Washington publishers. We do a lot of deep dive coverage into policy areas, including defense and health and energy environment, and cybersecurity kept popping up. This was in 2012 or so. We started looking at taking a deeper dive into it and myself and a colleague started to investigate. We decided to start a new publication called inside cybersecurity that with a focus on the development of cyber policy. That wasnt that long ago but it really was the stage of creation for a lot of this. I think president george w. Bush was the first one who really started getting into cyber as a major policy area, and then it just exploded under the Obama Administration. It was cutting across a different issue areas that we decided to create something that would give readers an idea of where the policy arc was going. We covered it through the Second Obama Administration into the Trump Administration, and a lot of the book, i wrote an earlier book called hacked which was about cyber during the obama years, and really the beginnings of a lot of this cyber policy. I i wanted to write a followupn how a new administration we treat this and thats what led to this book which just come up a little earlier this year. Host so when you look back at 2012 how was the sophistication of cyber and cybersecurity grown . Guest it was at a very low stage in 2012. There were a a number of people who were pretty savvy about it but with a congress in particular, the Knowledge Level was fairly low, and people were talking about we need to build walls that are a lot higher and all of this, and really didnt have a mindset around what the cyber challenge really required. That is grown and theres a lot more expertise and a lot more engagement in the executive branch as well. I think everybody was a little slow to come around to this. Some of the really smart cyber thinkers out there, people like jeff moss who founded the black cat and defcon conferences can be said the problem is that the attackers, the people who play offense and cyber and going and breaking in the system, they can have all the fun and be creative and all of that, and defenders are stuck with trying to come up with ways to defend against that. They are forced to fight over budget and forced to fight over things like jurisdiction and laws and things like that that attackers dont really have to worry about. Its been very, very complicated to get to the space but i think we can say that starting with george w. Bush through the Obama Administration there were a lot of efforts to build the structures around cyber policy. That was really very much a formative stage and when the Trump Administration came in people were seeing very abrupt changes in other policy areas but cyber not so much. There was a lot of continuity with the basic policy structures. I think the way i look at it is that under the Obama Administration you are really putting the pieces in place to try to have an effective policy. This continues to evolve and some of the cyber pros who came into office in 2017 took that and ran with it and theres been very much an evolutionary process. There hasnt been this hugely dramatic break in the basics between the Obama Administration of the Trump Administration with a couple of exceptions. The Trump Administration has been more willing to use offensive weaponry in cyberspace. I dont think the Obama Administration had quite gotten to that point back but again its an evolutionary process. The other really key difference i would say between obama and trump as quoteunquote cyber president s is that obama was pretty interested in the issue and obama gave speeches on it and would go out and visit dhs and talk to people at the National Institute of science and technology, standards and technology about this and was trying to project the idea that this was a Huge National issue. President trump doesnt really engage on the issue all that much and we can get into some of the reasons why i suspect thats the case but there has been a fairly sharp difference in the tone of approach, in the personal interest from the oval office in this, and that ends up creating an issue around leadership for cybersecurity. Peter, if i could say one other thing, that one of the things going back to the Obama Administration is a message that the u. S. Government has been really pressing industry and Business Leaders that the top person and organization has to really personally take responsibility for cybersecurity and show that they are interested in it and that this is this is a Cultural Values within their organization. The government is telling that the companies and i would think the same thing should apply to the government, that the top official in the government should be think this is a personal valley of mine, we need to do this. And spread that message both through the government but also to the partners in the private sector, and thats been a real missing piece over the last couple of years. Host Charlie Mitchell, well get into differences between the Obama Administration of the Trump Administration in a minute but can you put a dollar figure on how much is spent by the federal government on cybersecurity . Guest sure. There is a budget for dhs, department of Homeland Security and the cybersecurity agency, thats in, its a building and change as a like to say in washington, or for cybersecurity. And going across government, you know, if you throw in the defense departments spending you get into the low billions being spent on cyber. Some very smart people out there who work in this space will say they recognize the realities of federal budgets and the battle for every penny that you can get and the fact that cyber is in competition with every of the program, but they you like to h it up against the amount being lost in the Global Economy decide which ones into the trillions that cyber, this thia multitrillion dollar cost to the Global Economy. Its in the high hundreds of billions for the United States in terms of data theft and liability in all of these things. The amount being spent by the federal government is just a tiny fraction of the overall cost of this. And then because this is very much a government private sector issue and in the this i can don its own, you look at what the private sector is spending and companies are spending a lot of money on this in general, particularly the larger companies. They devote a lot of their spending tens of billions of dollars on security. It gets a little more complicated as you go down the scale and you look at small and small entities that particularly amid covid19 have to make some very tough choices about where theyre going to put the next dollar. Their spending is constraint and we see that across different business sectors and, of course, the problem here is that in cybersecurity, as the old saying goes, youre only as strong as your weakest link. If a Small Company that is part of the value chain for the supply chain in a critical area is vulnerable and gets hacked, that can allow bad guys into all kinds of systems. There is a lot of attention right now on trying to make sure that small entities have the resources they need to perform the security duties that they should. A lot of this is really being driven by the private sector. I think that the cybersecurity and infrastructure security agencies, sister, which is ina trip within dhs have been trying to a lot of work to get tools out to the private sector and really particularly focuses on the small and midsize businesses. But the challenges enormous. If cisa had doubled or tripled its budget, you know, that still might not be enough to do all of this work. So you have seen groups like the Cyber Readiness Institute and the global cyber of lines, both of which are led by former dhs cyber people and former Administration Cyber people, executive branch cyber people who have a lot of experience with this. You were seeing a lot of groups like that are going out and just trying very hard to get tools for free into the hands of the private sector so that Small Companies can look with a couple clicks online to see a suite of Security Services that they can use. Thats been a very valuable exercise by these groups. Host so Charlie Mitchell, is it fair to look at Cyber Threats in cybersecurity is simply a new form of espionage . Guest thats just an aspect of it, peter. Its a very true aspect of it and its interesting because you have to look at the threat acthar and what the threat acthar is trying to accomplish. And i think that theres been plenty of evidence in recent years even in recent months that countries such as russia and china and iran have been mapping u. S. Systems, use Critical Infrastructure systems and i would imagine that we do the same to their systems. When the event of conflict, this will be another area, another domain of conflict for sure. On the espionage side, there are generally accepted rules that you could do certain things related to gathering intelligence for your National Security purposes. Every side does that. The big departure that we saw in 2016 was, and this really created something of a redefinition of cybersecurity, was the activities attributed to the russian government to disrupt the u. S. Election. That involved direct things like hacks into email and all of that gather information within it involved these whole disinformation campaigns to use social media, to spread things that divided people and create antagonisms and all that. I was a real new wrangle. Im not sure that anybody was quite prepared for that, and then the response to it of course was heavily criticized in the aftermath. I think espionage is an aspect of it. I think the ability to use cyber as a quoteunquote military domain is an aspect of and i think this use of cyberspace, social media has a domain for disinformation to accomplish your goals is also a part of it. Host now, you talked about oval Office Leadership and the change in tone from the Obama Administration to the Trump Administration. Could you expand on that a little . Guest sure. I would say that president obama was very interested in this issue. He gave a big speech on it after a few months in office. He spoke on it repeatedly and he, through executive orders, launched a series of initiatives is to provide some of the foundation today for cyber policy. President trump doesnt want to speak on the issue. He doesnt much discuss it, but he is also issued a series of executive orders that have advanced the policy and have led the overall cyber policy into the next evolutionary phase, if you will. But you dont have that accompanying sense that the president is watching, the president is keeping track of this, that this is a hot priority for the president. That probably has an impact within government. Government agencies were directed by the president to follow the nist frame work which is kind of of standards for securing your systems. Also an early trump executive order he make clear that the agency heads are personally responsible for cybersecurity, was an important evolution which had somebody is taken responsibility. The potential downside of that is leading to more of a checklist approach of okay, i did this, i did this, rather than a Risk Management approach where youre really incorporating cybersecurity into all of your activities and you are thinking about it upfront and you realize that the cyber aspects of everything that you are doing as an agency are just as important as in other aspect. You dont really get the sense that that idea is being driven from top although the rules have been put in place if you will. I would say that the leadership question that i have been very interested in what i think that we probably need to see more of in order to be effective is in terms of engaging with the different communities in this country, and by that i mean the industry, the different business groups and Civil Liberties groups and Civil Society in order to really try to drive a new set of principles around data security. Where do the responsibilities lie . I dont think weve done a great job of spelling this out and i would say that in the transition from 20162017 that was my way of looking at it that was probably the next big thing that need to happen, that you needed a strong engagement between different groups, different entities, the government and private sector partners to say okay, this is a way we are defining your responsibility as a company in cyberspace and this is what the government is going to do to help and to protect you. This is what you need to do to help protect yourself. These are the rules about what you as a company need to do to protect consumers data. We had seen these massive hacks of consumer data being leaked out into the dark web in all of that. We havent really defined this as a get. And then i would take it overseas and say that u. S. Leadership is absolutely imperative in trying to drive Global Standards and create a global system of contact in cyberspace. And i think the Obama Administration was just get a come on that. As i said we were very much in the early days during the obama years, and creating a Broad International coalition of uncertain principles and goals seemed to me to be the next step but that hasnt really been taken. What we have seen is very particular steps aimed at Chinese Companies, for instance, huawei and zte that provide tech and telecom services. The Trump Administration has issued a series of orders that are largely aimed at getting those companies out of your systems. U. S. Telecoms have to strip huawei products out over the next year or so, over the next couple of years, sorry. Which, and theres a big effort in congress right now to make sure that is adequately funded. I think theres about a billion dollars available for and it will probably cost at least twice that much for these telecoms particularly and rural areas to replace their equipment. But the point is its been a very Company Specific get china out of here policy, rather than the policy when we engage with our friends in europe and japan and other countries, and try to create a very durable system of Global Cybersecurity and use that to confront adversaries in cyberspace. Host and youre watching the communicators on cspan. Our guest this week is Charlie Mitchell, author of this book, cyber in the age of trump. And, in fact, in your book, mr. Mitchell, youre right that the ubiquity of cyber problems might make cooperation between the u. S. And china conceivable, plus President Trump and chinese president xi form something of a Mutual Admiration Society but within a year the souring of u. S. Relationship with china was frontpage news, and that their transactional relationship harmed cybersecurity issues. Guest right, right. And i think that there was some thought that cybersecurity, some cybersecurity goals could be achieved within the context of a grand trade deal but, of course, that didnt come about. There was a trade deal. Its been called the phase one trade deal and it did have some elements of intellectual property protections but it didnt really get at the broader cybersecurity challenges between the two countries. And this is been really one of the fundamental issues during the Trump Administration and critics say about a lot of the trial actions in this space is it cyber or is it trade . That goes back to some of the issues raised by banning huawei and then zte. I think cyber professionals will tell you there is plenty of smoke around those companies. There is reason to be suspicious but they will also tell you that strictly going on a policy of banning Companies Rather than trying to create a system of standards that everybody has to meet is probably less defective. Another thing with this, peter, because trade and cybersecurity were so intertwined in the first part of these negotiations i just have to imagine that the Chinese Government look at it as the cyber aspects are just a piece of this, and maybe if we give the u. S. A little bit more over here they will not care so much about the cyber elements in a in a deal. And i think the Trump Administration in the weight encouraged that and the chinese were not quite sure where the lines were. You probably do want to leave some uncertainty in the negotiating process to maximize your leverage but im not sure this was the most effective way to go at cyber. Again, there are plenty of issues between the u. S. And china but there also were as you mentioned some commonalities. I saw on the Forbes International list that the chinese now have more companies than the u. S. Does, the top 500 internationally, the Largest Companies internationally. When the book was published the u. S. Was still narrowly in the lead but now the chinese had eclipsed that. As i say in the book these Chinese Companies all have boards of directors. They all have shareholders. They all have responsibilities beyond what we perceive to be their responsibilities and obligations to the Chinese Communist government. These are also businesses and they have their own hackers and plenty of them and so the face some similar challenges which could create that Common Ground to begin working toward Global Standards. The chinese might be interested in that kind of approach but we have been on a path where we are aiming to drive Companies Like huawei out of the u. S. Market, and with some justification. We really focus our International Efforts on persuading allies in europe and asia to go along with us on that, and for them to ban wildly as well, for instance. Which is fine but its not really creating a Global Coalition or Global Alliance around a specific set of principles. We want to get this company out and in which all the evidence is that we really want to knock them out, that cup win the biggest Chinese Tech Companies that Company Trust betrayed aspect to that, as they are a competitor and it would be in some ways the equivalent of a foreign powers saying we really want to take down ibm or General Motors im not entirely convinced of the efficacy of that approach. Host in fact, you quote senator ben sasse republican from nebraska saying chinas main export is espionage and the distinction between the Chinese Communist party and Chinese Private sector businesses like huawei is imaginary. Well have a few minutes left, mr. Mitchell, and i ask you about one of your recommendations, which is that a white house coordinator and powered by the president is a cinch it when to cybersecurity. Guest right. And i would say that the decision in 2018 to get rid of the white house cyber coordinator was, that was a mistake i think and a lot of people in the business community, the security community, and others agreed that that was a major mistake, that it was a john bolton decision but the president acted. The president hasnt moved to replace that position and, in fact, there is language in one of the annual house defense bills to create Even Stronger version of that, a National Cyber director, and the white house emphatically opposes that. Why is it important . Were a number of reasons. For one thing it signals to the government, it signals to the american citizens and it signals to the world that cybersecurity is a top priority. For another the issue is so dispersed as i mentioned at the very beginning it catches on every domain. Pics every department in government has a take on this. And also as a point of engagement for the international community. I have heard this repeatedly since the was abolished that foreign partners are not sure who they are supposed to talk to. They are not sure the level of which the official, you know, the authority of the officials they are engaging with, they are not sure how much authority to have. I would also mention that a relatively highpowered state Department Cyber coordinator position was eliminated also early in the Trump Administration. So this whole factor of engaging with foreign allies has been really affected by this. I think youre going to try to drive Global Action on cybersecurity, you need the structure internally. You need the structure within your administration to pull all things together, speak in one voice. Thats something that is been missing. Host do you foresee a potential Cabinet Department for cybersecurity at some point . Guest will be interesting to see in the second term. I dont think the Trump Administration would do that. I think there is a chance that they might come along with the cyber director position in the second term. I think if there is a biden administration, unless you would get to the point of having an entire department but in light of some the controversy over the use of dhs officers in the protests recently there has been a lot of chatter about getting the cyber agency either out of dhs and standing up as a completely independent agency or at least ensuring its independence and autonomy more so than it is now. The cyber work at dhs has always gotten a lot of very, very high praise and these folks are professionals and to doing good work. But they are in a department that is just perennially in the political spotlight. It is always being buffeted by political winds. And so a lot of people who spend a lot of time trying to build up dhs over the years and then trying to specifically build up this cyber agency and expressed deep concern that the politics that i just infected the department or overwhelmed the environment around the department can only have a negative implication for the cyber agency. So i think that theyre there h could be efforts regardless of who wins the white house to create a more robust and independent agency for cyber, on the one hand, and i think that probably would be pushed more by a biden administration. Host Charlie Mitchell is the editor of inside cybersecurity and he is the author of this book, cyber in the age of trump. Thanks for being with us. Guest thank you, thank you. I enjoyed it. Are camping 2020 coverage continues with candidates campaigning and debating. Cspan, unfiltered view of politics. Jill biden and President Trump are both on the campaign trail today at the former Vice President makes the stop in toledo, ohio, where he is expected to focus on the economy. Lets live at 1 15 p. M. Eastern. The president heads to florida for his first public event outside the white house since being treated for coronavirus. Thats live at 7 p. M. Eastern in florida to give much both rallies on cspan2, online cspan. Org or listen on our free cspan radio app. All 435 house seats are up for election in november. According to the Cook Political Report only 91 are competitive. When is the new jersey second Congressional District incumbent Jeff Van Drew who switch parties from democrat to republican last december fac
vimarsana.com © 2020. All Rights Reserved.