Robust and proactive cybersecurity is more critical than ever in our world, and today’s government leaders must have effective plans for protecting against cyber attack. So, how is President Biden doing so far? Digital Detectives Sharon Nelson and John Simek welcome Stewart Baker to discuss the president’s progress on current cybersecurity issues. Drawing from his many years of experience in government, law, and cybersecurity, Stewart outlines some of the existing problems and potential threats our nation is facing and critiques the president’s approach to these complex matters.
Stewart Baker practices law at Steptoe & Johnson in Washington, DC, and served as the first assistant secretary for policy at the Department of Homeland Security from 2005 to 2009.
Special thanks to our sponsor PInow.
Cybersecurity Priorities for President Biden
Intro: Welcome to Digital Detectives Reports from the Battlefront. We’ll discuss computer forensics, electronic discovery, and information security issues and what’s really happening in the trenches not theory but practical information that you can use in your law practice right here on the Legal Talk Network
Sharon Nelson: Welcome to the 124th Edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, cyber security and information technology firm in Fairfax, Virginia.
John Simic: And I’m John Simic, Vice President of Sensei Enterprises. Today on Digital Detectives, our topic is “Cyber Security Priorities for President Biden.”
Sharon Nelson: Before we get started, I’d like to thank our sponsor pinow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John Simic: Today we are lucky to have as our guest, Stewart Baker, who practices law at Steptoe & Johnson Washington, DC. From 2005 to 2009, he was the first Assistant Secretary for Policy at the Department of Homeland Security. His law practice covers cyber security, data protection, homeland security and travel and foreign investment regulation. He’s been awarded one patent. Mr. Baker has been General Counsel of the National Security Agency and General Counsel of the Commission that investigated WND intelligence failures prior to the Iraq war. He is the author of “Skating on Stilts,” a book on terrorism, cyber security and other technology issues. He also host a weekly cyber law podcast. It’s great to have you back with us again Stewart.
Stewart Baker: Oh, it’s great to be back with you guys.
Sharon Nelson: Well, we really do thank you for coming and before we get started on what President Biden is and should be doing with respect to cyber security, talk to us a little bit about cyber security under the Trump administration.
Stewart Baker: Well, you know it was typical of the Trump administration. A lot of good things got done and most of them got done when the president wasn’t paying attention to them. It’s just that – I hate to say that. I’m not a Trump hater but I think we are acknowledged that his attention sometimes detracted from the government’s ability to get stuff done and when he paid attention he was a mixed force. He was willing to take on China and the Chinese supply chain and to take tough action about very important things that needed to be done about China inducing our reliance by the United States on insecure technology. He was not at all willing to take on Russia and some of the things that Russia did to both interfering in the 2016 election and the hacking that they engaged in. So, when it got to his level it was a mixed bag but below him, the DHS really came into its own as a cybersecurity agency and it did very good work on election security for the 2020 election which of course, the mixed bag again got the head of DHS’ cyber security agency fired when he said no, the election was secure.
Sharon Nelson: Interesting because those were the times that we just lived through and there has been kind of a swing to a whole new approach to cyber security.
Stewart Baker: Yes, it’s going to be a lot more boring but a lot of more is probably going to get done.
Sharon Nelson: I’ll take boring.
John Simic: Stewart, I know you don’t lack for opinions but what do you think if President Biden inherits his biggest cyber security problem?
Stewart Baker: I think SolarWinds is probably the most pressing issue just because and it’s not fair to call it SolarWinds. We should probably call it holiday bear. It was probably the Russian intelligence and they were very, very good at what they did by breaking into some very high profile targets who were quite sophisticated in their own defense and they beat a bunch of them. That’s impressive and scary and it requires that we rethink what we have been doing for security especially for the federal government which probably wasn’t in a position to stop this even if these guys had been a little less sophisticated but certainly wasn’t in a position to stop these intrusions at this level of sophistication and the government is going to have to up its game and it’s probably going to have to take action to make sure that the critical infrastructure we care about has upped its game in response to the holiday bear intrusions.
Sharon Nelson: You know a lot of folks listening u they won’t even know what SolarWinds means so maybe you could just briefly explain that to them.
Stewart Baker: So, yes it was actually first discovered by FireEye. When FireEye, a particular security guy got a request to have a second phone be used as two-factor authentication to say, yes, this is this person checking in and getting onto the network and he had time to call the guy and say, really you’ve got a second phone? To which the employee said, no, I don’t. And that little call and that fact led to the discovery that FireEye had had sophisticated Russian intelligence operatives inside its network for months and that they had broken in in part by compromising Microsoft files that they had done so at a level of sophistication that we had not seen before the kind of discipline that no one expected even from the “the cream of the crop.” That means that we have to rethink how tough our cyber security practices have to be and I guarantee that very few people who are listening to this have cyber security folks working for them who call everybody, who tries to get another phone accepted for two-factor authentication but increasingly looks as though that’s what we’re going to have to do. Very scare some of the trade craft that they used. We’ve gotten used to the idea that once we’ve logged on, we can move out to cloud services and the cloud services will know who we are because – let’s say, Microsoft has already vouched for us. We’ve already logged on and the other party trusts Microsoft’s credentials but these guys got good at faking credentials. Indeed at persuading the entire ecosystem that the Russian government could vouch for particular employees of FireEye or SolarWinds and so the entire system of digital authentication markup language is enormously powerful and easily abused and these folks got really good at abusing it.
John Simic: Pretty frightening isn’t it that they “stumbled on to that” and imagine of they didn’t where we would be today.
Stewart Baker: They had been getting away with it for months.
John Simic: Yes.
Stewart Baker: And very carefully they deliberately did not use their access for much. They were looking for just the right people. They only wanted a COE or the CFO and the chief security officer and so they didn’t compromise anybody else. They were tiptoeing through fields that most hackers drive trucks there.
Sharon Nelson: Well, I’m pretty sure we’re going to see SolarWinds in a move form at some point. Knowing what that is indeed the biggest breach we have seen in some time and particularly of governmental agencies and organizations what else did President Biden inherit as other security problems?
Stewart Baker: So, I think there are a couple that I would identify. One, the supply chain and this is something – the fact is that much of our digital specially the lower value digital equipment that we rely on comes from China and it comes in some cases from Chinese companies that are entirely behold into the Chinese communist party and we’ll do whatever they’re told to do and so the possibility that our equipment is subverted from below is very real and finding a way to make sure that one, the equipment we buy only what works for us and not for our adversary is important and second that when we need it, we’ll be able to buy it because the Chinese have already begun to indicate that if they can cut off supplies of pharmaceutical precursors in a time of COVID or if they can cutoff rare earth’s exports to the United States which all of our tech sectors rely on and get diplomatic concessions, they’ll do it. And so, we need to make sure that we’re not dependent on them for both of those reasons. Those are problems that President Trump in his very – he would wake up in the morning and take a stab at the problem and then you wouldn’t hear anything about it for a couple of months and then suddenly there’d be a new executive order out. He did a lot of that but he did not have a very robust and comprehensive and disciplined approach to that. What we’re seeing with this administration is they’ve already put out the executive order that says we are going – in the 100 days, we want plans on several topics —
— and then at the end of the year, we want a whole new set of additional plans. So, I think I twitted – President Trump would’ve done this some Sunday morning before golf and this is a little slow but we’ll probably get a better more thought through outcome out of the supply chain executive order that President Biden has put together. That was one of them and then the other problem that I think is really just emerging in the last couple of weeks though it’s been around awhile is attacks on the grid. The Russians have been ENR grid for a while now and we were very unhappy about that. Probably became clear that they were in the grid in the Trump administration and of course saying mean things about Russia wasn’t on the president’s agenda at the time but it is a hostile act. There’s no espionage reason to be in our grid. The only reason to be on our greed is to keep alive the option of turning off the electricity for everybody in the country. And since Russia has done that in Ukraine twice I think we have to take seriously the threat that that represents and the rumor is that we are now all in their grid precisely to return the favor in terms of projecting a threat. That’s scary enough but now it turns out the Chinese are acting against India’s grid. They may well have already carried out electricity short from Mumbai. Cut off the power in Mumbai as a result of the fight that we saw on the border up in the Himalayas. Shortly after that, there are reports that large amounts of malware was aimed at India’s grid and then there was a blackout in Mumbai. Maybe that’s coincidence but it’s also highly likely that it was China sending a message to India to say if you keep causing military problems in the Himalayas, you could have power problems at home and this is a long process of normalizing attacks on our electrical systems which none of us can really afford to live with further along.
John Simic: Well, Stewart what do you think about the people that the president has chosen to lead his new cyber security teams?
Stewart Baker: I know most of team and I have great respect for them and Nuberg area is now the Deputy National Security Adviser for cyber. That’s by far the highest ranking position that anybody at the Whitehouse is ever been given on cyber security. She comes out of NSA. She’s a very thoughtful and polished member of the government with a lot of non-government experience as well. She’s definitely a talent. Another NSAer, Jen Easterly is going to come in. She may end up. There’s a lot of uncertainty about how these jobs are going to be organized because congress has weighed in but Jen Easterly may end up running the cyber security unit that congress imagined would be the entire thing for the Whitehouse but which almost certainly will not be. Michael Sulmeyer is going to be the National Security Advisor. He’s worked at DOD. He’s been up in Harvard. He’s very talented. Rob Silvers at DHS will take over from the guy that President Trump fired and he’s done this already in the Obama administration tomorrow the same. So, they’ve got a lot of people that I like and respect who will be taking on these issues. It’ll be regular government in a way that we didn’t see in the Trump administration.
Sharon Nelson: Well, go team. I’m like the sound of all that.
John Simic: Before we move onto our next segment, let’s take a quick commercial break.
[Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the U.S. and worldwide. The professionals listed on Pinow understand the legal constraints of an investigation, are up to date on the latest technology and have extensive experience in many types of investigation including workers’ compensation and surveillance. Find a pre-screen private investigator today. Visit www.pinow.com.]
Sharon Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is “Cyber Security priorities for President Biden.” Our guest is Stewart Baker who practices law at Steptoe & Johnson in Washington, DC.
From 2005 to 2009, he was the first Assistant Secretary for Policy at the Department of Homeland Security. His law practice covers cyber security, data protection, homeland security and travel and foreign investment regulation and he has been awarded one patent.
John Simic: So, Stewart do think that President Biden has made a credible start on addressing cyber security so far?
Stewart Baker: I think he has. I mean no one expects him to know a lot about cyber security. He and the senate before the internet was invented or at least it was commercialized.
John Simic: Before congress, right?
Stewart Baker: Yeah, exactly. So, it’s not natural to him. He’s not a native but he certainly appreciates National Security threats and he appreciate the politics, the bad politics of having a major energy outage for example. So, he has begun work on cyber security priorities. His executive order on the supply is exactly what you would like to see and the hard question and real judgment will come when he has to make decisions that somebody else doesn’t like and then we’ll see whether cyber security is being valued or whether its just getting lip service.
Sharon Nelson: Well, you know he’s really not had much time in obviously so.
Stewart Baker: Right.
Sharon Nelson: I’m hesitant to be anything but thankful that he has made the progress he has because it hasn’t been very long but what has he done to date that you’ve applauded, is there anything that he’s done that you wouldn’t applauded?
Stewart Baker: So, I think he has done as I said a good job coming up with the supply chain order. What I wouldn’t applaud is I think he’s kind of said why don’t we take a nice leisurely stroll to a conclusion asking for decisions at the end of a year. I’m sure that they will feel like everybody is working really hard for a year to come up with what they come up with but if they had been told to come up with it in six months they would’ve worked just as hard and come up with something that was almost as good. So, I think he probably could’ve shown a little more concern for getting this stuff done fast.
Sharon Nelson: I think he’s been focused maybe on COVID so much and he’s done so much.
Stewart Baker: Yeah.
Sharon Nelson: With getting the vaccine here. I suspect that may have been something that just delayed efforts in other places.
Stewart Baker: That could easily be. We will not know how he’s doing for a while I agree with you on that but as I say I would like it if he said, this is a crisis and I’m not going to give you a year to figure out what to do about it. The other thing that he’s done and this is a continuation of something that Trump did and the politics being what they are, it’s hard for President Biden to keep anything that President Trump did but he appears to be keeping an order that President Trump put in place, executive order I think 13873 which essentially said the President and by delegation, the secretary of commerce can designate any piece of technology or company that goes into our information and communications technology infrastructure and comes from a hostile nation as a product we don’t want in our infrastructure and that will be bind on the private sector. This is an authority that no one thought – the government didn’t think it had back in the Obama administration and they allowed a lot of stuff from China to be installed because they didn’t think they could stop it and President Trump just said well, I’m going to write an executive order that stops it. He did. He didn’t apply it very much. They say application of it was idiosyncratic but it is a valuable tool in the new kind of competition we’re in with China over technology and National Security and the administration has sent a signal that it’s going to keep that authority, keep those regulations in place. They will probably take comments and adjust but I thought it took a little bit of courage to say we are not getting rid of everything that has Trump’s signature on it.
John Simic: Well, Stewart we all know money makes the world go round. So, is it going to be hard for President Biden to get the kind of money he’s really going to need to fund the cyber security measures that are being contemplated?
Stewart Baker: Yeah, I think if it’s not in the COVID relief bill, he’s not going to get it. That’s my guess. We have gone to a system really for the last 10 years or so of funding stuff in spasms. I’m guessing that the basic structure of the budget was set in the last couple of years of the Obama Administration, hasn’t been changed because there hasn’t been enough votes in Congress to actually change any of the priorities except in big lumps of money like the 2008-2009 stimulus and the CARES Act and now maybe this latest bill.
There is, if I remember right, I think maybe the CARES Act originally had $10 billion in it for CESA, that is to say DHS’ civilian cybersecurity entity to spend on cyber security. That’s not more money than is needed because what we’re going to see, I believe, is a pretty dramatic centralization of cyber security responsibilities at DHS. They haven’t been able to do that, most companies to have one CISO. The federal government has 50. You got a CISO for every department and every independent agency and it’s money in their budget. It’s people that work for them. They don’t want to give that up, but some of them are good and some of them are terrible at doing this. And if one of them is terrible, they can infect the rest.
So DHS is probably going to have to take some action to start setting more and more floors for cyber security, providing more and more cyber security services that previously we’d relied on each individual agency to decide to buy, and that will certainly use up big chunks of that $10 billion.
Sharon Nelson: Yeah it sure will, but it will hopefully make sure we get rid of some very bad CISOs too?
Stewart Baker: Yeah.
Sharon Nelson: That’s a good objective.
Stewart Baker: We have to get used to the idea that this is an extraordinarily expensive thing that the digital infrastructure we are substituting delivers all of its benefits in the first year and the price doesn’t show up until four or five years later and it’s a lot bigger than you thought it was going to be.
Sharon Nelson: All right and on that note, I’m not sure that people who don’t want
to see the government spending more money are going to be happy with that, but it is a necessity to be sure. Do you have, number one, any final thoughts? And number two, how can people listen to your podcast that you do with your law firm? And is there a favorite episode from the recent months that you’d like to call out?
Stewart Baker: Yeah why don’t I do two. One is about an issue that I think your audience will be really interested in, and the other is just an episode I really love. We just finished an episode in which we usually do a news roundup and then an interview or some longer feature, and the longer feature in the one we just finished is an exchange I had with a high-ranking justice department official about the OFAC Advisory that said, “You know you can’t pay ransomware to Evil Corp and the North Koreans because we have sanctioned them and you’re not allowed to have any dealings with them at all. And if you do, we will punish you.” And to boot, if your forensic firm gives you bad advice and says, “Oh yeah this is not DryDex. This is not
Evil Corp” and it turns out that you paid them on the strength of that advice, they could be liable for facilitating a violation of federal law. So I’m a little skeptical of this whole approach to ransomware, but it is the law and so we talk in detail about what might trigger liability for insurers, for forensics firms, for people who are doing attribution of a particular form of ransomware and then of course for the victims. So that’s something that people might find useful as education and maybe a little bit of reason to worry about their practice in dealing with ransomware.
But the one I really loved was the one before that, where we interviewed the author of a book about Elizabeth Friedman who was married to a pretty famous cryptographer
named William Friedman who was the intellectual founder of the National Security
Agency. It’s the story of the two of them, because she was, by his estimation, at least as good a cryptographer or a cryptanalyst as he was. And the story of how they got started with this lunatic — he wasn’t a billionaire, but he was close. He was a very rich man out in Chicago, who recruited Friedman to come to his weird compound near Chicago where he was working on a project to find secret code written by Sir Francis
Bacon in the works of Shakespeare to prove that he, and not Shakespeare, had written it and deliver a whole set of messages.
The theory was that he had been varying typography of the particular text and they end up doing all of the government’s decryption for World War I out of this unit. So these two these people with no training are suddenly the entire National Security Agency for the US Government. It’s a great story.
John Simic: I’ve read that, it is wonderful.
Stewart Baker: Yes, it’s called The Woman Who Smashed Codes.
Sharon Nelson: Well, Stewart, as always, we want to thank you for coming back and being with us again. It’s always a joy, always a really nice conversation about cybersecurity and your insights are always wonderful to share with our audience. So thank you again for being here today.
Stewart Baker: I’m always glad to come back and talk to both of you.
John Simic: Well that does it for this edition of Digital Detectives, and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple
Podcasts. If you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon Nelson: And you can find out more about Sensei’s digital forensics, technology and cyber security services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.
<a href=”https://www.tech-synergy.com/podcast-transcription” target=”_blank”>Podcast transcription</a> by <a href=”https://www.tech-synergy.com ” target=”_blank”>Tech-Synergy.com</a>