After SolarWinds breach, where do we go from here?

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The federal government has a big data loss problem and a reputational black eye from the recently-discovered Russian cybersecurity attack successes. A longtime federal cybersecurity executive, most recently at the Department of Homeland Security, has a few ideas about what the government might be able to do next. Keith Trippie joined Federal Drive with Tom Temin to discuss.

Interview transcript:

Tom Temin: Mr. Trippie, good to have you on.

Keith Trippie: Hey Tom.

Tom Temin: So what did the government do wrong here? I mean, all of these years of cybersecurity policies, laws, directives, executives parading through, I’ve watched it for 20 years — and it’s almost as if they had done nothing or am I missing something?

Keith Trippie: Let’s be clear, we’ve spent billions on this. And this is our cyber 9/11. This is the wake up call. This isn’t just a wake up call for the politicians, this is a wake up call for CEOs of companies to federal agencies. We have spent so much money Tom, and one of the risk areas that we in the government, when I was there and since I’ve left, have not focused on is what is the supply chain risk. We’ve talked about it, there’s been a bunch of academics that go away for three weeks, and they write a paper. But there aren’t the hard and fast rules. So what are our, for lack of a better term, what is our cybersecurity doctrine for the United States? What is if somebody hits us, whether it’s a nation state or criminal enterprise, or just somebody that got lucky that knows how to hack, what is our policy? Is it mutual destruction? Is it same force? Is it domino theory? Is it the strategies that we’ve used in kinetic conflicts? We don’t have that yet. And I think in a vacuum, you get the sort of testing for what it looks like Russia was doing. They test, they see how far they can go.

Tom Temin: Microsoft had an interesting reaction to the whole thing.

Keith Trippie: They did. And I tell you what is fascinating about what they did is, I would argue, they went further than most companies I’ve seen in responding to this. Part of it was they got a taste of the medicine, right? They were impacted by it. So they were, I would argue, incentivized to take actions. And one of the things that they did was they did a bit of a takedown service, like they went after the domain, that was in theory, talking with some of the servers in these organizations, and took it out, took it over and then was able to get intelligence about who were potentially the Russians, who were they communicating with? What companies did they attack? What did they successfully get access to? So that sort of action is really one of the first steps I’ve seen a company take. And I’ll be honest the American in me says, great, go get em Microsoft. The Homeland Security veteran in me says, well wait a minute, what are the implications if we have a private sector company edging into what most people would think that is a federal government response? So we really need to think about what is our doctrine? What is the roles that a large US corporation can take if they’ve been attacked? I don’t think that’s answered yet. So that’s what’s fascinating about what Microsoft fractions.

Tom Temin: Well, shouldn’t Homeland Security then have done this and say, alright we see now where this is coming from, just unload everything we’ve got on them. And we do have some offensive tools, everyone knows that.

Keith Trippie: Great question. So again, we’ve spent billions. We had someone that used to run the cyber organization inside DHS just three weeks ago say was the most secure election that we’ve had. At the same time reports are coming out that this same software that was hacked was potentially used by one of the election software voting machine system companies. So I don’t want to say asleep at the switch, I would want to argue that our civilian and military side meet together and figure out what is your response? And what is my responsibility to pull back US companies from doing a lot of this? And I think, whether it’s on the military side, if it’s overseas, or if it’s conus, in the United States, Homeland and FBI, need to probably have more of a leadership role to take those actions and maybe take that server over. Why did we do Microsoft to do it? We’ve spent billions of dollars, we have the Einstein network, and I’m sure some of your audience considering that you talk to everyday is aware of what this is. We spend billions, what good does that do us? Nine months, this has been going on and we had a private sector company find the problem. It wasn’t the US government.

Tom Temin: What about the fundamental problem that no matter what billions we’ve spent, and what policies we’ve had, federal systems are still apparently inherently insecure?

Keith Trippie: That’s a great question. So I’d love to get into that. So a couple of things in federal contract. Part of the problem is a lot of federal agencies look at cyber as what happens at the end of the line right before the system goes live. Throw some security on there. That is wrong. The concept that the federal government hasn’t adopted yet is cyber by design. That’s where you embed cyber all the way over from planning and budgeting all the way through the contracts process. Just so for example, all of these federal agencies that got whacked, what is in their contracts that says that they can pay, either A, take legal action against this company, or be assigned financial penalties, there isn’t. The federal government signed contracts with all of these software and hardware companies. And there’s no contractual language that says, should you be sloppy, and get hacked, and it impacts us, we’re able to financially penalize you, and all of the financial costs associated with the cleanup, you’re going to pay that. None of our contracts do that. And federal government pays almost 50 to 100% more than what you typically get in the commercial market. And so we can’t figure out a way to add that sort of cyber protection language into our contracts. That is one of the first things that I would do, because if you did that, and say, you added a clause that said, hey CISA, you offer auditing services. So you have three to six people that can come in and assess your technology. Why are we buying software from in the United States and outside the United States, that doesn’t require, say, a service organization to go in and fully vet the software on a quarterly or at a minimum, an annual basis, we don’t do that. We don’t even require that. We offer guidelines. CISA offers it as a service, if you will, for free, but none of these companies are, A, forced to do it. And two, none of them want to do it because they don’t trust the federal government to protect their data, number one. And number two, keep them from being assessed liabilities, if they are hacked. You’ve got these different challenges all happening at the same time that the federal government’s got to step up here. I mean, this is our 9/11 in the world of cyber, they have got to take action.

Tom Temin: But what you describe is a compliance and penalty approach. And that might be some of it. But what about the design of the federal systems themselves? What’s been happening on that front such that they are so easily hackable the supply chain can’t hold up?

Keith Trippie: Well, what’s interesting about this was right, this is true Trojan horse, right. So it was a company that was a company that’s selling to the government for years, was hacked, in their supply chain. So the federal government, when they do a patch upgrade or an upgrade to that software, they willingly allow the malicious code into their network because it was inherently trusted, because it means you will have as a trusted company. So that problem would have been found right away by say, an Einstein if you will. But we need to be able to say that when we’re running our updates and scans, we’ve got a scan that, when I say we the government, has got to be able to scan all of that software, before it gets added to your servers to help identify and look for things like backdoors, which is what it looks like these guys, if it is the Russians, put into the software code that they upgraded. And so we all just willingly upgraded and don’t have the security check as part of that process. I would bet a year from now, every federal agency will have that on all of their software. If you think that the Russkies if they really did this, if you think that they just said, I’m going to pick some company in Austin, Texas and I’m going to hope that my strategy works and it’s going to get into thousand of agencies and companies. No, they’re trying that and probably been successful with other software and hardware companies. We’re just all focused on this one because it’s the shiny object. But if we think that these companies or these nation state actors just tried one company, no.

Tom Temin: And you have probably been watching in the course of consulting with different companies since your federal career, looking at the Cybersecurity Maturity Model certification system, which is very, very much in its infancy at this point — do you think that holds promise for the future?

Keith Trippie: Yeah, I mean, I kind of look at it like this — so when I think of that model, I look at it and say, okay when the underwriters laboratories came around years ago, no one when they plug in a lamp to the wall are they worried that it’s going to burn down the house because of that UL stamp on the lamp. That’s great. We don’t have that in cyber, we don’t have anything close to that. So I think this new model that’s been developed is promising. But until it gets fully implemented and ingrained in commercial entities that build software and hardware, fully ingrained into federal agencies, but we’ve got people that are in IT, that have been in this game a long time and they do business a certain way. And you have the young wave of talent coming in that says, Well, why did we do it this way? And they’re not thinking about cyber. They’re a little bit more focused on on building apps. So what you’ve got here is kind of a challenge in the workforce. Are you really recruiting the right individuals to be building systems and deploying systems in the federal government? So you’ve got some old greybeards that are used to building it one way and the new whippersnappers that are only focused on building apps as fast as they can. You don’t have a culture of cyber DNA yet in the federal workforce. So you can come up with a standard and you can talk about it, but who’s implementing? Which CIO is going to divert funding from pick a mission project and put it into cyber. It’s very hard for them to do, a lot of pressure from senior leadership at an organization that says you make sure that this new system that supports some regulation gets implemented. Well, it’s a trade off, you can’t do everything. So when usually things could sacrifice, cyber sometimes is on the chopping block early. And I think that mentality has got to change.

Tom Temin: And while we have you since your federal career, you have become an author.

Keith Trippie: I have. I’ve got a little bit of free time over here in Indonesia now. So nights and weekends, gives me something to do. And I tell you, it was a sort of a thoughtful reflection on over a decade in the federal government, kind of seeing how the way things work. I came up with this concept, and Tom it’s a little out there, right. So the name of the book is called the Forgotten American. But the subtitle is called prosecuting a RICO case against the US Congress. And so the question I asked myself is, are US citizens unwitting co-conspirators laundering violations by the US Congress, kind of a big topic, a heavy topic. But if you go back 100 years, and you go forward over the past several years, we have implemented taxation that violates the Constitution. We spend outside the 18 enumerated powers. McConnell and Pelosi have just agreed on yet another $900 billion that are outside the 18 enumerated powers. And then the backside of that money laundering conversation is, how does the money come back in to the politicians? Well, through campaign finance. You and I just watched one of the craziest elections of all time, and more than $14 billion was spent on electing a bunch of politicians. Why would people spend $14 billion to elect politicians? So this book is written as a courtroom drama, it’s a fictional drama. And it’s fun, there’s some comedy in there. But the concept that we’re trying to make is or the case that I’m trying to make is, is the Congress performing money laundering and RICO violations against US citizens. And having worked inside the government for 10 years, I saw things that made me ask those questions.

Tom Temin: Alright, well we’ll have to find the answer to the trial and when we read the book. Keith Trippie is former DHS senior cybersecurity executive, now in private consulting. Thanks so much for joining me.

Keith Trippie: Thanks and stay safe.

Related Stories

Comments

Sign up for breaking news alerts