Government

EP#94 – Mark Montgomery – US Gov. Cybersecurity Roadmap: Where it came from and Where is it Going?

podcast94

powered by Sounder

Today, information is worth more than riches. The new currency is data. With this being true, the state of cybersecurity within the upper branches of the government was shockingly under-prepared.

In this episode, I speak with Mark Montgomery, the former Executive Director of the Cyber Solarium Commission, about the report the commission published in March 2020 and how that document has influenced the US Government’s roadmap to improve cybersecurity, prevent cyber attacks, and protect the nation’s data.

Join us as we discuss:

  •  Critical steps forward for cybersecurity 
  •  Six pillars of importance in federal circles
  •  Challenges in the cybersecurity workforce

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player 

Speaker 1 (00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion, providing the best information, security advice and insights, for security, IT and business leaders. If you’re looking for no-BS answers, to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there and welcome to yet another episode of Virtual CISO Podcast. With you as always, John Verry your host and with me today, Mark Montgomery. Hey Mark.

Mark Montgomery (00:35):

Hi John. Thanks for having me.

John Verry (00:36):

Oh yes and I’m looking forward to this conversation, sir. Always like to start easy. Tell us a little bit about who you are and what it is that you do every day.

Mark Montgomery (00:45):

Thanks. Well, I served 32 years in the Navy, retired as a Rear Admiral about five years ago. I went to work for John McCain, really one of the honors of my life, for about two years as his Policy Director. After he passed away, I took a job with a Senator I had met during that time, Angus King from Maine. He’d just been selected as chairman of the Cyberspace Solarium Commission.

I was aware of it, because I’d helped pass the legislative package that it was in and he and Representative Mike Gallagher, interviewed me and took me on as the Cyber Solarium Commission Executive Director and from there, I did about two and a half years with that. It sunsetted and now I’m running a non-governmental 501C3, to implement the remaining effects of the Cyber Solarium Commission and it’s housed inside Foundation for Defense of Democracies, where I also serve as a Senior Fellow on issues like Taiwan, Israel and missile defense.

John Verry (01:49):

First off, thank you for your service. Second off, I was a John McCain fan. I think he was a true American hero, whether you agreed with his politics or not, whether you’re a Republican, whether you’re a Democrat, he was a good man and I think he served us well and I appreciate his service as well. I always ask, what’s your drink of choice?

Mark Montgomery (02:11):

Diet Coke. I’m going to disappoint you.

John Verry (02:17):

Yeah. I will tell you that I don’t drink any diet soda. Yeah, I have nothing to say and that’s rare. Anyone who knows me, knows that me having nothing to say, is extremely rare. All right. Let’s get down to business. You mentioned the Cyberspace Solarium Commission. In my humble opinion, that report that was published in March 2020 I believe, is really arguably one of the most influential pieces of information security guidance ever developed, yet I would say outside the Washington inner circle if you will, for lack of a better word, very few people are even aware of it. Can you give us a bit of backstory on how the CSC report came to be and a little bit about what the report actually says?

Mark Montgomery (03:00):

Sure. As I mentioned, I was working on the Center of Services Committee. The solarium piece had been battered around for a few years, but Senator Ben Sasse took it up. He was on the Armed Services Committee. He brought it to John McCain and said, “I think we really need this.” It was perfect timing, because McCain, who could be a bit mercurial, was definitely mad at that moment. He was mad at our inability to influence the cyber security of the .gov, our own federal systems and build the public private partnership, he knew was necessary.

The proof to him about this, was first the Chinese theft of OPM records, $24 million, including his and mine. That bothered him. The really inept response to the North Korean attack on Sony disappointed him. The idea that the end result was after about four months, we finally attributed it and indicted three North Koreans. Obviously, none of them were extradited and in fact, I’m sure they all received medals the next week, from Kim Jong-un, but also the reports he’d been getting of Chinese intellectual property theft from the Blair commission, that put it at hundreds of billions of dollars, rising up to in total, a trillion dollars of lost GDP, through this intellectual property theft and then at that very moment, the Russian cyber enabled IO attacks, information operation attacks on our national election infrastructure.

You added that up and he reached his melting point. We were going to do this commission and this is where he was really brilliant and working with Senator Sasse and others, they agreed to put legislators on the commission and then all four corners, that’s to say the Senate and House, Republicans and Democrats, eventually picked members from Congress, from the Armed Services Committee. You had four sitting Armed Services Committee members, sitting on a commission. That’s critical, because fast forward to when we have recommendations, the way you get them implemented, is to have Congressmen put them over their shoulder and walk them down the aisle, right?

John Verry (05:11):

They’ve got to believe. If they don’t believe in it, right, if they don’t understand what the rationale is, if they’re not committed to it, they’re not going to drag it through the process.

Mark Montgomery (05:18):

They’ve got to own it and we’ll talk later on about National Cyber Director, but I’ll say right now, if you’d asked Senator King, before the commission started, “What do you think about National Director?” He would not have had a good feeling either way about it. By the time we were at the end, he personally had the National Cyber Director provision on it, strapped to his back, taking heavy fire, marching it to conclusion and that’s a significant thing. All the other Congressmen helped with that one, but he’s the one who strapped it on his back and took it over the finish line and the commission was created and another thing about McCain, why wait for tomorrow, what you can do tonight? He said, “I want this report done in less than a year and I want it ready for use in the fiscal year ’21 NDAA,” and we met those goals.

We went out there and I’ve got to tell you, starting up a commission, it’s a small federal government agency and let me just tell you, words that should not occur in the same sentence, startup and federal government, right? They don’t mix well, but we started up a federal agency and I just had one or two staffers, that could just cut through all the BS, that makes up the federal government bureaucracy, take care of that stuff for me, I could then hire about 20 thinkers, a good about half detailees from agencies, about half young, just postmaster’s degree students of cyber policy and strategy, from the best schools who’ve been studying this and they done a little bit of work out in the private sector, brought those 20 people together and started tackling the issue.

They got the report done in nine months, including getting it through the 14 commissioners, who weren’t just the four congressmen, but four government officials, like Director of the FBI, Deputy Secretary of Defense and others and then also, six private sector experts, either academics, federal government, former senior officials or CEO of a major energy company, Tom Fanning, things like that. Got it through there and then another good trick and being a former Senate Staffer helped me here. I was just smart enough to know, that coming to a Senate staffer and saying, “Hey, we’ve got 80 recommendations. 50 of them are legislative. Here they are, written down in a PowerPoint.”

That’s not going to work. We handed them 50 written pieces of legislation and the where for art thou, semi colon and all the stuff that you see legislation written as, by professional legislation writers. Now look, none of what we wrote is exactly the text that happened. That’s great. That’s the key to success, is to not get too concerned about that, but intrinsically, myself and the four Congressman, knew that we had to write this for the staffs, because they’re overwhelmed, they’re working hard. It wasn’t like any staffs were taking excess holidays. They were working hard and us giving them completed legislation was critical. We came up with a report, put it out in March 2020, really it was March 11th, the last event before Congress shut down, from doing external events on March 12th. Had a nice, good rollout and then throughout the COVID period, just pounded our legislation into the committees, for two legislative cycles, through the summer of ’20 and the summer of ’21 and ended up with about 70% of our legislative recommendations being turned into law over time.

John Verry (08:40):

Which is insane. Now, just to frame it for people, I believe and correct me if I’m wrong, because I wrote this down, that the goal of the commission was to develop a consensus on a strategic approach to defending the United States and cyberspace, against cyber attacks of significant consequences, right? That’s what you started with this idea and you came up with, if I recall correctly, 80 recommendations across these six pillars and then you said, you converted that into 50 literal pieces of legislation, which I also think what was smart about that, was not just helping them do the work, but I would imagine many of these staffers are not cybersecurity experts, right? They come from a political background, legal background. They probably felt a little uncomfortable with technical cybersecurity subject matter. I must imagine that was also something that was a great lift for them, as well.

Mark Montgomery (09:32):

Well, you’re exactly right. First, I’d say this on the staff, the Armed Services staff, the Intelligence Community staff and the Homeland Security staffs, have dedicated cyber experts. That only leaves 64 other staffs, that feel they have a role in cyber security, that don’t necessarily have the dedicated cyber security expertise they do have people, especially in the appropriation staffs, that have become very good at it, but I think those big three I mentioned, Homeland Security, Armed Services and Intelligence, are where the people who did cyber for a living somewhere else in the federal government or in the private sector and then roll into the committee, exist and that’s a very limited footprint, but those people were critical. We would not have been successful without very positive support from the Armed Services, Homeland Security and Intel Committee staffs, in both the house and the Senate and it was stronger in some than others, but still broadly across all six of those committees, really helpful.

John Verry (10:26):

Gotcha. Can you talk a little bit about the six pillars and why you guys organized it into those six pillars, because I thought that was really effective.

Mark Montgomery (10:33):

That’s a great question, because there’s two ways to look at it and in the end, we were melding together two thoughts. One was from my bureaucratic experience in the military and in the Senate staff, you cannot eat an elephant in one bite. You had to get these things into edible groupings and breaking it down into these pillars was critical. Kelly, the more creative members of my staff would say, “Well in reality, we began to think about cyber across these six lines of effort,” and when those melded together, we ended up with these six pillars under which, the different legislative and executive branch recommendations, were binned and it did make it much easier organizationally and it also allowed you to say to committee, “I have these three or four just for you, but just so you know, in the same area, here are two or three others,” because they don’t like to be bushwhacked later on, with a similar provision and a different committee, that they hadn’t seen.

That way, it helped me keep everyone with good situational awareness and I think we did a very good job of that in the first year, particularly. Particularly in COVID conditions, where everything was being done by Zoom and phone calls and emails. As I said, we released our report and the next day, went into lockdown and the NDA cycle started three weeks later and again, a lot of credit to hill staffers, they did not act, particularly the Armed Services ones, as if COVID had any impact on their legislative writing requirements. They really did produce a fantastic NDAA in the middle of COVID. The six pillars that you mentioned, the first one and I think one of the ones that we considered most important and for which I think we probably have the best current grade, we grade ourselves every year and we will do that for two to three more years and overall, we’re probably a C right now, but one of the areas that I think is above that, is organizing the US government.

We were not properly organized. We still are not completely properly organized, but we definitely did have strategic leadership at the White House and we didn’t have the organizational, the quarterback of all the federal agencies, at that one federal agency that’s really leading these efforts, either properly authorized and resourced. The first thing, is the National Cyber Director, that strategic leader at the White House. I think that has evolved. A job was created by the NDAA, we got it done and it’s taken about a year so far, to populate it properly. It’s not quite a year yet, but another month or two, it’ll have been a year and it’ll eventually be 80 people inside the White House, which is a good, healthy number, for coordinating the inner agency, on a really significant, challenging issue and you can’t have the National Security Council with five or six people do it. They can do fantastic work. They can’t do the grunt work of organizing 102 federal agencies, to be generally pointed in one direction and yeah, go ahead.

John Verry (13:39):

Can I ask a quick question there, because I think what you just said, which is amazing to me and I didn’t know this, is that there are now 80 people that work at the White House, 80 some odd people, that are responsible for helping to establish our cybersecurity posture, across the government?

Mark Montgomery (13:58):

Currently 50, headed to 80, I think within the next two to three months, at the one year point and it could get higher. Frankly, I think legally it could get up with detail, at least about 105 and that would be fine. US Trade Representative office is in the high 100s, National Drug Control office size technology policy is in the low 70s.

You can have an effective leadership organization in the White House, if it’s properly manned and then the second element of that, was the getting CISA a right, the Cybersecurity Infrastructure and Security Agency, Department of Homeland Security, created about now four years ago, run first by Chris Krebs and now by Jen Easterly. Chris did a great job, focusing it outward, getting it known out in the hinterland, so to speak, IE outside the beltway and I think did a good job with that.

I think internally, whenever you carve… Like I said, startup in federal government is bad. Having yourself cleaved from a portion of a federal agency and then have to come back and work for them, is a tough thing too and I guess, we’ve actually ordered a for structure assessment through Congress, of that’s an idea of how many people do you need for your missions and what type of people do you need? I think we’re going to find out that CISA needs 50 to 75% more people than they have, the 2,300, 2,500 they have and a good portion of their current people, are not actually properly trained and aligned, for the billet they’re in. They just happen to have been dropped into it, from where they were before the cleaving.

They’ve got to get the right people, with the right numbers and the right billets and I think they’ll be in good shape, but that’s going to take years. We did some authorizations to help that, some appropriations to help that. I think we’ve done some, I think we had a total of 10 recommendations for CISA. I think seven are done so far. They have to do with establishing different organizations within it, authorizing to do different types of work, particularly threat hunting inside the .gov. Really and then significant appropriations changes. They’ve gone from about $2 billion to $2.6 billion this year. About a 30% increase and then our recommendation for next year, is just a shade under $3 billion. I think the growth will slow down there, but if you ask John Katko, who’s a pretty experienced Congressman on this, he would tell you $5 billion.

I think Director Easterly, who’s probably not allowed to say that out loud, $5 billion, but I think they would support our $3 billion, if brought up to Congress to talk to it. My point on this, is strengthening CISA, was a big part of that US government one. We also codified the sector risk management agencies and I can’t understate the value in this, this is all those federal agencies, that are the partner with the private sector, across our 16 critical infrastructures. There was a wild west of how they were organized and a massive disparity between how treasury and the financial services work and energy works and then, which is very…

I’m sure there’s a complaint about too much regulation, but in terms of that support and interaction and discussion, there’s a lot of it and that down at water, where EPA has literally two people running this sector management in cybersecurity, for 52,000 drinking water utilities and 10 or 12,000 waste water. You’re not doing oversight. When you have two people watching 52,000, you’re doing website management and that’s a big deal. You had this disparity. We said, “Hey, here are the rules for being a sector risk management agency. You need to do these six tasks. One or two of them, you can be helped by CISA, but the vast majority of them are core issues for you,” and I think that’s important, because we need to hold federal agencies accountable for their role in this. We can’t just have… Because in the absence of this people go, “Well, let CISA do it.” Well, the problem with that, is CISA already has seven number one priorities.

You don’t want to add in, “And by the way, manage the water sector,” because these guys who otherwise manage water pretty well. There’s a lot of lead pipe work going on, tens of billions of dollars being spent making our water and air more safe and secure. They can do the cyber security if they want to. They just hadn’t prioritized it. They’re starting to now, because I think to some degree we’ve embarrassed them, but that sector risk management agency stuff was important. A second pillar was norms and this is norms and standards and here, this is an incomplete grade right now. Our biggest… We’ve got some minor things, like more cyber law enforcement at taches and embassies. We’ve got improved sanctions for China doing cyber events and cyber malicious activity, but we have not done the big things.

One is the Cyber Diplomacy Act, establishing an Assistant Secretary level Ambassador at state department, reorganize the state department to get out of the Byzantine structure they’re in and get into cyber management from the top down of, “Here’s how we’re going to get ready.” Where’s this really important? We’re getting our butts kicked at international standard setting organizations, where the Chinese and the Russians are rolling in with a sovereignty based, state owned enterprise view, no accounting for personal rights or human rights, in comparison to our traditional push for transparency, in a rules based system and we have had advocated our role there, as a government and we weren’t supporting the private sector and in those standard making bodies that they were involved in, as the Chinese and Russians did for their companies.

We’ve suggested some provisions on that. That stuff is in the innovation bill, what used to be called the China Bill or the Chips Act or the Competes Act or USICA. It’s now being conferenced under the name, the Bipartisan Innovation Act. If our standard stuff gets passed in there, we’ll really have made a big change, but that’s an incomplete, because it hasn’t happened yet. I’ve got a couple more pillars if that’s okay. The military one, was pretty straightforward. We came up with 12 military recommendations, handed them to the [inaudible 00:20:29] service committee. They put all 12 in. I won’t say there was minimal thought, but we were in total… We’d been working with them very closely and that was good, but one of the biggest ones, is the national mission force, our on net operators, we really rely on them to do cost imposition on Russia, China, North Korea, Iran.

The size of it was set in 2013, by a 2012 assessment of the threat. Well, now it’s at this point, 2021, when we were doing this 2020 and 2021. We needed a new for structure assessment, of the national mission force. How many people do we need? We think the number was probably 40 to 50% higher, over the 6,000 people they have right now, on these on net operators and 40 to 50 or even 60% increase in that. I think they’ll come out with a slightly lower number. They would’ve never really gotten started on it in my opinion, without congressional push, because it’s very hard to convince the services, to give up bodies to this, because it means less people on ships or aircraft or army battalions.

The Army, Navy and Air Force, would’ve pushed back against this, but we gave, I think helped cyber-com, by creating some working space and he’s already asked for about a 10% increase, over the last two fiscal year budgets. That’s a good sign that we’re making some headway there. There’s some other ones, on making sure cybersecurity is in your weapon systems, in the nuclear command and control system, that you’re properly doing the assessments of that and I’m pretty excited about the military stuff. I’d give that an A, on getting it done and getting it implemented. One of our best pillars and there’s a couple more pillars, but one last one I’ll talk about right now, is resilience.

Here, we did a pretty good job. Again, we recommended something called Continuity Economy Planning. That’s the idea that, “Hey, we’re good. If there’s a significant attack on the United States cyber or otherwise, we have continuity government, continuity of operations, but we haven’t thought about how you recover the economy and a lot of people just say, “Don’t worry, FEMA does that,” and they absolutely do, for a storm that hits one state, except they’re not recovering the economy. They’re recovering public health and safety. They get water down there, tents down there, food down there, they get diesel generators up to the hospitals, but when the Northeast power grid goes down, we don’t need FEMA bringing… Well, they do need to bring some water and tents in, but in reality, what we would need them to do, we need the federal government to run a prioritized restoration of our infrastructure, to ensure that we can rapidly restore our economic vitality.

When you think about the Northeast, returning the exchanges that are run out of New York City, the commodities over the counter, all the different exchanges that are run there, you have to bring them back, which means you have to integrate the tel-com, power, water coming back, so these services can go back online in just a day or two of loss, because every day they’re down, you’re going to lose maybe $100 billion or more in lost GDP opportunity. That adds up fast and then you lose your credibility for running these exchanges, when international competitors want to run some of them. I think it’s very important, that we have a plan for how we restore ourselves, not just electrical power grid, but the whole integrated structure. That’s called Continuity Economy Planning.

We recommended it and Congress directed the administration to do it. They’d been a little slow on that. That’s one where they had two years to work on it and I think they took the first 15 months, admiring the problem. Now with nine months to go, they’re working on it. I suspect with only a nine month job, we’ll get a plan for a plan and Washington’s famous for this. We need a plan. We’ll come up with a plan for the plan. When you’re really in trouble, you’re going to have a [inaudible 00:24:23].

John Verry (24:22):

You’re one you’re one step closer though.

Mark Montgomery (24:24):

Yeah, you’re one step…

John Verry (24:27):

One plan down, one to go. That’s not bad. Sometimes, just a little bit of progress Mark, is enough, right?

Mark Montgomery (24:34):

Yeah. I’m afraid though, we’re going to end up with a framework for a plan, for a plan and then I’ll be like, “Jeez. I could have done that. My son and I could have went back then,” but…

John Verry (24:43):

Yeah, you could argue that the CSC report, was a framework for a plan for plan, right? They really didn’t move anything forward. Exactly.

Mark Montgomery (24:50):

That’s a great point. Look, across six pillars, we had mixed results and I want to be clear, if we were taking an actual grade at my son’s university, we’d probably have a D, maybe a C. Now I will tell you, historically, commissions get Fs. They get 10 to 15% of their things done. We got a really high number and I attribute that, not totally, but really, really significantly, to the four Congressional Commissioners, [inaudible 00:25:19], King and Sasse and Representatives Gallagher and Jim Langevin. I’ll just say this real quick, Jim Langevin by far, the most cyber proficient legislator we’ve had in decades.

The only one comparable was Will Heard, who resigned about a term ago, a Republican from Texas. Jim Langevin, a Democrat from Rhode Island, has been a leader of unparalleled knowledge and success. He also gets things. He’s a brutish legislator. When he decides he wants something done, it happens. He’s built up the relations. He knows how to get things done. He knows where the skeletons are, however you want to attribute it. When he wants to get something done, it gets done. I give him a lot of credit, for the success of the commission.

John Verry (26:06):

Like I said, I think the report has been remarkably successful, because if you just look at what’s going on in the US government in the past, let’s say two years. We’ve got CMMC, we’ve got the DOJ putting together their civil cyber fraud initiative, which is an enforcement mechanism, that’s being used not only for CMMC, but across other government regulation, government guidance, the presidential executive order, was I think very significant, whatever, that was 14027. Within there, you really started to see the concept of the secure software development framework come to fruition, zero trust initiatives. You’ve got the IOT labeling idea that came out of that, maybe I think it was the FTC, they were guiding to produce that. They asked NISS to create the guidance for it.

I just think you’ve seen a ton. Now, from my perspective, looking at the six pillars, a lot of those to me, feel like might fit into, where is it, the Operationalized Cybersecurity Collaboration with the private sector, because these are all things you’re saying to, “Hey, you’re an IOT manufacturer. Hey, you’re a member of the Defense Industrial Base. Hey, you’re you’re an entity in one of the 1716, whatever it is, critical cyber sectors and ceases guidance.” From my perspective, that’s where I see huge value and I agree with you, that we don’t want more regulation in life, but isn’t regulation necessary, because if we don’t have a good public private partnership and if we’re both not secure on both sides of the equation, isn’t literally our sovereignty and our economy, just in extreme peril?

Mark Montgomery (27:52):

That’s a great description of the executive branches. Look, I think the executive branch did a great job. They’ve grabbed some of our ideas, grabbed their own ideas, but the principles that we were putting forward, I think broadly have been carried out by the administration over the last 15 months and you’re exactly right. It’s in two of the pillars, the building the public private collaboration and in developing a more secure cyber ecosystem and the reason and one really applies to those critical infrastructures. The ones that are… The public private collaboration is about dominion power and things like that. The ecosystem’s about Vick’s Dry Cleaner. You want everyone to be…

In one of them, you’re trying to very carefully ensure that the critical infrastructure’s identified and properly protected for our national security, economic stability, public health and safety and the other one, you’re trying to raise everyone’s securities, so we’re less vulnerable to adversaries, whether they be nation states or criminal actors and in that public private collaboration, I do think the biggest thing left on the table right now, is something we call systemically important, critical infrastructure, but it’s basically, what are those most important, we’ll say 120 to 150 companies, that facilitate national security, the movement of our troops, the transportation, power, water, that allow our troops to move to their jump off points, wherever they’re going, that facilitate our economic security, the telecommunications, financial services and electrical power, that allow us to continue to run the world’s largest economy and rapidly recover from and restore, following a significant event and then the third element is the public health and safety, those companies that really are important.

Big water, big power, big hospital systems. What those 120 to 150, have to maintain a certain standard. You can call it a regulation. You can call it a standard. We need to say there’s a floor for those and if that floor is already set by your regulation, by the SEC or the FDIC or some other financial group, or by FERC, in the energy world or the NRC, if you have new nuclear problems, great, you already meet it. We do want to have third party assessments of that and if it’s already being done by your regular, great. If not, we’ve got to have a system center for that. We need to have really quick incident reporting, not the stuff that they debated and passed last year of 48 or 72 hours, but really quick. We’re seeing these things, you don’t have to attribute it.

It’s going to be protected under liability when you give it to us. It’s not going to go right to law enforcement or anything like that. It’s going to allow us to get a hint that, “Hey, seven electrical power grid comp generation companies are experiencing the same attack at the same time,” or, “Three banks saw this.” You can see a campaign being run against you. That’s the commitments from the companies, a floor of security, third party check, incident reporting, but in return, you’re going to get improved access to classified information, an ability to help establish what our intelligence collection methods are. You may have specific unique infrastructure networks, that the intelligence community wouldn’t normally collect it, seeing if an adversary’s working them, but you could ask for that and in addition, you’re going to get some liability protection.

If you meet a floor we set and you’re attacked by a foreign adversary, because you’re a critical infrastructure of the US and you’ve met the third party check, we’re going to have to give you some liability protection against loss of business operations, just like we would if Russia took you out with a cruise missile, no one would think twice about some liability protection, but suddenly you say it’s a Russian cyber attack and like, “Well, I don’t know. Why didn’t you go counter attack?” Well, we don’t want you doing that, just like we don’t want you building your own cruise missile defense systems around your station. I don’t want to fly in a Southwest flight, if you’re going to start launching cruise missiles at what you think are Russia…

You know what I mean. We’ve got to be realistic about this. That’s systemically important, critical infrastructure. Everyone has to… We always say cyber security, we generally say it’s a non-partisan issue. When you start throwing around words like regulation, security standards, third party checks, liability, it gets a little less nonpartisan, but if we have a comprehensive deal, where everyone’s giving up a little, to get a better process, to get that end result that we know we need. Chris Ingles, he says, “To beat one of us, you’ve got to beat all of us.” That’s the idea, that you’ve got to have this public private collaboration that works. We’re not going to get there without some [inaudible 00:32:38] legislation. This is not something you can executive order into existence, that kind of liability protection. This is something that’s got to stand up in court.

You’re going to need the law and we’re going to need to pass that. To me, that’s the biggest thing we could do this year. I hang my head on that. I do think there’s lesser things being done in the public private collaboration, the joint collaborative environment, which is a better information sharing. It’s part of the [inaudible 00:32:59], but it’s the information sharing infrastructure. I think Jim Langevin is going to push that through this year and in that thing, I talked about the cyber ecosystem, some good stuff’s happened. I support what Chairman Gensler, at the SEC is pushing, for good cyber, good governance requirements in publicly traded companies, that they have to report who’s on their board, what they’re doing to mitigate risk. I think that’s important. I think that gets at the spirit of our [inaudible 00:33:30] recommendations that we had in the commission. Bottom line is, there’s work to do, but that systemically important critical infrastructure, probably the most important thing remaining.

John Verry (33:38):

Yeah. A couple of those ideas, I really like. The NACD a few years ago, came out with the same recommendation, that boards have to have that. I do think some level of encouragement, is a good thing and I also like the idea that the government’s taking a little bit of a carrot and a little bit of a stick approach. The carrot is, there’s value to you doing this and you’re going to get a little bit back out of it and the stick is, if you don’t, we’ve got mechanisms of making life a little uncomfortable for you, as an example, through false claims acts and things of that nature.

Just out of curiosity and you might not want to comment on this, with the DOD taking a step back with CMMC and taking a more straight NIST based approach and taking a more basic rulemaking process, CFR32, if you believe what Stacy [inaudible 00:34:31] is saying, probably hits in March 2023. In theory, if CFR32, that would protect all types of Cooey, which are a lot of the critical infrastructure and a lot of the people that you’re covering talked about, in theory, we already now have the regulation, that goes into almost every contract, that flows that. Are you guys, is there a position within CSC or within the entities that are doing this, towards following on to CMMC in this 800-171 and the existing CUI protection mechanisms? Is the idea of promoting a new mechanism or is that not something you either want to talk about or you don’t know the answer to right now?

Mark Montgomery (35:09):

I appreciate what they’re doing in CMMC and I think they’re stepping off in the right direction now and I’d say first, I do support that. I do worry that with so many people, there’s a risk of this defaulting into checklist management, vice having iterative assessments going on. I think we do have to over time, figure out how we get ourselves… It’s got to be a handshake, that we’re allowed to run either a third party running un-qued pen testing or some un-qued assessments of your systems.

We eventually have to get to that, where threat hunting’s allowed throughout the DIB, by something, whether it’s DOD or not and we recommended that in our commission report. I know DOD owes a report to that to Congress, but I recognize, CMMC is a pretty big elephant and you’ve got to eat this a couple bites at a time. Probably with their head for next March, is about right, but the threat hunting can’t be far behind. It’s more than management by checklist. I don’t want to be unfair, but something that’s broadly compliance checks, is going to be tough.

John Verry (36:27):

Yeah. it is the proverbial catch 22, because audit by its nature, is comparison to a standard. Anytime you create a standard, you effectively have a checklist and then you get a compliance app mentality approach, versus security mentality approach. Finding that right balance, if the standard is good and you actually truly are compliant, you’re probably secure. That’s not saying you are. I think what you’re advocating is more, some type of mechanism by which there is an ability to validate in an unscheduled way, that the security systems are working as intended, correct?

Mark Montgomery (37:04):

And that is what we recommended in our thing and came into, but in the way it turned into law, was DOD had a year to think about it. They’re a little overdue on that report and I think it’s coming in.

John Verry (37:16):

Well, that’s not an… And look, I agree with you and I think you’re talking about a holy grail, but I do think that is going to… No, no, you look, you guys knew when you made that recommendation. You’re trying to get them to sprint. You were just past walking or jogging. It’s not an easy one.

Mark Montgomery (37:38):

No, I’m with you [inaudible 00:37:40]. As I said, that’s not the March 2023 deadline and on top of it, the one that makes me smirk a little bit, is bringing that over to the .gov. Eventually, the .gov needs to get to the right standards for these things, the non-DOD federal agencies, but I think they could learn a lot from watching DOD go through these growing pains and then figure out how to bring it over and I think that’s a great job for the National Cyber Director. He needs to look at it strategically to get the timing right and then work with his deputy, who’s also, he’s a dual added deputy, who’s the CISO for the federal government, Chris DeRusha and then Jen Easterly and say to the two of them, “All right, how do we begin to implement this,” along with the other work they’re doing and they’re doing a fantastic… You’ve mentioned some of it. They are the zero trust, architectural [inaudible 00:38:30], they are working another thing.

John Verry (38:31):

No, I’m amazed. The amount of progress that we’ve seen in the last two years, is remarkable relative to what I saw in the last 20 years of doing this.

Mark Montgomery (38:40):

And the budget numbers really are bigger and every time they put out a budget, we hammer it, but we start it by saying, there’s a lot of really good stuff in here and we give at least two paragraphs of good stuff, then spend eight paragraphs explaining where they could have done better, because we then try to turn that into congressional language, to get Congress to plus it up and I have to tell you, Congress did a fantastic job last time. The President increased CISA’s budget 5%, Congress increased at 25% and that 20% was meaningful things, that will make CISA a more effective agency and that same effort, is repeated across numerous federal agencies, as the Congress gets more involved in the cybersecurity budgeting.

John Verry (39:23):

Well and look, they wake up every morning and there’s something. We’re now to a point, where they’re getting it right. Even the guys that, like you said, are a little bit old in the tooth, been in Congress a long time, not necessarily most technically proficient, you can’t hide from what’s going on every single day. It’s good that they’re giving these people the money that’s necessary, for us to be secure. I apologize for this. I said a lot of people don’t know what you guys are doing and then I was surprised, when I went to the CSC website and I was not aware that you’d released five white papers since the report. Are those intended to support, provide additional guidance on addressing the recommendations you already made? Do they cover new ground?

Mark Montgomery (40:06):

They’re a mix. One of them was a National Cyber Director, a very specific one we were asked and that one’s not posted, we provided back to Congress. It was very specific. Here’s what we plan to do. Here’s how we would implement this. They said, “Look, your two paragraphs in the report were great. Your legislation’s great. We need 10 to 15 pages, explaining how the job works, before we embrace your legislation.” We did that and obviously, it was successful as we got the NCD passed. Another one was on pandemic. What could you learn from the first year of response to the pandemic? And the answer was particularly about leadership.

It’s not hard to recognize, that our failure to have a strategic leader at the White House on COVID, slowed and complicated our response and we were able to show similarities with cyber and then show how the NCD could have helped. I think it really helped on that and then we also said, “Hey, here are a few things that studying COVID, we didn’t think about.” Now that we’ve had COVID and we think about cyber and a little bit had to do with, what happens when you start to tele-work the whole federal government and there were some lessons we had there, for security and then the other big one, was disinformation. The amount of disinformation flowing, particularly foreign disinformation, Chinese, about origins and things. Originated out of Fort Detrick or whatever it was, but also just other Russian disinformation about a few things. Bottom line was that, “Hey, at this time, we have to be really attuned to foreign disinformation and make sure that we’ve set up,” and we said very explicitly, the government should not be the arbiter of truth.

I guess we wouldn’t have been the biggest fan, if you’d asked us at that moment, of a disinformation board and that’s apolitical, that was Republicans and Democrats, they weren’t looking to be that, but we said someone needs to do that and that the government should support NGOs that do that. We probably had a middle ground between what each side’s thinking about now on that, but that we had some good disinformation content there. The other three white papers were on issues that we’d explored during the report, but had not fully developed and there’s about eight or nine of those issues. Three of them, we got white papers done on. One was supply chain and that ended up with about 12 more recommendations, a handful of which have been done and a handful more in this innovation bill and a handful more we’d like to get done and another was on cyber workforce and I had to tell you, I just…

Stop there for a second. We’re continuing to work workforce in our next iteration and I’ll probably mention that later, but I’ll just say, it is so disappointing that you can read a federal cyber security workforce, \policy paper from 23 years ago. It identifies 10 problems. Seven of those problems still exist, exactly the same way. Very few people think that a grade of 30, after 23 years of effort, is redeeming, unless you’re a baseball hitter, then it would be okay, but I have to tell you, there’s then workforce studies from 2010 and 2015, that from those, we’ve probably only gotten one or two things done. It’s not okay, that the federal government has not been able, particularly in the .gov to solve its cybersecurity workforce challenge.

Like the public sector, the companies, it’s manned at two thirds, roughly speaking and when you’re manned at two thirds, it means you’re probably not getting the job done, but your people are unhappy while they do it and most importantly for cyber, unlike almost any other skill set, the requirement for recurring frequent training is significant. You need to go get certifications and training, every 24 to 36 months. Let me tell you, if you’re manned at two thirds, the last thing leaders are thinking of doing is saying, “Hey, I’d like to send half of my two thirds of guys and gals, to go get some training and lose them.” You have this problem, where you have an underperforming, unhappy, untrained or poorly trained, cybersecurity workforce. Shockingly, that doesn’t lead to high retention.

John Verry (44:34):

Well, when the government figures it out, they can share that with the private sector, because I can’t… Listen, we all love bashing the government and saying they don’t spend our tax dollars, as smart as we’d like them to be. That’s one place I feel bad for them, because we see the same thing. I go into any organization, I go into and they’re under manned. The government’s not alone there, unfortunately. Yeah. Here’s an interesting question for you. The CSCs mandate ended in 12, 2021, if I’m not mistaken and now the CSC2 is picking up this effort. Couple things there. I guess the first one to ask, is in addition to following onto the original report, there are five new areas of focus that you guys are driving into. Can you talk a bit about those and why those specific five areas of focus?

Mark Montgomery (45:35):

Sure. Yeah, we did sunset at the end of December and Senator King thought about it and Representative [inaudible 00:45:42] when they talked and it’s the right thing to do. We need to end that commission, in case there’s a reason for another cyber commission for some reason, you want to be… Let’s clear the battlefield, but they knew we had at least two more years of implementation work left on the existing legislation and on the handful of things we knew we were still working and they said, “Let’s go ahead, set up a NGO.” We ended up setting up the Foundation for Defense of Democracies, no foreign government think tank, has no foreign government funds. It was perfect for legislators working with it and set up the IGO there, so that I have a small staff, because most of my staff is now working at National Cyber Director, CISA or on the Capitol Hill, where they can bring the expertise they got in the commission, right back in the government and that’s fantastic.

They’ve got one, just a treasury. Really like that. Hired some new staff and we started to tackle and the issues, you said five issues. That’s exactly what we’re doing. The first thing we’re doing, is supporting the legislation that’s left over. Second thing we’re doing, is that annual assessment I mentioned and then we’re looking at some topics, the water cybersecurity worries, as I mentioned it earlier, it’s that, we’re in a position now where water… The cybersecurity has industry concerned so much. They’re asking to regulate or at least set up standard setting bodies, in the absence of EPA guidance, can we just get that… They’re asking Congress, they’re like, “Take action,” and EPA’d have to be involved in it, but that’s a weird thing when industry’s leading the call for setting up a standard setting organization, but we’re studying that water, trying to figure out, what are the right provisions to both get EPA healthy, but also to immediately begin to attack the cybersecurity in the water sector, which I think is something along the lines of an industry led government oversighted, mandatory standard centered body and then that’s the first issue, water.

The second issue, is workforce. We’re working at federal workforce, because we didn’t come up with legislative proposals in our white paper. This time we did and we’ve got them and they involve things like having a cyber accepted service, which is going to mean better pay for cyber security workers and better job descriptions. We also are trying to get better data on the cybersecurity workforce and I hope we’ll try to set up a cyber security development institute, a remote learning institute run by the federal government, for federal employees, to get them their certifications and move them along more quickly, as they get the workforce experience. That’s the second one. The third one, is the Continuity Economy I mentioned. We’re trying to help a little bit with that, by getting some policy papers done, the framework for a plan for a plan, as I mentioned, we’ll probably try to get that out.

Maybe we’ll do the plan for a plan. I don’t know if we can have that much bandwidth. We’re also looking at space, whether it should be a critical infrastructure and aviation cyber security, within that. We’re taking a look at that issue and we’re taking a look at maritime transportation security. It’s one of those weird ones. It was a tough Christmas, with the ships backed up at Long Beach and Charleston. Just think how it could have been worse, which is a cyber security attack on our sea points of departure, our major civilian ports. All those gantries and cranes are operated by position, navigation, timing, circuit, they’re very cyber vulnerable and we’ve got real questions about that and about some of the other elements in the maritime transportation security infrastructure. We’ll be working on that. That’s a bunch of issues that we’re working, over the next, I think two years, along with those assessments and getting legislation done. Obviously Senator King gets the final vote, but I think two more years from this past January, is probably how long we’ll take this out.

John Verry (49:37):

Gotcha. Now, in looking at that, they’re very consistent with what you talked about earlier, some of these critical areas that are… Some of them though are covered technically by CISA. They’re critical infrastructure sectors, like water waste, water, the healthcare sector, maybe not maritime transportation specifically, but transportation.

Mark Montgomery (50:01):

No, no, those are all sectors. MTS is covered by the Coast Guard under DHS, water is covered by EPA. Space isn’t one.

John Verry (50:06):

Right. Now, I noticed that. It’s funny. Well, if you saw my eyes moving, I literally was looking up the 16 critical infrastructures and I’m going, “I don’t think space is on there,” which is interesting. Okay. Here’s an interesting question for you. The Cyber Solarium Commission was commissioned by the government. Now, you guys are part of a 501C3, the foundation for the defense of democracies, is now driving this. Now that you’re no longer a government commission, will CSC2 still have the same sway, the same influence that CSC did?

Mark Montgomery (50:47):

We’ll see. It depends. First of all, it’s definitely being driven by Senator King and Representative Gallagher, the two chairman still and I think Representative Langevin and Senator Sasse have a big push on it too, as do the other former commissioners, Suzanne Spalding, Samantha Ravage, Tom Fanning, Patrick Murphy and Frank Ciluffo. Those nine people are moving us. That’s who’s moving us and the question is, particularly the four congressmen, to what degree do they stay involved? If they stay involved, we’ll have sway. If they don’t stay involved, we won’t. It’s as simple as, we only had sway because of them. There’s tons of federal commissions out there, that produce a door stop and wedge the door open just fine and there’s tons of things that aren’t handled by commissions that get done, because they have motivated congressmen, pushing them.

If we have motivated congressmen pushing them, what we provide is a staff of reasonably intelligent cybersecurity people, to help push things through and tons of support. One thing about CSC and I’m still seeing it now, is people reach out to us and they still can and we listen to them. If it’s appropriate, we get them talks with some of our commissioners. If it’s not appropriate, if we can get it and understand it, get the information and get it to the commissioners. It’s valuable. 50% of the ideas we had, were stolen, minimum that’s low. 75% of the ideas we had, were stolen. If this had been a PhD thesis, the CSC2.0 report would’ve been embargoed and stripped and thrown out of the academia, the academy.

John Verry (52:19):

Well, what’s the old adage? There are no ideas, only recycled ones. You’re just building on somebody else’s shoulders. Hey listen, I don’t give a crap how you got there. I just like the fact that we’re actually seeing some movement.

Mark Montgomery (52:33):

I agree and I also say there’s people like Senator Peters, Senator Rounds, Senator Portman, Congressman Katko and Yvette Clark in the House. If we had not had those leaders moving these issues beyond our Congressman, we wouldn’t get anywhere.

John Verry (52:55):

Well, all good stuff and my thanks to them. This next question I have for you, is that a couple of our guys that are very active in federal defense, industrial based stuff specifically said, “Please ask him this.” It’s around the threat intelligence programs. I know you guys did a good job with that whole information sharing and threat intelligence sharing. They were asking, “Does this look like it’s going to expand beyond the 4-70-12, 72 hour cyber incident reporting requirements? Do you think it’s going to go beyond the DIB?

Mark Montgomery (53:28):

Yes, I think on expanding beyond the 72 hour. We’ll have to see the report we get back. I hope it’s yes, extending beyond the 72 hour requirement. I hope it…

John Verry (53:36):

Because 72, I know it’s hard to know when you have an incident, but the sooner that you get that information out there, the better it is for the community as a whole.

Mark Montgomery (53:45):

Since I know they take much more than 72 hours to determine they had an incident, I’ll just say, it should affect that. I don’t think it’ll go outside the DIB, but we’re asking DOD to comment on this, that they would refuse to comment on anything outside the DIB. I think they’d keep it inside the DIB. I know that’s not a perfect answer and we’re still waiting on responses from DOD and that they’re… Look, the DOD is late on every report. I don’t think they’ve ever been on time, on a report I’ve asked for and I’ve probably asked for 50 to 100, as a Senate staffer, they’ve sometimes been close. They’re never early. They’re almost always late and these are getting very late.

John Verry (54:22):

All right and then their second question was, any new information on how federal agencies will incentivize prime contractors, to “Disclose their subcontractors to DOD?”

Mark Montgomery (54:32):

I don’t know. I don’t think that would be the use of incentivize, as a positive term. Incentivized sounds so positive.

John Verry (54:41):

This is definitely a stick, not a carrot, I think is what you’re saying.

Mark Montgomery (54:43):

I will say this, I’ll go out on a limb and say, “It’s a stick incentive, not a carrot incentive.” How’s that?

John Verry (54:51):

Yeah, but it does tie to what you were talking about earlier, that the idea of really understanding your supply chain and securing the supply chain. Anything we missed? We beat this up pretty good. Anything we missed? Anything else you think we should cover?

Mark Montgomery (55:05):

No. You’ve got it. I appreciate… Look, let’s be clear. We benefit from hearing from people and any CISA group that ever wants to talk to me, I talk to them, because I know that’s the heart of this issue. I’m at [email protected] and the advantage of being a very small organization, you can have your first name as the title and then we’re at www.cybersolarium.org and we’re building up a new website, as we take that over. You can see all our products on there and I was given the right to bring over the CSCs products as well. Everything’s loaded there if you want access to it and you can certainly see all our legislative requirements, but I certainly appreciate everyone’s support and we’ll always entertain talks with people, who have ideas or products or thoughts, on how to do better.

John Verry (56:01):

You told me you’re prepared. We’re going to go, we’re going to go for it. Give me a fictional character or a real world person, you think would make an amazing or horrible CISO and why?

Mark Montgomery (56:10):

Well, a horrible CISO would be Barney Fife, because you can’t keep that bullet… I’m dating you and me here, I know, but…

John Verry (56:17):

Yeah, I shouldn’t be laughing, because I have no idea what you’re talking about.

Mark Montgomery (56:21):

Yeah, that’s right. Yeah.

John Verry (56:21):

Sadly, I do.

Mark Montgomery (56:24):

You can’t keep that bullet in the pocket. You know what I mean? The CISO’s got to be someone who’s out front leading and I’m not saying you should shoot people on the job, but I’m saying that you should be out there leading from the front and that wasn’t Barney Fife.

John Verry (56:40):

And Don Knotts very much appreciates the fact that you acknowledged him. I think I remember seeing, that he died a couple years ago.

Mark Montgomery (56:48):

I think with Aba Vigoda. Yeah.

John Verry (56:50):

Yeah. Fish, from Barney Miller. That was a great TV show by the way. If you go back in time, Hal Linden was great. Anyway. Listen, this was fun. I appreciate it. I also want to very sincerely say thank you to you and the entire commission, for your service. I think that what you guys did was extremely important and I think that it will pay dividends for us as a nation, for many years. Much appreciated and best of luck with the new stuff and if by chance, I could ever be of help, but please don’t hesitate to reach out.

Mark Montgomery (57:23):

Well, I hope you’re right, John and thank you very much for hosting me.

John Verry (57:26):

Thanks again, Mark.

Speaker 1 (57:27):

You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. If there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected] and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.