Keith Lowry has more than 25 years of experience implementing, managing, and directing insider threat, counterintelligence, and intelligence collection...
Sharon D. Nelson is president of the digital forensics, information technology, and information security firm Sensei Enterprises. In addition...
John W. Simek is vice president of the digital forensics and security firm Sensei Enterprises. He is a nationally...
With the rise of legal technology came a heightened awareness amongst lawyers and law firms of the importance of cyber security to ensure that one’s own, and the clients’, assets are protected. In this episode of Digital Detectives, hosts Sharon Nelson and John Simek sit down with former law enforcement officer and High-Technology Crime Unit detective Keith Lowry to discuss governmental cyber security policy under President Obama and how those policies might change during the administration of President-elect Trump.
Obama vs Trump on Cyber Security
Intro: Welcome to ‘Digital Detectives’, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 74th edition of ‘Digital Detectives’. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on ‘Digital Detectives’ our topic is “Obama vs Trump on Cyber Security”.
Sharon D. Nelson: Before we get started, I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more about SiteLock at sitelock.com/legal/digitaldetectives.
We would also like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: We are delighted to welcome as today’s guest Keith Lowry, a Senior Vice President of Nuix specializing in Business Threat Intelligence and Analysis. Keith has more than 25 years of experience implementing, managing, and directing insider threat, counterintelligence, and intelligence collection programs. He is a former Law Enforcement Officer and High-Technology Crime Unit Detective with the City of San Jose, California and a United States Navy Mobilized Reservist. He also served as Chief of Staff to the Deputy Under Secretary of Defense for Human Intelligence, Counterintelligence and Security at the Pentagon, and as an information security consultant in the private sector.
Thanks for joining us today, Keith.
Keith Lowry: Thank you. It’s a pleasure to be here on the Legal Talk Network, and it’s a great topic, something that I’m very excited about. So I’m looking forward to our discussion.
Sharon D. Nelson: Well, let’s start from a more general question before we drill down, how important is cyber security today from a government perspective?
Keith Lowry: It’s kind of an interesting question, because so many people want to understand the importance, but all you have to do is pick up a newspaper. Think about the OPM hit and how many people, 21 million people for the government were affected by one cyber security incident. It’s extremely important. In fact, in my opinion it’s probably the most important thing that the government has to deal with.
Look at the last election. You could say that the election was possibly altered by someone who had a very poor cyber security posture and an insider threat. So I think it’s extremely important.
John W. Simek: So Keith, can you tell our listeners about some of the key components of a good cyber security program?
Keith Lowry: Sure. The basic three things that people need to do is, first, agencies have to appoint a senior official who is in charge of the entire cyber security program.
The second thing they need to do is, be able to look at this not only from a technical perspective, but include in there the human perspective. Too many agencies avoid the human piece and try to solve their problems or attack it from purely a technical perspective, and that is short-sighted.
And the last thing they need to be able to do is write good policies that support the posture that the agency wants to take in regards to cyber security and insider threats.
Sharon D. Nelson: Well, we gave President Obama eight years in office, so how did he change cyber security in his eight years as President?
Keith Lowry: He did some interesting things. The first major thing that he did was create the insider threat definition and establish the Insider Threat Task Force. In my opinion it didn’t go far enough because it was only for government agencies. And so all the work that they did, all that good work couldn’t be shared with corporate America or the private sector and the private sector felt excluded, so it’s very difficult to get the private sector to share their information.
He also did some things that were very good. He created the Cyber Security Advisory Commission. He also created the Computer Security Information Sharing Act of 2015. Those are all good things.
He also appointed a Chief Computer Information Security Officer for the U.S. Government. Those are all interesting and good steps, but I don’t think his administration really captured the essence of the threat.
And so I think some of the things that he did, did not encompass what needed to be done in order to have a good cyber security program.
Sharon D. Nelson: Tell us what you mean by the essence of the threat?
Keith Lowry: The essence of the threat is just as I talked about at the beginning, should we have — how important is for the government to have a cyber security program? Let’s talk back just for a moment to the OPM incident. Most people don’t realize — it’s been labeled as a hack, it’s been labeled as a weakness in the firewall, a technological issue, but the OPM attackers were inside the OPM system for over a year. And to me, that’s just totally amazing that our government allowed somebody to roam around inside of a highly important set of data for a year and they weren’t able to recognize it or stop it.
So that’s kind of the threat that we are talking about. People do not recognize that this is not some esoteric threat, this is a real threat that is out there that people are going to come and take whatever critical value data you have or alter it or delete it or hold it for ransom, that’s the kind of world we are living in.
John W. Simek: Well, Keith, at the conclusion of Obama’s term, do you think Americans have less privacy, and I know there is some criticism that’s going around about whether or not he made the right calls when balancing threats and privacy.
Keith Lowry: I believe that you can respect privacy at the same time putting together policies and processes that will enhance our security posture. And by that I mean I am not an attorney but you can put together a policy that allows people to look at things like system’s audit and monitoring, and define that from a standpoint of it’s not delving into privacy issues and then compare and contrast it with user audit and monitoring, which does then have the ability to go in and start looking at individual and privacy issues.
But if you begin to put the program together with sound policies, you don’t ever get to the user audit and monitoring unless you have reasonable suspicion or probable cause to use a legal term.
Sharon D. Nelson: While speaking as a lawyer we have some difficulty understanding exactly how the balance can be applied when courts make those decisions in secret.
You mentioned a number of things that you thought that President Obama did well, maybe not enough, but if you had to give him a grade on cyber security what would that grade be and why?
Keith Lowry: I would give him a C, and let me back up and defend it first, and then I will tell you why. I give him a C because he did what I would think any administration should do at a minimum. But he didn’t understand or somebody on the administration didn’t understand the danger that exists out there and the threats as a given example for the OPM.
If people truly understood that anything that’s electronic or digitally stored is susceptible to being attacked, then the posture they would take would be something different. And I, for one, have even said that in this particular environment that we live in, we’re in the digital world. The digital defenses to me is so important that it could even deserve a Cabinet-level position, because it affects everything and everyone and all the information that we have is susceptible to it.
So to me, giving a CISO is important, putting together a commission is important. But it doesn’t go far enough to protect us because it doesn’t recognize the threats and the various threats and position the government to protect against them.
John W. Simek: Well, we really don’t know where President-elect Trump is going to go with all of this but he has reversed himself on some things that he said during his campaign. Do you have any sense as to how he’s going to handle cyber security in his term?
Keith Lowry: That’s a good question and I’m not a good prognosticator for the future.
John W. Simek: You don’t have a crystal ball, Keith?
Keith Lowry: No, but I have picked up a couple of things that kind of raise my eyebrows to say maybe he does understand the threats in one of them and again, this is pure speculation on my part but the fact that the name Mike Rogers has been floated, who is head of NSA, and the Cyber Command, has been floated should be the Director of National Intelligence, whether or not that’s a political dancing or not, the fact that that name has been floated, tells me that he really understands that he needs to get someone who understands the threat, to have them start digging into what’s the best possible path forward. So that’s one indicator.
Another indicator that I think he understands is that he is going to the private sector and not necessarily getting — he’s getting good people who have good private sector experience as well as government experience, and truly that’s what this needs.
The cyber threats can’t be just divided between government and private sector because the threat is the same no matter where you go. And truly what he needs to do is, by going out into the private sector it looks to me like he is trying to get the best people he can to solve the problems. And that’s what’s needed, it’s a combination of government and private sector, because if you try to do it with government alone, it will never be successful in my opinion.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Sharon D. Nelson: At least 80 of the 100 biggest law firms in the country had been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes Website Scanning, Web Application Firewall, including DDoS mitigation, and 24×7×365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today, visit www.pinow.com.
Sharon D. Nelson: Welcome back to ‘Digital Detectives’ on the Legal Talk Network. Today our topic is “Obama vs Trump on Cyber Security”.
Our guest is Keith Lowry, Senior Vice President of Nuix, specializing in business Threat Intelligence and Analysis.
Keith, what do you think the focus of the cyber security program will be for the new administration?
Keith Lowry: I don’t know what it will be, again, I’m not a good prognosticator and I can’t read my own mind much less a political – a potential political mind. But I can tell you what I think he should do and we’ve touched on it before in the previous segment, which is this is such an important topic and it covers such an important array of issues that I think it deserves a look at expanding the Cabinet-level influence.
I think that appointing a federal CISO was a great thing but if you look at this from a CISO or too many CISOs look at this from a technical perspective and don’t look at it from a threat perspective, and they think they can solve it with a new piece of technology. But unfortunately the world doesn’t work that way in these threats because the threats aren’t technological threats, they’re human threats that use technology to accomplish their goal. So that would be the first thing, just raise the awareness, raise the influence within his administration.
Another thing that I think he should do is create a breach notification standardization within the government and then make sure that people stick to it. One of the things we talked about briefly with the OPM case was that, it actually to my understanding there were two incidents. One of them was something that they were watching for several months but while they were watching for several months, there was a second one that was going through and collecting all of the data and sending it out, and nobody notified anybody except for the FBI who came and said let’s watch it somewhere.
I also believe that he should again engage private sector expertise because it’s really hard to get really good expertise and house it strictly within the government. So in addition to what Obama did, I think he should expand these commissions and put together an organization that even resides outside of the intelligence community because so much of what goes on, goes on in the non-intelligence world.
Right now, the Insider Threat Task Force and some of the other things that he has done are inside of the intelligence community and that restricts their knowledge and being able to share that with the rest of the country.
The other thing that I think is important is recognizing the threat is not just external and it’s not technological, it’s human-based, and there’s a lot of ways to go for people to look at that human-based information and develop programs and policies that recognize that. So that’s what I think the focus should be now whether or not the new administration does that is hey, up in the air.
John W. Simek: Well, Keith, you talked about whether or not the new administration should expand upon the things that Obama did, but do you think that Trump people try to undo anything that Obama’s administration did?
Keith Lowry: Another good question. My gut feeling is that there is not a whole lot that needs to be undone because there wasn’t a whole lot that was done.
John W. Simek: There is that perspective again.
Keith Lowry: From a technological standpoint, this committee that he established is a great step forward. Unfortunately, the majority of the people who were picked for the cyber security advisory committee, they had very few people that had cyber security knowledge on that committee. It was a committee that was established as a good step, but it didn’t have the right makeup in my opinion. So that’s one thing that I think we should change but not necessarily undo.
I also liked the fact that Obama put in a CISO. Now, I’ll just briefly switch roles here for a second, in my role to go off and talk to Corporate America, I constantly tell Corporate America do not put cyber security underneath a CISO or underneath the IT department because then it gets commingled with people who think technology can solve the problem; and that needs to change, it needs to be altered, it needs to be elevated above that.
So when I go into a corporation, I’ll tell them, you should put a cyber security czar on your Board and you should have the CISO and the Insider Threat Program have all of those things report directly to the Board. So if we translate that to the government, that’s why I think it should be at the Cabinet-level position. That kind of influence needs to be brought to bear on this problem, it’s not something that’s going to go away and it’s something that’s increasing every single day.
One other thing I’ll talk about is that when he put together the Insider Threat Task Force, once again I’ll say that he made it government-centric and that was one of the biggest frustrations I had when I worked in the government was that, how do we get Corporate America involved in this to get the expertise? Their answer was, well, they can just give us the information, but because it was connected to the intelligence world, no information flowed out.
So there wasn’t a good methodology for exchanging of information, and unless he takes it outside of the intelligence community, now it doesn’t alter the intelligence community’s job and it doesn’t alter their role and responsibility, but it opens it up so that we get expertise from where expertise truly resides.
Sharon D. Nelson: Well, I think one of the things that a lot of folks have worried about and at least expressed concern that there might be something different about is the fact that the president-elect and his family have strong ties to Russia, particularly financial ties. Do you think that that might have any impact on how Russia is treated when it comes to being a cyber security threat?
Keith Lowry: Wow. Let’s separate politics from reality I guess. Is that possible? No.
Sharon D. Nelson: No. No, unfortunately, we can’t even separate it from reality TV.
Keith Lowry: Yeah, I have read the same material and regardless of who won the election, there was going to be this question of foreign influence. So just setting that aside for a second, yes, I firmly believe that whoever — in this case president-elect Trump, should not be influenced by foreign connections in his private business. Just like I didn’t think it was proper to have foreign contributions go into a fund, either one of those things are not good; but what really is the point here is, if the president-elect understands the threat and some of it comes from Russia, some of it comes from China, some of it comes from Iran, and around the globe, and individual actors, some of it’s coming from organized crime, some of it’s coming from individual people.
That they have to keep in mind that it doesn’t matter where the threat comes from they have to deal with it, so do I believe Trump can separate himself? Sure, he can do that. Will he do it? That’s one to look back and ask me again in two years.
Sharon D. Nelson: I will look forward to that Monday morning quarterbacking.
John W. Simek: Well, in the end how do you think the Obama approach and the still as yet to be determined Trump approach is going to be judged by historians?
Keith Lowry: In case you haven’t noticed, I’m quite opinionated on this topic.
John W. Simek: Well, then you fit in well with this crowd, Keith.
Keith Lowry: And to me no one other than the military, and that is a separate discussion, but no one in the general government, the non-title 50 side of the government, and no one within the administration so far and the upcoming administration other than just giving some outside signals has really come forward and said cyber security and insider threats is a huge problem and we need to be very serious about how we do that.
So until we actually get our arms around that and I don’t know what it’s going to take to motivate it, is it going to take another two or three OPMs?
Let me just give you a quick thumbnail, one of these things that I used to do was counterintelligence risk assessments of agencies within the government, and everything I’m going to say here is unclassified, you can read in the papers, but one of the things that astounded me was that in the Center for Medicaid and Medicare services their budget’s roughly around a trillion dollars a year and they publicly state that their loss to fraud is estimated at $60 billion with a B a year. And I’m just amazed that that just – hey we lose billion to fraud, so on one of my questions I said to the seniors there, what if I showed you that $10 million of that went to support ISIS or $10 million of that went to support a foreign intelligence service? And they gasped, said, how could you know that? I said, if you’re telling me you’re losing $60 billion a year and you don’t know where it goes then you have to assume that bad people are doing bad things with that money.
So to me the judgment is going to come only in retrospection and that will be — it’s going to happen again, are we going to be prepared, are we going to be able to look and say, we’ve got our arms around the problem?
I’ll give you another kind of an interesting in the commercial world. The timeframe between when an event occurs and the time the organization recognizes the event has occurred is generally speaking in the banking world about six months, in the non-banking world, it’s about a year, and that fits right in with the OPM event that it went on for a year, somebody was rooting around inside of their system for a year and they didn’t know it, unless and until the government recognizes the threat and develops programs and policies that shortens the timeframe between the event occurring and the recognition or you can begin to fight it, and stop it until that timeframe can shrink, significantly, I will say that they’re going to fail, but they are going to take a lot of work to get there.
Sharon D. Nelson: Well, we’ll have to bend our elbows somewhere in a pub and look back at this after a couple of years because I think it will take some time to play out. But, Keith, we sure want to thank you for being with us today and for lending your expertise to the discussion. I think that there’s a lot of concern about what may happen in the future, cyber security certainly is on people’s mind, and although we know what Mr. Obama did, we don’t yet know what Mr. Trump will do and that has a lot of people worried, but what’s great is that you’ve given a really balanced view of the two gentlemen and what may or may not happen, and all we can do is project, we know what one guy did, but we don’t know what the other guy will do. And so, you did a really nice job of drawing those lines for us, and we very much appreciate your taking the time to be with us today.
Keith Lowry: And thank you very much for the invitation, and yeah, let’s go tilt some elbows in a couple of years and let’s come back and see how well we prognosticated.
Sharon D. Nelson: You are on, my friend, you are on.
Keith Lowry: Okay.
John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on iTunes. If you enjoyed this podcast, please review us on iTunes.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics technology and security services at senseient.com. We will see you next time on ‘Digital Detectives’.
Outro: Thanks for listening to ‘Digital Detectives’ on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.