Reimagining Cyber - real world perspectives on cybersecurity

US National Cybersecurity Strategy and EU Cyber Resilience Act - Ep 61

March 29, 2023 Reimagining Cyber Season 1 Episode 61

In this episode, Rob and Stan look at a couple of drives to impose law and order on cybersecurity.

First, the new US National Cybersecurity Strategy.

“I actually see this as being a pretty sharp break from the past. If it's fully implemented, I think the potential to change the US cybersecurity posture will significantly be improved for the better.”

“The strategy does put an emphasis on holding software vendors more directly responsible for the security of their technologies. And it recognizes that if left to its own devices, the software market many times rewards vendors that under invest in security and get things out to market faster. It’s been proven time and time again that market pressures are not necessarily going to result in more secure products.”

“This is going to take time. They're talking about a 10 year window here for the cybersecurity act… so the implementation of this through various administrations who may have different priorities is going to be interesting.”

Rob and Stan also reflect on how the US strategy compares to the EU Cyber Resilience Act, revealed in September 2022.

“They actually are very focused on personal data and ensuring that there's the protection and confidentiality and integrity of the data of the individuals. There are vulnerability disclosures that are required from the manufacturers.”

"If you are to improve compliance, you're not doing business in the EU. That's the one that really resonates, right? That's what's going to make people say “Well, I have to if I want to be able to generate the type of business I require from the entire EU marketplace.”"


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com


[00:00:00] Rob Aragao: Well welcome everyone for another extra episode of Reimagining Cyber. My name is Rob Aragao and I'm joined by my co-host, as always, Stan Wisseman. Today's extra episode is an interesting one. We're seeing a lot of policy globally come forward around cyber in general. And Stan, why don't you actually start us off as it relates to what's happening here in the US specifically.

[00:00:27] Stan Wisseman: So, Rob, at the beginning of March, the Biden administration announced, a sweeping new national cybersecurity strategy for the US and I actually see this as being a pretty sharp break from the past. You know, if it's fully implemented, I think the potential to change the US cybersecurity posture will significantly be improved for the better.

[00:00:46] Rob Aragao: Yeah, agreed. I think so too. I mean, there's a lot of excitement about this and excitement and legislation or law or strategy don't always go together. But in this world, it seems like right now, everybody seems to be really excited about what's happening here. So it seems like potential for a great change in the way things have been done.

[00:01:04] Stan Wisseman: Yeah, he wants to build on the momentum from the three administrations prior to Biden. They've made steps, right? And he wants to build on that. And he's focusing this strategy on five pillars, as they call it. Critical infrastructure protection, the disruption of threat actor operations and infrastructure.

[00:01:23] Stan Wisseman: Promoting better security among software vendors and organizations, handling individuals' data, and then investment in more resilient technologies and cooperation internationally around cybersecurity. So, I mean, pretty ambitious as far as the scope of what they're trying to do now. Note that the scope does not include national defense

[00:01:43] Stan Wisseman: and intelligence which makes sense that they don't include that. I’ve seen some opinions of disappointment that some areas aren't addressed in cyber, but it's not cyber, it's not a national cyber strategy, it's national cybersecurity strategy.

[00:02:04] Stan Wisseman: So it is focused specifically on cybersecurity and not the broader cyberspace. 

[00:02:10] Rob Aragao: That makes sense. And I think of the five pillars, I mean they, they're obviously, they're all important, but if you kinda start at the top, Stan, you know, the critical infrastructure one. No surprise, it's kind of listed as number one, right?

[00:02:20] Rob Aragao: Especially everything that we've seen over the past several years, knowing critical infrastructure is a huge target. Knowing what happened with Colonial Pipeline as an example, that kind of seems to almost be like, ‘this is time for change.’ So what are your thoughts just in general on that piece? 

[00:02:36] Stan Wisseman: Well, I think one of the big differences in this approach is that the expansion of regulations in a minimum set of security requirements for the critical infrastructure sectors and, and while voluntary approaches have, have sort of moved the needle in the past in some of the sectors, lack of mandatory requirements has certainly resulted in inadequate or inconsistent outcomes in other sectors.

[00:03:00] Stan Wisseman: I'm thinking, you know, financial being sort of like the poster child of how it has done right. But there are 15 other sectors that really are not necessarily up to that standard. And they aren't really necessarily saying, create new standards and guidance. They wanna leverage some of the ones that already exist, like the NIST Framework for Improving Critical Infrastructure Cybersecurity and what CISA has as far as performance goals.

[00:03:23] Stan Wisseman: So they're not recreating the wheel here. 

[00:03:25] Rob Aragao: The 15 areas of critical infrastructure were called out, was it maybe last year? With again, a lot of emphasis on the things that needed to be handled. And to your point, the financial segment does fall underneath critical infrastructure, obviously, but is also where it's most mature, right? For reasons, you know, that could be associated, obviously everything that they're doing from a business. But also you have the SEC behind it. You have FFIEC, I mean, there's so many different regulatory and compliance, auditing everything going on, consistently needing them to continuously evolve and invest.

[00:03:59] Rob Aragao: So it'll be interesting to see how that translates into, these other areas.

[00:04:02] Stan Wisseman: And, and that will be a point of, of pushback, you know, some of the sectors or organizations in them may push back on additional regulation. Now, one of the other things that I found is interesting, you know, I think we can all agree that the time where we expected end users and small organizations 

[00:04:21] Stan Wisseman: to be able to handle their own cybersecurity has passed. You know, we as individuals many times are overwhelmed, if you weren't an expert on what to do, much less, you know, local governments or small businesses. And so the creators of the strategy are really looking to shift that balance of burden, thinking that it's fallen too much on those that don't have the resources to really equip themselves.

[00:04:47] Stan Wisseman: They’re arguing to re-shift to those that have the means to do it and take the responsibility. And they aren't actually, you know, saying that you should absolve the end user from security responsibilities, but definitely take more responsibility if you have the ability to do so.

[00:05:07] Stan Wisseman: And it also puts some guardrails down on what the government's role is in cybersecurity. And it sort of defines that boundary where, protecting its own systems and networks and ensuring that the private sector does its part. And it sort of reminds me of that whole Michael Echols episode that we did.

[00:05:24] Stan Wisseman: I think it was episode 13 where he says that, you know, the government's not gonna be there to save you. You know they have their responsibilities and what they're gotta do, but they're not gonna be in your house or in your business to necessarily pick up the pieces if you're hit by a big attack.

[00:05:43] Rob Aragao: No, that's for sure. Now, now one of the other key aspects that I'm sure you're very interested in it's a kind of a sweet spot for you. It, it is around the software kind of liability aspect of it. I’d just be interested to hear your thoughts. 

[00:05:55] Stan Wisseman: I think it will be potentially kind of controversial, but the strategy does put an emphasis on holding software vendors more directly responsible for the security of their technologies.

[00:06:07] Stan Wisseman: And, it recognizes that if left to its own devices, the software market many times rewards vendors that under invest in security and get things out to market faster. You know, I mean that's been proven time and time again that market pressures are not necessarily gonna result in more secure products, and it is shifting liability of insecure software and services to the vendors and away from the end user.

[00:06:38] Stan Wisseman: And that avoidance that many times software vendors use as far as in their contracts of acceptance of use of that software. And this is again, one of those challenges as far as the implementation side of it. And the administration is gonna have to work with Congress to pass legislation

[00:06:56] Stan Wisseman: that'll prevent software manufacturers and publishers to really, you know, market insecure software and, you know, disclaim away the liability by contract. And so, you know, that's interesting. I think the other aspect of this is establishing an adaptable, safe harbor framework to shield from liability companies that actually do

[00:07:20] Stan Wisseman: integrate in security into the development processes and maintain their software and products and services the way we want them to as far as with security in mind. So establishing that and enabling organizations to feel like they won't be liable if they're doing it right is gonna be important.

[00:07:37] Stan Wisseman: On the US strategy, the regulators are encouraged to look at ways to either work on the tax structures or the other mechanisms to incentivize in a positive way, but they don't have anything where we will not consume any of these products.

[00:07:57] Stan Wisseman: They are trying to simplify compliance by normalizing some of these regulations and current standards. And so I think the White House national cybersecurity folks are taking lead on that as far as trying to orchestrate and ensure that we aren't overburdening these organizations for compliance.

[00:08:22] Stan Wisseman: But, this is gonna take time. You know, I mean, they're talking about a 10 year window here for the cybersecurity act, you know, strategy and some of that again, is, dealing with some of the technical debt. They want federal agencies to demonstrate by leading that, hey, we'll take this on and we will update and modernize and we'll implement zero trust 

[00:08:51] Stan Wisseman: and migrate to the cloud and get off these legacy systems that we can't secure, but that's gonna take years. So it is gonna be one of those things that the implementation of this through various administrations who may have different priorities is gonna be interesting to say how we can actually deliver on it. But I think, you know, one of the things this sort of ties into is what else is going on in the world. The EU has a resilience act also on the table, right. That has some of the same kind of themes around how to ensure that products are produced more securely.

[00:09:35] Rob Aragao: It's interesting how they somewhat overlap, right? There is a lot of consistency between the two. So back in September of 2022, the EU, actually the European Commission, published the EU Cyber Resiliency Act. So it's some proposed legislation that in essence, you know, really is a way of providing the kind of first global piece of legislation around how you actually secure IoT in general, devices and services.

[00:09:58] Rob Aragao: And, you know, some of the key points you were talking about within the US national cybersecurity strategy definitely are very prevalent within this as well. So there's also five areas or elements, they don't necessarily call 'em pillars, but in their kind of frame it's elements.

[00:10:13] Rob Aragao: It centers around the cybersecurity setting, kind of a minimum set of requirements as well. It also extends into, again, this is about the manufacturer side of it. So the manufacturers need to include really a principle around security by design model, and also how they support the IOT devices or services through its lifecycle.

[00:10:33] Rob Aragao: So it's not, hey, we deliver and then, you know, you have a one year, two year warranty or something like that. They're actually doing a minimum of five years required. 

[00:10:40] Stan Wisseman: And this is software and hardware right?

[00:10:42] Rob Aragao: Hardware and software, that's right. It's both. That's both. They also need to obviously provide a point of contact for, you know, consumers to be able to report any findings of vulnerabilities they need to

[00:10:51] Rob Aragao: the manufacturer needs to report any security breaches to the EU Cybersecurity Agency. So there's a lot of things going on there. And  now what's interesting is the emphasis back to kind of security by design and, and default model is one where they've broken it into two different areas.

[00:11:05] Rob Aragao: There's the security requirements and then there's the maintenance requirements. Under the security requirements that's covering basically items around software security limiting the attack surface. They call it integrating with identity access management type of solutions to protect unauthorized access and also monitoring the devices for any modification to the data associated, at the device or backend, the transit, as well as that information.

[00:11:28] Rob Aragao: on the maintenance side, they actually are very focused on personal data, right? And ensuring that there's the protection and confidentiality and integrity of the data, right, of the individuals. There's vulnerability disclosures that are required, again, from the manufacturers and also of course, you know, continuing to keep a catalog of all the vulnerabilities associated to their particular devices or services, you know, from that regard.

[00:11:50] Stan Wisseman: But I think another aspect of this is to raise the visibility of how this product's security posture is to the buyer so that they can make a more informed decision, right?

[00:12:05] Rob Aragao: Ultimately, yes. So it is again, back to the consumer. So even as you stated around the US National cybersecurity policy and strategy

[00:12:15] Rob Aragao: it's offloading that kind of concern down to the end user at the end of the day. And pulling some of that back to the manufacturer. And, and to go a further extent, what they're doing is they're actually calling out they actually do a pretty good job of this risk levels. There's three different risk levels that they associate this to.

[00:12:30] Rob Aragao: So there's the default level, which basically is the majority of IOT type devices and services. You would actually kind of commonly see from an end user consumer perspective. So think about our connected home devices, connected toys, right? We saw security issues on that several years ago, right?

[00:12:46] Rob Aragao: But those following, they're like an eHealth application. You know, things of that nature. And, and for them, they're requiring that manufacturers for those types of devices do a self-assessment and self-report. Okay? You go to Class 1. Class 1 now really steps it up and basically says, okay, we're gonna require a certification type of process or model

[00:13:07] Rob Aragao: that you go through and vet out and come back with the actual findings. And we say, yes, it's good or not. But there's a third party assessment that would potentially be part of that as well to offload it from your requirement. And then the final class is level two and Class 2 is you have to go through a

[00:13:25] Rob Aragao: third party assessment. And the way they kind of break this down, so when you think about Class 1, Class 2, Class 1, they're actually talking about things like network devices you know, not anything that's kind of security oriented. Okay. Class 2 is basically, now we're talking about operating systems, security devices, you know, industrial IOT devices.

[00:13:40] Rob Aragao: So it's the things that you would expect that should make sure is being properly assessed and  in compliance with obviously what they're calling out. So it's interesting to see kind of how that's gonna evolve. There was something that came out recently on the bit of confusion around the EU Cyber Resiliency Act and the EU AI Act.

[00:14:01] Rob Aragao: And it was basically where is there a crossover? Is there a crossover? Do we still kind of treat them separately? And so what they came back with, I believe it was just end of February, very, very beginning of March was basically saying, so if the AI system follows the guidelines basically of what's encompassed within Class 2 requirements 

[00:14:23] Rob Aragao: then they're covered for the Cybersecurity Act all the way through and including the AI Act again. Still being proposed to be seen, kind of what comes to fruition. Yeah. So it is interesting. And then the other piece that's kind of, you know, where, where does the kind of ruler come across the knuckles?

[00:14:38] Rob Aragao: If you're not in compliance, basically you can be penalized up to 50 million euros. 

[00:14:47] Stan Wisseman: I was wondering what the incentives were gonna be, either negative or positive.

[00:14:51] Rob Aragao: And I don't find that as being the actual issue. If you are to improve compliance, you're not doing business in the EU. Period.

[00:15:00] Rob Aragao: That's the one that really resonates, right? That's what's gonna make people say, well, I have to obviously to be able to generate the type of business I require from the entire EU marketplace. So we'll obviously keep a close eye on it and you know, when the time is right, we'll do another update on this and include it in one of our episodes.

[00:15:19] Rob Aragao: So, Stan, good conversation getting kind of the lay of the land of what we're seeing out there from a policy perspective. And I think, again, good momentum on some of these different pieces. Good to see what they're covering. And again, we'll keep an eye up seeing what's coming next. 

[00:15:33] Stan Wisseman: Sounds good.

[00:15:34] Stan Wisseman: Thanks Rob. 

[00:15:37] Producer Ben: Hello, producer Ben here. Now you heard Stan mention episode 13 of Reimagining Cyber, which features Michael Echols, author of ‘Secure Cyber Life: The Government is Not Coming to Save You’. It's a great example of the many fine shows we have in our vaults. In the episode, Michael does a deep dive into the importance of industry standards, cyber threats, information sharing, and as we move to a digitized society, how critical it is to educate the masses.

[00:16:07] Michael Echols: Cyber crime has reached a level that we could have never imagined, and this world is becoming digitized, and we are becoming more vulnerable every day. With all of that being said, I'm in Washington DC, I can get on the bus, I can go 10 miles around the city.

[00:16:22] Michael Echols: I can get on the metro, I can go into any building in the world's most powerful city, and there is not one sign that tells you that you should be digitally secure.

[00:16:37] Producer Ben: That's Michael Echols from episode 13 of Reimagining Cyber. Do go and give it a listen and whilst you're there, if you haven't already, subscribe or follow the show, and if you're listening on Apple Podcasts, then please leave us a rating and a review.

[00:16:53] Producer Ben: Thanks.