Episode #6 - Kiersten Todt - Protecting the Nation and Small Business in Cyberspace

Kiersten Todt shares a variety of insights about her cybersecurity work at both Congress and the White House and gives some perspectives on the major cyber issues facing the country today. She is also passionate about protecting small business and discusses her work as the Managing Director for the Cyber Readiness Institute.

Transcript

Ron Gula: [00:00:00] Hi there. This is Ron Gula with the Gul-, Gula Tech Cyber Fiction Show. Today, our guest is Kiersten Todt, and we're going to talk about a whole variety of government cybersecurity politics, the Cyber Readiness Institute, and how we can actually get more women and minorities into this great cybersecurity field. First of all, I'd like to thank, uh, our friends over at Fort Point Capital. They just recently did an investment in a company called ONE KOSMOS, go ahead, check it out. So let's get right to the interview. Kiersten, how's it going?
Kiersten Todt: [00:00:37] Great, Ron. Great to be with you.
Ron Gula: [00:00:39] Thank you so...
Kiersten Todt: [00:00:39] Congratulations on the, uh, on the podcast.
Ron Gula: [00:00:41] Oh, thanks so much for coming, doing this in person.
Kiersten Todt: [00:00:43] Absolutely.
Ron Gula: [00:00:43] Um, we're, we're doing it COVID friendly. We were all wearing masks before and whatnot. So, uh, thanks for coming out. And you're based in DC.
Kiersten Todt: [00:00:51] I am actually right in Arlington, Virginia.
Ron Gula: [00:00:53] How did you end up in Arlington, Virginia?
Kiersten Todt: [00:00:56] [Laughs]. So I'm an urban person, so Arlington, while it's suburban, um, doesn't feel quite as urban as I've been, uh, but I've lived in cities my whole life. Uh, and when I came, I lived in DC for a while, moved out to San Francisco, and when came, when I came back, had children and that sort of shifted the, uh, the urban to suburban move, but Arlington is close enough, a few miles, um, but it can be a 45 minute drive to the White House, or it can be a, uh, a five minute drive to the White House.
Ron Gula: [00:01:21] That's excellent. And along the way, you kind of went to some interesting universities and schools, right?
Kiersten Todt: [00:01:26] I did. Um, I, interestingly there are probably others that are more interesting, but, uh, went undergrad, uh, to what was formerly the Woodrow Wilson School of Public and International Affairs, now the School of Public and International Affairs at Princeton, um, took some time off, uh, uh, worked abroad in London in, uh, urban development and housing in, uh, emerging countries. Lived in New York for a while and then went to Harvard, to the ma-, uh, master's in public policy program at the Kennedy School.
Ron Gula: [00:01:50] That's excellent. And of course that, you know, created, uh, opportunity for you in cybersecurity, right? [Laughs]. Nobody did cyber back then, right?
Kiersten Todt: [00:01:57] It wasn't even, I mean, we weren't even putting those words together. It's like Homeland, we no longer pushed...
Ron Gula: [00:02:01] [inaudible 00:02:02] that information warfare.
Kiersten Todt: [00:02:03] Maybe.
Ron Gula: [00:02:03] -Computer network defense.
Kiersten Todt: [00:02:05] Absolutely.
Ron Gula: [00:02:05] Computer security, it's, it's um, it's, it's fun. So you got to work at the White House.
Kiersten Todt: [00:02:12] So I started when I was in grad school, there's a program in existence today called the Presidential Management Fellowship, which I highly recommend for anyone that's looking to get into government. Um, and I started, and there was, uh, a classmate of mine who had worked, uh, for advance for President Clinton. And then, uh, ended up just doing a short stint at the White House Drug Policy office. And he's the one that introduced me to the director at the time General McCaffrey. And so I started with a fellowship working in the White House Drug Policy office. Uh, and I've stayed in touch with General McCaffrey since then. It was a tremendous first job in government to learn from a retired four-star and learn about policy. And you know, that the, the power usually comes with budget, uh, and how you do that.
Ron Gula: [00:02:52] And that's probably a good experience for talking about cyber security, because of course the war on drugs is this whole nation of, I need to go quotes, right?
Kiersten Todt: [00:03:00] Yeah [laughs].
Ron Gula: [00:03:00] Whole nation, right? Where everybody's involved, there's joint task force, there's, there's budget, there's laws. It's probably right up your alley now to do cyber.
Kiersten Todt: [00:03:09] So it's a great point and a great correlation because what I always enjoyed about Drug Policy was that it was interdisciplinary. It wasn't just one piece. And so you were looking at the science of it, you were looking at the sociology of it, the behavior, the psychology, the history, all of those things went into solving it. And General McCaffrey was always adamant about saying, "This isn't a war on drugs because a war implies that somebody wins and somebody loses." He would say it's more of a cancer. Now I don't want to call cyber-security a cancer. But it is that, that same approach, which is that this is an ongoing effort and it's all about resilience, right? You're never going to completely annihilate the drug issue. Uh, but, and you're never gonna annihilate cybersecurity because we're also creating innovation. And so it's, how do you continue to stay strong against the threats, but also supporting innovation.
Ron Gula: [00:03:59] I think that's really well said. I could probably re-edit that and we can just use that for, for the cyber portion of the show, right? [Laughs]. So, so how did you get into cybersecurity then?
Kiersten Todt: [00:04:07] So as part of the fellowship, I'm from Connecticut. And so I cold called, uh, Senator Lieberman's office when I was working in the Drug Policy office to do a rotation because the fellowship, you do these different rotations around government. And I wanted just an, an opportunity to work on the Hill. I'd never interned there or anything like that. So I cold called Senator Lieberman's office, spoke with his economic advisor and said, "You know, we don't have anything now, but call us in six months." And I called back in six months and he was surprised the economic policy advisor that I had remembered, and I called back and he said, "Sure, I mean, it's free labor. Come on up." I worked in the senator's personal office as a fellow, uh, doing economic policy. And that summer of 2001 when I was there, was the summer that Senator Jeffords, the Senator from Vermont switched from being a Republican to an Independent.
And that flipped the majority of the Senate from being a Republican majority to a Democratic majority. So all of the committee, uh, leadership shift, uh, shifted. So Senator Lieberman became chair of the Governmental Affairs Committee that summer, which at that time was not a very exciting committee. Um, it did post office namings, it did some nominations. And he asked me to go over to his committee staff, which I hesitated on. Um, but I ended up saying yes, and my first assignment for him was a hearing on critical infrastructure protection scheduled for September 12th, 2001. So 9/11 happened on the Tuesday. We were the only hearing to move forward on the Wednesday with a very different hearing list. And he turned to two of us and said, in the middle of the hearing, "There should be a Department of Homeland Security." Long before we were putting the word Homeland together, long before Claire Danes had a hit TV series or anything like that.
And, uh, in we, a group of us worked on this legislation for several months, which seemed like a pretty futile task because we were never going to create a new agency. Uh, and then I woke up to speak at the Woodrow Wilson Center in June of 2002, and read the papers and sen-, uh, President Bush had come out with a counter. And so I ended up being a co-drafter for the directorates for DHS in cybersecurity, infrastructure protection, R&D and bioterror. And that's how it all shifted from being urban development and economic policy to cybersecurity and had to do a deep dive.
Ron Gula: [00:06:07] That, that's excellent. So I, I, I really appreciate kind of the, the, the history lesson there and, and you were there when, when it was created, which is really good. But another thing I really appreciate about that is a lot of people ask us, "How do I get involved in the government? How do I get involved in cyber security? How do I..." You did a small thing. You said I wanted to be a, a fellow, you know, I wanted to volunteer and you were then in the right place at the right time. And so many of the people I know who are anybody who's anybody in cy-, they all started out like that. So I just, I like, I, like, I shared that story. That's awesome. So what do you do now?
Kiersten Todt: [00:06:40] So, uh, it also has a little bit of history. Uh, in 2016, I ran President Obama's commission. And when we finished that commission, uh, some of the commissioners and myself co-founded a nonprofit called the Cyber Readiness Institute. And so I do two things. Uh, I run the Cyber Readiness Institute, which provides free cybersecurity tools for small businesses, with the idea that small businesses are critical components of global value chains, but don't have the resources often to invest in cybersecurity. And so we focus on human behavior. So the idea is that you can do better in cybersecurity by helping your employees, whether it's two, 20, 200, uh, become more informed. And so human behavior is not your greatest vulnerability. It ultimately becomes one of your greatest assets. And I also, I founded a consulting company back in 2011, which I still run and provide, uh, guidance and risk management guidance to, to companies and do some informal work with the government.
Ron Gula: [00:07:34] And the name of the company is?
Kiersten Todt: [00:07:35] At Liberty Group Ventures.
Ron Gula: [00:07:37] Probably one of the better names as far as, uh, appealing to both, [laughs] both parties and all that kind of good stuff. That's, that's awesome. Well, let's talk about the Cyber Readiness Institute a little bit. So, um, when I was running, uh, Tenable, you know, we would always target large enterprise.
Kiersten Todt: [00:07:53] Mm-hmm [affirmative].
Ron Gula: [00:07:54] And when I say target, it was sorta like that was, uh, a group of, of people we could have a conversation with, right.
Kiersten Todt: [00:07:59] Yeah.
Ron Gula: [00:07:59] You know, vulnerability management, software procurement, you know, cyber risks that comes up. But as soon as you started getting out of the Fortune 2000, it was really hard to have that kind of conversation. I get the sense Cyber Readiness Institute is more for like that other 90% of America, American businesses.
Kiersten Todt: [00:08:15] Well it is. And there's statistics that last year in April, Brian Moynihan, the CEO of Bank of America, went on, uh, one of the Sunday morning talk shows to talk about the percentages. And, you know, it's 95% of small businesses essentially are the US economy. Uh, the Cyber Readiness Institute focuses on small businesses globally. But it is very much that idea that it is the small business that actually is the, the link in the value chains that keeps security. I also, in 2013 and 14, worked with the National Institute of Standards and Technology on the development of the voluntary Cybersecurity Framework. And I mention that because when we were doing that, it was about infrastructure protection. We were very adamant about, this is not about the Mom and Pop Pizza Shop on the corner. This is about critical infrastructure.
And the fascinating piece is, you fast forward a few years and to the commission. And one of the commissioners, uh, was the CEO of MasterCard, Ajay Banga, who's a co-founder of the Cyber Readiness Institute. And he said, "We are now in a place where it is absolutely about the Mom and Pop Pizza Shop on the corner, because they're using an iPad, they're using Square, they're using, you know, Apple Pay."
Ron Gula: [00:09:19] SolarWinds.
Kiersten Todt: [00:09:21] In other words. Exactly. They are connected to our, uh, our supply chain. And as the increase in proliferation of the internet of things occurs, we're all connected. And so you can no longer silo critical infrastructure. And we only need to look back a week to see what happened in Florida with a water hack to know that there is just this connectedness and it doesn't have to be a big business that has a big responsibility. And so what we're trying to do is help small businesses globally, take those first few steps to be cyber aware, recognizing that cybersecurity just became a line item in their budget, you know, within the last decade. And starting by educating their employees, something that doesn't require a huge financial investment, but absolutely a personal one.
Ron Gula: [00:10:02] So I like that. There's a couple of things about the Cyber Readiness Institute I like. So one, you've got some great, we call them founders, sponsors, right? You got MasterCard.
Kiersten Todt: [00:10:10] Mm-hmm [affirmative].
Ron Gula: [00:10:11] You've got the, is it Bank of America?
Kiersten Todt: [00:10:13] Uh, we have MasterCard, Microsoft-
Ron Gula: [00:10:15] Microsoft.
Kiersten Todt: [00:10:16] -Principal.
Ron Gula: [00:10:16] Yeah.
Kiersten Todt: [00:10:16] Uh, financial investment, General Motors.
Ron Gula: [00:10:19] General Motors. That's right.
Kiersten Todt: [00:10:20] ExxonMobil, and then now PSP Partners, which is the company that, uh, Penny Pritzker runs.
Ron Gula: [00:10:24] And, and what, what I found is like, let's say you just went by yourself and created this and put the same content out there and shouted as loud as you can. Cyber folks have a hard time reaching the general population, but you know, those people have their own supply chain. They have their own, I mean, MasterCard, ho-, how many companies work with MasterCard? Just so to have somebody like that say, "Here's content, you know, that, that you can use to protect your business in a very simple business where I think is, is really good." So I always like talking about this though. So like, what are some of the things they recommend for, for small business?
Kiersten Todt: [00:10:56] So you, you hit on the whole premise of the business model, which was we ourselves couldn't do this. I mean, it would be great and people would say good for you for going out and doing that. But if you bring the big companies to the table to say, "We care about small businesses."
Ron Gula: [00:11:09] Mm-hmm [affirmative].
Kiersten Todt: [00:11:09] That creates this different level of awareness. And what's fascinating is that, you know, just even most recently, when we were going through the pandemic, a couple of the members talked about the way that ransomware was impacting their supply chain. So they have small businesses in their manufacturing supply chains, or any other places, and they were getting taken down by ransomware. And that absolutely impacts their ability to produce whatever product they're producing. And so ransomware, I would say across the board, has been the big piece. But what's important about that is it's not just, how do you solve ransomware? It really goes back to authentication. And one of the things, we focus on four issues, it's authentication, pa-, meaning passwords.
Ron Gula: [00:11:49] Mm-hmm [affirmative].
Kiersten Todt: [00:11:50] And all of that as, you know, phishing, software updates and USB use. And so it's the, the basics. And what's fascinating about all of this is it always comes back to the basics. You know, how strong is your password, whether it's SolarWinds, whether it's Equifax, you know, there, all of these, uh, situations come back to somehow breaching a weak, uh, authentication. And it can, the good news there is it's easy to address, the bad news is we still don't do it.
Ron Gula: [00:12:13] And a lot of te-, I like that. So for folks who didn't hear that, I'll put this in the notes, right. So it's authentication, right?
Kiersten Todt: [00:12:19] Yeah.
Ron Gula: [00:12:19] So strong passwords. Do you guys talk about two factor authentication?
Kiersten Todt: [00:12:21] We do.
Ron Gula: [00:12:22] Okay.
Kiersten Todt: [00:12:22] That's absolutely, um, both for that and for phishing.
Ron Gula: [00:12:24] Software updates. So patching-
Kiersten Todt: [00:12:26] Right.
Ron Gula: [00:12:27] -You know, making sure your phone's up to date.
Kiersten Todt: [00:12:29] Mm-hmm [affirmative].
Ron Gula: [00:12:29] You know, all that kind of stuff, um, phishing. So do you guys preach more awareness about what a phishing email could be, or do you, do you actually talk about phishing software and-
Kiersten Todt: [00:12:39] We-
Ron Gula: [00:12:39] -That kind of stuff.
Kiersten Todt: [00:12:39] -Right now, we stay away from the technology piece.
Ron Gula: [00:12:42] Mm-hmm [affirmative].
Kiersten Todt: [00:12:42] But I think this year we're going to look more at recommending-
Ron Gula: [00:12:44] Yep.
Kiersten Todt: [00:12:44] -Uh, what the technologies that's out there. 'Cause I think there is such a broad base of, of easy to use and a reasonably priced, economically efficient, you know, uh, software. But we very much focus on what an employee should look out for now, not just with obviously emails, but with mobile texting and things like that.
Ron Gula: [00:13:03] Excellent. And then the last one of course is USB use, as you know. What, what am I going to plug into my, my computer? This laptop in front of me, we ordered, uh, you know, have a separate, pristine laptop for the, for the show here.
Kiersten Todt: [00:13:13] Yeah.
Ron Gula: [00:13:14] It came with two USB sticks that I didn't ask for [laughs]. So I don't know, I don't know, kind of, I know where they're at, but I didn't ask for them [laughs]. So that's, that's interesting.
Kiersten Todt: [00:13:21] Yeah. That's fascinating.
Ron Gula: [00:13:22] What I like is, is like, so you had some experience with the NIST Cybersecurity Framework-
Kiersten Todt: [00:13:26] Mm-hmm [affirmative].
Ron Gula: [00:13:26] -As well. And, and this is something we did a lot at Tenable, right? What we actually measured was like 200 things, 250 different parts.
Kiersten Todt: [00:13:33] 98 control-
Ron Gula: [00:13:34] Exactly, right.
Kiersten Todt: [00:13:34] -And all the different pieces.
Ron Gula: [00:13:35] And I've got a lot of friends that I'm sure you do at the Center for Internet Security, where they come out with, you know, the engineer in me is like, yeah, you've got to write all this stuff down, right. You gotta secure your backups. You gotta, uh, you know, make sure your hardware vendor supplier... I mean, there's so many things you gotta do.
Kiersten Todt: [00:13:49] Mm-hmm [affirmative].
Ron Gula: [00:13:50] Boiling it down to four, a lot of cyber, people are gonna say, "Well, look, there's a lot more to do than these four, right." So how did you guys come up with these four?
Kiersten Todt: [00:13:59] These four, because they are all focused on human behavior. So the idea is these are the basics. This is the 80% foundation. And one of the other interesting pieces is when I worked on the commission, the statistic at the time in 2016 was that every major hack that happened in the United States was sourced from an authentication failure. Just a password that was breached. So if you even just take that one statistic and you get individuals and employees educated on what a strong password looks like and multifactor, which is even easier now to, to convince people of than it was three years ago. But if you under-, help people understand their role in cybersecurity and what they can be doing, then that human behavior piece becomes so critical. And what we're really trying to enforce is that if you have a phone, if you're on a computer, if you're an employee, you're typically connected to the digital infrastructure. You then have a responsibility and accountability for cybersecurity.
It's not something you delegate to your IT department. The same way, I mean, we all know the analogies, but I think the car analogy is a great one. You know, you don't have to be a mechanic to drive a car, but you put your seat belt on, you know what it means to check the oil, you know what it means to make sure that there's air in the tires. And that's really what we're focused on is just start with the foundation. If we start talking about network security and all of that, we'll lose initially a big portion of the population and small businesses. So we're in this crawl, walk, run approach to helping small businesses be more secure.
Ron Gula: [00:15:23] Excellent. So a couple more questions on, on the Cyber Readiness Institute. So did COVID change any of the messaging? Did you have to lighten up anything or say, "Hey, look, you have employees working from home. So now, now worry about, I don't know, VPNs." You know, that kind of thing.
Kiersten Todt: [00:15:37] So we pivoted a little bit to immediately put out a lot of guides around how to se-, secure your remote workforce. Um, the [inaudible 00:15:45] component of the Cyber Readiness Institute is a five step self guided program. That's what we developed in the first year. We usher small businesses through it. But what we did as a result of, of COVID was we just started putting out these two to three page guides on here are the top five things you need to know about working from home. Again, focused on human behavior, but just trying to get at the, how can we help you? Um, we did a ransomware playbook with the Department of Homeland Security.
Uh, just on, again, these are the basics. We did a decision tree if you've backed up, if you haven't backed up. So what we tried to do in COVID, and I think, uh, it was effective and an important learning for us was just create and develop that digestible, accessible information on the, you don't need to necessarily know the why, but here's how. And, um, we got a lot of positive feedback globally, and I think, you know, one of the upsides was the ability to connect with small businesses globally because everybody was online.
Ron Gula: [00:16:37] Excellent. Does any of this change with SolarWinds where trusted software is now being used to attack us by our adversaries?
Kiersten Todt: [00:16:45] Well, I think, you know, the, the, the piece that we can't, uh, over-rotate on, but is certainly notable, is that people got hacked by doing the right thing, you know, by updating. That's this huge issue. That's the, counter of that with NotPetya was people weren't updating. And so they were vulnerable, and now they updated and the malware was in the update. Um, but I try not to focus too much on that because it's very much about it that, if it hadn't been that, it would have been something else. Uh, but the key here is often we get from small businesses, you know, why would a malicious actor care about me? And the two points that we make are, you know, data is a critical asset. The, uh, documentary, The Social Dilemma, has a statistic in it that says data surpassed oil as the most valuable global commodity about two years ago.
So if you have data, you're valuable. But even more importantly, you, as a small business, can be an, uh, opening a door to a, a bigger company. And that's really what SolarWinds demonstrated. So not so much in the fear perspective, but the, you are interconnected to the global digital economy. So you have a responsibility. So, uh, a malicious actor could care about you and you may not know why.
Ron Gula: [00:17:53] I think all malicious chara-, uh-
Kiersten Todt: [00:17:55] Yeah [laughs].
Ron Gula: [00:17:55] -Actors care about us. Right?
Kiersten Todt: [00:17:56] Yeah. [Laughs].
Ron Gula: [00:17:56] That's, that's awesome. Well, let's, let's pivot a little bit from this, on that SolarWinds topic to more national policy. Now you've been working national cyber issues for a long time, right? You got to work. Uh, well, I, I'll let you tell a story, but you, you've got to work with some, some of my favorite people, right. You did Good Harbor Consulting for a little bit.
Kiersten Todt: [00:18:13] Yep.
Ron Gula: [00:18:13] Um, and that was your friends that, uh, that maybe why don't you tell us that story? I don't want to steal too much there.
Kiersten Todt: [00:18:19] Yeah. So, I mean, after, uh, working in government-
Ron Gula: [00:18:22] Mm-hmm [affirmative].
Kiersten Todt: [00:18:22] -And then in the nonprofit sector, uh, Good Harbor Consulting was started by Roger Cressey, who worked, uh, in the White House Counter-terrorism, and then he, uh, uh, brought in, uh, Dick Clarke, John Tritak, Paul Kurtz to be partners. And they were really looking at cyber risk management. And so when I came to Good Harbor, I was focused on the domestic cyber risk management piece. And then from there I started, uh, Liberty Group Ventures and got brought into NIST. And then through the work on the NIST framework was asked by, uh, President Obama and Secretary Pritzker to run President Obama's bipartisan commission on cybersecurity.
Ron Gula: [00:18:54] That's, that's excellent. So John Tritak was actually an advisor for Tenable very, very early on. So I got to learn about a bunch of stuff. We actually had dinner on my birthday on August 14th, which is some PII, we, everybody can abuse [laughs]. But when the Great Northeast Blackout happened.
Kiersten Todt: [00:19:10] Oh, yeah, 2003.
Ron Gula: [00:19:10] And he was literally like former head of the Critical Infrastructure...
Kiersten Todt: [00:19:14] Infrastructure Assurance office.
Ron Gula: [00:19:14] Exactly.
Kiersten Todt: [00:19:15] Yeah.
Ron Gula: [00:19:15] And we're like sitting there going, is that an attack or is that a, you know, some gopher, like, you know, blowing up a wire somewhere. So I thought that was interesting. And of course, Paul Kurtz is still very active-
Kiersten Todt: [00:19:24] Yeah.
Ron Gula: [00:19:24] -With TruSTAR.
Kiersten Todt: [00:19:25] Mm-hmm [affirmative].
Ron Gula: [00:19:25] And I talk to him occasionally, we, we always like talking about the market and stuff like that.
Kiersten Todt: [00:19:29] Yeah. He's doing some good work.
Ron Gula: [00:19:30] So that's, that's really good. So what was, how about Dick Clarke? What's, what's uh, what's it like working with Dick? He's got really, really good, I think both of his books I think are spot on as far as like Cyber Strategy and whatnot.
Kiersten Todt: [00:19:42] Mm-hmm [affirmative].
Ron Gula: [00:19:42] What was that like working that in the moment?
Kiersten Todt: [00:19:44] Well, I think, you know, anybody that's been there from the beginning, there is a, a history and knowledge and experience that is unprecedented and unparalleled. So, and, and Dick's approach, I mean, I think obviously what he's so well-known for is, uh, your government failed you after 9/11, taking that responsibility. Um, but then taking all of that knowledge and he continues to apply it to where the threats are. And obviously now, um, he's become certainly a senior cybersecurity expert. But I think, you know, one of his, uh, strengths certainly is the ability to pull in the counter-terrorism experience, the national security experience into the threats of today because, you know, cybersecurity is no different than anything else.
And that history repeats itself. It may have a different name, but a lot of the problems, a lot of the issues, uh, do repeat themselves. And so when you have somebody like Dick, uh, who has that knowledge and that experience across so many issues engaged in this issue, it can only help us be more creative in how we're looking to address them.
Ron Gula: [00:20:44] So what are, what do you think are some of the national cybersecurity issues that are, that need to be addressed or maybe are being addressed right now, whether they're tactical or even more strategic.
Kiersten Todt: [00:20:53] There are many ways [laughs], we cou-, we can take this into the evening.
Ron Gula: [00:20:56] We've got all day. We'll pour some bourbon. And, and [inaudible 00:20:59] Yeah.
Kiersten Todt: [00:20:59] I appreciate that. What about the cigars? [laughs].
Ron Gula: [00:21:00] There you go, soon.
Kiersten Todt: [00:21:02] Um, so there, there are many. I think the first piece right now, because if we're dealing with what's happening today, SolarWinds certainly, you know, put light on supply chain security. It's not that we haven't talked about it before. There have been a gazillion conferences. There are work groups, um, all of that. But clearly we haven't gotten into the real issue. Is it that we've exposed ourselves too much with multifaceted supply chains from a government and an industry perspective? Uh, how are we looking at our open environment? I think that there are important questions that we have to be asking. I know today the White House just announced, uh, an ICT supply chain working group to look at liability protections for information sharing. That obviously is, comes on the heels of SolarWinds, to look at what are the things that we can be doing to help secure our supply chains.
I think certainly that's a piece of it. The other piece is we have identified critical infrastructure as these 16 sectors. However you want to look at it, but that, the definition of what is critical, to me, is evolving. We certainly have those infrastructure sectors. But I would assert that cloud service providers are, have become part of our critical infrastructure. Also, we look at social media and the role that social media has on the national and economic security of the nation. We've got to understand, are they critical infrastructure? And that doesn't need to be a burden. That title doesn't need to be a burden as it currently is viewed. But it should be a responsibility and a privilege. And how government works with critical infrastructure, I think, is a, is a key component of where we're going in cybersecurity. The only other piece, and we can talk a little bit more about this, is, um, the diversity of the workforce, because we're only going to get to these issues if we bring in a diverse workforce and we make technology more accessible.
Ron Gula: [00:22:42] I think that's well said. So you mentioned supply chain. Uh, do you want to comment at all on the, um, the Cybersecurity Maturity Measurement, cer-, CMMC, right, right?
Kiersten Todt: [00:22:51] [Laughs]. Yeah.
Ron Gula: [00:22:52] I didn't have to put that in all my notes, but I mean, that's a DOD standard to, if you sell widgets or computers to the, to the DOD, you have to have a minimum level of cybersecurity. It's a good thing. How do you feel about that?
Kiersten Todt: [00:23:03] So I think we've got to be careful in government about compliance and risk management. And actually the Cyber Readiness Institute has been brought in by CyberHawaii to work with them on a DOD grant that helps small businesses get to the point where they can engage in CMMC. Almost like they need a primer to get to those standards, because you can't expect every company to go from zero to CMMC without this interlude, this bridge of knowledge and awareness. And I think if we can make sure that CMMC looks at a risk management model, uh, and not just a compliance checklist, then that's a step in the right direction. Um, certainly I understand the approach, uh, but we, then we also have to make sure that we're adhering to it. I mean, I think there are challenges with government standards like FedRAMP and others that have some inconsistency in their execution. And so in theory, we're always, you know, helping small businesses, helping businesses, uh, become more mature is an important goal. But how we get there is really, uh, where the criticality of the success is.
Ron Gula: [00:24:05] Do you think if we're giving companies money to stay in business due to, due to COVID, should we give them, you know, maybe money to be compliant, or at least do some of these basic cybersecurity things to get them started?
Kiersten Todt: [00:24:16] So with some of the CRI members, I put together a legislative proposal that gave businesses grants, or loan forgiveness from money that they invested in cybersecurity. Um, because I think that we do have to start looking at how we can support these businesses in cyber and whether it's tax incentives, um, the same way we look at economic development plans. I think there's opportunity for creativity in doing this, but we have to support small businesses and, and businesses to do this.
Ron Gula: [00:24:42] And this is all, we're talking about this at the federal level. Have you seen any States at the state government level do programs that you were really happy with as far as incentivizing businesses to be cyber ready?
Kiersten Todt: [00:24:52] It's a great question, because I think a lot of times with cybersecurity, you're going to see this happen at the state and local level. Uh, CyberHawaii, which is a group out of Hawaii that I mentioned we've done some work with. They are really working very hard with their small businesses. They actually bring the cyber readiness program for employee onboarding and for some of the small businesses that we're working with. Uh, I think you're seeing other States start to look at this more closely. Uh, Michigan has done some great work. Texas is working with a lot of their businesses. So I think oftentimes you can see the effectiveness at the state level and potentially hopefully translate some of the most successful efforts to a federal policy.
Ron Gula: [00:25:31] Another way outside of federal. How about the insurance industry [laughs], is the insurance industry any much of an incentive for, for these because everybody's buying ransomware insurance right now, right?
Kiersten Todt: [00:25:40] Yeah. So cyber insurance to me is a, it's a big challenge. Uh, in 2016 with the commission, we had eight issues that President Obama gave us. And the commission actually said, "We want to add two more. We want to look at..." And cyber insurance was one of them. We did a whole, uh, panel discussion, brought in experts from the insurance groups. That was our first meeting. And we determined eight months later that we really didn't have enough. I think the challenge with cyber insurance right now is that it is a, uh, re-, it has reversed incentives. A small business, or really any business is deemed negligent if they don't have it. But if you're truly analyzing it from an ROI perspective, you wouldn't choose it. And I think you've got to get the insurance industry to incentivize good behavior the same way you did with, uh, good driving, you know, in auto insurance.
So that there isn't, there are financial incentives for doing the right thing to putting in technologies, human behavior. And there is a program with the insurance industry called the Cyber Catalyst Program, uh, which started a couple of years ago. They just announced kind of 10 technologies that they recommend. I'd like to see that expand more to behaviors and overall incentives for investing in cybersecurity that businesses can get credit for it. And we're not, we're just not there yet.
Ron Gula: [00:26:54] Wh-, what are you on some of these other sort of big issues like separating Cyber Command from the NSA, or, you know, giving more powers to CISA, Department of Homeland Security, to defend the, you know, businesses, which they really don't have any, there's no CDC for businesses and cyber, right.
Kiersten Todt: [00:27:09] Right.
Ron Gula: [00:27:09] So what, what about some of those kinds of issues?
Kiersten Todt: [00:27:11] So I think CISA is an interesting, uh, case study right now. We have to remember that it's only two years old and having worked on the legislation for DHS, I actually worked with Dr. Fauci back in '02, on emergency preparedness. And there was an under secretary for emergency preparedness and response in Homeland Security that morphed into the National Protection and Programs Directorate, which then morphed into CISA. So a conversation I had with Chris Krebs at the end, um, but then also in June was, there was a point in time, let's say met last May, when we know SolarWinds was happening, where sensibly CISA was responsible for securing the presidential election, for helping the nation respond to the pandemic.
And for fighting an attack that they didn't know was in the networks. 2,000 people, two years old, definitely not enough. So I do believe we have to look at CISA and its capabilities and what its role is, but I think that's going to be important vis-a-vis the other roles in government. So as you know, there's the, uh, identification of a national cyber director, which is going to be in the White House. I think that's going to be an externally facing role to work with industry.
Ron Gula: [00:28:14] Is that going to be a Dr. Fauci for cybersecurity?
Kiersten Todt: [00:28:16] [Laughs]. Well, I mean, it's interesting, right? I, it, I think it's part of that. It's, it's an ind-, an individual who knows industry, is respected in industry, also knows how government works and can hit the ground running in understanding, not just the theoretical philosophical, how does this work, but actually, how does this work and what do we need to do? And I think, you know, a cooperation between the NCD and the, uh, CISA director is going to be an important next step, as well as, uh, capabilities and resources for CISA.
Ron Gula: [00:28:46] Excellent. Well, we could talk a lot more about government policy-
Kiersten Todt: [00:28:49] Yeah.
Ron Gula: [00:28:49] -And offensive cyber and, and, and, and whatnot. I would just tell folks if you're interested in hearing her opinion, sh-, you were just recently on a couple of other podcasts, right? The, um, uh, Oh my gosh. Meet The Press.
Kiersten Todt: [00:29:00] Yeah.
Ron Gula: [00:29:01] That, that was, could you do a whole bunch of that kind of stuff. So I'll put, put some of those in the show notes. Let, let's talk a little bit more about another way to defend the country in cyber is that getting more people into cyber and specifically minorities.
Kiersten Todt: [00:29:13] Mm-hmm [affirmative].
Ron Gula: [00:29:13] Uh, people of color, uh, women just, I mean, I, I like to always talk about, you know, people who might have been farmers like in Iowa, you know, or whatever.
Kiersten Todt: [00:29:22] Absolutely.
Ron Gula: [00:29:22] Like, can we bring more people to this, to this fight? So what are some things that you've been working on there?
Kiersten Todt: [00:29:26] Well, first of all thanks to you and Cyndi for the work that you're doing with the Gula Tech Foundation.
Ron Gula: [00:29:30] Thank you. Yeah.
Kiersten Todt: [00:29:31] Because you are absolutely taking action where words have existed to say, "Hey, this is so important. We're actually going to, you know, roll up our sleeves and figure out how to do this." And that's tremendous leadership as, as you always do, the two of you. Uh, I believe very strongly that cybersecurity is not just about Math and Science. That solutions and efforts are going to be interdisciplinary and that we need people, whether it's farmers who have solved other issues, um, that require different types of thinking. So that it's backgrounds in history, psychology, sociology, the conversation that we had about drug policy. Uh, Ron, one of the places that you and I recently saw each other was at the Moonshot workshop. And, uh, one of the speeches that was given before we did our breakouts was a woman from USAID, and I've never forgotten this.
She was talking about a grand challenge for creating Ebola suits, and they were reaching out to people about how do you create these Ebola suits? And one of the primary designers was somebody who designed wedding dresses. And it's this reminder that there are, there's expertise that we may not be thinking about, that we can apply to this space. And another example is the current CSO of Equifax who was brought in after the breach, used to work at NASA. And what he'll say is the Challenger, uh, catastrophe was going to happen no matter what, because of culture. And so culture in cybersecurity is important. And I think we've got to look very broadly to understand that solutions for cybersecurity don't just come from Science and Math, but actually come from how people have solved other types of serious, significant world problems.
Ron Gula: [00:31:04] That's um, I, so I was there for that-
Kiersten Todt: [00:31:06] Yeah.
Ron Gula: [00:31:06] -That, uh, uh, the, the speech and I really, when people talk about diversity, you know, there's obviously the social needless white men, you know, that kinda... But I, I actually like the proper definition, diversity, which is diversity of thought.
Kiersten Todt: [00:31:18] Right.
Ron Gula: [00:31:18] You know, bringing all of these different solutions, the scientific method, you know, let's not try to do the old way just because we're, we're doing that. I'm, I'm trying as investors to look for that lady who's making the wedding dress-
Kiersten Todt: [00:31:31] Mm-hmm [affirmative].
Ron Gula: [00:31:31] -To solve an Ebola suit. And you know, every now and then we do find new breakthroughs in cybersecurity, but there's so much of breakthrough. It's, there's no market for it.
Kiersten Todt: [00:31:39] Yeah.
Ron Gula: [00:31:39] You know, we're so conditioned [crosstalk 00:31:41].
Kiersten Todt: [00:31:40] Not ready for it.
Ron Gula: [00:31:41] Oh, you can't sell that to the enterprise. You can't, you can't do that. So, uh, one of the things I like about what my wife and I are doing with, with our investing is we can't fund some of these things that I think are very business savvy and are just completely to artists. Like we recently did, uh, Trinity Cyber-
Kiersten Todt: [00:31:56] Mm-hmm [affirmative].
Ron Gula: [00:31:56] -Which is where Tom Bossert went.
Kiersten Todt: [00:31:57] Yep.
Ron Gula: [00:31:58] And that's a completely different way of doing intrusion prevention, you know, at, at, at scale.
Kiersten Todt: [00:32:02] Right.
Ron Gula: [00:32:02] And, um, you know, I've had a lot of fun talking to CISA, all that won't work. I'm like, "Oh my God, that's amazing."
Kiersten Todt: [00:32:07] Yeah.
Ron Gula: [00:32:07] If, if they can do half of what they say, I do it. So it's just, it's, it's interesting. But back to like getting people inspired to come into this career field, I like what you said, it's not just tech and computer programming. I mean, that's, that's part of it, but we need, we need artists. You know, we need people who understand how to communicate this to non technical people and inspire them.
Kiersten Todt: [00:32:28] Yeah.
Ron Gula: [00:32:28] So, uh, and some of that folds into the Cyber Readiness Institute, I would imagine, right?
Kiersten Todt: [00:32:32] It does because I often say it's about problem solving and building solutions. And I think everybody has different capabilities for those two goals. And so when we're looking at small businesses, um, you know, we're focused on being able to draw people from different walks of life. And I, I very much ascribed to what you said, which it's not about checking a box for diversity, it's about finding the people who have this thought, and you will organically then have a diverse workforce.
Ron Gula: [00:32:58] And, and unfortunately that's a controversial statement sometime.
Kiersten Todt: [00:33:01] Yeah.
Ron Gula: [00:33:01] You know, because it's, it's, it's, uh, and again, we're, we're all for helping out, whoever we can help out, but it's, it's, uh, it's, it's really interesting. Especially coming out of tech where, you know, we might have, um, you know, Chinese employees, uh, Indian employees, uh, folks who are not normally on the, um, uh, what you think of when you think of diversity.
Kiersten Todt: [00:33:20] Mm-hmm [affirmative].
Ron Gula: [00:33:20] But they're discriminated against all the time, especially with the Chinese flu, right.
Kiersten Todt: [00:33:24] Right.
Ron Gula: [00:33:24] With, with coronavirus. There's definitely a rise in that. So, uh, so it's definitely, definitely interesting. What is your opinion about how best to get into cyber security? Should I go to college? Should I get certified? Should I teach myself? Should I get an apprenticeship? What's your experience there?
Kiersten Todt: [00:33:38] So I'm first a big believer in following what interests you the most. Um, because I think that where you followed that passion, the aptitudes that you have, you will be led in, in these directions. I think if you're somebody who's right now interested in that you can get into companies where you think you could play a role. Um, fortunately now you're starting to see a bit of an expansion within companies about where cybersecurity is important. It can be in human resources, it can be in different, different entities and, and divisions. And I think keep your eye out for where those opportunities lie. But recognize that if your aptitude and your skillset that you enjoy may not come under that heading that you can absolutely position that for something in cybersecurity. And you're starting to see businesses being much more open to bringing in that diversity of thought, um, which I think is going to be critical to how we address it, um, for companies and, and for the nation.
Ron Gula: [00:34:32] So last topic, this is the Gula Tech Cyber Fiction Show. So cyber is often kind of, um, I'll just say abused.
Kiersten Todt: [00:34:42] Mm-hmm [affirmative].
Ron Gula: [00:34:42] Uh, in, in media, in, in, in whether it's reporters and wh-, what are some movies or shows that you've seen that you've been just like, I, I, I can't believe I saw that.
Kiersten Todt: [00:34:51] [Laughs]. Well, I think for me, you know, it's, I've never been a big science fiction person, but when I think about being in cybersecurity and I kind of look historically what I'm shocked by or stunned by is the history of science fiction movies, how they kind of got it right. I mean, whether you look at WarGames from the eighties, whether you look at, you know, military shows like Strike Back or others that have all of this AI and machine learning, this idea that we've kind of anticipated where the nation was going and where the world was going in cybersecurity. And we can look back on some of that now and, and laugh.
But there's actually, you know, kind of counter to the fiction, there's more accuracy to the science fiction. Um, historically then I think, you know, and I just think about movies that I watched as a kid and growing up, um, that have really come to fruition. So we should be looking at the current science fiction movies to say, "Oh, is this where we're going?" Um, and you wonder if it's a little bit of a self-fulfilling prophecy too.
Ron Gula: [00:35:46] I, uh, I just recently read, um, Peter Singer's, um, Burn-In.
Kiersten Todt: [00:35:51] Yeah.
Ron Gula: [00:35:51] Which I really, really enjoyed. And it's, it's about an FBI and no spoilers, right?
Kiersten Todt: [00:35:56] Yeah.
Ron Gula: [00:35:56] It's about an FBI agent who gets a robot partner. And even though that's been done like, like 50 times in the movies and on TVs and stuff like that, this was done really, really well. And in my opinion, none of that, Oh, the robot was more human than-
Kiersten Todt: [00:36:11] Yeah.
Ron Gula: [00:36:11] -Us. But the, the tapestry of like the, what the world's going to be like 20 years from now, or even 10 years from now in this book, I thought was spot on. Drones, computers, immersive, uh, stuff. It, it was really interesting and of course, and we have to secure all of that, right?
Kiersten Todt: [00:36:25] Also drones are great example, right? I mean, there was huge debate within government at high levels, pre-9/11 about the use of drones. And, you know, now you see them everywhere. I mean, kids using them and, you know, whatever they're being used for and just the ability and the accessibility of technology. And I think that just, that does go to an important piece around how innovation and security have to be aligned, um, that we've gotta be looking at these things, not just from a, you know, first to market over secure to market. But how will these play in a broader, a broader picture? And I think from technology, it's anticipating some of the, uh, the uses that you're not building the technology for, but what that could be, um, and, you know, looking, paying attention to, to broader use and, uh, cross purpose use.
Ron Gula: [00:37:12] Excellent. Where, where can, what, what kind of clients are you looking for, for, for Liberty? Um, Oh my goodness, Liberty Group Ventures.
Kiersten Todt: [00:37:20] So we love to work with companies, um, and helping them with risk management. And I think in response to what's going on right now, um, we do, have done a lot of tabletop exercises. I think one of the pieces that is evident about where we are with the pandemic was SolarWinds. And we take from some of the work we did, uh, following 9/11, which was that, you know, we knew Al Qaeda was going to attack us. We didn't expect it to happen on our Homeland. We didn't expect a pandemic. We didn't expect a vulnerability of a supply chain like this. And so doing more work with businesses on pushing imagination, um, and the stressors and thinking through not just the sequence of events that you've prepared for, but what haven't you prepared for? Uh, again, not to instill fear. But just to create resilience, uh, for businesses in, uh, this environment of overwhelming threats.
Ron Gula: [00:38:05] Excellent. Excellent. Well, thank you very much for joining us today on the Gula Tech Cyber Fiction Show. Also, thank you, you're one of our advisory board members for the Gula Tech Foundation, and we're really enjoying working with a lot of the nonprofits that have applied for this current grant. We'll be announcing that March 9th, two o'clock. You can go to the Gula Tech website and, and register for that. Kiersten, thank you very much for joining us today.
Kiersten Todt: [00:38:28] Thanks so much, Ron. It's great to be with you.