date 2021-10-26
SEN. PETERS: Joe, it's great to be with you.
MR. MARKS: Thank you so much for being here. So, Senator, cybersecurity has been a major issue in Washington for more than a decade now. There hasn't been a whole lot of major legislation in the area. That seems to have changed in, roughly, the last year. Your committee is all over this. There are a number of bills that have passed already, some that are in the works that we're going to be talking about in a minute.
What's changed in the last year or so?
SEN. PETERS: Well, as I came in as chair of this committee, I realized that this has to be a central focus of the work that we do in committee.
And Homeland Security Department, what we deal, homeland security, clearly, we have an awful lot on our plate right now. We're dealing with the issue of border security. We're dealing with the issue of rising violent extremist groups in the country. And within the Homeland Security Department, we also have FEMA, the Federal Emergency Management folks. So, between dealing with storms from climate change to the COVID pandemic, we've had no shortage of issues we need to focus on.
The cybersecurity, for me, is central. It is perhaps without question one of the most significant threats that we face in the homeland. You just have to look at some of the recent massive attacks, whether it's on the Colonial Pipeline or meatpacking plants. Also, I hear regularly from businesses in Michigan, and small businesses, in particular, that are getting hit by ransomware attacks. And we know how devastating these attacks are on our economy and on our companies. And especially small businesses, you know, I'm struck by a statistic that shows if a small business gets hit with a ransomware attack, nearly 60 percent are out of business in a year to a year-and-a-half. That's simply unacceptable. We need to have a whole-of-government approach. We certainly want to work and teamwork with the private sector to understand the threat, understand ways we have to deal with it. And that's why it's been a focus of my work as the chair of this committee--in fact, with all of those issues that I mentioned that we're dealing with already this year, we've had hearings that have either been focused on cybersecurity or cybersecurity has been a part of this discussion of, I think--I believe nine hearings. So, that's a large number of hearings focused in some way or another on cybersecurity.
And as a result of that work, and bringing people together, we've been able to craft bipartisan legislation, working in a bipartisan way. Certainly, my partner is Ranking Member Portman. We've worked very closely to draft legislation to deal with the significant issues. And what we know--what we've done so far, although I think is an important step, it's going to be one step of many that are going to have to come in the future.
MR. MARKS: Has ransomware changed the debate? Because as you say, it's hitting the private sector really hard. It's hitting everything from small businesses to these kind of economy-shaking or economy-scaring attacks, like Colonial Pipeline which shut down gas supplies for a short period of time on the East Coast.
Has that changed the debate and hit Washington in a way that things like the OPM hack, Sony, other things like that didn't?
SEN. PETERS: I think that's a fair assessment, is that ransomware has changed the equation. Clearly, those other attacks are very important, and the stealing of critical information and private information and data can be monetized and you can impact folks. But ransomware is very direct. It gets very big. The Colonial Pipeline showed what could happen when all of a sudden you see once again lines at gas stations and people concerned about fuel and what that could be.
Plus, it's very easy to wrap your head around a ransomware attack. It's really pretty much like a bank robbery, good old-fashioned crime, where you're bringing basically a gun in the cyber world and you put a gun to their head and said, give me your money and I'll give you your data back. So, it's something that is very, very tangible for people.
MR. MARKS: You and Senator Portman, the top Republican on the committee, have sponsored a bill that would require companies in critical infrastructures like transportation, aerospace, things like that to report to the government when they're hacked. It would also require companies--I forget the precise measure, but companies above a particular size to report any time they pay a ransom to ransomware hackers.
What's the big goal of this?
SEN. PETERS: Well, I'd say the main goal of this is just to get a sense of what exactly is happening and get it at--information as real time as possible.
One of the first steps in fighting cyber attacks is understanding who is attacking whom and what methods they are using, so that we can analyze that, as well as warn others that we know that these attacks are occurring. This is how they are occurring. These are the techniques that are being used. And you should prepare accordingly, knowing this is out there.
You know, I use the example actually in our markup. This is not different than in a neighborhood. If you live in a neighborhood and you have two of your neighbors that were--had a burglary, that's really great information for neighbors to know. It's like, in our neighborhood, we've had two burglaries and this is how they broke into houses. You should probably be prepared. And certainly, the police want to know so they can have those resources put there. And it's the same way, we have law enforcement who will understand what the nature of this attack is and who they're targeting; but also those entities, whether it's a private business or nonprofit school, whatever it may be, could also anticipate what's happening.
So, it's critical for us to get that information, but we also know that we got to make sure that, given the fact that there are so many attacks that are occurring every single day, we want to really kind of focus on those that are the most significant and ones that we have good information on, and that's part of the essence of what's in this bill.
MR. MARKS: Yeah, and speaking of that focus area, there's been some push-and-pull in Congress. There are versions of this bill in other committees that require reporting within one day. Your bill requires it within--I guess no sooner than three days. There's also been some discussion about how broad this mandate should be, and whether it should be just critical infrastructure, whether it should apply to cybersecurity companies and some other groups, as well.
Why did you take that longer reporting timeframe, and what do you think is important about the scope of the bill?
SEN. PETERS: Well, you know, I think the reporting timeframe that we came up with was with collaboration with working with a lot of stakeholders, is to have a reasonable time. And you can do it quicker than 72 hours. It's just saying, within 72 hours, you need to report. But once you know that you have a reasonable attack--and it's also, how do you define that? And it all comes down to balance, is that we know that these attacks are occurring on a regular basis, but we want to get a sense that these are real attacks and we can confirm, at least reasonably understand, that this is exactly what we have.
Otherwise, you get a lot of noise, too. If someone has to report immediately when they think that's a--that perhaps we've had a cyber attack in the report, then we're going to just get overwhelmed with data, as well. And that's not going to help. That's not going to be helpful to getting information and knowing more. Plus, if you've been hit with a cyberattack, we don't want to have somebody having to report right away. We want to make sure that they're focused on exactly understanding what happened and that they're responding. We have to remember that they are victims. They are victims of these attacks. Respond, and then, once you have a reasonable belief that this is definitely a cyberattack, then let CISA know.
But I also want to stress that this is just a floor of reporting. You're going to see other specific agencies come out with cyber criteria, the reporting requirement. And as an example, with pipeline safety, for example, with the new regulations coming out from TSA related to pipeline safety, those companies need to report within 12 hours. So, you will see--and this does not change that. It says 72 hours or less, but if an individual agency puts out a regulation for a quicker response, that will be the law, as we're seeing with pipelines.
We also know there's going to be some new regulations related to airport security that will be coming out. I don't know what that will be in terms of the report, but if the pipelines are any indication, it'll likely be quicker than the 72 hours. But this was a way to balance competing interests, but certainly encourage other individual regulatory agencies to put a standard that they think is most appropriate for their industry.
MR. MARKS: You mentioned regulations. In addition to the reporting requirement for pipelines, TSA is now going to require them to meet certain baseline requirements for cybersecurity. It looks like similar requirements could be coming for rail systems, maybe airports.
The White House has said that if critical infrastructure can't get its own baseline cybersecurity up to snuff, they might be interested in more regulations like this across critical infrastructure sectors. They believe they probably need congressional authorization to do that. Do you think that's necessary? Do you think that's coming?
SEN. PETERS: I think it may be. I think let's wait to see how this plays out. There's no question that when it comes to critical infrastructure, there needs to be standards in place to make sure that they are taking every measure necessary to protect those systems. But I think it's also important that these regulations are flexible, understanding that the nature of these attacks, the technology used in these attacks, all of these things are going to be constantly changing. So, I want to make sure there's the flexibility in the approach that we're constantly keeping up with the nature of the threat, as well.
MR. MARKS: What is your overall sense of the relationship between government and industry on cybersecurity at this point? You know, it seems like most of these threats are hitting the private sector. Government has a role in that--it may be a regulatory role; it may be not. Are they on the same page or is there more work that needs to be done?
SEN. PETERS: I think they are getting on the same page. They understand that certainly they're not alone in these attacks, and they also know that there needs to be a coordinated approach to fight against those.
You know, going back to the example that I had of the neighborhood, businesses would like to know if other companies are being hit by these kinds of attacks so that they can prepare accordingly. They want--certainly have the ability for the federal government to provide resources, if necessary, on a broad basis to protect.
And I think the one thing, too, that I think is critically important as we're talking about cybersecurity, and something that I've stressed, and I've had this conversation directly with President Biden on a couple of occasions, is that it's not just important to put locks on the doors for cybersecurity, which is critically important. We've got to have locks on the doors and we have to make sure they're the most up-to-date locks that there are.
But we also have to be able to go after the bad guys, find out who they are, and make sure they're punished. Whether those are criminal organizations or state-sanctioned criminal organizations, or state actors, there needs to be a deterrence factor, as well. And certainly, I'm hearing a lot of that from private industry, is that we need to have a deterrence factor in addition to just safeguarding the systems.
MR. MARKS: There's another interesting bill that you and Senator Portman have worked on, which would create a cyber response and recovery fund. I believe it's been included in the bipartisan infrastructure bill, so there's a very good chance this is going to become law. I find this interesting because so much of what we've talked about is trying to prevent ransomware attacks. This is more about how do we deal with the attacks that we can't prevent.
Do you think that's a critical component, and could this be effective in reducing the number of ransoms that are paid?
SEN. PETERS: Well, I think it's part of the piece. I think you're absolutely right to ask that question is there's no one thing to do. We've got to do a variety of things.
You know, obviously, as I just mentioned, we want to have a deterrence. You want to put on stronger locks, but sometimes folks get through those locks. And we want to have the ability to respond to that quickly, particularly if you're dealing with critical infrastructure. So, part of that legislation creates a fund, a hundred-million-dollar fund that CISA can use to help entities that were the victims of a cyberattack, if it's considered a significant cyber incident. This is something that the Secretary of Homeland Security would have to determine. And then, there would be resources available to help that entity get through it, particularly if it's critical. You know, an example of infrastructure, we had the pipeline attack or electrical grid. If we need to put additional resources to get systems back up, we may need more cyber professionals to help that particular entity. We may have folks from across government will have to come in and get that infrastructure back up and running as quickly as possible.
Clearly, we want to prevent it from ever happening in the first place. That's got to be our number one focus. But should that occur, should an attack occur, we want to get those systems up quickly if it's critical infrastructure, because far too many people require it. And quite frankly, it may be related to our national and economic security.
So, it is of utmost importance.
MR. MARKS: If we get a fund like this in place, coupled with the other things you're working on, could we reach a point where we reasonably could or should ban ransomware payments, at least in certain circumstances?
SEN. PETERS: Well, right now, the FBI is very clear that no one should ever pay ransom, and whenever folks are reaching out to the FBI, they get that instruction very clearly.
Ransomware payments only--if people make those payments, it only brings more ransomware attacks, because criminals know that that's going to be a source of revenue. So, certainly every effort is made so those companies don't pay. And you know, I think it's also important to remember, when we had the CEO of Colonial Pipeline before our committee, and who did pay the ransom. They did get the keys, but they're saying that, even with the keys that they got, after they paid the payment, it's still going to be 12, 18 months before they're back up and running the way they should. Paying the ransom is not a solution for what you will get. It's still going to be significant. And a large company can maybe go through that effort over 12, 18 months. Small businesses--and as I mentioned at the beginning of the interview, small businesses will be out of business by then. Even after they pay the ransom, they still are left with some difficulties that they have to overcome.
But I think it's also important, as we look at these ransomware payments, if I may, that most of these payments are done with cryptocurrency. And that's why we've begun an investigation in our committee into cryptocurrency and the use of cryptocurrency by ransomware criminals, kind of the currency of choice. And how do we better understand that and perhaps have countermeasures for it?
I certainly was encouraged by the FBI's actions in the Colonial Pipeline case, where they actually recovered it. And so, we need to look more at that, as well.
MR. MARKS: I just want to hit back on that question, again, though, because also the officials have generally acknowledged that, even though they don't advise ransomware payments, they do happen a lot. And there are cases, like Colonial Pipeline, where it's sort of critical to good functioning of society that we get these things up and running as fast as possible and paying the ransom ends up being the rational choice in those cases.
Can we get to a point where we can at least substantially limit those in cases where it's not absolutely vital, or is it never quite government's role to mandate that we ban ransom payments?
SEN. PETERS: Well, I think we got to--hopefully, we get to the point where companies realize that there are other alternatives for them. It's part of the response fund that we have in the bipartisan infrastructure bill to do that and that there are other alternatives for that.
So, it's a possibility that we ban it--I'm not closing the door on that, but I think it's something that we have to, right now, be focused on working with companies to understand that there are alternatives to paying a ransom, particularly if they get assistance from the federal government and look at the federal government as a partner. What I want to have private industry realize is that CISA can be a partner when it comes to dealing with these kind of crises. They should report early to CISA, and they should view that as not just another box to check that I have to report to the government, but there's actually something substantive in terms of help that is provided.
And I know our agencies are focused on ways to do that. We've got to do more of that, and that's going to continue to be a focus of what I'm going to work on in my committee in the months and years ahead.
MR. MARKS: One of the things that's guided a lot of the legislation that you and others have worked on, on cybersecurity in this Congress, has been the report from the Cyber Solarium Commission, about 40-some recommendations. It was led by Senator King and Representative Gallagher, a few other members of Congress.
One of their main recommendations, which they were both a little--both adamant about and a little bit cynical about when it came out, was that there should be, instead of the--I think Senator McCaskill once called it a spaghetti bowl of authorities for cybersecurity in Congress. There should be a select cyber subcommittee in the House and one in the Senate. What do you think about the way legislation on cybersecurity is moving through Congress now? Is what we have adequate or the best it can be, or is there any chance of it changing, given that, you know, you have a hundred different interests in various parts of the upper chamber?
SEN. PETERS: Well, I'm always open to look at ways for Congress to work more efficiently and more effectively. And certainly, I speak with Senator King an awful lot. He's been a great leader on these issues. In fact, many of the recommendations from Solarium have been put into legislation that we've moved through my committee, and we're going to move more in the markup coming up next week.
And so, I'm always open to that, but I think we do have a focus here in the Homeland Security Committee with CISA as really the central point of contact within the federal government to safeguard our systems. And with that, we can move meaningful legislation. I think we're proving that in just our track record over the last few months, in how we've been moving significant pieces of legislation, either as standalone bills or in packages, whether it's the bipartisan infrastructure package or hopefully the incident reporting bill as well as the FISMA bill that we have will go in the National Defense Authorization. Clearly, this is a national defense issue. So, certainly, I believe our committee is picking up the baton and running with it as quickly as we can, but the more folks that are focused on this, the better.
MR. MARKS: Thank you so much, Senator. I really appreciate you coming to speak with us today about your committee's role in protecting cybersecurity.
SEN. PETERS: Well, it's great to be with you. Thanks for having me on.
MR. JOHN: Protecting critical infrastructure in America requires consistent engagement and continued collaboration across the public/private technology ecosystem. From a Siemens perspective, it's this type of collaboration that allows us to partner with governments, customers, and suppliers to make sure that everyone's successful and we continue to deploy the type of cyber resiliency that we need.
I'm Kurt John, Chief Security Officer of Siemens USA. I'm joined by Jesse Whaley, EVP and Chief Information Security Officer of Amtrak. Welcome, Jesse.
MR. WHALEY: Thank you, Kurt. It's great to speak with you again.
MR. JOHN: Great to have you. So, let's start with critical infrastructure. Tell us about Amtrak's role in America's critical infrastructure.
MR. WHALEY: Thank you, Kurt. That's a great question. And as Amtrak's Chief Information Security Officer, I'm charged with helping the company manage cyber risk to include making sure we have the proper controls in place to protect the critical infrastructure.
Now, most people know Amtrak provides passenger train service across the United States, which puts Amtrak in the owner/operator category for the transportation critical infrastructure sector. But did you know Amtrak also generates its own power for operations on the Northeast Corridor? So, our power generation and transmission capabilities also put us in the energy critical infrastructure.
Additionally, Amtrak has a federalized police force to ensure employee, passenger, and asset safety in stations along the railroad, onboard trains. And this is where we are aligned to the emergency services critical infrastructure. And beyond all that, Amtrak owns a vast amount of property, from train stations, offices, maintenance facilities, and land that make it a significant real estate management company. Amtrak is also in the construction business, with maintenance and building of all this infrastructure in real property.
MR. JOHN: That's quite a bit, and I didn't know all of that. Fascinating. So, with such a wide range of responsibility, what type of trends are you seeing, or perhaps what focus areas do you think organizations should be paying attention to when it comes to cybersecurity?
MR. WHALEY: Thank you for that question. So, when I think about what organizations should focus their attention on for cybersecurity, I think about the ways and how threats gain access to corporate networks, and there are four main ways that threats breach a corporate network.
The first being service on the internet. That includes your websites, web applications, VPN solutions, et cetera. The second is endpoint or employee computing devices, such as your corporate laptops and mobile devices. And even personal devices can be included in this if a company has BYOD, or bring your own device, capabilities. The third is the supply chain, and third-party vendors. And fourth is insider threats, people that have inside knowledge and access to your corporate networks.
Now, most companies have been focused on protecting their services and endpoint devices, and a lot of them have been doing a pretty good job, but there's clearly--more focus is required on the supply chain and with third parties and our vendors.
Just this last year, we've seen the importance of protecting the supply chain and our third parties with compromises at SolarWinds, even at Microsoft and Kaseya, where the threat actors used these compromises at these companies to then turn around and compromise their customers.
MR. JOHN: Very interesting. So, I'd like to pull on that thread of supply chain a little bit more. How is Amtrak partnering with the supply chain to improve your cybersecurity posture?
MR. WHALEY: Well, at Amtrak, we have a lot of heavy equipment, like train sets. These heavy pieces of equipment tend to have a 10- to 30-year lifespan. Now, today, most of that heavy equipment has a lot of technology embedded in it. New train sets are often referred to as datacenters on wheels.
And historically, our original equipment manufacturers, our suppliers, our vendors have really had a "set it and forget it" mindset when it came to the technology embedded in this equipment. You know, with the evolving threat landscape that I've just described, with all the attacks on suppliers and supply chain, we can no longer afford to have that type of mentality of "set it and forget it" when it comes to the technology. And we're having conversations now with our suppliers, with our vendors, with original equipment manufacturers, to ensure good IT cybersecurity hygiene practices are incorporated into this heavy equipment.
So, remember, I said the life cycle of heavy equipment might be 20 or 30 years, but the technology lifecycle might be refreshed every 5 or 6 years. So, the technology might be refreshed five or six times during the lifespan of a heavy asset. So, strong cybersecurity controls and monitoring need to be baked into solutions rather than bolted on, or not at all.
MR. JOHN: You know, it's so thrilling to hear that, Jesse. We've recognized that, as well, which is why we've sort of started these strategic partnerships with our customers just to address that very issue. Jesse, I'd like to thank you so much for joining me, fascinating information. And have a good day.
MR. WHALEY: Thank you, Kurt. It's great to speak with you again.
MR. MARKS: Welcome back to Washington Post Live. Once again, I’m Joe Marks. I’m a cybersecurity reporter at The Washington Post, and I write The Cybersecurity 202 newsletter. And joining me now is SolarWinds CEO Sudhakar Ramakrishna. Sudhakar, welcome.
MR. RAMAKRISHNA: Good morning. Thank you for having me.
MR. MARKS: Thank you so much for being here. I want to start with a report from Microsoft that came out on Monday detailing efforts by the same Russian government-owned hacking group that went after SolarWinds--they call them Nobelium; it goes by a whole bunch of different names--has increased its activity. Microsoft has sent out alerts for about 140 organizations that have been targeted, mostly with relatively simple attacks--right?--you know, password spraying and phishing attempts. What’s your take on this report?
MR. RAMAKRISHNA: First of all, I’m not surprised by it. As you know, Joe, we have been the victim of a fairly significant attack back in December that we reported back in December of 2020. Even as we investigated our attack and took corrective steps, we got information from various agencies, including outside the U.S., that they were actively addressing supply chain attacks. And since then, as you even have reported, there have been other attacks, including on Microsoft and Kaseya and more recently on the Colonial Pipeline, as well. So supply chain attacks, unfortunately, and ransomware attacks, are on the rise. And while I cannot attest to the exact numbers that Microsoft reported in its blog, it’s not surprising given the number of enterprises that depend on software and digital transformation these days.
MR. MARKS: You mentioned the danger of supply chain attacks, especially those that go after cloud service providers and software providers, which is one of the things SolarWinds dealt with and also in the Kaseya attack. They can go into one organization, put a lot of effort into getting into that organization, and then get to all of their customers. What kind of new dangers does that present for the ecosystem?
MR. RAMAKRISHNA: Ecosystem is the right term in this context, because as developers of software, we’re not entirely dependent only on software that we developed. When we deliver products to customers and solutions, we also leverage third-party, including in many cases open-source software. So it is not a one vendor or one company issue; it is a broader ecosystem issue that we all have to be vigilant to.
And whereas previously cybersecurity and security at large was somewhat of an afterthought and was not considered as integral to supply chain even though software science always encouraged developers to think about security as they designed their software, now it’s taken a new and heightened significance that we must all pay attention to. And the most important thing here, going back to your term of ecosystem, is collaboration amongst the ecosystem to share knowledge, best practices, threats, threat intelligence freely so that we are able to more securely deliver solutions to our customers and keep their environments safe as well.
MR. MARKS: You mentioned security being an afterthought in the past. Why--you know, for people who are outside of this industry, if you just meet someone at a dinner party and they ask you why are we so insecure in 2021, how did we get here, what’s your answer to that?
MR. RAMAKRISHNA: First of all, we are a very trusting group of people, and unfortunately, that opens up challenges as it relates to security as well. So it is not a matter of negligence as much as trust, and there’s a lot of priorities placed on speed of delivery to our customers. That sometimes causes us to create tradeoffs. I believe what 2021 has taught us is that security and speed of innovation, or speed and product capabilities, are not incongruous and they go hand in hand together and must be addressed as such. That belief system always existed, I would say, except that it wasn’t fully actioned. And so the events of 2021 have caused all of us in industry and in the public sector to get a wakeup call, so to speak.
MR. MARKS: You said in a recent interview that some of SolarWinds customers were spooked by the attack in December. They were the minority, though. Why is that? Why wasn’t this more spooky and terrifying for your customers--give it a Halloween tinge.
MR. RAMAKRISHNA: There are many layers that are involved in an attack, as you know, Joe, before any possible damage happens. So I’ll give one example of why it did not impact a lot of our customers. Specific to the SolarWinds attack, even as we delivered code that, let’s say, was compromised and was deployed at a customer’s site, for the threat actor to do anything, they had to first and foremost gain access back to the internet and connect to another server in the internet. And most of our customers configure their firewalls such that our product is unable to go to the internet. So when that happens, even though their malicious code was in the enterprise customers’ premises, it didn’t really do any damage. It was essentially inert. So as we sifted through our various customer datapoints, we decided and discovered that not many of them were actually impacted.
MR. MARKS: Is there a--you know, a number of the ones that were impacted, however, included federal agencies and some really kind of scary customers. Is there a mismatch in the--is there a mismatch in the concern that various organizations have about these kind of breaches? I mean, if we want to reach a point where security is at the point that it needs to be, should there be more fear?
MR. RAMAKRISHNA: I would describe it in the following way. Instead of being anxious and fearful, we need to be conscious and urgent in our actions. So internally, the way we describe it is constant vigil, meaning you’re constantly looking out for what could happen, what may happen, think like threat actors, and so on; constant learning, because you’re always learning something; and then obviously you’re implementing based on that. So I would say consciousness and urgency are more critical to make us secure and safe than fear-based tactics, because that causes you to do a lot of artificial things that may be unproductive in my opinion.
MR. MARKS: I talked to Senator Peters earlier about congressional efforts to mandate cyber incident reporting among large swaths of critical infrastructure, including IT and software firms. This is also similar to a question asked by one of our audience members, Justin in Maryland. Do you support a requirement like that, and how do you think it should be formed?
MR. RAMAKRISHNA: I do support it. There are a couple of factors that we need to take into account. One is, we should report it so that there is immediacy of information sharing. And one of the things that we have requested is to have a single clearinghouse to be able to do so. In other words, there are multiple agencies today that we can go to. CISA is becoming more and more the de facto, and the government centralized on CISA and provides it as a clearinghouse for all of us to go and share our information, as well as learn from them. That would be a huge step forward, I would say. It seems basic, but it is a huge step forward. But I am a supporter of reporting.
At the same time, one of the things that we need to be very conscious of as providers of software to other companies is what is the implication of reporting and what is the level of confidentiality of that, because ideally when you see an issue, especially a security issue, as you report, you need to also have the inoculation, so to speak, of it, of the remediation steps from a software standpoint. So those will need to go side by side, I would say.
MR. MARKS: Do you have a position on whether 24 hours is long enough to make reports like this? Is it long enough for some large companies but not smaller companies who are still figuring out what’s going on? Do you have a sense of how broadly this mandate should be implemented?
MR. RAMAKRISHNA: I--my opinion is that the mandate should be broad and should cover IT and software. In terms of reporting windows, the nature of these incidents is that you never have complete information. So as long as there is an understanding that information will evolve--and sometimes the initial impression that you may have on what happened could be completely false and then you may have to reset it. That shouldn’t be viewed as ineptitude or negligence as much as continuous discovery. So as long as there is empathy built on both sides of it, then I would say a 24-hour window is as good as any because the initial compromise has to be reported in the fastest-possible manner such that every possible resource is brought to bear to address the issues at hand.
MR. MARKS: That’s interesting. I think that puts you in the minority among people on the industry side. Why do you think so many others are concerned that their information isn’t good enough at 24 hours, or that it could take away from the response to the incident itself?
MR. RAMAKRISHNA: Let me put it this way. I wouldn’t say that I’m in the minority in terms of the thought process as much as I think there is a fear or a concern on part of private industry in terms of the amount of time that we will be sucked out of in terms of the reporting and analysis and the bureaucracy of the matter versus actually taking care of the issue at hand and resolving it. So that is a real issue that we must all align around what is the level of information content, what is the level of touch, and so on.
The second concern and fear I would highlight is that there is this notion of victim shaming. If you come out and say you were compromised, there is somehow a negative attribution to that, and then not to mention lawsuits and other punitive measures. So what enterprises need to be quick and timely with regards to reporting is an understanding that those are non-issues or those issues will be fairly addressed. And that causes the hesitation, in my opinion.
MR. MARKS: Does some of your perspective come from having lived through perhaps one of the most extreme cyber events of the last half decade or so? And what lessons have you taken from that that you would share with your industry colleagues?
MR. RAMAKRISHNA: Definitely. My experience is definitely shaped by my experience not just at SolarWinds but in previous companies, having run a security software company as well as dealt with many customers who have gone through security incidents unrelated to even myself or my company. I consider myself part of the software community at large, and I consider myself part of the broader IT community. And in my opinion, no single company, no matter how large you are, how good you are, how many resources you have, you are immune to these issues, as has been evidenced multiple times over just in 2021.
So that has shaped my thought process on public-private partnerships--the need for collaboration, the need for urgent action, the need for us to be constantly humble because that has a connotation of learning all the time and improving and the need for communicating around this. It does take effort on our part, but my belief is that more and more of us that can do it, we will actually make it safer for all of us as well, and in the long run actually less expensive and more productive.
MR. MARKS: Another topic I discussed with Senator Peters is these minimum cybersecurity standards that government is now imposing on pipelines, perhaps in other sectors, and they’ve opened the possibility of doing this more widely with critical infrastructure, presumably including the IT and software sector. What is your take on that? Are government regulations necessary at this point?
MR. RAMAKRISHNA: I would say government regulations and recommendations are absolutely necessary in the spirit of public/private partnerships. At the same time, I like to say that the private industry has to take accountability in driving behaviors, driving processes, collaborating not just amongst their private industry but across the public sector. Going back to the reference you had earlier in the conversation about the term ecosystem, we need to more and more recognize that we are part of an interdependent ecosystem that we need to contribute to even as we compete with others based on value and other factors to serve our customer needs.
MR. MARKS: Industry has in some cases been slow, though, to take up the baton. You know, a lot of these breaches are shared passwords and not having multifactor authentication and all of the basic things that, you know, individuals are told to do. Why is that, and what can industry do proactively to change if it hasn’t happened yet?
MR. RAMAKRISHNA: There are multiple factors in this--in this regard. One is the level of cyber awareness--software awareness across industries is fairly limited, I would say. And as much as the industry has exploded over the last let’s call it 30 years, it is still early days. And so ultimately, if you think about cyber incidents, a lot of them can be attributed back to human behavior. So you can put all the technology assets in place, technology controls in place, but it goes back to awareness and behavior of humans at the most basic level. So constant education is very, very important.
So when we think about public-private partnerships, contributions will have to be made, in my opinion, on even things like education about software and security, regardless of whether some student wants to go into those fields or not, but about the awareness of those and the implications of not being fully aware of those. And so that needs to graduate to colleges, including community colleges, universities, and into professions. So I feel that is a significant thing, thinking about national security and security at large that we must all pay attention to.
MR. MARKS: You’ve talked about public-private partnerships quite a bit, which is one of the favorite words of the administration right now. But you’ve also talked about some of the difficulties--right?--you know, the numerous federal agencies you have to report to, you know, hoping that all of that can be combined into CISA. How, overall, would you describe the relationship between government and industry on cybersecurity right now? Is it where it needs to be, and what needs to change if it’s not?
MR. RAMAKRISHNA: I would say the relationship has taken a good first step or a good first few steps. It is clearly, in my opinion, not where it needs to be because a lot more work needs to be done by both sides. I’ll highlight a few aspects of it. I think Senator Peters talked about when there’s burglaries happening in your neighborhood, the police want to know and you want to know what happened. That requires two-way information sharing. Today I would say a lot of the information sharing is asymmetric, meaning we are required to report, and we generally report, but then there’s not a lot coming back from the public sector. And to some degree, I understand their limitations. But the more symmetric that relationship becomes, I believe more aware and more sensitive all of this will become. So that’s a--that’s a step that needs to be taken.
The second is around the single clearinghouse that is required, because too much time and information is lost in figuring out who you need to communicate to. So centralizing it, simplifying it will be a huge step in the right direction as well.
And the third piece was either real or perceived punitive measures, the notion of victim shaming, those types of measures will have to be softened. And at the same time, I’m not suggesting that accountability doesn’t matter. Accountability matters, which is the reason why they have to come up with proposals, including some of the things that the Cyberspace Solarium Commission mentioned, and so on.
MR. MARKS: One of the things that both industry and government have struggled with is filling the ranks of cyber workers. There’s a report out this morning from ISC2 that finds a workforce gap of more than 350,000. Other estimates are more than 400,000 in the United States. How are you looking at filling jobs, and do we need to try fundamentally different tactics to find cyber workers?
MR. RAMAKRISHNA: Absolutely. It kind of goes back to the basics. As I was mentioning early in the conversation, we need to start at high school, community colleges, university levels and certifications. You must not necessarily go to grad school, let’s say, or you need not go to a high-end college to be cyber aware. You need to be--and when I say cyber in this context, it’s broadly software. And the reason I mention that is there are two elements to security, at least. One is security as it relates to building of software itself, meaning it’s not separate from software. And that’s the reason I call it secure by design. And two is the environmental aspects of it, the usage aspects of it. So those two both have to be addressed. And in terms of education, as I mentioned, community colleges, universities, continuous training of the workforce and building of the workforce, and being able to invest in people who may not come from that background and educate them and train them in that background. I think that’s an obligation that we have to take on as an industry. And from SolarWinds’ standpoint, we are definitely committed to doing it across the board.
MR. MARKS: We’re going to have to leave it there. Thank you much for joining us, Sudhakar.
MR. RAMAKRISHNA: Thanks a lot. Thanks for having me.
