#123 Cybersecurity in Public Sector

on Wed Feb 15 2023 16:00:00 GMT-0800 (Pacific Standard Time)

with Darren W Pulsipher, Jim Richberg

In this episode, Darren interviews Jim Richberg, Fortinet's Field CISO of the Public Sector, about how cybersecurity differs across the public sector. The federal government's cybersecurity challenges and approaches are very different from those of state and local governments.


Keywords

#cybersecurity #ransomware #automation #government #people #process #technology


Jim has extensive experience in cybersecurity and the public sector, including as national intelligence manager of cybersecurity for the Director of National Intelligence. While working in the public sector for several years, he played both offensive and defensive cybersecurity roles. He is now working in the private sector as a Field CISO of the Public Sector.

Differences between Federal, State, and Local Governments

There are fundamental differences between the federal, state, and local governments, including funding, expertise in cyber warfare, and attack surface. Even the threat actors for each level of government are fundamentally different from each other. For example, the federal government tends to deal with highly sophisticated nation-state cyber-attacks, while state and local governments rarely see these types of attacks directly. This is primarily due to the cybersecurity preparedness of federal agencies compared to state and local governments.

Where the federal government primarily deals with attacks that gather data, compromise data or shut down assets, state and local governments tend to deal with ransomware attacks where data and infrastructure are held hostage. These attacks differ from the typical cybersecurity threats the federal government deals with daily and require different skill sets and cybersecurity positions.

The Cyber Talent Shortage

One common problem that all levels of government deal with is a need for cybersecurity talent. Most talent tends to move to the private sector, where salaries are higher. However, the federal government has attracted top talent through interesting “mission impossible” programs that appeal to people looking for challenging problems.

The same is not true for state and local governments, where financial resources are tighter and cybersecurity projects are less attractive to top cybersecurity professionals. This has left several state and local governments with a significant gap in cybersecurity talent and, consequently, vulnerable to cyber-attacks. Sometimes, local governments don’t have a strategic cybersecurity plan or a professional on staff.

The private sector is beginning to offer cybersecurity as a service for many of these local governments that need help finding and retaining talent in their organizations. These services include cybersecurity strategic planning, ransomware negotiation, cyber attack forensics, cyber threat detection, and cyber prevention technologies.

Ubiquitous Cyber Attacks

In the past, state and local governments rarely concerned themselves with physical attacks from other nations. However, because ongoing cyber wars between countries and states have no physical boundaries, there are times when state and local governments are collateral damage in these cyber battles. Often, targeted cyber-attacks from one nation to another have “gotten loose” and severely damaged state and local governments.

CISA has created regions to help state and local governments deal with cyber attacks that penetrate the borders of the United States. Additionally, state and local governments are beginning to share best practices, detected cyber attacks, and common vulnerabilities found in their infrastructure. Additional funding from the federal government is helping these organizations shore up their cybersecurity positions.

Critical Infrastructure Cyberattacks

One of the most concerning trends is the increase in attacks on systems that manage critical infrastructure, specifically power generation and distribution. Because the power grid comprises several private, state, and local government collectives rather than a centralized federal government agency, managing and protecting the nation’s power grid is complex and daunting. Larger organizations tend to have a better cybersecurity position than small municipal utility companies, which leaves the smaller utilities at risk of cyber-attacks. However, not all is lost in protecting our critical infrastructure, as organizations in these vertical industries share the best physical and cyber security practices.

Zero Trust Architecture

Jim and Darren agreed that the term zero trust architecture has been overused and has lost its impact, as the private sector quickly adopted the term and attached it to everything dealing with cybersecurity. However, they both agree that zero trust principles must be adopted in organizations to protect their valuable assets fully. These principles include verifying explicitly and continuously, using least-privilege access, assuming a breach, and automating context collection and response. These principles can be implemented through technology, process improvement, and training.

Podcast Transcript

Hello, this is Darren Pulsipher, chief solution architect of public sector at Intel.

And welcome to Embracing Digital Transformation, where we investigate effective change, leveraging people, process and technology.

On today's episode, Security in the Public Sector with special guest Jim Richberg, Field CSO of Public Sector at Fortinet.

Jim, welcome to be with you.

Darren, it's great to be here with you.

Hey, Jim, we had a just a brief discussion.

It was really interesting and you brought up some things and you wanted to go more.

You were so excited.

I said, Stop, Don't we want our audience to hear this discussion?

So I know we're going to have a great discussion day.

But first, Jim, tell us a little bit about yourself and your background.

Okay.

Well, thanks, Darren. You know, I spent.

This is my second career and I spent my first career in the other older intel community, not the people who use Intel products, but the U.S. intelligence community.

I spent 20 years for one of the three letter agencies, and then I was the national intelligence manager for cyber, for the director of National intelligence.

So I've seen cyber, you know, from both sides, played offense, play defense, helped build cyber threat intelligence, ran whole of nation cyber programs under two presidents.

So I retired from government.

I went to Fortinet, you know, one of the biggest cybersecurity companies in the ecosystem because it does a lot of work with government and I understand government and I was always good at being able to not only answer the immediate questions somebody had, but put it in a bigger picture and say, okay, this is a symptom of a broader problem.

And that's what I do a lot with public sector in the United States and also globally.

I think I was a cyber evangelist before we had term.

But before they were there.

It's it sounds like it.

So you've got a large experience in cybersecurity, in public sector.

This is great.

So and when you were talking says a not all public sector, cybersecurity is the same.

So well because not all the public.

Should have read on with that.

Yeah, I mean.

Let's let's stick to the U.S. just for a minute.

You know, federal, state and local are all different.

They're different in terms of resources.

They're different in terms of mission.

They're different in terms of the cybersecurity challenges that they face.

And, you know, let's look at who do you interact with as a citizen in the U.S.?

You interact with your local company.

You do a little bit less with state services.

Yeah.

When you go to get your driver's license.

But hey, we've been able to virtualize that and you do less direct interaction with the federal government.

So as we've talked about digital transformation, you know, it's been local government, the people who arguably are the least resourced, certainly in terms of human experts who've had to figure out how to do robotic process automation.

You and I were talking about, you know, chat AI and things that allow you to really use AI driven automation.

It's been more a back office issue for state and certainly federal government than it has been for local government.

So the paradox has been the people you interact with the most or arguably the least well-positioned to compete with the private sector in terms of offering those services.

End to our conversation, securing them.

That's that's really interesting when you think about it, right?

Because the things that you said, the things that are most important to us in our day to day lives are the least funded as far as cybersecurity protection and and things like that.

I mean, one of the one of the and again, I won't say all of the challenges are unique for each.

There are some common ones.

And one of them, frankly, is you and I come from companies that are well-resourced and can hire the best and the brightest people, including from government.

So government always is going to have a skills and workforce gap, especially acute in an area like cybersecurity.

They're people, you know, they get to a point in their career, their families say whatever, that sometimes the lure of public service gets outweighed by the fact that they can come work on innovative things for the private sector in cybersecurity.

So government is always is never going to hire its way to cybersecurity Nirvana.

They're always going to have to find smart ways to do it.

Or I come from the intelligence community.

They were always the farm team. In one sense.

You had people who came on because we had a unique mission.

It was challenging, it was stimulating, it was rewarding, you know, but for a lot of people, when they got to a certain point in even fairly early in your career, and they discovered a bureaucracy and somebody would come and say, Hey, you can come in multiples, This might come work for you to come work for me.

You know, that's a gap that they're that's a challenge that's going to transcend state, local and federal.

But the feds are better resourced at this and certainly local government.

Well, then that's what I was going to ask.

I mean, the feds, they work on some pretty fun projects, right?

So if you're a real techno guy, you're going to go work for the feds instead of Folsom.

The city of Folsom where I live.

Yeah.

And and, you know, again, I come out of the intelligence community.

They were doing Mission Impossible stuff that is cool to work on.

They're doing stuff that you're relying on your expertise, your your company and my company have.

But they are doing stuff that is, you know, Mission Impossible in some cases, and that's fun to do.

And some people I'm case in point, I stayed for 30 plus years doing that, you know, making a feeling like I was making a difference.

But not everybody.

I mean, frankly, I think even a minority of people who come into government are going to stick for a career in government, frankly, is starting to recognize that.

So they're allowing they're beginning to think about how do you bring people in who are mid-career, who come from the cybersecurity industry on the outside?

And we talk about and I'm hoping we cover in the course of this conversation the need for trust and the need for partnership, because neither the public or the private sector can do everything on its own.

And I certainly saw this in government when there would be a breach or an incident from the private sector.

We could talk until we were blue in the face about at that point, talk to DHS or talk to the FBI.

The reality is somebody in the breached company was going to call whoever they knew in government, whether it was somebody at that agency, whether it was somebody at marine fish and mammals, they were going to you're going to phone a friend and.

Somebody's friend Anyway.

Some of that social some of it is trust you built up by working together.

So the kind of being able to rotate people back and forth work in adjacent cubicles back when we were all in the office allowed you to really get to know somebody, to recognize what their interests were and develop that kind of trust that really is instrumental.

And I think part of the challenge for government is find smart ways to recognize are people who may come on and say, I appreciate public service.

It's an important calling.

I'm willing to come make a contribution for a while.

I'm not going to stay for a career, but I really want to give back for a while and similarly put people from government out in the private sector.

They become more. Than private sector so they can learn.

I'm sorry, things that.

So a question on that the the federal government can can attract more talent than a local, a local or state government can.

So what hope do they have to attract that talent that they need for their cybersecurity positioning and in how they do their work?

Or are there some unique models that we can maybe look at?

Well, and this is where it gets really interesting, especially in the United States local government is is you know, I talked to a lot of smaller local governments who don't even have CISOs, forget cybersecurity staff who are on government.

It's a contracted service, if you're lucky.

It's coming from elsewhere in your state.

It's not even always coming that way.

So they were having remote provisioning and remote services well before COVID and well before, you know, all of us in the white collar world went to remote.

So, you know, even the smallest state out there has critical mass at the state level.

There's a state CISO everywhere.

They all have, they may not have enough of them, but they have cyber security experts.

So they spend a lot of time helping, helping them figure out how do you how do you regionalize some of this.

So sometimes you recognize there are small jurisdictions that maybe they need to band together, they get critical mass, they become a big enough market, they get enough data that they can potentially solve it that way.

And sometimes that means it's done at the state level.

But then, of course, I recognize that there's a dynamic at play between state and state and local politics.

You know, sometimes if someone in a local jurisdiction doesn't want to have to do what they think, that, you know, the people in the Capitol state capital are telling them just as states don't want to do what Washington says.

So it's an attractive solution.

And I think a lot of it works by federal or by federating.

It not not at the national level, but within a state becomes a provider, critical mass, etc.

Some places have work, some places it doesn't.

But that's an attractive option.

You know, it's interesting when we were in talking about this, something puffed on my head.

It was the it was when we started moving west back in the 1700s.

I don't know why this popped in my head, but it does in the cyberspace as well.

You started getting groups of people that would work together to protect themselves against the Native Americans at the time or against the French or whoever was attacking them.

Right.

That they formed towns and communities and they formed counties that they had protection against their enemy.

At the time, what you were mentioning there is very similar right?

I've got cities and towns that are like, well, I can't protect myself from cyber criminals, so maybe I need to reach out to other cities or the state to to get that.

And now we have national defense, right?

And we have state militias.

And maybe there needs to be a call for a state cyber militia or a regional cyber militia, the same way that that we did back in the frontier days.

Well, in ironically, some of that is actually being done.

You know, the National Guard.

The National Guard, you know, the military is big on cyber.

We have, you know, Cyber Command right.

As a unified command.

And there are essentially cyber components in everything, including the National Guard.

And there are states where recognize and especially for small business and for local government and we saw this a lot.

It just helped secure the midterm elections.

Cyber experts from some of these National Guard units were called up by the governor and sent to actually help secure local election infrastructure, recognizing that these people had no internal expertise.

This was this is a governmental function, a governmental priority.

So, yeah, we actually did use expertise that was resident in one part of government to help another part of government.

Yeah, that's National Guard and Reserve.

Force, you know that. Yeah.

We're literally called up to, you know, to active duty to help secure election infrastructure, something a government can do.

They call it something governor could do.

But but what about a more generalized sense?

Because when we talked earlier, you said the attacks on local and state governments are different than the attacks on federal government for cybersecurity.

Yes, they're very.

Do you remember we talk about, you know, it's those citizen facing services that you especially have at local government.

But, you know, the existential problem when you talk to state and local government, you can't get far into a conversation without ransomware.

Coming up that is top of mind for those people.

You know, and I remember the first time I started reading about, you know, what is essentially a really tiny town in getting hit with ransomware and then paying, you know, $100,000.

And my first question was, where the heck did they come out of with that money?

You know, very quickly.

Well, turns out that was insurance.

We were talking about collective defense.

I mean, at the end of the day, cybersecurity, you and I both recognize this is about risk and it's about managing risk.

And one of the classic ways trying to manage risk is through insurance, transfer the risk to somebody else.

And that's one way to deal with ransomware that especially local government has said, I'm going to try to rely on transferring the risk to a third party, an insurer.

Now, the interesting thing, Darren, is I've been conflicted about this for a long time, about whether that really helps or hurts.

Because, yeah,

I was just thinking that myself.

Government budgets are public, they're public record.

It doesn't take much to go online and look and say, Oh, look, here's a payment from this town to Acme Insurance Company, and it's for this amount where you can pretty much guess what their coverage is.

You can guess when they get here.

Insurance policy, huh?

Yeah. Exactly.

So when they get hit for ransom, where does it come in for a billion bitcoins?

It comes in for that level.

And when you have a ransomware, the insurer comes in and takes over the negotiation and takes over the payment.

In one sense, insurance is good because, you know, you put out the standard set.

You know, they help to raise the tide of cybersecurity.

If you have to do certain things, you get a policy.

On the other hand, sometimes I feel like it's the it's a publicized easy button for saying, okay, this is going to be a quick payout.

I'm not going to hit these people who I'm going to have to explain how does virtual currency work with and where do you get Bitcoin from?

You know, they're they're negotiator from the insurance companies can come in, they'll settle the claim.

Yeah. I mean, these people work together all the time.

The negotiators are going high, you know, basically, you know, I dealt with you last week, you know, so insurance can help and insurance can hurt.

But for local government in particular, ransomware, I think has been the the top of my threat.

Elevate it to the federal government.

We talk about advanced persistent threats, those threat actors who have got sophisticated capabilities tend to be very clandestine.

They often do want to use the aviator's term, go low and slow.

You know, they're willing to get into a network progressively over time and they're trying to steal intellectual property or national security secrets.

And usually advanced persistent threat is a euphemism for nation state.

So when you're the federal government, you are disproportionately worried about being targeted by other nation states, less so at state and local government.

Now, you may have, you know, a country like Russia where their doctrine is you go for the soft underbelly, you distract the adversary.

So especially with what happened in Ukraine, I've heard an uptick in state and local government saying, oh, my gosh, am I maybe in the crosshairs for something happening around the world?

Or, you know, remember the NotPetya botched ransomware, which is really destructive malware in 2017 that which launched into Ukraine but very quickly spread globally.

These people say, am I, you know, at a minimum at risk of being collateral damage for a cyber conflict being waged on the other side of the world.

That that is really interesting that you brought that up, because normally a small town is like, well, I'm protected.

I'm the middle of the United States.

I'm not going to be in a war.

Right.

Because I'm in I'm safe and protected.

But now because of the Internet and because of virtual everything's a digital economy, I can now be attacked from Ukraine or Russia or China or North Korea or who knows, or some scripted high school student somewhere.

I can now be attacked from anywhere in the world.

That that's kind of as kind of worrisome as them.

Well, and Darren, sometimes it's on purpose and sometimes it's not even intentional.

You know, I remember about ten years ago when we saw one of our adversary, nation states, starting to look at critical infrastructure in the U.S. and starting to scan industrial control system, ICS components.

And they were looking for things really in you know, in pumping.

They were looking for things in the energy industry.

Well, guess what?

It turns out that a lot of those same components, programmable logic chips get used in elevator systems, in buildings.

So all of a sudden, real estate across the country starts, you know, starts getting hit by these people, not because a bad guy wanted to seize control of the elevator and never let you get off.

But because they were they were looking got out through too.

Yeah.

They literally ended up in places even they didn't intend to be.

You know.

So part of this is, yeah, you need to worry that they may go after you intentionally.

I mean if you're if you are in a cyber, if you're in a geopolitical confrontation with the U.S. and you can cause bad things to happen, alarming things to happen in the U.S., then, you know, you arguably will distract us.

Russia has this doctrine of escalate to deescalate, and that can mean broaden the conflict.

So, yeah, sometimes you worry some of these more forward leaning local government people are saying, you know, you're right, this is the first time that I might actually be targeted because otherwise I look at it and go, Why would they come after my watch?

Why do I keep yeah, why do I care?

I'm just a sweater.

I can't I'm just a small municipality or whatever.

Yeah, but certainly was NotPetya.

And the fact that it spread globally rapidly and it was destructive has made some of them say, look, you know, to your point, we're all interconnected.

This is globalized services.

And we certainly saw with something like SolarWinds that everybody's using the same things and inherits common vulnerabilities.

They may not recognize they have.

So it's especially scary for local government.

But then put yourself in the shoes of, you know, a federal CISO. They know these people are coming after them and a lot of them also move large amounts of money.

So they need to worry about the criminals coming after them as well.

So they get, if you will, the worst of both worlds.

Right.

But on the other hand, their beliefs are.

Exactly.

Yeah.

That they are in and they know the space really well.

So I understand that.

Now, you you mentioned something I want to dive into a little bit because it's dear to my heart and that is critical infrastructure, security and you mentioned industrial control systems because CISA has a list of what, but not all of them have industrial control systems as part of it.

I worry about that part because they're actually affecting the real world as we know it with pumps and motors and sensors, and they're controlling dams and energy production and oil movement.

And it there's a lot in that space.

I really worry about this stuff because the traditional model that they've been using in the past, which is isolation, which is the Purdue model, is starting to crumble.

And I mean.

It seems like we're vulnerable.

I mean, do you see that as well,or is this just, Darren, paranoid?

Because I don't know enough about it?

Well, I mean, I think the day, you know, we used to ten years ago talk about the first line of security for for operational technology and for ICS components was the air gap.

As you said, they were connected through to the Internet and security through obscurity.

You know, a lot of these things were around for a very long time.

And who knows where to go find that old component?

Well, thanks to search engines, it's all discoverable.

And now, you know, just as we have digital transformation, you know, connected everything in our lives, you know, from our watches to, you know, our refrigerators to the Internet, that's happened on as well.

And I remember 15 years ago, if you had an old system that was Internet accessible, it was probably because someone had made a mistake, they'd forgotten to shut something off after maintenance.

Now, you know, I'm hard pressed.

For they put a patch cable between two switches for a.

Yeah.

You know, when security and convenience clash, the convenience always wins.

You know, people want to get the job done.

That's job People want.

But now, you know, I think it's almost by exception other than something like nuclear power plants assume I assume in my conversations with organizations that have what is the what is connected to the Internet and in many cases this connected connected to the corporate I.T. as well.

So that air gap has gone in and that has implications.

You said that we have the 16 critical infrastructures.

They all have a lead federal agency to be their partners.

The federal government has carrots and sticks.

I mean, it can give you an incentive to do something or it can create a requirement, whether it's a regulation or, you know, the the legislative branch gets involved and actually passes a law.

We try to shape behavior.

And obviously you win more friends, you get farther if you can, you know, use persuasion and incentives to do something rather than say you must do this.

But, you know, the federal government tries to shape the way these critical infrastructures work.

And part of that is sharing information with them.

You know, so they all have information sharing and analysis centers, ISACs.

They all get information.

But to your point, Darren, it's not one size fits all.

It's a microcosm of the conversation we had about the public sector.

All 16 sectors are critical.

That's what you know, what leads them to be that way.

That's in the definition, right?

But there's a subset of them that, you know, they're called systemically important.

I mean, I hate this.

I actually I hate and love this acronym, six systemically important critical infrastructures.

You know, you know, there's three or four of those.

But, you know, at the top of the list there and I call this the supercritical the hyper critical infrastructure of all is power, is energy power, generation of power transmission, because take that away and in very short order, the other 15 are going to shut down.

You know, you run out of backup power, you're dead in the water no matter.

Yeah, that's, that's or protection.

Yeah, that's, that's true.

I didn't think of that right.

Without power, our economy comes to a screeching halt.

All the other critical infrastructure comes down.

So in.

American power, General, nothing.

Yeah, Yeah, exactly.

So how secure is our power grid?

Which a good. News, bad news story there?

I mean, the the you know, the it's it is a highly diversified vertical sector.

You know, you've got, you know, four or five big tower companies at the top that are really capable.

And then on the other hand, you have small rural electrical cooperatives that, you know, it's 25 to 50 people providing power for a couple of counties.

They don't even have a full time I.T. person, much less a security expert.

Now, there's fairly much resilience built into the grid.

Mother nature stress test it for us all the time and we've got this big interconnects in the electrical grid.

But, you know, they're used to dealing with things that cause problems so you can lose a certain number of players and the resilience will kick in the problem is, you know, a lot of cascading failures when something goes down, it puts more pressure on the other things.

You know, you lose enough of them and it becomes something that causes a bigger problem.

And again, it's something where there's there's an issue of power generation and then there's an issue of power transmission.

They're related, but they're separate problems.

And we've seen even on the physical side, when we've had people running around shooting at power substations for electricity, it turns out we don't have a huge it's not like you go down to Home Depot and get new generators and new, you know, this is or.

Insulators or whatever, they. Can go.

We don't keep a lot of that stuff.

It's just in time, you know.

You know, So there is some fragility there, some resilience as well.

But the big players, I think, are in relatively good position in terms of their security and their maturity.

It's the small guys you got to worry about.

You can lose a certain number of them without reaching critical mass.

But you know, you never know.

Remember, some power outages, that one that turned out to be a squirrel chewed on a line and, you know, and it led to this cascading failure here in the Northeast 15 years ago, which Murphy's Law strikes in weird ways.

But I worry more about power than anything else, because if you lose that one, you know, we're all we're all down and not just critical infrastructure.

Well, society, you know. Society.

I mean, we experience that in California quite a bit because of the forest fires that we have.

We and we've seen a major shift in power grid.

They they move from really large grids to microgrids so that they could shut off instead of several counties.

At the same time, they could shut off just a community where where things were.

So I am seeing some change on the physical side and I'm guessing similar on the cybersecurity side as well then.

Yeah, Yeah.

But, but you know, to sort ofbring the conversation back to government,it's this is a real challenge.

It's local governmentwho really have been the onesinnovating in a lot of the digitaltransformation that they've been doing.

I think COVID for them, you know, putso much more stress on local government.

You know, the two months after March 2020,we watch unemploymentinsurance applications which go to stategovernment spiked by 3,000%.

At the same time,they sent their workforce homeand were working less efficiently.

Well, robotic processautomation, chat bots,that was a lifeline for get peoplefeeling like you're taking my job away.

This was the only thing that was keepingthese people from from sinking,you know, so so innovation becamereally, really critical and we innovated.

It's just likewe sent people home with laptopsand you wanted that kind of connectivityto occur and to occur securely.

Well, you can measure whether it'swhether it occurred or not.

Did they have the devices?

Do they have the platforms?

Do they have the bandwidth?

We couldn't directly measure security.

And I think in the year after COVID,we watched ransomwareand against statelocal government spiked by 1100 percent.

And most of itcame in through these endpoints.

People are working at home.

This is not industrial grade security, which they may or may not have had in the office, but they almost certainly don't have it at home.

And, you know, and that was a new systemic weakness and it got exploited.

So, again, there's a lot of pressure on local government, state government.

But, you know, the paradigm is changing and, you know, one of the buzzwords in cyber security of the last couple of years is zero trust.

You know, I've always been conflicted about this.

I come from the national security community.

You know, in one sense, I call this when old wine in new bottles.

You know, I come from a community where we were all about information was only you're in California.

You go, Yeah, I like that.

But, you know, we talked about need to know for access to information.

Heck, I worked at a in a facility where you couldn't even go physically to some parts of the building if you didn't have the right kind of badge, the right color badge.

So we were about segmentation and role based access control before we even had that term.

So, you know, zero trust, you know, the idea that you want to you will bestow trust, but it you want to verify the user, the device, the activity is something that allows you to say I don't need to work in a perfectly secure environment to be able to secure the data, the process processing.

I can make this all work now.

Zero Trust is a terrible name because especially for people in the public sector who may be making financial sacrifices to stay there instead of work for you.

And I, you know, you say, wait a minute, I'm you know, I'm in a position of public trust.

But now you're telling me you have zero trust in me.

I'm not trustworthy. Yeah.

That's not trustworthy.

And that's not really what the paradigm means, but that is a tool that allows you to say, okay, I can allow you to work on the same network that your kids may be doing.

Who the heck knows what going to interesting places.

And yet the the work you're still doing for me in government is secure or secure or and guess what?

It's just not Big Brother looking over your shoulder.

This is a safety net because I learned this in my time in government.

You know, if we in security stand in the way of the mission, people are going to get the job done.

They're going to do what they have to do to get the work done.

Security needs to not be Dr. No, you know, you can't you know, we have to give you tools and procedures to get to do the work.

So is zero trust becomes a way of saying, I've got your back.

If you make a mistake, this is a safety net that may say, did you mean to do that?

Did you know this is unusual?

I'm going to stop it.

I'm going to block it.

I may even warn you, because this is not Orwellian big brother.

This is this is something where we recognize security is trying to help you get the job done.

Well, and I like what you said about zero trust because I felt the same way around it.

It's a philosophy, non architecture and and what I saw was we're bundling things we've already said were best practices in the cybersecurity realm with a couple small changes like temporal access.

I only have access or authentication for a period of time where before we always said, Oh, I got you got access, you got access forever.

That has changed and I think that's a good thing.

So but I think Zero Trust to me is a philosophy that brings all the best practices together, and that's why I don't like the term either.

I agree with you. Yeah, Yeah.

But here's the interesting thing.

You know, it came from government.

It came from the federal government.

You know, they created this, you know, before we called it Zero Trust.

We were operating that way.

We had you know, we had segmentation of data before segmentation was was even a thing for the private sector.

They had flat networks and then the private sector had a series of breaches, high profile breaches about a dozen years ago, and they figured out how to work globalized enterprises where you needed to access the data, sometimes even have sensitive access in the to the data and to be able to secure it at scale. And I was and yet government didn't realize that this could be done.

I had people in government as I retire at the end of 2018 who still said zero trust.

The only way to do zero trust is to air gap and then to watch your network from within.

And I said, No, we've learned how to do this.

Now that I'm in the private sector, I see this.

Well, it took the executive order and President Biden signed in 2021 where the federal government said, we're going to move to zero trust.

We're going to move there very quickly for government to then look to the private sector for the solutions.

And government has federal government has tended to be good at generating the intellectual construct for things.

So in, you know, the NIST cybersecurity framework, which I helped build the first one.

Yeah, yeah, yeah.

Was intended as a model for risk management in the federal government and it took on a life in the private sector and arguably became an international standard.

So the government tends to be good at framing a problem in a technology and vendor neutral fashion.

The people on the outside go, Yeah, that works for me too.

So in the case of Zero Trust, the government put together a strategy of multiple strategies.

They put together a maturity model, they put together, you know, a list of a way to do it that the people in the private sector said, Oh, this works for us too.

And the private sector then has served goods and services that map back to that.

So they're able that. Can support you. Yeah.

For government and for the private sector as well.

So it's an example of a partnership.

The government could drive things intellectually where if any of us did it, people would go, okay, well this is about competitive advantage for your company.

Yeah, yeah, yeah. What are you selling me? And the rules of the game.

The goalposts all got set, you know, by by government for its own purposes.

People agreed it made sense, and they were all marching down the field the same, you know, playing by the same basic rules and with the same equipment.

So that's an example of a partnership.

Yeah. Yeah.

Jim, this has been a wonderful conversation and we could go on for hours.

I know we could, but we're out of time, so I appreciate.

Do you have any, any last words for the people that are in public sector, whether they're at state and local governments or federal governments, any last words of wisdom on cybersecurity or how to move forward?

So so Darren, I've been talking a lot about the differences in the different parts levels of government, but there really are three common problems, and I want to touch on this really quickly in closing.

One is they're all focus now on how do they integrate security across their government.

That matters, whether I'm trying to do departments in my local government or agencies, the federal government, you know, it's a two part problem.

I want to understand what's going on, situational awareness.

I want to drive integrated response.

And I've seen a number of different ways to do that.

And building blocks to apply for.

So, you know, don't reinvent the wheel.

Talk to others about how to frame that problem, break into bite sized chunks and make progress on it.

The second piece of is work with not against technology trends.

I mean, we're seeing increasing power driven by the things you all put together, an intel driven by the kind of things we do here at Fortinet.

There's increasingly convergence between things like networking and security.

The same products can do both things, so you can zero trust.

I can get the kind of connectivity that I need, and it's innately done in a fashion that's secure.

So work with Moore's Law, not in opposition to, you know, so so that's the second piece of advice.

And the third is partnership.

You know, I ran intelligence, I ran threat information.

You can't secure yourself against a threat that you don't understand, much less that you can detect.

And then so build these bridges within government and with public and private sector.

But the thing that drives me crazy is especially at national government, people say, I've got a problem.

I'm going to roll up my sleeves and build a solution from scratch.

Why don't you look and see what somebody else is doing.

What someone else has already.

Done or something in the private sector.

If you need to make tweaks, that's good.

But it's, you know, odds are really, really high that somebody else has already thought of, addressed and probably solved that same problem.

Oh, that's awesome.

Jim, again, thank you for coming on the show.

I appreciate the conversation.

I learn every time.

Every time I do this, I learn something new and today.

Must have I learned a lot. So thank you.

That's my pleasure.

Darren, I as you can tell, I'm passionate about this.

Thank you for listening to Embracing Digital Transformation today.

If you enjoyed our podcast, give it five stars on your favorite podcasting site or YouTube channel, you can find out more information about embracing digital transformation and embracingdigital.org. Until next time, go out and do something wonderful.