Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
The House and Senate are working to reconcile two bills that would in part move along the cause of cybersecurity in the United States. Both bills, the U.S. Innovation and Competition Act and the America COMPETES Act, passed the Senate and House respectively. For some of the good potential fallout, the Federal Drive with Tom Temin turned...
The House and Senate are working to reconcile two bills that would in part move along the cause of cybersecurity in the United States. Both bills, the U.S. Innovation and Competition Act and the America COMPETES Act, passed the Senate and House respectively. For some of the good potential fallout, the Federal Drive with Tom Temin turned to the senior fellow at the Foundation for Defense of Democracies, retired Rear Adm. Mark Montgomery.
Tom Temin: Adm. Montgomery, good to have you back.
Insight by Verizon: Is DoD ready to go primetime with 5G? Not quite. But the Defense Department is prioritizing projects, tests and use cases that will lay the foundation for wide 5G adoption sooner rather than later. We talk with Air Force, U.S. Army Corps of Engineers and DoD leaders to get the 411.
Mark Montgomery: Real pleasure to be here. Thanks for having me.
Tom Temin: And we should also point out that you are deeply involved with the Cybersecurity Solarium Commission, and this is something that has done its reports and so forth. Just before we start, what is the status of that commission these days?
Mark Montgomery: Thanks for asking, Tom, the commission sunsetted at the end of last year, but the four congressional commissioners and the five remaining non-congressional comissioners so that Sen. Sasse (R-Neb.), Sen. King (I-Maine), Rep. Langevin (D-R.I.), Rep. Gallagher (R-Wis.) wanted to continue to draw, shine a light on some of the issues that we had developed. So we set up a 501(c)(3), to continue to discuss cybersecurity policy recommendations that need to either get through Congress or get to the executive branch to more soundly protect our critical infrastructure. You know, as if by magic, the Russian threats to our cyber infrastructure that have come two months later, are proof that we now know, we need to continue to keep the pressure on and keep our critical infrastructure more secure.
Tom Temin: And Rep. Langevin is leaving Congress, will he still stay active in this field, since he’s been such a great spokesman for cyber as part of the nonprofit?
Mark Montgomery: I think he will in a number of ways. And I think he will through us, you know, he’s got one more good, I try not to think about this, because he has one more good legislative cycle in him. I’m hoping he’s got a lot of silver bullets out there. And we can get a lot done. But, you know, he spent the last 20 years in Congress as really the singular cybersecurity legislative guru. And so I don’t think he can walk away from all that experience and all that knowledge. So my suspicion is he’ll continue to play a pretty significant role in cybersecurity legislation over the rest of the decade.
Tom Temin: And you can get a better lobster roll in Rhode Island than they can in Washington. So there’s that. But let’s get to these two bills, the U.S. Innovation and Competition Act and the America COMPETES Act, both passed. This reconciliation, if they can do it, what do you think will be the benefits in terms of cyber?
Mark Montgomery: I think for you know, the first and foremost, I do think getting, you know, the both bills have a pretty clean $52 billion, but essentially, the CHIPS Act, you know, establishment grant program to support domestic semiconductor production. So I think that’ll get done. You know, that’s not a direct impact on cybersecurity, but it has a lot to do with developing a secure supply chain. So I’ll set that aside for one second, and it’s a well, that’s a big part. Cybersecurity is embedded in a nearly a dozen small provisions in there. Both bills seek to, you know, rectify dramatic shortages in the federal cybersecurity workforce. They invest in STEM education. They both create rotational cybersecurity positions for federal employees. One dear, near and dear to my heart, the House bill expands appropriately, a program called CyberCorps Scholarship for Service. That’s a critical ROTC like program for the workforce. And it was created about 23 years ago, and it’s expanded out to about 500 students a year, it really needs to be about 1,000 students a year to meet the kind of federal demand for people with this kind of skill set a cybersecurity degree, from a two year, four year college.
In the workforce area if these bills get complete, you know, if these provisions are pulled through in the conference into the final bill, we will actually have made a significant impact on the federal cybersecurity workforce. And believe me, you don’t get to say that in a positive way too often over the last two decades.
If I can mention, one other area that the Senate bill has a very important provision on codifying a national risk management cycle. This is a critical recommendation from the Cybersecurity Solarium Commission, we actually have to look at the risk as it’s aggregated across all the sectors energy, finance, telecommunications, water, etc. That we passed into law last year in codifying the sector risk management agencies. But we also have to make sure that CISA the Cybersecurity Infrastructure Security Agency, at the Department of Homeland Security, who’s kind of that, you know, the quarterback of the team, so to speak for federal cooperation with the private sector, has the right authorities and structures and planning cycles to aggregate all this risk across sectors and understand what the national risk is. What are those places where we have to place investments or we have to require certain expectations from the private sector? In order to ensure that we can prevent or if it happens rapidly respond from a significant cybersecurity event.
Tom Temin: We’re speaking with retired Rear Adm. Mark Montgomery, senior fellow at the Foundation for Defense of Democracies and former adviser to the Cyberspace Solarium Commission. And that point about codifying in law, the agencies that correspond to the critical infrastructure, that really completes something started almost 20 years ago with the establishment of DHS, and the corresponding sectors. But it’s always been a policy, then, not something in law.
Mark Montgomery: You’re absolutely right. In fact, I worked at the NSC in 1999 to 2001 on counterterrorism and critical infrastructure protection. And we wrote a Dresidential Decision Directive 63, international infrastructure assurance,
Tom Temin: I remember it well.
Mark Montgomery: Slightly pre-9/11, you know, saying, hey, we need, I think at the time, we identified eight sectors, now it’s up to 60. This is the government, we have to obviously grow, it’s up to 16, or probably 17, or 18. In fairness, I understand why they’re 16 sectors, you know, some things we hadn’t thought about back then that have become integrated into our network, you know, and therefore cybersecurity vulnerable. But you’re right. Here’s the other problem. 23 years ago, we said, this is the level of support the government should be giving these companies. This is the expected cybersecurity that government should be expecting back, we talked about that compact between the public and private sectors. 23 years later, the government has not done a good job making threat information, threat signatures, adversary tactics, techniques and procedures, easily available at kind of the speed of data for the private sector, companies that are the targets of the cybersecurity attacks by and large. So the, as much as we can criticize businesses for not making the appropriate level of investment in cybersecurity with some obvious exceptions, particularly the large U.S. banks are in pretty good shape. As much as we can criticize the business sector for that, we also have to remember that in the government, we haven’t held up our side of the bargain, either. And I think we’re at that point now where, you know, we can’t, it is no longer in the national security interest to continue to stumble along.
Tom Temin: In other words, the government really doesn’t have a good, I guess you’d call it situational awareness of the cyber picture of the nation?
Mark Montgomery: I think that we have an incomplete picture, we have a pretty good picture, obviously on the .mil, what’s going on with military networks, maybe the intelligence communities, and some select private sector ones where we’ve established relationships. But the vast broad majority of what you call the attack, the attack infrastructure and where the adversary might come at you, no, we don’t have an appropriate picture.
Tom Temin: And I wanted to get back to that supply chain question and the indirect effect on security there with the $52 billion for the semiconductor industry. Just I guess, rhetorically, but how did the country get to the point where a nation that invented the transistor, and then invented Silicon Valley was actually Silicon Valley and not code valley, we had a robust world leading semiconductor industry, we lost memory, but we had everything else. How do we get to the point where we’re subsidizing it now?
Mark Montgomery: First I’d want to acknowledge that we still are the leaders in the entrepreneurial development of software. You know, I, more than 50% of the software startups around the world that have value come from the United States,. Another 25%, probably from our close partners in Israel. And those companies tend to come over here, and the successful ones, that they can scale and become part of the U.S. kind of ecosystem. So we’re doing really well in that kind of software investment. And, but the other flipside of the stories, which you mentioned, which was, you know, if you go back 25 years ago, we had that same dominant position, in IT hardware development. And that has, by and large, migrated out of the United States, there’s a, I’m sure there’s a number of books written on this. And I imagine some of the reasons to be given are along the lines of this was a harder sell to venture capitalists. You give me your money, and instead of waiting like a year to see if I’m, if I start to become successful, and then you give me another seed round, another round and another round, let’s wait about three and a half years, between rounds and come back. And I just, I don’t know if we necessarily had the right patience, when a lot of this was slipping overseas from 2003 to 2012. I’m not sure we assessed where it was going as placing us at risk. And I’ll say explicitly, I don’t think this development happening in Japan or Korea or Taiwan, or some other Southeast Asian countries, that puts us at risk. Happening in China, puts us at risk and not everything being done in China puts us at risk. I’m happy to get my sneakers from China. I’m not happy to get any microchips or electronic gear that goes into my long range anti-ship cruise missile from China, so I’m going to separate those. But in that context, I think we allow this to slip overseas and that at the same time, the cost of these units became exorbitant. So you let something slip. And then in the case of the microchip, the foundries, the price became exorbitant, and now to reassure it, you know, it kind of brings you to a bended knee.
Tom Temin: Well, we’ll see if Congress goes through with that. And then maybe we get some of those plants back. They’re quieter than Bitcoin mining farms anyway, and probably better neighbors for people. They do use a lot of water. Retired Rear Adm. Mark Montgomery, a senior fellow at the Foundation for Defense of Democracies, and former adviser to the Cyberspace Solarium Commission. As always, thanks so much for joining me.
Mark Montgomery: Hey, thank you very much, Tom. It’s been a real pleasure.