Transcript: Securing Cyberspace: Investing in Cyber Resilience

MS. BAIRD: Good morning. I’m Kathy Baird. I’m the chief communications officer and the general manager of Washington Post Live. Thank you all for joining us for this important program about investing in cyber resilience.

As the world becomes more digitized and interconnected, it also becomes more vulnerable to cyberattacks. From the war in Ukraine to the newly declared war between Israel and Hamas, hackers are there playing a destabilizing role. These are the challenging times, and today we’ll take stock of the ongoing battle to secure cyberspace.

First, national security reporter for The Post, Ellen Nakashima, will speak with Brandon Wales, the executive director of CISA. Then Tim Starks, the author of The Post’s Cyber 202 newsletter will talk to Clar Rosso and Victor Piotrowski about the shortage of cybersecurity workers in the United States, and unfortunately, former Principal Deputy Director of National Intelligence, Sue Gordon, had to cancel unexpectedly early this morning, but we do have a great program for you.

I want to thank today’s sponsor for the event, AT&T Business. We appreciate everyone joining us today.

My colleague, Ellen Nakashima, and Director Wales will be out on stage following this short video.

MS. NAKASHIMA: Good morning. I’m Ellen Nakashima, a national security reporter with The Washington Post, and thank you all for joining us for what promises to be an engaging discussion here with–on the latest trends in cybersecurity with Brandon Wales, the executive director of the Cybersecurity and Infrastructure Security Agency, or CISA. Really pleased to have you here. Thank you, Director Wales. Welcome to Washington Post Live.

MR. WALES: Thank you, Ellen. It’s really fantastic to be here and join you and The Washington Post team.

MS. NAKASHIMA: So I want to open with the most significant long-term strategic challenge to the United States, whether in national security or cybersecurity, and that’s China. Historically, we’ve been focused on Chinese attempts to use cyber for political and economic espionage, but now that threat is evolving. And, Brandon, tell us, what’s your latest understanding of what China is attempting to do in cyberspace against the United States, allies, and partners, and why should we be concerned?

MR. WALES: Sure, Ellen. I think that really is an important question to start with because China really is the number one geostrategic challenge for the United States, both broadly and then absolutely within the cyber realm, and I’m going to draw upon kind of two public documents that the U.S. government has released over the past year to help, I think, paint the picture of kind of the evolution of the Chinese strategic threats that we face.

One was released earlier this year by the Office of Director of National Intelligence, the annual threat assessment that they release at the unclassified level. In it, it presents a really stark warning that in the event of conflict, China would look to target U.S. critical infrastructure for disruptive operations, and they’re going to do this for three reasons: one, to affect U.S. decision-making; two, to induce societal panic broadly inside the United States; and three, to disrupt the ability for the U.S. to project power into Asia. And, importantly, it notes that China has the ability to do that today and targeting U.S. critical infrastructure like transportation systems or oil and gas pipelines.

And then more recently, just a couple of months ago, CISA, along with the NSA and the FBI, released a public advisory on a series of intrusions that China has executed directly targeting U.S. critical infrastructure, compromising that infrastructure to preposition for future disruptive or destructive operations, and I think that shows this evolution that you painted to. If you had asked me 10 years ago, the answer would have been China is primarily focused on economic and political espionage, looking to advance their economy, looking to steal secrets or plans for fighter jets, but that threat is absolutely evolving. I think it is far more serious today, and it presents a really strategic challenge for the United States. If we want to enjoy the freedom of action on the geopolitical stage and we want the ability to ensure that we can defend our friends and allies around the world, we cannot let hostile nations like China into our critical infrastructure and hold it at risk.

MS. NAKASHIMA: That’s a really disturbing development with respect to China, which is our biggest near-peer competitor in military terms, and tell us, how long ago did you start to detect Chinese efforts to preposition malware in telecom systems, oil and gas pipelines, rail systems, critical infrastructure, which we all depend?

MR. WALES: So I would say that Chinese targeting of our critical infrastructure has been underway for a long time. Even just in the past two years, we’ve gone back and attributed compromises going as far back as 2012 and 2013 into certain critical infrastructure sectors to state-sponsored Chinese actors. But I think we are–increasingly have a better understanding of why they’re trying to do that, and I think that is what the intelligence community has come together and released. I think, as you would note, the advisory we issued on the compromises of critical infrastructure most recently, that followed a blog from Microsoft that talked about these–that these compromises of going back, you know, months.

MS. NAKASHIMA: What led you to determine that rather than just getting into these networks for espionage purposes, they might actually have the intention to try to disrupt in maybe the event of a conflict with China over Taiwan?

MR. WALES: You know, I would say two things. One is, you know, the DNI’s annual threat assessment kind of captures a kind of holistic look at all the intelligence that the United States has, and the assessments that they provide reflect that holistic assessment on what we understand about Chinese intentions, also, Chinese doctrine, what they write about publicly, about how they will conduct war.

But secondly, there are–some of these systems, there is no intelligence value. You don’t compromise control systems at oil and gas facilities to–for the purposes of collecting–for espionage purposes.

MS. NAKASHIMA: And you saw this on Guam, right, and was it linked to American military bases in Guam?

MR. WALES: Well, you know, I think there’s a–there’s obviously a reason why they’re targeting Guam, and it is because of the American military presence there. And the–Microsoft did identify assets on Guam that were compromised by China, so that is no surprise.

But I think going back to what China is trying to achieve, both the ability to disrupt the movement of U.S. military support into the region is one strand, but I think if you look at Chinese doctrine, if you look at what the intelligence community has said, they also want to induce societal panic. And that means that they could target critical infrastructure anywhere in the United States that could achieve that goal.

MS. NAKASHIMA: To turn off the lights, disrupt water systems, cause panic of the sort we saw kind of like with a Colonial Pipeline ransomware a few years ago.

MS. NAKASHIMA: Have you actually seen China attempt to use their access to carry out a disruption or destructive attack on critical infrastructure?

MR. WALES: No. And I think, you know, our understanding–and again, this is captured in the public documents that we’ve released–indicates that they would likely do this in the event of or, you know, on the eve of conflict. And so there are very narrow periods about when they would actually execute such attack, but the consequences of them conducting such an operation are so significant that it does require kind of the utmost urgency and attention to address it.

MS. NAKASHIMA: Okay. So what are you doing on an operational or policy level to address this?

MR. WALES: Sure. So there is a lot of work that we are doing to kind of buttress and support the cybersecurity of our critical infrastructure for exactly this purpose, and critical infrastructure is targeted from a wide variety of actors, ransomware operators, as we saw in the Colonial Pipeline, and many other attacks. There’s a number of things that we are undertaking, and you can see a lot of this captured in the national cyber strategy that was released by the White House at the beginning of this year. Whether it’s the move towards expanding the amount of baseline cybersecurity standards that our critical infrastructure is subject to, there are efforts underway at places like TSA and the Coast Guard to expand their regulatory posture when it comes to the cybersecurity of the infrastructure that they oversee, like pipelines and ports. There is a lot of work that we are doing with major technology platforms that have insight into the cyber ecosystem to try to detect these operations earlier, get that information out, identify where they are on networks, evict Chinese actors that may be inside.

And also, I think things like this. We need to make sure that we are raising awareness across the country that this is a serious threat that everyone who operates infrastructure that Americans rely upon need to take seriously.

MS. NAKASHIMA: And that critical infrastructure is like more than 90 percent in the hands of private-sector owners and operators, and I think, you know, we were talking earlier about this. It’s not that you can expect to prevent every single intrusion or attack. Sometimes things get through. Systems might get disrupted and taken down. But what’s important to understand and know about these sorts of attacks? What’s the mindset people have to adopt?

MR. WALES: Yeah. No, I think that is a really important point because this is hard. We’ve got a very diverse infrastructure. We’ve got a lot of potential targets that China could potentially exploit, and it is incumbent upon us to realize that we may not stop every attack. We may not be able to fully defend our way out of it, and so what we need to ensure is that we have the degree of resilience in our systems that will allow us to continue to operate, even in the face of an aggressive actor. And so–

MS. NAKASHIMA: What does that mean?

MR. WALES: Sure. And so I think it means a couple of things, and I think we want to take a look at resilience very holistically, that it starts broadly in terms of what are we doing to build national resilience against these threats, what are we doing to build resilience in communities. So earlier last week, I was with the deputy administrator of FEMA and the deputy commander of NORTHCOM out at the National Emergency Management Association talking to the directors of every state’s emergency management offices about what they need to do to plan and prepare for disruptions so that they are ready to make sure that their communities can go on.

Our infrastructure needs to have operational resilience, functional resilience, that even in the face of degradation, even if their systems are under attack, that they can continue to deliver the vital functions that America needs.

MS. NAKASHIMA: Electricity, water.

MR. WALES: Yes. The water should continue to flow, even if there is a loss of the operational control technology that they utilize, and so, you know, what are your backup plans? How are you able to kind of get back up and running quickly, even if you have a disruption? What can you do to minimize your–the opportunity to have wide-scale impacts on your networks?

MS. NAKASHIMA: In fact, isn’t that what we saw in Ukraine over the last year, year and a half? I mean, it’s not that Russia didn’t try to attack Ukraine with cyberattacks. They did. They actually did do some disruptions, but the Ukrainians were resilient. They had backup systems. They got things back up and running soon. Can you talk a little bit about–

MR. WALES: Yeah. I mean, I think the Ukraine is a really excellent example of how to think about preparing for aggressive cyber activity by a nation-state. So Ukraine, going back to 2014 during the first Russian invasion, saw fairly significant cyberattacks, including some that caused disruptions of critical infrastructure like the power grid.

MS. NAKASHIMA: Blackouts, yep.

MR. WALES: And they have worked hard over the past–you know, in the eight years between 2014 and 2022 when Russia re-invaded–to build that resilience into their systems, one, to kind of improve their cybersecurity, a lot of hard work by Ukrainian cyber defenders, supported by the U.S., supported by other Western countries and the private sector. They made things harder for Russia to achieve their goals, and more importantly, they demonstrated that they worked across their critical infrastructure to ensure that they can continue to operate in the face of both kinetic attacks, missiles, bombs, direct targeting of their critical infrastructure, and cyberattacks.

You know, I think there’s often a question about why we did not see catastrophic cyberattacks on Ukraine, and the pace of cyberattacks against Ukraine never let up. Russia has been extremely aggressive in targeting. Some of those attacks did have broad effects, like when Russia targeted the Viasat satellite network–

MS. NAKASHIMA: Satellites.

MR. WALES: –and caused disruptions in communications, both in Ukraine and other parts of Europe. But ultimately, Ukraine built a really–worked together to build really resilient posture for their country, and even in the face of those operations–

MS. NAKASHIMA: And they did it–

MR. WALES: –they’ve been able to kind of maintain their society.

MR. WALES: And that is by bringing their society together, their critical infrastructure–

MS. NAKASHIMA: Working with private-sector partners, including in the U.S. and elsewhere, working with CISA, working with Cyber Command, working with NATO. They had a lot of collaboration and partnership.

MR. WALES: Yeah. No one does this work alone. Every bit of it requires deep partnerships and real operational collaboration. It’s, you know, I think one of the hallmarks of our agency, CISA, is that we really were purpose-built to kind of engage with the private sector, engage with critical international partners, to make sure that we are as ready as possible for our worst day.

MS. NAKASHIMA: Right. A couple of quick things there. One is, I think one of the things that really helped them was they moved a lot of their information into the cloud ahead of time with some help in advance from Cyber Command, helping them figure out which systems were being targeted.

Looking–turning to the Middle East here, we’ve–we’re in the midst of a horrific war with Hamas having launched an attack on Israel, which has so far killed over 1,300 people in Israel, including at least 22 Americans. What about the cyber aspect of that? Have you seen any significant attacks or efforts by either Hamas or its allies to disrupt Israeli critical infrastructure? What about Iran? Tell us what you’re seeing.

MR. WALES: You know, I think the attacks obviously were horrific, but we have been lucky in the cyber realm. There has not been significant cyberattacks as of right now. We are in very close contact with our counterparts there in the Israeli National Cyber Directorate, working in partnership to make sure that whatever information we have that could help them protect their systems, that’s being shared, and they’re giving us insight in terms of what they’re seeing.

But right now, we’ve seen kind of low-level cyberattacks, the types of, you know, denial-of-service attacks and web defacements that are fairly common from less sophisticated actors. But we are constantly on the lookout for what could be more significant.

I think we are lucky that Israel has a very sophisticated cybersecurity operation both in their government and in their private sector, and so we have a lot of confidence in their capabilities. But this is going to be extremely challenging time for Israel, and we’re providing whatever support we can to protect them.

MS. NAKASHIMA: And, you know, Iran in the past has been active in cyberspace, including to attempt to meddle or interfere in U.S. elections. You haven’t seen them step up any actions here in the Middle East in this case?

MR. WALES: Not right–not yet.

MS. NAKASHIMA: Okay. So let’s move now to another major focus for CISA, which is election security and combating disinformation. After Russian efforts to sow discord in 2016, CISA and other U.S. agencies put a lot of effort into election security, and in 2020, CISA really amped up its efforts with its rumor control website and an outspoken director. But the effort to combat disinformation, whether around elections or covid, has become politically polarizing of late, and a group of conservative Republican state officials has sued U.S. agencies, including CISA, arguing that such efforts violate the First Amendment.

So, recently, the Fifth Circuit Court of Appeals said that CISA cannot communicate directly with social media companies regarding election hoaxes or disinformation. Brandon, how does that ruling, that injunction affect your efforts to raise awareness around disinformation, especially as we’re moving into a presidential election?

MR. WALES: Sure. So there’s limits to what I can say about the ongoing litigation. I think the filings from the Department of Justice will speak for us, and they’ve filed an appeal with the Supreme Court. And I’d refer people to that filing that I think lays out the government’s position, and we have been very clear that we have never censored anyone’s speech.

But I can–what I can say is kind of what we are doing in this area, and I think we have been clear, both when we’ve worked with folks across the Hill, when we work with our state and local election officials. When it comes to disinformation, we’re focused in three areas. The first is helping people understand what are the tactics that foreign–influence operations–what do they look like? What should they be prepared for? And to help build resilience of the American people, give them an understanding of the tactics that are used and are being used against them to cause and to sow discord and cause societal division inside the United States. Second, we are continuing to put out accurate information about how elections work. We think this is really a key aspect of building civic literacy, and elections are complicated.

MR. WALES: It’s a complicated topic, which makes it more susceptible to potential disinformation, and so the more accurate information we put out the better. One forum we do that in is our Election Security Rumor v. Reality website, Rumor Control–

MS. NAKASHIMA: Rumor v. Reality.

MR. WALES: –which we think is a good way for us to explain how elections work, how they are secured, and give people kind of further reading for how they can get more information.

And third–and I think most importantly–we have tried to amplify the voices of state and local election officials. Elections are conducted locally in this country. They’re not conducted at the national level. States are constitutionally charged with this, and the people who have the best information on how elections work and who can best debunk myths that are out there and counter disinformation are the local election officials that live throughout our country and that support the 8,000 election jurisdictions that are out there. And, actually, on our Rumor Control website, ahead of the 2022 election, we updated it with links to the state-level websites that have been set up by almost every single state election office that provide their own kind of rumor v. reality or frequently asked questions about how elections work, because we want to direct more and more people down to the local level to get the most accurate information possible.

MS. NAKASHIMA: How much engagement or interaction did you actually have–or do you actually have with social media companies on election disinformation?

MR. WALES: Sure. So in–you know, ahead of 2018 and the 2020 election, we were having regular meetings with social media companies, but that is to provide very broad information, “Here are the broad things that we’re seeing.” We want to know about–we wanted to know about the broad things that they were seeing, that some of those meetings continued on into 2022. But we have not been engaging with them since the 2022 election.

MS. NAKASHIMA: And you actually really don’t have much direct interaction with social media companies, say, pushing to them posts or tweets that might–you might see as disinformation.

MR. WALES: That is correct. We, since the 2020 election, have not provided any specific information on potential disinformation to social media companies.

We did that in 2018 and 2020 at the request of state and local election officials, and in that case, we were simply a pass-through. State and local election officials were identifying potential disinformation to us.

We had directly sent that on to social media companies. We did not independently verify whether the information was true or false. We didn’t think that was our role. We were letting the social media companies review the information to determine whether it violated their terms of service.

But, again, that work stopped in the aftermath of the 2020 election and has not resumed since.

MS. NAKASHIMA: So we talk about building resilience to counter cyberattacks. What about disinformation? What is the real way to defuse the effects of disinformation and attempts to sow discord? What is the role of resilience there, and how do you build it?

MR. WALES: Yeah. So, you know, I think this is something where there’s work that we can do at the national level to highlight what disinformation looks like, how our foreign adversaries are attempting to utilize disinformation to divide Americans, but ultimately, this is really a challenge for the American people. Everyone needs to understand that when they amplify information that’s been promoted by foreign actors and when they amplify disinformation, that they are kind of contributing to the work that our enemies are trying to use against us. And that’s why we put out accurate information to make sure that the American people have something to rely upon and particularly when it’s something as important as our democracy. We think it’s essential that the American people have accurate information about how our democratic processes work so that we do not let our adversaries take advantage of us.

MS. NAKASHIMA: And isn’t it the case that what these foreign adversaries are doing were actually inflaming preexisting social fissures in society that they didn’t create? They’re there. They are coming from within our society, and they took advantage of them, and so in order to really build the resilience, you have to try to get at healing those fissures, right? And that’s hard work. It’s not sexy.

MR. WALES: It’s absolutely hard work, and obviously, a lot of that is beyond the scope of what the cybersecurity agency should be doing. But I think it’s important for the American people to understand that, that we see foreign actors amplify and try to sow discord on every topic where Americans are divided. And oftentimes they’ll amplify information on both sides of contentious issues. Everything from gun control and police brutality to elections, we have seen foreign actors attempt to influence or sow discord, and I think even more aggressive is they try to use weak moments against us. So the recent wildfires in Maui, well, it came out one of the private sector companies identified Chinese state actors were spreading disinformation that the Maui wildfires were started by American military tests, you know, complete nonsense. But our adversaries were trying to use weak moments against us.

MS. NAKASHIMA: How much traction–how much traction do those efforts get?

MR. WALES: You know, they vary. In some cases–you know, I think this one was able to be debunked relatively quickly, but it was out there. And it just shows you the lengths that our adversaries are willing to go to get inside the American’s head.

MS. NAKASHIMA: And, generally, Brandon, which efforts are more concerning or impactful when it comes to sowing discord and disinformation here? Foreign or domestic?

MR. WALES: You know, I don’t think I’m in a position to be able to kind of answer that. We don’t have the ability to study the effects of disinformation.

But I think many of us kind of can look at what’s happening inside of these–you know, in the information ecosystem right now and recognize that it poses real challenges to our country.

MS. NAKASHIMA: So, in a few minutes we have left, I wanted to turn to another issue that’s very much top of mind for people: artificial intelligence. Glenn Tiffert, who chairs–co-chairs a project on China’s influence campaigns at the Hoover Institute, said that technologies such as artificial intelligence could allow Beijing to better interfere with U.S. elections. What are you seeing from your perch about the emergence of artificial intelligence, and what concerns you the most? And how sophisticated is its use today in election interference or cyber in general, or how not?

MR. WALES: Yeah. So, you know, this is obviously a topic that the entire government and a good chunk of industry is extremely focused on right now. I think it is no doubt that anytime new technology is introduced that it is a race, a race between what we can do to utilize that new technology to extract all of its benefits and all the tremendous opportunities we get, and minimize the risks that are posed because adversaries are trying to exploit that same technology. And in this case, it is without a doubt that our adversaries are looking at this technology to see how they can use it to scale existing operations, how they can improve the sophistication of disinformation operations through things like improved deepfake videos, et cetera. And we know that adversaries are attempting to use that technology today. They will write better phishing emails by using large language models. It is a–

MS. NAKASHIMA: But can we use the AI to also develop better defenses?

MR. WALES: Absolutely. And I think that’s the tension here. Can we extract all the opportunities while minimizing these risks? And so I think this will be a continued cat-and-mouse game between the defenders who are trying to use these same technologies to improve our cyber defenses, our ability to spot disinformation.

We’re also doing a lot of work with the companies who are most engaged in AI, whether the companies at the frontier who are developing the models or other companies involved in the AI supply chain, building those into software applications of the future to–what can they do to build security in, because I think we do not want to repeat some of the challenges of the internet age, where we’ve raced out with technology before building in security.

We have an opportunity here at the dawn of the AI age to build security in, to make sure the technology that comes out is secure by design, secure by default, secure in deployment, and I think that has–that is certainly from the–you know, with CISA’s authorities, that’s where we’re engaging industry to try to make a difference.

MS. NAKASHIMA: How concerned are you, though, about China, which doesn’t have maybe the same sorts of norms or, you know, will abide by such standards, given it’s more of an authoritarian state?

MR. WALES: We know that hostile nations are going to use this technology for ill. That’s not a question. I think, one, we want to make sure that within the United States, we are minimizing the opportunity for the technology that we’re deploying is well protected and that it is secure because U.S. is the leader here, and kind of where we start will have a tremendous influence globally on how these systems look and the security that’s baked in; and two, we want to work with these companies so that we can extract as much benefit as possible and use these systems to protect against enhanced threats from China in the future or other threat actors. I mean, certainly, in the AI space, you’re already seeing today open-source models that are going to approach the capability of the frontier models in the not too distant future. So the genie, in some respects, is going to be out of the bottle, but we’re going to do everything we can to make sure that we’re extracting the benefits from this technology to protect Americans.

MS. NAKASHIMA: Okay, great. And last question is we’re a year out from the next federal election. How secure is America’s election infrastructure? How well prepared are the states and the federal government here to counter threats?

MR. WALES: Yeah. So, you know, CISA has worked tirelessly, and we have benefited from tremendous partnership with state and local election officials, who are really the ones on the front lines, and they have done tremendous work since 2016 to bolster the security and resilience of their systems. We believe that these systems are secure, far more secure today than they’ve ever been in the past, thanks to a lot of hard work. There is an active, you know, community of interest that’s working on them. They have deployed more cyber protections than ever, but importantly, I think we want to make sure that we’re meeting election officials where they are. As their understanding of threats and risks evolve, we want to evolve our support to them. So in the face of the 2022 election, state and local election officials were mostly concerned about physical threats, and so we surged support to provide them physical assessments, security assessments of polling places and election offices and storage locations. And we’ll continue to do that. We want to be flexible and adaptable to see changing threat environment, but we are very confident that with the strong partnership with our–with the election community that we’ll make sure that the election is as secure as possible.

MS. NAKASHIMA: Okay. Well, you heard it here. That’s all the time we have. That was a great conversation. Thank you so much for joining us, Brandon Wales, CISA executive director.

Please stay with us. My colleague, Tim Starks, will be out here next after this video, and I’m Ellen Nakashima. Thank you.

MS. KOCH: Good morning, everyone. I’m Kathleen Koch, a longtime Washington correspondent.

You know, the telecommunications industry plays such a vital role in our lives today, and we all want to be connected, right? But all of those connected devices can create vulnerability.

Well, here to talk with me today about cybersecurity and telecommunications is Rita Marty. Rita is vice president of Network Security at AT&T. Welcome, Rita.

MS. MARTY: Thank you. Good morning. Glad to be here. I’m looking forward to it.

MS. KOCH: Rita, you are in charge of keeping AT&T’s network secure. That is such a huge responsibility. How do you see the current threat network evolving, and how is your team staying ahead of those threats?

MS. MARTY: I can tell you the industry has changed so much over the last few years. Cybersecurity is a board-of-director topic today. The investment in cyber has gone up significantly over the years. If you look at the White House, the recent National Cybersecurity Strategy tells a broader story. We all need to work together to improve the cybersecurity posture across the whole industry.

In terms of what we’re seeing, we’re seeing more frequent–we’re seeing more sophisticated attacks that we have seen–more than we have seen in the past. It’s–the landscape is changing significantly.

MS. KOCH: Who is behind them today?

MS. MARTY: It used to be rogue actors, and now it’s part of organized crime. It’s part of nation-state attacks. It’s also pivoting to industry, to financial gains. You’re seeing the rise of ransomware over the years. If you look at the impact of a cybersecurity–or a data breach, it’s significant. On the average, a data breach costs–in the U.S., it costs about $10 million, right, on the average. The high-profile data breaches that we have seen are hundreds of millions in terms of cost.

MS. KOCH: And no one really is invincible, right? They’re going after schools. They’re going after local governments, businesses.

MS. MARTY: Absolutely. I mean, I think it’s a great point because the small and midsized businesses are really prime target for this. They don’t have the IT staff. They don’t have cyber staff to really fight the war on cyber.

MS. KOCH: Now, I talk to a lot of leaders who say that tools–they are constantly getting inundated, you know, from tools all across the security landscape. How should organizations deal with that ever-expanding marketplace?

MS. MARTY: I mean, it’s an excellent question. If you look at the cyber market, it’s very segmented, a lot of point solutions that are available in the market. If you’re an enterprise customer, a large enterprise customer, you probably have 70 tools just to secure your enterprise, very hard to tackle, very–a lot of complexity. Especially when you look at the small business and the midsize business, they have a lot to deal with when it comes to cybersecurity.

I think one key point to make is we need to really pivot to more integrated solutions and also pivot to embedding a lot of this capability into the network. So–

MS. KOCH: What does that look like?

MS. MARTY: When you talk about embedding cybersecurity in the network, it’s more about bundling the connectivity with the security products and tools that are available in the market. For us, we are moving in that direction where we want to provide a one-stop shop for our customers, where they come in, they get the connectivity, but they also get the best tools and capability to protect them against cyber–

MS. KOCH: So it’s not something that’s added on, then.

MS. KOCH: It’s part and parcel.

MS. MARTY: It’s part of the solution that we offer, and I think it becomes low touch or even zero touch for our customers because security is embedded in the capability they have.

I mean, the beauty of that is they take advantage of our software-defined network, and we’re able to block malicious traffic in the network before it reaches the customer premise. Therefore, they don’t have to deal with that complexity and all these tools that they have to deploy into their own environment. So it’s really a win-win, especially given the increase in cyberthreats and attacks that we’re seeing across the industry. It’s leveraging things that we do internally will make them basically available for our customers.

MS. KOCH: Let’s talk about Zero Trust security, and as you know, that’s where basically no one is trusted by default, and verification is required from everyone. How do you apply that concept to 5G network security?

MS. MARTY: So Zero Trust is really about having a comprehensive cyber strategy, and it goes beyond the perimeter. The perimeter is no longer effective in protecting the environment because the network is a lot more distributed than it used to be given IoT, Internet of Things, and giving the migration into public cloud. So Zero Trust is really applying a framework that starts with the perimeter but goes beyond the perimeter.

So, when we talk about our 5G network, beside having a strong perimeter around the mobility core, we’re also encrypting data. So nothing is sent in the clear.

Authentication is a big topic, a lot of innovation when it comes to authenticating the user to the network. We’re going beyond the traditional username and password, right? That’s no longer effective. We need to move into multi-factor. So we’re adding another step to validate who you are. It could be a validation code. It could be your location. It could be biometrics. A lot of innovation in that space, because at the end of the day, social engineering is a big topic.

MS. KOCH: Social engineering, that’s the human factor?

MS. MARTY: Absolutely. You clicking on a URL and an email, a text message, and that would lead to your device getting infected. Social engineering is about 30 percent of the attacks surfaced today. It’s something that is still a big impact in the industry.

MS. KOCH: How do you fix that? I mean, I know that at AT&T, you helped start something called “Cybersecurity at Work” to foster more cybersecurity awareness.

MS. MARTY: Yes. So Cybersecurity at Work is a–think of it as an employee network group. The idea here is to increase cyber awareness, to create a culture that’s cyber-aware across not just AT&T but across the industry.

We believe everybody has a role to play when it comes to cybersecurity. It’s not just the chief security office. It’s everybody in the company, everybody in the industry. I think this is a call to action that we all need to work together, right? We believe that the vendors, the suppliers that we work with, they really–they’re a big part of the ecosystem, right? So we need to work together with federal agencies, supplier, vendor, our peers, whether it’s a service provider or cloud providers. So Cybersecurity at Work is more about increasing the awareness of cybersecurity, make it part of the culture.

We do a lot of outreach activities as well. We invite Girl Scouts, Girls Who Code, because we also have a cyber gap in terms of talent gap in the industry, right? That’s a big topic. How do we address the cyber gap over time and–

MS. KOCH: How do we address that, and where did that come from? Because we were discussing this backstage, and I said, why do we have a cyber gap? Cyber has been an issue for years.

MS. MARTY: I think it’s just that the cyber landscape has changed over the years. Things have intensified a lot more than it was, you know, five years ago. It’s becoming a board-of-director topic, and it’s really embedded in everything we do, right? If you think about technology in general, every new technology, including AI, has a cyber component. So cyber is really kind of a lot more presence in everything we do, and cyber talent is something we need to tackle over time. And I think the sweet spot is attracting talent where–when they’re in the–like early days, middle school, high school. So we’re doing a lot of outreach activities to bring more people in and women, in particular, right? This is a great place to be. They have a lot to offer in terms of their leadership skills, multitasking, attention to detail. So it’s really a rich environment for them to strive and do really well.

MS. KOCH: Let’s talk about–now, we talked about sort of the human factor there, but vulnerabilities that exist in software, libraries and tools that can create these openings for hackers. Talk to me about how a software bill of materials can help, and if you could explain exactly what that is.

MS. MARTY: I mean, one key thing that we do in cyber is making sure the code is vetted. Whether it’s internally developed, vendor provided, everything needs to be vetted.

Software bill of material is a tool that allows you to get a list of all the packages that are in your application, increases your visibility. Many, many benefits. One of them is supply chain, because now you have visibility into third-party code that’s embedded in your business. You also have a lot more visibility to what packages are up to date. You may have an old package, and that would call for vendors to provide patching. Another key thing when you have the software bill of material is if you have a zero day, now you have access to that information. Your ability to patch your environment goes from days and weeks to hours, a significant impact to the business.

I can tell you DHS and CISA are moving in that direction. They’re actually going–looking into potentially making it a requirement for all federal–for all government contracts that you have that information.

MS. KOCH: So that’s voluntary right now?

MS. MARTY: It is, but I think they’re moving in a direction of making it mandatory next year. And I think that would be a big win for all of us, because we also–our challenge, we want to make sure our vendors and suppliers provide us that information. We’re starting to include that in legal contracts. So that, I think, is a win-win for all of us is to have more visibility into the code that we deploy.

MS. KOCH: There’s a lot of debate right now about the risks and the rewards of artificial intelligence. How do you see AI playing out in the security space?

MS. MARTY: Great question. I get that question all the time. AI is just enabling technology. It’s really–has a lot of potential. Cybersecurity is a prime use case for AI, a lot of use cases, right, where we can apply AI to cybersecurity. You’re absolutely right. It is a concern because hackers or bad actors can use it to generate malware, and they can do that now quickly–quicker than before.

But, at the same time, you also have to look at the benefits. It provides a lot of advanced capabilities when it comes to cybersecurity, including generating countermeasures in a–you know, in less time than we have seen in the past. It also can help with the user experience. It can help demystify policy. A big organization or a big company has extensive policy, and with AI, they can guide the users basically through that policy. But most importantly, I think the–in terms of threat hunting, I think AI plays a critical role here because it can really sort through a lot of data and tell us where the anomalies are.

MS. KOCH: So we can spot cyberattacks much quicker?

MS. MARTY: Absolutely, much quicker, right?

So I think in like any new technology, you always have to make sure there’s guardrails around it so you can apply it securely to the environment.

MS. KOCH: Looking down the road, what trends do you see now in cybersecurity?

MS. MARTY: I mean, we talked about shift left. That’s a big topic. It’s–

MS. MARTY: It’s more about addressing vulnerabilities early on in the development cycle. Don’t wait till it’s in production. Then you have a technical–that issue to deal with. The cost of addressing vulnerability early on in the development cycle is significantly less than once a vulnerability is in production. So that’s a trending topic.

The other thing I want to mention is we–I invite you all, if you want to hear more about cyber and cyber trends, to join our upcoming virtual conference. It’s called “AT&T Secure Connection” on November 8th. We have incredible lineup of speakers and topics. We’re going to cover AI. We’re going to cover other trending topics in cyber. So I encourage you all to join that, that virtual conference.

MS. KOCH: Now, in the way of trends, do we need to–if it’s not a trend, need to start one where universities are doing more to address that, that cyber talent gap that you mentioned earlier?

MS. MARTY: Yeah. I think what we’re seeing is some schools are starting to offer cyber as a degree, as a curriculum, and that’s really great. The other thing they’re doing is embedding cyber best practices into their curriculum. Like if you’re a computer science major, now you’re getting a lot more exposure to cyber than you have seen in the past. So we’re seeing even academia start to pivot into that space.

MS. KOCH: So any closing thoughts? You got into STEM at an early age. Both your parents were engineers. You’re married to an engineer.

MS. KOCH: For those looking at the field and women in particular?

MS. MARTY: I am very passionate about cyber. I pivoted into cyber about nine years ago, and it’s never a dull moment when you work on cybersecurity. It’s really exciting every day. I encourage you all to consider a career in cyber. It’s really just–I enjoy it, and diversity is really key to us when it comes to cyber, right? When you think about innovation, diversity, you know, trigger innovation in a way. So having women and–come–you know, join the cyber ecosystem is really–but diversity is really, really key. So excited to be here, and thanks for doing this.

MS. KOCH: Rita Marty, vice president of Network Security AT&T. Thank you–

MS. KOCH: –so much for a wonderful conversation.

And if you would like to join the conversation, share your thoughts, add to–text #PostLive.

And now stay put. My friends at The Washington Post will be right back.

MR. STARKS: Hello. I’m Tim Starks, the author of The Cybersecurity 202 newsletter here at The Washington Post.

Today I’m joined by Clar Rosso, the CEO of ISC2, and Victor Piotrowski, who is a lead program director at the National Science Foundation, working on–focused on building out the federal workforce.

MS. ROSSO: Thank you. Great to be here.

MR. STARKS: So one of the things I hope to achieve in this conversation today is to take what might seem on the surface to some like a bland HR topic to something that’s actually fundamentally intrinsic to all–every other cybersecurity issue.

So let’s start with you, Clar. I hope you could set the stage of the big picture for us. First, tell us what ISC2–what their role is in this, and then give us a sense how big is the gap between demand and supply for cybersecurity talent, and how has it evolved over the years?

MS. ROSSO: All right. So ISC2, we’re the world’s largest association of cybersecurity professionals, and we certify cybersecurity professionals. Our CISSP is to cyber what CPA is to accounting. We have almost 600,000 members, associates, and candidates around the globe, and so our role is to support qualified people entering the workforce and to also support them through their whole life in cyber when new ideas come up like large language models and generative AI, how do we navigate that.

But one of the other things we do is we work with governments around the globe to understand the cyber policy landscape and make sure that it is sensible and, to the best of our ability, harmonized.

But here are the big numbers. So we haven’t quite released this yet, but I’m happy to share it. We do a workforce study every year. Our 2023 workforce study is going to show that we increased the supply of cybersecurity professionals. So we now have 5 million cybersecurity professionals around the globe. That is fantastic. That’s an 8.5 percent increase over 2022.

We also have 4.5 million unfilled positions, which is over a 12 percent increase over last year, and the great news is organizations understand they need cyber professionals. But there is no way we can quickly and efficiently fill that gap, and what’s even scarier than that gap is that most smaller organizations have no cybersecurity professionals at all.

MR. STARKS: Victor, I do want to hear about the CyberCorps program, which you’ve been so intrinsic to over the years, but in a few minutes. What I want to ask you about first is, before we dive into any kind of solutions to this problem, I think many people have heard about labor shortages in this space before, but why should people care? What are some of the real-world implications of not having enough cybersecurity professionals? And can you point to a specific example, threat, or issue that becomes heightened as a result?

DR. PIOTROWSKI: Well, so, as Clar said, we have an increasing shortage over the last 12 years. That gap of filled position versus unfilled position is increasing, and that one in three positions roughly in this country is unfilled, the same in federal government. That is main focus of the program that I’ve been running for 15 years.

What are the ramifications? Well, like in every other situation when you will have one in three positions on unfilled, right, there are things that can happen. We can miss some things.

The beginning of the problem is starting probably somewhere in K-12, in K-12 education, when we have shortage of students in STEM, what is science, technology, engineering, and mathematics. And then that repeats in–when they arrive at college. There’s less and less students studying STEM.

So National Science Foundation, where I’m employed, is investing in STEM research and education. Five percent of students, for example, are taking in high school. Only 5 percent of students are exposed to foundational cybersecurity courses. That’s, you know, very, very small numbers.

We have a lot of different initiatives. One is called “GenCyber” in partnership with National Security Agency. What–GenCyber is a short version of the next generation of cyber stars that runs about 150 summer camps in almost each state, where we expose students and parents to cybersecurity careers, because it’s not only students. It’s also parents that have sometimes that negative cliche about what a cybersecurity profession is. So that’s one way we mitigate that shortage of students.

MR. STARKS: Yeah. I definitely want to return back to that in a moment.

Clar, similar question for you. Where do you see the potential impacts of these positions going unfilled?

MS. ROSSO: So it’s actually frightening, and we actually started measuring it three years ago. So we found that when organizations do not have enough cybersecurity staff, they basically are not doing the basics. They are not patching their critical systems in timely ways. They’re misconfiguring systems. They’re not actively scanning their threat landscape. They are not upskilling their cybersecurity professionals and so on and so forth.

And those basic cyber hygiene, that’s your basic cyber defense, and that’s not happening in organizations, which is going to increase the threat within–in the cyber profile of the organization. So that’s really concerning, and you know, it sounds trite when you say “it’s not if but when.” But really we are in an environment where the cyber threat landscape is such that we’re just waiting for something to happen for every organization. Nobody’s not vulnerable.

And when you have–going back to those small businesses, when 95 percent of small businesses with 100 or fewer employees have no cyber professionals at all, it’s terrifying. When I talk to different leaders of governments around the world, they say, wait a second, 95 percent of our economy in Canada is run on small business; 98 percent of the economy in Singapore is run on small business. And if they are unprotected, yes, they as a single organization are vulnerable, but your whole economic security of your nation can be vulnerable.

MR. STARKS: Yeah. To your point about if not, if not when, I recall when I started writing about cybersecurity, if a new industry got hit, it was a big deal. But these days, when I’m writing about a company, an individual company being hit, I often can go back several years and find multiple occasions where they’ve already been hit. So it seems like the “when” has already happened to a large degree for people.

Sticking with you for a moment, Clar, we have been seeing labor shortages to varying degrees across the economy. Unemployment is low. Labor market is tight. How is this shortage in this industry different than shortages we are seeing in other industries?

MS. ROSSO: I think it’s different because of the specialized nature of what folks are doing, and I don’t–I think the interesting part of something else that we’ve learned, because let’s face it–and Victor, I think, will agree with me–what cyber historically has done in our very long three decades of existence is we’ve stolen people from IT, and we’ve pulled them over the fence to cyber.

But we can’t do that. There is–there are not enough people. I could hire every single person that was laid off by a tech company this year, and you wouldn’t even make a dent in the cybersecurity workforce gap.

So we had to first define what makes you qualified for cyber, and yes, there are many technical competencies. But there’s also a lot of nontechnical competencies that cyber professionals share: analytical thinking, critical thinking, problem solving, creativity, their communication skills. And we’re finding that when we look at those skills, we can start tackling our problem of filling the cyber workforce gap differently, and fortunately for us, those are the same skills that are also going to help us get over the AI security hurdle.

MR. STARKS: Yeah. I know that’s something Victor cares about as well.

Victor, can you go back to the–what we were talking about with some of the things that NSF is doing, CyberCorps is doing, and the Biden administration is doing to bolster the workforce and what sort of timeline are we looking at?

DR. PIOTROWSKI: So maybe in–I’ll give you 25 years of history in one minute.

MR. STARKS: You can take two or three, if you need.

DR. PIOTROWSKI: So the cybersecurity profession started emerging about 25 years ago, and U.S. was definitely ahead of any other country, thinking in a very holistic way about education, workforce development, and all the elements needed. So there were two government initiatives that started back then in 1998. National Security Agency introduced the concept of Center of Academic Excellence. The word “cybersecurity” did not exist then. We used “information assurance” but the same meaning. And in 2000, National Science Foundation created a program called “CyberCorps Scholarship for Service,” when–essentially secures workforce for government organizations, offers the wonderful scholarship package, and in exchange for that scholarship, students work for a government organization for as long as they receive support. So that was 2000.

And over the last 25 years, we’ve seen essentially overproducing cybersecurity people in the first decade, from 2000 to 2010, but everything around 2012–everything changed the other way. That means over–back then in 2012, for example, we had 120 cybersecurity professionals for 100 openings. Today we have 70 professionals for 100 openings. So that gap between what we produce and what is needed is increasing.

And the one last thing I wanted to add, that National Science Foundation has been investing also in fundamental research, right, because cybersecurity is not only things, operations, right, that we need workforce to operate systems today. We also need the research and development. We need to think what is going to happen in five years, what kind of tools we’ll need in five years. So we invest in fundamental research.

And also we perceive cybersecurity in a very holistic way. It’s not technical layer only. Unfortunately, you have humans on the top, and 70 to 80 things of breaches are due to the humans’ errors or humans’ action at the top. So you see–you have to think in cybersecurity also about social behavioral economics. You think–you need to think about insurance, about incentives, how people react to different kind of incentives and so on.

MR. STARKS: Yeah. So we have a question from the audience. Clar, I was hoping you could maybe address this. This is Lauren Patrick from Georgia who asks, “There’s a broken pipeline with a number of people who want to work in cybersecurity, but there aren’t enough entry-level jobs or apprenticeships to help develop a skilled workforce. What initiatives have you seen in both the public and private sector to help fix the talent development pipeline?”

MS. ROSSO: Well, I’m going to talk about two things. I’m going to talk about something that my organization is doing, and I’m going to talk about these amazing group of small nonprofits that are in this country that are doing just some phenomenal work.

So our organization, after we attended the White House summit in July of last year that was a precursor to the National Cyber Strategy, we announced a One Million Certified in Cybersecurity initiative, and so we had created–working with employers, working with cyber professionals, working with government–a foundational-level certification that covers the core domains of cyber that will help an employer understand that you, Victor–he’s a CISSP, though–that you, Victor, if you take this and you can pass that, that shows that you have the aptitude for the technical parts of cyber. And so that sort of changes the game. Instead of starting at the technical, we are starting with do you have the right nontechnical skills and personality attributes, and let’s see if you have the aptitude for the technical. And if you can do that, we can move you into cyber. You can be trained. So it was a tool we created for employers that turned out to be a fantastic thing for individuals as well to see if cyber was for them.

So we offered our course and our exam for free, and we said we are going to invest in this, one million individuals through the program. We launched that September 2022. As of today, we’ve enrolled 325,000 people in the program. We’ve certified 35,000 people so far, and we are now working with them to say, okay, what’s the next step? How do we help you get the next skills? Where are the hands-on skills that you need to get to help move into a job?

And we decided we don’t need to do this alone; we need to do this in coalition with others. So we have been working with a whole assortment of nonprofits–Cyversity, Minorities in Cybersecurity, WiCyS, and many, many others–to like build and amplify the great work that they’ve already been doing to take people from underrepresented groups and move them into cyber, and part of that is placing them in internships. Part of that is placing them in apprenticeships. Part of that is just helping people who don’t come from a cyber background understand how do you navigate this world that is very new and very different and has a whole lot of inside language.

So there are a lot of great work going on, and we are actively working to get the community to stop thinking of themselves as special little unicorns and to actually unite in solving this problem so that we can solve it at scale–

MS. ROSSO: –because we have to solve it at scale.

MR. STARKS: Very, very related to that subject, Victor, what do you see as some of the barriers to entry for folks who want to get into and stay in this line of work?

DR. PIOTROWSKI: Entry barriers?

DR. PIOTROWSKI: Well, I think in terms of resources, it’s very good situation. You can find a lot of fantastic, high-quality resources.

From the line of work that I’m involved, working with formal education with academic institution, the number one barrier that I will point to is the lack of faculty. The same way as you have a shortage of cybersecurity professionals in operations, you have a shortage of cybersecurity faculty at universities, severe shortage. Out of 102, I believe, doctoral recipients in North America in 2022, only 13 ended up on tenure-track positions at universities. Thirteen is not enough to replace retirements.

DR. PIOTROWSKI: But for the situation when every school wants to create cybersecurity programs is severe shortage. So what we see is essentially a musical chair. When University A offers competitive things to faculty from University B, University B from–steals somebody from University C, and so on, and somebody at the end is without faculty and has to close the program. So that’s what I would identify definitely a number one barrier. The second one, as you mentioned, WiCyS, I think you mentioned women in cybersecurity. By the way, this is CyberCorps project that was very successful and converted to worldwide nonprofit organization. Women–when we started the project in 2014, women were at about 11, 12 percent in cybersecurity profession. Now we are in 22 maybe, so we are making progress, but again, 80 to 20 is the ratio of male to female security, cybersecurity professionals. So this is another thing. It does not reflect the society.

MR. STARKS: On the subject of universities, Victor, we have another question from the audience. This is from Jeffrey Davis from New Jersey, “Can some cybersecurity jobs be populated with former blue-collar workers with some limited technical training and likely no college degree?”

DR. PIOTROWSKI: Absolutely. Think about–think about cybersecurity profession that is emerging, something like at the end of 19th century when health profession emerged, and if you think about the health elite, different kind of professions, you need technician, you need people with four-year degrees, you need people with advanced degrees to do research. But the same way, as you don’t say I’m a doctor, you have different specialization, or you have a technician, x ray-technician. The same is happening in cybersecurity, and community colleges, two-year degrees are fantastic. They are very hands on, technical education that prepares those technicians of the 21st century, right? So we don’t call this “blue collar.” We call it “next collar” in our strategic plans. It’s a technician in the very modern environment needed. Cybercrime scene. How are you going to secure that cell phone, right? That’s a technician. You don’t need four-year degree, right? A two-year technical degree is sufficient.

MR. STARKS: Yeah. This might be the last question we have here. We’re running out of time. Clar, are you satisfied with how the Biden administration has approached this issue? Does more need to be done, and what would you be advising them?

MS. ROSSO: Okay. So my favorite thing that the Biden administration has done with the National Cyber Strategy is introduced the concept that this is a whole-of-society problem, and that we need the cyber education and cyber literacy, we need in boardrooms and in classrooms. It has to be whole of society, and that we need to place the burden of security on those best able to do it. And we’ll see more coming there.

Where I am looking for something more is–this is a scale problem, and it is a rapidly moving problem. So we just can’t go to the well and look at the same small projects that we’ve done and hope we do them better. We really need to address the issue at scale, and in my opinion, one of the best ways that we have addressed the qualified cyber workforce at scale over the past–I say three decades; he says 25 years–is through certification. And that helps that nondegree professional. We have put hundreds of thousands. Our organization, ISACA, SANS and GIAC, CompTIA, we have put hundreds of thousands of qualified workers in the workforce, and we are all but not talked about in the National Cyber Strategy.

MR. STARKS: Yeah. So this was a very important conversation, but unfortunately, we are out of time. Clar Rosso, Victor Piotrowski, thanks for being here.

MS. ROSSO: Thanks for having us. This is great.

DR. PIOTROWSKI: Thank you.

MR. STARKS: And this concludes our program today.

MR. STARKS: To learn more about our upcoming programming, please go to Once again, I’m Tim Starks. Thank you all out there for joining us today.

