Transcript: 2022 Cybersecurity Policy Priorities
Perspectives from the Executive and Legislative Branches,
Thursday, January 13, 2021
DISCLAIMER: This transcript was generated using an automated transcription service and may not be fully accurate. Please check all quotations against the original audio before publication. Full audio and video is available here: https://www.youtube.com/watch?v=88yNnfyWFXE
SPEAKERS: Silverado’s Co-Founder and Executive Director Dmitri Alperovitch; Congressman John Katko (R-NY), Congresswoman Yvette Clarke (D-NY); Department of Homeland Security Under Secretary for Policy Robert Silvers; FBI Cyber Division Assistant Director Bryan Vorndran.
Dmitri Alperovitch 00:25
Welcome everyone and Happy New Year. Silverado Policy Accelerator is thrilled to have you with us this morning to talk about cybersecurity priorities in 2022, with perspective from the legislative and executive branches. We have a great group here today on Zoom and watching live from media to academics to industry and government, and, of course, our all-star panel. I’d like to first introduce Congressman Yvette Clarke, member of the US House of Representatives serving New York's ninth district. She's the chair of the House Homeland Security Committee Subcommittee on Cybersecurity, Infrastructure Protection and Innovation, and a member of the House Committee on Energy and Commerce. We're lucky to have her here with us. She'll join a few minutes late, so we will jump straight to her once she joins with some questions. We're also joined by Congressman John Katko, a member of the US House of Representatives serving in the 24th district of New York, and he's a ranking member of the House Committee on Homeland Security and a member of the House Committee on Transportation and Infrastructure. Congressman, thank you so much for being with us today. I know that you recently announced that you've got COVID, unfortunately, but we really appreciate you joining us despite the circumstances.
Congressman John Katko 01:50
I'm still kicking this off. I'm just fine.
Dmitri Alperovitch 01:54
We love it. We love it. Thank you so much. And we have two great members, two great leaders from the executive branch joining us today as well. Very, very pleased to welcome my very good friend and respected colleague, Rob Silvers, the undersecretary for policy at the Department of Homeland Security. Undersecretary Silvers is responsible for driving policy and implementation plans across all of DHS missions, including cybersecurity, and he previously served as assistant secretary for cyber policy at DHS during the Obama and Biden administration. Last but certainly not least, please welcome Bryan Vorndran, the Assistant Director of the FBI’s Cyber Division. Before joining the Cyber Division, he served as a Special Agent in Charge of the New Orleans field office and Deputy Assistant Director of the Criminal Investigative Division. Thank you so much, Rob, and Bryan, for joining us.
At any time throughout the event, we welcome audience questions, so please submit them using the Q&A function and we'll reserve some time at the end to turn to those. We're also live streaming and recording this event on both YouTube and LinkedIn, and we will make it available on our website after the event.
Before we turn to the panelists, I'd like to share a little bit about Silverado Policy Accelerator. As the world competes for the newest technologies, the smartest economies and the broadest sphere of influence, the nations that assert bold, long term strategies will shape the global order for decades to come. At this pivotal moment of geopolitical competition, the United States must chart a course toward economic prosperity at home, and competitiveness on the world stage. My co-founder Maureen Hinman and I started Silverado to help forge that path by working to identify the best solutions to critical policy challenges, and then incubating and accelerating those ideas into concrete results. Today's event is designed to do exactly that. So let's jump in.
2021 was certainly a historic year in cybersecurity, marked by a slew of major cyber incidents affecting government and private sector targets and a dramatic rise in ransomware attacks and ransoms paid to criminals and cryptocurrency. In May ransomware criminals targeted the Colonial Pipeline, causing gas shortages up and down the East Coast. In June, the Russian ransomware group REvil targeted JBS Meatpacking, affecting the US meat supply over the Fourth of July weekend. In July, REvil also targeted the managed service provider Kaseya, leading to one of the most far reaching cyber incidents in US history. The list could go on and on.
It was also the year that cyber assumed a newfound prominence on the national stage as Congress, the administration and law enforcement agencies took critical steps to address these threats and secure American cyberspace. Recent federal action on cyber included the $1 billion authorization for the Technology Modernization Fund as part of the bipartisan American Rescue Plan, the Biden administration’s Executive Order on Improving the Nation's Cybersecurity and finally the Infrastructure Investment and Jobs Act passed by Congress in November, which included $1.9 billion for a range of cyber-related investments.
I think there's widespread agreement that even with these steps, there is still much to be done to ensure that American citizens are protected from cyber attack. Last night Silverado released a new white paper outlining six policy ideas that we think Congress and the administration should prioritize in the coming year, including passing cyber incident reporting legislation; adopting speed and outcome based metrics for federal agencies to measure their response to cyber events; expanded sanctions authority to include credit cards, bank accounts and crypto wallets, not just individuals and entities on the specially designated nationals list maintained by OFAC and to sanction foreign cryptocurrency exchanges that do not comply with KYC (know your customer) and AML (anti-money laundering) requirements; and mandatory threat hunting on the defense industrial base networks is also very important. And finally, we recommended an expanded role for CISA to become the CISO, or Chief Information Security Officer, for the civilian federal government—excluding, of course, the DOD and the IC, who manage their own security. We'll dive deeper into these proposals during today's section. Silverado’s full report is available on our website (www.silverado.org) and is in the Zoom chat.
So with that frame, I want to start off by asking each of our speakers to comment on how they perceive the current cyber risk profile for the nation, grade the US response to date, and offer their views on what more can be done, and what additional resources are needed. So with that, let's start with you, Congressman Katko.
Congressman John Katko 06:52
Thanks for having me here, and I hope you folks are warmer than I am here in Syracuse. So I'm looking out the window and the temperature is going straight to zero and probably well below zero this weekend. But glad to be here again with Silverado. It's a wonderful group, and Dmitri, thank you for your leadership in this area. To answer that question, it's somewhat of a mixed bag as far as where we are. But where we're going, I'm very excited about. If you think about the last couple of years, Chris Krebs, you know, shepherded CISA into existence. And then Jen Easterly has just taken the baton and run with it. And she's done a terrific job. And we've done an awful lot legislatively to support them, to expand their role to give them more money. And I firmly believe that CISA needs to be at least a $5 billion agency, not because I like to spend money, but because I know the need is there. And I think they've done tremendous work. And I think we're kind of at a crossroads where it says they're going to be strictly a regulatory agency, or are they going to be a collaborative agency, working with the private sector and developing those relationships that allow trust and better product to prevail. And I think the Log4j incident recently really kind of shows that that collaborative effort is a model that I would like to see more of going forward. They worked with the private sector, they are working with the private sector. And they've done an awful lot to get patches and help get past what Jen Easterly seems to think is one of the biggest vulnerabilities that she's detected since our time there. So we need to build on this success. And I think we need to bolster assistance, resources and authorities and get the word out about things CISA can offer and it's funny—last night, I read over Silverado’s cybersecurity priorities, and it's very good to see that because it's a lot of what we on my side of the fence want to do.
There's something I want to do, kicking off an initiative called “CISA 2025”. And its purpose is to take a deep dive into six focus areas to ensure that as CISA matures into an operational agency, it has a clear line of responsibilities, authorities and capabilities. And for each of the focus areas, we will include oversight letters, briefings, industry perspectives, leading to a legislative proposal that's ready for the next Congress. And I just want to touch on them briefly. If I may, I'll be very brief. There's six main points. Operation organizational efficiency is the first one and that's a very important information enabling system that must be able to quickly identify threats and then declassify information and share it, enhancing operational visibility, for example, incident reporting and things like that, that Dmitri mentioned, the centralizing of federal network security. We can't have 130 CISOs in the federal government. We need CISA to be that quarterback and that CISO as Dmitri said, and identifying and prioritizing the most critical points of failure and layers of systemic importance across the system. And we need to enhance its ability to understand what is truly critical and systemically important, critical infrastructures very important. And we need to continue to have a professional workforce. And that's going to continue to be a huge portion of every day that Jen Easterly is there. It's hard to keep the private sector, but we have to appeal to people's better angels, at least to come and serve for a while, because we need them. So those are kind of the priorities. And I think you'll agree to kind of jump back with what Silverado’s priorities are. And I'm excited about that, and much more to talk about, but I don't want to hog your time here. And I'm happy to yield back.
Dmitri Alperovitch 10:35
Now, that's great. I'm sure Rob is very pleased to hear about your continued support for CISA and the authorities and resources that it needs. Rob, what’s your view on what else needs to be done and how we're doing today?
Robert Silvers 10:49
Yeah, absolutely. First of all, thank you, Dmitri, and thank you to Silverado. What a great and timely event at the start of the year. So at DHS, we are focused primarily on two priorities when it comes to cyber. The first is protecting critical infrastructure. The second is protecting our federal civilian agency networks, both categories the American people rely upon every day. And so that's where we're laser focused, you know, on the .gov protection side. Our strategy is to increase our visibility into what's happening across US government networks, and then to get more operational, and how we can help protect those networks. I think, as Ranking Member Katko said, having 100 plus different CISOs, all acting independently is not the correct model. And what the ranking member supports and where we really have been focusing is having CISA taking a more and more empowered role to know what's happening first. And then to be able to step in. And I think some examples, for example, is how CISA has been deploying endpoint detection and response technology across the federal enterprise. And then using authorities that were passed in the National Defense Authorization Act, two acts ago, is implementing its persistent threat hunting authority, so that not only that CISA knows what's happening, but can actually go in very quickly to federal agency networks, and hunt for threat actor activity. And that's just an absolute game changer. And we can't do that without Congress. And so it's just a great example of a joint effort.
I think this year, we're looking to just absolutely scale up and get more operational. And I think, Dmitri, the proposals that Silverado put out last night in that regard are just absolutely terrific and really deserve a lot of very close attention from the executive branch and the legislative, on the critical infrastructure and protection and private sector side. Our strategy is to move from declarations of partnership to operational collaboration, really working shoulder to shoulder with the key private sector participants who sit on top of the infrastructure that our businesses and our people rely on in this country. And that's a force multiplier, if you can be working with the cybersecurity companies and key technology platforms that are providing the infrastructure that underpins basically everything. And if you can do that successfully, you then ripple out better security to hundreds of millions of Americans and businesses. And that's the whole goal. We've been doing that through the Joint Cyber Defense Collaborative at CISA, which was rolled out last year by Director Easterly. And it's just amazing to watch how we get an initial sense of something that's of a threat, we pass that around to JCDC members, they look for it in their environment, we enrich the data. And when it comes out the other side, we have something that really represents a view of that threat from all the key for many of the key players in the system. So that is our strategy and stepping that up with Congress's support is also going to be what we're looking at in 2022.
Dmitri Alperovitch 14:09
Great, and thank you so much. I noticed Congressman Clarke, you're able to join us. I know you had a very busy morning. Really appreciate having you with us. And we'll go straight to you, if you don't mind. We just kicked off the introductions. And really I posed the first question to the panel, which is to grade the US response to date on cyber issues and cyber threats and offer your views on what more can be done going forward, what resources may be needed, and how do you see cyber priorities in your subcommittee that you chair.
Congresswoman Yvette Clarke 14:45
Well, let me first of all, thank you for having me, Dmitri. And good morning to everyone. You know, the 117th Congress began in the midst of the federal government's response to the SolarWinds supply chain attack, the sophistication of that coupled with how long our adversaries were able to persist in our networks undetected, rattled all of us and served as a critical call to action. You know, as Congress and the administration work together to enact meaningful overdue cybersecurity legislation, foreign governments and cyber criminals continue to exploit vulnerabilities to gain unauthorized access to US networks and extort money. The end of our grueling year of network defenders was ultimately capped off by news that a piece of widely used open source software, Log4j, could be easily exploited to grant an adversary access and control of an affected system. So I'd like to commend Rob Silvers at DHS who has worked through the holidays to help government and private sector entities remediate the Log4j vulnerability.
The past year has taught or reinforced three lessons that I think should inform our work as policymakers. First, we will never be able to prevent all cyber attacks, but we can limit their impact. We must rapidly report and share information about cyber incidents to stop malicious cyber campaigns in their tracks, and then focus on building resiliency. Second, we cannot take the security of our network devices or software for granted. We must adopt zero-trust policies to secure our networks and rigorously and continuously vet the security of our devices and software. And then finally, the government alone cannot address the cybersecurity challenges we face. It is critical that we look at making sure that all we have accomplished in terms of making sure that there's an appropriate role for everyone from the federal government and big businesses to small companies and individuals. And toward that end, my priorities for the remainder of the 117th Congress are to get Cyber Incident Reporting Legislation across the finish line, continue oversight of implementation of Executive Order 14028 to ensure that federal security efforts are resulting in security gains, and further clarify the roles and obligations of government, big business and small businesses and raising our national cybersecurity posture. As we work to understand these roles and responsibilities I look forward to more closely examining the Cyberspace Solarium Commission's recommendation related to systemically important critical infrastructure which has been championed by Congressman Langevin and Ranking Member Katko.
I would be remiss if I did not also mention how disturbed I am by how the free flow of misinformation is undermining public confidence in the democratic institutions and faith and other parties, like the public health community. As a member of both the House Homeland Security Committee and Energy and Commerce Committee, I'm committed to doing my part to ensure that federal agencies like CISA are doing everything within their authorities to build the confidence in democratic institutions, to debunk misinformation, and rein in unchecked social media companies to confront the erosion of our information ecosystem. And next week, my subcommittee will hold a hearing on election security and I will introduce legislation to authorize the rumor control website. I will continue efforts to rebuild public confidence and democratic institutions throughout the Congress. So once again, let me thank you, Dmitri, for having me this morning. I apologize for the slight delay, but I look forward to our discussion.
Dmitri Alperovitch 19:13
Thank you so much, Congressman Clarke, and thank you for your leadership and your comments. Bryan, let me turn it over to you. Because 2021 was a very busy year for the FBI in the cyber division specifically, and you've had some tremendous successes in the fight on ransomware. And certainly nothing sends a message to hackers like handcuffs. And you guys have had just a terrific set of initiatives to combat both ransomware and other forms of cybercrime and nation-state sponsored attacks. So what is your view on how the United States is doing particularly the FBI in this area and what more can be done and what resources may be needed?
Bryan Vorndran 19:55
Sure, thanks for the opportunity, Dmitri, and good morning to everybody. In terms of the question in terms of grading us, we say in the FBI—and I know our interagency partners at Cyber Command and NSA, DHS, CISA, all over say the same—which is that cyber is the ultimate team sport. And that means that it takes all of us and we all have unique authorities and unique capabilities. And it's the totality of that collection in the interagency with the private sector that ultimately allows us to witness war. We are getting better by the week. My time in this seat goes back almost one year now. And when I look at the maturation of the interagency and the maturation of DNR agency with the private sector, we are making progress every week. And I think that's something that the entire public should take comfort in and have faith that we're going to continue to improve as an interagency. One thing that I think to double down on is that it does take all of us, it is not just the Department of Justice or the Department of Defense or Department of Homeland Security. There are unique authorities and capabilities, appropriately by Congress in each one of our agencies and departments. And it will take all of us, the FBI specifically, moving away from an indictment and arrest first model and to the totality of imposing costs on our adversaries. And we're making tremendous progress there. There is a right time for indictments and arrests, and certainly one of our goals is to take players off the field. But at the end of the day, we're a team member first before we're prioritizing our own authorities.
In terms of resources needed, we can certainly do more with more. From the Department of Justice and FBI perspective, I would highlight one item. The Department of Homeland Security and Department of Defense both have special pay authorizations for cyber skills. We do not have that in the FBI, and that allows DHS and DOD to pay computer scientists at a rate of about 50% higher than the FBI can. And so that is a challenge for us to acquire talent. We've done great acquiring talent, but with the race for arms for cyber talent, that's going to be a focus area.
I think the other piece that's obvious is the cyber incident reporting legislation. That is a need. And so let me just say a few words on that. You know, it's a tough town and to get things done, and we at the FBI applaud the work done by those on the current Cyber Incident Reporting legislation. There seems to be a misunderstanding that the FBI specifically is looking for a dual seal program with the legislation, meaning that companies would have to report to both CISA and the FBI — and that isn't true. What the Department of Justice and FBI is looking for is legislation that includes language about the FBI having real-time and unfiltered access to instant information that is reported to CISA, and that can likely be accomplished by a few words or a sentence in proposed legislation. I think the obvious question from this group should be why do we want that language in the legislation, and the FBI and by default our government and the American people have invested enormously in. The FBI is a decentralized workforce. We have just this is just people working cyber 650 FBI agents nationwide. 150 intelligence analysts, 150 computer scientists, and that doesn't account for people in Washington, DC, dedicated cyber professionals throughout the country, that decentralized workforce is a huge strength for our government, especially given the FBI statutory authorities for incident response, counter intelligence, domestic intelligence and computer intrusions. You know, we can put a cyber-trained FBI agent on any doorstep in this country within an hour. And we can actually do that anywhere in this country or in 70 countries within about one day. And we know that getting to victims, that moment of cyber intrusion is really, really important in a quick time period. So my question is a simple one with that knowledge that time matters in our world of cyber. Why would we as a government not arm CISA and FBI with cyber incident reporting data at the same time? 
It just seems that we would want to provide our American people the full might of the US government immediately.
In terms of emerging threats, certainly China is a major threat to us. They are requiring US based companies to download certain software packages, and then they're stealing information from those software packages just for the ability to do work in China. You know, we have seen cyber adversaries increase their capacity for stealth type work in recent years. For example, over the next five years, we will see disruptive virtual asset innovations in blockchain technology, decentralized finance, central banks, digital currencies, which will very likely create unprecedented financial conduits for illicit actors. And we're very, very focused on what we refer to as synthetic content. What the general public knows is deepfakes. And I know Representative Clarke has done some tremendous work in this area. But this is becoming a very, very significant concern for us in the cyber criminal space for basic tenets such as social engineering and spear phishing, but it then runs the gamut of what's in the realm of the possible for nation states.
We heard Representative Clarke mention disinformation and misinformation. And certainly synthetic content is going to be a true catalyst for that as well. So Dmitri, I really appreciate the opportunity and look forward to any further questions.
Dmitri Alperovitch 25:34
Thank you, Bryan. And you know, you’ve spent some time on Cyber Incident Reporting, which is actually number one priority in our Silverado recommendations that we just put out. So let's jump in. And if I understand you correctly, Bryan, what you're asking for is really that as legislation mandates CISA is going to be the primary ingest for reports coming from the private sector, but you want that to be immediately shared with the FBI so that you can take action within your authorities on that information. Is that correct?
Bryan Vorndran 26:06
Yeah, Dmitri, I appreciate the opportunity again. So yes, we are completely supportive of the private sector reporting all of the cyber incidents to CISA directly. And for the audience's knowledge, our relationship with CISA, certainly at the headquarters level, but even nationally is tremendous. You know, my relationship with Rob is great. My relationship with Jen Easterly and her staff were fantastic. And I think that speaks to the spirit of our alignment on the support for the legislation. But, you know, in legislation, it's also important for us to have our authorities accounted for and that additional sentence would go a long way. So that we would have unfiltered real time access to the data so that we could truly leverage our deployed decentralized workforce as quickly as possible, given the countless number of examples we all have, about how important it is for us to engage victims face to face as soon as possible.
Dmitri Alperovitch 27:05
Got it. So Rob, let's go to you for your reaction to Katko's comments. And then we'll go to members of Congress for an update on that legislation that I know Congresswoman Clarke and Representative Katko have been working very hard on.
Robert Silvers 27:21
So Cyber Incident Reporting legislation is our top legislative priority in cybersecurity for 2022. We were disappointed it didn't make it into the NDAA. But we are very optimistic about the really strong bipartisan support behind that kind of legislation. And so we're very optimistic that it will, working together with Congress that hopefully will get that through very soon through a different vehicle. And I just want to thank Chairwoman Clarke and Ranking Member Katko, who have both put their name on that legislation. It's hard to overestimate what a game changer it will be in terms of giving the government visibility into the threat landscape. I mean, you cannot defend what you cannot see. And in terms of responding to particular incidents, we need it. And in terms of developing trend analysis and understanding what we're looking at in the big picture, we needed to add fields like ransomware, and otherwise and other emerging threats. So it's just critical, and it's a huge priority. In terms of sharing with the FBI and other federal agencies with a need to know, there is just no question that however Congress decides to allocate the different roles and responsibilities in the bill, what we are going to do in the implementation is we're going to share the reports immediately, with the FBI, and with other federal agencies that have a need to know. I mean, we stand shoulder to shoulder with the FBI, we work with the network defender community on what we call the asset response. But the FBI is just indispensable when it comes to investigating the threats. And then you said, Dmitri, nothing puts the scare in someone like handcuffs. And that's what the FBI does, together with the Secret Service and other enforcement agencies. And so that information is going to be shared immediately in the implementation regardless of how an ultimate bill is cut.
Dmitri Alperovitch 29:33
Great. Well, maybe Representative Clarke, we will go to you and then to Representative Katko. You know, it was very disappointing to see that despite all of your hard work and the House passing the Cyber Incident Reporting legislation last year, it did not make it through the Senate in the NDAA. What are the prospects for that bill this year, and how do you respond to the comments from the FBI on the need for reporting to the FBI from CISA?
Congresswoman Yvette Clarke 30:06
Well, Dmitri, first of all, let me say to Ranking Member Katko, it's good to see you this morning and that you're able to build up that energy, because we're in this fight together. I'm committed to getting the cyber incident reporting across the finish line. And I know that my colleagues on the Senate Homeland Security and Governmental Affairs Committee are just as determined. Last year, we worked diligently, tirelessly to reach an agreement on the final text. And we did reach an agreement, just not in time for inclusion in the NDAA. That said, this legislation is a top priority for Congress, the administration, and even many in industry, and with so much momentum on our side, I'm confident that we'll find a vehicle to move this legislation and get it to the president's desk this year. But now, it's no time for us to rest on our laurels, we have to fight to make sure that it gets enacted. And I plan to do just that, Dmitri, whatever is moving, we're gonna find a way to get this legislation passed.
Dmitri Alperovitch 31:15
That's great. I'm sure everyone's glad to hear that commitment. Representative Katko, your view and any thoughts on the FBI comments on this legislation?
Congressman John Katko 31:27
Well, first of all, good to see you. Thanks for the kind words. This did not get me very badly. And for me to be sitting home and doing nothing is very difficult. So I'm going to keep them busy. But I echo Yvette’s comments completely. We will find the vehicle to get attached to. Even if it doesn't pass on its own as part of a bigger, broader bill. I think we will get it done. And I just want to take a step back for a second. And you know, this segment is the FBI, because I worked with the FBI for 20 years before coming to Congress as a federal organized crime prosecutor and back pre-9/11. The problem was that the agencies weren't sharing information the way they should, and there wasn't that flow going across agencies. While the problem here is different in that it's the private sector with the government, in the flow of information, the end problem is the same. If you don't share that information, bad things are going to happen. And that's why the more views we can get on the playing field, as Rob said, the better we can all be effectively. We're already working very, very well together amongst the federal agencies, in my opinion. So this incident reporting is really kind of, I think, the last piece to really turbocharge that effort. And that's why this piece of legislation is so important.
I also would argue that the SICI legislation is equally important, systemically important critical infrastructure, because we've got what you know, the established flow of information. We’ve also got to look at the critical, the most critical of the critical sectors and say, Okay, how do we best make sure that bad things don't happen to them unless you have information. So we have to have that information going, flowing. And that's why this is so important. So it's, I hope it's heartening to everybody out there. I could give a damn whether that's Republican or Democrat, I think she feels the same about me. Nobody here cares about which agency to work for, we are all on the same page. And we just know that is what we need to do to make things better collectively. And incident reporting is a huge part of that. And going forward, I'm fairly confident we will get across the finish line this year. For all of you out there, I strongly encourage you to continue to make a lot of noise regarding this because the more noise you make, more likely action will occur. So keep it up.
Dmitri Alperovitch 33:48
That's great to hear. Let me turn it over to ransomware. The ransomware attacks are certainly proliferating. And as we face enormous tensions with Russia right now, or a potential invasion of Ukraine, we've already not been getting much cooperation, of course, from the Russians on ransomware actions, and should they invade and the relationship completely deteriorates, we can expect many more attacks than we're even seeing today. And Congressman Clarke, I know you just recently had a hearing at your cybersecurity subcommittee of the Homeland Security Committee that you chair on the issue of ransomware. Can you share some of the top takeaways that you had in that hearing?
Congresswoman Yvette Clarke 34:31
Absolutely, Dmitri, you know, we've got a lot of top priorities. Ransomware is one of them. And we held a hearing on the recommendations of the Ransomware Task Force in May, and then days later, the Colonial Pipeline ransomware attack occurred. We, of course, have held hearings and conducted a lot of oversight on the response to that incident, and then, most recently, we held a subcommittee hearing on DHS's contribution to the whole-of-government effort to addressing this challenge, where Under Secretary Silvers testified. If there's one single takeaway about ransomware, it is there is no silver bullet for addressing the challenge. And it really requires a multidisciplinary approach, which is why I'm glad that the Biden administration has brought together multiple departments to work on this challenge. Addressing ransomware requires looking to law enforcement, intelligence agencies, network defenders, diplomats and financial regulators, among others, to work collaboratively. To reduce our risk, we have to lower the profits and raise the costs of ransomware attacks. And I think the Biden administration is on the right path. It's fully leveraging the authorities across federal agencies to claw back ransomware payment ransom payments, and shut down infrastructure cyber criminals use to carry out these attacks. It is doing a full-court-press public awareness campaign about how big corporations and small businesses alike can defend against and build resilience into ransomware attacks. And it is engaging the international community to disrupt cyber criminals, tamp down on the use of cryptocurrency to launder payments, and shame countries that harbor cybercriminals to step up. Despite these efforts, though, there's still a lot of work ahead.
A major takeaway from the ransomware hearing was that without adequate data, it is difficult to assess the scope of the ransomware epidemic and to measure if our efforts are making a difference. So it is another reason why enacting Cyber Incident Reporting legislation is so very important, so we can get a better grasp on the trends over time.
Dmitri Alperovitch 37:07
That's good to hear. Congressman Katko, we just put out at Silverado some recommendations because we feel that cryptocurrency really fuels this epidemic, and particularly foreign cryptocurrency exchanges. They're not doing KYC, they're not doing AML, and they are being abused by criminals to take the Bitcoin or Monero cryptocurrencies that they get through these ransoms and then convert them into dollars and convert them into euros so that they can buy various goods with those illicit profits. We believe that more needs to be done to give the government the authority to sanction exchanges that don't abide by those rules like the US exchanges do, and have an equal playing field for US institutions that are engaged in cryptocurrency and are following those regulations, to make sure that the foreign exchanges have to do the same. Any thoughts on our proposals here? And what else do you think should be done on the issue of ransomware?
Congressman John Katko 38:08
Yeah, I totally agree with what you're saying. And again, I agree completely with Yvette. And Andrew Garbarino now is the ranking member on that subcommittee and his marching orders for me are to make sure that this is priority one along with everything else I've been working on. But you know, going back for days, as a prosecutor, the hardest thing for the bad guys to do when I was a prosecutor was to hide their money. And cryptocurrency is a game changer in that regard, because it's a much easier way and it's an unregulated area. And I think one of the best shockwaves that was sent to the bad guys was by Colonial Pipeline. In that incident, the FBI was able to go back and trace some of that cryptocurrency. That was a breakthrough for me, as far as sending a message to the bad guys. So obviously, bad actors like China and Russia need to be held accountable for sponsoring or tacitly allowing these attacks to occur in the way they do. And we haven't clapped back in the way we should. Sanctions are very, very important. And coming back with a more than measured response is very important. I think, getting the C suites to understand and I think that getting there, not all of them, understand that their CISOs need to be in the C suite. They need to be there right alongside because if you have a cyber attack, and you and there's defenses out there now there's things you can be doing. And there's lots of technology, if you're not prioritizing and spending the money, shame on you, and there should be consequences for that. I'll give you an example. Colonial Pipeline came before us and hearing told us about all the things that we're doing to harden our networks now. And my simple question was, why weren't you doing that before? And I think that's the mindset we've got to get into corporate culture. And I totally agree with Yvette again, Incident Reporting again, is front and center here because once we know the different tactics that they are doing, we can better work with the private sector to help them with advisories as to how to prevent these things. But everybody has to up their game. And I think, also the component that's lacking right now that we need to do more of, is how to better track the money, the cryptocurrency and how to really clap back against bad guys. So everything that was said plus what I said, I think that's what we need to do. And there's no doubt about it. This is probably the preeminent threat to our country right now. And we are in the infancy of this war. But we need to, we need to fight it on all fronts. And we got to continue to do that.
Dmitri Alperovitch 40:44
Well, if it is a war, I know the FBI is really on the frontlines here of the ransomware fight. And, as Representative Katko just mentioned, Bryan, you guys have had a number of successes of not just tracing cryptocurrency payments, but actually getting them back, working with other agencies to get back the ransoms from the Colonial Pipeline hack and some of the others as well, and, you know, I wonder if you can elaborate for us, and for those that are listening, how is the FBI working with victims of ransomware attacks? Why is it important for them to contact you right away when they get a blackmail notice from a ransomware group? And also, if you're able to comment on the other part of our proposal here, which is really using OFAC authorities, that is doing good work on sanctioning ransomware entities to also think about, you know, adding Bitcoin wallets and credit card numbers and other things to the list so that those transactions can be blocked when those criminals go and try to procure infrastructure in the United States and elsewhere, that they use to facilitate those attacks.
Bryan Vorndran 41:59
Sure, thanks, Dmitri. You know, in terms of the FBI successes over the past, let's just say beginning with Colonial moving forward, specifically with REvil, I would just say that, while we may be the ones in the press announcing those wins, and those benefits the American public, the reality is that those are collective efforts between DOD through NSA, and through Cyber Command, with CIA, with ODNI, with DHS and CISA and Secret Service. And obviously, with the private sector partnership, some of which are Bitcoin exchanges that are cooperative and that are doing the right thing. But it is the totality of those efforts that allow us to be successful, or the totality of those partnerships is probably better said. Certainly, the Colonial seizure is a big seizure, but there's certainly a lot more than that that's been seized. It just may not be public. But again, I would point back to the totality of the US government team working with private sector partners, because it does take all of us and we continue to mature very, very well in that space. In terms of the sanctions, my comment would be this: the more difficult we make it for our adversaries to do business, the more challenging it's going to be for them to be successful at winning. And National Cyber Director Chris Inglis has a great line that basically says in order to beat one of us, they have to beat all of us. And I think that's well said. And in beating all of us, we have to bring all of our instruments of power into play, certainly sanctions on Bitcoin wallets or money or virtual currency tumblers. The list is endless, right. But essentially, those entities out there that are doing business with criminals that are allowing them to facilitate virtual currency, certainly need to be a target and have been a target. But I would just bring it back to Dmitri, that is critically important in terms of sanctions and using OFAC regulations.
But just as important as all national instruments of power, it truly will take the maturation of all those instruments of power to really make the cyber ecosystem just so challenging for adversaries to negotiate to actually win over all of us.
Dmitri Alperovitch 44:19
Thank you, Bryan, and thank you for highlighting the role that others in the intelligence community and other departments have played in this fight. But I do want to compliment all the agencies that have been involved for the incredibly rapid action, almost unprecedented rapid action on these issues. I think within a few weeks of the Colonial hack, you were able to retrieve that money. You know, I never thought that the government could operate that quickly. And it was just amazing to see everyone coming together to deny criminals the benefits of their actions.
Bryan Vorndran 44:55
Let me, let me just have one note. That was a great day, but probably an even better day was when we heard that Yaroslav Vasinskyi was in custody overseas after conducting the hack against Kaseya. That was a really great day. And the international partnerships through the law enforcement and Intel side is just tremendous to get something like that across the goal line, so credit to the entire global community is really acting in a way that benefits our national security.
Dmitri Alperovitch 45:22
Great. Let me turn it over to Representative Clarke and Katko. You know, one of the things that I've always been very passionate about is how critical speed is to winning this fight in cyberspace, that at the end of the day, we have to be faster than our adversaries to win. I always thought that we needed to be able to hold agencies accountable and how well they're doing with the resources that Congress has given them to defend their networks. And we needed better metrics to understand who's doing well, who's not doing well, and, and how to leverage, frankly, the learnings that we can get from the agencies that are at the forefront of being able to defend themselves extremely well and spread that across the entire US government. Whether it is speed-based metrics that we have suggested in our Silverado priorities or something else, what else do you think needs to be done to protect federal government networks? Congressman Clarke, let's start with Congressman Clarke.
Congresswoman Yvette Clarke 46:19
Sure. Well, I think first of all, the President's executive order on improving the nation's cybersecurity posture is a historic effort to strengthen our cybersecurity defenses with the latest best practices and takes a lot of important steps to strengthen the protection of the federal networks. So we need to make sure we follow through on implementing those practices such as developing a zero trust architecture with basic hygiene, cyber hygiene like multi factor authentication. And unfortunately, the federal government is behind where a lot of the private sector is, even though defending the federal network is essential, so we need to progress quickly.
Additionally, as SolarWinds highlighted, some of our federal cyber defense programs are simply outdated. So we must modernize the Einstein programs to include the latest endpoint detection and response technology so we can better detect intrusions. The federal government needs to be able to respond faster. But first, we need to be able to quickly identify when an attack has taken place. Relatedly, the SolarWinds attack created a sense of urgency related to updating FISMA to reflect today's threat environment. The Senate Homeland Security and Government Affairs Committee has approved its own version of an updated FISMA and the House Oversight and Reform Committee released a draft this week. FISMA was last updated in 2014, before CISA was even created. So a major priority for me is ensuring CISA's central role in defending federal network is emphasized in this critical legislation. If we learned nothing else this year, it is that we cannot wait for a crisis to evaluate how we defend our federal networks. We must continue to assess and improve, and that's why I'm pleased the FY 2022 NDAA included language directing CISA to regularly assess and improve the federal network security programs to reflect the threat environment and evolutions and technology. But more broadly, FISMA reauthorization is our best opportunity to raise the bar of federal network security. In my view, FISMA must codify the central operational role of CISA as set forth in the executive order and ensure that CISA’s capabilities and expertise are fully leveraged to drive better security concerns and outcomes and develop a framework that drives strategic decision making and investments to manage risk. I will continue working with my colleagues on the House Oversight and Reform Committee and the Senate Homeland Security and Government Affairs Committee to ensure that we can enact a bipartisan, bicameral bill.
Dmitri Alperovitch 49:33
It's great to hear. Congressman Katko, your thoughts on this issue?
Congressman John Katko 49:38
Speed in response to cyber attacks obviously is a critical issue. If you have 100 and some odd different agencies with different CISOs dealing with it differently with different competencies and skill sets and funding levels, you're going to have problems, and that's just another reason why if you want to have speed and response to these things CISA needs to be the quarterback. And not just a name, not quarterback in name only, it has to have the tools at their disposal to have kind of the governance over the entire .gov domain. And if they have that, I think response times naturally much quicker, and much more competent. So, as we've all been talking about building up CISA, and continuing to get put into directions it's going is gonna be critically important, I think. But this Log4j showed that the model can work and it does work. And we've got to do that even more. So going forward, I agree with about two of the FISMA pledges reauthorization, percolating in a sentence can be very important. But from a conceptual standpoint, smooth, smooth things out and putting CISA at the helm, and allowing them to make sure that they can respond to that, or if it's an attack at one agency or all agencies that they can respond in a very quick, very confident manner. That to me is absolutely critical.
Dmitri Alperovitch 51:04
Great. Let's go to audience questions. We had a number of questions that came in, one from Eric Geller from Politico, who is asking this for Congresswoman Clarke and Congressman Katko. Can you be more specific about the vehicle that you're hoping to attach the incident reporting legislation to? When major bills are coming out that you think you can slip this into any thoughts that you're willing to share at this moment?
Congresswoman Yvette Clarke 51:30
Let me just say that, you know, where we can find a nexus, we're going to attach this legislation. It's just really critical. We all understand. And I think we've come to a consensus. So I can't be as specific as I'd like, because we know things are fluid in the House, but where we can find that nexus, we're going to move.
Congressman John Katko 51:54
Yeah, I totally agree with Yvette and you know, the Senate seems to be able to take about 50 or 60 different bills rolled into one bill and then pass it and, you know, in the dead of night, suddenly, it's done. So, I mean, last term, I think I had six or eight of my bills thrown into the NDAA at the last minute. So whatever vehicle we can find, to get it, we were going to get it. And I think that's the goal of everybody. I would probably look on the Senate side probably is a better, better opportunity to do that. But we'll see. I like it, like you've said, anything anybody can find, whether it be the budget, whether it be whatever, we're gonna throw it into it, and keep trying to get it done. Because I think everyone realizes that was a mess last year, we need to get it done.
Dmitri Alperovitch 52:38
And Ranking Member Katko, let me take the opportunity to follow up on another issue that is adjacent to cyber, but certainly very, very critical. And that is the USICA bill that is in Congress, and particularly the CHIPS Act authorizes funding for our semiconductor industry to give us a competitive edge, particularly over China's, which is making a lot of headway in that. I know this is an issue that you're passionate about. What are your thoughts on the CHIPS Act and its prospects this year?
Congressman John Katko 53:04
What I can tell you right now, we gotta get that done. And we should have gotten it done last term and or last year. And I'm hoping that this is a high priority. I know there were a lot of other legislative priorities on the Democratic side in the House. And I completely respect that and understand that from a strategic standpoint, but from a vulnerability standpoint, I can't think of anything that's more important right now than trying to get work on supply chain issues. And CHIPS Act is certainly a supply chain issue. We, at one point this country had close to 40% of the world's chip manufacturing, and we're down about 12%. You can't afford that, especially when China's rattling its saber at Taiwan. If they decide to go into Taiwan, we're in real big trouble. Look how many cars are sitting there, not being able to go to market because the rate for the chips to come. So really domesticating chip manufacturing is critically important. And I may say so selfishly as well. We have an unlimited supply of water here. We have a 1000 acre campus that's ready to roll and we have a power source that's second to none in the country. And we're about at the five yard line with a major chip manufacturer to relocate into Central New York, which would have an unprecedented impact on Central New York at universities. It's worried that with employment here at the academy, but also for national security, we cannot afford to be vulnerable with supply chain issues now like the CHIPS Act. So I'm hoping that we move it soon. I know in the House the theory was to break it up a bit. But let's not forget, that came out of the Senate in a very bipartisan manner. And that can't be lost on anybody. And so to me, the CHIPS Act should actually be priority one on both sides of the aisle this term and I'm very hopeful, and maybe Yvette can shed a little more light on what she's hearing from her side because I know if it goes up for a vote on our side, there'll be plenty of votes to support it. So I'd love to hear what Yvette's hearing from her side.
Congresswoman Yvette Clarke 54:58
Well, I can tell you that we've got so many different priorities, we've thrown a venue right now to talk about at least five of our top priorities. Clearly, you know, we have to widen our aperture to address the issue of chip manufacturing, semiconductor manufacturing here in the United States of America. I mean, that is a major vulnerability to our modern civilization. And so, you know, we'll, I'm sure the conversations will continue, how we can get that to the top of the pile will be something that we could discuss together, John, but at this stage, again, there are just so many top priorities. It's not lost on anyone. It's how do we sort of the playing field to make sure that we can get as much done as quickly as possible before the end of the session?
Congressman John Katko 55:56
I'll add one thing that I just reminded myself of. Senator Schumer is up for reelection this year. And he would really like to be able to announce a chip manufacturing plant in upstate New York. So I'm relatively confident he'll figure out a way to get it done. He's a very, very smart man. So I'm hopeful.
Dmitri Alperovitch 56:13
Great to hear. Rob, I know that even though Commerce has been leading some of the efforts on the chips issue, Secretary Mayorkas has been very supportive of trying to address the challenges of the sector from a national security perspective and securing the supply chain in particular. Any thoughts that you have on this problem?
Robert Silvers 56:36
We endorse the CHIPS Act in the strongest possible way. This is critical to our competition with China, it's critical to our national competitiveness. It will create jobs and opportunities here. I also think it's important from a homeland security perspective, when we're talking about a chip shortage, you know, critical infrastructure uses chips too, and in terms of ensuring reliable supply chains, and reliability and continuity of essential services. This is just absolutely an essential and probably underappreciated national priority. Secretary Mayorkas endorsed the CHIPS Act publicly last month, and we are all-in behind it.
Dmitri Alperovitch 57:21
Well, unfortunately, we’re at time, but this was such a great discussion, and I can't tell you how heartened I am to see a very bipartisan discussion between a Democrat and Republican on these issues, truly showing that cyber is a bipartisan issue. And it's great to see the cooperation between DHS and FBI to work hand in hand together to solve our critical national priorities on cyber. So again, just want to thank you so much for participating in this discussion. We hope to have many more of this kind at Silverado, and we urge everyone to take a look at the priorities that we put out last night on our website at www.silverado.org that we think Congress should consider this year and beyond to get our nation on track to resolve these issues. So thank you to our fantastic speakers and for taking the time to share their views and their recommendations. And we really, really appreciate your leadership, particularly the leadership of Congresswoman Clarke and Congressman Katko in Congress, leading the path on Cyber Incident Reporting legislation, empowering CISA and so many, many other priorities and of course, Rob Silvers at DHS, Bryan Vorndran at FBI, thank you again for what you do day-to-day to keep our nation safe and secure. Thank you very much and we look forward to having you at our future events. Take care.