Contractors and federal managers agree: It is difficult to keep up with all of the cybersecurity rules and regulations.
The parade of new proposals never ends. American University has a program that might help. It is a series of online discussions with people who know policy. For more, the Federal Drive with Tom Temin spoke with American University senior lecturer Dr. Sasha Cohen O’Connell.
Interview Transcript:
Tom Temin: I should say you’re not just a lecturer there, but you host podcasts that talk about cybersecurity policy. How do you keep people awake through that?
Sasha O’Connell: Oh, it’s more exciting than you might think. Of course. Yes. A brand-new podcast series in partnership with our colleagues both at CrowdStrike and Wylie Ryan.
Tom Temin: All right. And I guess the bigger question is, what is going on that people need to go out of their way to get more understanding of cyber regulations? They just seem to be like tulips popping up everywhere.
Sasha O’Connell: Absolutely. Even in my time, I’ve been back at American University full time for five years teaching U.S. cyber policy, and I was just saying to my class yesterday, the blooming, to keep your analogy, in terms of activity on the government side around cyber policy is just an explosion, and it has really impacted the way I teach. I think a couple of things drive that. One is, of course, the threat and the changing nature of the threat, both nation-state actors and criminal actors, and that increased activity over time. Not new, but continuing to increase. In addition, I think there’s a change in leadership in government over time, folks who are perhaps more up to speed on these issues and able to make decisions in both the executive and legislative branches. And then I think, frankly, some political will, right, given the nature of the attacks we’re seeing, to act and to think about it. So, we’re starting to see that across government. And that’s generating a lot of conversation and need for educational materials, which is what brought us to the podcast.
Tom Temin: Plus, the publications of regulations and policies themselves can be daunting. CISA, for example, just came out with a new rule on incident reporting for small businesses. Nobody knows who’s affected by this, but the rule was something like 500 pages. That’s a dense 500 pages. That’s part of the challenge, isn’t it?
Sasha O’Connell: Absolutely. I think it’s in the 400s, 447, in the most recent call for comment, the NPRM around CIRCIA, which I know you guys covered last week as well. Absolutely. It is daunting. This whole theme of incident reporting is actually our first topic of the podcast. Because whether it’s the new SEC rule or rules coming out of CISA on the heels of CIRCIA, we know that folks need some context, right? They need some history, some context, and some materials that sort of, we call it “start here.” Right. A place to start to understand the context of these issues before you start to dive into all the details. And we also know that there are new people working in this space, or people for whom these topics are new, and they need some primers and access to that kind of information. And that’s, again, the impetus for this podcast. And incident reporting is exactly where we start.
Tom Temin: And so much of the cybersecurity discussion, coverage, articles, media pieces and so forth concerns cybersecurity practitioners and how to stay ahead of threats, understand the threat environment, responses, and all of these cyber operational things. So, do those people need to be better versed in policy, or who is it within an organization that should be versed in policy, even if they’re not coding the next counterattack type of thing?
Sasha O’Connell: This is exactly one of the changes that’s happened at the moment, sort of in the last five years. It used to be the job for the FBI, you know, the precursor to CISA, NPPD, CISA folks for whom cyber was their day job. But now I like to say it’s truly cyber for all. Right. Certainly in government, if you work at HHS, as we saw with the most recent hack relevant to the health care system, or if you work at EPA and you’re worried about clean water, as we’ve seen in recent warnings in that sector as well, there’s really no spot in government that doesn’t have a cyber policy component to what they do. At a minimum, they’re responsible for protecting their own data, right? The data internal to those departments and agencies, or on the Hill, if you think about the data managed there. And then there’s that piece within. There’s the external, interagency, you know, bigger-picture policy piece that focuses on the customers of these departments and agencies. Right. And there are equities and authorities across the board.
Tom Temin: We’re speaking with Sasha O’Connell. She’s senior lecturer at American University and host of a podcast series on cybersecurity policy. And I wanted to ask you about, maybe based on your experience, we should note, long-term at the FBI before coming to academia and so forth, where you were involved with cybersecurity policy. Often the complaint comes, especially from industry but also from government practitioners, that there seems to be, let’s say, a want of coordination of policy creation among the federal entities themselves. Is that an issue that you cover, and do you feel that is an issue?
Sasha O’Connell: Yes, of course. Better coordination and deconfliction. It’s something that’s always being worked on. As you mentioned, I spent about 15 years at the FBI, and one of my last roles was to stand up and lead a new office that was facing the National Security Council to work with the White House on those policy issues where the FBI had equities. And through that NFB process, that many of your listeners I’m sure are involved with, is that effort at coordination. You know, especially now in an area like cyber where there’s so much growth and population of use and the blooming of interest in regulation and legislation, convenings and voluntary standards, it is more important than ever through those processes that those things are being coordinated in cyber as well. We see a ton of activity at the state level. So, all 50 states have their own victim notification laws, for example. And that’s something that Washington, and I know the Biden administration, is super aware of and working hard on, both here in the U.S. and also relevant to our international partners, making sure that global companies have those kinds of crosswalks and deconfliction information and, where possible, that things are reconciled, because it is a huge challenge.
Tom Temin: And it’s also true that the number of agencies is kind of spreading. I mean, you’ve got DoD and many components there, and a couple of different components of Homeland Security, the Justice Department. But now the FTC, the SEC, the FCC, everybody seems to be, maybe even the FAA, jumping into cyber and cyber policy. So, it sounds like this is something that’s not going to go away, is it?
Sasha O’Connell: No. Absolutely not. In my classroom, I use the bubble chart from the early 2000s, which maybe some of our listeners remember, a PowerPoint that we used to walk around and show roles and responsibilities in cyber, and it had 4 or 5 agencies. And then there’s a great 2020 GAO report that shows a nice graphic of all the departments and agencies with cyber responsibility. And I think it’s about 25. Right. So, your point is super well-taken. And again, it really is cyber for all. And again, why we think this need to fill the gap in terms of foundational educational materials is so important, both for current leaders in government and for future leaders studying cyber now.
Tom Temin: And what about the contractors? It would seem that they need to keep on top of this. I think they know they need to, because the implication is not simply that you will lose data or get hacked and all of this, but then you’ll get hit with the False Claims Act, for example, or in the case of the SEC, they would like to, you know, arrest you and pillory and fine you and so on. I mean, it’s dangerous territory, isn’t it, for contractors, companies?
Sasha O’Connell: 100%. And it’s particularly relevant because one of the levers, you know, that the executive branch has, in terms of being able to raise the bar in cybersecurity, is, of course, through contracting. Right. And the standards they set through those opportunities. So, absolutely, this needs to be front of mind for all government contractors, to keep an eye on that, because it is a place where there is a lot of activity and change going on. Absolutely.
Tom Temin: And just quickly, from the standpoint of being at American University, is this an area where you see growth of interest among incoming students?
Sasha O’Connell: 100%, so much so that in the last three years we have created a graduate certificate, a non-technical certificate, specifically in cyber policy and management. So, when you come, perhaps for your master’s degree in public administration, thinking you want to be maybe a city or town manager, we now have that opportunity. Right. Because if you don’t get a little something, the four corners on ransomware, for example, before you head out to lead, even at the state and local level, let alone the federal level, it’s really a huge gap, both in terms of getting jobs and being impactful when you get there. So yeah, we see the demand at both the undergraduate and graduate level. And again, at AU, we’re specifically focused on that policy piece, that intersection of the law with the technology, with the functionality of government.
Copyright © 2024 Federal News Network. All rights reserved.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.