CISA and Cyber Threats: How Government and Private Sector Secure Our Networks and Infrastructure

Following passage of the Cybersecurity and Infrastructure Security Agency Act in November 2018, the Cybersecurity and Infrastructure Security Agency (CISA) was established under the Department of Homeland Security. CISA is responsible for protecting the Nation’s critical infrastructure from physical and cyber threats. CISA Chief Counsel Daniel Sutherland and Raj Shah, technology entrepreneur and former head of the Pentagon's Defense Innovation Unit Experimental (DIUx), will discuss the various ways that the federal government and the private sector work to counter emerging threats to our virtual and physical networks and infrastructure.

Featuring:

Daniel Sutherland, Chief Counsel at CISA (Cybersecurity and Infrastructure Security Agency)

Raj Shah, Technology Entrepreneur and former Managing Director, Defense Innovation Unit Experimental (DIUx)

Moderator: Daniel West, Associate, SCF Partners

Teleforum calls are open to all dues paying members of the Federalist Society. To become a member, sign up on our website. As a member, you should receive email announcements of upcoming Teleforum calls which contain the conference call phone number. If you are not receiving those email announcements, please contact us at 202-822-8138.

Event Transcript

Operator:  Welcome to The Federalist Society's Practice Group Podcast. The following podcast, hosted by The Federalist Society's International & National Security Law Practice Group, was recorded on Tuesday, June 11, 2019, during a live teleforum conference call held exclusively for Federalist Society members.

Wesley Hodges:  Welcome to The Federalist Society's teleforum conference call. This afternoon's topic is on "CISA and Cyber Threats: How Government and Private Sector Secure Our Networks and Infrastructure." My name is Wesley Hodges, and I am the Associate Director of Practice Groups at The Federalist Society.

      As always, please note that all expressions of opinion are those of the experts on today's call.

      Today we have a very accomplished panel to discuss this subject. And our moderator for today is Daniel West, who is a member of the International & National Security Law Practice Group Executive Committee for The Federalist Society. After our speakers give their remarks, we will move to an audience Q&A, so please keep in mind what questions you have for this subject or for one of our speakers. Thank you all very much for sharing with us today. Daniel West, the floor is yours.

Daniel West:  Thanks very much, Wes. We're here today to talk about CISA and cyber threats, and we have two fantastic panelists to help us have that conversation. So first I'd like to introduce Dan Sutherland, who's the Chief Counsel at CISA. CISA's responsible for cybersecurity, telecommunications, risk management, and infrastructure resilience and operates with a budget of over $1 billion and a workforce of about 2,000 people. He leads an office of attorneys who negotiate complex technology agreements, provide daily operational support to a cybersecurity operations center, advocate the agency's positions in litigation, draft and negotiate legislation, and respond to audits and investigations.

      His position builds on a career focused on issues at the intersection of civil liberties and national security. In 2003, Mr. Sutherland was appointed by President Bush to serve as the First Officer for Civil Rights and Civil Liberties at the Department of Homeland Security. He provided advice to Vice Secretaries Ridge and Chertoff on intelligence policy, disability law and policy, emergency preparedness and response, and immigration law. His speech on the need for the government to engage with Arab and Muslim communities in the United States appeared in the publication Vital Speeches of the Day. He's also served in Senior National Intelligence Service at the National Counterterrorism Center, and he was referred to by Wired as "one of the government’s point people on stemming the appeal of al-Qaida."

      Also, we have with us Raj Shah, who is currently the Co-founder and CEO of Arceo, which is a start-up powering new approaches to cybersecurity through insurance and risk management.  He's a seasoned entrepreneur and national security leader, and he's transitioned often between the public and the private sectors.  Previously the Managing Partner of the Pentagon's Defense Innovation Unit Experimental, he reported directly to the Secretary of Defense.  He led DIUx in its efforts to strengthen our Armed Forces through contractual and cultural bridges between Silicon Valley and the Pentagon. Previously, he was Senior Director of Strategy at Palo Alto Networks, which acquired Morta Security, which is another cybersecurity company. And he's also a reserve fighter pilot in the Air National Guard.

      So thank you both for joining us. We're excited to have you today. And Dan, we'd like you to get us started, if you don't mind. So can you give us some background on CISA, tell us about its mission and what the team under Director Krebs has been doing to stand up the agency over the past six months?

Daniel Sutherland:  Great. Thank you. Thanks for this opportunity. I have the privilege of introducing you to the newest agency in government, so we appreciate the chance to explain what our mission is about. I think we have a lot to offer to companies in the private sector, and the more that we help the legal community understand what we have to offer, I think the better off it's going to be for all of us.

      So CISA leads the national effort to understand and manage cyber and physical risks primarily to our critical infrastructure. We like to say we're the nation's risk manager. We are a non-regulatory, non-law enforcement, non-intelligence community interface between the public and the private sectors. Those are important distinctives to remember. We're non-regulatory. We do not regulate. Our work is voluntary except for one small piece that I'll mention. We are not law enforcement, and we're not the intelligence community. We sit with law enforcement, we sit with the intelligence community, but we are an interface between the public and private sectors that is outside of those three spaces.

      We are the newest agency in government. We're really a pre-existing organization that was -- in the beginning, it was a small office that was attached to the Secretary's office, but this cybersecurity and infrastructure security mission has ballooned, obviously, over the past years. And so last year, the Congress passed a statute launching us as an independent operating agency of the Department of Homeland Security known as CISA.

      We do three things. One: we provide a full spectrum of cyber protection. We operate the National Cybersecurity & Communications Integration Center, or NCCIC, which is the largest cyber information exchange operations center within the federal civilian government. We operate sensors at the perimeter of all federal networks and have capabilities to detect malicious activity coming across those sensors and, in some circumstances, to prevent it. In any case, we are harvesting information that's coming out of that, and that provides us, through our NCCIC and other functions, the capabilities that we have, a very rich source of data about malicious cyber activity. We do a great deal of analytic work.

      We deploy hunt and incident response teams. We provide assessment services, for example, red teaming functions like penetration testing, phishing campaigns, other similar things like that. And we carry all of those functions out with a floor -- a top secret facility, but on the floor is members of almost every government agency you can imagine, including intelligence community, defense department, FBI, and others, as well as private sector partners, some of those who operate the infrastructure of the internet and others like that. So it's a very interesting information exchange that we have and operate.

      And I'll just give you a couple of examples. We have created a program that is machine-to-machine sharing, so more sophisticated companies or information sharing organizations can connect their machines directly with our machines and receive cyber threat indicators. And over the last three years, we've shared more than five million unique cyber threat indicators with those who sign up for that machine-to-machine sharing program.

      We do a lot of assessment services, as I mentioned. Just in the last six months, we've issued over 30,000 cyber hygiene reports. Those are reports that companies, state and local governments, other federal agencies request of us. So as I said, we've done 30,000 of those in the last six months.

      We also deploy hunt and incident response teams. Just in the past year, we've had over 2,000 requests for our services there, cutting across all 16 critical infrastructure sectors. We deploy about three teams a month to go out in the field. Again, those are both to federal agencies, to state and local agencies, and to private sector companies.

      So basically, that's a broad overview—we're going to dive into it in more depth—a broad overview of what we do in the cyber area. We also have a division that works on physical infrastructure, and with that we coordinate security and resilience efforts with infrastructure owners and operators around the country. We do technical assistance. We help them with trainings. We help provide warnings. We're passing information to them. We're also helping them with doing proactive assessments of the security of their facilities.

      And we're emphasizing a lot of work in public places like schools, houses of worship, shopping malls, stadiums, places like that. And unfortunately, as we know, there's been a lot of physical violence in mass casualty shootings in both schools and houses of worship. We've been in over 1,000 schools in the past year and over 400 houses of worship in the past year. So it just gives you a sense of the kind of assessment kind of work that we're doing, technical assistance kind of work we're doing there.

      The third big thing that we do is we're responsible for public safety interoperable emergency communications. So that means that we're helping stakeholders around the country to develop their public safety communications networks. For example, we represent the Secretary as the board member of FirstNet. A lot of work done there too.

      And the last thing I want to mention that we operate is the National Risk Management Center, which is a place that houses a lot of analysts who analyze risk to critical infrastructure. And then we have paired them up now with teams of people who can, once we identify a risk, can work against resolving that risk. So we bring in people from the private sector, public sector, across different government agencies in teams that focus on particular areas of risk that we've identified. And those areas of risk kind of cut across those other three kind of divisions that we operate.

      So I think that's a broad overview of what our agency is all about. As I say, we have a lot of capabilities available that are beneficial to the private sector, and I think that's one thing I particularly want to emphasize here. Our work is voluntary with regard to the private sector. We want to make sure that attorneys who represent clients understand that there is an agency in their government who can provide these types of services. One of the big questions that I think attorneys often have when we engage with them is, "How will you protect the sensitivity of the information that is shared -- that we might share with you?"

      And Congress, anticipating that, has created a number of information sharing protection regimes that really go a long way toward resolving that. And if information is shared, for example, under the Cybersecurity Information Sharing Act of 2015, the statute specifically says that we cannot turn any of that information over to regulators. We cannot produce it if there's a Freedom of Information Act request. You can't produce it if there's a state sunshine law request. Proprietary information can't be shared. Privileges that an attorney or otherwise might have are not lost.

      So it's kind of a laundry list of ways that they try to ensure that companies know that the information that they share with the government in these contexts would not be compromised. That's, of course, a key element here is that we have trust and confidence so that we're all sharing and learning from one another as we go through it. If we can help one another protect our networks, we're all going to be in better shape.

      So that's a broad overview of what CISA is and does, and I look forward to kind of going into some more depth as we go on in the next hour.

Daniel West:  Thanks for that, Dan. To Raj, I wonder if we could even just take a step back and discuss what exactly we mean when we say cybersecurity. So maybe you could talk to us a bit about what the cyber threat landscape looked like when you founded your first company in cybersecurity back in 2012. Who were your customers, what type of threats did they face then, and how has the cybersecurity environment evolved in the years since that time?

Raj Shah:  Thank you. Well, cybersecurity, quite simply, is how do we protect the digital life that we all live in? How do we maintain our freedom, our trust, and our security in our data which permeates all parts of our life? So when we started Morta Security, that was in 2012, so it was quite a while ago. And the objective of that company was how do you protect large enterprises from the most sophisticated attackers? So the team we had was some of the best offensive folks our government had, and we basically asked them, "How would you stop yourself?" And we focused on a lot of different techniques, one including lateral movement of APTs. So once a bad guy gets into a network, how do they move around?

      But I think the world has changed quite significantly since those days. We were defending against specific tactics by specific threat groups. Today though, those type of things have proliferated dramatically. Automation and other state-of-the-art technology and products have made things like ransomware something any criminal can use.

      So let me share a couple of facts. So the growth in the threat -- it's estimated that the global cost from cybercrime in 2021 will be $6 trillion, which is up from $3 trillion in 2015. So the magnitude of the threat has significantly increased over the years. The other key change is an increase in the sophistication of that threat. So many of the recent attacks like NotPetya had its originations in potentially nation-state level techniques, but they are now accessible to financially minded attackers or activists. It sort of democratized, if you will, the ability for people to launch attacks. The automation of it, if you will, has lowered the cost curve where it's much cheaper to attack than defend. The imbalance has never been greater.

      Conversely, you look at the defensive side, and the marketplace has gotten extremely noisy. And if you go to the RSA conference, they had nearly 1,000 vendors there selling different features and product sets. And so if you're a CISO, an information security officer charged with defending a network, it's very difficult to understand what's working, what's not working, and how to establish best practices. And then finally, you're seeing convergence and focus on cloud enabled services and technologies which increases our systemic risk.

      So I would say these trends lead to a couple of conclusions. So one is we must think at a systemic risk level. Companies and organizations are not individual islands. They are all linked both by the technology infrastructure as well as machine-to-machine, API driven data contexts, and just the long supply chain of the digital universe that there is now systemic risk. You can't be immune.

      The second is an understanding and realization that we need to move towards cyber resilience, that breaches are going to be inevitable. There's no perfect security, and so then the answer will be how can -- the organizations that are successful and most protected are those that can respond in a timely basis. How do I get back up and running as quickly as I can? How do I minimize the damage to my IP or my customers' private information?

      And so I think the cyber security market landscape is slowly evolving to meet these challenges, and I think that's true both -- I know we're going to talk more about it later, but that's true both in the private sector and the public sector, CISA being the best example of the government stepping forward to interface with the private sector in novel ways.

Daniel West:  Fantastic. Thank you. And could you just elaborate just a little bit on a systemic response? What would that mean?

Raj Shah:  I think there's a lot of different ways. So if you look at -- split it between vulnerabilities, infrastructure, and connectedness. So if you look at vulnerabilities, NotPetya is an attack that exploited a certain set of patches that were not given, and it was able to quickly propagate around the world at extreme speed that outpaced the ability to patch, so it was a systemic vulnerability. If you think about our infrastructure, there's several cloud vendors that run the backbone of most SaaS applications, and if one of those were to go down, that would be a systemic risk. And then finally, no company operates on its own. If you look at attacks like Target, many of them were driven by third-party vulnerability. And so even if you have perfect security, your essential suppliers could be a back door. So basically all three are to say that we're in this together, and cooperation is going to be required to stem the cyber challenge.

Daniel West:  Dan, can you cue in a bit on current threats? What is it? What are the threats out there that are keeping the guys in your agency up at night?

Daniel Sutherland:  That was really excellent. I'll just add when I started in this job—the predecessor job to this, about five years ago—and at that time, we were mostly concerned with individuals who were misbehaving online and international criminal organizations who were misbehaving online. Over these last few years—and Raj has said it, has laid that out, I think, more articulately than I did—but over these last few years, our area of concern has more and more become involved with nation-states. We're almost entirely concerned with how nation-states are instituting usually more sophisticated attacks. And another hallmark of them is they're not usually interested in money. They're usually interested in other things other than money, whereas a criminal enterprise, usually, they were looking to steal data that they would then sell in the marketplace.

      So that's one thing that has developed over these past five years, I think. And I think, again, Raj has said it with more sophistication. Let me tell you, in part, an answer is we have five top operational priorities, and so you'll see what we're concerned about in terms of threat, I think, as I tell you these five operational priorities. The first one is what we call supply chain risk or 5G, the emergence of this new 5G technology, and really, anything China, anything associated with China telecommunications and technology. So that's the first top priority. So that tells you a lot there. That's an hour-long podcast in and of itself, but that's the first of our five priorities, and I think we'll come back to it.

      The second of our priorities is industrial control systems. Those are usually the systems that operate or automate industrial processes. So we're trying to make sure through there that we have a really focused approach to the energy grid and other industrial control systems in that environment. So the first is anything China, emerging technology. The second is industrial control systems.

      The third is federal networks. Probably half of our organization is really just devoted to trying to ensure that other federal agencies have protections that they need. We're responsible not for the defense networks or the intelligence community networks, but for the federal civilian networks. We provide leadership there, so that's a major area of focus for us.

      The fourth thing that's a major area of focus for us is more on the physical side, which is soft targets, or places where people gather like schools, houses of worship, stadiums, shopping malls. That's a major area of focus for us. And I think the threat picture there is, unfortunately, obvious.

      And then the last area of focus for us is in election security. And we spent a great deal of time on this between 2017 leading up to the 2018 midterm elections, and we're going to be investing quite a bit of time leading up to the 2020 elections. Our particular part of the election security puzzle is to help those who administer elections to ensure that their networks are as secure as they can be. There are other parts of this problem set, but our focus area is to ensure that there's about, I think, maybe 10,000 different state or local entities that operate elections, and we're trying to make sure that their level of understanding of security, their networks is greatly expanded, and that we give them certain capabilities and tools that they can use. And so I hope that's part of an answer that's kind of implicit in that list of five.

Daniel West:  No, it is. It's helpful. And I'm wondering also a bit about physical threats. So we've talked a lot about data breaches and IP loss and other things like that, but probably the most famous instance of this was the use of the Stuxnet virus to sabotage the Iranian centrifuges using a cyber approach to actually impact the physical universe. As the internet of things starts to gain prominence and more of our physical infrastructure is computerized and connected, how would you assess that emerging set of threats and the interaction between cyber reality and physical reality?

Raj Shah:  Sure, I'll take it. And I think you highlighted the economic trends are such that the old ways of doing business across industries are being disrupted by networking, by automation, by artificial intelligence. And what these things are doing is, by these technologies, increasing the attack surface. There's novel vectors, particularly when we think about AI. And so this convergence of physical and digital—and I know you talked a little bit about OT, Dan, operational technologies and industrial control systems—but this convergence is impacting both consumers and businesses, which is, I think, pretty unique.

      The example of the baby monitor hacking is one that's been talked about a lot, the Nest, that was pulled from where on cameras that adversaries used to get into consumers' homes and watch baby monitor video. To enlarge attacks on businesses in 2015 and 2016, the Ukrainian electrical grid was hacked. And so I think these are real threats, and the impact of these are only going to grow as we connect in systems that had not ever been designed to be connected to a public internet or an IP network and be connected for convenience and efficiency uses. This is another shout out I'd give to CISA. Their ICS-CERT is one of the smartest groups of technical people both in the government and in the private sector on what are best practices to secure it. So I'm just very glad to see the effort that Dan's team has been doing.

Daniel Sutherland:  This is Dan. Let me jump in and take the question kind of this way. In terms of emerging threats, we are really focusing on 5G technologies which are going to dramatically—and I think that's an understatement—increase the internet of things. The number of devices that are connected to the internet is going to absolutely explode over the upcoming 5 and 10 years. We have been trying to think this through in a systematized way and not just react to every -- not to just group every company from a certain country, for example, or every company that produces X kind of product, but try to think through it in a systematized way.

      And this started with litigation we were involved in last year and the year before with the Kaspersky Lab. We ultimately prevailed in that in the D.C. Court of Appeals. It was a fascinating decision. I'd be glad to talk to anybody about that litigation through which we learned a great deal, but essentially what happened was that Kaspersky Lab provides antivirus software. They were providing it -- we were concerned about that being provided in federal networks.

      And so we looked at three things. One: What is the product? What is that product doing? And in that case, the antivirus software transmits data out of your network to a central place so it can analyze it, combine it with other data, and then see anomalies and send information back to help protect your network. That's what an antivirus product does. So we looked at the nature of the product.

      Then the subset of that is where are the servers to which that data is being sent? And in this particular situation, that company, its servers are located in Russia. So that led us to a second question: What are the laws under which that company operates? We actually hired a legal expert who's an expert in Russian jurisprudence to analyze their telecommunications intelligence laws, and we looked at whether there was any meaning -- can the intelligence services of Russia get access to data that they want? Unfortunately, the way the law is written and their practices, the answer is yes. We looked at whether there were any meaningful legal constraints like independent judicial review or oversight of those types of requests. The answer is no. So we had serious concerns about the laws of the country under which that company was operating.

      And so then the third question we asked is what were that company's ties to the foreign government? To what extent is that supplier connected to or influenced by the foreign government? And again, in that case, there was a great deal of unclassified evidence of very close connections between the intelligence services of that country with that company. Therefore, the Secretary of Homeland Security issued a directive to federal agencies to remove that antivirus product from their networks.

      That framework that I just laid out, we are now adding to and putting some finishing touches on and is the framework through which we are thinking about all emerging technologies, and particularly 5G. And so I commend it to you. At least you'll know how we are thinking about the issue. The first issue is we need to look very closely at the product, the functionalities and vulnerabilities of the product. Does the product involve or could it permit transmission of data to non-U.S. countries? Does it receive software updates from the supplier, and a variety of questions like that, so really look closely at the product.

      The second thing to look at is the country of origin of the company, of the supplier and of the component suppliers. To what extent does that foreign government's laws or policies permit it to compel cooperation with its intelligence activities? Is there any meaningful legal restraint, or overview, or review of that type of access?

      And then the third thing is that company's ties to the foreign government. Is it owned or controlled or influenced by the foreign government? Maybe the foreign government has a financial stake in it. Or does it have other ties to it that might make it susceptible to coercion? So we're working through that three-part test as we look at emerging technologies to try to come up with a more rigorous way of evaluating the threats.

Daniel West:  Both of you actually now have mentioned the threat coming from foreign governments. And I'd like to pivot to talk a bit about how the private sector and government can work together or how they interact in providing defense against those threats. Historically, it was left up to the government to defend citizens and defend the private sector from foreign interference. You wouldn't see General Electric setting up anti-aircraft guns at their headquarters. That was left to DOD, but in an increasingly interconnected world, it seems that that paradigm is shifting. And now, in fact, private sector does have to worry about defending itself from these very serious state-backed entities.

      So I'm wondering if both of you could describe the relative roles of CISA and other government agencies and the private sector, and whether there's overlap in what you do, and what are the relative strengths and weaknesses of each? And additionally, what are the legal powers and the legal constraints that each of those actors have and how they might differ?

Raj Shah:  Sure. I'll take a crack at it first, and I will avoid having any opinion on anything legal. Since we have the chief counsel on the call with us, I'll defer to Dan. I'll maybe share some views from the private sector, which is it hasn't always been clear who you call when you're suffering a breach. And this is something where I think the government has begun to make the right steps, which is what Chris Krebs and Dan are doing. But that message still needs to be more widely sent, which is if you're a private company and you're suffering a cyberattack, who do you call, and for what and why?

      The traditional choices were you call someone from law enforcement, the FBI. If you needed -- if you had friends in the intelligence community, you could call them, or you could call your regulators. And all three had very different equities, none of which matched up to the company's needs, which is protection. I want to stem the bleeding now, and I want to prevent this from recurring in the future. And so I think having a clear agency or person that you can seek help from, but that agency also has the requisite technical skills, hasn't historically been the case. And I think we're starting to see that happen.

      And the one thing I would say is that the internet is a civilian space. It's not just a domain of war. And having a DOD entity at the lead of that, in my view, would not be appropriate.

Daniel Sutherland:  Yeah, there's a whole lot to discuss in that question. Maybe I'll take a shot at it. And I don't know if Raj will have reactions to maybe some things that I say too, but I think that Raj is right to say that it has not always been clear to a company who it is that they are supposed to interact with within the government with regard to these cybersecurity issues. It's often thought of as who do you call when you are experiencing a cybersecurity incident?

      But really, the question is broader than that. It's who should you have relationship with even before you ever have a cybersecurity incident? Each company, every company has responsibilities to protect the information, the data that they own. They have a responsibility to their board of directors, to their shareholders. They have responsibilities that regulatory agencies place upon them, and enforcement agencies, both the state and the federal level. And very, very broadly, the responsibilities that the government enforcement bodies are placing on a company is basically to demonstrate that you have reasonable cybersecurity practices.

      So what does that mean exactly? Well, they've made some effort to try and define that, but bottom line is you want to make sure that you have relationship with and awareness of what the government has to offer to a company in these contexts. What does law enforcement have to offer? What does a government agency like ours that focuses on network defense, what do they have to offer? What does a sophisticated cybersecurity company have to offer? So kind of your suite of places where you can get resources. Each are different, each have different purposes.

 

      For example, law enforcement agencies: you definitely want to have a relationship with your local FBI and your local Secret Service offices. The reason is because they can come and help you investigate an incident and hope to prosecute who has committed a crime against you. That's a very important piece. Both these agencies are very sophisticated in the cyber area. You need to have a relationship there.

 

      You need to be aware of what CISA offers, what the network defense agency offers. We have capabilities and tools that you can access, a dozen of them, in different ways. Some of the capabilities and tools we have require us to actually send an incident response team or a hunt team, physically get on an airplane and fly to your place of business. But there are others that are at the easiest-to-access level.

 

      On our website, for example, we have assessment tools that you can use. I know a major law firm uses our cyber resilience review, which is an online tool. They just walk through that cyber resilience review. It's about 10 or 11 pretty complicated or in-depth series of questions, categories of questions, and they use that as their baseline assessment for where their cybersecurity posture is for the year. Then they build from that.

 

      So we have all sorts of capabilities and tools. I think a private company should know what the landscape is, and then they can make effective decisions about what reasonable cybersecurity practices means to them. So we'd like to see more awareness of why it's valuable to share information with the government and with each other, and we think that would be of great benefit to everybody.

 

      And I don't know if Raj has more he would react to out of what I've just said, but it's a big topic and I appreciate you asking about it.

 

Daniel West:  Raj, do your clients, do you think they see any downside with working with the government, or do you think they see just all upside there?

 

Raj Shah:  I think it's a mix. So they recognize the government does certain things that no one else in the world can do. So if you think about some of the predictive ability, meaning the intelligence gathering, so if they can predict or have warnings of an attack before it has really come to fruition, that's super valuable. And of course, the government also has the ability to help set standards and norms. And I think, again, with CISA, that they now have a pathway to get that without just going through disparate organizations. So I think from that sense, it's positive. I think sometimes in the midst of a crisis, they're so focused on solving their crisis that they're going to go to their traditional security vendors for help or other services.

 

      So I think, again, if we go back to the beginning of the conversation when we talked about the sophistication -- so techniques that once were exclusive domain of nation-states are now being proliferated, it's impossible for a private sector company to be fully responsive and protective. And this deepening relationship from the government and the private sector is getting to be the ultimate answer, as well as thinking about what are other ways to transfer and mitigate risk from both alliances from insurance, from mutuals, that there are other ways to begin to get the arms around the cyber resiliency problem.

 

Daniel West:  Okay, great. When you think about that interaction between the government and the private sector, and you think about private companies, as you said, having to grapple directly with foreign state actors, sometimes when they're in crisis mode, maybe being even less likely to reach out for help. Are there any gray areas there that concern you? I mean, any time I hear voluntary cooperation, is it voluntary, and do either of you see any legal or policy gray areas that concern you about these emerging interactions?

 

Daniel Sutherland:  I think when -- we have decided as a country to pursue a voluntary environment here. The theory is, I think, very strong. The malicious attack that has just hit your company is going to hit 1,000 other companies in short order, if it hasn't already. So if your company has learned about that malicious activity, has blocked it, or has experienced it and has learned something from it, if you can share that with other similar organizations, others can then build their defense. You will also benefit from that type of environment. That theory, I think, is a strong and sensible one. It depends, though, on companies being willing to have that kind of corporate view. And as Raj said, it's hard when you're in the middle of the incident.

 

      That's one reason why we're trying to invest a lot of time in speaking to audiences in the legal community because we do think that attorneys, in-house counsel and counsel from firms that are hired by companies, are trusted advisors. So we really want to try to make sure that attorneys understand what the capabilities and tools are out there, and that this voluntary information sharing world is actually a pretty safe place to be. As I talked about earlier, Congress has done a great deal to try to protect information to ensure that companies can be confident that their information would be protected.

 

      I only highlighted a couple of ways, but there's another one that I'll mention too, which is Congress passed a statute that created the Protected Critical Infrastructure Information Program, PCII. And basically, what that says is that a company may want to share with the Department of Homeland Security their plans for securing their stadium. Well, they want to get the benefit of our wisdom about ways they could improve or something. But if they give that to us, who's to say that information isn't going to get out in a Freedom of Information Act request or something else?

 

      So the Congress created the PCII program, and what that program does is if a company wants to share sensitive security information, they send it to us. We have a program that verifies that it fits within the program, and then the documents -- it's almost like a classification system. The documents, the information is stamped as PCII, and then a whole host of safeguards are attached to it, things that we can't do with it, even people can't get out of you in civil litigation. It's a mechanism that is very underutilized, but it's just an example of, I think, one of the -- a way to resolve this gray area. There are ways to protect proprietary and sensitive information and stimulate this kind of voluntary environment.

 

Raj Shah:  I agree with Dan on that, that these are tough ethical issues. But there is a solution to be had here, and I think the level of transparency that he's outlined and open conversation is the first right step because what we certainly don't want to do is, I think, see companies go down the slippery slope of going from defense, to active defense, to something that can look like nation-state level attacks themselves.

 

Daniel West:  Interesting. Raj, can we pivot a bit, and could you talk to us about your experience at DIUx, the Defense Innovation Unit? What was the motivation behind starting that unit, and how did you help to get it off the ground? Sort of a similar theme here of addressing emerging threats and working together with the public/private sector. We'd love to know, just from a research and development perspective, whether you think cooperation with the tech industry is even more important here in the cyber area than in other emerging areas?

 

Raj Shah:  That's great. So I had the privilege of getting to lead DIUx for two years. It was the brainchild of Secretary Carter with the realization that modern technology such as artificial intelligence and autonomy are going to be decisive on the battlefield of the future. But those technologies, the leaders of the development are based in the commercial sector, and it's far outpacing our traditional sources. And that's because the commercial sector is going after a much larger consumer market. If you think about things like facial recognition and voice translation, there's a much, much larger world out there. And so the ability to ingest and operationalize the commercially driven technologies is critical to our military innovation and strength. And so that was the purpose of DIUx.

 

      And so it was working to bridge a lot of divides, cultural divides, contracting divides, just whole philosophies of what speed is, because speed development in the private sector is so much different. And I think as you mentioned, cyber is a key area here in that there is a very large market for cyber protection tools and analytics. And to try to get entirely bespoke things for the government is difficult. What the government does do well is data. They have far more data, and so the combination of leading commercial algorithms, models, and technology coupled with government data is, in particular for cyber, one example of how this cooperation is helpful.

 

Daniel West:  Great. Well, thanks to both of you for sharing that. Wes, I think at this point, it would be good to turn it over for questions.

 

Wesley Hodges:  It looks like we do have one question. Caller, you are up.

 

Caller 1:  It seems to me that if I have something to worry about, it's not Putin because he can't arrest me. And there was a government agency called InfraGard which I think was a civilian auxiliary of the FBI back in 2005. It may still be around. And I went to a few of their meetings, and at one point, they sent an invitation to join along with a waiver that basically gave up all my Fourth Amendment rights.

 

      And at that point, I didn't go any further because I was more worried about my government than I was about various terrorist threats. And with good reason, because as a Libertarian candidate and someone who has sued to keep non-natural born citizens off the presidential ballot, I could expect some retaliation. What can we do to alleviate the concerns of citizens about misuse of information that our own government receives when they cooperate with various government agencies?

 

Daniel Sutherland:  This is Dan. I'll take a shot at it. We need to make sure -- people are not going to share -- companies, individuals are not going to share this type of cyber threat information with the government unless there is a foundation of trust and a level of confidence there. So I've laid out some of the information protection regimes that are in statute. Another thing I have not mentioned that I should have is that we enjoy, RAC enjoys the benefits of one of the most robust privacy protection regimes in the government. We have privacy professionals who are embedded into our programs here. They're reviewing what our analysts are looking at, writing policies and procedures, training, and really embedded, sitting right here with our cyber operators.

 

      I think one thing is it's important to know what is the type of information that is being shared with us. Cyber threat indicators and defensive measures are information that is ones and zeros. It's not a lot of context. It's really what machines can talk to machines about. So when we establish this program, we wanted to make sure of that. So we created a protocol for the computers to talk to one another, and when a private sector computer sends information to us, we can accept about, I think it was 320, or something like that, fields of data.

 

      And we made sure that -- I think there were only two of the fields of data that could include, could even possibly include any -- what the privacy professionals refer to as personally identifiable information. There were only two. Everything else was populated with really technical information. So the name of somebody in an email, somebody's email address or something, there's only like two places in the entire -- all those fields that that data could even be included. And those two fields get human review before they're passed on to do any additional analysis, so they're always pulled out and get some sort of review.

 

      That's, I think, one of the ways that you really design the systems so that you can develop that type of trust and confidence. And I think once people see that the information that they're sharing with us really doesn't have personal information or contextual information, it's really about malicious code, I hope that people's level of confidence will go up.

 

Daniel West:  I'd like to ask one more question to our panelists. You might say that both CISA and the Defense Innovation Unit represent recent attempts by our government to try to grapple with this new technological environment. But I'm just wondering if either of you see any other areas where you think innovation or even formal restructuring is needed to maintain our national security readiness.

 

Raj Shah:  This is Raj here. So there's kind of three areas or three topics that I would recommend. So the first off is scale. These innovative organizations, I think, are wonderful, such as DIUx, but they need to be scaled. So in the case of DIUx, they have about a $30 million a year budget, which is out of $170 billion total procurement budget, not quite at the scale to do a big, massive transformation. So I would encourage the government to continue to grow the experiments that are successful.

 

      The second is I think the government still needs a better view of understanding hardware versus software. If we think about the rapid changing technology, our procurement systems are built for building hardware, not software; aircraft carriers, not iPhone apps.

 

      And then I think the third and final and most important thing is at the end of the day, we think about cybersecurity, we think about national security, technology, it's all based on having the best human capital. That is how we will succeed or fail. And increasing pathways for our smartest technologists and cybersecurity people to serve in government, for our smart government technologists to spend time in the private sector, I think that cross flow is something we've historically done really, really well, but in recent decades, has dropped precipitously. And that would be the number one recommendation I would make.

 

Daniel Sutherland:  Can I take it in this direction? I'm a lawyer, so I'll take it -- this is maybe my personal interest, but it seems to me that one of the issues that we're dealing with is we have two disciplines that are possibly in conflict with one another. And by that, I mean technology and law. Law, as we know and appreciate, is built on the development of precedent, a slow, careful development, whereas technology, of course, is built around speed of innovation and speed of deployment. So we have a legal regime that the genius of law really is that it promotes consistency and predictability. We can understand a problem and develop frameworks around it, and then that allows predictability, whereas technology is trying to identify new things and implement them as soon as they possibly can.

 

      The danger that we have is of these two disciplines conflicting with each other. Technology can move, and I think we've seen this in past years, move so fast that we haven't carefully thought through all the implications of it, and analyzed it, and made sure that we have governance around it. And then the opposite is that law could, by being ponderous, could cripple innovation. And so I think that's a thing that we as the legal community need to be thinking about is how to make it so that our two disciplines are mutually reinforcing one another.

 

      And I think we have really seen some positive kind of movement or breakthroughs in this area where law or governance has been able to make a big difference. For example, in the issue of supply chain, we put forward, coming out of the Kaspersky litigation, we put forward a legislative proposal to the Congress that they acted upon and passed the end of last year to create a new council within the Executive Branch called the Federal Acquisition Security Council.

 

      And this new council will think through any supply chain issues in a rigorous and disciplined manner so that it won't be just a blacklist of all companies who do X, or all companies from X country, or something like that. It'll be company by company, product by product. There'll be a staff there. They'll accept concerns, they'll do research, they'll invite the company in, if necessary, to give their side of the story and build out their argument, and then the council will evaluate that kind of risk.

 

      So we have these very complex emerging technologies, but we have created a legal framework that we're very hopeful about that will help us sort that through. So I just offer that as an example, but I think it's an ongoing issue that we as lawyers need to appreciate.

 

Daniel West:  Thank you, Dan, for that, and Raj. And thank you both for your time and for your efforts working on behalf of our national security. So thank you both, as well to our audience for listening. And Wes, we'll turn it back to you.

 

Wesley Hodges:  Excellent. Well, we are very grateful for your time. On behalf of The Federalist Society, I would like to thank our experts for the benefit of their very valuable time and expertise today. We welcome all listener feedback by email at [email protected]. Thank you all for joining us for the call. We are now adjourned.

 

Operator:  Thank you for listening. We hope you enjoyed this practice group podcast. For materials related to this podcast and other Federalist Society multimedia, please visit The Federalist Society's website at www.fedsoc.org/multimedia.