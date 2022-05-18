

MR. MARKS: Hello. Welcome to Washington Post Live and our “Securing Cyberspace” episode. My name is Joe Marks. I’m a Washington Post reporter, and I write the Cybersecurity 202 newsletter you can also subscribe to. I am joined today by‑‑first, by two members of Congress. We have Representative Michael McCaul, Republican of Texas, and Representative Elissa Slotkin, a Democrat of Michigan. Thank you both for joining us.

REP. McCAUL: Thank you.

REP. SLOTKIN: Thanks for having us.

MR. MARKS: And I should mention‑‑oh, thanks. I should mention Representative McCaul is the founder of the Congressional Cybersecurity Caucus way back in 2008. Representative Slotkin is a member of that.

We're going to have two panels today. If you stick around, we'll speak with Bob Kolasky, of Exiger and formerly of the Cybersecurity Infrastructure Security Agency, later.

And I'm going to ask most of the questions, but I hope you guys will join with some also. You can tweet those at @PostLive.

So I want to begin with Russia. Representative McCaul, how concerned are you about Russian cyberattacks hitting the United States or NATO allies as a result of the conflict in Ukraine?

REP. McCAUL: Well, you know, first, to step back, there's a lot of talk that Russia had not conducted a cyberattack in advance of the invasion. That's just simply not correct. They did attack the satellite systems to bring them down. That's why Elon Musk brought Starlink into the picture to provide the ability for Zelensky to be able to project around the world.

But they also hit a lot of command‑and‑control systems, the parliament, a lot of other government entities, but not with great success. They were successful on the communication towers and the satellite systems, but with respect to threats to the United States, of great concern, they have demonstrated the ability to do this in the past. I think Colonial Pipeline is the best example of that, a very destructive attack, a denial‑of‑service to bring down critical infrastructures in the United States.

They conduct two types of cyberattacks in my judgment. One is sort of an organized criminal ransomware‑style attack, and the other one is a more, you know, destructive attack. They're both equally capable of carrying that, those types of attacks in the United States. Ransomware is very prevalent in the United States right now.

And, you know, they also attacked Finland and Sweden after they agreed to be part of NATO with defacing their websites and with DDoS, denial‑of‑service attacks. So they've been very active in this space.

MR. MARKS: Representative Slotkin, as Representative McCaul laid out, a lot of people initially thought that there wasn't a great cyber component to this conflict. As we're learning more and more, it seems there has been some. What's your assessment now on the role that cyber is playing in this conflict?

REP. SLOTKIN: Well, it's interesting. I agree with Representative McCaul that they have used it, but I'm sure many of us were thinking that they would have launched some sort of cyberattack, serious cyberattack in the United States in response to our support for the Ukrainians. I just think it's been interesting that they have not done that. I interpret it as them not wanting to pull us further into the conflict, that as they've had some failures and some problems, they don't want to further, you know, globalize the conflict and potentially risk us getting in it in a more serious way, but the capability is there. It is not for want of capability, as we know.

And I just think it's an extremely interesting conflict from a cyber perspective, A, because they used it, as Representative McCaul said, but also there's just a whole lot of different tech, cyber currencies that are being used by the Ukrainians to help fund themselves. I mean, it's just a very sort of interesting place in history to have a war with so much cyber going on. So I think it's notable.

MR. MARKS: Yeah. Did you expect‑‑do you expect things to stay as they are now, that there won't be major attacks against the United States, or is that going to change as the conflict drags on?

REP. SLOTKIN: I don't think‑‑

REP. McCAUL: I mean, I‑‑oh, I'm sorry. Go ahead.

REP. SLOTKIN: Go ahead, Mike. Go ahead.

REP. McCAUL: You know, I think Elissa is correct. I mean, I think they're very careful not to trigger Article 5. They know if they attack a NATO power, that could potentially trigger that. In fact, in 2014, after Crimea, NATO did come forward saying a massive cyberattack would constitute a triggering of Article 5.

But I think the broader point here is there are no rules in the international space on cyber warfare, cyberattacks, would this legally trigger Article 5. But I think Putin has been very careful not to go to that point, and I think, to Elissa's point, an attack on the United States would, in fact, trigger that. And that's why I think you haven't seen that kind of attack, you know, in the United States.

You know, I stood up CISA into law. So that's‑‑you know, we do a good job, DoD and NSA, on the offense. CISA is sharing information with the private sector.

But, Joe, the real deficit here is on the international stage. My Cyber Diplomacy Act, we hope to get passed out of the Senate, which would lay basically an ambassador‑at‑large position to negotiate norms and standards with our NATO allies and partners with respect to what is an act of cyber warfare, what is an Article 5 trigger in cyberspace, and it's desperately needed.

MR. MARKS: Are you concerned that that ambassador hasn't been appointed yet?

REP. McCAUL: Yes, I am, and I don't know why the Senate‑‑they want to‑‑they like the bill. They're just kind of holding onto it to put on another piece of their legislation. I think the State Department is going forward, but we really need to appoint that ambassador position.

MR. MARKS: Representative Slotkin, it sounded like you were going to weigh in.

REP. SLOTKIN: Yeah. I just wanted to foot‑stomp Mike's point about the need for norms and standards, right? The average American just does not feel like they are protected from cybercrime.

You know, I had all of my superintendents from my K‑12 schools in town a couple of months ago, and I said, "Raise your hand if you've ever been the victim of a ransomware attack at your school," and every single hand went up, right? It's just become mainstream that people get attacked, their identities get stolen, and sometimes it's just for money. But it has the same effect on the public.

And Mike's right that we have good offensive tools. Of course, we can't talk about them, right? So the public doesn't understand what we can do on the offensive side, and they still don't quite understand like the 911 line that you call when you have one of these major cyberattacks. So I think there's some education to do.

But there's also the need for doctrine, right? So if, for instance, God forbid, the Russians or the Chinese attacked infrastructure, you know, our natural gas infrastructure in Michigan in the middle of winter and 26 elderly people freeze to death in their homes, what is the right proportional response for the United States? What do we do back to that nation state where those attacks are emanating from? We don't have real doctrine on this, and we certainly don't have anything like an arms control regime for cyber that lays out the rules and standards for the international communities, but that there's some sort of agreed‑upon framework by which we prosecute these new wars, basically.

MR. MARKS: You know, one of the problems we've always run into in the past when we look at norms and rules of the road in cyberspace is you can get allies to agree to things. You can't get Russia and China to agree to things, and when you do get them to agree to things, they tend to be pretty watered down and open to interpretation. Is there a way to get around that, and is there a use for these things if the nations who are perpetrating the worst attacks aren't parties to the agreements?

REP. McCAUL: Yeah. I think getting four nation adversary states to agree to anything, particularly cyberspace doctrines, I think it would be extremely difficult. You know, they profit off of this. Iran uses it to get around the sanctions. North Korea uses cyberattacks to steal, you know, bank accounts. Russians are using it to get around the sanctions. And it's in their best interest not to agree to anything.

I remember and Elissa remembers this attack on OPM by China when they stole 23 million security clearances, including mine and I'm sure Elissa's. Very disturbing, but yet there were no consequences, right?

So I know just‑‑you know, I've got five children, right? So I boil this down to very basic‑‑if my children, if there's bad behavior and no consequences, bad behavior continues. And I think they've been getting away with this for a very long time, and it's because we haven't quite gotten a handle on cyber as an act of warfare, cyber as an act of‑‑you know, when they steal intellectual property. What are the consequences? There are no consequences today. I think there will be tomorrow.

MR. MARKS: So what are those consequences going to be, Representative Slotkin? I mean, we've tried sanctions, and we've tried indictments. None of the things that have happened so far have had much of an effect. Is there something left in the toolbox that we haven't tried yet that we would be willing to try?

REP. SLOTKIN: Oh, yeah. I think that there's a lot of tools left in the toolbox, but it means the United States doing something that we don't do a lot or we don't like to do, which is sort of mixing our military policy with our economic policy and just making sure that people understand that if we want to stop‑‑if we want to put some punishments in place, if we want to have consequences and build back deterrence on cyber threats, those consequences are not just about a military response or an offensive cyber response, but maybe your access to the international financial system is in question. Maybe the free trade that so many of our adversaries enjoy, they don't have access to. I'm thinking of China, in particular, right? They have full access to the international system and none of the consequences when they steal intellectual property or allow cyberattacks to be launched from their soil.

So, for me, it's about doing something we don't do that often here in D.C. and mixing and kind of being very deliberate about the economic consequences of launching these types of attacks.

REP. McCAUL: Yep.

MR. MARKS: Representative McCaul, do you think is there stomach in Washington to impose those kinds of economic consequences on a nation like China that is a huge trading partner?

REP. McCAUL: Well‑‑and I agree with Elissa‑‑we need to‑‑we need to look at the economic consequences and both military response. You know, I think, you know, it's a lot easier to sanction Russia than it is China for a variety of reasons. One, we're not intertwined with their economy the way we are with China, and we are so dependent on supply chains coming out of China, that being, you know, medical that we sought for COVID, rare earth minerals, and semiconductor chips, sadly. The CHIPS for America Act, I hope we get that passed. It would be very difficult to sanction China, just given the interrelationship and our economies of scale.

And also, the other point that Elissa has talked about is, you know, this whole central bank digital currency, the digital yuan. Our concerns down the road‑‑and also through Belt and Road, they're going to‑‑they're going to force a digital yuan in a lot of different countries, which will tie them to the China central bank digital currency, which over time, if it could rise to the level of the dollar on the world stage, could surpass and evade the SWIFT sanctions, you know, the SWIFT system, where they could use this central bank digital currency to evade sanctions. And I think that technology‑‑quite frankly, Russia is not there‑‑and the interrelationship in our economies makes China far more difficult to sanction.

MR. MARKS: I want to move on to what you folks are doing in Congress. The biggest cyber legislation of this Congress so far‑‑and quite a few Congresses‑‑has been the Cyber Incident Reporting Act, which requires companies in critical infrastructure sectors, such as transportation, energy, and so forth, to alert CISA, the Department of Homeland Security, when they have a cyber incident. Is that going to be enough to really turn the tide on all of these cyberattacks and ransomware attacks, and are we going to reach a point at which the government is really going to have to step up its cyber regulation and mandate certain minimum requirements for companies?

Representative McCaul?

REP. McCAUL: Great question, and I think that's the piece left undone domestically.

You know, again, I stood up CISA into law. We've provided a lot of resources now. I think they‑‑initially, do they have the capability, DHS, to do this? Capabilities have increased exponentially. The one thing they need as a tool is this critical incident response system, so that when a company is hacked or attacked or ransomware. You know, the average company, because of fiduciary duty to the shareholders, are not‑‑they don't want to share that information with the federal government, and that would be CISA at DHS. You know, that's a knee‑jerk response.

But, if we had a mandatory reporting requirement that could basically sanitize as we do classified information, we don't care about the company's name itself, sources or methods. All we care about are the codes, the ones and the zeroes, so that we can apply that across the board and across the country so that companies can patch their networks to protect them from that kind of attack.

One good illustration of this, Joe, was when Russia launched the NotPetya virus. It was supposed to be very targeted to shut down the ports in Ukraine from the Black Sea, but what happened was it infected Maersk, which is the largest shipping company in the world, and it literally shut down the Los Angeles port for a matter of days. That's the kind of thing that, you know, you want that warning in advance so you can protect companies here in the United States.

MR. MARKS: Representative Slotkin, I want to get back to that question of‑‑we have the Cyber Incident Reporting Act. It's being implemented over the course of a couple of years. Is that going to be enough, and at some point, do we need to start mandating certain cyber protections for companies?

REP. SLOTKIN: Well, I think we're already kind of walking down that road, particularly with folks who are contractors for the federal government. I mean, it's no longer sort of socially acceptable to just let your cybersecurity kind of be a willy‑nilly affair if you're looking for government contracts, and I think that's the beginning edge of what's just going to become normal, which is we're going to want to know before we do business, what your cyber hygiene looks like.

I mean, I've even thought about whether we create a standard and there's like a stamp. Just like you stamp food organic, you stamp a business. You know, they've got good cyber hygiene. So you know that it's worth doing business, sharing your personal data, contracting with the federal government, whatever it is. So I think we're moving in that direction, and I think that, you know, this is obviously harder for mom‑and‑pop shops that don't have the cybersecurity expertise, maybe don't have the money to hire, but for some of our bigger companies, they're already hiring private cybersecurity firms. They should, and I think that's going to become standard for our significantly sized businesses across the country, if it's not already, and I think that's a good thing.

I remember‑‑you know, we all remember in the '90s when, you know, the World Wide Web was just starting out, and it was like socially acceptable for your business to get your web page made by your 14‑year‑old nephew, and then at some point, that wasn't acceptable. You had, you know, professional companies that did your web page because it was outward facing, and I think it's the same thing with cybersecurity. It's just no longer okay to just have someone kind of do it willy‑nilly. You've got to hire out.

MR. MARKS: You mentioned mom‑and‑pop shops. You talked earlier about the ransomware threat facing schools. I checked with the firm, Recorded Future, before we did this. They are‑‑they track this regularly. They said 150 attacks that have‑‑ransomware attacks have hit 150 school districts last year, 50‑some so far this year, a little more than a dozen of them in the United States. These numbers keep growing. Is there more that the government should be doing to help schools and small businesses defend from ransomware attacks?

REP. SLOTKIN: Yeah. I actually had a bill that was signed into law that's the K‑12 Cybersecurity Act that is literally helping to provide expertise and resources to our schools so they can learn how to defend the kids' data online.

There's a bunch more that we need to be doing. I think Mike was right when he said there's just no deterrence, right? I mean, if you're a group of folks and you're sitting in the middle of Russia or China and you carry out an attack and you succeed and there's no penalty, there's no punishment, then the next week, there's going to be five groups that are going to do the same thing and ten groups and more and more sophisticated attacks. We have zero deterrence in the cybersecurity fight. So I think we need to be treating it as sort of a five‑alarm homeland security issue, and we're not, right? We haven't had our‑‑the attack on the Colonial Pipeline, some people say it was kind of like the attack on the USS Cole, right? Remember the USS Cole in Yemen before 9/11? And that at some point, we're going to have our cyber 9/11, and it's going to wake everybody up. Everyone in America is going to say, "What the heck have we been doing? Why have we been letting people get away with this?" And I think we need to be trying to get ahead of that cataclysmic attack before it happens.

MR. MARKS: Representative McCaul, I mentioned earlier that you've cofounded the Congressional Cybersecurity Caucus. That was way back in 2008 when you and Representative Langevin, the other cofounder, were just a handful of members that were paying attention to these issues. How do you think Congress' understanding of and ability to deal with these issues has developed during that time period, and are they‑‑are you as a body in a place to respond to the cyber USS Cole at this point?

REP. McCAUL: Great question. Jim Langevin is a great partner on this issue and my go‑to Democrat. I'm going to miss him. He's retiring. But when we formed the Cybersecurity Caucus many years ago, nobody even understood what it was, and it would be kind of like cryptocurrency today. A lot of members have no idea what that means.

And I always say we were into cybersecurity before it was cool to be into cybersecurity. You know, and since that time, Joe, we've been‑‑we formed the caucus to really raise awareness to the members of Congress about how important this issue is, and I think, you know‑‑well, I think Jim and I had the foresight and the vision to know that this is going to be a major issue in now 2022, and now it is. And I think most members now understand because of the threat. They know what a cyberattack can do, and the fact, like Elissa talked about, so many mom‑and‑pop shops now being impacted by this, it certainly raised the awareness, legislative agenda. Back in that time, we didn't even have a cyber mission at DHS. We had the three bubble charts, right? There's DoD, offensive; FBI, investigation. And instead of putting this information‑sharing vehicle at NSA, where a lot of people wanted it‑‑and, of course, Snowden happened and made it almost impossible to do that‑‑we decided a civilian agency to share information with the private sector probably made, you know, the most sense. And that's how we came down with this decision to put it, you know, at the Department of Homeland Security.

And the last point, you know, we did‑‑one of the tools CISA has are these critical incident response teams, or CIRTs, these flyaway teams that can literally go in after a breach, but also, they can go and do diagnostic checks to any small business that would like them to go in and sort of do an evaluation about their cybersecurity hygiene, whether they're secure or not. And I would encourage people to use that.

MR. MARKS: I want to jump to disinformation for a second. The Homeland Security Department, there was reporting this morning, is pausing, may abandon its Disinformation Governance Board, which got a lot of flack from the right, concerns that the government should not be the arbiter of disinformation.

Starting with you, Representative Slotkin, good idea, bad idea? What role should government have in disinformation?

REP. SLOTKIN: I'll be honest. I'm on the Homeland Security Committee, and this thing sort of popped in the press and then was reported to have been suspended in the press before we even got a formal brief on it. I mean, we never even heard officially on this office, and so I can't tell you much more than, frankly, what's in press, and obviously, even the name, I think, is‑‑raises eyebrows, period.

I do think we have a problem particularly with disinformation, and while it's controversial, the place to start for me is foreigners putting purposeful disinformation and misinformation on American airwaves, in American social media. That to me feels like something we should all get behind.

REP. McCAUL: Yeah, yeah.

REP. SLOTKIN: And while it's a much more murky conversation when you come to sort of freedom of speech issues for Americans, I don't see why anyone would want Russian or Chinese propaganda coming across our airwaves. So I think that to me is certainly a place we can agree and a place to start.

REP. McCAUL: Yeah.

MR. MARKS: Representative McCaul?

REP. McCAUL: Can I‑‑you know, I completely agree, 100 percent, with what Elissa said because anytime you start trying to regulate domestic speech, you get into First Amendment issues and political speech, and it's just a‑‑even the whole domestic terrorism issue. It becomes more dicey.

I know when we passed, you know, the‑‑you know, after 9/11, legislation that deals with, you know, foreign nationals, and it's a lot easier to designate terrorist organizations, you know, of foreign designations than it is, say, domestically, and when you do it domestically, you get into a lot of political problems and free speech issues.

And, you know, I agree with Elissa that‑‑Secretary Mayorkas even admitted that the way he rolled this thing out was inadequate. No members of Congress had any briefings or knowledge that this was going to happen. So I think they did a terrible job rolling this thing out.

And I do agree that, you know, there's a lot of disinformation and always has been for quite some time coming from Russia and China and other countries, and that's to me a bipartisan effort that endangers our national security. We've got to be really focused on that issue.

And, you know, as I take that, you know, what's happening in Ukraine, for instance, and the Russian disinformation, China disinformation, to back to Russia's interference in the elections in 2016, to China's interference in the presidential elections going back in the '90s when I was a DOJ federal prosecutor. I prosecuted Johnny Chung that led us to the director of Chinese Intelligence and China airspace, putting money in his Hong Kong bank account to influence the presidential elections. So it's nothing new for them.

And then when you look at Taiwan and China right now, when you look at what happened in Ukraine, we worry about Taiwan. I predict that President Xi is looking at the military invasion as a less palatable option, and perhaps a disinformation campaign would be the way they would proceed, particularly when you look at President Tsai's term ending in two years, and there will be another national election.

MR. MARKS: That's very interesting.

Thank you very much, Representative McCaul, Representative Slotkin, and thank you, everyone, for joining us here. We're going to be back quite shortly with the second segment with Bob Kolasky. He is the senior vice president of Critical Infrastructure at Exiger, former CISA guy. Please stick around with us.

REP. McCAUL: Thanks a lot.

[Video plays]

MS. KELLY: Hello. I'm Cipher Brief CEO and publisher, Suzanne Kelly. The Cipher Brief is a national security‑focused media organization that puts issues vital to national security in the forefront, and that's why I am delighted today to be talking about how recent events are impacting cyberthreats to businesses in particular.

And joining me to talk about this is Shena Seneca Tharnish, vice president of Secure Networking and Cybersecurity Product Solutions at Comcast Business.

Ms. Tharnish, thanks for joining me.

MS. SENECA THARNISH: Glad to be here today. Thank you, Suzanne.

MS. KELLY: You know, I wanted to start a little bit by talking about the cyber threat landscape that we find ourselves in today. We're just coming through a pandemic that disrupted how companies really do business, making it more challenging to ensure the security of their networks, their data, and of course, their digital assets.

I'd like to ask your thoughts on two things. One, how cybersecurity needs have changed, and then how you think the role of service providers has changed as well.

MS. SENECA THARNISH: So, to answer the first part, Suzanne, I would say, you know, cybersecurity needs have changed post‑pandemic due to the shift in assets outside of the traditional business perimeter. With this distributed workforce, you also have distributed data, and businesses are catching up to extend the same data center‑level defenses that they had pre‑pandemic to the distributed ecosystem they have post‑pandemic. So, in my opinion, this shift combined with the increase in devices has caused the most significant disruption to cybersecurity.

And regarding the second part of your question, the role of the service provider has changed in several ways. Pre‑pandemic, most businesses were looking to service providers to support their brick-and-mortar locations with connectivity and services in those buildings. Post‑pandemic, there became a tremendous dependency on capacity and reliability for these businesses to support their employees and customers wherever they may have been so‑‑and they were no longer in those brick-and-mortar offices.

So service providers worked feverishly at that point to increase capacity for businesses to allow customers and employees to engage with them digitally inside and outside of the office.

MS. KELLY: Let's talk about some of the actionable steps that companies can take to protect their networks. Now, what do you recommend that businesses do right now to adapt to protect their systems and to keep these networks secure?

MS. SENECA THARNISH: Actionable steps that companies can take to protect their systems and networks right now go across people, process, and technology.

First, you need to make security an agenda topic in each strategic business discussion, from the top down and back up again. Include security considerations at the beginning of your planning phases. Don't make it an afterthought. Security risks and gaps and implications and practices should be discussed at every level and actively managed as part of strategic programs.

And then, second, if the company does not already have a well‑documented and practiced security program in place, you should make it a priority. The program should include regular risk and vulnerability assessments and practices that include tabletop exercises that simulate what stakeholders will actually have to do in the event of a breach. You change the mentality to when it happens instead of if it happens, and this prepares the business to act swiftly in the event of a compromise, which will limit impacts.

And then, finally, with technology, unfortunately, there is no silver bullet to address all the risks, and so you need to prioritize your investments by first defending the areas that have the greatest risk and impact to the business.

As you know, cyber requires defense in depth, and determining which investment should come first can not only be overwhelming but costly. So focus on technology investments where they can protect the most critical data and close known gaps.

MS. KELLY: Just in the last minute or so that we have left, I really would love to know how Comcast Business is seeing the opportunity for businesses to improve their network security.

MS. SENECA THARNISH: Areas to improve network security, you know, in this digital world, it really requires an end‑to‑end approach, but it starts with the network, and, you know, with the network, you need to have architectures that aim to reduce latency and provide for those sensitive systems and applications while also providing tools to control access and communication to that data and systems and so forth.

Security policy should be enforced with secure network solutions that can also segment traffic and limit access, and Comcast Business has secure networking and cybersecurity solutions to help enterprises improve their security in this digital era, and we have managed SD‑WAN that enables advanced security functions, both locally on premises and in the cloud, which allows this remote workforce to securely access systems and applications from anywhere.

MS. KELLY: Shena Seneca Tharnish is vice president of Secure Networking and Cybersecurity Product Solutions at Comcast Business. I want to thank you so much for joining me to talk about this today.

MS. SENECA THARNISH: Thank you, Suzanne.

MS. KELLY: Now back to my colleagues at The Washington Post.

[Video plays]

MR. MARKS: Welcome back. Once again, I am Joe Marks. I write the Cybersecurity 202 newsletter for The Washington Post, and I am joined now by Bob Kolasky. He is senior vice president for Critical Infrastructure at Exiger and formerly an assistant director at the Cybersecurity Infrastructure Security Agency.

Bob, how are you doing?

[Pause]

MR. MARKS: We're having a little trouble getting audio on Bob. I wonder if they're going to fix that for me.

I hear you now.

MR. KOLASKY: Okay.

MR. MARKS: Yep. I think I just heard you now, Bob.

So, presuming things are in shape now, I want to pick up where we left off with the lawmakers with the DHS Disinformation Governance Board. You worked at DHS. CISA did some mal‑information work. What's your take on the pausing of this organization?

MR. KOLASKY: So, first of all, I think it is a continuation‑‑can you hear me?

MR. MARKS: Yep.

MR. KOLASKY: It's a continuation, first and foremost. What we‑‑what I did while I was at DHS is I was working on this dis‑ and mal‑information as it pertained particularly to what Representative Slotkin was talking about in terms of foreign interference on our elections, on our democratic processes, and that was important work. And that work needs to continue because we can't allow foreign adversaries‑‑we as a country can't allow foreign adversaries to unduly influence things that are important to us as a country, and we have to take information‑‑bad information seriously as a homeland security risk.

I think what the department was trying to do was enhance the structure by which they were going to deal with bad information as a homeland security risk, and particular areas that I think DHS still needs to do more work on under whatever name they want to call it is what is their strategy for making sure that disinformation does not lead to violent activity and cause attacks on the homeland. That has to be an element. I don't think the department has enough attention on that strategy. I don't think the administration does at this point and so working on that strategy.

Other areas that are important, making sure that that strategy accounts for privacy and civil liberties, and one of the things that I know the department was trying to do through the board was take into account the protections that need to be in place to protect privacy and civil liberties.

And the third area that remains important is coordinated ways of the government working closely with social media companies to take down inauthentic foreign activity or activity that would‑‑is intentionally designed to incite terrorism, and so those are areas that are important.

I don't care what you call the structure. I agree with everyone who says that the Disinformation Governance Board was perhaps an inartful way of doing that, but I do think it's important that the Department of Homeland Security takes these issues seriously, and that the administration takes these issues seriously as a homeland security threat.

Another thing I had the opportunity to do a lot while I was in government is talk to our European allies who have dealt with this firsthand and the structures that they were putting in place to deal with this, particularly the European allies that were dealing with a more active threat from Russia, the Nordic countries, Finland and Sweden, what the UK was doing, what France was doing, and you see these countries setting up these structures, setting up new processes, and developing strategies to make sure that Russians and others can't cause harm to their national interests through disinformation.

That's what the department hopefully will continue to try to figure out the right way to do. Congress should be involved in those discussions. It should be done in a transparent way, but we need that strategy.

MR. MARKS: How are we going to get from here to there, though, given that, you know, so much of our populace doesn't trust what's‑‑doesn't trust information coming from the government when it's controlled by one party or another and isn't going to want to hear about disinformation depending on who's in office?

MR. KOLASKY: Yeah. I mean, I think you start with the term "disinformation," which is different than "misinformation" or "mal‑information." Disinformation is information‑‑information that is factually untrue, that is designed to cause harm, and the two areas‑‑again, it came up in your earlier conversation‑‑that are clear are when our adversaries, whether it's Russia, China, or Iran, as we saw in the 2020 election, when they're passing disinformation to undermine America's national interest. That could be a universal call that we as a country need to stand up against that disinformation. So, too, is disinformation that is explicit, against First Amendment, calls for violent activity.

So let's start by setting the threshold high in terms of what kind of disinformation we're talking about as a homeland security threat. We had some success in doing that in the last 15, 20 years as it relates to the international terrorism threat, and let's learn from that. Let's work collectively with public and private partners, let us as a country, address that information.

We need leaders who are out there and hopefully from both parties, who are out there calling for addressing misinformation.

MR. MARKS: So moving on to critical infrastructure, which is in your job title now, that's a really big category. Can you explain, I mean, first of all what government means when it says critical infrastructure, but also, where do you think the largest critical infrastructure vulnerabilities are right now?

MR. KOLASKY: Sure. You know, I'll talk from my former government perspective and then some of the observations I saw that I'd like to see some reform along the way.

So government has traditionally framed critical infrastructure in the sector structure that's laid out in policy documents, most recently Presidential Policy Directive 21, which has 16 critical infrastructure sectors: energy, banking and finance, financial services, water, chemical, commercial facilities, et cetera. And we called businesses in each of those 16 sectors "critical infrastructure." That was done intentionally to involve the private sector more in national security considerations, but I think what the government has done there is create a very large pool of potential critical infrastructure which sometimes makes it hard to separate between what is really critical and what is something that's important from a business continuity perspective but maybe isn't critical to national security. And what I'd like to see as government continues to evolve critical infrastructure policy is a little more delineation between the things that are really critical to the national‑‑nation's security, to our economy, to our communities and really put the focus there from a risk perspective, clearly, things like Colonial Pipeline in terms of critical infrastructure, energy facilities, electricity substations, communications companies, big banks. And that's where we should start with the most important elements of critical infrastructure are sharing information, prioritizing, understanding vulnerabilities of that critical infrastructure, including the digital technology they use, the suppliers there, and start there.

And I think from a risk perspective, it's not necessarily‑‑it shouldn't be the federal government's top priority, every commercial facility or every school out there. I mean, those things are important to communities, but the federal government needs to put attention to continuity of functions, critical functions, and that's where I'd like to see‑‑I'd like to see CISA do some of that work as it goes about defining what is critical infrastructure for the purpose of incident reporting legislation as well.

MR. MARKS: And what is that work going to look like? Because one‑‑we talked in the earlier conversation also about, you know, we finally got to the point of this incident reporting law where the critical infrastructure providers are going to start telling CISA when they suffer a cyber incident. You know, for these really critical functions that affect national security, are we going to reach a point where there is some kind of blanket rule that they have to have certain cyber protections in place, where the government is taking a more active role in ensuring that they're protected up front rather than hearing about it later?

MR. KOLASKY: I'm a big believer that the government needs to have confidence that that is occurring. That does not mean that the government needs to mandate how it occurs or necessarily be involved in the actual process by which that occurs, but it is absolutely important in the government's‑‑to accomplish our‑‑the government's national security and to protect its citizens to make sure that the most critical infrastructure‑‑I like the term that the Cybersecurity Solarium Commission adopted, and there's congressional debate about it, but systemically important critical infrastructure to make sure that there's demonstrated cybersecurity practices in place for the critical functions for systemically important infrastructure and for the suppliers of systemically important critical infrastructure. And I think that's where Congress' attention should be. Again, you know, the Committee on Homeland Security was doing great work in terms of coming up with legislative ideas on how to designate that systemically important critical infrastructure, and then have a conversation about what that means in terms of government information sharing, government relationships with systemically important critical infrastructure, and what benefits and burdens that those companies need to bear as being important to our nation's security.

MR. MARKS: Can you just‑‑for the sake of people listening, can you draw out what is systemically important critical infrastructure? I know one of the things you spent a lot of time working on in government is all of the interdependencies and the things that have these great interdependencies where a hack in one place is going to really ricochet all over the place. Can you give us an example so we can understand what that is?

MR. KOLASKY: Yeah, yeah. I mean, we started with what we called "lifeline functions," communications, transportation, electricity and water, infrastructure, which communities rely on, on a daily basis, and particularly communications and electricity and the banks‑‑and communications, electricity, and banks are things that if something happens, the impact of what happens can have cascading impacts across communities, can have real‑world impact. And so that's how you start to think about systemically important infrastructure, and then it's the hardware, software, control systems that enable that infrastructure to function that also hold some systemic importance because there's systemic vulnerabilities if they're exploited. And that's how I would start with the framing.

You know, one example I was working on a lot at the National Risk Management Center at CISA was on satellite communications and position, navigation, and timing services and things like that that weren't immediately obvious, the importance across infrastructure sectors, but an attack on the GPS system or satellite communications cascades across multiple infrastructure and has a systemic impact.

And by prioritizing, making sure that those services are protected, we can minimize the consequences when cyberattacks happen.

MR. MARKS: You talk about the importance of ensuring that they have the right protections in place, and that the government should ensure that in some way, whether it's requirements or not. What's your assessment of how the most systemically important critical infrastructure sectors are protected right now? Are we‑‑is it an A? Is it a B? Is it an A minus, a C plus?

MR. KOLASKY: I think the level of investment has increased, and the protection against‑‑the plans and the protection against cascading consequences among companies that have been thinking this way for a while, a lot more resilience has been built in the system.

You know, from a risk reduction term, Joe, you know, I think about, you know, how much resilience, if something happens, how big an incident will that be? And I think that's probably more important than whether you can stop incidents from happening.

And so my sense is we built‑‑and the companies have worked to build more resilience into managing the impacts of a cyberattack that happens in their system. They put more investment into cybersecurity and cyber planning, and we are in better shape for that.

How that then relates to the advancement in some of the adversary capabilities, particularly toward attacking things like software vulnerabilities and finding, you know‑‑finding things further down in supply chains, I think that's an area where there's still some gaps right now, which is why‑‑you know, one of the things I'm doing right now, professionally manage right now, is focusing on sort of supply chain risk management, supplier third party risk management. So, even if you're‑‑so to recognize that even if you're good at what you're doing on your own systems, there's still some inherent risk by who you do business with, and managing that risk is important.

MR. MARKS: Your old employer, CISA, has been talking for several months now about putting shields up because of the enhanced threat from Russia. Are you seeing that, and what kind of shields up can you do in that couple of months' time frame when you're talking about such big systemic risks?

MR. KOLASKY: So, you know, I'm not in government now. So what I'm seeing, I don't have quite as good insight as I did a couple months ago. I think the reason we went to the shields‑up posture was because we were concerned. We know what the Russian capability was in terms of attacking our critical infrastructure, and we were concerned that they would use that capability. Putin has certainly proven he's willing to do anything in Ukraine. For a variety of reasons, as was discussed earlier, that capability has been brought to bear by Russia here in the United States or, you know‑‑here in the United States, although, you know, it doesn't mean I still wouldn't be worried that it could happen, the madman theory or fog of war or something happens that wasn't intended like NotPetya‑‑but it could happen. So I think that shields‑up message was important.

What that started was just making sure that you‑‑companies were listening to their CISO and their security team in terms of having the best case of their cybersecurity in place. That presumably‑‑those investments had been made, and that presumably can continue.

But we were also asking‑‑the government was asking at the time companies to consider making some operational decisions to even change how you operate, where you were sharing information, how you were connecting to different networks, and do that because you wanted to maybe, you know, change your potential attack space during this period of time. I think those sorts of things can't endure forever, and so, you know, let's use the shields‑up moment as a moment to get out the message to be on your A game, and then start to think about what you can do longer term so the next time we get to this period of heightened risk, you have less inherent risk. And that's the message that I would be out there right now talking about. Continue to make visual on the current situation, but what does a less risky portfolio look like for you as a business in the future?

MR. MARKS: I was interested in another portion of our earlier conversation focused on trying to establish international norms to reduce the cyber threat. Is there any possibility of actually deterring Russian attacks?

MR. KOLASKY: I mean, I think so. I think‑‑I think we found here in the last four months that Putin is not using every weapon he has, right? And, you know, in some level, he's deterred from using different weapons and crossing whether it's Article 5, as was being talked about, or whether it's other consequences that he's worried about or he's just overextended. That's an example where at least I think some level of deterrence is part of the equation. Of course, other conversations of deterrence are how we would react if something happened.

But nation states and evidence I've seen is nation states are rational actors within their own rationality. I wouldn't call Vladimir Putin a rational man, but in his own crazy belief system, he's probably acting somewhat rationally there. And I think the government, the interagency process, should think about how we can create deterrence against, you know, that irrationality of our adversaries there. That has to be part of the cybersecurity discussion because that's a much more effective discussion than just throwing up your hands and saying, well, attacks are possible, so there's nothing we can do about it.

MR. MARKS: You talked a few times about supply chain risk in this conversation. To close out, can you talk about where we are as a nation on figuring out what the risks are up and down your supply chain? I was interested that the Biden administration is now looking at ways they can further limit the Russian antivirus, Kaspersky, being used by private companies because it's still being used widely by private companies, despite all of the reporting about it being a threat. How are we doing on that?

MR. KOLASKY: So, you know, one of the things we have the capability to get better‑‑and Exiger is certainly in this business‑‑is gaining visibility around supply chains, and by gaining that visibility around companies like Kaspersky, knowing where those things are in the supply chains, and so visibility and enhancements in technology and analytic capability to advance visibility is an important element.

But then two questions where I'd like to see us continue to get better as a country, one is alternatives. Are there other things you can buy in your supply chain that are affordable, to do so to replace the untrustworthy pieces, you know, whether we're talking about Kaspersky or we're talking about Huawei or Hikvision or other companies that Congress has concerns about, rightfully around, you know, we need to have alternatives that we can buy as a country around that. That includes the commodities that are being manufactured, critical minerals and the like there, and then there needs to‑‑if possible, if the finance elements aren't there, there need to be government incentives to stimulate more development of the alternatives and the affordability of the alternatives.

And I think that's an undone area in Congress. The CHIPS Act, et cetera, is a good start on semiconductors where we're actually putting financial incentives into producing alternatives so that companies can replace their untrustworthy supplies with affordable alternatives. That's the vision that I'd like to see in terms of supply chain.

MR. MARKS: Thank you so much, Bob Kolasky, for everything. That was a fascinating conversation.

Thank you, everyone, for joining us. If you want to see what is coming up, please go to WashingtonPostLive.com.

Again, I'm Joseph Marks. I write the Cybersecurity 202 newsletter, and if you want to check that out, you can go to my Twitter handle and subscribe there. Thanks, guys.

[End recorded session]
