Join us on Tech Transforms' Federal News Round-up segment, So What?, hosted by Carolyn Ford and Tracy Bannon. This week, we talk to Katy Craig, retired Navy Chief, now Adjunct Faculty at National University and Director, Security Architecture at Aquia, Inc., about some of the biggest news in the federal space. Listen in to hear her thoughts on deepfakes, non-traditional warfare, and President Biden's recently released announcement to protect against cyber attacks.
Carolyn: This week, we are launching our newest series, 'So what?' It is Tech Transforms' federal news roundup. Every month, Tracy Bannon, senior principal at MITRE joins me to unpack some of the biggest trending news topics in federal technology. Tracy, we've been trying to do this, make this happen for a while. I am so happy that this is our inaugural episode.
Tracy: Thank you. I'm really excited because there's so much incredible stuff going on and we keep talking and now we want to talk with others and I'm doubly excited to have a good friend and mentor with us today for our first episode, Katy Craig.
Carolyn: Yes, and Katy is a return guest. We've had her in the past on Tech Transforms and Katy is Aquia's chief of staff, cyber security expert, and retired Navy chief. Today, we're going to talk about, really the number one headline in the news these days.
We keep hearing terms like nontraditional warfare, which is essentially the fifth domain of cyber, and President Biden's recent cyber security fact sheet. And just what it all means, like why is it all happening right now? And I want to just go straight to President Biden's recent announcement, this fact sheet that is. It's titled 'Act Now to Protect Against Potential Cyberattacks'. I want to go to you Tracy, and just unpack this for us. What does it mean?
Tracy: So I believe it was March 21st, the White House released this set of guidance and it is really practical, general guidance. And it really is focused on two different areas. It's kind of like for everybody, for corporate America back up your data, use multifactor authentication, encrypt your data. There's also a call to arms, to tech companies and software organizations that says, you know what, there's a NIST standard and we have an order out here, it's order 14028. We can provide all the links later.
But those two things, they're saying we got to get real about this. And the reason that it came out now is that we need to hear it now with all of the things that are going on in the Ukraine. It was an opportune time. We've had all kinds of security incidents and breaches and other things over the last year or two, but there are some shockers that are coming to the surface that made this very timely for the White House to release this guidance.
Carolyn: So you really feel like this guidance came out because of the war in Ukraine?
Tracy: I think it was probably teed up before that, probably for quite a while. None of it goes very quickly. Any kind of guidance that comes out in this way has good generalized information. I would've put it out a year or two ago at least, if not before that. So for me, a little late to the game, but I'll take late because it's there and we've got to have a full-court press around this.
Tracy: I'll say the one thing that I found super curious in the entire set of materials was that there is a call that says, "Hey, all of you corporations, doesn't matter how big or small you are, get to know your local FBI field office or your CISA regional office." Which is your, I think it's Cybersecurity and Infrastructure Security Agency. I thought that was curious because it kind of meant to me, it was kind of a leading indicator that there might be more that's on the horizon that we're not anticipating, if I need to have a relationship with the FBI.
Carolyn: Interesting, this is a call to our federal agencies and to industry to commercial.
Tracy: It is absolutely. The first section is a call to corporate America. Hey, corporations do this and get to know your FBI field offices. The second part of it is all around tech companies and software companies. He doesn't necessarily directly say, "Hey you government agencies, hey DoD, hey IRS, hey any of your organizations." It's for the population. This is a broad sweeping set of recommendations.
Carolyn: Katy, do you want to comment on the significance of the timing and just this announcement in general?
Katy: Yes. I agree with Tracy that I think it's probably been in the works for some time, better late than never. I think the encouragement for agency or organizations and industry to reach out to CISA and FBI speaks to both pre-positioning for if something else does happen and we have to coordinate. It will be helpful for organizations to know their local FBI and CISA rep.
Katy: But it ties back to the executive order that he released on zero trust, 14028, Tracy mentioned. There's guidance in there for government agencies to encourage vulnerability reports. Almost like if you find something vulnerable in our site or any of our systems or services, please tell us.
So this move toward transparency, it's new and it's not yet been codified. Don't forget, there are still some states where if you report a bug in a website, they can arrest you for violating computer privacy statutes and regulations.
So this is very curious because it's kind of out ahead of the legislation, but it really does point to, we need to be transparent. We can't have silos. We have to share the information across, especially if we're worried about critical infrastructure, like we are.
Carolyn: Okay. You've talked about this a lot, Katy, about trust in culture, our work environment culture, and you just said that if I report a bug, I can get arrested. How is this going to work? If we're being called to, if we see something, say something, and oh, by the way, you might get arrested. Did I just interpret that wrong?
Katy: No, you didn't. That's the conflict that currently exists and why government and the administration is making it very explicit and overt. Please get to know CISA, get to know FBI. I'm sure there's federal encouragement across the states to update their cyber legislation.
Katy: Because the law currently is like, if you hack, or if you use a system not for the intent that it was meant to be used for, the laws are currently written to punish the person who got in.
So it's a sticky wicket, something that I'm sure they're thinking about. But to me, that's what I hear the president saying. Like, we know that we have been very discouraging in the past when you let us know we had vulnerabilities in our systems. That time's over. We want to encourage, we want to have bug bounties, we want to splash on our pages that say, "If you find anything, let us know." And so I think that's really what's being discussed here. It's time for us to be more trusting and transparent between industry and government.
Carolyn: Okay. I see. So this fact sheet is hopefully a way to build some trust back.
Katy: It restates what's in executive order 14028, which encourages more transparency, which tells the federal government, you will be more welcoming to vulnerability reports. So that is the direction we have to go in if we expect industry to do this with us, with the government.
Tracy: I mean, at the core center of this is getting back to trust, trust, and trust. Which is boy, that's quite a commodity right now. And I don't mean that in a negative way. I mean, it's hard to come by trust and trustworthiness at all different levels, interpersonal, corporate, governmental, government to government. It is messier than it has ever been. And yet now is when we need more trust than we've ever had, or at least the scaffolding to provide us with that trust.
Tracy: I kind of think that's where you're going, Katy, is that this gives some scaffolding. If we're going to be transparent, this gives more scaffolding to people to react.
Katy: Yes. I mean you think about private industries, they're not required to. And so what incentives do they have to be open about a vulnerability they've discovered, right? So it's going to take some time for policy and legislation to catch up, but I agree. The scaffolding, it needs to be in place so at least there's a means and a method for sharing the information, especially if something major happens.
Tracy: And do you think any part of this was driven by, the timing of this was driven by what we're seeing in the Ukraine or any other catalyst moment?
Katy: Yes, I do, I think we've seen this before this isn't new, right? We can think about the last time critical infrastructure was brought down by cyber. There's been several incidents in recent history. I mean, we saw the signs, the intel was there, and when Russia annexed the Crimea, they used cyber also. I think all of us are seeing the impacts of the Russian invasion in Ukraine.
Some of the coverage, how certain American social media companies like immediately shut down. The fact that so much of our world economy is supported by cyber, by the networks, by internet protocol traffic, logistics is impacted, all of it. There's so many ways to hurt a state or a country. And cyber is a very low barrier to entry now.
Katy: And it's kind of like, what can you trust if anybody can get in there and start mucking around with your networks? I think the fact that Russia and Ukraine are at war, it's obviously a catalyst for why President Biden is paying more attention to the fifth domain, in my opinion.
Carolyn: How important is the fifth domain in any war, but specifically right now with the Ukraine?
Tracy: I think it's front and center. We're watching what's happening on the ground. We are seeing new technologies like the usage of drones, and so we're seeing sixth gen and other UASs. So the autonomous vehicles, unmanned autonomous vehicles. But at the end of the day, we're also seeing this dramatic impact on the different pieces of cyber, how we can impact the population, how we can impact the country, how we can shake the foundations in very different ways.
It's not only mucking with the network as Katy would say, it's not just that. Also, it's being able to find different ways to affect people groups. It's interesting, my daughter did some studies in how social media could help as there's new government uprisings. And she was looking in the Middle East a number of years ago, and I paid attention to it a little bit, but didn't apply it in my day to day. Until this Ukraine thing popped up on the horizon and we started to realize how much you could influence a population.
I mean, think about the deepfake that came out in March about Zelenskyy. It was very poorly done, thank heavens, and he had already prepared for it. But here he is in this deepfake.
Tracy: If you're not familiar with what a deepfake is, they can sample enough of your different recordings of you and your voice to be able to put together an algorithm of you saying something.
And there have been some famous ones of Tom Cruise and other people that are wonderful and fun. This wasn't wonderful or fun. This was Zelenskyy saying, "Hey, countrymen, we're going to surrender." And he very quickly, immediately shot back so there was that fast credibility. It was poor quality, and he immediately was credible to come and say, "This is bunk. This is not me."
But just imagine, imagine as those deepfakes get better and better, that's got to scare people. Not just from a government perspective, but that has to scare corporate America as well. Katy, are you seeing people concerned about deepfakes or doing anything to obfuscate or to protect themselves or, what do we do about that piece? That's such a scare. For me, I normally don't believe something. I go and look at it. Well, now I'm going to look at it and now I find out that my reality is bunk.
Katy: Yes. I'm scared too. I don't even know how to respond. I mean my mind is churning like how would I validate it? Because I usually believe my eyes. I'm like you, I go and look it up. I want to validate what I'm being told or what I'm reading. And so these deepfakes are super concerning. I know that there are people who are less skeptical than I am, who just believe what they see or what they hear. I mean, like even in my own family. So I do get very, very worried about that type of technology in the hands of very skilled propagandists.
Tracy: There are a couple of companies that I'm learning about who are debunking deepfakes. They've got algorithmic techniques that they can figure out very quickly if it was manipulated.
Katy: Fantastic. That's what's wonderful about cyber, right? Something happens that we didn't know or didn't have before, and maybe it's used for bad. So up springs a counter force to fight for good. And so that's how the cyber domain keeps evolving. We don't even know yet what the future's going to hold really.
Carolyn: So yes, we talk about the deepfakes and they are very scary. And then I think about guys on the ground that are fighting with guns and dying. How does cyber tie into the kinetic part of warfare? So we hear this untraditional, nontraditional warfare. I was like, that's not right. So deepfakes definitely like the psychological part of it is devastating, but I feel like there's a tie into the kinetic part of it too, from the cyber angle. Can either of you, Katy, can you speak to that?
Katy: Everything's enabled by cyber, so it's not any different for armies and navies either. And you know, like Tracy was mentioning unmanned craft, autonomous vehicles, that is the future of warfare. When you think about like Navy ships out in flotillas, they chat. I mean to be sure there are fallback methods. But when you think about GPS and timing and how easily you can take down a force's ability to fight back by attacking a logistics chain. Or disrupting their air traffic control, all the systems, all the infrastructure that is facilitated by cyber then becomes part of the battlefield.
Katy: And so the fifth domain, cyber, being added to sea, air, space, and land, that's been in there for quite a while. I think DoD has been dealing with cyber as a war-fighting domain for well over 10 years. So now it's almost like in a lot of ways, it's still the same as the other wars in the past. It's just, we have better means and greater reach and technology is just making the battlefield and the war smaller. But psychological operations, propaganda, misinformation, those have always been part of the approach.
Carolyn: And easier to do because of cyber.
Tracy: It is easier.
Katy: Low barrier to entry.
Tracy: It's a much lower barrier to entry. Again, going back to the deepfake mentality, before it might have been a leaflet or a pamphlet, right? A couple of generations ago. I could choose to read that and say, it's bunk or it's real. But it's much harder when you are looking for right, we used to turn on the TV to get on news and the news was true. Now, what do we turn to? And I'm not talking about news sources. I mean, what if that deepfake, getting people to identify that as early as possible.
And Katy, you brought up something else about trying to reduce the number of humans on the battlefield. It brought to mind an example of a cybersecurity, one of many, many, many cybersecurity risks. If we're thinking about a drone, for example, if we're thinking about the ability to have unmanned weapons. So there's talk about what that's going to look like in the future.
Tracy: There are a number of different protocols that are being discussed on what you can and cannot do. But imagine the situation where they send an armed drone to take out a tank. From a cyber perspective, somebody taps into that and changes the algorithm. So it's not really seeking a tank. It's now seeking a school bus.
That potential is hyper-scary from that perspective when we think about tapping into networks. So the core of all of this, our ability to rapidly identify, predict, identify, and to deal with cyber is an amazing thing that we have to double down on. And I know, Katy you've been in this space for a long time dealing with that. But how does that change or do you think it changes? Do you think it amplifies what we're doing these days from a ZTA and from looking at the threat modeling? Does it change the threat model? Does it make it bigger?
Katy: Absolutely. It does make the surface bigger, but arming an autonomous vehicle with live ordnance and then pointing it at an adversary's infrastructure or enemy armored vehicle, I don't know how soon we're going to get there. There's just so much like international laws about armed conflict that I think would have to be revisited. It's still kind of a gray area when we cross from cyber to kinetic. Whether or not the nation is justified in escalating to kinetic, for example.
Even today we're not really responding or hacking back. If someone hacks us, we say we're defending forward.
Katy: Nobody's really stepped out there yet to clearly define how using cyber with kinetic impacts, how that's changing the laws of armed conflict. I don't think we're going to be able to answer that today either. But it's definitely introducing far more complexity and it's moving so much faster than we can actually codify and update laws and policies and treaties.
Tracy: And I think it's going to depend on the different nations, right? The different actors in all of this. My question kind of came from some reading I was doing. I read a book recently called 'The Kill Chain'. I think it's by Cameron Boozer. I'll find the name and post it out.
But that led me on a little bit of an afternoon Google chase one day, trying to understand. And there have been some recent tests by China that would point to them preparing and trying to figure out how they would do this....