Resources
Key Questions
- What are the main federal Executive Branch activities that relate to cyber?
- What is the regulatory role of federal cyber agencies?
- What legal role do federal agencies play in regulating cyber incidents?
- How do various federal cyber agencies coordinate their regulatory activities?
- What are the most important levers and tools used by the executive branch in cyber policy?
- What is the public engagement role of the executive branch in cyber policy?
Transcript:Ěý
Sasha O’ConnellWelcome back to Start Here. My name is Sasha O'Connell and I'm a Senior Professorial Lecturer and Executive in Residence at Â鶹´«Ă˝. In this series of podcasts, we provide a framework for analyzing foundational cyber public policy questions to include previous episodes on topics ranging from incident reporting to ransomware and what to do about it. For this episode we are again, going to take a bit of a different approach and instead of being topic-based, this is the third in a sub series of five episodes where we're looking at the players who have a role in cyber policy, with a focus here in the U.S. and we're walking through six aspects for each of those players. One, what their role is, two, what their structure is, three, what tools and authorities they have, four, where they tend to play in the policy space and five, recent trends in terms of their priorities and six, lastly, how stakeholders-be they from any aspect of the private sector, academia, civil society, et cetera, can engage and have their voices heard with those leaders. For the last episode, we dug into these aspects as they relate to the wonderful world of internet governance and today, we're going to turn our attention back here, specifically to the United States, to the current configuration of the Executive Branch and how it, specifically, is positioned to address cyber and cyber policy. To work through the ins and outs as usual, I'm again joined today by Drew Bagley, Vice President Council for Privacy and Cyber Policy at CrowdStrike and Megan Brown, a partner at Wiley and co-chair of the firm's Privacy, Cyber & Data Governance practice and I should say we are recording in-person today at Wiley; so it's fun to be together!Ěý
Good to see you guys! So fun. Okay, let's get to it and jump right in. When it comes to the Executive Branch in cyber, I think the foremost place to start is how much change we've really seen, certainly in the last ten years or so. I know when I teach, I pull out the, I guess it's 2010(ish), bubble chart titled U.S. Federal Cyber Security Operations Team Roles and Responsibilities. I know you guys have seen that as well. I saw it live and in person when I was in government. Some might remember that's a PowerPoint slide we literally used to carry around with us and share in the inner agency to explain the kind of who's who in the Executive Branch. So fast forward to today, or relatively recently, there is a really nice 2020 GAO report titled Key Federal Entities That are Responsible for the Nation's Cyber Security and the thing here is that back in 2010, there were about three departments listed in that bubble chart, and of course today the GAO report from 2020 at least, lists seventeen. So that kind of change is obviously super important and something we can try and walk through a bit. In addition to blooming in terms of just numbers, the roles and responsibilities today are commensurately much more expansive than they once were. So, I think we might start with some very basics in terms of their priorities and that being resilient team, maybe at DHS and DOD, and maybe we can talk too about some intrusion, responsibilities, investigation, and prosecution at DOJ but really it is cyber for all in the executive branch.
Yes, Megan, I know you're, you're in deep with many of these functions. Do you want to kick us off?
Megan Brown
Yeah, absolutely. So, I think you captured a couple of the main federal Executive Branch activities that relate to cyber and I can address, kind of, who's doing those things, but another big piece of what's going on in the Executive Branch is a move towards regulations. So, I don't want to leave out some of those agencies, but yeah, sort of jumping into the resiliency piece that you teed up, you've got CISA, right. CISA is within DHS, but it's its own entity. It is focused on national resiliency. It considers itself the hub for getting information out to critical infrastructure. It's also kind of the cyber point agency for the federal civilian agencies, the non-DOD part of the house when another federal agency has a cyber issue or DHS says there's a problem. They can issue binding operational directives that tell agencies what they have to do to secure their systems. So that's a really key piece. CISA, they're partnering with a bunch of regulatory agencies as well and so lots of activity coming out of CISA.
You've also got sort of when it comes to protecting the federal government's data, as I alluded to, CISA has a role to play there, as do the Federal Chief Information Security Officers, and you have a main Federal CIO, and then you've got CSOs across the different agencies. They're responsible for complying with things like FISMA and FedRamp and the things that Congress tells the government it has to do to protect civilian citizen data and government functions, which are constantly under attack from nation states as well. There's a lot of GAO reports, I will point out that, that think that there remains a lot of work to be done, but that's a big piece of it. You've got Cyber Crime and Cyber Intrusion Investigations and Prosecutions, which is, you know, Sasha, your old stomping ground at the FBI, the Department of Justice, the Secret Service, DHS also investigates a lot, there’s HIS, you've got the U.S. Postal Service and a whole bunch of different entities that have a role to play in investigating cyber crime and cyber intrusions that doesn't get into the DOD side of the house, which Drew might want to chat about later.
There's some, and then I think I'll pivot now to kind of the regulatory piece of it; some people would think of this as kind of the consumer protection type bucket of what the government functions would be. You've heard loud and clear from the White House telling the Executive Branch to go forth and make regulations and to understand a key differentiator within the Executive Branch there's two flavors of agencies that have role to play, or can have a role to play: there's independent agencies and there's executive branch agencies and that will become important to a whole bunch of policy disputes down the road but suffice it to say, the Executive Branch ones are the agencies like DOJ, DHS, Treasury that are directly responsive to the President. The independent agencies, theoretically, are insulated from that political control and here we're talking the Securities and Exchange Commission, the Federal Communications Commission, et cetera. The last agency I'll plug is within Department of Commerce, a super important player in the cyber policy and technical standards role is NIST, the National Institute for Standards and Technology, absolutely critical doing tons of things for the past more than ten years. So, I think that's kind of the whirlwind tour of the Executive Branch and some of its functions related to resiliency, standard setting, and investigations.
Sasha O’Connell
Absolutely, and you touched on too, that protection of federal data too, right, we always talk about, in addition to these externally facing roles and responsibilities, every department and agency is responsible for their own data and then some departments and agencies are responsible for helping all federal agencies elevate their game in that regard and then I think we talked about it briefly, but just to put a little bit of a finer point on that within all of those, as you mentioned, Megan, there are priorities. You can't do everything, so the Executive Branch and we talked about the White House last time, a focus on critical infrastructure, right, when everything else being equal, a place to start there in terms of resiliency and in terms of investigations, as you mentioned, a focus on strategic nation state adversaries and nation state actors.
Okay. That's a lot of things. Drew…
Megan Brown
One more thing…
Sasha O’Connell
Yeah.
Megan Brown
I would be remiss if I didn't also note that the last role that the government has to play is in, as you said, Sasha, sort of protecting its own stuff. It does that not just through regulation and what CISA does, it also does that through federal contracting and so we've been watching and participating in many activities at the federal level to elevate and impose additional requirements on federal contractors; not just at DOD, but it's expanding dramatically across federal contractors and that can affect everyone from your traditional defense contractors, to the folks who help with Medicaid and Medicare and anyone who sells a widget to the government, so it's a broad way for the government to try and use that additional power to adjust private cybersecurity.
Sasha O’Connell
Absolutely! So it sounds like the Executive Branch is super busy with just that. Drew, are there other things going on or have we covered everything?
Drew Bagley
I think we covered it all…
Sasha O’Connell
We can go home. Okay, great.
Drew Bagley
So, I think it's important to when we think about, you know what the federal government's role is in cybersecurity, oftentimes what we're thinking about actually is coming from the Executive Branch rather than always needing a new law or a new policy to solve a cyber problem, sometimes it's a matter of the fact that crime has migrated to new electronic forms and we're thinking about how do we prosecute this? How do we, you know, ensure that adversaries are not able to leverage new means to commit old crimes and that's a lot of what we see the Executive Branch doing in cybersecurity, even where there are not necessarily bespoke cybersecurity authorities. So, for example, with DOJ, naturally, ever since there's been crime using computers, DOJ has been involved. A lot of that, of course, stems from what we've covered on earlier episodes with CFAA but even when we see some other forms of crime that deal with extortion where there can be other statutes at play, we see DOJ playing a big role in those investigations and prosecutions. We also see a lot with regard to the inherent and very unique authority of the government to be able to actually do offensive activities against adversaries. So, a lot of that naturally stems from victims being asked, what can we do to disrupt the adversaries? Why can't we hack back? and naturally the private sector entities can not do that for very good reasons, but that's where the government does have that unique authority to do take downs and sometimes are working with private sector partners to do those take downs, but then something that's very inherent to that government authority is when there are those offensive cyber operations that might be tied to either active kinetic conflicts, or might be tied to a more surreptitious means and things we never even read about in the news headlines and so a lot of that comes from the Executive Branch and that's where it gets really interesting where even what Megan was mentioning a moment ago with DOD - if you looked at DOD, DOD has aspects and responsibilities that are in charge of protecting its own data from adversaries also maintaining the integrity of the data so that other branches relying upon DOD data have information insurance, but then under DOD you have the NSA and the NSA wears multiple hats, including that of signals intelligence and being able to gather information that increasingly is in the cyber realm and not in the traditional over the year signal realm. As well as then being in charge of U.S. cyber command, they can't take these offensive actions and in addition to that, then there's softer kinder things like coming up with standards for workforce development, like the NICE framework, which I know you're very familiar with Sasha.
Sasha O’Connell
Yeah.
Drew Bagley
And then also there's that general convening authority we've talked about before where sometimes it can be used for these more formal things like a take down, but sometimes the convening authority, even if we're, you know, we talked about in the context of the White House, but other agencies can also get people together and shed the spotlight on certain cyber issues and even get voluntary commitments from different organizations that can move the needle forward, or at least get the conversation going on different topics, even in the absence of new policy.
And then in addition to all of that, I think the Executive Branch importantly also helps set the tone in the narrative on the messaging on what we see as a priority in cybersecurity and perhaps what might not be a lot of priority because there's a signal versus noise problem in all things in public policy and cybersecurity is certainly one of those realms that suffers from that as well and that's where I think that's really helpful is when the Executive Branch is able to kind of highlight certain topics and then that can get actually activity from Congress and even from the private sector.
Sasha O’Connell
Absolutely. So, in terms of role, I mean, as you guys laid it out, there's a lot. From protecting data to investigations, to work force standards, as you mentioned in the NICE framework to offensive operations and, in terms of structure, I think it can be really kind of complicated externally to understand where all that sits and I know even from me growing up, professionally at the FBI, I really didn't come to realize later how complex. Environment's gotten more complex in terms of players on the playing field, but even from the inside, it's hard to see. In particular, one thing I experienced was the internal separation between the National Security and Homeland Security agencies and then the more kind of commerce focused or consumer protection focused departments and agencies and the lack of kind of ability to make sure there's coordination across all.
I know, so when we think about structure, you hear the language â€team sport’ in cyber all the time from leaders in government and certainly the lessons learned around the task force model and applying that here seemed to be something that's a real focus of the Executive Branch. One example, of course, is the NCI JTF, which is that investigative coordination hub run by the FBI out in Chantilly, which brings together departments and agencies, federal, state, local, private sector across to make sure there is that coordination piece, but I know those things again, particularly across the kind of DOJs and commerce departments of the world remain hard to coordinate.
Drew, how do you see all that? Like how, you know, from your perspective, do these things get coordinated or what structure is happening and maybe what structure, question to both of you, should be happening in the Executive Branch around all this?
Drew Bagley
I think you know, on the one hand, I think many folks dream of there being one central place to go for all of these issues. On the other hand, cybersecurity, like anything else, is part and parcel of just everyday functions of all the other agencies and is going to be. So that's where I think that there've been two developments that obviously do not decomplicate things necessarily as much as we need but are at least a step in this direction in theory and so one is of course, the way in which CISA has been empowered to be a shared services provider to the federal government. Where then within the Executive Branch at least, you don't have every agency fending for itself and then in theory too, over time you can have the federal government leading by example with one set of standards for what they're even doing with cybersecurity and that naturally takes time but that's something where that's a key part of CISA's role in addition to CISA working with critical infrastructure providers and doing a lot of other things. And then the other is this notion of you know, for a couple of decades we've had some sort of coordinator role that's either sat in the White House or the State Department or both and now what we've seen is the formalization of both with the Office of the National Cyber Director sitting in the White House and then with the State Department Cyber Bureau taking on the cyber role there. So, right now we kind of have the first generation of a lot of these things and what's going to be important is seeing how they're institutionalized. How do these newer institutions maintain structure from administration to administration and as they get, you know new leaders in and especially in roles where they are political roles and you have people swapping out, will they be able to actually bring all the agencies together and coordinate? Even more so remains to be seen, but we at least have the infrastructure in place to start that journey and start that process because before that, because there was such a lack of coordination every administration saw the need for there to be somebody at least doing some sort of coordinating but it's interesting because you have coordination without the power of mandates and that's what it was like when it was a one person job, that's what it's like now when we have you know, a new agency within the White House and that's something that I think is going to remain challenging. Not to say that necessarily you want to give that office mandates at the expense of all these agencies that do have autonomous roles to play but just to say, it's a trickier thing to solve.
Sasha O’Connell
Yeah, and thanks for bringing up State Department. We didn't talk about that previously, but obviously the growth there with Ambassador Fick and then coming out of RSA for, if our listeners who aren't one of the 40,000 people joining us out there last week, the three of us were all out there, and weren’t on our flights to DC. It was really interesting to see the Secretary of State give a keynote. Really interesting to see that leadership on behalf of the Executive Branch being from the State Department. So to Drew's point, it adds another player sort of in terms of leadership that needs to be coordinated in.
So Megan, what's your thoughts on that? Is the Executive Branch organized as it should be, or, what do you think about where this is all heading?
Megan Brown
I mean, I will say I get a little frustrated by the multiplicity of folks who want to be out in front on cyber. It was great to see the Secretary of State out at RSA in a sense. At the same time…
Sasha O’Connell
Raises questions, sure.
Megan Brown
Right; what are you doing here? DHS is here in force and half of CISA was at RSA to roll out many of their varied initiatives. So, I think if it's being done in a thoughtful and coordinated way led by the White House, great, but if it's very fragmented, which right now it really feels very fragmented, then everyone wanting to be point on some aspect of cyber just strains private sector resources and presses, I think on that partnership model that I don't know if the listeners sort of, you know, we've talked about it in various of the pods before, but right, there's been decades of public, private partnership and collaboration that I think this administration has decided doesn't fit the bill. It's not enough, but I worry that some of this push, this pivot to regulation, is straining those partnerships; and another thing that will strain the partnerships is just, you only have so many people that are staffed in DC federal cyber offices of major corporations. So, you know, there's, there's only so much resource to go around to have people monitoring what State doing today? What's DHS doing today? So, I mean, I don't have a great solution of like, oh, we should reorient and restructure the federal government. I think the ONCD experiment is sort of still open and we'll see what people think of that in a couple of years, if that has worked, or if that just created yet another, you know group of people that need to be out in front on cyber.
Sasha O’Connell
Sure. Drew sees it optimistically as a tipping point toward fantastic collaboration and Megan is a little more skeptical. I was shocked!
So I think we all agree though, in terms of structure, in addition to roll, it's a lot. There are a lot of players on the playing field, very, very senior people in government all now have very senior roles and ensuring that coordination both for the government side and Megan, to your point so that folks who interact with government can keep tabs and coordinate as needed is super important going forward.
Okay. So we have all these departments and agencies on the playing field here with all of these responsibilities we've talked about. You know, we could go, and I know I sit with two lawyers who are very familiar with actual authorities that exist. So we're going to try and keep it a little bit high level here. Keep it in buckets. We've already talked a little bit about investigation. We've talked a little bit about regulation. Megan, you mentioned contracting also as a super important kind of tool or lever the federal government can use. What do you guys think here? There's also funding and how that gets used. There's also prosecution sort of that other piece that comes after investigation and in some instances. What do you guys think here are the most important levers and tools or anything else I'm forgetting from my list?
Megan Brown
I mean, one thing that I felt was not on the list that should be, is that partnership model that I alluded to and the information sharing and one thing that kind of bewilders me about how we've gotten to where we are is you know, nine years ago, Congress passed the Cybersecurity Information Sharing Act of 2015 and I don't know that that got enough focus, or attention, or love, and now here we are in a very much different kind of let's move to mandates and standards and things like that, but that partnership model of information sharing, I think, is a really important piece. The government has a monopoly on both the offensive use of force, like Drew mentioned. They also have a whole bunch of information that they can and should be sharing with the private sector and that's an old saw that people have complained about for a long time, but it remains true and they put out a lot of information post Ukraine invasion, but was it really actionable? Are they really putting out into the private sector the kind of things that cyber defenders can meaningfully use? I think that's an important piece of the puzzle in addition to all of the other things that you mentioned, that we can certainly do a dive on.
Sasha O’Connell
Absolutely; information sharing, definitely old challenge, in terms of operationalizing, but I think your point's well taken. As important as ever today for sure.
Drew, what else? What are we forgetting or funding or prosecution or what's your thought on this?
Drew Bagley
I think we see a lot of frustrations with prosecutions because we're dealing with multi-jurisdictional global e-crime or nation state actors and that's something that you know, from a victim perspective, really is a game of whack-a-mole in terms of attempting to do in indictments and whatnot, but nonetheless, they still send a message, send a signal. I still think that's important but I think that ultimately what's really important for the Executive Branch is to constantly ask how do we raise the cost for adversaries so that it's more difficult, slower, and we disrupt their ability to act at scale in doing these types of attacks and that's something where to Megan's point on these public private partnerships, I think the most important part of that is for the government to use the authorities where it has its monopoly and focus on that and focus on its convening power where it can do something unique rather than attempt to recreate what already exists in the private sector in terms of threat intelligence information and all these other things that weren't as robust, frankly, over a decade ago. But where there's things that are already that, robust, I think , what's really important is, the government has a unique ability to raise the cost for the adversary and that needs to be the focus.
Sasha O’Connell
Can you talk in that vein, something I talk to students a lot about too, when they talk about investigations and then prosecutions if the adversary is not in the United States, what tools do the United States have? And we talked a little bit about the power of name and shame. What does that mean? Can you guys talk a little bit about that or explain how that might be used as a tool? Again, it needs to be closely coordinated across the functions of the federal agencies, but what is that all about as a tool?
Megan Brown
I mean, I think name and shame does make a difference and I'm a fan of the prosecutions and indictments in absentia where, you know, these bad guys are scattered across the world. They're in places where we may realistically never, ever be able to get ahold of them, but I still think there's an important norm and you know, I feel like five years ago we talked a lot about international norms in cyberspace, and that seems to have faded away a bit. And yeah, you're never going to get certain countries to agree with our norms but it's still very, I think, notable when you have like the lock bit take downs and some of these big international collaborative efforts.
Drew Bagley
Avalanche.
Megan Brown
Yeah. Like, and it sends a message and yeah, it might be frustrating because maybe you're just maybe preventing some of these people from traveling internationally for, you know, a few years, but it's important to keep saying that these are crimes because I think it's important to respect like who the actual victims are in the United States and reminding people that these are bad people doing things to U.S. citizens and businesses and that's an important thing for the Department of Justice to keep doing.
Sasha O’Connell
Perfect.
Drew Bagley
There's also a muscle memory created by doing that sort of coordination and as much as the tempo can be increased, that's important for really saying, okay, if you're going to set up infrastructure and commit cyber crime, well then you can't expect your infrastructure to be resilient and there is going to be a cost and your infrastructure is going to get burned and the more of these we do in coordination with allies and the more often we do them, then that actually can lead to disruption; I think that's important.
Sasha O’Connell
Absolutely. Okay. So we've talked about that sort of the name and shame as one example of the Executive Branch in action. Let's just maybe go around real quick and add some other examples of what this can look like. I'll start, we haven't talked a ton about education. I mean, Megan, you mentioned information sharing and its sort of the next phase of information sharing, right, is actual education. You mentioned the role of CISA. I'll call out specifically both, two campaigns, one, the Shield Up campaign; probably most folks are familiar with. They did a tremendous job kind of amplifying that information around the invasion of Ukraine in terms of, you know, the need for folks to focus on resiliency, both at the organizational level and at the small business level, it was really focused on organizations, the Shield Up campaign, and again, sharing information but also in a way that takes that additional step to really help folks understand and, and sort of goes into the world of teaching and education. CISA also has, and has recently reupped to their Secure Our World education campaign and that's for individuals, so families and individuals. And it's focused around things like update, you know, your software, complex passwords, do backup of your data and avoid phishing. Four things that are really, they have a very large campaign focused around and we have found, I did some research last summer that actually there are lots of dot govs that have done training materials that fit in those four buckets. So the government's really invested a lot there in terms of education and it's something you can really point to as a work product of the Executive Branch.
What do you guys think? So we talked about sort of name and shame campaigns and the impact they can have, education.
Megan, what do you think? Is there, you know, what would you point to as kind of the government and action on this regard?
Megan Brown
I think I've got kind of to, to draw some contrasts. One is, the massive new rulemaking at the Department of Homeland Security, really within CISA for those who are picky about that. To implement the Cyber Incident Reporting for Critical Infrastructure Act. That is a huge new piece of regulation. It is being developed right now. It is going to affect, I think millions of U.S. businesses; CISA says maybe just 300,000, but we’ll see. That to me is an example if someone's looking for a case study on like, hey, here's cyber regulation. That's that, right? By contrast I wanted to point out to go back to the convening function that you and Drew had talked about at the Federal Communications Commission. They make good use of advisory committees, which we didn't really talk about, but there's a whole bunch of them across the federal government that enable the private sector to work with the federal government in non-regulatory ways. One that I wanted to highlight that we've done a fair bit of work and it's fairly influential in cyber in the comm sector is the Communication, Security, Reliability and Interoperability Council, lovingly referred to as CSRIC. You know, this is weedy, weedy, stock…
Drew Bagley
Sounds like a medication.
Megan Brown
Brought to you by GlaxoSmithKline.
Drew Bagley
Side effects may include…
Megan Brown
I'm going to keep this PG.
The CSRIC puts out, they get chartered by the chairwoman of the FCC and she's added DHS to it and they bring together industry folks to look at problems and put out reports that identify solutions and best practices. That to me is on the opposite end of the spectrum from the CISA rulemaking on incident reporting, and just to me, jump out, as good examples for anyone new to these policy areas to kind of look at different models.
Sasha O’Connell
Awesome. What do you think Drew?
Drew Bagley
I think it sounds like a medication.
Sasha O’Connell
Beyond that, any examples of the Executive Branch in action you want to highlight?
Drew Bagley
When I think about the example of the Shields Up campaign, I think what was successful about that is it was very tailored and focused and even focused toward specific types of data centers and whatnot. So that I think it did a better job of avoiding say, what we were doing 20 years ago with terror alerts, where they were so generalized and so far reaching that you really had alert fatigue and so I think that nonetheless, if we, you know, do these sorts of alerts all the time you'll get alert fatigue but I think that the government can play a great role in educating about specific threats when they actually get very specific about this and are using for example, in the case of CISA, using the communication channels they already have with the sectors they are already working with to convey this information. I think that's something really important in terms of the very broad initiatives, like Secure Our World. I think things like that can be effective if they're universal, they're concise and then they're you know, they're repeated for a long period of time. There was now, I'm going to call the campaign effective and now I might butcher what the campaign was, but I think it was the Stop, Think and Click…
Megan Brown
Stop, Think, Connect.
Drew Bagley
Stop, Think, Connect. Sorry. Stop, Think, Connect. Click, I'm dating myself. Click on things. Stop, Think, Connect Campaign that APWG, and the government had a partnership on and I think that was very effective too. Where now you at least have folks being skeptical, even though folks still fall for phishing all the time but there's this notion that you're at least thinking about whether or not something's legitimate. I think those things are important. I think that's something that the government can do in a unique way or do in a unique way with partnerships. Because of that, you know, having the megaphone, I think that is important.
Sasha O’Connell
Absolutely. Okay. So our category five is recent trends. I think we've already talked quite a bit about the growth roles across agencies. Again, when I left government in early 2017 there was no ONCD. There was no ambassador for cyber at State Department and CISA definitely didn't have both the authorities and the funding they do today. Just as a couple examples. Also this kind of approach of cyber for all, that every department and agency has at a minimum, the responsibility for their own data and securing it and thinking about things that way, I think is pretty new. Drew mentioned offense, really kind of, we obviously were talking about this back at the FBI back in the day, but there's a much broader conversation about this today, both offence and defense. You mentioned workforce, what's old is new again. My partner, Diana Burley at the White House, I mean not the White House, at AU, that too has been working on these issues with the White House and others for many, many years but it's sort of always and forever at the forefront as a persistent and evergreen issue.
Megan, you mentioned regulation in that dramatic increase recently and the need then because of this broad new roles and growth, new departments and agencies that need for harmonization or deconfliction, I think the piece in terms of recent trends, unless I'm missing something, that we haven't talked about is kind of public engagement, and it kind of leads us to our last category of stakeholder engagement too. I can say from my experience again, leaving government in early 2017, and this is sometimes pretty typical of the FBI too, but tend to be pretty internally focused, not super focused on external engagement with stakeholders. That did change under Director Comi, Director Mueller, had a vision for an office of private sector coordination and Director Comi put that into play. So OPS, as it is today at the FBI, is an actual headquarters office that is specifically focused on that stakeholder engagement particularly with the private sector. So that is something I've seen just exponentially grow. I also just speaking of RSA, Megan, you mentioned CISA's presence there, the FBI's presence, their state department's presence there. Again, compared to my time in government, the willingness of leaders across government, particularly in cyber, to engage at conferences, to be a long form podcast talking about their roles and responsibilities, it really has changed exponentially. I think because of that acknowledgement that it's everybody's job, cyber, and if the government sort of stays in their space that kind of partnership, Megan, you were talking about won't happen.
How do you guys see that? Any other new trends I forgot? Anything that I didn't list that we should mention?
Drew Bagley
Well, I think what we were talking about at the top of the discussion where we do have this new infrastructure in place, like ONCD for example and we have every agency or seventeen agencies with some sort of cyber role; something that has been important for a very long time, but it is increasingly important is the need to harmonize obligations for would be victims, for those with the responsibility to protect data, and to deconflict across government and there's that opportunity with an office set up to focus on coordination to at least lay the blueprint for that and I think that's really important because right now you kind of have two different trends. You have regulatory traditions and authorities that date back in some cases at least a century, coupled with newer laws and requirements that are meant to meet the challenges of today with regard to cybersecurity and cyber incidents and data breach reporting but what that creates is really this Venn diagram of obligations for victims, would be victims, and those responsible for protecting data, that is not always easy to follow but also arguably means that when there is an incident resources are not necessarily devoted exclusively to stopping the bleeding and dealing with the incident but instead to…
Sasha O’Connell
Sorting out obligations.
Drew Bagley
Yeah, sorting out the regulatory matters after the fact and it's not always clear that even if there are reasons why different agencies have certain cyber authorities; it's not always clear as to why there needs to be all these different reporting apparatuses and whatnot. I know that's something that on the backend there's, because of the Cyber Incident Reporting Council recommendations that CIRSIA, perhaps will help ameliorate a little bit but it still doesn't solve it. We're still not waving a magic wand and harmonizing regulation, but I think that's something really important and something, again, unique for the Executive Branch to perhaps come up with a blueprint for and then even though there's an enormous role for Congress to play with whatever the solution would be.
Sasha O’Connell
And then our last category of kind of stakeholder engagement; where do you see all that? Drew, do you want to start?
Drew Bagley
Sure. I think all of those trends of folks who previously wouldn't be speaking about their roles and wouldn't be out there are really positive because it also in addition to you know, knowing where to go, it demystifies things because I think often in any realm of public policy, not just cybersecurity, you sometimes you think the worst, if you don't have anybody out there and you can't personify what the role, what the function is and actually what it does. The other thing is too, though, it kind of helps I think demonstrate the real limitations of government in many realms because otherwise, especially if you're a victim, you think that perhaps in that moment that the government's going to be able to solve all your problems and make you whole again and all that and that's not the case either and then it helps, I think, with figuring out where do we need resources. So I think that's very positive. To your point we've had certain roles that have always been engaged with the private sector, but this notion of just about every agency having some sort of stakeholder engagements, definitely a development that's accelerated in the past decade. I think now it's a matter of then prioritizing and coordinating around the things that again, where government has a unique authority has not trying to replicate what already exists and then where the government is actually using its unique position to convene even competitors together to do something in a coordinated fashion is important but I think that you know, what's still difficult is if you're the victim of a cyber crime, they're just as not, there just aren't enough resources to go around in terms of helping you and so that goes back to a lot of the other initiatives that government's pushing like secure by design.
So those best suited to secure things should be and then a lot of the best practices that the government's embracing for cybersecurity, trying to get the private sector to replicate that for those responsible for data. Realizing they have a responsibility to protect that data. I think that's really important too. So, yeah, as the optimist on the podcast, positive development and the final thing I'll just say on that is I think we need to, my eyes glaze over when I, you know, today's conferences when I just hear, oh, if only we did information sharing, the rest would take care of itself like as if that's the goal and like, that's just a means, but there has to be a goal attached to it. We have to be talking about what information and what's actionable and, all of that, because you know, there's software platforms that are sharing information in real time doing things. Information sharing's not the issue, it's information being shared for a space for collaboration on some specific action. That’s what’s important.
Megan Brown
That lets me grab the apparent role of pessimist since you called dibs on optimist. I guess I’ll be pessimist.
Drew Bagley
I was designated optimist to be clear, by the host.
Megan Brown
So some of that public engagement is very helpful. It is very important. I go back to the partnerships that I think sometimes were being taken for granted or overlooked, frankly. Some of the operational work that has been going on for a very long time that I think is being undervalued at the moment but a lot of what we're seeing now, this pivot to mandates and standards and regulation, there's another aspect of stakeholder engagement and that is how does government obtain good information on which to base policy and I see some real gaps and I see some real reliance on we're going to have some workshop calls where the government reads some stuff to the private sector, listens and then goes away and one thing that just jumps to mind is this question that's right now before CISA on their rulemaking on incident reporting, they've taken a lot of flack for how they've structured it, but also whether or not they're going to accept meetings and ex parte communications as we nerdy lawyers will call it, and it appears their position is no and if they're about to regulate the entire U.S. economy, they need to have a way to get good information, to do good cost benefit analysis and figure out, to your point Drew, but if what they're doing is for a real good purpose, or if it's just information collection for its own sake. So, that's my pessimist two cents.
Sasha O’Connell
I know you're not all pessimists. So can you tell us like, are there role making comment period processes that you do think are examples that CISA should be adopting?
Megan Brown
Yeah, I mean I think there's lots of agencies who do rulemakings and they may not get to the results that I like but, or that clients like, but you know, there's a bunch of them across the government and you can just pick the alphabet soup and they can look for examples to like the Federal Communications Commission. Now we'd have a whole philosophical discussion about regulatory capture and whether this is the right approach to cyber, but yeah, there are places they could look that allow for good policymaking and good input.
Sasha O’Connell
Unstructured rulemaking.
All right, well lots on the table, but I think for today, we're going to leave it at that. We hope everyone visits us at the Start Here website. As always, the link will be in the show notes to see additional resources. We've got those maps that I talked about earlier on, that bubble chart and then the GAO report visual will be there and we hope you join us next time, where we will do our next round on Congress, which I'm excited about because I'm ready to learn more you guys. It is complicated! Alright, Drew, Megan. Thanks so much for joining me and we'll see everyone next time.