Effective or Confusing: New Structures and Regulations in Cybersecurity


Posted on in Podcasts

Over the course of the last two years, cybersecurity planning and thought leadership have picked up with a parallel increase in regulation, Congressional action, and government reorganization. The Cyberspace Solarium Commission recommended and got a National Cyber Director and incident reporting legislation through the hard work of the SASC, HASC, and HSGAC, but where do these changes leave us now? Is the National Cyber Director leading the federal government effort, or are government turf battles making leadership in cyber confusing? And what about incident reporting - how many new proposals have we seen, and which are the most critical to understand? Join us for a discussion of all of these issues and what the cybersecurity landscape might look like in a year or five years from now.

Podcast Transcript

Introduction:
You're listening to the RSA Conference podcast, where the world talks security.


Kacy Zurkus:
Hello, listeners, and welcome to this edition of our RSAC 365 podcast series. Thank you for tuning in. I'm your host, Kacy Zurkus, content strategist with the RSA Conference. And today, I am pleased to have Tatyana Bolton, policy director of cybersecurity and emerging threats at the R Street Institute with me, to discuss new structures and regulations in cybersecurity. But first, I want to remind our listeners that here at RSAC, we host podcasts twice a month, and I encourage you to subscribe, rate, and review us on your preferred podcast app so that you can be notified when new tracks are posted. Now, I'd like to ask Tatyana to take a moment to introduce herself before we dive into today's topic. Tatyana, over to you.


Tatyana Bolton:
Well, thank you for having me. It's a pleasure to be here. As you said, I'm the policy director for R Street's cybersecurity and emerging threats program. I came here from the Cyberspace Solarium Commission and CISA before that. At R Street, the program revolves around data security, data privacy, supply chain security, critical incident response, and other critical infrastructure work, as well as diversity in cybersecurity.


Kacy Zurkus:
Excellent. Well, we are definitely thrilled to have you. And as I mentioned in our warm-up sound check, you were a moderator at Conference earlier this month on somewhat of a similar topic. But it's great to have you here with us today. When you talked about new regulations in cybersecurity earlier this month, I want to sort of take a different twist on that conversation and try to make sense of things, maybe asking some questions about what lends to greater clarity or heightened confusion when these new regulations come into play. So the session you participated in was Cutting Through, Getting Real Answers on Supply Chain Security. And I'm wondering if you have any takeaways from that conversation that can offer clarity around supply chain security policy for today's listeners, specifically as it relates to the question of what should the government steer toward and away from when crafting an effective innovation policy? But you don't necessarily need to limit your response to that. That was just one thing that I wanted to hear about.


Tatyana Bolton:
Sure. Yeah. So I did moderate that panel. We had a great range of experts on that panel, including Mark Montgomery, who's the former executive director of the Cyberspace Solarium Commission; Lauren Zabierek, who I work with on a number of different projects, including supply chain security, and who runs the Harvard Belfer Center's cybersecurity program; and Steven Ezell from ITIF, who works a lot on these issues.


Tatyana Bolton:
We talked a lot about the need for better strategic thinking around this problem. Because it's not really getting better. In fact, it's getting much, much worse. The pandemic obviously sort of highlighted these issues for consumers. And we continue to see the threat from China grow more and more. And because we're so interconnected, it just increases the concern that policy makers have about how tightly tied we are to a significant adversary for the United States and what that means in terms of securing our supply chains.


Tatyana Bolton:
Not only is that important for general consumer goods like masks or toilet paper, like we saw in the pandemic, but it's also very much true for supplies that we need for more critical technologies, not that toilet paper's not critical, I think we all realized just how much we need that a couple years ago. But for things like cell phones, communications equipment, and that's not just for consumers, but for the military, rare earths, the semiconductors that are made to create fridges and smart home electronics, computers, and all kinds of other military hardware. And so all of that has become a huge problem and one for which we don't have a coherent strategy.


Tatyana Bolton:
So if there was one thing, I'd say that that was the main takeaway from our panel, that we really need to focus on bringing together all the brilliant minds across America to come up with a way forward in this fairly significant challenge we now face where we're very tied in with an adversary. And so I think that all the panelists agreed that that's the first place to start. Now, it's not the place we have to end. Obviously, there's all kinds of other things we need to focus on and worry about. And that includes how do we incentivize production here at home? Do we work with our allies and partners? Or do we do this just with made in America pushes?


Tatyana Bolton:
I think from the conversation we had at the panel, we all agreed that the made in America push is not ideal. One of our greatest strengths is our alliance structure and the international relationships that we have across the world. And I think the main thing that we wanted to stress was it's important to work with those allies and partners on such challenging topics as supply chain security. As we are trying to limit the challenge when we're so interconnected with China or limit the exposure, we want to increase our reliance and connection on those allies and partners that are much more safe for our supply chains. So, I think there's a lot of different issues out there, but I think those are the two main takeaways for me.


Kacy Zurkus:
I love that. And listeners, if you haven't had a chance to view the session, it is still available to digital passholders online. And then it'll be shortly, in another month or so, it'll be available for free to view in our library. So definitely take a look. It's a great conversation. And what I love about it, Tatyana, is the points that you're making, those takeaways, are critical to that supply chain security challenge, but also this need for a coherent, cohesive strategy is universal regardless of the cybersecurity issue that you're trying to solve for. It's not specific to supply chain. I think that everything that you said, I kept thinking like, "That's great, that's great, that's great." But it's also this, it's also zero trust, it's also ransomware. It's so relevant to every challenge that any cybersecurity professional is trying to solve for.


Tatyana Bolton:
Yes. And I think that's why the role of the Office of the National Cyber Director, or ONCD, has become so necessary and critical. It's one of the major recommendations and action items that we saw coming out of the Cyberspace Solarium Commission. And they are currently working, that office is currently working, to create a larger national cyber strategy that includes not only the supply chain challenges, but addresses issues across the ecosystem. And I don't envy them their job. It's a very complicated question. What do we focus on? What vision do we set for the future? They're working on sort of framing a vision of the internet and cybersecurity in a way that inspires, in a way that brings together our allies and partners and encourages people to join our efforts to build an open, secure, and free internet, opposed to the sort of authoritarian digital world that China and Russia are pushing.


Tatyana Bolton:
We are going into a very competitive and partly antagonistic, possibly bipolar world, somewhat like we saw in the Cold War. And I hate to see us go down that path, but at the same time, is it inevitable? If it is inevitable, what is the answer? Do we want to end up in a Chinese-led world where they set the standards, somewhat like they tried to do for 5G? Do we want to live in that world? Or do we want to set our own vision? I think the ONCD has started to push back against sort of the digital authoritarian internet vision that China's putting out. And we're trying to battle back. We're trying to battle back against it and create these strategies that give every federal agency, every American, every private company that works in this ecosystem, a roadmap for where we're trying to go. Because I think the Solarium said this as well, if you don't have a vision, nobody knows where they're going. We've got a lot of people trying to address various issues that we see in cybersecurity. And I'd add ransomware to that list.


Tatyana Bolton:
But without that coherent vision, we're not going to be successful. I would argue the last national cyber strategy was not successful because it was a series of independent recommendations and actions and was not a cohesive vision. It identified particular items that if accomplished, would improve cybersecurity, but not in a way that inspired others to sort of see our vision and row all in the same direction. And so I think that's the challenge right now for ONCD and the executive branch and the White House more broadly is how to frame this time that we're in and the critical steps that we need to take in order to improve our cybersecurity.


Kacy Zurkus:
Yeah. And certainly we've seen a lot of executive orders, legislation, regulations coming out over the last two years. And to your point, it's evidence of a lot of planning, a lot of thought leadership, a lot of forward movement that is an indication of future change, but also can feel very confusing. And it also can have the result that we've seen with this feeling of turf battles, which makes leadership in cyber very confusing. So can you speak to that, just about how these changes have caused confusion and how do federal government offices work together to sort of solve for these government turf battles and create this cohesive strategy to move forward?


Tatyana Bolton:
Well, the question of government turf battles is one as old as time, and cyber is no different. So, certainly interagency battling is going on. Right now, as it was a few years ago when I was back in the government, it's always a question of sort of power and access and who's got the pen, who's the person who's leading the charge and determining the direction that the federal government takes? Some of this happens sort of across agencies, with fights between CISA and the FBI. You saw that sort of come out when the incident reporting law was being passed and the FBI was unhappy that they were no longer the primary receiver of incident communications from the private sector or incident alerts from the private sector, and CISA got that responsibility, the cybersecurity agency got that responsibility. And sometimes you see it sort of within agencies, even within DHS. CISA and DHS have an interesting relationship where they both are responsible for cybersecurity policy for the federal government and are the cyber experts. And sometimes that can be a challenge. But obviously they're working together.


Tatyana Bolton:
There's a number of examples that recently came out as well as we're starting to see a lot more of this regulation come out in terms of incident reporting, DOD engagement in cybersecurity, and everything else that cybersecurity touches. Incident reporting is a perfect example. R Street just came out with a tool about incident reporting federal legislation. 26 different federal requirements for incident reporting. That's insane. We started looking into this when [inaudible 00:13:07] came out and required the critical infrastructure entities to report incidents to CISA. And it said that as CISA is setting rules for this reporting, they have to make the effort to streamline the existing regulations. So we started looking into that. And we found 26 different versions, all with different offices to whom to report, different timelines on which to report, and different types of information to report.


Tatyana Bolton:
So I understand what the private sector's saying, where it's so, so complicated. All of this creates a lot of confusion and needs to be streamlined. And an article came out today from SC Media as well, another example, the complicated nature of DOD relationships on cybersecurity within their own department. The CIO's office has cybersecurity coordinators. The office of the Secretary of Defense for Policy has a cybersecurity office and director, undersecretary of defense. And Cybercom obviously plays a huge role. So you can see where as cyber becomes more and more critical to the operations of a particular agency, or is critical to the mission of an agency like CISA, obviously there's a lot of moving parts and new bureaucracy that builds up around it. And I think it's very important that we try to streamline it and make sure that we're speaking with one voice, especially when we start talking to the private sector.


Kacy Zurkus:
Absolutely. Yeah. Because it's so overwhelming in and of itself, and then to have, like you said, 26 different incident reporting regulations that you've got to somehow understand how do you determine which of those are most critical? Which ones can you pay attention to, should you pay attention to, you don't necessarily need to pay attention to? There's just so much that can cause more confusion, which then just opens up more risk, right?


Tatyana Bolton:
Yeah. And I will say, that was the number one thing we heard when we were talking to the private sector at the Solarium Commission, that the private sector was most frustrated that there wasn't one person or one office with whom to discuss things like this, or to bring incidents to. And hopefully, [inaudible 00:15:34] is the answer to that.


Kacy Zurkus:
Yeah.


Tatyana Bolton:
At least on [inaudible 00:15:40].


Kacy Zurkus:
Right, because there is so much conversation about the need for public/private partnerships, and this collaboration between private organizations and federal agencies. And certainly that will help to advance national security as well as sharing threat intelligence benefits both parties. But, we had recently done a study with [inaudible 00:16:02] talk that found, to your point, this sort of frustration on behalf of the private sector respondents that there is no singular voice and they don't know to whom they should be sharing this information. So definitely, in order to move forward effectively, there needs to be that unity of voice and cohesive strategy.


Kacy Zurkus:
So I guess to that point, do you anticipate seeing, recognizing how critical those relationships are between the public and private sector, do you anticipate seeing any new regulations around threat intelligence sharing, public/private partnerships as part of this national cybersecurity strategy?


Tatyana Bolton:
So I'm not sure that this is going to be part of the national cyber strategy because I expect that will be a vision setting document. But, there is the very critical National Defense Authorization Act process that's ongoing right now on Capitol Hill, and that I believe will, or may have some parts of this included within that legislation. There is a very important joint cooperation center or joint information sharing center proposal that representative Jim Langevin is supportive of and has been pushing on behalf of the Commission and others that believe that this is a very important piece.


Tatyana Bolton:
There is also the intelligence side. The authorizing legislation for that just got passed by the Senate and included cybersecurity regulations for its contractors and the intelligence community as a whole, and may create better processes. Also, Congress has started to take up its role more strongly in terms of its oversight over cyber. In that SC Media piece, that's what they were talking about was how the [inaudible 00:18:01] reached out to the DOD and required them to provide a report on the actual structure of cybersecurity positions within the DOD. So I think through all of these sort of efforts, congressional oversight, the NDAA provisions on intelligence sharing with the private sector, and all of the work that's happening at CISA right now in terms of trying to streamline all of these processes, and the ONCD trying to play the coach on this field of a lot of different players. We're going to try... I have a feeling we're going to see some streamlining.


Tatyana Bolton:
I know that my former colleagues are working as hard as they can to make this an easier process, one where the private sector wants to come and talk to CISA and to the federal government, where we share information to ensure a stronger, more resilient ecosystem. So, we may also see other various pieces of regulation like the SEC is looking into for incident reporting. But I think broadly speaking, we're moving towards the space where we've got the pieces in place, but we need some coherence and some ground rules. And I think ONCD, in partnership with CISA, will be able to set those.


Kacy Zurkus:
So to that end, I want to ask, because we've talked about the last two years have delivered a lot of different executive orders and legislation, congressional involvement, and you made the point that we're at this sort of critical stage right now where we need to streamline and be more cohesive and strategic. So I would love it if you could share with our listeners your opinion on what the cybersecurity landscape might look like a year or even five years from now.


Tatyana Bolton:
The biggest change that I think we're going to see is the growth and the strengthening of both the ONCD and CISA, which over the past two years, we've seen this sort of turnaround from no one caring about cybersecurity to five bills a year passing through Congress, which is almost unheard of on any particular issue. And I think that speaks to just the lack of regulation that we had and the lack of structure we had in the field.


Tatyana Bolton:
So as those offices are standing up on the part of the ONCD, and strengthening on the part of CISA, you're going to see a lot more cohesion and regulations starting to come out. You're going to see a lot more rules, hopefully toolkits for small businesses and things like that, that are effective and bring more people into the fold. It's also hard to tell what's going to happen with the last two years' worth of legislation that got passed and what that'll look like five years from now. I don't know that anybody can really say what that's going to look like because the legislation has been so varied. We've passed a billion dollars of funding for state and local cybersecurity and a bill to provide tools for state and locals. We've passed a rotational cybersecurity fellowship program, which is extremely critical. There's also some consideration about cybersecurity clinics and getting those out there. Hopefully we'll pass [inaudible 00:21:25] Competes or Competes, whatever it's called at this point, which is currently in conference and may provide a significant influx of cash towards our CHIPS Act and may resolve some of our supply chain security issues. But, we've got a lot going on. We've passed a lot of things, a lot of incident reporting requirements, etc.


Tatyana Bolton:
And so five years from now, I think it's going to look completely different. I think it'll be a much more mature field at that point. I think there will be a lot more... It'll start to look a lot more like a maturing adult, going towards what DOD looks like now with sort of a full complement of policies, regulations, contractors, systems and processes, a lot less like the kind of wild wild west that cyber is now. So, I think it's going to be an interesting ride over the course of the next five years.


Kacy Zurkus:
Well, that's a very hopeful answer. So I appreciate that. Tatyana, thank you so much for joining us today. It was great to have you on. Listeners, thank you for tuning in. To find products and solutions related to policy and government, we invite you to visit RSAconference.com/marketplace. Here, you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels using the hashtag RSAC. And be sure to visit RSAconference.com for new content posted year-round.


Participants
Tatyana Bolton

Security Policy Manager, Google
