President Joe Biden has four years to strengthen and possibly rebuild the nation’s cybersecurity posture, but the first 100 days in office will likely set the tone for how cyber is prioritized.
SC Media spoke to Ron Gula, former NSA hacker and cybersecurity investor through Gula Tech Adventures, who has advised Congress and the White House, about what those first 100 days should look like and why, in the wake of SolarWinds, it’s time for the cybersecurity equivalent of a Dr. Anthony Fauci to lead the charge.
The U.S. has a new administration and we’re still dealing with the fallout from the SolarWinds attack – all during a pandemic. Do you think our cybersecurity literacy is where it should be?
As a nation, the average citizen is still not [aware]. One of the reasons they don’t understand it, is we don’t really have sort of a Dr. Fauci for cybersecurity. I mean, the first time a lot of people heard of [former CISA Director] Chris Krebs was when he got fired. And then it became a support Trump, not support Trump issue versus what was this guy doing before. I believe when you look at Anne Neuberger going to the National Security Council and rumors of someone becoming a cyber czar, what we really need is a Dr. Fauci of cybersecurity. We need someone to go on and not talk tech but relate [cyber] to Chinese economic predatory practices, talk about how personal data might be hoovered up by Facebook, talk about how a small business might be targeted by Russia to break into the Pentagon. That’s just simply not outside the cybersecurity industry.
Why do you think that is?
It’s a few things. There is a lack of what I consider leadership. Who’s really in charge? So, if you look at NSA’s statement that came out on SolarWinds, there’s like nine agencies on that. DoJ, Cyber Command, NSA. It’s not like people aren’t doing work, but it dilutes the message. The NSA hasn’t said [SolarWinds] was the Russian government. They said it was a Russian entity. Those are the nuances that the general public doesn’t know, because we don’t have good cyber citizens who learn how the internet works in the same way that they learn about how banking or life insurance or credit cards work.
The nation’s divided and that’s not new. During COVID, I was really hoping that everyone understood that my computer is not that far from you; that we have a shared risk from a cyber point of view. That message was starting to come out when everybody was dealing with Zoom bombings for school meetings, but that opportunity was never capitalized on by the cyber industry, because we’re still focused on enterprise tech and not the other 90 percent of America.
If you don’t have knowledgeable cyber citizens then don’t you put everything at risk, even for business?
I’ll give you a good example. We have the Cyber Maturity Measurement Certification (CMMC), the DoD standard for supply chain. And I have friends who work on it. They told me the pushback from industry was ‘why are you taxing us?’ In the meantime, that same industry could not have detected or stopped a SolarWinds exploit. You’re talking about an approved piece of software compromised, and now does any of that supply chain have monitoring in place to find this? Absolutely not.
The government was making good headway with the Cyberspace Solarium and CMMC, but then COVID happened. And obviously, the health and well-being [of citizens] is more important than my computers, but if SolarWinds had been a destructive worm and not just an intelligence operation, that could have been an actual act of war and we could have been in a hard position to respond.
The general public doesn’t realize that a lot of these major attacks could be done by small cyber businesses here in the U.S. It doesn’t take a nation-state to pull off something like SolarWinds. It takes patience, it takes funding, it takes know-how. I love it when people jump to the fact that it’s Russia or it’s China, when the reality is that there are hundreds of threat actors out there that could pull this off.
Has SolarWinds – and incidents like it – eroded public confidence in the government’s ability to protect us from cyber threats?
I don’t think the general public understands that Cyber Command’s role, Defend Forward, is to find those people and interdict them before they do something like the SolarWinds [attack]. So in many ways, you can say it’s a failure. But maybe they stopped a hundred other attacks and should be commended for being 99% effective. We don’t know, because it’s [classified] intelligence, but the public sees it as a failure. I think a lot of people in intelligence are going to tell you sometimes you win, sometimes you lose. When I talk to folks at the NSA, they seem to be very satisfied with the work they’re doing. It’s just hard to communicate that to the general public.
Let’s circle back around to the notion of a Dr. Fauci for cybersecurity. What type of person would that be? What characteristics are important?
So it’s got to be somebody who has the ability to speak to politicians, to speak to the public and to speak to the folks who are actually doing the work. And [he or she] has to be fairly consistent. My choice would be somebody like [former NSA Deputy Director and Cyberspace Solarium Commission member] Chris Inglis. I volunteer at the Wilson Center as a global fellow and I’ve seen Chris come in and basically teach cybersecurity, cryptographic policy, governance, command and control to staffers in a bipartisan manner and do an amazing job. Frankly, then he communicates the same thing to a group of Navy cadets going through cybersecurity training. You need somebody who has that much command of it. I thought his involvement in the Cyberspace Solarium was really good and he’s got the right temperament. Like Dr. Fauci, some of the questions he answers are way, way below his pay grade but how he answers them is so important for confidence from the general public.
But what about resources?
So, it’s interesting, we don’t have a CDC for cyber. I think the general public doesn’t understand that Cyber Command is there to protect the DoD. DHS, CISA, is there to protect the civilian government. They might share information, they might collect information but they’re not there [to protect the public]. They’re a really good partner, but their job is not to do that. From a resources point of view, I would start talking about what we could do to get industry more involved in the defense of the nation, very specifically the other 90 percent. It’s great that we can spend more money to make it better for Citibank and Capital One, but what about the auto dealers? What about the small hospitals? What about those stressed by COVID? So, I would like to see policies that really inspire and energize and invest in the commercial industry. The CDC is really defending the country in health care. I’d love to see something like that [for cyber].
Is that something we might see?
When you look at Australia and the United Kingdom, they’ve got organizations that do offensive and defensive cyber. It's a one-stop shop. The problem with the United States is it's so complex. We have such a leadership position when it comes to software development, cloud and telco; we’re not going to have one agency that can do all that. It’s not as simple as Space Command where flying airplanes and flying satellites are different things. What is cyberspace? It is this weird [combination] of social issues, technological issues, sometimes borderless issues. The NSA doesn’t get enough credit for the work they do. If you look at that organization and you combine it with CISA, now you’re on to something. But you’re still kind of focusing on preventing government cybersecurity issues.
Five years from now we’ll be talking about fighting cyber wars inside the Amazon infrastructure, inside other technologies that are out there. We really need to be thinking about bold changes.
Before we sign off, what would you like to see happen regarding cybersecurity during President Biden’s first 100 days in office?
We need to pass as much legislation as proposed by the Cyberspace Solarium. I mean stuff like tax credits for retraining to cybersecurity. The Trump administration was anti-regulation; that’s kind of the cloth they’re cut from. But I think the Democrats will be more open to legislation.