Deep Dive Episode 182 – Cybersecurity Threats and the Regulatory Response

The Biden administration had barely named a cabinet, let alone staffed the government, when it began taking cybersecurity hits from all directions. The Russian government was revealed to have carried out a sophisticated supply chain attack through SolarWinds. Then Chinese government hackers launched attacks through Microsoft Exchange, often using extremely irresponsible and promiscuous tactics. Then Russian ransomware gangs threatened a fuel pipeline to the East Coast and beef supplies nationwide.

And that’s just the first six months. What has been the fallout from these events and how is the administration responding? The calls for regulation of critical infrastructure, of cryptocurrency, and for aggressive retaliation have never been louder. Which will have a long-term impact?

In this live podcast, Stewart Baker and Tatyana Bolton trade insights on this pressing topic.

Transcript

Although this transcript is largely accurate, in some cases it could be incomplete or inaccurate due to inaudible passages or transcription errors.

[Music and narration]

 

Introduction:  Welcome to the Regulatory Transparency Project’s Fourth Branch podcast series. All expressions of opinion are those of the speaker. 

 

Colton Graub:  Good afternoon and welcome to The Federalist Society’s Fourth Branch Podcast for the Regulatory Transparency Project. My name is Colton Graub. I’m the Deputy Director of RTP. As always, please note that all expressions of opinion are those of the guest speakers on today’s call.

 

If you would like to learn more about each of them and their work, you can visit RegProject.org where we have their full bios. After opening remarks and discussion between our panelists, we will go to audience Q&A, so please be thinking of the questions you’d like to ask our speakers. 

 

This afternoon, we’re pleased to host a conversation discussing the recent uptick in cybersecurity threats against U.S. companies and infrastructure assets and the regulatory response to these threats. We’re pleased to welcome two distinguished speakers to discuss the implications of this topic. Stewart Baker is a partner at the firm of Steptoe & Johnson. Prior to joining the firm, Stewart served as the General Counsel of the NSA and the first Assistant Secretary for Policy at the Department of Homeland Security.

He’s joined by Tatyana Bolton, who is policy director for the Cybersecurity & Emerging Threats team at the R Street Institute. Before joining R Street, Tatyana served as senior policy director for the U.S. Cyberspace Solarium Commission and at the Cybersecurity and Infrastructure Security Agency as the cyber policy lead in the Office of Strategy, Policy, and Plans.

 

Stewart and Tatyana, welcome to the podcast. 

 

Stewart Baker:  Thanks, Colton.

 

Tatyana Bolton:  Thanks for having us.

 

Colton Graub:  Do you want to kick off the discussion by telling us about the most recent cyberattacks?

 

Stewart Baker:  Yeah, it’s been a — I won’t call it productive, but it’s been a busy time in the last six months. And not only busy in terms of attacks, but busy in terms of policy responses to those attacks. The two most obvious ones are SolarWinds and the Colonial Pipeline/JBS ransomware. Since SolarWinds came first, I thought I’d introduce that, and then we can talk a little bit about how the policy machinery responded to that.

 

It’s kind of odd and hard to remember exactly what happened with SolarWinds because it’s two or three incidents back, but it was a big deal just at the turn of the year. It was actually still on the Trump administration’s watch, but the Biden administration knew they were going to own the response. And so I actually think the Biden administration probably had a chance to do some more thinking about this before they actually took office, and that may in part account for the comprehensiveness of their response.

 

But the incident itself was pretty quickly attributed by the intelligence community to Russian intelligence. It was a supply chain attack, which is an enormously productive but hard attack to pull off, in which you first find somebody whose products are valuable and widely used by the targets that you have in mind. You go after that company. You modify its products to make them easier to hack, and then when they are updated and sent to all of your true targets, you have an easy way in.

 

That’s what Russian intelligence did to SolarWinds. They modified SolarWinds’ products, and when the update occurred, they had access to thousands of computers. I think that the Russians don’t often get credit for restraint, but they did show restraint here. They did not compromise everybody who got the update. They seem to have been pretty selective in their targets. That’s not necessarily a sign of virtue. It may just be a sign that they are wise, that if you compromise everybody, you’re going to get caught. And if you compromise a few people, you might be able to run the operation for a lot longer.

 

But they did run it for a while, and they were not found by SolarWinds. They were found by FireEye, which in kind of a remarkable story that tells you how cybersecurity really works in the real world, one guy at FireEye who was in charge — who had a security role saw a very low priority anomaly, a person asking for a second phone to be used as an authentication device. And he called him up to ask him why he needed two phones to authenticate. And the guy said, “I didn’t ask for a second phone.”

 

And that answer started to unwind the entire operation. FireEye figured out how the Russians had gotten in to be able to make that request. They notified SolarWinds. They also notified the government. And the government began looking around. Treasury, Microsoft both discovered that they had been compromised. DHS had been compromised. And the response was generally to say, “We had no idea this was happening, and as far as we can tell, people who knew about it as much as six weeks in advance didn’t say anything. They just quietly fixed their own problems.”

 

There was a lot of criticism of SolarWinds on the ground that they had not prioritized security. Instead, they had been sort of slowly milking their franchise. They had a “solarwinds123” password that had been disclosed. So there was a general sense that SolarWinds, considering the significance of its product to a lot of high-priority intelligence targets, hadn’t lived up to its end of the responsibility bargain.

 

And that produced an immediate reaction on the part of DHS, which issued a binding directive telling other agencies, civilian agencies, to disable SolarWinds software. And then we got the government’s response in the form of an executive order on May 12. And I’m happy to talk about that, but Tatyana, if you want to talk about that or other policy responses, this would be a good time.

 

Tatyana Bolton:  Well, yeah. Let me get into that in one second, but I think that we also wanted to touch on what happened with Colonial Pipeline and the attack there. So let me introduce that, and then let’s immediately jump into the executive actions that happened after all of these cyberattacks. Not only did we have the SolarWinds attack at the end of last year, which arguably really happened in March of 2020, or perhaps even earlier, but we also then had the Microsoft Exchange hack, and then in the recent past, last month, we had the Colonial Pipeline attack. 

 

And so what happened there, unlike the SolarWinds hack, which was a supply chain compromise, this was a directed ransomware attack by a criminal group called DarkSide, which is sort of a conglomeration of a bunch of hackers that work together in a pay-to-play system where they’re part of this group and they provide services to each other, or there’s an organizing group that manages payments and services, and some hackers offer services, some hackers buy services. This group, DarkSide, theoretically working within the borders of Russia, again, attacked and blocked Colonial Pipeline’s internet facing systems, their IT systems.

 

I want to be clear that the attack wasn’t on the actual systems that ran their fuel pipelines up and down the East Coast. But because of the way that a lot of companies run their systems, because of the lack of strict firewalls or separations and air gaps between the IT systems of computers and billing and payments and all of that with their operational systems that actually turn fuel on and off, they shut down all of it. And that’s why we had half of the East Coast without gas or panic buying at the pump, putting gas into coolers and plastic bags, and generally panicking about whether we would have gas to fill our cars in the next week. And that went on for about a week.

 

What happened is as DarkSide blocked all access for Colonial Pipeline to get into their computer systems, Colonial Pipeline immediately paid a ransom, almost immediately paid a ransom somewhere in the neighborhood of $5 million to DarkSide. And the payment, unfortunately, didn’t get them back enough of their information to actually restart services. 

 

And also, because of the attack and because of obviously now a known vulnerability in their systems, they still had to take certain steps, and it took some time for them to get back online, which is why you saw gas shortages starting even though they paid the ransom almost immediately. That is sort of a lesson to all of us that even though ransoms get paid, even though they’re illegal, technically, that doesn’t necessarily mean that companies won’t be affected, or consumers won’t be affected by ransomware attacks.

 

And we’ve seen the rise of those in the last six months to a year. It’s become such a significant issue that CISA, the cybersecurity agency, as well as DHS and the White House have labeled ransomware as the biggest threat to national security in cyberspace.

 

So you see, back to Stewart’s point, not only are you seeing the EO and you’re seeing these binding operational directives, BODs, as we call them, but you’re also seeing action within the executive agencies and on the Hill to try and address some of these bigger issues like ransomware and supply chain through interagency groups. They’re trying to pull together all the different agencies that work together on cybersecurity and criminal activity like the FBI, CISA, the intelligence agencies, Commerce, Treasury, to try and address all of these issues, and there are a lot of them. So you’re seeing a lot of different things crop up on supply chain security, on ransomware taskforce. You’re seeing a lot of different action. So I’ll stop there.

 

Stewart Baker:  I think, stepping back and asking what came out of these incidents, the principal thing that came out of the SolarWinds incident was the executive order, and it was mainly, although not exclusively, aimed at government, other agencies, and at government contractors, the notion that we’ve just discovered that SolarWinds and a whole bunch of other things are part of the government’s supply chain, and we have no idea how much vulnerability that creates.

 

And probably the biggest impact on contractors was mandatory notification of cybersecurity incidents to CISA, or “seesa,” as I tend to call it. I know that CISA would prefer to be called that, but I’ve said if you want to be called “sissa,” you need another S in your name, and since they’ve got “security” in there twice, they’d have to have it in there three times. But in any event —

 

Tatyana Bolton:  — I’ll go with what the former director Chris Krebs always called it.

 

Stewart Baker:  He always calls it “sissa.” I think “seesa” is better, but we can all agree to disagree.

 

But CISA was not getting notice of these things. In some cases, there were contractual provisions saying, “We’ll tell the FBI because we have a contract with you, and we won’t tell anybody else.” Or there’s no provision at all, and the contractor didn’t have to tell anybody. So this imposes a mandatory notification requirement.

 

And I will say I think it has made mandatory notification of cybersecurity incidents the flavor of the year. We’re going to see a lot of that. In fact, we’ve already seen that at Treasury, which has a reg out that they’re pursuing telling financial institutions to do it. Tatyana, I think Cyberspace Solarium also has proposals for notification of cybersecurity incidents, don’t they?

 

Tatyana Bolton:  Yeah, absolutely. So from the commission’s perspective, notification of breach reporting is one of the biggest stumbling blocks to an improved cybersecurity posture across the country and the world because if you don’t know when something has happened, when a breach has happened and a vulnerability exists, you can’t fix it. And so you’re right that there are certain agencies that are taking proactive steps to try and use their existing regulatory authority to require reporting. And the EO does that for federal agencies and their contractors. 

 

The commission recommended that a national data breach reporting law be passed through the Hill because CISA needs a broader—and so does the FBI, to be quite honest—a broader sense of the threats and vulnerabilities to our ecosystem. And we can’t have that when we have very little reporting and very little transparency, even between agencies, let alone between the private sector and the public sector. 

 

So CISA, for example, has a reporting mechanism through their CISA Central, what used to be called NCCIC or US-CERT, where companies could report incidents to the federal government. But there are a lot of problems with that system, one, because companies don’t feel comfortable sharing because of liability concerns, even though there was legislation passed in 2015 providing liability protection for companies for reporting cybersecurity incidents.

 

So liability protection exists. However, that still wasn’t sufficient impetus for companies to share that information with the government. And so I’m a big believer that a national reporting law is critical because voluntary reporting has not proven sufficient to get the appropriate level of visibility into the threats that exist in cyberspace to address them.

 

Stewart Baker:  Tatyana, the one — I don’t disagree with that. I think we do need to know this. There are some issues about the details of this. DOD’s had mandatory reporting of cyber incidents for a while, and I’ve worked with clients on that. And it feels a little like the closing scenes in Raiders of the Lost Ark. You send your report in, and it disappears. It’s not clear what the government is doing or that the government is really well set up to respond in a method that reassures the people making the report that they’ve actually been heard and that somebody’s thinking about the problem.

 

Tatyana Bolton:  Well, I agree. I think that not only do we need national reporting requirements, but I think that there’s a significant push that needs to happen to invest in CISA and their capabilities to respond to incidents, to engage with the private sector, because I think the example that you’re using right here with DOD is the perfect example of precisely why the system is broken. You can’t report cyber incidents to DOD and expect DOD to coordinate with CISA, which is the actual cybersecurity agency.

 

And this is what we repeatedly heard at the commission and at CISA as well—I used to work there before the commission—is that there’s no one-stop shop for a company to engage with the federal government on cybersecurity incidents. And let’s not even bring up state and locals. But you’ve got a system where there’s 18,000 doors in, and inside is a maze of regulation and bureaucracy and missed communications, and an agency, CISA, which is barely trying to get off the ground and is underfunded, under-resourced, and doesn’t have enough people to do the job that it needs to do. 

 

Stewart Baker:  I do think that the major thrust of the executive order from May was to elevate CISA to the status that NSA has in DOD cybersecurity. And that’s a big deal. It is on its way to saying, “Look, we have a CISO for the civilian sector, and it is CISA. They’re going to tell you what you have to do. They’re going to have the authority to go into your network, and hunt threats to see what’s going on on your network, and look for anomalies, and report them and act on them.”

 

Those are things that every other agency fought for decades, and most of those barriers have been swept away. And the question now is can CISA actually do the things that it’s been authorized to do?

 

Tatyana Bolton:  Well, I really hope so. Obviously, Jen Easterly recently got passed through the Senate on her way to full confirmation or passed through committee and on to full Senate confirmation for her role as the new CISA director. And she’s got credentials and fantastic experience in both the private sector and the public sector working on cybersecurity threats. So I have the utmost respect for her and her expertise in order to try and lead CISA in this next phase of its growth.

 

Right now, as it stands, CISA faces a number of challenges, authorities being one, but resources being the biggest, in my opinion. And I think that what you’re pointing to is just the lack of resources. CISA is not only supposed to be the intaker of all cyber reporting, but also the responder and the trainer and the federal cybersecurity agency, the integrator with the private sector. So as you can see, the agency is wearing so many different hats.

 

And as these incidents keep increasing, I think that you see more and more of a need for CISA to be better resourced. DOD’s got $700+ billion a year for DOD for national defense. And as cybersecurity is part of our national defense, I think it definitely deserves more funding than $2 billion a year as a portion of that giant DOD budget. It’s not within the DOD budget, but I just point that out as a comparison.

 

Stewart Baker:  Yeah, I sometimes say that if you were being generous, you would have said that five years ago, CISA’s performance was C-, that Chris Krebs raised its reputation to about a B and its performance to about a C+. But we’re a long way from having really strong performances from CISA, largely because of resource constraints, and resource in the sense of not having people who have made it their career to do this kind of cybersecurity in the government.

 

They’re going to fail again. They’re going to need more resources to address those failures. But they are at least credible as the recipient of those resources and as somebody who should be carrying out those responsibilities. 

 

Tatyana Bolton:  I agree. I think that we’ve seen from the experiences of Estonia, the United Kingdom, and Israel, in terms of some of our allies that are good on cybersecurity, that strong leadership and a resourced, centralized cybersecurity agency is one of the keys to improving your cybersecurity across the board. And I think you’re going to see the importance of the national cyber director as Chris Inglis comes in, again, one of the preeminent recommendations of the commission, because we saw the leadership of it, strengthening CISA, and improving the workforce as three key pillars of trying to improve cybersecurity.

 

I think that I agree that — listen, CISA is not the DOD. A lot of people within the government, for example, will say, “Well, if you want to do it right, just give it to the DOD.” I don’t think that’s the right answer. I think the right answer is not giving money to the people who currently can do it well. I think the right answer is not to play favorites but instead to give the responsibility into the right seats of power that exist within the government that we’ve created as a structure, and resource those people accordingly, invest in that, invest in them, and then make them rise to that challenge.

 

And I think CISA can, particularly with the movement to a better hiring system as they’re trying to do because I think that’s one of the keys to the success of NSA and CIA, for one, who have unique hiring authorities. And I’m sure you could speak to that more than I can. But those unique hiring authorities and ability to attract some of the best talent is what CISA needs right now so that it can compete with some of the largest banks, Google, and all the tech companies for that talent because that’s what you’re going to need to respond to all these incidents.

 

Stewart Baker:  The executive order had a couple of additional things that might be important to private sector lawyers. There’s a Cyber Safety Review Board, kind of like the National Transportation Safety Board, and a requirement or the aspiration to a requirement for a software bill of materials for people who are providing software. What do you think the impact of those two things is likely to be?

 

Tatyana Bolton:  I have mixed feelings about the cyber NTSB, as it were. I think that a lot of the recommendations that we heard about improving cybersecurity made reference to the ways in which NTSB and flight regulations exist to report incidents, which has drastically improved the safety of our transportation system, as well as specifically airline safety. I think that there are important parallels there, but I think we need to be cautious in drawing too many parallels. 

 

And I’m still interested to see how the federal government will implement those, implement that EO, and what rules and regulations they will come out with to extend that through the federal government because it’s such a complicated web of agencies that have different responsibilities in cyber. And we have 16 critical infrastructure sectors which all respond differently and have different levels of security.

 

And so, for example, the financial sector, with Treasury as its SSA, that’s a sector-specific agency. They’re very good. They’re very strong. Same with Energy. They have authorities, regulations. They already have some of these reporting requirements. They have certain standards for cybersecurity, although I believe all of them can be improved. But we’ll see how this is implemented across those sectors. The proof is going to be in the details of the rules that they put out.

 

Most importantly, I think the federal government needs to focus on good goals when setting standards and maturity model frameworks, things like that. I think you need to focus on the goals and not on specific steps that any company or agency or sector needs to take because that is where the pitfalls are. If you’re too specific in those regulations requiring companies to do specific cybersecurity actions, you may, in fact, cause problems. Jamil Jaffer was one that made those arguments, has made those arguments many times.

 

Stewart Baker:  Compliance is the — compliance culture in which you do everything the regulator tells you to do is the enemy of actually meeting cybersecurity requirements, yes. Well, fair enough.

 

And if you’re looking for a performance requirement, one pretty good one would be don’t let ransomware artists get hold of your network and wring it out because you’ve obviously failed at that point, and it’s not for lack of compliance. It’s for lack of cybersecurity. And so maybe we should just talk a little bit about what came out of the Pipeline by way of policy because that was probably the first time that ordinary Americans took seriously the cybersecurity complaints that they’ve been hearing from government since the ’90s and said, “Wow, this really is dangerous.” 

 

And I would say the first victim of the outrage over the gas lines and the tech was what I have occasionally called TSA’s “tea and cookies” approach to achieving cybersecurity in which they invite people in. They provide the tea. They provide the cookies. Everybody will talk and agree on some voluntary measures to make security better. And if they don’t show up, then nobody calls them.

 

That’s all gone. That disappeared in part because Colonial Pipeline’s response to that initiative had been mostly, “You know, we’re busy in 2018. And actually, we’re kind of busy in 2019 and 2020. And maybe in 2021 when our new building is done, you can come in and talk to us about cybersecurity.” And people said, no, that’s not good enough. And TSA has now said they are going to require cyber incident reporting—they’ve already said that—for pipelines, and they’re going to start specifying the cybersecurity measures they want to see people adopting.

 

I think the first response of most Americans to all that activity is to say, “What? The people who pat me down at the airports are regulating pipeline security?” But they are. They’ve had that responsibility. They just haven’t had much of a regulatory culture. And interestingly, there’s now kind of a turf fight over whether TSA will get to keep that responsibility.

 

Tatyana Bolton:  I think TSA is going to win on that one.

 

Stewart Baker:  I think they are too because they have basically admitted that they don’t know that much about cybersecurity and they’re going to bring a bunch of CISA people, draft them to help them to come up with cybersecurity standards. So we’re going to see pretty hefty regulation as TSA demonstrates that it can regulate, and that will fend off, I think, the Commerce committee, who otherwise would say, “Hey, why don’t we give it to somebody that we have jurisdiction over like DOE?”

 

So that regulatory impulse hasn’t been fully satisfied by TSA’s announcements. We’re starting to see legislation proposals, enthusiasm for doing more about cryptocurrency, which is seen as a key enabler for this kind of cybercrime. What kinds of legislative changes do you think we’re actually going to get, Tatyana?

 

Tatyana Bolton:  I don’t have a magic ball, but I do think that the push from the Solarium Commission last year to get 25 of its recommendations into the NDAA is something similar to what we’re going to see this year, and that’s the majority of the cyber regulations that we’re going to see. There’s good work on the HSGAC and the Senate, the Senate Armed Services Committee, the House Armed Services Committee, all of them working diligently to try and protect national security, again, of which cybersecurity is part.

 

I think that you’re going to see — I think we’ll get that national data breach reporting law, or at least I very much hope so. It’s a minimum, honestly. It is a minimum to at least know what the threats and vulnerabilities are. I don’t think — if you are one that believes that we shouldn’t have a national reporting law, then I would venture to say that just like when you don’t vote, you don’t get to complain about the winner. If we don’t know what’s happening about threats and vulnerabilities and you’re not supportive of the federal government knowing that, you can’t possibly also expect the federal government to be able to respond appropriately.

 

One of the other things I think we will see is some debate. I don’t know if we’re actually going to see it pass, but I think we’re going to see some debate around this concept of SICI, systemically important critical infrastructure, and the rules and regulations regarding what you must do if you are a SICI entity. I know, it’s the worst acronym in the history of the planet, trust you me. And as some of my good friends at the commission spent a whole day trying to come up with a new one, and the SICI thing stuck. 

 

But the basic concept there is that if you are one of the most critical of the critical — right now, there’s a Section 9 list which came out of EO 13636 under the Obama administration which designated the most critical entities. However, that list is classified, even though companies that are Section 9 entities can talk about the fact that they’re Section 9 entities publicly, but the whole list itself — the full list is classified. 

 

Stewart Baker:  Even though President Biden handed a list of his strategically important industries to President Putin in this latest summit?

 

Tatyana Bolton:  Well, I think he talked about in generalities like the 16 sectors, but the specific entities like JPMorgan Chase, and other banks, and energy companies like Southern and companies like that. The specific list, I think, is still fairly private. Some companies talk about the fact that they are Section 9 entities, and that’s fine. But I think what we need to do is actually make that — put that into law so that we can talk about what those entities must do to protect the criticality of the services they provide and then what benefits they’re going to receive from the federal government in order to do that. 

 

Liability protection is on the table, and I think that stronger liability protection, particularly in the cases of state actor hacks into their systems is critical to getting this done. But those companies, theoretically, will be held to a higher standard. A lot of them, to be honest, already meet these standards, for example, financial services and energy sector.

 

A lot of those entities, a lot of those sector-specific agencies that handle the security for those sectors have more regulatory powers than other agencies like EPA, for example, that doesn’t have any cybersecurity expertise, let alone the regulatory power to actually improve the cybersecurity of our water sector, for example. But financial services, telecommunications, energy, they already have some ability to protect those, and so you’re going to see a big debate about whether the specific pros and cons or the benefits and the requirements for those entities will get that piece of legislation through on the Hill this year.

 

Stewart Baker:  Yeah. So I’ve noticed that there’s been cybersecurity legislation in practically every Congress in the last 10 years. And it tends to follow a pattern that Chris Krebs was a master of, which is the executive branch announces it’s going to do something with or without clear authority and starts doing it, and then when Congress is casting about to show that they care about cybersecurity and they’ve done something, they say, “Ah, well, CISA’s already doing this, and nobody’s really complaining. Why don’t we just write something that says, hey, do that, CISA.” And so as policy has evolved, CISA’s gone a long way just by announcing initiatives and then having them ratified by Congress. And we could see some of that happen as well.

 

Tatyana Bolton:  We could. I’ll push back a little bit on some of that because if you look at DHS authorization, the last time that was authorized and changes made to DHS and its authorities, under which CISA sits, was back when it was originally set up in 2003, so any agency would be hard pressed to continue operating without actual reauthorization every year. So I don’t hold it against them for trying to move forward and do the good work of the people as they try to respond to some of these critical issues.

 

But CISA is very clear in that it doesn’t want regulatory authority because it wants to protect — it jealously protects the relationship it has with the private sector, as well it should, because those relationships are the ones that will bear fruit in the long run in terms of protecting our cybersecurity. But I do think you will perhaps see some codification of the authorities that CISA tries to use in order to improve cybersecurity. I doubt that regulatory authority will be in there. CISA will fight that tooth and nail.

 

Stewart Baker:  Well, I think the last CISA would have fought that. I am not at all convinced. When you look at what TSA did, that’s what you have to do at the end of the day. So I guess I am — they may take away my Republican Party membership card for this, but I do think if you want industry to truly have a public-private partnership with you, you’ve got to have a stick in the closet, and regulation is the stick.

 

Tatyana Bolton:  Perhaps. Obviously, a lot of the other countries across the world, the ones I mentioned earlier, Israel, U.K., Estonia, all have strict regulatory authorities within their cyber agencies. But we are just not set up that same way.

 

And so while CISA is the sector-specific agency for a number — I think it’s like eight or nine of those sectors, it still wants to allow other areas of either DHS like TSA, or other SSAs like Energy, Treasury, DOD, EPA, to be the regulatory authority, or FTC has been proposed, SEC for some of the telecommunications regulations, to use those authorities instead of bringing in CISA to be a regulatory watchdog over certain agencies because the way that they see their role — and you’re right, perhaps it will change under Jen Easterly’s leadership.

 

But generally, they see themselves as the nation’s risk manager, and the connection to the private sector, the go-to, go-between, and the cybersecurity experts in the government. So they’re trying to keep one foot out the door of the whole requirements game because if you are seen as an expert and a non-regulatory agency just providing your expertise and your knowledge, for example, NIST, more people — CISA believes more people will listen to you when you provide recommendations than if you are also the hammer that comes down if you don’t meet those requirements.

 

Stewart Baker:  We’re going to want to take some questions, but there are two things I thought we probably ought to talk at least briefly about. One was the attack that was every bit as bad. It was an attack on the supply chain going in, compromising Microsoft’s Exchange product. It was done by China, not by Russia, although there hasn’t been a formal attribution, which is interesting by itself.

 

And the Chinese behavior when they got caught and Microsoft patched the hole, China’s reaction to that, Chinese intelligence reaction to that, was to say, “Oh, you’re going to make it hard for us to get into Exchange service? Why don’t we get into all of them now.” And they just released a capability as just a storm of compromises on people they had no interest in actually exploiting, just because they could, and they saw the door closing, very irresponsible. 

 

I don’t hold up Russia as a model of responsibility, but in this case, it looked a lot better compared to China. And the government response to that has been crickets. Nobody’s talking about it. Nobody’s saying we need to do something about it. We need to confront the Chinese over it, nothing. I don’t get it.

 

Tatyana Bolton:  It’s a really challenging and interesting case. The whole attribution, sort of global power competition between these great powers is also always playing in the background of all of these cybersecurity incidents. So I think that what we’re seeing play out here, and I could be completely wrong, is that the United States has a much different perspective on China, what they’re trying to do, which is, to be fair, mostly intelligence gathering, to what Russia’s trying to do. Russia is trying to infiltrate certain either — you’ve seen them hack elections, our electrical grid, attack SolarWinds and get specific intel to use against the United States, specific people and specific companies, so there’s a difference there.

 

I think the United States has seen the Microsoft Exchange attack like they did the OPM attack, perhaps, where there’s bigger things happening with China and they’re perhaps unwilling to take the same steps of attribution and retribution towards China, given the tense relationship we have at this point. But it is crazy that there was such a large hack right after the SolarWinds hack got announced, and we’ve heard so little about it.

 

Stewart Baker:  Last question before we take questions is we just had a Biden-Putin summit. They talked about cyber. As we said, the president suggested that Putin not attack 16 sectors and handed him a list. What do you think actually was accomplished on cybersecurity at the summit? And I think expectations were pretty low, so I’m not suggesting that a failure to accomplish a lot would be a surprise.

 

Tatyana Bolton:  Yeah, and I’d also like to get your thoughts on how Biden did on the summit and how far we’ve come on cybersecurity. But my position is that I think we need to be far more aggressive with Russia, particularly because Russians only understand strength. I say this as someone who was born in Russia and raised in the culture, within the United States, but still in that culture. 

 

And I think that it’s safe to say that the previous interactions we’ve had with Russia were not sufficient to prevent them from doing these hacks and attacking our country. And so we need to be stronger, and we need to have a different policy towards them. I think the comment that was focused on that Biden said about, “Well, how would you feel if your oil pipelines were attacked?” A lot of people took that as a threat, and Biden denied that it was a threat.

 

But I think that what you’re seeing is sort of the beginnings of some of these interactions where hopefully the United States is giving subtle but clear rules of the road to Russia. They’re trying to set red lines. They’re trying to be clear, although to be honest, in the cyberspace, there’s not really red lines, and it’s questionable as to what we would mean by those. But I’m hopeful that some of these subtle but clear messages will be picked up by Putin, who I think knows exactly what Biden is saying there.

 

Stewart Baker:  Yeah. He also did say the U.S. has very strong capabilities. There’s a message in that. What I worry is that the message is, “And we’ll use them,” because I’m not sure we will. 

 

And if you’ll forgive me a personal story, in the early ’90s right after Gorbachev took over, I helped briefly start the Steptoe & Johnson Russia Moscow office. And we had an office manager who was a very smart guy, and I relied on him and gave him a lot of space and a lot of respect. And I was just surprised at how insubordinate and contemptuous he seemed to be of the things I suggested he do.

 

And then finally, at one point, I got angry. And I called him into my office, and I said, “You ever do something like that again, you’ll never work here. You’re out.” And immediately after that, he was the most pleasant person to work with I have ever dealt with in Russia. It really was — he had to see the stick in the closet to decide that I was a person worthy of respect.

 

And it is deep in the Russian soul that the right response to weakness is to crush it. And I worry that we can talk about the rules of the road, but if we’re not enforcing them, the Russians are going to figure it out in 20 minutes. And we have yet to decide if we’re willing to take risks of an attack against us in order to enforce these rules. So I think we’re in for years of trouble on that front until we decide, okay, this is it. We know it could mean problems for us at home, but we’ve got to show Putin that there are consequences he can’t handle for attacking us. 

 

All right, Colton, do we want to take questions?

 

Colton Graub:  I think so. We actually have a couple already in the queue. Given that we’re 10 minutes out from the end of this discussion, I’m just going to run through those. So the first one, which I think is tangentially related to what you guys were just talking about, is from Carlos. I’m summarizing the question a bit for brevity, which is can you discuss whether policy coordination among transnational pseudo-regulatory bodies such as the World Bank or IMF would be helpful in mitigating future cyberattacks, and how so?

 

Tatyana Bolton:  Stewart, do you want to take that one?

 

Stewart Baker:  Sure, I’ll be glad to take it. I’m not sure. Yes, there’s value in having similar standards, but if you think that regulation is a bad way to achieve cybersecurity, internationally negotiated regulation is even slower and less likely to keep up with the steps that need to be taken. So I’m not sure that coordination of regulatory standards is as important as coordination of response to the transnational crime so that we know that actually other institutions will track the attacker, track their funds, track their bitcoin, take action against people. The more that you can have coordination on the penalties and the law enforcement side of stopping attacks, I think the better. 

 

And this is me in my most Panglossian. I actually have hope that the Chinese and maybe even the Russians could agree with us that people who attack financial institutions need to be tracked down wherever they are and brought to justice because Chinese banks are at risk. Russian banks are at risk. And getting the treasury and finance secretaries of all of those countries together on a coordinated response to certain kinds of cybersecurity attacks I still think is a promising approach internationally.

 

Tatyana Bolton:  I would also add that I think that we really need to change our view and our culture to acknowledge that the frameworks and the systems in which we all work, including the international system, aren’t set up to deal with the cyberattacks of tomorrow, or today, honestly, because the internet is all across the world. It’s interconnected. It’s open, mostly. And we need to acknowledge that reality and stop thinking about regulations and laws as if the internet stops at our border. 

 

Stewart Baker:  That’s a great point, and I would say I am disappointed but maybe not surprised by the lack of imagination about how to deal with some of these problems. China already has its own internet, and they don’t need us. And yet, we let them operate on our open and global internet, which really isn’t open and global anymore. The Russians are moving in the same direction.

 

I think it’s a fair question. Since our adversaries are already doing this, maybe we should just embrace it, recognize that there is a Balkanized internet, and work with likeminded countries to create one that is both relatively open and doesn’t allow bad actors from Russia and China, North Korea, to get on and have free access to the open, global system that we’ve created. I know that the lobbyists from Silicon Valley have heart attacks when I say stuff like that, but that’s because they like feeding the illusion because it’s good for the bottom line. It’s never going to happen, and we might as well start recognizing it.

 

Tatyana Bolton:  Well, I don’t know about whether we should give up our — I would see that as giving up on our ideals. Our country was based on the concept of freedom and openness and trying to include as many people in our great experiment as possible. We’ve always been supportive of including everyone we could in all of the things that we do and sharing our thinking across the world. And I think it would be a mistake to close off and follow the paths of China or Russia in terms of Balkanizing the internet.

 

I think that perhaps — well, one, I disagree that I think that it’s not the direction we should go, but I also think that, two, it’s probably not feasible at this point. Even in the most secure systems right now, adversaries get in. So how would we possibly keep everybody out if we were to create a system that is theoretically closed? I’m not sure that’s the direction we want to go. I’m a “keep your friends close, keep your enemies closer” kind of person.

 

Stewart Baker:  I’m not sure I’m ready to do that, but look, I agree that no one has asked the question how could we do that if we chose to do it. But I think it’s time to ask could we do it if we chose to do it, but that issue we’re not going to resolve today. 

 

Colton Graub:  I have one more question, and then we can probably wrap up with closing remarks. Something that we’ve touched on but not really discussed is the fact that the Colonial Pipeline breach was paid in Bitcoin, which elicited strong reactions from government entities and officials, the news media, and cryptocurrency experts. My question is, is regulation of cryptocurrencies a potential solution to inhibiting actors from extracting ransoms from their victims, and to what extent does the perfect traceability and auditability of certain blockchain-based cryptos like Bitcoin actually help law enforcement in recovering ransoms?

 

Stewart Baker:  I’ll start, and then Tatyana can finish. Yeah, we’re going to get more cryptocurrency regulations. It was proposed at the tail end of the Trump administration and is being continued — the same proposal is being continued by Treasury in this administration, know your customer rules for people subject to U.S. jurisdiction who are handling cryptocurrency. 

 

I think, at least to my relatively untutored eye, something that would reach international agreement on treating tumblers and mixers as essentially money launderers whose business really doesn’t have much of a business justification would make the theoretical traceability of Bitcoin much more real. 

 

And we’re also seeing the Justice Department and the rest of the government have begun to get creative about finding ways to defeat the Bitcoin incentives. They were able to seize big chunks of the ransomware that was paid by Colonial Pipeline, take it back from the guy who received it, by getting hold of his private key. We’re going to see more of that. I don’t think that’s a solution, but it certainly feels good every time it happens, and it probably does discourage attackers if they can’t actually get paid. So yeah, we’re going to see both regulation and more aggressive and more creative law enforcement.

 

Tatyana Bolton:  I agree. I just think the biggest issue here is that Treasury, for one, will have to, I think, finally reckon with what they consider Bitcoin. Is it a currency? Are we finally going to deal with the big question there? And then, also, cyberattacks are not caused by Bitcoin or cryptocurrency. It is merely a form of payment. And does it make it easier? Yes, but would ransomware stop if Bitcoin didn’t exist? No. People can pay in cold, hard cash. Is it, again, more difficult? Yes, but I think we need to address the underlying issues. And if we address those, then most likely you would — and improve enforcement, then you would really address the issue.

 

But I wanted to also take on this question from Jeffrey here in the chat about government’s role in protecting against cyberattacks versus private individuals and businesses because I think it’s an interesting question. I would say to you, Jeffrey, that this is an all hands on deck situation. We are right now being attacked from all sides, and everyone is doing their best. I would argue big companies, small companies, state and locals, federal government agencies, they’re all trying to improve our system and improve the cybersecurity of the country and their respective piece of that. 

 

So the question, I think, is not whether the government has or should have a prominent role, but rather what role it should play and which specific actions they should take. For example, I think it is imperative on the federal government to set minimum standards where we can be assured that certain companies aren’t taking shortcuts and aren’t leaving us open to threats. And the private companies should absolutely, and individuals absolutely should take more steps to improve their cybersecurity as well. So I think it’s not an either or. I think it’s all of the above.

 

Stewart Baker:  Yeah. And just to close from my end, I think the lesson of the last six months is pretty much what Tatyana said. It’s no longer going to be adequate to say I think there are downsides to regulation, and therefore, we should do nothing because too many people now feel aggrieved by cybersecurity failures to make that a credible response.

 

So if you’re talking to clients, I wouldn’t encourage them to think that they’re going to beat regulation by getting the chamber to show up and fight it. This is a different administration, and there is a different spirit abroad in the land. That doesn’t mean that regulation is going to be really aggressive. I don’t think it will be, but we are going to see a much greater and, as I’ve said a couple of times, a much more stick in the closet approach to cybersecurity from the government over the next five years compared to the last ten. 

 

Tatyana Bolton:  Yeah, and I’ll close with this. I will even say that having worked with the chamber at the commission, even they are supportive of some of these reforms that can improve all of our cybersecurity because I think we generally need to come to a reckoning before a massive cyberattack cripples our energy grid or releases, heaven forbid, nuclear weapons into the hands of criminals, that we need to do something. We need to do this better. And so I think that there’s a general consensus that that’s the case, and I think we need to take it and run with it. 

 

Colton, thanks for having us.

 

Stewart Baker:  Yeah, this was a real pleasure. And Colton, if you can speak, please take us out.

 

Colton Graub:  Thank you both for joining us. We are very grateful to you both for taking the time today and for the insightful discussion on this important topic. We welcome listener feedback by email at [email protected]. Thank you for joining us. This concludes today’s call.   

 

[Music]

 

Conclusion:  On behalf of The Federalist Society’s Regulatory Transparency Project, thanks for tuning in to the Fourth Branch podcast. To catch every new episode when it’s released, you can subscribe on Apple Podcasts, Google Play, and Spreaker. For the latest from RTP, please visit our website at RegProject.org.

 

[Music]

 

This has been a FedSoc audio production.

Stewart A. Baker

Partner

Steptoe & Johnson LLP


Tatyana Bolton

Director, Cybersecurity and Emerging Threats

R Street Institute

