By: Bill Tolson | July 6, 2021
Description:
In our latest episode, Bill Tolson and special guests Tyson Marx, Senior Associate at Ward & Berry, and Chelsea Padgett, Associate at Ward & Berry, discuss the details of President Biden’s Executive Order on Cybersecurity. Aimed specifically at the federal government and its agencies, the three main points of the order are improving communication between agencies and contractors with respect to cybersecurity incidents, modernizing technology, and improving accountability.
President Biden’s Cybersecurity Executive Order a “Big ___ Deal” For Federal Contractors
On May 12, 2021, President Biden issued a lengthy Executive Order on Improving the Nation’s Cybersecurity (the “Executive Order”). Its directives are wide-ranging, cover the entire federal government, and demand coordinated action on exceptionally tight timelines.
Speakers
Tyson Marx
Senior Associate
Ward & Berry
Tyson Marx joins Ward & Berry as a Senior Associate, transitioning from the Navy JAG Corps after eight years of military service in Washington, D.C. Tyson spent the past six years in the Office of the Judge Advocate General on board the Washington Navy Yard. During that time, he served as an administrative law attorney, crafting Navy policy and helping to manage the Navy’s legal assistance mission while regularly briefing senior Navy leadership.
Chelsea Padgett
Associate
Ward & Berry
Chelsea A. Padgett is an Associate at Ward & Berry. Chelsea graduated from the University of Florida Levin College of Law, cum laude, in May 2020 with her Juris Doctor. Chelsea was a Senior Research Editor on the Florida Law Review – where she also wrote and published her first article in July 2020 on Fourth Amendment privacy rights. Prior to law school, she received her Bachelor of Arts from the University of North Florida in Political Science.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
My name is Bill Tolson and I'm the vice president of compliance and eDiscovery at Archive360. With me today is Chelsea Padgett, associate attorney and Tyson Marx, senior associate attorney, both attorneys at the law firm of Ward & Berry based in Washington, DC.
Chelsea wrote a great article on President Biden's cybersecurity executive order that all federal government contractors should read. It is available on the Ward & Berry blog page at www.wardberry.com/blog (that's ward, W-A-R-D, berry, B-E-R-R-Y, .com/blog). And I highly recommend it. It really does condense. I've read both the actual executive order and Chelsea's article and I much prefer Chelsea's article.
Chelsea Padgett:
Thanks, Bill.
Bill Tolson:
It's much easier to read, by the way. Let me kind of set the stage here. On May 12th, 2021, the White House issued an executive order on improving the nation's cybersecurity within federal agencies. This is specifically for the federal government and all the agencies. In particular, the order seeks to improve US government cybersecurity and protect various agencies' networks following recent high profile security incidents, such as the big one involving SolarWinds and affecting Microsoft Exchange and many other things, the Colonial Pipeline ransomware hack and the JBS ransomware hack, and these were really highlighted and really a big deal. And there's all kinds of stories going around about where they're based, all kinds of stuff. Won't get into that, but it's becoming more than a daily occurrence for this stuff. And I applaud the federal government for finally addressing this. With that, let me give you some statistics first and then we'll get into the discussion with Chelsea and Tyson.
Some of the statistics on cybersecurity problems and ransomware that all agencies, as well as industry and organizations, face include: 75% of organizations now use a public cloud environment and 40% use multiple clouds. There is a massive movement, and this has been going on for several years, a massive movement of companies and agencies, because we deal with many of the agencies, moving to the cloud; this is kind of a cloud first type of thing. Only 10% of those organizations feel that their data is secure in a public cloud, but 30% say the benefits outweigh the risks. Now this has been an ongoing issue for many, many, many years. Lots of companies and agencies would put their less sensitive data up into the cloud and keep the sensitive data on prem. Everybody's really moving away from that because they're trying to save money on data centers and so forth, so everybody's going to be in the cloud with all information here.
And the security capabilities of some of the better known clouds are very high, and most market analysts will tell you that the security of the public clouds is much better than most on-prem installations. With that, let me start off our discussion with Chelsea and Tyson by throwing out the first question. Chelsea, at a very high level, can you describe the issues the president's executive order on cybersecurity addressed?
Chelsea Padgett:
Sure, Bill. Well, first of all, thank you so much for having us here today. It's great to be able to discuss this. The president issued this executive order on May 12th of this year and it mainly addresses ways for the federal government and the public sector to improve on the nation's cybersecurity overall. It mainly talks about, I would say, three points: one, improving communications between agencies and contractors with respect to all cybersecurity incidents. Secondly, it is modernizing the actual technology that the federal government relies upon to actually perform the cybersecurity functions. And lastly, it's improving the accountability through various measures so that we can make the shift from being completely incident responsive to preventing incidents from ever happening in the first place. Overall it's basically kind of just changing the way that we approach cybersecurity incidents, moving from more of a mindset of incident response to prevention.
Bill Tolson:
Yeah, that's great. And way overdue, by the way. It surprised me that the Feds hadn't really concentrated on this, but it sort of doesn't surprise me too, the way things work in the federal government. But Chelsea, you wrote the article titled "President Biden's Cybersecurity Executive Order? A Big Blank Deal for Federal Contractors." By the way, a very nice reference to Biden's past whispered comment to President Obama. In my own mind, I filled out the blank immediately.
Chelsea Padgett:
Leave it up to the reader's imagination.
Bill Tolson:
Oh yeah, no, I think that's great. In the first part of your article, you got into the executive order directive about sharing cybersecurity threat information. You highlighted the Federal Acquisition Regulations, otherwise known as FAR. Can you give us a brief description of what FAR is and how it's tied to federal contractors?
Chelsea Padgett:
Yes. FAR is the acronym that people use; it stands for Federal Acquisition Regulation, as you said, and it is located in parts 1 through 53 of Title 48 of the Code of Federal Regulations. It's basically a set of regulations that the government has in order to be able to purchase goods or services of any kind.
Bill Tolson:
Yeah, actually, I'm relatively familiar with FAR because I've been in the archiving industry for many, many years. I can almost recite FAR 4.7 from memory, which is the records retention part of the Federal Acquisition Regulations. And as I recall, the longest retention period in FAR 4.7 was 14 years. But when dealing with government contractors, a lot of them were unaware of what FAR was. And I question how they got the contracts and so forth. But like you say, it's kind of the playbook for companies that deal with the federal government, and it's extremely important for contractors to know that.
Chelsea Padgett:
Yeah, I agree fully.
Tyson Marx:
Yeah. One of the big things that the executive order picked up on was that the problem in information sharing stems from contractual language. Now it's not clear what contracts they're referring to, but you could imagine it's contracts with the big government contractors, and they've got some sort of language in there that the government or the contractors are blaming for why they're not able to freely share this information. And so kind of the first step of this executive order is to fix that within the FAR, to put specific contract language into every... And it's not clear whether it's going to be every government contract or if it's just going to be contracts dealing with cybersecurity related matters. That'll be decided at a later point, but it's to kind of capture and work on some language that we can put into contracts, every government contract, to kind of open it up for information sharing.
Bill Tolson:
Yeah. And that was kind of my thought in reading both the executive order and Chelsea's article: that section is really aimed at threat sharing between the government and the private sector, specifically the government contractors. And my first response is, isn't that already happening? Wouldn't the government contractors already be doing this? But obviously not. But I thought that was really kind of strange. How will the Feds force contractors to begin passing threat information? We know government bureaucracies, and you can lay down a lot of content and even regulations, but number one, it's going to take a while to get to that point. But in the executive order, Chelsea, was there any enforcement of that kind of stuff mentioned? Or was it kind of left nebulous?
Chelsea Padgett:
That actually kind of relates back to the FAR and what we were just discussing. The executive order specifically identifies contractual language as being an impediment to information sharing. That's when the regulations and the rulemaking come into play with the FAR itself. That is kind of the way that the federal government can control the agencies, and not even really implementing cybersecurity requirements and regulations, because as you were just saying, it would be weird if these agencies weren't already doing something of this nature, considering how technologically evolved we've become. It's not that they're not doing anything yet. It's that I think that technology is getting so far in advance that now we're kind of, like I said in the beginning, switching our mindset to being more so of preventing further things from happening. That's what they're doing, by mainly contractual language.
Bill Tolson:
Probably included in the FAR regulations, right?
Chelsea Padgett:
Yes, exactly. That's kind of what, all throughout the executive order, it's talking about: the Office of Management and Budget, the Secretary of Homeland Security, they're all kind of going through the FAR and the DFARS, which is a supplement to the FAR regulation. And they're going to make recommendations for changes to the FAR. And this includes different types of contract language that will be implemented into contracts going forward, starting at some point.
Bill Tolson:
Yeah, I noticed you wrote in your article specifically about this question, that by September 9th, 2021, the Secretary of Homeland Security and the Director of OMB will take steps to ensure that service providers are sharing data with agencies. "Ensure" is kind of an interesting term, but they also bring in the Federal Bureau of Investigation, as well as the Cybersecurity and Infrastructure Security Agency. The fact that they're bringing all these agencies in kind of gives credence to its importance, I think, and the fact that if they write it into the FAR regulations, then within some period of time, you would think that government regulators would be basically ensuring that the companies are following that to the T, I would hope.
Chelsea Padgett:
Yeah. Tyson and I were actually just talking about that September 9th deadline, not too long ago, because it seems like it's a pretty fast approaching deadline to be ensuring that agencies are actually following these new requirements by then. And so we kind of went back to, and we're looking at it again, and it does say to the greatest extent possible. There is the disclaimer there that you can only do so much by September 9th, depending on how fast this is moving, how quickly agencies are able to do this.
Bill Tolson:
Well, and that's a great point. And one of the things that I also noticed and I was going to ask you about was, I noticed in the executive order there are a lot of deadlines that have gone by already, number one. June 11th was one of the dates used, but this is highly condensed. In my mind, even with very, very advanced industry players, some of those dates would be almost impossible. I'm wondering what you think about some of those deadlines and the federal government agencies actually meeting them.
Tyson Marx:
It comes into the interplay if you look at that September 9th deadline. Realistically, the actual FAR Council, their recommendations are still going to be up for public comment at that time. There's not going to be a fully promulgated rule; there might be some sort of interim rule or regulation that'll get passed at that time that they will be, to the greatest extent possible, enforcing or highly suggesting that people comply with. But as a former federal government employee, maybe I've grown jaded in my day. I see it being very hard for them to pull this off in the timeline without having to rely on interim regulations, or regulations that will be vastly changing from what gets set as an interim regulation.
Bill Tolson:
No, and I've written a decent amount over the last year or so about FOIA, Freedom of Information Act, laws, both state and federal, and they have, especially the federal FOIA laws, have very, very specific timeframes: 10 days, 15 days to respond, another 30 days or 45 days to collect the data and get it back to the requester. And as far as I can tell, there are no state agencies, and no federal agencies either, that are even coming close to meeting the specific timeline requirements. They're way off. The Justice Department is at 150 days or sometimes 360 days to respond. And I'm sure they're getting overloaded with stuff, but I sort of looked at the dates on this one too. And I thought, hmm, okay, what's going to happen if they don't meet them? And obviously they'll...
Tyson Marx:
Well, Bill, as former agency counsel for the Navy, I can say that those deadlines, as long as you're keeping up and letting the FOIA requester know that you're in the process of trying to find the 50,000 pages that they requested... It gets a little mushy on what the law actually is with respect to those deadlines. And that's why I think they will mainly be implementing this through some sort of system of interim regulations, kind of like you see now with the CMMC guidelines; there's going to be a long kind of drawdown to get the DOD up to kind of those Cybersecurity Maturity Model Certification requirements that every contractor is going to have to meet. And so I kind of see that being the same way here.
Bill Tolson:
Yeah. I would kind of view it as, if the various agencies are showing some sort of work and success on moving toward it, then they're probably going to be all right. And that's what I'd like to see too. This is very important stuff, especially with everything that's going on in the world around cyber; they need to follow up on this and take it very seriously. I'm sure they do, but I'm sure that bureaucracy slows people down too. The other kind of related point on this was the second executive order issue you addressed in your article, Chelsea, which was about modernizing cybersecurity. And I think some listeners might be asking themselves, what do you mean, modernizing? The US government should be the most modern, but I think, Tyson, especially you and I have dealt with many of the agencies. I know they are not early adopters by any means and are usually way behind standard industry.
In fact, I was talking to the Veterans Affairs Administration six, seven months ago and they were taking a long time to respond to my questions. I had somebody on the phone, but they were typing stuff in, and they were very nice people. And I said, "What's going on?" And she said, "Well, our computers are very slow. We still use DOS." Not even early versions of Windows, but DOS. And she laughed and I said, "You're kidding, right?" She goes, "No, I'm not kidding." The whole Veterans Affairs still is on DOS and gets the blue screen of death and all those kinds of neat things.
Chelsea Padgett:
Oh my gosh.
Bill Tolson:
I felt very, very sorry for them.
Tyson Marx:
Yeah, I think that is the important thing to keep in mind. Not all offices within an agency are created equal. Some will be getting the good tech and some will not be. For instance, you've got your standard Navy command that's doing whatever that's not top secret or requires classified information, or even requires handling a ton of unclassified information. But they're going to get the standard Windows 10 rollout, whenever it comes. Windows 9, probably, still at this point. But then you'll have those offices that do have the funding to have a little bit more advanced tech, and you would walk into their offices one day: Where did you guys get this equipment? Whose leg do we have to pull to get a new monitor?
Chelsea Padgett:
Yeah, exactly.
Tyson Marx:
But yes, as you said, the government is very reticent to be an early adopter of any type of technology. And I think one of the main growth points that I see happening in the next five to 10 years is the use of blockchain. It helps solve a lot of these, but the government is very slowly dipping their toe into that sphere. The DOD kind of is trying to take some steps, but again, it's very one off. One command here is trying it, one command there is trying it. The real commitment to these new technologies is not there. And I think part of it's just an education process. People in the government just don't understand the new tech that's coming out.
Bill Tolson:
Exactly. And you mentioned blockchain. And I know, because I've talked to people at the National Archives, NARA, and they actually have a working group going, actually studying storing the archives in the blockchain, which is a really interesting concept. Well, I won't get into it here, but at least NARA is looking at it. I thought that was, I was pretty jazzed about that. That was pretty neat, and that group started about a year ago. They're into it, and I think blockchain is one of those things. It's got to get beyond the latest publicity around it about being energy hogs. Get by that.
Tyson Marx:
Yeah, most of the work being done in that sphere right now is being done through your SBIRs or those other kind of rapid acquisition models that people can put forth. And again, that's not the big government procurement contracts that are coming out. They're not coming out with respect to blockchain yet. And it's sad, because blockchain, I think, can solve a lot of these problems. Can make data secure. Can make it transferable amongst interagency transfers.
Chelsea Padgett:
Yeah, Bill, you asked about how the government is actually kind of modernizing the cybersecurity. In the executive order, it talks about moving the government to secure cloud services that they're kind of already using and going towards a zero trust architecture. And it requires the deployment of multifactor authentication and data encryption, all within a specific time period. Bill, can you actually give us a brief description of what each of these technology requirements is?
Bill Tolson:
Yeah, this is really interesting stuff. Obviously encryption has been around a long time and I'll get to that. But zero trust has really just kind of started showing up more and more over the last year or two, and zero trust is a strategic initiative within organizations that helps prevent data breaches by eliminating the concept of trust within an organization's network architecture. And I'll explain a little bit about that here in a second. It's rooted in the principle, zero trust is basically rooted in the principle of "never trust, always verify." And this is versus the idea that you sign in once to your company's system and you're good to go until you turn your computer off. And in a lot of companies, a lot of organizations, you have access to most everything. But zero trust is designed to protect the modern digital network environments by leveraging network segmentation, preventing lateral movement, providing what's called layer 7 threat protection and really simplifying granular user access.
And that's user access; granular user access is a really interesting point. It means you could be in your network and you might want to go somewhere within the network. And for example, the Active Directory system within your network knows that you don't have those privileges, so it stops you. But even if you have those privileges, if you're going into another system within your network, you're going to have to sign in. That's why they get into zero trust. You're not golden in any part of the network, so you're always going to be asked to sign in to specific areas. And behind that, they're actually auditing and tracking what you do. And now with machine learning and AI, it's going to be learning. The system is going to be learning. And this is already going on. Systems are learning what you're doing. And if you start to do something wildly out of character, it will start checking into that, popping up and asking questions, things like that.
And that's where zero trust is really a significant departure from traditional network security, which allowed the "trust, but verify" method. The traditional approach automatically trusted users and all endpoints, meaning all laptops and workstations that were getting into the network or the organization perimeter. Zero trust is a big deal. And the big cloud guys, Microsoft and Google and AWS and the rest of them, are building that now, or have been building that into their cloud infrastructure for a long time. And I think zero trust is a big deal.
Multifactor authentication, I was just having a conversation about this earlier this morning. It's an authentication method, and most of you have probably already run across it, but it's an authentication method that requires the user to provide two or more verification factors to gain access to a resource. I sign into my Fidelity account with my password and log in, and it immediately asks me to do something else. It'll shoot a code to my registered cell phone and I have to input that, or it has a secondary application, the random number generator, and you've got to put that in. Apple does that now, Microsoft, the rest of them, and even end user based stuff. And I think that's a great idea.
Chelsea Padgett:
Agreed.
Bill Tolson:
Yeah, it's really, I know a lot of the systems give the end users the ability to not use it, and I think we're rapidly approaching a time where they shouldn't have a choice, to tell you the truth. I think it's very simple to navigate and I think that it does a lot of good. I'm a big fan of multifactor authentication, especially for government agencies that are holding our data and others'.
And then finally, encryption. Encryption protects the content of data or a file from being read by anyone who doesn't have the encryption key. When encrypting a document or a file, the user will supply an encryption key in the form of, for example, a password or a passphrase or something else. And this is the easiest version of it, which is then used to transform. That password is used in a numerical way to basically transform the data within that file using the mathematical value of that password, so that it's basically unreadable until that same passphrase is used to unlock it. In the more technical world, in industry and stuff, basically you have systems that will generate very complicated encryption keys automatically based out of the computer. The end user has no say about it, but then that encryption key is tied to that end user so they can use it in other things, but it gets very CPU intensive, especially when you're dealing with terabytes' worth of files and so forth.
But this is what's needed now in this cyber environment we have. I'm a firm believer. And I tell everybody, even individual people with their own personal clouds, like Microsoft OneDrive or Google Vault or whatever it happens to be, I think it's a good idea to encrypt your stuff before you put it up there as well. And there's lots of freeware out there, encryption kinds of things from groups, organizations that keep it up, that allow you to do that. And I think it's a great idea to do that.
Chelsea Padgett:
Yeah, I agree. I think it's nice to see the government moving in this direction. You would hope that they would have done this sooner, but as we were just talking about, it takes the government a little bit of time to catch up, but the rest of the world is already implementing these types of things. I have multifactor authentication on anything that I use, ranging from my bank account to even social media accounts. You would think that something as important as government data and the issues that are being talked about here in the cybersecurity world would be worth protecting more. And I think that it's important to really catch up and have these: zero trust, the multifactor authentication, encrypting your documents. And I think it's really one step in the right direction.
Bill Tolson:
Well, and it's really needed now, because ransomware and cyber hacking in the past has been something that a company has had to deal with, and end users, employees or end user customers, it didn't directly affect them. It did in certain ways, but it wasn't you getting called up and being threatened. Nowadays they have two stage and three stage extortionware, which is a form of ransomware. The Colonial Pipeline, by the way. Colonial or Continental? Colonial, I think, Pipeline hack and ransomware was actually a three stage extortionware attack, where ransomware went in, established itself, hid for a while. It searches out different kinds of data that it might find useful. It also searches out any backups and it destroys the backups so you can't restore. And then what it does is actually copy all of the sensitive data to the hackers' servers. And that's the second stage.
And then the hackers will basically, as part of the ransom, say, "We want 100 grand in Bitcoin or four million in Bitcoin, or we won't decrypt your files. And oh, by the way, we're going to release all your sensitive information on the internet." Which can be even worse. In fact, there were some cases last year where they threatened that, and part of the ransom was, we're going to release your clients' sensitive information and we're going to alert the GDPR authorities that you let all of this personal data out.
Chelsea Padgett:
Oh wow.
Bill Tolson:
With a potential 20 million Euro fine, much less than what the hackers were looking for. Within the Colonial Pipeline, the third stage hack, or third stage of extortion, was once they copied all that data and they threatened the pipeline company, they then started going to each individual whose personal information they had taken and extorted them as well. They're getting very sensitive, and this is where encryption comes in. If that data was encrypted, then they could copy it all they want; they can't read it. They can't do anything with it. This all kind of ties back into that.
Tyson Marx:
And to circle back to the executive order. Parts of these types of technology have existed for a while. GSA has requirements in a lot of their contracts that they need multifactor authentication for a lot that they do. The Navy, I've been encrypting my emails ever since I was a baby JAG just coming into the JAG Corps. The problem is getting everybody on the same sheet of music. I would try to send an encrypted email to the DOJ; they could never read it because they have a different type of encryption. They don't have the key. And to send something like that, you'd have to go through kind of a workaround basically to try to send it. And those workarounds weren't always followed. And that's where you get kind of these gaps. And I think that's what the executive order is trying to address: again, get everybody on the same sheet of music, get the agencies playing together and attacking this from kind of a unique standpoint of the Office of the President.
Bill Tolson:
Yeah. That brings up another point around encryption. And I'm sure both of you as attorneys may run across this in eDiscovery, but if you have encrypted files and the employee's left and the company doesn't have the encryption keys, I have seen cases where the discovery party was basically accused of spoliation because you've got potentially responsive data there that we can't open. What do you do about that? But that's not part of the executive order, but I've been really interested and I've followed several cases on that over the time.
Tyson Marx:
It's an interesting topic. It's also interesting, that's how the government got back that cryptocurrency that was given to the Colonial Pipeline hackers: they had the keys. They were storing their private keys in a public...
Bill Tolson:
And you notice that the cyber hackers now are switching away from Bitcoin, because the government was able to crack it and get back half of the ransom. And that fast, too. I thought that was just absolutely amazing that they could do it that quickly. Obviously they were prepared.
Chelsea Padgett:
Kind of circling back to what we were talking about earlier, the EO establishes these tight deadlines for the government agencies to meet all of these different requirements that we're talking about, including moving to the zero trust architecture and the multifactor authentication. Bill, what's your opinion on the chances of the federal government agencies being able to actually hit these deadlines? And why?
Bill Tolson:
Great question. And I know I sort of asked you guys that. You were very polite about your answer. I don't see any way, and you know what, for them to meet these deadlines. The deadlines were very short. Extremely short, and considering the way that government agencies move, I just don't see it happening at all, at least hitting the deadlines. I hope that, and like both of you said, I hope that they keep progressing, and it'd be nice to see kind of a scorecard of how far they are. Obviously they're not going to publish that to us, but the dates were so tight. Like I said, even in the industries I've been in, I don't see state of the art companies meeting many of those deadlines. I thought it was interesting they put those really close ones in there. I just don't see it.
Chelsea Padgett:
Yeah, June 11th is one of the fast approaching deadlines that was in the EO, and that's already passed. And Tyson and I, this morning, were both trying to Google and research and see if there was any information as to whether or not that deadline was even slightly hit. And like you said, there's no information out there. There's no way that we would really know.
Bill Tolson:
Yeah, I sometimes wonder if those dates were not real, but a message to the bad guys out there that the government is going full bore on this, more than something that they expected the agencies to meet. But again, when I read your article, I looked at it and I said, "Geez, these dates are two weeks off." And the original date of the EO, the executive order, was May 22nd. And the first date was June 11th. It's like, wait a minute.
Tyson Marx:
Not to circle back to another Navy war story.
Bill Tolson:
No, they're good. They're good.
Tyson Marx:
I've come and gone and seen many, many commanding officers come into a place, admirals come in, and they always have their agenda and what they feel like they need to put forth to get something done, to change the way things are done. And they put forth the memorandums and the regulations and the directives. And at the end of the day, they're really all just kind of saying the same thing. The ship just keeps kind of moving in the same direction. Maybe a slight turn here, a slight turn there, but the ship is rolling.
Bill Tolson:
Well, that's a great way to put it. And that really is... I absolutely agree with that, with all the agencies I've worked with over the years. There are a lot of people in the agencies that are well meaning, but it's just the way they're put together that you're not going to change them radically in a very short period of time, usually.
Tyson Marx:
But I think that's a nice segue into the last point you wanted to talk about, which is kind of the establishment of this board to kind of oversee things.
Bill Tolson:
Exactly. I applaud them for saying the EO directs the creation of a cybersecurity review board and it's both of, I think, both government as well as industry, correct?
Chelsea Padgett:
Yep, yep.
Bill Tolson:
Well, I was going to ask you, Chelsea, about this cyber safety review board and what's its main focus? And I know the description of the board is relatively self-descriptive, but you never know. And by the way, combining that with another question, it says the board will only be convened after a significant cyber event. And I thought creating the board was great, and then I read that and it's why? Why do you wait until a massive event happens before you get these people together? Wouldn't it be nice if they were an ongoing kind of group? Our company belongs to the Cybersecurity Tech Accord, which is a large group of technology companies, I think we're at about 150 right now. And we meet on a regular basis to discuss these things. And I would have hoped that the government would have had this board kind of meeting on a regular basis. What do you think?
Chelsea Padgett:
Yeah. The main focus is to review and assess, quote unquote, significant cybersecurity incidents like you just said. I think like we've been talking about this executive order is kind of the baseline for setting an aggressive movement forward and modernizing and changing the way that we're thinking about cybersecurity. I think for right now, the creation of the board is a good start and we don't really know whether or not this will change or not. They could get into this and have one significant event and say, "We need to have this group meet more often." It just depends on how things move forward. It might go in that direction. Who's really to say? But I think it's a good start.
And like we were talking about earlier also, this is kind of the entire point of the executive order is to move to a more prevention based system. We're putting all of these things in place to prevent cybersecurity from even happening but then we're also kind of having a review board, that's saying, "Sometimes prevention doesn't always work so we're going to have this defensive mechanism in place to learn from the mistakes that the government has made, learn from the loopholes that hackers might have found or gotten through." And I think that's kind of the point of having them there is to really make sure that our prevention based system is working, but have that defensive mechanism on the backend.
Bill Tolson:
Actually, I think that's a really great point and I hadn't thought of it that way. Also, I know the Feds, I don't know what agency they're in, but they have Cyber Command, which is obviously following and determining this stuff in real time. That takes some of that I think workload that I was thinking about from the group that they were thinking about, but I like the way you put that, to learn after the fact. And like I say, I know they have Cyber Command which would be acting as defense and offense and all kinds of neat things that we don't know about. That's really a great point.
Lastly, Chelsea, the executive order really highlights the need to improve the government's ability to detect malicious cyber activity on federal networks, hopefully sooner rather than later, by applying an endpoint detection and response initiative. Do you have an idea of what they mean by that?
Chelsea Padgett:
Yeah. To my knowledge, the endpoint detection response is kind of an initiative that implements technology that monitors and responds to cyber threats. But my knowledge to that is probably not as great as yours is. If you want to expand on that, that would be great.
Bill Tolson:
Yeah. You really don't have a whole lot of, well, no, not you. The government within the EO doesn't have a whole lot of description around that. And my thought immediately was, like all of us personally, or most of us, we have malware detection on our home computers and stuff, and hopefully it's kept up to date and so forth. But when you're talking about endpoints, endpoints are usually those laptops and desktops that agency personnel are using. There are two levels of security. There's the infrastructure security, not allowing bad things to actually get into the enterprise, but then, like most cyber hacking and ransomware, most of those things actually get into a very secure network through phishing, email phishing.
An end user or an agency employee will click on a link within an email thinking that they're doing the right thing and all of a sudden they've let loose a virus. And if you have endpoint detection within the agency on all the various assets, then those things are alerted immediately and stop anything from happening. In fact, within the laptop or desktop, they can actually quarantine that piece of code immediately and then alert you and your IT folks that this happened and stop it from spreading.
And again, I think that's a great idea and that even goes to servers and stuff like that. But having that infrastructure security with the firewalls and all that kind of stuff and then the endpoint or the laptop and desktop and printer and all kinds of stuff security to where it recognizes that something just happened that's not supposed to, it can now basically shut it down and quarantine it immediately.
Chelsea Padgett:
Yeah, that's really interesting. It's good to see that they're implementing something like that as well. Bill, in your opinion, is there anything that's missing from the cybersecurity executive order?
Bill Tolson:
That's a great question. And I've been thinking about this, and it ties back into all of these privacy bills that states are coming out with, and I think, I'm not an expert on executive orders, obviously. It's not a regulatory bill and they're not 3,000 pages long, obviously, but in my opinion, it would've been nice to see some goals placed in there around actual devices, equipment, not equipment but technology. It mentions encryption, but it really doesn't talk about, gee, every piece of data within the government should be encrypted before it's stored somewhere. That's kind of commonsensical. Even in industry now, most personal information is encrypted, and as we're moving into the cloud, it's going to be almost all data's encrypted, because hackers can use that against you.
Having encryption in there, I would have thought that the EO would have had a little bit more discussion around breaches specifically and many privacy bills talk about breaches. The GDPR talks about it, the California CCPA, what is a breach? What happens when a breach occurs? How do you alert people? Those kinds of things. And even within a government agency, employees need to know that something happened. Otherwise they'll start to hear pieces of it through gossip and it'll probably be a lot worse than it was.
I thought the executive order did a pretty good job of kind of laying out the high-level stuff and the goals and the dates and things. And I would suspect that the various agencies like Homeland Security and so forth, and even the FBI, will probably expand on those actual technical requirements as they move forward, because this stuff changes so quickly nowadays. You have to have a roadmap with the kinds of technology you're going to be adopting over time. And that goes for any industry company, as well as an agency. But I thought it did a very good job of laying it out at the top. I think the only flaw in the whole executive order was the dates. I think they were setting themselves up to fail there.
Chelsea Padgett:
Yeah. Those are all great points too and I think that's kind of the beauty of this executive order is that it's really a great start and it's allowing for improvement and so much room to grow after this.
Bill Tolson:
Yeah. Good point. Great point. Well, okay. Chelsea, Tyson, I think that wraps up this edition of the Information Management 360 podcast. I want to thank both of you for this insightful and actually very enjoyable discussion today. I had a lot of fun exploring this stuff with you and Chelsea, I really appreciate the article you wrote. And I advise everyone downloading this podcast and listening to go to the Ward Berry website and download and read Chelsea's blog. It's very good.
Chelsea Padgett:
Thanks so much for having us.
Tyson Marx:
Yeah, thanks Bill.
Bill Tolson:
Yeah, no it was great. And thank you Tyson as well. If anyone has questions on this topic or would like to talk to a subject matter expert at Archive360, please send an email mentioning this podcast to info I-N-F-O @archive360.com and we'll get back to you as soon as we can. And also you can contact Chelsea and Tyson via their emails at Ward Berry. Chelsea, can you give your email address?
Chelsea Padgett:
Yeah, my email address is Chelsea C-H-E-L-S-E-A @wardberry.com. That's W-A-R-D-B-E-R-R-Y.
Bill Tolson:
And Tyson, if you want to, can you give yours as well?
Tyson Marx:
Sure. It's P Marx, P as in Peter, M-A-R-X @wardberry.com. W-A-R-D-B-E-R-R-Y .com.
Bill Tolson:
Great. And for the listeners, also check back at Archive360, the resource page, we're adding new podcasts every week, every two weeks so check back. But again, really enjoyed this time discussing this executive order with you and really loved your article Chelsea and you as well, Tyson.
Chelsea Padgett:
Thank you.
Bill Tolson:
And very much appreciate you taking the time. Thank you.
Tyson Marx:
Thank you.
Chelsea Padgett:
Thanks.