Cybersecurity remained a top concern for the Biden administration and Congress this week as the White House finalized an executive order in response to the Russian SolarWinds attack, the Justice Department kicked off a 120-day cyber-preparedness review (in addition to its newly launched ransomware task force), and a House cybersecurity subcommittee heard from experts about how to prevent ransomware attacks — and the severe damage they inflict on businesses.

Meanwhile, the push for increased cybersecurity funding continues. The top Republican on the House Homeland Security Committee called on Congress to give the Cybersecurity and Infrastructure Security Agency (CISA) a $5 billion budget, which is more than double its current funding level. And experts urged lawmakers to include cybersecurity funding in the $2-trillion-plus infrastructure proposal. The plan will fund new bridges, roads, ports, and other facilities.

“Designing and building security into any complex infrastructure with digital components in the beginning is far more effective than trying to ‘bolt’ it on after the fact,” Grant Schneider told Politico. Schneider served as the federal chief information security officer and as a National Security Council senior director for cyber policy from 2017 to 2020.

Also this week, the Cyber Readiness Institute (CRI) called on the Biden administration to prioritize small-business cybersecurity. It recommends, among other actions:

  • launching a national cyber awareness campaign to promote cyber readiness
  • creating a cybersecurity resource center for SMBs within the federal government
  • offering cybersecurity tax credits; and
  • setting minimum cybersecurity standards via a public-private collaboration

SDxCentral sat down (virtually) with Kiersten Todt, a former cybersecurity advisor to President Obama and current CRI managing director. In addition to discussing the CRI report, we chatted about the Biden administration’s cybersecurity strategy and key hires, the role of government in helping organizations prepare for and respond to attacks, and what cyberthreats keep her awake at night.

There’s so much happening right now in Washington, cybersecurity wise, but maybe we can start with funding.

Todt: With the budgeting of resources, one of the good pieces that we’re seeing is a unified opinion identifying CISA as the operational agency for cyber. I’ve heard this from senior leaders in industry as well as some members of Congress that CISA is this agency, it has these authorities, so now let’s give it the money to do the work. I absolutely agree with that approach, and particularly looking at the need to focus on the defense of networks. Networks are critical. After-actions are nice to focus on because they can be very compact. We can discuss what happened and lessons learned, but what we really need to be looking at is how to prevent the events, and how do we defend our networks in a way that encourages us to be more resilient. The money that is currently allocated — but then even additional monies to be allocated — to CISA is important and necessary to evolve the agency and to evolve our government approach to cybersecurity.

Do you think it’s likely that Congress will approve a $5 billion budget for CISA?

Todt: I won’t speculate on where I think the number is going to be. What I do think is that it’s going to be a statistically significant amount that will make a difference.

Looking at overall cyber funding, what are going to be the key indicators that cybersecurity is a top priority, both in terms of securing our infrastructure and IT and OT systems, as well as overall cyber preparedness and readiness for the government?

Todt: Money is obviously the first step. The second step will be the people that have oversight over that money, and the nomination of Jen Easterly to be the director of CISA is absolutely a tremendous step in that direction. Jen has deep operational experience at a Fortune 100 bank over the last four years, and she’s worked in the White House. It’s one thing to have the money, which is absolutely an important step, but then it’s another to have the vision for how to have oversight and execution of that, recognize the depth and the breadth of the issues around the defense of our networks.

There’s also been a lot of discussion around the importance of small businesses. I was just catching a little bit of Ali [Alejandro] Mayorkas’ talk on ransomware [in front of the House subcommittee] and how important small businesses are in our infrastructure. That’s the mission of CRI, and I think you’re seeing the recognition that small businesses are a fundamental part of our digital economy, and helping small businesses is a national security interest. Seeing that [small-business focus] as a component of this money and as it’s being spent will be important.

What are some of the concerns that are really specific to small businesses, and what do they need from the government to be prepared and protect their networks?

Todt: There are a couple of ways to look at this. Given the interdependencies of our digital economy, small businesses are part of our global supply chains. Right now they’re often the weak links because they don’t have the resources to defend their networks. If you think about a small business in a manufacturing supply chain, it runs on a budget that it has for several years to deliver the product, and now you’ve added a line item called cybersecurity in the last decade or so. Businesses are still figuring out what that looks like and what they can do without having to break the bank. The basic steps, and providing a repository of vetted resources for small businesses so they know where to go, are obviously very important.

And we’ve seen some really important behavioral change in this country as a result of campaigns. If we had one that focused on authentication, given that authentication really comes back to being the primary source of compromises across all major breaches, we could potentially go a long way in creating these cultures of security — not just for businesses, but for the nation at large.

What are some of these earlier successful campaigns that have changed behaviors?

Todt: The seatbelt campaign.

So, more general campaigns, and not specific to cyber?

Todt: I don’t think we’ve seen any specific to cyber. But, actually one of the interesting things that Jen Easterly was working on while she was at Morgan Stanley was kind of a “Schoolhouse Rock” for cyber, which is something we talked about on the [Presidential Commission on Enhancing National Cybersecurity] as well. It’s this idea of how do you make this information accessible to everybody so that it is understandable? You create that culture where people are not necessarily experts, but they have to be cyber aware.

I like the idea of a cybersecurity tax credit, and wondered if you are seeing any momentum behind that?

Todt: The idea for this actually came around the [Paycheck Protection Program] loans. We started talking with some of our member companies about how can we use these resources to help small businesses be more secure in the pandemic because we were seeing small businesses get destroyed by ransomware and phishing attempts. We were trying to look at this as how do we use this opportunity for the fast-moving funding that was going through, and dual-hat it with cybersecurity education. We’re now going to have a more deliberate effort, and I think we have a more open audience with some members of Congress and also with the administration in looking at how do you help small businesses invest in cybersecurity basics.

What else have you seen on the legislative front that would help not just small businesses but also enterprises and government be more prepared?

Todt: You just said the right word right at the end. I don’t think anyone would argue against the importance of notifying the government after a data breach. But I worry that if we only focus on what happens after an event that will distract us from focusing on preventing the event itself. And I haven’t seen any legislation that really looks at the defense of networks from the public and the private side. There are some great industry leaders that have talked about collaboration with government to do so. And the way that Anne Neuberger after SolarWinds activated the Unified Coordination Group with industry, while that was in response to something, it certainly shows a shift in thinking about how industry and government could come together before an event to share actionable intelligence and nation-state activity.

What do you think about the recent ransomware task forces, both the DOJ and the private-sector-led efforts?

Todt: [Acting Deputy Attorney General] John Carlin is tremendous to do this because he was dealing with this in the first degree in the private sector before he took on the role [at the Department of Justice]. His awareness of what’s happening in industry and putting forth some real, legitimate recommendations is important. I’ve talked a lot with [Institute for Security and Technology CEO] Philip Reiner and Megan Stifel [executive director at the Global Cyber Alliance and co-chair along with Reiner of the Ransomware Task Force] on this work, and hopefully CRI is going to be involved in helping them execute some of these actions. This is becoming such a huge weakness of our supply chains, and having these efforts that really look at not just the symptoms but the causes are very important. They bring forward some really thoughtful recommendations, and now we need to get these recommendations implemented.

How do we take that next step and move beyond recommendations to action?

Todt: I’m influenced by work that I had done a few years ago with the National Institute of Standards and Technology (NIST) on the voluntary Cybersecurity Framework, and that model of government as convener to bring industry together to discuss what works and what doesn’t. When we’re looking at ransomware we’ve got to make sure that we’re hearing the voices of those most affected by it, in collaboration with those who will legislate or create standards and regulations around it.

For example, last year when Treasury came out with the large penalties for companies that paid ransoms, my first reaction was that you can’t just impose the penalty without helping them understand how they can be a part of the solution. And so just telling a small business that they’re going to get penalized for paying a ransom doesn’t take into account where they are in the supply chain. Now this administration, with these task forces, is absolutely taking all that into consideration. So the hope would be that these recommendations can be converted into either policy, standards, or legislation, but they have to be developed with industry and government coming together to make sure that there is an awareness and a recognition of the real-life circumstances that these businesses are in.

What should the government’s role be in helping businesses recover from a ransomware attack?

Todt: It depends. If the business has done what it could to try to prevent itself from being a victim, and something still happens, particularly if it’s by a nation-state, then I think there is this opportunity for government to step in. Cyber is the only domain where we ask businesses to defend themselves, and I do think there is an opportunity here for government again to work with industry. It’s a hard question because it’s so much of an: if this, then that. Because if a business hasn’t done anything and if it’s been negligence, then what’s the role of government to come in? Versus if a business has done the standard of care, then what’s the role of government? These are some of the things that these task forces are really trying to understand.

That’s a really good point: Cyber is the only domain where we ask businesses to defend themselves.

Todt: It’s this constant understanding of where government and industry work together. I believe we’re getting greater clarity on that. One of the silver linings of SolarWinds was that we saw how the private sector was collecting actionable intelligence on adversary activity, and when you combine that with the government’s awareness of nation-state activity across sectors, then there is this very important, complementary information exchange that can happen, which quite frankly we haven’t had before. There’s always been a part of industry saying government doesn’t give us valuable information, and if they do, it’s too late. But what we saw with SolarWinds is that there was a mutual exchange of valuable information where we had the sum of the parts being stronger than the pieces themselves. That collaboration is an important step in hardening our networks.

I want to talk about SolarWinds and the upcoming executive order. First, have you seen the executive order?

Todt: I have not.

What are you hoping to see in the executive order when it’s released?

Todt: I would hope to see some thoughts on how to secure the supply chain, how to help businesses understand what their requirements are for being a part of the government’s supply chain. We’ve heard about the bill of goods and having transparent understanding into how software is developed. All of these pieces are important, and it would certainly seem logical that you would see some of these ideas represented.

And what should the government response be as we see more of these nation-state attacks? Are sanctions the way to go?

Todt: I believe that the sanctions on Russia were a first step. I don’t believe that this administration believes that’s the final destination. It was a quick and early action to say our efforts to stop you are underway. We have to look in collaboration with our like-minded economic partners and internationally at what are the consequences for malicious activity on the global stage against our infrastructure. I don’t think the United States should do that on its own, it should be in collaboration with other countries, you know [National Cyber Director nominee] Chris Inglis was quoted recently as saying, “To beat one of us, you have to beat all of us.” That’s a very important conceptual framework for how to look at this because we are not a country or an island. We are much better if we work together to deter nation-state activity, but also to identify consequences and penalties that compel our nation-state adversaries to change their behavior.

I go back to the Cuban Missile Crisis, and we were comfortable with the idea of going to war at the thought of just knowing that the Russians had put missiles on Cuba 90 miles off our coast. There was no intelligence saying they had the plans to do so, but just that idea that they were there was enough to bring us to that point. That’s not to say that we’re going to go to war, but it’s the idea that we’ve got to take action that compels a change in behavior on the part of nation states, or on the part of our adversaries. And again, that doesn’t come by us alone. It’s got to be in collaboration and collective action with our economic partners and allies.

What crosses that line? What constitutes an act of war versus a cyberattack, and do you see the new administration moving the needle on this?

Todt: The good news is that the people that are going into the senior cyber positions are those who have real understanding of defense and offense, military analogies and security analogies. It’s hard to know what crosses that line, but that’s where you come together to say here are the tipping points. SolarWinds is interesting because in the previous administration it was just this discussion around it being well-done espionage. It’s espionage right up until the point that malicious code is activated on a critical infrastructure network and it takes it down. That’s the challenge: We don’t often know the reasoning, or the desired effect of activity, and so being able to define what a serious act that mandates consequences or action is going to be something that has to be very well thought out, across countries, based on how countries feel their national and their economic security is vulnerable.

What keeps you up at night? What do you see as the biggest cyberthreats?

Todt: There are a lot of answers to that, and it cuts across a lot of issues. It’s our human psychology, and our nature is to prepare for that which we know we can respond to. I’ve done a lot of work with tabletop exercises and scenario planning, and this is a key tool that I agree with. But what you find often is that you put forward these scenarios where you know the end, which we know we can respond to. I come from the national security, homeland security space, so when you think about 9/11, we knew that Al Qaeda was seeking to attack us, but what we expected was for them to use similar tactics that they had before, which was to not attack us on our homeland, like the USS Cole or the embassy [in Kenya].

When you look at SolarWinds, CISA said we had put sensors on a network to prevent the tactics, techniques, and procedures that the adversary had used before. But our technology was not set up to detect novel tactics, techniques, and procedures. Again, going back to this idea of prevention, we have to do a better job of stretching and pushing our imagination to think about what are the scenarios that could take us down. So, to me, our greatest danger is not pushing our thinking to truly put ourselves in the adversary’s position to say, if I were looking to attack the United States, how would I do it? We’ve got to do a better job again in that prevention, preparedness, and the pre-event work with industry and government to harden our systems, and to push ourselves to prepare for what is, quite frankly, most scary.