirements, or they fall down somewhere, they can get yelled at. There are ramifications. I don't want to imply they're right, but there certainly can be. But for a contractor, it's illegal false claims, right. And it's a false claim that can come back to every invoice that they send to the government, if it turns out that they didn't report something that the government thought should have been reported. So I think I'm a big fan of information sharing, I'm a big fan of getting more information so that we can help protect the ecosystem. There's nothing in this rule about how the government's going to use this information and how they're going to share back with industry. It's an information sharing requirement that you share more information with us or report it to us. It's an information reporting requirement, as opposed to information sharing, in my opinion, so I think they're going to get a whole lot of comments on this. These were originally due on December 4, they did give us - the industry had asked for a 60-day extension, and they provided that. So industry gets to work over the holidays on this, but I think it's going to be important work. So understand what the government's trying to get to. I think there's some ways to improve this though.
Schwartz: Fantastic, wonderful, nuanced reading there, especially with your experience. Thank you. Handing you over now to Anna.
Delaney: So I want to discuss concerns about a proposed 25% budget cut to CISA as part of the fiscal 2024 Homeland Security spending belt. Grant, how might this cut impact CISA's core functions? And what do you think the potential ramifications will be on CISA's ability to fulfill its cybersecurity mission?
Schneider: It's unfortunate that this cut is in the House bill, because cybersecurity for so long has been a bipartisan, , a bipartisan topic, we've been able to get bipartisan work done. And it's becoming more partisan. And it is related, I think, to CISA's work around elections and election security, and the perception that CISA was doing censoring of messaging on some of the disinformation campaigns that they had worked on. So, it's concerning to me from a political a broader ecosystem where we've had bipartisan support. I think, to your question, though, on, like, where the rubber meets the road - 25% is a big cut. Now, CISA has grown a ton, they've grown a ton over the years. And with that, they're able to do a lot more, they are far more involved in the ecosystem, they're far more able to provide alerts, provide information to industry, to critical infrastructure, to work with government agencies, and I think they've stepped up across the board there. It is concerning to me of what a 25% cut would look like. Obviously, CISA would have to determine what to reduce, and how to do that, and would ultimately be the one driving the impacts. But this is something that it could end up a lot of manpower, it could impact some of the pay scale that CISA has been using. So CISA has a cyber, basically personnel system that they're able to ideally hire and bring in and recruit good talent, because they can pay them a little better than normal government salaries, maybe they have to pull back on that. And it's going to make them harder to retain people, harder to recruit people. So it could have a lot of impacts on CISA's ability to be, as I think they like to refer to themselves as the "cyber risk manager for the nation" with a far smaller budget.
Delaney: In the event that budget cuts are implemented, are there alternative strategies or even approaches that could be considered to mitigate the impact on cybersecurity efforts?
Schneider: Anytime you're faced with - and I have in my career before, I've been faced with some pretty drastic budget reductions, , you can run around with your hair on fire and say, "The sky is falling," and there will be a lot of that. And you need to sit down and say, "Okay, where am I investing my core money," and in the government, , we usually talk about, spend a lot of time focused on, potential new money, we don't spend a lot of time focused on how we're spending the money that we get every year, if you will. And so this is an opportunity for Jen Easterly and Eric Goldstein and others to sit down and say, Okay, what are we investing in? Where are our resources, prioritized? What are the efforts that are generating results for us that we can see tangible, measurable results? And are there any that aren't, and maybe we should think about realigning or adjusting in some way, shape or form. So, at the same time, there's a little bit of it, it's an opportunity there, I don't know specifically because I don't have the metrics inside of CISA - where they may pull, decide to de-emphasize and emphasize other areas. But I would imagine that they're going to pull back toward more core functions, which is supporting federal agencies and Federal Information Systems and critical infrastructure and work they're doing beyond that will be a little harder to justify in that type of budget scenario, if that's where we end up.
Field: Ultimately, Jen Easterly will be hosting a GoFundMe.
Schneider: She might do well with one. We can auction off Rubik's cubes. I think there's a lot of options they could take.
Delaney: 25% increase! Well, hopefully won't be introduced - these cuts. But for now, that was an excellent overview of situation, Grant. So there's our fun bit. Finally, and for fun, we're talking about fortune cookie. So if you have to put a cybersecurity tip inside of fortune cookie, what would it say? Tom, do you want to start us off?
Field: Well, two sides, one side, you get the lottery numbers, of course. So, probably 123456. On the flip side, it would say change your bloody password.
Delaney: Wise words. Matt?
Schwartz: Yes, I don't mean to repeat, but I would say - my fortune cookie would say use a password manager and two-factor authentication.
Delaney: I would say beware the fishing tides to keep cyber dragons at bay. Grant, anything to wow us with?
Schneider: So my fortune cookie would say the only limit to our realization of tomorrow is our failure to implement multi-factor authentication today. So similar to Matt and Tom on the identification focus.