Vancord CyberSound

065 - White House Announces Important Cybersecurity Measures

November 22, 2022 Vancord Season 1 Episode 65
Vancord CyberSound
065 - White House Announces Important Cybersecurity Measures
Show Notes Transcript

On October 11, 2022, the Biden-Harris Administration released a Fact Sheet revealing the increased efforts of the White House to improve the Nation’s cyber defenses. But how exactly are they promising to lead Americans toward a more cyber-safe future?

Today, Jason, Steve, and Matt divulge a few key ideas that may benefit our listeners, such as developing a new label, building up the cyber workforce, and security relative to quantum computing. Read the official document here.

00:01

This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl, Steven Maresca and Matt Fusaro.


Jason Pufahl  00:14

Welcome to CyberSound. I'm your host, Jason Pufahl, joined today by Matt Fusaro, Steve Maresca. Hey guys. 


Steven Maresca  00:20

Hey. 


Jason Pufahl  00:22

No "Hey" from Matt. 


Matt Fusaro  00:23

No, I'm reading.


Jason Pufahl  00:24

Oh, no hey at all.


Matt Fusaro  00:25

Yeah, sometimes I get too engrossed in this.


Jason Pufahl  00:28

That doesn't bode well, for this episode. Well, maybe it's because of the exciting topic today, right, I don't know, October 11th, the White House put out a, they'll release, about a fact sheet where to digest, where the current administration delivers on strengthening America's cybersecurity. I didn't count all the bold things 1,2,3, there's, you know, 10 or 12, sort of high-level bolded elements in here, I think we'll talk about, you know, three or four of them in general. But, you know, the sheet is intended to describe all the things that are occurring relative to cybersecurity during the administration of both Biden and Harris, so I think the first one we wanted to chat about was the bullet that says that they're ensuring new infrastructure is smart, and secure. And I think, so I'm gonna call Matt out, I think on this, one he didn't say hello, so I feel like he deserves to answer, rignt, but you had a couple of thoughts here, and I thought, maybe kick it off there.


Matt Fusaro  01:40

So I don't like how they're pairing the title of this particular thing that they're trying to do, ensuring new infrastructure is smart and secure. And then they're mostly talking about providing high speed internet to places, which I'm not sure that that really helps infrastructure be secure? Sure, I think it's something that probably should be done, especially in underserved areas. But then they go on to say that they're providing a billion dollars in funding over four years, which is not very much if you think about it from a large scale, right? You're talking about state, local and territorial. So this isn't just the contiguous states, you know, we're talking about a lot. A billion dollars isn't gonna get you much over four years, if we're talking about infrastructure, no way, and I'm not sure that all new infrastructure needs to be so smart.


Jason Pufahl  02:33

But it's the word smart that bothers me the most because nowadays, everything has to be smart. I think our emphasis should be on secure, and I think actually, they have a couple of ideas further down this list that are nice to hear about that. But yeah, the smart part, I don't know.


Matt Fusaro  02:48

Yeah, I mean, infrastructure lately, their danger problems aren't so much cyber, they're more being susceptible to elements.


Steven Maresca  02:58

So let's step away from the broadband internet kind of component of this, the State and Local Cybersecurity Grant Program that's being discussed here, really is a pretty open-ended funding pool is my understanding. Entities can apply, they have like 60 days to do so. Yeah, there's not a lot of money available for this fiscal year. But it's to fund, you know, existing or to be defined cybersecurity programs. It seems pretty, you know, generic about that, assessments, as well as corrections of things that are long standing like critical infrastructure-oriented, SCADA devices, you know, connected valves, things of that sort that they have need to replace. I think that's part of the underpinning here, not so much, you know, being too pigeonholed, right?


Jason Pufahl  03:51

The, I mean, personally, I'd like to see if they were more prescriptive about the things that people had to use the money for. But I think just generally saying cybersecurity improvements is so generalized. And I don't know that people always make the best decisions about what those improvements should be. I'd love for them to be more specific about implementing MFA or implementing things that we know to make sort of a substantive difference, especially for your organization that may not have a robust program. Alright, moving on down the list. I think we wanted to chat a little bit here about, which one here, developing the new label to help Americans know their devices are secure.


Steven Maresca  04:43

I'm actually really pleased to see this one.  So for some context here, easily six years ago, one of the programs to come out of, you know, a well-known individual in the cybersecurity research space, involves something kind of like Underwriters Laboratories for connected devices, for electronic devices, with the intent being that there's some sort of label developed to indicate the relative rigor put behind those devices development and whether they're secure. It never really panned out, it was a research effort, lots of good data collected basically to, again, justify it's the fact that it's a reasonable thing to do. But it petered out. If this is a reawakening of that same sort of effort, I am completely supportive of it. Specifically, they're talking about devices like internet connected cameras, and other IoT devices, home routers, yeah, the types of devices that are, you know, likely to fall over and do so with regularity. So if we're starting there, I think that's a great place.


Jason Pufahl  05:45

I know you are.  Well, and I'm particularly interested and think, the routers are nice, I think that'd be a great spot. But I agree with you, it's those devices where you have no visibility or ability to upgrade or manage or monitor them anyway, your smart cameras, like, I have one now that literally plugs into like a light socket, and you can run it out of a normal lamp post and it's a complete black box made by kind of some, you know, third rate manufacturer. I have no confidence at all in this, it would be great to have a label on that, I think, and I think people get a lot of value out of that.


Steven Maresca  06:26

Right.


Matt Fusaro  06:27

It'll be interesting to see how they actually develop this, the testing standards and the body that actually has to certify these things and apply the label it. That's not a small amount of work,


Jason Pufahl  06:38

And the development of the standards that you have to adhere to, right?


Matt Fusaro  06:41

Yeah, and you know, this isn't, this isn't something that's going to be a one time and done, it'll probably have to be reevaluated every time there's a small change to that product firmware upgrade.


Jason Pufahl  06:53

Right.


Steven Maresca  06:54

The biggest challenge with the earlier effort that I mentioned, which is called the Cyber itl, cyber-itl.org, if anybody wants to go check that out, basically, was that there's a lot of proprietary code, you can't assess how secure it is, if the vendor is not willing to give you a window into it. Similarly, you know, there's a lot of open source code, you know, things are built cheaply, things are built to a price point. Therefore, vulnerabilities tend to propagate simply to keep the cost low. And you know that's a hurdle, manufacturers may not want recognition that there's a deficiency because they're trying to keep the cost where they are.


Matt Fusaro  07:31

So I wonder if it's going to end up a lot like kinda the health department, right? You know, you get A, B, C, D, F for, you know, you're not necessarily sharing the secret sauce recipe, right? But they're gonna come and say make sure you're not making perpetual stew in the back.


Steven Maresca  07:49

I'd support that. I mean, it is a cyclical sort of thing, just like a health certificate. I mean, it makes sense. Products change over time.


Jason Pufahl  07:55

Well, then, you know, as much as we took umbrage with the language, like of smart in the preceding bullet, the reality is, that is the push for every manufacturer, right? It's the smart cameras, the smart refrigerators, etc, having some designation, right, some set of standards and sub designations to give people confidence. It's just one more element in the buying process, right, it's, there's a lot of value that comes out of it.


Steven Maresca  08:20

Using your, what was it, a light bulb, connected light bulb example, if if all that comes out of this truly is a labeling standard that says, this device connects to the internet, it only connects to this location, and any other traffic is unexpected, or, you know, something like that, I'd be pretty satisfied, candidly, 


Jason Pufahl  08:39

It'd be a great start.


Steven Maresca  08:40

Right, because at the moment, you have no real awareness of what they do in any capacity, and you just have to take as normal whatever they do. That's not reasonable in my opinion.


Jason Pufahl  08:53

So, trust, but you can't verify, right?


Steven Maresca  08:56

Right.


Matt Fusaro  08:57

Yeah, I mean, I think that this would be a successful endeavor, if at the end of it, it keeps the riffraff out, you know, not just anybody can come out with a device and slap a label on it. So there has to be some. there's a vetting process, and some recourse when you don't adhere to the stance, if you put a label on something, and then you program it to do exactly the opposite of what's on the label, there needs to be some recourse.


Steven Maresca  09:20

Here's what I expect. I mean, if we're talking about similar schemes, where you have to have your FCC ID for some sort of radiofrequency device, where you need to have your UL Certificate or equivalent for something that is life safety or, you know, electronic connected to the grid. You can buy stuff that doesn't have that. It's just that it has implications like for homeowners insurance, I'd expect that the backdoor path toward this becoming standardized is in fact that type of origin. Ultimately, net improvement is what I'm after. If it's a small incremental step, that's great. 


Jason Pufahl  10:01

So, little further down, building the nation's cyber workforce and strengthening cyber education, which is great to hear in the sense that we've chatted on previous podcasts about the challenge of finding good, you sort of trained or capable folks to work in the security industry. And there's a variety of stressors that maybe doesn't make this the most appealing position for a lot of people. But it's nice to see some some thought there.


Steven Maresca  10:32

There's power parallels here. And sort of a, the underpinning for this particular item in cybersecurity is actually the apprenticeship program for manufacturing. Long, long imprint in place for many industries. That's kind of what they're doing here. They're just introducing cyber and cyber adjacent disciplines to the set of apprenticeships, that the government incentivizes. Apprenticeship.gov, or something to that effect is where a lot of this information is housed. You know, there's a lot of good information there, for example, states that have tax credits for facilitating apprenticeships, that type of thing. It's just a way of encouraging growth in a field that, frankly, doesn't have enough staff to support it.


Matt Fusaro  11:18

Yeah, I think that this is a good thing coming out of coming out of the federal government for the state, a recognition that there's a there's a problem, and it does present an issue national, like for national security and stability. So I think it is nice to have this addressed. Well, there's, I wish that I wish they would do a little bit more advertisement around it, though. 


Steven Maresca  11:37

I agree. 


Matt Fusaro  11:38

We didn't know about it until recently, and we're pretty plugged into this stuff. This is something that would probably benefit us, right?


Steven Maresca  11:44

I'm keen on the apprenticeship aspect of it, because it removes the HR, thou shall not pass barrier of a bachelor's degree and x degrees of experience, which tends to be inhibiting applicants. That's a net win, because it's not the binary that tends to be represented. A lot of job descriptions say or equivalent experience, that's great, but this helps to quantify experience, it helps to get the experience.


Jason Pufahl  12:16

The, kind of continuing down then, and I think it's toward the tail end of this document. There's really two, I guess, two bullets, that are talking about security relative to quantum computing, right. So developing quantum resistant encryption. And then, you know, their technical edge through quantum initiative, which is kind of interesting, right? Because I think for a lot of people, quantum computing probably isn't top of mind. You know, maybe for a lot of companies not top of risk, right?


Steven Maresca  12:56

It's certainly in the news a lot lately, for example, Europe, the European Space Agency plans to launch what they call a Quantum Encryption Satellite sometime in 2024, or something of that nature. I'm going to use that as sort of a way of pointing out how much people need to pay attention to this. The ESA is the European Space Agency, we're talking about quantum stuff, which today remains very much in the realm of nation states. And, you know, keeping spies safe. The average bear does have access to some quantum technology, randomness generators, if you're in the electronic gambling industry, or anything adjacent to it, where you really want strong encryption, you can do that. For the most part, though, quantum oriented stuff, when you hear in the news, it's not the domain of businesses yet.


Matt Fusaro  13:49

Yeah, and as far as making sure that we're future resistant to encryption. Basically, what it's saying is that quantum computing can has the ability or theoretically has the ability to break encryption as we use it today. And we don't want things that have been encrypted to be broken by those systems, you know, a year from now, three years from now, they they might be stealing very sensitive data. And unless it's re-encrypted with new algorithms, it's susceptible to these computers being able to break that.


Steven Maresca  14:22

That horizon, though, still doesn't feel too near.


Matt Fusaro  14:27

Yeah, it's true. And at least, there's probably systems out there that can do it right now. It's just you don't have access to them. Yeah, it's not not readily available to anybody.


Jason Pufahl  14:38

Any other items in here that either of you felt you wanted to go through? I know, those are the your initial high bar topics that we wanted to cover.


Matt Fusaro  14:46

I mean, in general, it's nice to see a continued effort to push these things through, provide funding for it, provide some frameworks for things. So that's nice to see, you know, regardless of how you feel politically about the administration, I think they're over the past I'd say 10 years now, the federal government's done a pretty decent job of putting cybersecurity near the forefront of what they're thinking about.


Steven Maresca  15:10

Right, anything to keep it top of mind. I'm happy.


Jason Pufahl  15:14

Right, and it's evidence, one of the bullets in here was, really working with partners to deliver sort of more secure cyberspace. I don't love that last word, maybe. But really, right, it's something that's been going on for a long time, which is, you know, the big players in the security industry, kind of working more closely with the government or vice versa. You know, they're obviously positioned to continue to do that.


Steven Maresca  15:36

The government has a unique window and unique perspective, that businesses because of their deliberate competition, it's a different dynamic. Anytime a government is pushing forward, cybersecurity initiatives, I think it brings everybody up to a better level, ultimately.


Jason Pufahl  15:52

Yep, and that's what this is all about. So I think that's fair. So as always, right, certainly, we say you go take a look at the at the sheet that was released on October 11th. It's worth a quick read, it's worth understanding, you know what's in there. Certainly, I think, generally positive, generally directionally aligned, certainly with where we think you should be. We hope you got some value out of today. Hopefully you go back and take a look at this and we appreciate everybodies listening.


16:22

We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.