Just a few days before turning off the lights, the Biden administration dropped a huge cybersecurity executive order including a lot of good stuff, that hopefully [cross your fingers, knock wood, spin around three times and spit] will last into future administrations. We snagged some time with Carole House, outgoing Special Advisor and Acting Senior Director for Cybersecurity and Critical Infrastructure Policy, National Security Council in the Biden-Harris White House, to give us a brain dump.
Links:
- https://www.federalregister.gov/d/2025-01470
- https://www.wired.com/story/biden-executive-order-cybersecurity-ai-and-more/
- https://archive.ph/tp4DO
- 2022 EO: https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf
- 2023 EO: https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security-1.pdf
- 2021 EO: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
- NIST SSDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
- https://www.federalregister.gov/documents/2015/04/02/2015-07788/blocking-the-property-of-certain-persons-engaging-in-significant-malicious-cyber-enabled-activities
- IEEPA: https://www.govinfo.gov/content/pkg/USCODE-2023-title50/pdf/USCODE-2023-title50-chap35-sec1701.pdf
This rough transcript has not been edited and may have errors.
Carole: You know what? Government needs to drink our own champagne. If we’re asking industry to do it, we’re going to do it too.
Deirdre: Hello, welcome to Security Cryptography Whatever. I’m Deirdre.
Thomas: I’m Thomas, here on behalf of my client, David Adrian.
Deirdre: And we have an incredibly wonderful special guest today. Carole House, Special Advisor and Acting Senior Director for Cybersecurity and Critical Infrastructure Policy of the National Security Council in the Biden-Harris administration. Hi, Carole, how are you?
Carole: I’m doing great. You know, our EO got issued today, so it’s been a busy day.
Deirdre: I can imagine it came out bright and early this morning and we’ve all been, it’s been, it’s big. So like the title of this order, this executive order from the President, is Strengthening and Promoting Innovation in the Nation’s Cybersecurity. And like there’ve been a couple of EOs from the Biden administration on cybersecurity, on post-quantum readiness. Post-quantum is the thing that I focus on a lot. But this is like the kitchen sink of cybersecurity orders. Can you tell us what’s in this and how this came to be?
Carole: Awesome. Thank you so much for the opportunity to chat about it too. Because it’s really our capstone is how we characterize it as really the culmination of the review of a lot of the major incidents that have occurred over the past few years. You know, the administration has really bookended both sides of the administration with major executive orders. And then there have been a lot of national security memoranda and other initiatives all throughout the entire admin. But this one really builds on the successes and lessons learned of what we’ve seen over the past four years to implement very specific protections and to mitigate specific vulnerabilities that we continue to see as a root cause. Across most of these incidents. You see a lot of focus there on like securing our communications and securing cloud environments and software security are a major element there.
Some other areas of lessons learned are that we need to be able to sanction more effectively so we fix our sanctions authorities and cyber enabled fraud. Absolutely. A huge problem that’s affecting Americans and costing us billions. So we need to do something about it. So we did. And it’s just. Yeah, I’m really excited about this as the culmination of all those efforts.
Deirdre: Yeah. And just as a top line, there’s a lot of exciting stuff in here and like I mentioned post-quantum, but embedded in the post-quantum stuff is literally the entire federal government has to transition to TLS 1.3. You got to do it and you got to do it in like five years or something like that. Yeah, even ignoring the post-quantumness of it, which, you know, we think is important, but also, yay, a modern TLS protocol. It’s been out for a couple of years now. That’s exciting.
Carole: Yeah. So we think that 2030 is, is doable for us. So. Yes, absolutely. Very excited. A lot of things that are in like BGP protections, like encrypted DNS, things that we really should have been doing for years and that now we’re directing it because we, you know, we’re driving some efforts like there was an FCC rulemaking related to, related to BGP protections and other things. So like for secure routing. So you know what? Government needs to drink our own champagne.
If we’re asking the industry to do it, we’re going to do it too. So there’s a lot in here that’s really taken from the best practices that we’re seeing in industry.
Deirdre: I love that. Encrypted DNS. That is DNS over encrypted channels, not DNSSEC. Right. Because we have our opinions on DNSSEC and how it can be annoying to deploy in practice.
Carole: Yes, I know. Yeah. Oh, sorry. Go ahead, Thomas. Yes, I have heard.
Thomas: I think we know a little bit about where the network controls in this EO came from, the source of expertise and the curation of those things, like some of the people involved there. Without getting too deep into the specifics of how you guys curated the network controls that you came up with, what was kind of broadly the deliberative process here? I think the obvious reaction a practitioner would have looking at the EO is that you guys came up with an everything bagel. Right. Literally every conceivable thing is here. So clearly there’s gotta be multiple stakeholders, multiple people driving this. You can actually see shifts in the way things are structured in different sections and things like that. So, yeah, what was the.
Thomas: How did you. How. How did you do this?
Carole: Yes, that’s fair. And I will. Just to give credit to the fact that we did edit, there were longer versions of this and there are more things that. I’m actually very sad. We’re not ultimately in it, but. But also like, this is a wonderful document and I think they made. They struck the right balance on like we all did. And by they, I mean like the president in the direction for us to pick the highest impact initiatives, make sure that we were striking the right balance of like high impact measures, things that the American people would understand that would really help them and that wouldn’t just help the government, but also drive positive benefits out for industry and try to try to minimize burden wherever we could and focus on centralized actions where we could there.
So you’re going to see a lot of CISA, GSA, NIST, a lot of the like powerhouse force multiplier players in the US Government became a major, certainly a source of collaboration with them, but also a major focus for where we wanted as many initiatives as possible to be on those agencies to try to help the CIOs and CISOs not just feel the weight of a lot of obligations, because as you intimated, there’s a lot of things that they have to do in here. But on the process. So I’m a special advisor at the National Security Council. I was leading this work and bringing together the interagency and driving coordination with the interagency and with the rest of the NSC team. So NSC Cyber, there’s a Cyber Directorate at the National Security Council, the National Security Council being the kind of penultimate policy body for the President on national security policy. So we were working with the interagency to bring together a really wide representation. We had CIOs from agencies, we had certainly all the policy shops from all the relevant agencies and we worked with them in development of this. So there was a huge amount of collaboration over many, many months, well over half a year on this.
So this really does represent the culmination of a lot of different ideas, collaboration from agencies on what do you want, what will have the best impact. So this reflects the thinking of the whole government and not just the thinking of one office in the NSC of the White House.
Deirdre: Yeah. Oh yeah. Some of the things that really jump out as like a practitioner is we mentioned TLS 1.3, but in here is multifactor, specifically phishing-resistant multifactor like YubiKeys, WebAuthn, or other ways to achieve phishing-resistant authentication at least in the federal government. And of course all of this stuff about like provisioning and procurement and requirements of a huge customer like the federal government, the US Government, means that hopefully that will help trickle out into more of our general products that like people who don’t have anything to do with the federal government also use. That’s huge because a lot of the attacks that like we just kind of mentioned in passing often are just like credential stuffing attacks. And like, you know, even if they have two factors, sometimes it’s, you know, a code or an SMS texted code and you just, you know, you just phish for it. And this really, really could help with that. So yay.
Carole: Yes, I know. I also love this and like phishing-resistant MFA was really emphasized in the zero trust strategies and architectures that we’ve worked with the interagency and with a lot of industry collaboration to put together. But we needed to tell industries like this is the North Star, we mean it. This is already a problem of being exploited and fraud is only increasing right now with the democratized access to really sophisticated AI and other capabilities that can more widely purport and push forward a lot of things like phishing attacks and stuff more successfully. It’s not a fair fight. What makes it a fair fight is using encryption and things that can’t be spoofed and competed against. So we need to use the best in class tech. That’s the only thing that will level the playing field against adversaries that are coming for Americans and their money.
And I love your point about why focusing on government only. And there’s certainly regulatory efforts that we have underway. We’ve been pushing some rules related to try to help healthcare information be better secured and we’ve done that for ports and other systems in the energy sector as well, and transportation sector. But just trying to leverage the power of the federal government procurement capability and like over $100 billion worth of procurement and cybersecurity spending that the federal government uses every single year, we are putting that to work to try to drive the market evolutions that we need in this space. We’re a customer, just like many others in industry are. The software that we use is typically software that a lot of other people are using as well as other services like cloud environments. So just like you said, we want to set a North Star of highlighting that these are the best practices that we’re seeing from industry. We need to adopt them.
Carole: But also we expect vendors that we purchase from, that we rely upon and Americans rely on us. So you need to be using these best in class capabilities.
Thomas: So that was my next question. Right. So if you read through the whole EO, there’s sort of three senses in which this could actually act on whoever’s doing better cybersecurity stuff. Right. So there’s the sense in which you’re instructing the agencies to adopt better practices, and there’s the sense in which you are instructing vendors to the agencies, people going through the GSA process, to enact better processes. And then there’s the sense in which you are instructing the market directly, whether or not it’s dealing directly with the government, that these are new expectations or practices. Like, do you have a sense of what the balance is between those three ways of looking at this? Like in terms of what you were going for with the EO, was it more getting agencies to modernize? Was it more getting vendors to raise the bar? Or was it more like the goal here is actually to raise the bar for the industry across the board?
Carole: Because my answer is a totally unsatisfying yes, all three, because yes, like, absolutely. Basically we definitely need federal agencies to pick up the pace. Right. And to heighten the bar. Problem is, most of our software is not government created. It is commercially created. So we definitely need those vendors to pick it up. But also we recognize that our, you know, certainly our purchasing power and our weight is often like much larger than a lot of other parts of industry.
Now, it depends on which vendors. There’s certainly plenty of vendors where the government isn’t a massive proportion of their market share, but there are some where we absolutely are. And either way, we have a lot more money than many other customers do to be able to put to work here. So we do view that the government part of the role, in my own personal view of where we’re supposed to insert ourselves, whether through regulation or other types of incentives, is where the free market has not fixed itself. And this is a great example of what’s happening. And so through incentives of saying, look, we’ll buy you if you are this tall in cybersecurity and encryption and PQC, et cetera, is a really important role that we need to embrace. Regulation is another incentive. I also call regulation.
A public private partner doesn’t love that joke very much, but it’s all of it. Like, I appreciate that. That’s not a terribly satisfying answer. It’s sort of me cheating, Tom.
Thomas: Sure. So there’s like nine broad sections in the EO. There’s more than that, but then like definitions and stuff. Right? But like you’re still in like the meat of the recommendations at section 9, right? Like some of them are kind of very clearly directed at modernizing the agencies directly. So for instance, there’s directives in here to get all of the agencies up on EDR software. So that’s like agent-based software to monitor endpoints for threats and then, you know, have a system for sharing the intel from those things. Right.
That’s, that’s really directed, it seems like that’s directed at agencies. Right. Or there’s communication Security which is like, you know, we’re going to do TLS 1.3. We’re going to do post quantum encryption. Right. That seems like it’s targeted at agencies. Right. But then early on like a lot of it is attestations from vendors.
Are there things in this EO that jump out at you as targeted at industry versus things that jump out to you as, you know, targeted at the agencies? Like which, which is which there.
Carole: Yeah, I’ll do my best since I do think that there’s like a mix of both, but it’s probably different weights and proportions. So I’ll try to navigate that. For software, it is very much at like, that is pointed at the vendors. Absolutely. And pointed at the market. So that is like we, we see where despite what we already put in place in the first cyber EO in 2021, right, where we required CEOs to self-attest, essentially the pinky promise saying yes, I use these secure software development practices. And that’s good.
That was a good evolution. It’s been, it’s been under implementation for the past like three and a half, four years now at this point. But we’re still seeing Russia and China absolutely exploit vulnerabilities and commercial software at the root of so many different attacks and supply chain attacks that are hurting industry and that are hurting government. And again, if it’s hurting industry, if it’s hurting government, it is hurting industry and it is hurting Americans because we are providing services back out to them. And either way we’re also using software that the other definitely also uses. So either way we need to fix this. We definitely need more security in the services that the federal government relies upon. We have really sensitive mission sets and that is first and foremost absolutely what must occur.
But we also really expect this and want this to drive the development of secure software. Like we certainly would not expect or look to CEOs to be only using secure software development practices for Gov only software and not using them at all for their other software. So we view it as both. But I mean if I had to pick one over the other, it’s more like vendors for government. The software section is, is absolutely pointed straight at the vendor community and then also rewarding the vendors that actually follow those practices. Right. Like the requirement of submission of artifacts to do that validation and then publishing those results back out to the marketplace where we want, I want other buyers of that software to know whether or not the government has assessed, validated one way or another that the artifacts have in fact Substantiated or not, the fact that that vendor is using secure software development practices. So that’s a good example for the software one.
Deirdre: And how does that touch on some of the open source that a lot of our software uses? Whether the actual final product that gets provisioned and deployed is closed source, it often uses open source dependencies or libraries, or you might be using an open source server to do your TLS. You can have open source all the way from the thing that you, quote, buy or provision. How do we fit those things together? Because if you’re going to be like, do you have to go to your OpenSSL and be like, fill out this form to attest that you have done secure development practices, or is that sort of like we can just go look for ourselves?
Carole: Yeah. So at least for us right now when it’s a vendor to the government, since normally those are commercial providers that will leverage open source software and other things. But I guess in that case the requirement still sits not on, you know, a like non-sentient library or whatever, you know, until one day the AI. Now that the coder. This is the future. Oh God, sorry. I work in blockchain cryptocurrency stuff too. So like now that smart contracts could actually be smart.
It’s a thing. We can have that conversation in a bit. So now that that’s a possibility. But let’s go back to practically what’s happening right now is that generally like yes.
It’s normally commercial vendor software that relies upon all these open source tools and capabilities. So we’re not asking for them to go back to every one of their vendors to also attest, but we expect them and whatever they’ve created to use secure software practices, and part of the SSDF, the Secure Software Development Framework, and like other, what those secure practices are, does mean having a general understanding of like what is it that you’re using and like what does give you some confidence that it’s secure. And we know that there’s lots of benefits with open source security obviously. So like that’s, it’s all part of a risk framework and risk-based implementation.
So but it’s something where we certainly expect them to know what it is that they’re using and maybe let’s say monitor for open vulnerabilities that are identified related to those because there are times where that is where those open vulnerabilities that are all public information not being mitigated and have been again at the, at the root cause of a lot of these incidents. So those kinds of practices would be the sorts of things that we’d be, that we would expect to see in those high level artifacts. This is part of that balance. Like we require artifacts, but not, we’re not into like pen tests and source code. We’re not doing that level of validation. It’s like policy and procedure docs and those sorts of things that help give, give confidence to some level of assurance. If we want an artifact other than a breach to be able to bring enforcement, then you have to do, then you have to get some kind of information up front.
Deirdre: Got it.
Thomas: It’s an interesting problem, right? Because like you can hear it just in the way you’re describing the motivations for the EO. How many times you’ve talked about supply chain attacks. For obvious reasons, it’s top of mind for everyone, right? But to me, supply chain attacks are almost a pure open source problem. Like the primary vector for supply chain attacks is repositories of open source code and custody of all that stuff. Right. And our listeners, if you haven’t seen the NIST SSDF standards, you can just go look them up, right? If you’ve done SOC 2 before for a company, there’s a very similar flavor except that the SSDF stuff is much deeper into the mechanics of how you’re doing secure software development. So for instance, it’s more prescriptive about how you would do assessments for vulnerabilities. It doesn’t get into pen testing, but it’s like you have automated tools set up to scan for vulnerabilities and how you’re managing that stuff.
Right? And I think the thing I’m driving towards here is no matter how important the open source project is, none of them will comply with SSDF. Like the state of the art right now in open source project management isn’t there. Right. Like some of these requirements are kind of benign on paper, but having had the pleasure of doing them commercially myself, it takes some resources to actually keep it up to date and all that. Right. So how would you respond to a very annoying message board nerd who, by the way, you’re talking to right now, who would say that they are concerned that this level of specificity for software security is going to deter people from using open source software because they’re not going to be able to keep up a record of all the stuff they’re doing as soon as they hit that point where they’ve pulled in a large Rust hyper for the HTTP ST dependency. Like that kind of like really core, big, sprawling dependency. Right. That they lose the ability now to keep track of anything they’re doing there because that’s an open source project.
Carole: Yeah, I guess like this is where first I’d point to that we do have a section on open source security in the EO. So yeah, I know I’m a good architect of EO with some other really brilliant people I know, including one who was on your podcast maybe half a year ago.
Deirdre: We love that, ekr.
Carole: Yes, I know, working on these issues. But so we do encourage like the, in the EO we’re really promoting the creation of like open source security communities inside of the federal government as well as like directing the creation of some guidance to agencies on how to participate in and like leverage open source securely as well as participate in the community, which is a complicated issue. But also like I think that some of this means that okay, if you want to rely on open source, and I’m a huge proponent of open source, I am, but I recognize that like these issues on being able to understand and like keep up and maintain those libraries, like that’s. If it’s not maintained then that’s, you know, a potential vulnerability, which again back to the risk-based approach. Need to understand how critically am I relying on this and how often is it being upkept and like what is that community? Because if the community isn’t like, doesn’t continue, then that’s something that like it’s a very real consideration that we need to have. Especially when so much, like, critical services are being relied on for them versus trying to create like a really cool go-to-market solution. Like we’re.
The services that we’re providing are often no fail mission sets. So it’s just something that we have to figure out. But we are committed to like to embracing promoting secure use of open source.
Thomas: Yeah, that’s great. So like just so I can make sure that my understanding of how this works is. So it seems like for this kind of like vendors building software security stuff, like the fulcrum of it seems to be that vendors will submit attestations to that service, the RSAA. Do I have that right?
Carole: Yeah.
Thomas: Right. And so like the basic deal there is going to be at some point if you want to, if you want like if you want to close a six figure GSA contract, they’re going to ask in that process, where’s your attestation, going to look it up in the RSAA. And then like today that’s like a PDF I literally fill out by hand. Right. And then the EO talks about like over the long term we’re going to modernize that. So like maybe we’ll get to the point where it’ll be like a build artifact. When I build my software, it’ll also post the thing off to the RSAA.
Carole: Exactly. We really want to try to drive like not just policy about tech, but also policy that embeds tech in it or like is tech readable and machine readable. Like that’s whether it’s the rules as code pilot that we’ll be doing later with federal policy that we’re looking forward to. But also this specifically, where we’re telling CISA to modernize guidance and the repository to be able to accept and ingest machine readable attestations as well as artifacts that come in. We do want to reduce inefficiencies and leverage that like the best in class tech and stuff and try to help modernize not just our like policy itself but approach to how we comply with policy by making it as machine readable as we can. So basically that is the future, again the North Star that’s set out for what CISA needs to be driving towards here is something that will minimize burden and also like improve assurance and some of this stuff, because there’s huge problems with PDFs and things that even from the world that I came from of anti money laundering regulation of financial institutions, the idea that law enforcement has to get records from structured data files in PDFs drives me absolutely mad. I cannot deal with this situation and it’s something I talk about at length with some of the nerds that I’m like, this is structured, this file was structured. Why am I getting this as a PDF? So anyway, it’s yes, that’s the hope in the future that we will drive towards.
Thomas: I guess. I love that. I guess I am actively in love with what you just said there. Right. I did read through that. I’m like, okay, so they’re just gonna, they’re building process, they’re going to modernize it. But I’m in the middle of this in my own municipality with open data stuff where like we get like you know, crime and police information and like, you know we get like these daily reports and they’re all exports of like spreadsheets in PDF files.
Carole: Yes.
Thomas: It’s like, just don’t do that extra step. Just give us the spreadsheet. I’m with you 100%. Okay. This is great. You should only do that. I don’t care about the rest of the EO, just that thing.
Carole: Recoding America. Yes, absolutely. I know. Um, it’s funny. Sorry, we’re just, I was just having a discussion about that book and we’re like, yes, if we could work that into some of our regulatory and law enforcement processes and other things. Like, because we’re, you’re right, we’re telling industry to inefficiently go through another step to then give us a thing that def, like deprives us of being able to do any of the steps effectively. And I’m like, this is just like, it’s just not working. That is not solved in the EO.
But it, it is at least hearkened to in the sense that we’re like, okay, if we’re going to ask for these forms of evidence in this for us to do, it’s not a regulatory process, it’s a procurement process. Right. But like it feels like a regulatory one a little bit when you’re submitting these documents for validation. So we’re like, okay, let’s make sure that this one is done in a way. So I’m also excited that we’re leaning into the machine readability piece and embracing tech and how we implement this. Not just cybersecurity controls, but how we do the policy.
Deirdre: And then of course there’s like sections in here, there’s like a National Security Systems section, but there’s others about inventory of everything that you have. And like, especially for me, in a post-quantum world, before you can migrate your cryptography, you have to figure out what cryptography you have. And that requires some sort of inventory and that requires some sort of format and ways to process it in a kind of, you know, formatted data way and not a PDF, another human readable PDF. Hopefully it’s a machine readable format as well. Specifically moving away from software development practices, there’s stuff in here about end to end encrypted communications inside the government and not just at the network layer, but like for email, voice and other encrypted communications. We have opinions about like whether email can be meaningfully securely encrypted, period. But we know that it’s like a thing that people use. Like it’s a full on thing and people need it.
Can you talk a little bit about like what you’re trying to get at there? And like we just saw an FBI directive because of Salt Typhoon in our communications companies and our telecom companies, saying hey, you should switch off, you know, voice calls, not VoIP but voice calling and SMS, to end to end encrypted communication because we don’t know if the networks are secure. And now this is sort of like the internal side of that. Well, not because there’s this Salt Typhoon inside the government, but just because, you know, end to end encrypted communications are good for almost everyone. Can you talk a little bit about that? And also almost not everything inside the government needs to be like completely you have to have records of everything, especially inside defense, but you do need to have a lot of records about internal government communication. So can you talk about how those things will intersect?
Carole: Yeah. So that’s where I think why you see as practical in. Because you’re right, some of the nuanced implementations are going to be tough based on. On so certain things like records requirements and ultimately this is where I’m just personally hoping that where certain solutions for encryption as they continue to modernize and implementation start to get better might be able to be some of our longer term fixes on this front for us to like to be able to do both. Well, but basically yes, like you’re right that the guidance that you saw related to Salt Typhoon which yeah like the salt typhoon incident is not accounted for here. Like it is accounted for here. Sorry for the double negative. It is, it’s absolutely one of the incidents that we’re taking lessons from and you’re right that even though this doesn’t mean that there’s a breach inside of the government, we recognize like okay, communication sector targeted here in the and targeted in other ways by PRC actors too.
Right. Like it’s one of the sectors that’s being hit in Volt Typhoon activity as well that we’re seeing targeted, and specifically for pre-positioning for disruptive effect in the potential wake of a conflict. So basically we see communications is a really attractive high value target. We need to make sure that we can communicate with each other securely. And the most common means of those communications really with a lot of information all in one place are places like email. Just tons of data there and then also collaboration tools. I know we didn’t get into phone stuff here.
You’re right, that’s for another day and issues, but basically these were the practical steps that after a lot of examination and discussion that we thought we could meaningfully take and put into effect to allow for, you know, at least transport layer encryption and at least trying to encrypt email to the greatest extent that we possibly can. You’re right. There’s going to be some real tough nuggets to nuts to crack. And I’m great at metaphors, so real tough nuts to crack. And I think I’ve actually joked about in my office because I’m so bad at metaphors, but I always mix them up, but they’re really tough nuts to crack.
Deirdre: That’s going to be interesting because you know, part of the whole, part of the whole value add and the risk mitigation of end to end encryption is you can’t just have some very handy logging service just auditing your things going back and forth over the wire in the middle. You have to have it on the end. So if you need to do disclosure or record keeping for very good public service reasons, it has to be on the end. So what does that mean? Do you have some kind of bot that’s an end? What does that mean? Is it really end to end? So you know, that’s, that’s a whole nother thing. It can be done. It just, you know, especially if you have a government device that’s issued to you by your agency and it’s like, cool, we’re going to log your communications on your device, but that has to be secure. So it’s this whole nice rabbit hole that the end to end encryption people, you know, are very aware of.
Carole: Yeah, and it’s, and it’s really tough when like, you know, people like, even if we solved it for, let’s say inside of one agency, then we got to get other agencies on this platform. If it’s not something that’s been like implemented or it’s interoperable with like many different vendor implementations, you have problems of like lock in and like all the, all those fun problems come up of only one solution being used or being seen as being preferred. And then of course there’s the fact that, that we deal, we call and talk to people outside of the government all the time, international partners, state, local, tribal, territorial industry. There’s a lot of like this is a tough issue. These are, these are the first, these are the first steps, the first practical steps that we saw that we could try to put into place. But ultimately this is a longer road of figuring out how to better ensure like encryption More broadly around all the comms. And you’re right. Not to mention that like places like the White House have totally and even, not even just the White House, different offices in the White House have different recordkeeping requirements. Like the NSC requirements are different from omb are different from like, it’s just. So. Yes, it’s definitely a complex issue. Saw a lot of CIO eyes get very big in thinking about like, how do we do this, guys?
Deirdre: Yeah, yeah, maybe we’ll have you back to talk about messaging layer security instead of email. And then we might talk about federation and. And we’ll leave that for another day. Anyway, there’s also stuff about post quantum cryptography in here, which is like the thing I work on the most in my day job. It’s really cool because NIST came out with the first three post quantum standards a couple of months ago.
Carole: Yeah, I think in August.
Deirdre: Yes. And so now everyone has been kind of keeping an eye on those for almost 10 years, I think since the beginning of their post quantum competition. And they finally landed and, and like all these birds flew, flew and they’re, you know, saying, I need this to be recommended. I need all these things from my standards. Because now this is a real FIPS standard. And if you need to be FIPS compliant, which practically, I think everything in the federal government or anything you procure to the federal government needs to be like FIPS compliant or you know, blessed in a certain way and then not even including national security systems. Now it’s a real boy and you can get PQ and you can be FIPS at the same time and oh boy. And so in this EO, it basically is a couple of four major directives around adopting PQ stuff.
And there were other executive orders about pushing for PQ adoption about like the 2035 timeline or something like that. But this is one we talked about the TLS 1.3 adoption, which is great because it is the only version of TLS or SSL that allows PQ. So that’s great. But also one of the big things is directing CISA to keep a list of product categories and specific products of like, what is PQ ready? And you can just like go look at your list for your product category of, you know, a VPN for, you know, firmware, signing or whatever the thing is you might need. And you can go there and be like, get, get a handy dandy list of stuff that is rubber stamped and approved and you can just start using that. One thing that’s interesting about that is that widely available was the key language in that section. And I have a little bit of questions about what does widely available mean per product category. And I might ask you questions because another important line was prioritizing key establishment above other capabilities, which we cryptographers generally agree on.
Deirdre: That is the most pressing risk of our encrypted systems, again against a theoretical quantum attacker. Because the stuff that you are encrypting right now under a key you determine with key establishment is vulnerable because you can just record it all, save it for the day when you have your nice big quantum computer come online and then you can pick through your treasure trove of encrypted data and theoretically decrypt it. So what is widely available? And for me looking at this, this seems to be like, like this, this seems to be where a lot of people are going to be paying a lot of attention because this is going to be like the laundry list of products and services for the US government. So is there any, is there any tension, one, widely available and two, any tension about like how much attention is going to be on this list of products and services?
Carole: Yeah, we do anticipate that there’ll be some of that and that’s since there’s time because the market is not currently flooded with a bunch of PQC capable products. It’s just something that, that CISA is prepared to be like working on and figuring out how to best implement in a way that allows them to monitor the market sufficiently enough and then get the list updated in a way that is pointing agencies to the fact that like hey, the market has spoken, these capabilities exist. Like we, we need to use it. So first I’d say that widely available. I was very happy that no lawyers made us define the term widely available. So now I am positive that in like at the, at the EO level. So part of this policy document, document like it’s representative of a document from the President, presidential voice at that level, representing the kind of directive that we want the, the, the outcome oriented objective to be for the whole U.S. government.
Carole: But ultimately a lot of this really comes down to the nitty gritty in actual implementation. And that’s what’s going to happen here. So what I expect that a place like CISA, I will not be around since I’m outgoing with this administration. But what CISA will probably be looking to is like, oh, okay, are there tools that have been created that are not just prototypes, whatever. Like these are actual things in production that are being available. How like, like, you know, how big is that company, how many products is that? Like how many products? Like I again this will be a bit up to their, to their determination and implementation. But I don’t know if like just one product is made available generally across the market in like large enough numbers that it can be that it can serve all of the, the federal government requirements in that space is basically what you’d need. So that and, or that multiple market providers and capabilities have now arisen.
I think that those are going to have to be the considerations that get put into effect there. Since for those of you that haven’t read or memorized that section yet, I’m sure you’re working on it. But basically that, with that, with this list, the idea is that any federal agency solicitations past that point of certain product category having these PQC capable tools and solutions that are listed there, they for any of those future solicitations must demand that the products be PQC capable. Like great once the market. So we’re not being, we’re not trying to front run the market in the sense that like demand something from agencies that is unable to be met, but we are trying to help create and foster there being a marketplace by saying like okay, like there is an advantage to starting to integrate these solutions and tools and capabilities because like ultimately once these things start to be available to be made available by your competitors in a widely available enough way, then agencies will only be able to use those tools because we need to make sure that we’re not buying things that are going to last and be in our systems for another 10, 15 years or whatever that are going to put us at risk for a bunch of sensitive information being, being able to be decrypted or being able to be compromised.
Deirdre: Yeah. And what I found one nice thing in that section is that it kind of has this like little, little carve out of basically like you don’t have to wait on this CISA list either. Like if you have a product and it provide and it becomes available that you’ve already provisioned and it comes available with PQ capability as like an upgrade, you can just go directly there, just apply the upgrade and it’ll, you’re ready to go. So like if you are, if you’re already in like a pretty good place and you can get that automatically from your vendor, you don’t have to go buy a new thing and provision a new thing like go directly, you know, go directly to go, you know, collect $200 or whatever. That’s great. That’s great. It just makes it’s one less thing. And so that’s awesome to see.
One other thing that I only realized that like the like last second is basically like there’s for the Federal, for the US government, there’s agency stuff, which is usually FIPS, and then there’s National Security Systems, which is DoD, NSA and other things like that. And it has this whole other much more restrictive thing is called the CNSA Suite. And this is CNSA 2.0 for the PQ stuff. And it does say they have. They’re also on like a, you know, they’re under directive of this EO, but it’s kind of at the bottom of like, yes, you. The DoD has to go figure out its own version of doing this EO. It’s not like to the letter. Under the order of this EO, you’re sort of like, you have to go figure out the thing that is appropriate for national security systems that is like, compliant with the spirit of this executive order that applies to the agencies.
Deirdre: Am I reading that right?
Carole: Yes. Although I will say that, like, we have been working hand in hand with, with the National Manager on, on those things and stuff. So like there’s basically just notes that we’re not just throwing them out there with no collaboration and guidance. So we were absolutely working with them on what this new National Security Memorandum to be and what the CNSS guidance needed to be for. For like there were. That’s hearkened to in a couple of different sections. And so like all those are things that will occur and need to occur and are coming up. So yes, that’s basically what’s happening is this happened with the first cyber EO and with the AI EO too, where there was a first piece that didn’t cover the national security systems and some of the more sensitive national security applications.
And then the NSM came out that really covered. Covered those things. So requirements for the IC DoD system kind of stuff that and other sensitive systems, like classified systems and stuff that are national security systems for agencies.
Deirdre: Okay, cool. And one last thing. On PQ, within 90 days of this order, NIST and the Under Secretary for International Trade, which I’m less familiar with, shall identify and engage foreign governments and industry groups in key countries to encourage their transition to PQ outcomes algorithms standardized by NIST. That’s interesting to me because I know a lot of standards bodies that are independent of states or countries and bodies that are doing cyber or things like that for Western allies are already paying attention to these NIST standards and they’re saying, yes, we like that one, and we recommend it to our users or whatever. Not exclusively, but they’ll say, yes, we like FIPS 203, and we like this other one. Both of them. We recommend to our people that we serve. This is interesting because it’s now transitioning this duty to go and advocate for adoption of these standards.
And I want to see how people react to that kind of overt advocacy, because they’re already, like, not everybody, but there’s a lot of people who are like, yes, look, that’s good. Like, that’s good enough for the US Government, it’s good enough for me. But if there are US Government people going out and saying, hey, come take our stuff. That’s different than it just kind of being sitting there and then like, being like, it’s good enough for us, it’s good enough for the NSA. Like, we’re fully trusting it. No, no exceptions, then going out and saying, please, please use our stuff.
Thomas: It’s also, if it’s. If it’s NIST, right? Like, you know, in the public consciousness, people think of NIST as a really huge organization. And then, like, people who do a lot of cryptography that, like, the conventional wisdom is that there’s, like, three people in a closet doing this at NIST. Like, does NIST have the capacity to advocate internationally?
Deirdre: That’s a good point.
Carole: So NIST doesn’t tend to, like. Like to operate in a. Like, well, they, like, never operate in a vacuum, really. So just all their processes are really collaborative. But ultimately, they do participate in a lot of international standards bodies, right? And they go there and they represent USG and, like, so that, like, there’s some advocacy there. I recognize that it’s not there. Like, wait, maybe they’re not there standing with, like, an American flag and, like, next. And in one hand, in the other hand, the technical standard that they’re saying and like, but.
But instead, like, being there and making sure that pushing for, like, for standards that we know meet the level of security that we need out there and that need to be adopted across and integrated and accounted for as other standards bodies are looking at what needs to be. To be integrated, that is something that NIST kind of already does. It’s just in a, like, less boisterous manner than what I was characterizing it as. So I do think that some of it’s more just characterized a bit as stuff that NIST already does, but then also things that, like, we’re NIST partners with other. With other entities in USG, like State and stuff. To be a part of some of that advocacy. I’m sure like at the root cause of some of this is some concerns not just about that we have less time than we realize for PQC, we think, or that we’re worried we have even less time than we realize because it’s just like a decade isn’t very long for massive IT modernizations across really like entrenched sectors that we’ve seen take a very long time to modernize their tech. So there’s that issue, but then also the fact that like we’ve, we’ve had issues of standards bodies that we feel are being leveraged for like purposes that we think are counter to like the, to security and other purposes that we want to.
Carole: So we want things that we like, we trust these standards, we want these incredible standards that were developed with great collaboration with industry and the best experts in the world to be advocated for in the right for us. So I think that all those are really at the heart of why that’s listed. But for the most part I think this is, it was more meant to be characterized as like business as usual for NIST and its participation in standards bodies. So. But I take to heart the way, like the way that it’s perceived in the way that it’s worded. So I appreciate that.
Deirdre: Yeah, no problem. Okay, cool. Thank you.
Thomas: Silly. Some other hits here. Right, so, so one thing, I brought this up earlier, but one thing that jumped out to me was the EDR stuff, right? So like my immediate thought reading the, you know, all of the agencies will adopt EDR stuff is just the money hats that are being printed at the EDR vendors. Do you have a sense of where the agencies were with EDR adoption before this? Like what do you think the delta is going to be there? Is this like a momentous change or is this really just a, you know, getting current practice down on paper kind of thing?
Carole: So it’s really pushing. There was an initial direct directive for implementing EDR from the first Cyber EO. And honestly we’ve, we’ve made a huge amount of progress there. So most of this is just getting it over the finish line and then specifically pushing the access to PAC, the Persistent Access Capability Program where CISA then now that agencies have like, you know, have been implementing these EDR tools, which is really great, right? Like we need to know what’s on our network and be able to have this capacity for monitoring, et cetera. We now need CISA to be able to conduct their threat hunting activity across the, across the Federal civilian enterprise to be able to look for where we have these APT and sophisticated threat actor campaigns that are targeting federal agencies across the whole federal enterprise. So basically this, that the EDR section, besides just like finishing up the final, the final round of like getting that implementation from the first EO because the first EO wasn’t as directive and explicit, this one just sort of codifies like that in a little bit stronger language. But then also really is to build the foundation for. And this is why PAC, why PAC needs to be implemented.
And then we’ve got some very specific instructions on implementation there to make sure that the most sensitive forms of data don’t ever get compromised and other things and to make sure that the right kind of like spread.
Thomas: Yeah, okay. All right, so another highlight of this. So fraud and account takeover. So there’s a whole section here. The thing that jumps out to me in the fraud section there is like advocacy for states with like online driver’s licenses or things like that, that like some kind of secure digital identity, a shift towards digital identity. How, how optimistic are you about that section of things? When we talk about like fraud and we talk about like how this EO is going to like combat like online fraud and things like that, like there’s a sense in which it’s like there’s a lot of benefits fraud that you guys have like are directly implicated in. Right. And there’s like banking fraud which you guys are not directly implicated in.
Like what’s the vision for how you’re going at that? It’s a super interesting section of the whole year.
Carole: It sure is. And honestly this is, this is initial steps and initial building blocks that help to address the cyber-enabled fraud issue. Ultimately I, I hope that one day there is a like whole of government bigger picture strategic approach on how to fix the whole digital identity issue and then also the fraud issue. This is again lessons learned from some of the like the, the highest impact, lowest cost and burden and like nearest term actions that we can take. And ultimately identity is a really. I know that I’m setting the backdrop for this more before I get into the specifics, but basically I feel like the backdrop is important to answering your question about how we’re getting at this. Identity is a really tough issue. Everybody hates fraud, nobody likes getting robbed.
Fraud is nuanced. The kind of fraud like you were mentioning that like this doesn’t get at every different kind of fraud necessarily. The fixing for business email compromise fraud are different from synthetic identity fraud, different from account takeovers, different from deepfakes some of the deepfakes can potentially be used and all those other ones. But like, it’s basically the nuance of it, the political lightning rodness that comes from just the term digital identity. We were very calibrated and pointed here to try to make it again very concrete. Specific measures that we feel are nonpartisan and should get a lot of broad support, support that, that do not try to create a federal identity. Like let me reinforce not creating a federal identity. We are reinforcing the exact same relationship that the federal government like and that states have with Americans by pointing to things like mobile driver’s licenses.
We’re not proposing for that to come to the federal level at all. So basically note that we’re reinforcing that, but in the same way that a lot of the other sections point to changes that we make related to getting access to federal benefits for programs we think driving a marketplace and sending a signal to, like you said, the states and to industry about what is acceptable, about what can and should be used in certain ways, like in here we’re encouraging acceptance. So not exclusive or primary use of digital identity documents. Optionality has to exist in some cases. Digital identities are more inclusive in other ways. They may not be to a blind person or something like I just, there’s like, did they solve some problems, create other new ones? That’s why it’s got to be part of a suite of options. But they should be accepted. We do need the infrastructure to be evolved to be able to accept digital identities, including things like MDLs, as long as they ex, as long as they are interoperable with international standards and, and reflect different principles like privacy preservation and data minimization.
So we’re trying to be very targeted and clear that like this is not about state surveillance, this is not about the federal government trying to own your identity at all. We’re trying to make sure that, that the right architecture is put in place to allow you to establish greater trust in cyberspace and more securely conduct transactions on either side of the Internet. So basically that’s what’s there. So with federal benefits programs, GAO published a study at the beginning of last year that the federal government loses between, I think it was 250 and $512 billion a year to fraud, that’s half a trillion. That’s a huge number. That’s a huge number number. So I don’t mind like if we’re going to start somewhere, I don’t mind starting with federal benefits programs. That’s a very big number.
This is a problem But I do think that the signal that we’re sending to states and others about what it should take to accept these digital identity documents, how we should be building them, that’s great because you know, driver’s licenses are accepted in tons of different use cases. So again, we’re creating a marketplace for IT attribute validation services. We were encouraging in a privacy preserving way to be. So that goes beyond benefit stuff that can to be an overall benefit for the ecosystem.
Thomas: I feel like I touched a nerve
Carole: I was so sorry.
Thomas: I wasn’t worried about like, I wasn’t worried about the federal ID thing. I just want to get rid of my driver’s license card out of my mind.
Carole: Well, sorry, that was great. You know, you’re right. I was, I was assuming a certain feeling. Sorry. Normally when I talk to cryptography folks and like, or very pro-privacy as like, you know, they make sense. But so the issue of identity is just a really, it’s a really interesting one. So you’re right, it’s a nerve. It’s a, it’s also just part of the like beating heart of this issue and why it’s a really tough one to tackle these stuff we could do.
Deirdre: Speaking of the next administration. Hold on one second.
Thomas: Before we get there, I got one thing. I really want to hit this one right. Because it’s, I don’t know, so Section 9 and the Annex of people that you’re going after. So there’s a section at the end of this which is like, you know, people deemed basically, I don’t know, orchestrators of cybercrime. It looks like. Yeah, looks like there’s a named list of people.
Carole: So this is the weirdness of IEEPA and the way this, sorry, IEEPA is the International Emergency Economic Powers Act, which is the statute from which you get sanctions authorities basically when you change those, those laws, sorry, those EOs, the cleanest way to fix them. Especially when it’s not just fixing like one clear place, like we don’t like doing it. Like when you change law and you have all this like totally incomprehensible like, oh, I’ll change this word to say this and this word to change to say this. That would have been really tough with this. If you look at the delta between what this version looks like and the old one did. So we just rewrote the whole thing. The annex is actually referring back to the original annex from the first EO. There’s not a new annex to this one.
It’s just like, it’s so. Because basically if we removed that annex, we would be removing those sanctions designations from the first time and we are not interested in doing that. Those guys are still problems. So it’s still that old annex. So there’s not new sanctions released with this EO right now. So that’s what that’s referring to. But the expansion here is really making sure that we can, we can cover a variety of other types of activities. We point to ransomware activities.
We make sure that activity that’s captured as part of this is not just about cyber enabled activity. Like if you think about ransomware as a service and you have like specialization like HR recruiters, negotiators, financial facilitators and money launderers, like guys beyond those creating the exploit kits and doing the recon and actually deploying them all where on network. Like with the way that we had framed some of the wording before we were like, we were concerned that like that we needed to make sure that we had the flexibility to cover those who may not be directly cyber actors, but are absolutely part of that despicable ecosystem. We also expanded to make sure that we included that the targeting of allied or partner networks, if they present a threat to US national security and economic security still has to present a threat to us. But if the, if the targeting of others’ networks present a threat to us because we have, I don’t know like this is me making right now, but like military servicemen and women reliant on, you know, on the infrastructure of some other service or nature. Like we needed that to be able to be captured here as part of the authorities for the Secretary of the Treasury to be able to designate.
Deirdre: I had to go find a good link for IEEPA, but. All right, this is a big kettle of fish. There’s some real cool stuff in here. You’re leaving, you’re all leaving. So like yeah, like how, how confident can we be that this is going to have legs and it’s going to be actually try to, you know, give it, give it a good shake of actually enacting this into all the agencies with the next administration and future administrations who can, yeah this do their own executive orders.
Thomas: This EO really should have ended with the words 1, 2, 3, not it.
Carole: Yeah. So I’ll say first off that EOs take a long time to create. But I truly though the benefit of cyber as a domain space is that generally on most aspects of cyber, I think that we’ve really benefited from a huge amount of bipartisan partnership, whether it’s in legislation, like the creation of CISA, the Cybersecurity and Infrastructure Security Agency, or the Office of the National Cyber Director or the critical infrastructure reporting of cyber incidents, like all of these things have all the bipartisan legislation, people are targeted on both sides of the aisle. Cyber is not an issue. You know, the world isn’t getting less digitized either way. Neither, neither side of the aisle is saying, you know, what’s terrible is cyber. So understanding that we do see these issues as rising above partisan politics and being something that honestly, the exigency of the threats like these major incidents and these, these are driven from the concerns that we’ve seen, we’ve identified them, we’re trying to provide some momentum and set the next, the next crew up in the best footing to be able to focus on the things that they want to be able to focus on, to be able to keep track of the threat as it’s now currently evolving. These are the lessons learned from the recent incidents.
But as some of the folks at the NSC like to say, the adversary sets the pace and they are evolving and using a lot of emerging technology to do so. So ultimately, like we, we feel that we’ve set them up there. Even the direction of the NSM, which we have underway and are handing over like this is, this is all, you know, being part of the, of the transition over to the next crew. And ultimately we feel that this is, it’s more like a baton than it is something that’s partisan and, and not something that can include really good collaboration with the team. So I’m hopeful, I’m hopeful that it’s something that will absolutely continue.
Deirdre: Absolutely. I hope you’re right. Carole House, outgoing senior person at the NSC on cybersecurity. Thank you for joining us. Congratulations on this huge achievement. Thank you so much. Thomas, you got anything else?
Thomas: No, congratulations.
Carole: Thank you so much.
Thomas: No, really appreciate you being on this.
Deirdre: This is fantastic.
Security Cryptography Whatever is a side project from Deirdre Connolly, Thomas Ptacek and David Adrian. Our editor is Netty Smith. You can find the podcast online @scwpod and the hosts online at @durumcrustulum, @tqbf, and @davidcadrian. You can buy merchandise at https://merch.securitycryptographywhatever.com. If you like the pod, give us a five star review wherever you rate your favorite podcasts. Thank you for listening!