“I think the public-private partnership model is so important. And if we jettison that in favor of mandates and regulation, you’re going to change that relationship between the government and the private sector, which is already tenuous but really needs to be nurtured and not dialed into a bunch of heavy handed regulation.”

That’s Megan Brown, a partner at Wiley Rein. She has deep expertise in cybersecurity and data privacy issues, working for national and global companies on cutting-edge compliance and risk management. Megan joined us to talk about the Biden Administration’s cybersecurity executive order signed in May in the wake of ransomware attacks that drew national attention: SolarWinds, Colonial Pipeline, and more.

This episode of Hack the Plant does a deep dive into the Executive Order, and what it means for public and private efforts to keep our critical infrastructure safe.

Megan is joined by Liz Wharton, the Chief of Staff at SCYTHE. In this capacity, she serves as a strategic advisor for the CEO and leadership team, building and maintaining cross-department relationships, crafting external initiatives, and driving day-to-day projects and tasks. Previously she was the Senior Assistant City Attorney with the City of Atlanta, where she served on the immediate incident response team for the City of Atlanta’s ransomware incident.

Join us in this episode to learn more about the Executive Order and how it could impact our critical infrastructure moving forward.

(Subscribe to Hack the Plant on Spotify or Apple, by RSS feed or search for it wherever you listen to podcasts.)

TRANSCRIPT

Joshua Corman:

Our dependence on connected technology is growing faster than our ability to secure it, especially in areas affecting public safety and human life.

Bryson Bort: 

I’m Bryson Bort. And this is Hack the Plant. Electricity, finance, transportation, our water supply. We take these critical infrastructure systems for granted, but they’re all becoming increasingly dependent on the internet to function. Every day I ask and look for answers to the question: does our connectivity leave us more vulnerable to attacks by our enemies? I’m a senior fellow at the R Street Institute and the co-founder of the nonprofit ICS Village, educating people on critical infrastructure security with hands-on examples, not just nerd stuff. I founded GRIMM in 2013, a consultancy that works the front lines of these problems every day for clients all over the world.

Bryson Bort: 

I’m Bryson Bort and this is Hack the Plant. The last few years have seen an increase in ransomware attacks that have drawn national attention, including from the White House. SolarWinds. Colonial Pipeline. And more…

Liz Wharton: 

Knowing that, for example, a certain threat actor may be coming after that certain type of ransomware is coming through or targeting certain sectors is helpful, is great information to have. This is nice, this is helpful, but now we just know how our ship is going to sink. We don’t really have anything other than a bucket, a pail to keep the ocean at bay.

Bryson Bort: 

Most recently, the Biden Administration issued an Executive Order on May 12th “On Improving the Nation’s Cybersecurity.”

Megan Brown:

The Cyber Safety Review Board in the EO is described as being modeled after the National Transportation Safety Board, right? If there’s a plane crash, God forbid, NTSB, they go in and they look at what happened, root cause, et cetera. Section five of the executive order establishes a Cyber Safety Review Board. It’s going to be co-chaired by government private sector leads.

Bryson Bort: 

For today’s episode, I’m joined by two attorneys, Megan Brown and Liz Wharton, who help us unpack this Executive Order and what it means for public and private efforts to keep our critical infrastructure safe. Megan Brown is a Partner at Wiley Rein. She has deep expertise in cybersecurity and data privacy issues, working for national and global companies on cutting-edge compliance and risk management. Liz Wharton is my Chief of Staff at SCYTHE, where she serves as a strategic advisor for the CEO and leadership team, building and maintaining cross-department relationships, crafting external initiatives, and driving day-to-day projects and tasks. Previously she was the Senior Assistant City Attorney with the City of Atlanta, where she served on the immediate incident response team for the City of Atlanta’s ransomware incident.

Megan Brown:

I think the public-private partnership model is so important. And if we jettison that in favor of mandates and regulation, you’re going to change that relationship between the government and the private sector, which is already tenuous but really needs to be nurtured and not dialed into a bunch of heavy-handed regulation.

Bryson Bort: 

What does this new Executive Order propose? What does it change? What are its strengths and weaknesses? Join us as we discuss this, and more, in the episode.

Bryson Bort: 

Okay. Megan, the executive order that was issued on May 12th from the White House, improving the nation’s cyber security, what was in that?

Megan Brown:

Wow, that’s a good and broad question. A lot, it turns out, the executive order was certainly anticipated for some time. The pace of public concern about certain cybersecurity events brought it to a head, so no one, I think, was surprised when it came out. But it covers a lot of ground. Its goal is to try and quote bring the federal government’s power to bear the full scope of its authorities to protect and secure its own systems.

But then also, it really has a lot to say about private systems and private software. It’s got several pieces of it, each of which have a lot of sub-parts, and it kicks off several activities across the federal government, both at the National Institute of Standards and Technology, at the Federal Trade Commission, at the Federal Acquisition Regulation Council and others in the alphabet soup.

The goal is to try and improve the security of, for example, software that the federal government buys, but also software in the commercial space, not specific to the federal government. It looks at IoT software or IoT devices, and how to improve the security of those devices among other new obligations starting with federal contractors, but quickly moving beyond those. So it’s a lot and we can dive into any one of those topics, Bryson.

Bryson Bort:

Liz, anything you want to add?

Liz Wharton:

Well, really Megan, I’m impressed with her ability to simply summarize it, but also would love to delve into where you look at both the IT and the OT side when we start talking about critical infrastructure. So the operational technology, as well as the information technology.

Megan Brown:

I think that’s one thing that the private sector, at least a lot of the folks I’ve talked to, find to be a little, maybe frustrating about the executive order, is it lacks certain definitions. So for example, its focus on information technology versus operational technology, some people have suggested that maybe that’s a little confusing in the executive order.

But the goal is the parts that are super interesting to me are how the government’s going to define “critical software”, and then determine whether that’s OT or IT, what obligations should attach to critical software for both the government, but then also really how to nudge the private sector by putting out some standards that they hope that the use of federal procurement power will change the private sector’s incentives.

I’m not so sure that that’s true, but a centerpiece of the bill or of the executive order is this definition of critical software, which is being decided right now in fact, moving very quickly. So I think that’s the other thing to pay attention to is, these timelines are fast for this level of activity and the difficulty of some of these questions, including, Liz, the distinction between IT and OT.

Liz Wharton:

Well, yeah. And especially if you were listening in to the Senate’s hearings on Colonial Pipeline. But hearing the distinctions between, well, was it your financial software versus was it the actual pipeline, the technology running the pipeline itself. And that was fun to listen to the Senate, you could tell who had great staffers that had briefed them well and who had just phoned it in.

Megan Brown:

Yeah. I thought the hearing was really interesting. I may have a slightly different take on the quality of the questioning and the briefing, they’re close, but respectfully they’re not quite there in certain respects. I thought, for example, some of the questions early on about ransomware and the dynamics there in cooperation with the government, were predicated on some, I don’t want to say naive, but some maybe less realistic understandings of how this stuff rolls and how companies actually deal with incidents in-flight, so to speak.

Bryson Bort:

Liz, you talked about how you could tell which members of Congress were phoning it in. Do you think that those phones are going to be part of critical software?

Liz Wharton:

Well, yes and no. When you look at the fact that these are the individuals who are in and going back to the distinction between what an executive order can do, and then the implementation, because Megan really did a good job of highlighting all the different agencies who are now participating in the decision making process, the actual implementation of it. And when you look at what Congress could do, would do, should do, and the responses to that.

So when you have a different [inaudible 00:07:36], well, did you have a playbook for this? And, or did you call this person first or this agency first, some of this is picked up in the executive order of, hey, let’s create those common playbooks, let’s create that process so that you don’t end up with misquoted either questions or the hit journalism pieces of, well, you didn’t directly. Well, did we, or did the other federal agency we call say that they would coordinate for that or that for us, because as Megan noted, it becomes a fire drill regardless of how well you’re prepared with tabletop games.

Megan Brown:

Yeah. That’s one of my abiding frustrations here is the Monday morning quarterback aspect of a lot of this, that it’s very easy after an event to look back at a company and pick it apart. And I’m not here vouching for Colonial Pipeline, but I think the idea, for example, that every company facing an issue needs to run to DHS’s CISA, that might be ideal, but they’re not required to, and the incentive structure might not be there for that to happen.

So it does feel a bit like a game of gotcha, particularly where things are happening so quickly, that remains a frustration of mine and how we talk about cyber. And quite frankly, I think in some of the respects the EO buys into that. But these are tough questions, I credit the policymakers for trying to understand it better, I just think the theater of a hearing, for example, can be suboptimal. Well, we’ll say that.

Liz Wharton:

Absolutely. And it’s so easy to do the Monday morning armchair quarterbacking of, well, how do you know which legacy VPNs that you’re not using anymore, versus whether they, in the heat of the moment, turning off a pipeline or thinking, again, applying it to the critical infrastructure and energy sector and pipeline. Well, when we don’t know what exactly is being impacted, of course we have to basically shut everything down because the chance that something is impacting that.

I always go back to the city of Atlanta, and when we had to deal with whether our watershed department and whether the aviation department, so the world’s busiest airport, whether that was impacted by the city’s systems. And you’re hoping your network segmentation is holding, but you don’t know. And so to think, well, of course they shut down the pipeline as much as they could, because they didn’t know, they were still assessing that in the minutes after, and it’s too critical to get wrong.

Bryson Bort: 

How do you think this is going to change the relationship with private sector? The first thing I want to throw under the bus is, okay, more information sharing. We’ve been hearing more information sharing for what? Going on two decades? Is something really going to change?

Megan Brown:

I think information sharing sometimes doesn’t get quite the credit it deserves because we haven’t put in place arguably some of the best encouragements and incentives for information sharing. We still have this blame-the-victim mentality. So there are barriers to information sharing that continue to exist. I think the government sometimes doesn’t fully appreciate the risks and uncertainties that come with sharing information.

And so you look through the EO and you look at, for example, the push both in the executive order, but also in the Cyberspace Solarium Commission for dramatically increased information sharing and mandatory sharing and reporting obligations such as were imposed on the pipeline and energy sector by DHS and TSA recently. And some of that I think is just unrealistic in several respects.

One, the nature of the information that’s available at 12 hours or 72 hours may not be particularly helpful. So a massive reporting obligation, which is what I understand TSA and DHS have come up with or about to come up with is likely to be counterproductive. But even if you look at things like organizational readiness or for instance, the assessment that the pipeline directive requires right within 30 days.

Entities have to do an assessment against a 2018 set of standards and report that to the government, is that information sharing ultimately going to be helpful? I’m a little bit skeptical because I don’t know what the government does with that information that is going to be timely, relevant, and actionable to the people who have to own the responsibility at the companies.

Information sharing, I totally take your point. We’ve been talking about it for 15, 20 years. I do see good work going on in other sectors in their ISACs and in the partnerships with DHS. So I’m just not ready to call, to throw in the towel on information sharing or as I’ve seen some in the InfoSec community mock info sharing as like the thoughts and prayers of cybersecurity. I can’t remember who coined that, but I thought that was pretty clever.

But I’m not ready to give up on it because I think the public-private partnership model is so important. And if we jettison that in favor of mandates and regulation, you’re going to change that relationship between the government and the private sector, which is already tenuous but really needs to be nurtured and not dialed into a bunch of heavy-handed regulation.

Liz Wharton:

And certainly having that, knowing that, for example, a certain threat actor may be coming after that certain type of ransomware is coming through or targeting certain sectors is helpful, is great information to have. But as you said, the thoughts and prayers, are they empowered or do they have the ability between different sectors to respond accurately? Or is that information, well, this is nice, this is helpful, but now we just know how our ship is going to sink. We don’t really have anything other than a bucket, a pail to keep the ocean at bay.

So that’s another aspect of it is, what are you supposed to do with that information? Where does the funding come from? And then also dipping into where Megan’s world lives as well on the liability side of, all right, what can we share? What should we share, and how where’s the liability protections? As well as, okay, now that we’ve shared it, federal side, what about the state side? Does that trigger with each state having its own data breach and other legislative regulatory schemes? How does that all play into it?

Megan Brown:

Yeah, Liz, I think you make a great point. One of my concerns is, this move towards more of a mandatory information sharing model as opposed to a voluntary one doesn’t seem to take into account the realities of concerns about information sharing and it doesn’t answer the question of what will be done with the information that’s shared.

So just to look for example, at the executive order, right, a big chunk of it is about information sharing by federal contractors. Section two directs the creation of some of these new requirements for contractors who are IT and OT service providers, right? But it doesn’t define what makes you an IT or OT service provider. So TBD on who’s going to actually have to live with these new requirements.

But it pivots for those folks from a voluntary information sharing regime, of course DOD, and some of the agencies have long had incident reporting, but this pivots more broadly and moves to require those covered service providers to do a whole bunch of collection and preservation about event prevention, detection, response, investigation, on “all information systems over which they have control.”

That’s a novel idea because right now most contractors are responsible for the information systems that house and process government information. So right there we’ve had a pivot, right? We’ve had broadening. But going on, the covered service providers are required to share data with the government in the event of an incident or equal potential incident and collaborate with federal investigations into those incidents and potential incidents.

And the EO contemplates that that kind of cooperation could include implementing technical capabilities, again, not defined, but examples are listed such as monitoring networks for threats, and threat hunting has been something that some folks have wanted to accomplish for the government contracting universe. But I find it perilous, there are already options for consensual monitoring with the government, you can negotiate that and there’s protections for your systems and you work it out with the FBI or the agency.

But this, I think would open the door to a much broader set of government monitoring of private systems in response to this information sharing that I think is really difficult to put your arms around. And the government’s going to have to, I think really bound it. So that’s when I think of the pivot for information sharing, the EO has a lot in it, but this is one thing that jumped out at us as potentially quite fraught.

Liz Wharton:

Well, you also, with the information sharing, as you hit the nail on the head, who gets access to it and what information, and if you look at, for example, Freedom of Information Act requires, a lot of times you can exempt out information about your systems and your network, because that’s considered a risk for the security of it to begin with.

And when you have a whole slew of different regulators, other companies, all these different parties coming in, the likelihood that something is breached or leaks, or I’m not saying that there’s ever been a breach of government system or contractors. See, I almost said that with a straight face. But that does, when we start talking about the critical systems that are impacted by this, it’s like, huh I don’t know if we want one repository or one ring or one sword to rule them all.

Megan Brown:

I think that’s a really good point, Liz, and it’s that concern about access to private sector information, one, because it’s confidential and proprietary. Companies aren’t splashing that information around in the public domain. And two, there’s also concerns and this animated discussions about the Cybersecurity Information Sharing Act from 2015, how is that information going to be used? Is it going to be used really to help secure government systems? Is it really going to be used for a “cyber security purpose”?

Which was critical to that law, or is it going to be open season with that information to then have say, a regulator look at, were your actions reasonable? What should we do to you? So those other activities like the CISA law from 2015, the Protected Critical Infrastructure Information Program at DHS, they have protections and limitations on the use of the information and prohibitions on its use in regulation down the road.

I have been troubled by commentary from some in government about what they envision as a result of this mandatory information sharing, the Solarium commission, for example, wants to have a giant data lake on a lot of this stuff. And then that really goes to your initial point, Liz, which is, who has access to the data lake? How are you securing it? And all of those are very legitimate questions that private companies ask about requests to provide information.

Bryson Bort:

The data lake is referring to the Bureau of Cyber Statistics that was recommended in the Cyberspace Solarium Commission two years ago. Following this, so what’s going to be a Cyber Safety Review Board then, and what’s that going to look like?

Megan Brown:

So I’ll jump in on that. The Cyber Safety Review Board in the EO is described as being modeled after the National Transportation Safety Board, right? If there’s a plane crash, God forbid, NTSB, they go in and they look at what happened, root cause, et cetera. Section five of the executive order establishes a Cyber Safety Review Board. It’s going to be co-chaired by government private sector leads.

The idea is, it’ll convene after a major cyber incident to look at what happened and recommend improvements. There’s an idea that it’s going to take a deep dive on SolarWinds and then maybe on being on standby in the future for similar engagements. And then it will offer recommendations. I think on its surface, not a bad idea, the devil of course is in the details, who’s on that review board? Is there really a good private sector representation?

Solarium Commission. So I’m hopeful the NSC, the National Security Council here will really be thoughtful about who they’re going to put on this review board because it could be helpful, but it also could create yet another layer of regulatory review post hoc Monday morning quarterbacking.

And the problem with some of that is, you look at an event, you look at an issue, you come up with a bunch of recommendations, those recommendations then may end up in legislation like the National Defense Authorization Act without much input, or they might turn into another emergency directive like TSA and DHS put out recently. So I do have some concerns about it.

Bryson Bort:

Liz, anything you might jump on there?

Liz Wharton:

Well, when you, again, go back to second guessing and pulling apart, you also have to worry about the lens through which it’s being viewed. And is it the hindsight is 20/20 or okay, did you check the boxes? Were there issues that should have been anticipated in what happens when you have an organization that perhaps was already struggling with prioritization, and budget, and taking it down a little bit from that big picture?

Colonial Pipeline certainly has the budget, the resources at their fingertips, but when you have some of these smaller, I’m even thinking of co-ops, electric co-ops or so this where they have a team of one, and you’re going to have this perhaps regulatory review and second guessing if you’re already struggling to meet certain standards and doing that, is that actually going to help or is it going to hinder and just add one more layer of complication?

Megan Brown:

Yeah. Liz, I could get psyched about a Cybersecurity Safety Review Board, if that review would take on and supplant some of the congressional hearings or agency investigations. But it seems to me, what you’re more likely to do is just have one more thing to chew on you after an event.

Now, it was supposed to be for after significant cyber events, so there may well be incidents where it does make sense to have someone hopefully a little more expert, hopefully outside of the regulatory space to take a clear-eyed look at what happened. But I think that a lot remains to be seen and what protections they have for the information they collect, how they might overlap with, or defer to existing investigations, all of that remains to be seen.

Liz Wharton:

And also, does it become a well which subject matter experts are put on this or who had the bigger lobbying budget? Because we’ve certainly seen that, and I’m not saying FAA drone regulations or any of that, but that does become an issue and a concern because sometimes it is done well, and then other times you end up with death by a thousand paper cuts of well paid, well fed but not necessarily well knowledgeable experts.

Megan Brown:

Well, also there’s a dynamic in this industry when you look across who the players are and who shows up at meetings, there is a subset of the private sector here that is in the business of selling cybersecurity services. And so what I see occasionally in incidents or preparedness exercises is a consultant who maybe overheads things a little bit, or wants you to meet best practices instead of requirements.

I could easily see some complex, I don’t want to call it conflict, but some interesting questions about who sits on the board and what their perspective is being shaped by what chunk of the industry or the private sector they come from. And I think that’s going to be a tough thing to manage for this board and for the government.

Bryson Bort:

We talked earlier about the lack of definitions in the executive order. And operational technology was mentioned, certainly the internet of things, IoT would be in scope here. This podcast is primarily driven by critical infrastructure. We had Daryl Haegley on a month ago who leads the Critical Infrastructure over at the Department of Defense.

And we don’t see a whole lot of the government itself taking its own critical infrastructure, whether that’s in DOD or beyond, a lot of typically wagging of fingers at private industry where a lot of critical infrastructure is in public trust. What can we expect for this order is going to change things or going beyond this order? Because there have been additional proclamations that have come from the White House where critical infrastructure is going to come into scope.

Liz Wharton:

Well, one of the first things you have is when you look at this executive order, and we talked about that IT, OT, OT is mentioned once and that’s it out of the 30 pages of this executive order and all the approaches. So, and yes, as we’ve seen with various incidents, a word document, a business compromised email, those things, those issues are going to be across the board. But when it comes to the critical infrastructure recognizing that there are some differences and there are different challenges.

I think it is going to be interesting in recognizing that, yes, some of the same vulnerabilities exist no matter whether you’re talking about the Department of Defense, or the mom and pop company that just happens to be the single provider for some of these services, as you see with aviation, for example. Where you have one company that provides a certain software to everything. So it’s going to be interesting to see how that gets applied from a definitional standpoint of, well, how are we looking at this to also the implementation?

NIST published the updated definition of critical software after this recording. It defines critical software as any software that has one or more components with at least one of these attributes:

  • designed to run with elevated privilege or manage privileges;
  • direct or privileged access to networking or computing resources;
  • designed to control access to data or operational technology;
  • performs a function: network control, endpoint security, and network protection;
  • operates outside of normal trust boundaries with privileged access.

Megan Brown:

And so it’s important for them to do that, to keep that in mind. And I’m very curious, cautiously optimistic, I suppose, about what this definition is going to look like. But I think if it’s really inward looking at the capabilities of the software without putting it in that broader context, I think that’s going to be a challenge for the further implementation that’s required to meet the deadlines of the EO.

Bryson Bort:

What would you add to the EO? What’s something you wanted to see that you didn’t?

Megan Brown:

I wanted to see a recognition of the need of the government to look at the incentives and what they need to really grapple with on the risks and liabilities in this space. I think the Solarium Commission overlooked a lot of that. I would have liked to see, for instance, in the discussions of these pilot projects, for labeling of IoT and consumer software, I think that’s an important discussion to have.

Which is validating and grappling with the very legitimate concern, caution, and fear that companies have about a game of gotcha, about class action litigation. So I think that’s a piece that I really wish they would have at least given a nod to. So that, that could be part of the discussion. Even if the EO didn’t take a position on it, I think just not discussing that or not having it in the mix was a miss.

Liz Wharton:

Agreed. Some of the biggest concerns I had were on funding. And you’ve seen some of that, granted that’s not necessarily something that comes from an executive order, different members of Congress have introduced legislation to address some of that. But I see a very complicated, a very dense executive order that is putting a lot of boxes to check, and a lot of steps, and a lot of some of it basic, but without really providing that insight of, okay, great, how do I pay for this?

How do I hire there’s? How do I do that? Sure. It’s a good first step, but at the same time, coming from it, from a perspective of the actual businesses, the contractors, the companies that are providing this thinking, well, once I can decipher what all these obligations are going to be and what I need to be doing, this is awesome. Now where’s the money going to come from?

Megan Brown:

Yeah. I think that, in the minds of a lot of contractors as well, is this core and quite frankly others, which is, is the government going to pay for that which it is talking about here? One example is, for instance, the EO contemplates removal of software that doesn’t meet the standards to be identified, that could be quite costly. Elevating the basic standards for software may raise costs. And I think it’s going to put some strain on the government to put its money where its mouth is to be willing to pay for some of this security. All of these things that they want to do come with a cost.

Bryson Bort:

All right. Wrapping it up with the last question. So this is going to go a bit beyond the executive order, and so it’ll be your personal opinions, unaffiliated with your places of employment, et cetera, et cetera, Italax, small prints. I’m talking to two lawyers. What is one good thing, and what bad thing that you think is going to happen in cybersecurity in the next five years? I’ll start with you, Megan.

Megan Brown:

I think we’re going to see for a few sectors over-reactive obligations and mandates put in place on the thinking that you got to break some eggs to make the omelet. And I think that we’ll have a variety of unintended consequences. So that’s one thing is the overcorrection, and perhaps it will be in response. You see it already with pipelines, so I’m not rocket science here, but that I think will unfortunately continue to be a piece of our policy-making apparatus in cyber. And I find that a little bit worrisome.

Bryson Bort:

Liz?

Liz Wharton:

And really, part of the executive order, and also stepping outside of it then gives me hope. For one of the good things it’s putting this focus on and really driving attention to what I hope to see more of, are these collaborations of, here’s a process. My mind starts working logically and recognizing that, hey, we need to have a step-by-step, let’s all get on the same page about who to call, bring some order to the chaos in a chaotic time when you have an incident.

And also the supply chain, looking at that and hoping more attention starts getting paid to the responsibility of, hey, do you know where all of this goes and everything that touches and comes into this and be it the data, the software itself. So that’s one good thing, but also as part of that awareness, it’s part of the bad thing. You see a lot of folks not paying attention and issues arising. So I don’t see that stopping anytime soon, but that awareness would be the good aspect of it.

Bryson Bort:

Well, IoT can have an impact and there is certainly the IIoT, industrial internet of things perspective, but yeah, for the way it’s written, it’s really just looking at what the surface area is into traditional enterprise IT, which is really my read on most of the EO is that, IT, IT, IT, because that’s what everybody knows and understands. And poor Daryl Haegley over at DOD has the same problem where, ideas he even has, there’s not even like the right place to do it and the CIO’s office doesn’t want it.

Megan Brown:

Yeah. No, that’s fair. And I think, no, I’ve heard from several clients’ real frustration that they’re missing the forest for the trees here, right? Now, there’s a piece of the private sector that is psyched to have some obligations put on to the IT sector, right? I think various reports have over time called for more focus on IT security as a software development model. But if you’re talking about the existential risks here, they feel, at least from what I’ve heard, that the failure to look at OT in a meaningful way is a miss.

Bryson Bort:

Bingo.