Proof of Concept: Is New US Cyber Strategy Really Viable?
Panel Discusses Political and Policy Realities of Mandates, Vendor Liability, Costs
In the latest "Proof of Concept" panel discussion, two Capitol Hill observers at Venable, Grant Schneider and Jeremy Grant, join Information Security Media Group editors to break down the Biden administration's new U.S. national cybersecurity strategy and answer the question, "Is it really viable?"
The new cybersecurity strategy outlines five pillars that urge more mandates on the private sector, which controls most of the nation's digital infrastructure, and an increased government role to disrupt and dismantle threat actors. Panelists said the plan faces an uphill political battle.
"This has been for the most part a bipartisan issue, although there are some things in here that Democrats and Republicans have different views on - for example, regulation," said Grant, managing director of technology business strategy at Venable and former White House senior adviser. "Industry is also pushing back on the call that software makers be held liable. So, I do think you'll see some places where there will be a breakdown, not necessarily 100% along party lines, but things will become a bit more partisan."
In this "Proof of Concept" video, Anna Delaney, director of productions at ISMG; Jeremy Grant and Grant Schneider of Venable; and Tom Field, senior vice president of editorial at ISMG, discuss:
- How the national cybersecurity strategy will be executed;
- How willing Congress will be to take bipartisan action;
- How likely it is, in reality, that software companies will be held responsible for securing vulnerable products and shouldering the burden of cybersecurity.
Prior to joining Venable, Schneider served as the U.S. deputy federal CISO and the U.S. federal CISO and as senior director for cybersecurity policy on the White House National Security Council. He previously served for seven years as chief information officer for the Defense Intelligence Agency.
Grant was the founding leader of the National Program Office for the National Strategy for Trusted Identities in Cyberspace and senior executive adviser for identity management at the National Institute of Standards and Technology. He led the White House's initiative to catalyze a marketplace of secure, easy-to-use, privacy-enhancing identity solutions for online services through government and private sector partnerships.
Don't miss our previous installments of "Proof of Concept," including the Oct. 17 edition on California's first consumer privacy fine and the Sept. 20 edition on what CISOs can learn from security incidents at Twitter and Uber.
Anna Delaney: Hello, and welcome back to Proof of Concept, the ISMG talk show where we discuss the cybersecurity and privacy challenges of today and tomorrow with industry leaders, and how we can potentially solve them. We are your hosts. I'm Anna Delaney, director of productions here at ISMG.
Tom Field: I'm Tom Field. I'm senior vice president of editorial at ISMG, and Anna, it's a privilege to record our first Proof of Concept of 2023.
Delaney: You're absolutely right. And this one is all about the U.S. cybersecurity strategy.
Field: Biggest news of the year so far, outside of some of the high-profile breaches. It's something we've all waited for a long time. It was released just over a week ago, and already we've garnered significant conversation about this. And there's some people very excited just about what's been articulated so far.
Delaney: Yeah, so it outlines five pillars that urge more mandates on the private sector that controls most of the nation's digital infrastructure and an increased government role to disrupt and dismantle threat actors. It's great language. And I particularly like this last point, because it highlights this idea to turn disruption into a business-as-usual activity. And then, you know, it's been widely praised, wouldn't you say, Tom?
Field: It has been. It names names, and it does outline some significant strategic changes, and as one of our commentators says, it represents the U.S. finally taking off the gloves. But the question becomes, who is going to pay for it? Who is going to execute this? And my question is, do we have a Congress that's got the desire and ability to execute some of these strategic elements? I do not know.
Delaney: And you've obviously had various conversations with industry leaders in this past week. What were the highlights from those conversations?
Field: Well, you know, on one hand, you've got people that will say that this is the one bipartisan issue in the U.S., everybody can agree on cybersecurity. But on the other hand, there's some language in the strategy that could be politicized by people that want to politicize it. And unfortunately, we've got an environment right now where if something can be politicized, it will be. I'm not so sure that cybersecurity remains a bipartisan issue. I guess we're going to find out. And we've got some guests today that will help us make some sense of this. Right?
Delaney: They definitely will have some interesting points to share with us. Why don't you welcome them?
Field: I'm happy to. They probably don't know this, but internally, we refer to them as the two Grants. You may know them as the Venable duo. We have got Grant Schneider, senior director for cybersecurity services with Venable and Jeremy Grant, managing director of technology, business strategy, also with Venable. Grant, Jeremy, thank you so much for being here with us today.
Jeremy Grant: Thank you.
Grant Schneider: Thanks for having us.
Delaney: So, Grant, why don't we start with you, as someone who knows Washington well, having served as the federal CISO at OMB? What were your first impressions of what's laid out here?
Schneider: I think, I mean, I agree with Tom's comment. I think it's a solid document, right? It's long, there's a lot of things in this, there are a lot of activities that the administration wants to undertake. At the same time, this is a continuation of a lot of things this administration has been working on. So there are a few, you know, new items, and I think the newer items that are in there are the ones that, you know, potentially would require some congressional support. But, in general, this continues a lot from the Biden cybersecurity executive order. It plays off of that, it plays off of also, some of the Trump executive orders and continues a lot of the focus that we've had. So I think it's a good document, I think it continues a lot of the momentum that we've seen, and hits kind of the right balance of, you know, level of detail, and breadth of something that you really want in a national strategy to cover how do we, you know, move forward as a nation.
Delaney: Jeremy, it was great to see that digital identity solutions were singled out. There was reference to the fact that a lack of secure privacy preserving consent-based digital identity solutions allow fraud to flourish, and it states that the federal government will encourage and enable investments in strong, verifiable identity solutions that promote security. That must please you. Anything you want to pick up on regarding the language around digital identity?
Grant: Well, I think the thing that stood out to me, and this may seem perhaps like a small item to some viewers, but this is the first time since the Obama administration wrapped up that we've had an administration actually say that digital identity is a cybersecurity priority in a document like this. Not to say that there weren't some efforts in the Trump administration, not to say the Biden administration hasn't been doing some things in this space the last couple of years, but it's actually been some time since we've had this, you know, item formally included in a cybersecurity strategy. And given that we continue to see year after year, identity is the No. 1 attack vector that we're seeing in breaches and incidents, given all of the, you know, hundreds of billions of dollars that have now been documented between, you know, fraud against government benefits and fraud targeting the private sector that's flowing to organized crime and nation-state attackers, it was really important, I think, for the administration to highlight the importance of hardening digital identity infrastructure. So from that perspective, it was really good to see.
Delaney: Anything you want to pick up on what Grant said earlier about, you know, first impressions?
Grant: I think, overall, I agree with Grant, I think it's a pretty thorough strategy. I mean, going back to what Tom said before, look, this has been, for the most part, a bipartisan issue, although there are some things that are in here that we're already hearing from Democrats and Republicans, they have different views on, for example, regulation. You know, industry is also, I think, pushing back a little bit on some of the calls that software makers be held liable. So I do think there's going to be some places where you'll see some breakdown, not necessarily 100% on party lines, but things will become a little bit more partisan. But for the most part, I think, you know, a lot of what's in here is a continuation of what we have seen from different White Houses, you know, helmed by both Democrats and Republicans over the last, gosh, I'd say 15 years at this point, or, you know, perhaps beyond. And so, I would say it is an evolution, not a revolution. There was nothing in here that I read and said, "Wow, this is, you know, something I would never have expected, this really changes the paradigm." But what I think is great about the strategy is it's very thoughtful, it's coherent. And, you know, certainly as you get back into how different policymaking processes will work within the executive branch, this is sort of a helpful, you know, touchstone to come back to, to say, "Look, okay, we put it in here, this is what we're focusing on." And, you know, it helps to reinforce, I think, in the years ahead, where different resources are allocated, and where, you know, priorities are determined.
Delaney: Well, Grant, some have said this strategy discusses short-term and long-term visions, but not so much about the intermediate steps. Would you agree on this front? And what else is missing in your opinion, or would you like clarity on?
Schneider: I think, short-term and long-term and not the midterm. And that's probably fair, I hadn't thought about it in exactly those terms. I think that's probably fair. However, it's a strategy, right? It is not intended to be the road map of how we get from point A to point B, it is really intended to, you know, set the direction, set the vision and be something that we can get industry and government and people that don't interact with the government from a, you know, industry standpoint on a regular basis, all united around how do we increase our cybersecurity defenses? And how do we move this forward? And one thing I also wanted to mention is, from a process standpoint, Chris Inglis, who just departed as the national cyber director and led the effort of developing the strategy - he and his office did a whole bunch of industry and private sector outreach in the development of the strategy. So this was something that I think they had 300 or 400 engagements with various people, brought people in to do table reads, took feedback over a six- or eight-month period. So I think from a process standpoint, you know, they worked very hard to try and get feedback and not just hear it all from us after they sort of did the big reveal, if you will, which is why I think you see a good bit of cohesion across the strategy. But yes, there are definitely things that we're going to need to dig more into, of how do we get from here to there, how do we actually implement, what are some of the challenges, political, budget, you know, others that have been mentioned already here this morning.
Delaney: Jeremy, thoughts on what's missing?
Grant: Nothing stood out to me in terms of what's missing. I think what's going to be really interesting is what happens next, which is the implementation plan. So, you know, the strategy, if you spend some time thumbing through it, you realize there's a lot of things in here that are great, but what happens next? What are we actually going to do on these issues? And, you know, I think the administration was pretty - there was sort of a conscious decision to lay out the strategy first, and then work on the implementation plan next. And so I think, you know, everybody's going to be really interested in seeing those details, because I think in terms of whether it's new initiative launch, changes to existing initiatives, new budgeting, whether they're seeking new authorities or looking to potentially reallocate or redirect some existing pools of money, certainly on the regulatory side and the liability side that could require, in some cases, new legal authorities, although in some cases, the White House has said they believe they have them in place for certain segments of critical infrastructure. So it's not so much what's missing, I think it's what's going to come next.
Delaney: Excellent. Well, Tom, handing over to you.
Field: And that's a perfect place to pick up because you talk about what needs to happen next. And Jeremy, you, or rather Grant, you were talking about the Biden Cybersecurity Executive Order, which is just about to enter its terrible twos. And as you know, we've been talking about critical infrastructure. We've been talking about software bills and materials and zero trust for almost two years now. And there are still some agencies trying to articulate what their zero trust strategy should be. So my question for both of you is, how do we take this new strategy and actually start to turn it into tactics? What do you expect to see happen next?
Schneider: Well, I think, two things that I would say on that from - you talked about federal agencies and their zero trust implementations. You know, the president just released his 2024 president's budget, which, of course, is the one that goes to Congress, and then Congress gets to figure out what actually gets funded in that. But that is the first opportunity that agencies have had since that executive order, even though it was two years ago. This is the first opportunity the government's really had to put something into the budget, to try and drive implementation of that executive order. And so, you know, we've seen in that increases for cybersecurity; we still need to dig into the details and see what that's going to mean. But that's, to me, kind of step one: agencies being able to have money to move this forward. Now, that only affects the federal side, right? You know, private industry, a lot of - we already talked about critical infrastructure, and I mentioned being held by private institutions, you know, it's much harder for them to make investments, especially depending on if they're rate regulated, and how they're able to actually raise capital. So I think in addition to the budget, it gets to what does the implementation plan start to look like, and how much of that is actually made public? You know, there's a couple of approaches the administration can take: they can have a very thorough implementation plan that they don't share anything with the public. I think the intent is that they want to get something out there. But, of course, as soon as you put those implementation plans out there, every milestone you miss, you're going to get a lot of help and a lot of articles on it, and so, you know, they're going to want to balance that to be sure that the items in the implementation plan are things that are achievable, as well as things that they need congressional help with, I imagine.
Field: Jeremy, your thoughts?
Grant: Yeah, one other thing on the President's budget. So it's exciting now that it's out, that you're actually starting to see, as Grant was pointing out, it's the first year that agencies are able to start to align budget requests to align with the zero trust strategy. The flip side of that is we're looking at sort of a macro budget environment. Now the Republicans have taken control of the House where they're saying, not only do they want to hold spending flat across the board, they actually want to roll it back. Right now we're in 2023 numbers. They want to roll it back to what they were in 2022. So, you know, I'm not sure if that's going to happen, it's still really early in the year. But I think the most likely scenario at this point is that rather than have a budget, we just would have a full-year continuing resolution where there wouldn't be any dollars for new starts. And what that would mean for cybersecurity, particularly with agencies looking to spend on the zero trust strategy is it would be another year where those dollars don't materialize. Now, I will say there have been times in the past where you've had a full-year CR, but you can still get agreement in certain areas to reprioritize some dollars or to plus things up in a couple places. So, you know, potentially, if there is bipartisan consensus on at least those elements of, you know, the 2024 budget, it's possible agencies could end up starting to see some plus ups next year. But I'm not overly optimistic right now. It's a pretty hostile environment, I would say right now, just in terms of where things are becoming more partisan and with divided government. And so it's not really clear, you know, what the budget picture in terms of actual dollars flowing out next year is going to look like on these different initiatives.
Field: Let's talk about that, because the three of us, and Anna, you were involved too - we had conversations at the end of the year. And you both expressed concern that there were cybersecurity leaders in Congress that were stepping down. We've lost a lot of leadership there, even though it's early days. How do you look at this Congress and its willingness to take bipartisan action on something that we should all embrace: Cybersecurity?
Schneider: So I think I'm going to break that down into the two parts. I'm going to set the willing, I'll get to the willingness part maybe in a moment. I would say on the upside is, I have seen a lot of the new leaders, you know, come out and at least voice interest in cybersecurity, understanding, you know, particularly, if you look at, you know, the Homeland Security Committee and others, and Representative Green talking about cybersecurity being important. You know, obviously, there's going to be a big focus there on border security and immigration and things along those lines. But we are seeing more people at least talk about cybersecurity. I think they're all figuring it out, though. I think it's a new topic for a lot of people. And it's going to take them some time to get the comfort level and familiarity, and really be able to set some visions and move forward. So I still think we have that gap of people that departed. And then we've got, you know, additionally, this Congress has just been slow to get started, right? It's been slow to ramp up. Part of that was because of, you know, the delay in knowing exactly how the Senate races were going to turn out. But even since then, we're now into March. And we still don't have, you know, a lot of agendas set. So I think the other challenge, though, is just going to be - and Jeremy talked about this - like, we're in a very partisan mode right now, we're headed toward a presidential election in 2024. And that just makes things that shouldn't, that we might not imagine would be partisan become caught up and become partisan, just because of, you know, either not wanting to be seen as having worked with the other side, when you go back to your constituents. And so those are going to be challenges, both for the budget and for kind of anything new in cyber that's going to require congressional movement. Even if it's a topic that seems very bipartisan and has a lot of support, the mechanics of getting those things through the Congress is going to be a challenge this year.
Grant: Yeah, I agree with Grant. I mean, look, in terms of new players coming in, one of the things I think folks in our community were excited to see is Mark Green was named as the new chairman of the House Homeland Security Committee. He replaced John Katko, who was the leading Republican, who was really strong on these issues, had a good background, and then was great, you know, to work with. Nobody was quite sure how Green was going to look at this. And, you know, he came in on day one and put out a statement: "So look, I care about the physical border. And I also want to prioritize the cyber border." So that was great to see. I think behind the initial statements, what we're still seeing is, particularly on the Republican side, because the staff ratio is changing on the committee, some of them are still hiring up, the staff are coming in, you know, they're still figuring out their own internal agenda and how they want to push things forward. And as Grant pointed out, because it's a partisan environment, I mean, I think one of the things that, you know, is impacting things a little bit is - so, the Republicans do control the House, it's going to be very hard for them to pass any legislation with a Senate that's Democratic and a Democratic president. And so, you know, I think one of the things that, at least, we're certainly seeing is, you know, in those committees in the House, they're trying to weigh: do we try to legislate, or there's also things we can do, going into the presidential election, to try and score political points by attacking the administration for different things. I'm really hoping on cybersecurity, we don't see much of that, and that we see Democrats and Republicans continue their tradition of working together on, if not all issues, at least most. But it's just a little early to tell right now. We're just starting to see some signals in terms of what different committees might want to focus on.
Field: Excellent insight.
Schneider: Tom, can I just add one thing, because I was recently up on the Hill for a couple of meetings with committee staff, and, you know, on a bright spot, we had bipartisan staff from both sides in some meetings, talking about cybersecurity. And while there is still staffing up and setting of agendas, there are a good number of staff from both sides that have worked cyber issues that are still there, that are still working, and still driving these issues. So I think that's a bright spot in some of the partisan shift that we have. Still challenges ahead, without a doubt. But there are people trying to make progress on the Hill on these areas.
Field: That's encouraging. Anna, I know you've got a question about a threat that knows no party lines. So please go ahead.
Delaney: Absolutely. Well, Grant, I want to start with this new language around ransomware as a national security issue. Obviously, there have been various moves over the past couple of years to tackle the ransomware threat, such as the creation of the Ransomware Task Force. How does considering the ransomware problem a national security threat change the nature of how the threat is addressed?
Schneider: Yeah, I think this is a really, it's a necessary statement. Right? Because ransomware has become so prolific and so impactful. And early on, ransomware was, you know, impacting mostly private organizations, but a lot of state and local organizations started to get impacted. In more recent years, we've seen healthcare organizations become pretty significantly impacted. And clearly, the malicious ransomware actors, you know, they've taken the gloves off and don't respect any, you know, in the world, certainly no borders, but even any sectors that we would say doing ransomware on healthcare is really over a line, they don't see a line there. So, I think by designating it as a national security issue, you can bring a whole-of-government approach, you can get, and we've seen this over the last couple of years, you know, you can get the intelligence community, you can get these task forces working on it, and use national assets, national security assets, to really drill into it, both from an intelligence standpoint of understanding what's happening, but also from a disruption standpoint of being able to figure out, you know, what do we do about it? Do we take potentially offensive cyber operations or approaches to being able to disrupt and dismantle these actors? So I think it gives the government more options. And it gets a broader pool of individuals thinking about it beyond just law enforcement, who certainly have a super important element, but it just brings more resources to bear.
Delaney: Jeremy, thoughts?
Grant: Not too much to add to what Grant had to say. I think the more you can make this a priority, get more attention on it - I mean, look, it's been, if it's not the story of the last, you know, two or three years, at least, certainly one of the biggest. And so I think just getting more coordinated policies, interagency responses, more collaboration with industry on these things, this is how you start to make a dent in things, not to mention, obviously, finding a way to take it to some of the bad actors, most of whom are out of the country, who are perpetrating these attacks.
Delaney: Well, Tom, over to you for making the software industry more accountable.
Field: Well, that's the big headline isn't it? That we're going to make the software industry accountable for vulnerabilities. So my question for the two Grants here is, how about that? Are we actually going to see software vendors held accountable for vulnerable software? Or are we just finding a new way to make their lobby more powerful and their litigation more fluid?
Schneider: Yeah, I think this one's going to be interesting to watch. There's going to be a lot of dialogue on this. How much actual movement there's going to be on this, I think it's going to be tough. The tech industry, you know, there's a lot of negativism toward big tech from Congress from both sides. However, it's not bipartisan. So the Republicans have their issues with big tech, and the Democrats have their issues with big tech, but they don't have the same issues. And so they really struggle to come together on, you know, how to push back against big tech. And I don't know that this liability issue, I think that's unlikely to become a bipartisan issue. I think there are, though, some people that support it, some that are against it, and big tech's got a big lobby, right? They've got a lot of influence on the Hill and a lot of influence across the country. Technology drives, you know, so much economic movement in the country that I think this one's going to be interesting to see the dialogue. I think it's going to be a really hard one to move forward.
Grant: I would tend to agree with Grant, although I think there's still some value. You know, we talked about when I was in government, look, there's things we can actually get done through policy, a law passing, or regulation advancing, and then there's just the impact you can have by jawboning, you know, being out there as a leader and talking about this. And I think, to a certain extent, look, I'm not sure if any legislation is going to pass on this, but just the administration going out there, and talking about the fact that one of the problems we have is that, you know, we're consistently seeing vendors ship products that are insecure, talking about the duty of care that, you know, companies that are making these products have, in terms of actually putting things out there that are looking out for their customers and trying, you know, to truly help them and not putting them in a place where they're having additional vulnerabilities. And so I think from that perspective, look, this may start to break down on partisan lines, but there's still value just, you know, in being out there and saber-rattling a little bit on this topic. It gets people's attention.
Field: Terrific. Anna, I don't think we're done talking about this. What do you think?
Delaney: Absolutely not. But for today, our time is up, unfortunately. Thank you so much, Grant Schneider and Jeremy Grant, for this informative, timely and important discussion.
Grant: Thank you.
Schneider: Thank you.
Delaney: And it's goodbye from us. Thanks so much for watching.
Field: Till next time.