Fortifying Cyber Infrastructure
Tarah Wheeler, senior fellow for global cyber policy at CFR, discusses the bipartisan Infrastructure Investment and Jobs Act (IIJA) and ways to improve state and local government cybersecurity and critical infrastructure systems.
FASKIANOS: Thank you. Welcome to the Council on Foreign Relations State and Local Officials webinar. I’m Irina Faskianos, vice president for the National Program and Outreach here at CFR.
We are delighted to have participants from forty-six states and territories for today’s discussion on “Fortifying Cyber Infrastructure.” Thank you for taking the time to join us.
Today’s discussion is on the record. CFR is an independent and nonpartisan membership organization, think tank, publisher, and educational institution focusing on U.S. foreign policy. CFR is also the publisher of Foreign Affairs magazine. And, as always, CFR takes no institutional positions on matters of policy. Through our State and Local Officials Initiative, CFR serves as a resource on international issues affecting the priorities and agendas of state and local governments by providing analysis on a wide range of policy topics.
I’m pleased to be joined today by Tarah Wheeler. Her bio we shared with you in advance, but I will—I will give you a few highlights. Tarah Wheeler is senior fellow for global cyber policy at CFR, and CEO of the information security consultancy Red Queen Dynamics. She’s also had positions as a contributing cybersecurity editor at Brookings Institution, cyber project fellow at Harvard’s Belfer Center for Science and International Affairs, and very much more. She was also a U.S.-U.K. Fulbright scholar in cybersecurity, and she is the author of the bestselling book Women In Tech: Take Your Career to The Next Level With Practical Advice And Inspiring Stories. And I commend that to all of you.
But today’s discussion is on cyber infrastructure. Tarah, thank you very much for being with us. Perhaps you can talk about there were some provisions in the bipartisan Infrastructure Investment and Jobs Act for strengthening cybersecurity and cyber resilience at the state and local level. It would be great if you could talk a little bit about that, and what officials should be thinking about when they get those funds, how to use them, how to think about cyber policy at the sub-national level, and how important it is in all of these communities across the country.
WHEELER: Thank you so much, Irina. It’s just a real pleasure to be here today. As always, the Council on Foreign Relations is doing an incredible job making sure this information gets to the people who need it. And it’s a joy to be here with you all today. Thank you so much for the work that you do in our state and local governments keeping us safe. I am honored and humbled, and I hope I’ll be able to provide some context today and some of the fun esoterica—(laughs)—of the infrastructure act that we’re taking a look at today.
I think the top thing that really crosses my mind as I first read it is, first of all, this is a bill sponsored by Rep. DeFazio, from my home state of Oregon. So good things always come from my beautiful home state. And I’m glad to see that this is certainly one of them. I’m glad to see that the Biden administration is focusing on improving our safety and cybersecurity infrastructure.
So if you are running a state and local government—if you’re running, essentially, a non-federal government, as I think most of you already know, there are—there’s a grant program that’s coming out from this bill that was approved and passed a month ago. And there’s about a billion dollars that’s available over the next four years for you to apply for, to try to upgrade your cybersecurity posture, your stance. So the question is, do we all go shopping for purses, or do we figure out how to get some of this money allocated in a fashion that lets us really start to drive towards the challenges of local governments in cybersecurity.
There’s really a lot of—a lot of questions people have been asking me about over this one. And maybe the number one thing is, should we be thinking about this on, like, a population level? Larger populations should receive a greater priority? Or should we be thinking about this sliced differently, kind of orthogonally, at a sectoral level? For instance, dividing it up amongst health care, power facilities, water facilities. Is there—is there a difference in that grant set and, for instance, tribal grants for cybersecurity and infrastructure? And it certainly does look like we’ve managed to separate this out into a really smart package of grantmaking not only bodies, but slicing it in multiple different, important ways.
So if I were you, the first thing I would do is ask myself: Who’s giving me advice about how to spend this money? Because filling out grant applications is a time-consuming process, as I think basically everybody on this call already knows. It takes a lot of energy and effort to set this up, right? So are you applying for the right thing? The very first question I’m going to ask you is this: Have you asked the people inside your organization—whether it’s a municipality, a county government, a state government—have you meaningfully asked everybody in your organization the question: Is your work and home email password different?
If you know the answer to that question and you’re sitting on this call right now and you say to yourself: Yes, we’ve addressed the question of password sharing, of multiple account takeover, of business email compromise. We’ve fundamentally addressed that question, then we have a different conversation to have. I’m not actually sure if we’re able to do something along the lines of a poll in this Zoom or not, but I would sure love to see some feedback on this from you folks. It’s OK if we can’t, but think to yourself about this question. If you can meaningfully have visibility into whether or not your users have strong, unique passwords for every different account stored in a password manager or not, that’s the break point.
If you’re not there yet, that’s where you need to get to. That’s the very first step, ensuring that you’ve got users using strong, independent passwords. That’s your first defense against not only business email compromise, but the growing threat of ransomware. It’s still growing. It’s still getting—the ransomware threats are still doubling every year, year over year, with really no end to that in sight unless we make some very serious changes. One of the key ways that ransomware hits systems is shared passwords.
Now, if you’ve gotten to the point where you have meaningfully addressed the question of whether or not your users are using unique passwords stored in a password manager, your next step right after that one is multifactor authentication. Do you have your users using app-based multifactor authentication to have a multiple factor to log into accounts for state and local governments, for all the systems that you’re—that you’re administering? If you do, then what are you doing on this call? It’s happy hour time for you. Get out of here. You’re doing great, comparatively speaking.
No, in all seriousness, those are really the two break points I see: Do you have visibility into passwords? Do you have visibility into multifactor authentication? After that, you can start going to topic-based areas in cybersecurity that are based on your threat model. So that’s really the question I’m going to have for you, and I want you to be thinking in those terms. At what level do you find yourself in that sort of hierarchy of cyber—the Maslow’s cyber hierarchy of needs on this one right here? And based on that, we can start with questions about how sort of we slice this budget and this grant up in ways that are most meaningful to you? Does that help us as kind of a starting point, Irina?
FASKIANOS: It does indeed. So can you talk a little bit about, you know, state and local governments most notably have been the target of ransomware attacks in recent years. So the risks—what are the risks on not doing this? You know, on not having appropriate cybersecurity protection measures in place?
WHEELER: So a couple weeks ago one of the most devastating data breaches, I think, honestly, in history, happened in Australia. In Australia, a couple of weeks ago Medibank was—experienced a massive data breach. And 9.7 million patient records—now, remember, Australia’s got a population of about thirty million people. We’re talking a third of the population. And when we talk about a population-level event, this is one of the most devastating I’ve ever seen.
This is the full and complete medical records of essentially every single person in the entire Australian health care system. These records went to things like reproductive health, mental health treatment, substance abuse issues. And the data breach was—the full analysis will come out, but it looks to be a question of inappropriate protections over things like passwords—over unique passwords and over multifactor authentication. When we talk about why this matters, about why we’re trying to prevent ransomware, about why we’re trying to prevent business email compromise, ultimately what we’re talking about is either preventing the theft of or the denial of the use of the kind of data that you use to run your organizations. If you do not have these measures in place, you are looking at the loss of records in your organization in the case of ransomware, or the theft of records, in the case of a data breach.
Those two things are very different. Which should you be most concerned about as someone running an organization that likely retains a lot of official data over the people in your—in your area of jurisdiction. Doesn’t matter if it’s a city, if it’s a county, if it’s a tribal government, if it’s a state. If you are somebody who’s running an organization that stores this kind of data, ransomware is intended to deny you the access to the systems that you’re running. Data breaches are intended to steal and then profit off of the use of that data, whether that is literally blackmailing people whose data you now possess, or in the case of ransomware the promise to unlock that data and make it of use again to the organization in exchange for a payment.
Typically, in bitcoin, although monero is growing in popularity. It’s a pretty solid choice. Zcash is another really good one to use for anonymity. And if you don’t understand the things that I’m talking about right now, how you pay, stuff like that, I think there’s call to dive a little deeper into the machinery and the economics of how you pay ransoms and pay blackmail for data breaches. But really in this case, the two major things you can do are get to a point of visibility on where you stand in terms of your user data and your—there’s a difference between user data meaning the cliental you serve and your internal users in your organization.
Your internal users in your organization need to have that strong, independent password with multifactor authentication in place. But at the point in which you’ve done that, your next question is: How many computers do you have? I’m genuinely—think for yourself. Think about the answer to this question. Do you know how many computers you have, how many endpoints are on your corporate, your organizational, your business, your government network? If you don’t know the answer to that question, that’s the next question after that one.
The question of asset inventory is no longer a question that solely belongs to the IT function in your organizations. It’s a major question when it comes to cybersecurity to provide some kind of visibility into whether or not you’ve got rogue devices on your network. The question I think, Irina, I’m going to try to repeat back again a little bit here, like, what is the impact of these kinds of attacks? It’s either to make money or to cause embarrassment, and then to make money. Ultimately, this is—this is about you being farmed, if you are an easy target, for quick cash payments. And it’s being done by people who really, genuinely, don’t care about the people you serve.
I do care about the people you serve. I happen to be one of them, for probably a chain of people trailing on up through a couple of states in this country. And I want to see you, believe me, as safe as possible, because that’s my data. It’s everybody’s data in this country. So, yeah, that’s our—that’s our next step. And I’m interested in the technical side of sort of the steps that you’re at, but there are really good and interesting questions about industry-specific and sector-specific protections that can be put into place as well too. So does that help a little on that question?
FASKIANOS: It does. And would you say that you would need—that people should invest in a person within the organization, coupled with an outside firm, that would help us—you know, rather than trying to build it from scratch? Somebody—a consultancy, or that kind of thing? Like, how do you—what is—how do you scale this, or make this tangible, and implement this at the state and local level?
WHEELER: How do you implement this at the state and local level? So, first of all, it’s a great question, because it’s both complex and a simple one. If you’re—if you’re somebody like me—I want to be cautious here, because this is what I do, also. I’m a—one of the reasons I’m having this conversation with you folks here at Council on Foreign Relations and became a senior fellow here is that this isn’t just what I write about, it’s what I do on an everyday basis.
So my company provides this kind of service. I mean, to set that aside for a second—and I’m just going to try to make sure we’ve covered all of the grounds. It is highly unlikely that if you were an organization that has fewer than 500 people in your organization, that you will be able to bring in house even half of the cybersecurity expertise you need in order to keep yourselves safe. It’s expensive to hire cyber—qualified cybersecurity professionals. There’s a reason why there’s a third—why third-party and service providers are there. And that’s because, it has been my experience, that an FTE, a full-time employee, in cybersecurity, as differentiated from just the IT function, doesn’t get hired till about employee number 150 in almost any organization.
Now, that’s different in extremely high-tech organizations, but most of who I serve have haystacks, not tech stacks. So it’s unlikely you’re going to be able to bring a lot of the expertise in house. One of the things I’ve loved, I’m going to bring a lesson across the pond for you. One of the things I’d love to see, the NCSC, which is the—essentially the equivalent of CISA in the United Kingdom—CISA’s the Cybersecurity and Infrastructure Security Agency here in the United States. One of the things I’d love to see the NCSC do is they certify third parties for incident response and cybersecurity provisioning at consulting. Which it doesn’t mean they recommend them. It just means they’ve passed a series of bars that says this organization is worthy of trust. You can go to them, and we know that they’ve handled incident response issues before.
So I would love to start seeing something like that in the United States. I believe that moves are being made in that direction. I’ve heard of the possibility of that happening, of getting a little bit more of a sort of cyber civil defense force a little bit, if I can borrow, you know, kind of Craig Newmark’s phrase that he’s been talking about for a while. But just the idea that there are trusted third parties you can go to who have at least been rated and evaluated to give you—to give you a hand. So, yes, the service providers are out there. There is a wide range of skills and capabilities out there in third parties. If you ask smart people on the internet, they’ll give you good people to go to.
And I want to be—I want to just be very cautious in how I phrase it, I’ve seen a lot of very good and very bad service providers. So when you go and evaluate them, make sure and have somebody who is also a trusted IT or cybersecurity provider, who’s not going to be that person, do an evaluation of who you want to engage with. They should have several things that you should find when you look at them. They should have a bunch of people who are qualified, and those qualifications can take a lot of different—a lot of different sort of—they can be manifested in a lot of different ways. I don’t mean college degrees. I mean people who demonstrate through their care, willingness to educate the public, that they are people who can and should be trusted with critical infrastructure.
People who have the respect of the industry are a good fit. There’s a lot of wonderful cybersecurity third-party providers out there. And I want to be cautious not to just sort of also name all of my friends on this one too, but if you look for the helpers, like Fred Rogers says, you’re going to do—you’re going to do just fine when you find somebody locally. Now, I can also provide a recommendation if you get stuck and you don’t know what else to do. You can find four people. Look for your local college. And whatever respected college is a hundred miles away from you or less. Look for, you know, a research one university. Look for whatever state or tech university is near you.
I went, by the way, to Portland State University. Go to Portland State University. That was where my master’s degree was. Go talk to the chair of the computer science department. Ask the chair of your computer science department to help you evaluate someone. Go look for your local ISC, or ISACA, or ISSA chapters. Those are information security professional associations. And ask someone from one of those chapters, perhaps the chapter president, to help you find a third-party provider.
You can also go look for somebody in government. The CIO and CTO of most states have a pretty good feel for who in-state third-party providers are. And they often maintain an ad hoc list of who those people are, and who those trusted providers are. And finally, take a look and find out inside your organization, if you did a brief poll, if anybody knows people in information security and information technology, where they would go to ask for something like this. Those are four sources of good information you can go to, to ask for trusted providers as we wait for some kind of certification process for cybersecurity third-party providers for you.
Does that help a bit?
FASKIANOS: It does. So I’m going to ask one more question before opening up to the group. And, please, we’d love to hear not only questions, comments, and you can share what you’re doing in your community as well. So this is a really good time. We’ve found that people share across municipalities and it’s been very helpful.
So at the top, you mentioned what kind of grant are you writing. So if you know the answers, you know, the passwords and all of that, great. But the second part is, if you do know that, then what is the other thing that you should be looking at? How to focus on cybersecurity at a—you know, at the different issues and sectors. So can you talk a little bit about that second part of what you mentioned?
WHEELER: The hardest part of this is not just doing it as a one-off. It’s not just kind of once a year or once every two years in a cycle writing essentially a book-length report on how you find yourself doing, your stats, your sort of point-in-time perspective on how your cybersecurity is doing. Your hardest job at that point is to maintain continuous compliance integration. That continuous process of repeatedly fixing small things and nudging your security posture upward, that’s the next step.
For that, even if you can’t hire somebody internally, or you can’t get the, eh, quarter-million dollars it’s going to take to hire a good, qualified person at a state and local level to come from private industry and run that program for you, you can take a tenth of that amount and start to get in the habit of asking a few questions every week or two that let you check on your cybersecurity posture and just do one or two things at a time. Keep that continuous process in mind and find somebody who’s willing to be your security champion internally.
If you’re a thirty-person organization, find somebody that you can give a small pay bump to and give them the checklist that lets them figure out what’s going on in an ongoing basis and make that part of a quarterly report to you. Just start to decrease the amount of time that you go between those checkups to find out how you’re doing. And if there is absolutely nothing else that you can figure out how to do, and you have no money to do any part of this, you get denied for every grant, just do one thing for me. Turn on automatic updates on every machine, everybody’s phone.
Most of you folks, if you’ve been issued a government phone—it could be an Android, it could be an iPhone. Turn on automatic updating on your phone, and the next thing you do right after that is turn on automatic updating on your Windows or Mac machines. You’re probably on Windows machines, I’m going to guess, many of you. Turn on Windows Defender, and don’t ignore the prompts if it tells you to do something. Yes, I know it takes forever to do the update cycle. That’s the thing that’s going to keep you the safest, automatic updates. If you can’t do anything else, do that. Keep your patches up to date.
FASKIANOS: Great. Thank you. I am going to open it up to the group, and then we can continue talking. But I really don’t want to—I would like to get to the questions. And you can—we would love to hear from you. And do not be shy. And if there are no questions, I will—that means that you’ve been—you’ve been so thorough. (Laughs.) So if you want to ask a question, you can click on the raised hand icon, and accept the unmute prompt when I call on you. And you can also write a question or comment in the Q&A box. And if you do that, please include your affiliation there so we know what state and where you’re coming from. It just really does help give everybody context.
OK, so the first question, raised hand, is from Gail Patterson-Gladney. And please unmute yourself and tell us who you are.
Q: Yes. Hello. I’m Van Buren County commissioner. I served for six years and just recently got reelected. And before I served as county commissioner, I worked for the city of South Haven.
And I was told in a conference in the Michigan Municipal League that we should not use our personal cellphones for our emails. In the county, it seems to be different. We can go ahead and open our phones and use our emails. Which is the safest way to use our personal phone?
WHEELER: That is such a great question. Thank you so much. And congratulations on getting reelected, Gail. Nice work. (Laughs.)
So this is the—this is the way I would proceed on that one. It’s a hard question, because I understand the lack of budgets that can lead to you not being issued a phone to conduct work business on. And if you’ve been expected to use your phone, your personal phones, to get your work email, one of the most important things you can do is, like I said, make sure that your passwords on your work and home email are different. And I want to make sure that I’m very clear on that one.
The password I’m talking about isn’t the one to get into your phone. It’s that you’ll set up two different email accounts on your phone. Don’t forward your work emails to your home email address. And open only those home emails on your phone. Does that make sense? I want to make sure that I’m clear. And if I’m saying something you know, I’m so sorry. I just want to make sure I’m clear on this. Does that make sense, first?
Q: You said don’t forward your county emails to your personal accounts, like Gmail or Yahoo accounts? Like, personal ones?
WHEELER: Yeah. Make sure—yeah, don’t forward your work emails to your personal address. So, for instance, like, my email address might be [email protected]. And when I view my [email protected] emails, even if I’m looking at them on my personal device, I’m not inside Council on Foreign Relations forwarding those emails to [email protected], and then only opening up the Gmail app, and reading my [email protected](.com), and seeing the forwarded emails from my work email. Don’t do that. Does that make sense?
WHEELER: OK. The thing that you do is you go into settings, whether you got an Android phone or an iPhone. You’ll go into settings—let me see if I can just find this real quick. So there’s going to be—there’s going to be a setting in here. It’ll be called general—or it’ll be called—you’ll see where there’s probably something in here called “mail.” So, yeah, inside your iPhone there’s going to be—or in Android—there’ll be a setting called “mail.” And what you need to do is you need to go to this thing right here—see if I can just cover this up a little bit—you’ll see “accounts” in here, OK? Make sure you got two different accounts in there. One’s your work and one’s your home.
So you want to make sure that when you’re logging into your work emails, that you’re seeing your work emails as a separate account than your personal emails. I hope that makes sense. And, you know, we can also put a blog out there to help people understand that a little bit better. But the thing that we’re trying to do is make sure that you don’t mix all of those emails up together in one big data pool that’s on your personal email, so that if someone breaks into your personal email, they can see all your government business. Does that make sense?
Q: Yes, except for I thought because I have two different email—let’s say I have my government Gmail and then I have my personal Gmail. I thought that separated them enough when I bring up Gmail.
WHEELER: So, OK, it depends on how you have your phone set up. But the thing that we want to make sure is happening is that you have two different accounts set up on your phone, as opposed to you forwarding all of your work emails to your personal email address. And if that’s not clear, I want to make sure we got enough time to answer everybody’s questions, but, Gail, also if you want to I’ll help walk you through that. Yeah, and what we’re trying to do here is make sure that if you lost access to either one of those accounts, it wouldn’t mean that you lost access to the other. So that’s what’s really important.
Now, ideally—in an ideal world, you’re being issued a work phone that you just have work stuff on. Let’s be realistic. Most people aren’t busy getting a $1,000 iPhone for their jobs, right? So that’s the ideal, right? And we’re not sitting in Silicon Valley here. So you’re probably being expected to answer work emails on your personal device. And just making sure that when you have your work emails that you don’t have a setting in your work web or email client that’s forwarding those emails to your personal email address. And we can go into that a little bit more later, but your IT person can probably make sure that you have two different accounts set up on your phone. If you have two different accounts, and you’re viewing them separately, you’re as good as you’re going to be in this situation.
Q: OK. Thank you very much. I’ll check with my IT person on that too.
FASKIANOS: OK, I’m going to take the next question from Danielle Schonbaum, who’s the finance administrator of Shelby County in Tennessee. And Danielle had a raised hand, put it back down, and put it in the chat. But I would love—we’d love to hear from you directly. So if you want to accept the unmute prompt, that would be great.
Q: Sure. Hi. Danielle Schonbaum, Shelby County government.
I was just curious about any thoughts you had on cyber insurance. GFOA magazine had a pretty extensive article in the last month or so about some of the pitfalls of cyber insurance and, you know, what it really covers. So just—
WHEELER: Well, do you want my thoughts, or do you want my opinions? Because my opinions are funnier, but we should probably start with the thoughts. OK, so the first thought I have here is that cyber insurance is incredibly important. And here’s the reason why: Cyber insurance is really the first sort of attempt that the finance and international regulatory community has really made effectively to price the risk associated with doing cybersecurity poorly, or inappropriately.
After the creation of fire insurance, home fire insurance, the number of house fires in this country dropped massively because fire insurance companies figured out very quickly that they could incentivize with their pricing homeowners taking certain steps. Like, making sure that their stoves were located away from the house, or fully tiled, or moving to—away from open flames and open gas flames, to contained sources of light and heat. Moving to baseboard heating away from radiators, that kind of thing.
So the insurance company figured out what that risk would look like for a homeowner. And they managed to make it expensive to make choices that were more likely to get you burnt down, and cheaper if you made choices that were less likely to get you burnt down. Cyber insurance is the very beginning of that process right now. If you make choices, like having automatic patching turned on, or using multifactor authentication, or certainly in the case of Gail where you have different devices where you separated out work and home email for people who are employees, those choices mean that cyber insurance programs are going to price safer choices cheaper.
So there’s a lot of different providers out there, and it’s still kind of a wild west situation with it. But that’s really important, that they’re doing that. And beginning to stick an actual number on the value of making certain kinds of choices in cybersecurity is the real value of the cyber insurance industry. Are they good at it yet? Some people are better than others at it. I’ve walked clients of mine through the cyber insurance application process before. And the checklists are still really, really—they’re very basic still.
They’re still asking questions like, “What kind of encryption do you use?” That’s not a meaningful question for a thirty-person accounting firm, right? Because you’re using Office 365, or you’re using Google Apps, or whatever you’re using. And the answer is, I mean, I guess we use some? There’s a green padlock when I look at my computer, right? That’s the answer to that question. And it’s not that the people who are answering these questions are dumb. It’s that they have a different skill set than those of us who are answering these more specialized questions in cybersecurity.
And sometimes the people who design these questionnaires in cyber insurance are sort of copying the patterns they used from homeowners’ insurance, and rental insurance, and auto insurance, without realizing this is a really different world. There’s no independence of risk in cyber insurance. And what I mean by that is, if your house burns down that doesn’t mean your neighbor’s house burns down, even if they have the exact same house and the exact same floorplan, right? In cyber insurance, two different clients who have the same, essentially, floorplan, the same network, the same updates, the same vulnerabilities, if one of them gets hacked the other’s probably going to get hacked as well too.
Which means that a cyber insurance company has to figure out how to price risk not only for a single entity, but across an entire spectrum of an industry that likely all has the same version of the same kind of software all the way through it. So that’s the problem we’re tackling. And people who are evaluating businesses and organizations for cyber insurance, are still not really good at understanding independence of risk. A good example is, like, hurricane or flood insurance. If you get flooded, your neighbor gets flooded. There’s no independence of risk in that. If you experience a hurricane, so does your neighbor. House fire’s different. So’s flooding based on plumbing issues in a single-family dwelling, right?
I think you can understand kind of the concept we’re going for. So cyber insurance is serving a valuable function. They’re starting to get to the price of real risk. But they’re not good yet at calculating independent risk for individual applicants. I hope that’s useful information for you.
FASKIANOS: Great. Thank you.
I’m going to go next to Isabelle LaSalle. I don’t know if you want to ask your question that you’ve written, Isabelle. I’ll give you a few seconds to unmute if you’d like. Otherwise, I will read it. And, yeah, and tell us who you are. Tell us who you are.
Q: Hi. My name is Isabelle LaSalle. I’m a legislative assistant with the California State Assembly.
I was just wondering if you had suggestions for steps that state legislatures can take to improve cybersecurity at the statewide and at the local government level.
WHEELER: The CCPA of 2018 did more to make cybersecurity a thing on people’s minds than almost anything else. If you were there getting that being kicked through, thank you for your service. So the California Consumer Privacy Act of 2018 means that people now have to pay attention to what’s happening with data on California citizens, California businesses, anybody doing business in the state of California, data passing through California. It’s basically GDPR for California.
But genuinely, seriously, for those folks who are looking to find a way to spur action in their organizations, realize that if you’re storing information using a California company on a California citizen, doing business, storing anything in California—and, let’s be honest, much of the tech industry is located in California. Which means you should probably just do this right now. That’s the question that’s going to get you action because it needs to be public facing and it needs to be true. If you say that someone can send us a request and within sixty days we’ll respond, and within ninety days we will guarantee your data deletion, you better be sure that you are deleting that data.
That gets you into what really matters, which is your data security and retention policy. So what can legislative assistants, what can—what can legislatures do across this country, what can anybody do in this particular case? Ask people if they understand whether or not data is getting deleted when you think it is. That is not a trivial question. It’s a technical, interesting question that backs up into heavy-duty applied physics and engineering in my field, in computer science. It does come down to sort of, like, what’s a practical definition of deletion? And there’s a couple of good working practical definitions out there, which is beyond the scope of this conversation. But there’s good definitions of data deleted, we’re pretty sure we’re good going forward from this point out.
FASKIANOS: What other—can you cite other examples of states or municipalities that are doing cyber well, that you would—you would, you know, cite for other states and governments—local governments to look at?
WHEELER: Two things. Colorado’s also passing a data privacy law. And some time back New York passed new regulations at DFS that meant that they were—they’re really closely looking at how data is stored, protected, and deleted. If you know what’s happening with your data, you’ve gone past the question of sort of user passwords, of multifactor authentication, of asset inventory, and you’re into the real, serious question. Which is, what are we doing with all this information we’re collecting?
There’s—I mean, there’s not many state and local governments doing this really, really, really well. And nobody’s perfect on this one. California’s law in 2018 is a very useful one. And the truth is, that it makes a great deal of sense wherever you are in the United States to just abide by that, because it’s by far the most stringent one. So just start there, and you’re good pretty much every place else. It’s going to be important to see those laws passed, but the truth is we need to see a federal law. And if the—and if the federal government passed, honestly, a version of that CCPA 2018, we’d be in pretty good shape.
Basically, all companies right now are squeezed between GDPR and the CCPA. And if you abide by both of those things, you’re doing pretty OK. Just because you’re a nonprofit or state and local government doesn’t mean you shouldn’t be doing those things. It just means you probably have a little bit more exception, wiggle room. Don’t take the exception. Try to do it right, if you can. And the answer is it’s hard to get this stuff through. There’s a lot of lobbyists that don’t want to be told what their companies can be doing with your data, right?
FASKIANOS: And how likely is it that such legislation will be passed at the federal level? Is that—is that in Congress now? I mean, is—and is there bipartisan support to things that you can tell—you can talk about that?
WHEELER: So there’s, in general, always a version of that privacy act sort of running around and trying to get—trying to get through. I couldn’t speak to the current state of what that looks like. And that’s mostly because, it’s my understanding—I’m not a congressional specialist in any way, shape, or form. But it’s my understanding that now with a split Senate and House, there’s less possibility of bipartisan legislation being passed in terms of privacy bill. But I will leave that up to the congressional scholars to address. The answer is, yes. Almost all the time there is a pretty good—a pretty good version of the bill, and a pretty terrible version of that bill, always sort of getting duked out in subcommittees.
FASKIANOS: What would you say officials should be doing to raise awareness with their constituents of the importance of strong cybersecurity protocols?
WHEELER: I’m not sure how much constituents need to have their awareness raised. This is—it’s sort like—it’s sort of like saying you need to raise the awareness of constituents about pollution, right? Like, we know. We pick up our own trash. But, like, what do you expect us to do about a river by ourselves, right? So I’m not sure how much the individual constituent can do about a river. If they have also the same strong different passwords and multifactor authentication, and they know how many computers are connecting to their home network, they’re already kind of doing what they’re supposed to be doing. At this point, it’s on you to start protecting them.
So that’s a responsibility we’ve sort of taken up at this point. It’s a hard one, but awareness in this case, the thing I would say to not do is throw scare numbers at people. We already know what data breaches look like. Honestly, a lot of data breaches are—people get notified of them again and again, and it’s creating fatigue in them. Maybe instead of raising awareness, we need to be able to raise the sophistication of the conversation, especially at the state and local government, to raise confidence—not necessarily awareness, but confidence—in constituents that people are at the helm who know what they’re doing in cybersecurity. So set an example more than raise awareness, is a good way to put it. It’s a hard—it’s a hard task. But if you can do that, you’re doing the right thing.
FASKIANOS: And you have written that some of the money from the package will go toward establishing new Office of the National Cyber Director. So if you were advising that office, how would you suggest that they interact with state and local officials? And how would you want state and local officials to be engaging with that new office? And what’s the timeline for that office to be created, by the way?
WHEELER: Well, the Office of the Cyber Director, if I’m correct, if we’re talking about Chris Inglis and the OCD is Office of the National Cyber Director, I’ve seen that $21 million allocation in there. They’ve done a wonderful job getting set up to have conversations about capacity building. State, local, tribal governments are all receiving some attention as we start to pay attention to grassroots-level building of cyber capacity. How would I advise them? I wouldn’t presume to. There’s some very smart people who are doing that work—Kemba Walden, Rob Knake, Chris Inglis, Camille Stewart Gloster. These are incredible and smart people who are doing this work. I think Camille is focused on workplace and cybersecurity capacity building.
And how would we engage? I think they’re getting ready to start—sort of state taking more intake from the public, but they’re also beginning outreach programs. They’re just getting set up, right? This is—this funding, I think, was only approved as of a month ago. So I will look forward to see how they’ll develop a portal out for you. And I would imagine it’s going to be some way of taking information in and disseminating it as well. So the answer is, I think they’ve got to figure out where the light switches are first.
FASKIANOS: And I will just note that Rob Knake used to be a fellow here at CFR. We were sad to lose him, but he—our loss and the government’s gain, for sure.
FASKIANOS: I want to give people—yeah, absolutely. (Laughs.) I want to give people a last chance to ask questions. I have one more while we’re waiting for something to queue up. Do you think that the—that enough money has been appropriated to tackle this problem? I mean, is it a realistic amount? Or is it just a drop in the bucket? And you did mention—you said, how are we doing it? Allocating it by population, or needs, or whatever. I mean, what is the best path forward to sort of get these funds allocated in a strategic manner?
WHEELER: Mmm hmm. I’d say that’s a great question. Before I start in on that, I want to just tell the folks in the room right at the moment, whatever your IT questions are—I loved Gail’s question earlier about how do I—how do I, you know, answer these questions on my personal device. If you have—like, I’m the IT person for a bunch of folks, right? Like, not just mom and dad. So if you have questions and you want to just take a minute and ask those questions now, can I just promise you right now there is no such thing as a dumb question.
The only question here that’s problematic is one that you don’t ask when you could have asked now and gotten a quick answer from somebody. Please ask your questions. It doesn’t matter how—literally, where is the setting on my watch for this? Where do I click on my computer to fix the thing? Ask me. This is what I do for a living, so I am more than willing to help. And there is no dumb questions on any of this. You could also—do absolutely feel free to contact me. I think Irina’s going to have information up. I’m more than happy to just answer questions for you, if you want to. It’s completely fine. This is—this is fun for me.
So but the question about whether or not—Irina’s, it’s, like, such a great question. Like, is this enough money? Is it too little? Is it too much? It’s like asking if the EPA has been allocated enough money to fight pollution. The answer is that it’s always going to be both enough—it’s always going to be too little or too much. And the reason why is, either it needs to be optimized someplace else, or it—the amount of money is enough to get started on something, but not follow all the way through with it. So the complexity of government budgeting—what do I know? I’m just a hacker. I couldn’t put together a government budget for you.
But I can tell you, the complexities of that are beyond me personally. I would say that a billion dollars for the kinds of grants that need to be allocated at the state and local level, that’s enough money to fix three of your problems each, right? You could fix a couple, two, three, problems at that level. You can get $25,000, half—you know, a quarter-million dollars. You can get enough money to fix, like, -ish a few problems. It’s not enough to fix all of it.
And I hope at least part of what comes out of this is not that you are fixing these problems by yourself. What I hope comes out of this grant process is a continuing collaboration with, what’s most important of all, networking with other people who are experiencing the same problems so that you can get an economy of scale in fixing these problems. So that you can collaborate on solutions. So that you’re building capacity not just technically but in your human capital, so that you learn these things and can share them with everybody around you.
If this is implemented in that fashion, each one of you solving a few of these problems and sharing that information amongst every one of the people that you’re put in touch with, that does start to become a meaningful solution to the problem. And for that, there’s enough money to do that. There’s not enough money for all of you to fix all of your problems on your own without talking to anybody.
You’re muted, Irina.
FASKIANOS: Oh, your comment elicited a few questions. So from Patrick Whalen (sp). Patrick, do you want to unmute yourself? Or I can ask it myself?
Q: Hello. Yes, thank you. My question, as I typed it out, may be a little confusing. But you mentioned not using scare tactics and statistics and numbers in discussing these subjects with constituents. And I wonder if you’d recommend a similar or different approach internally within offices? You know, I kind of get eye rolls when people see what my passwords are and just, you know, a mash of numbers, letters, and symbols, and that I change them trimonthly or bimonthly, you know. It’s kind of seen as alien. And so bringing up this subject internally—strategies, suggestions you have for that. Thank you. Very informative talk.
WHEELER: Absolutely. Thank you so much. I appreciate it, Patrick.
So, first of all, what I’m going to recommend is the guidance on changing your password quarterly has been updated at NIST. That’s the National Institute for Standards and Technology. The guidance at NIST has been updated to you don’t need to change your password quarterly. What you need is a super solid, strong, long password, paired with multifactor authentication. Changing passwords continuously is how you get passwords like summer22!, autumn22!, winter22!. Like, that’s how you get those passwords, and why that password process is really commonly associated with a lot of breaches. And it’s because very few people will change their passwords and store them in a password manager if they’ve got to change them that quickly. Or they won’t maintain them well.
The guidance is to get people onto password managers at this point. There’s a lot of great password managers. LastPass. I personally use 1Password, because I can have a family vault that I share with family members, with my spouse. We can share, like, some financial passwords that are required. And they’re stored along with the ability to get to those devices that give us multifactor authentication, whether that’s a security key or an app-based authenticator.
So how do you—how do you get to a place where you’ve advocated for this? Well, first of all, don’t advocate for the password changes. Advocate for password managers, not password changes. How do you get the attention of people internally? We are all in situations where everything’s burning down all the time. Those of you who are dealing with local governments that have municipal hospitals have nothing but problems all day long. And I see you and I feel for you and I sympathize for you. You’ve got devices inside local critical infrastructure that haven’t been patched in twenty years. And they are wildly vulnerable to all kinds of different attacks that—I mean, honestly, that’s the kind of stuff that we teach at the kiddie village at my information security conferences at this point. That’s how we get the kids started on hacking.
So this—you’ve got—you’ve got a target-rich environment that you’re trying to protect, and nobody’s really helping you. Until now. I think genuinely there’s been a real sea-change over the last five years. And when you see the work that’s coming out of the National Cyber Director, coming out of CISA. If you need help with your administration to get attention on these issues, go to some of the latest guidance from CISA. It’s getting better over time. They’re doing a great job getting some of these advisories out. They’re still at too high a technical level to be of a great deal of use to your leadership, but hopefully you can translate it a little bit more for them. And if you can’t do that, find somebody who can, and get you to the level of, like, a football analogy or a cooking analogy, and that will help at least a little bit.
You’re in—you’re in a tough spot. And there’s not a lot of money to solve these problems. If you can’t do anything else, get your executives to take a look at the most vulnerable members of the constituency that you serve, and ask yourself: If the most vulnerable members of your constituency are served by devices that are also the least updated and the least cared-for in your constituency. If the poorest people in our communities are being served by the most outdated machines at the local library, and the kind of terrible run-down sphygmomanometer, and, you know, the blood pressure thingy, those devices are the least cared for and the most out of date. You can at least tell your leadership that there needs to be an investment in the people in your community that need that help the most.
That can be the way that you get a little bit more buy-in, and it gives them that kind of air cover that they need. And then go get $25,000, go get $100,000, go get a million dollars to update the devices and the technologies that serve the people in your community that need it most and will likely understand it least. Chances are fairly decent, it’s some of your executives as well.
FASKIANOS: (Laughs.) Excellent. Let’s see, there’s a new question from Stephen Courtney (sp): How do you feel about using biometrics or physical security tokens for access?
WHEELER: Biometrics or physical security tokens for access. So there’s a thing that we talk about when we talk about authentication. There’s a thing that you know, a thing that you do, a thing that you are. A thing that you know, a thing that you do, and a thing that you are, are three different elements of authentication. A thing that you know could be a password. A thing that you are could be biometrics. And a thing that you do can be a process of a second factor, for instance, like a token for authentication.
If you have a thing that you know, a thing that you are, and a thing that you do, and a thing that you are is involved with biometrics, it’s a thing that can’t change. So you want to be very cautious about using biometrics, because it’s a thing that is intended to be unique to a person, but once the information is leaked and can be duplicated, it can never be changed. You can’t go back from losing somebody’s retina scans and DNA. You can’t go back from losing somebody’s thumbprints as image files, if you’ve been storing them. Be incredibly cautious about that.
Now, there’s a lot of very good, technical implementations of multifactor authentication that involve app-based authentication, they involve a physical token or security device. Like—hang on for a second here—this little guy right here is my YubiKey. I use this to authenticate myself—I know, it’s kind of teeny, right? You can barely see the little guy.
FASKIANOS: How do you keep track of that? Oh my goodness, I would lose that! (Laughs.)
WHEELER: It just stays plugged in. It just stays plugged into my machine all the time.
FASKIANOS: Oh, OK, good.
WHEELER: So there’s a lot of—there’s a lot of options. And, yeah, you can have those—you can have devices like this that can be permanently there. And what that device means is that if somebody asks me for my physical authentication, if I kind of touch that little thing and the string of letters matches what my app is expecting, they know I’m at my laptop. That’s my laptop key. Or, they at least know that I possess this, if I go plug it into a different laptop. Somebody who doesn’t physically have this key on them can’t get into stuff like my financial accounts. So are there problems with it? Sure. But is this a pretty good choice? I mean, this is what I have my parents do. So it should tell you something about what your options are. Don’t use retina scans, and fingerprints, and DNA. Just don’t use them. But use physical tokens as an option.
FASKIANOS: Now I’m worried because now global entry is with a fingerprint. And CLEAR is with an eye scan. (Laughs.) So are you saying not to use those? Are those safe?
WHEELER: I use CLEAR, yeah. I’m saying that—I’m saying that we have absolutely no choice about those. Don’t implement them if you can possibly help it. I don’t like it. But let’s be honest, the airport is an incredible coercive environment. There’s no—for all intents and purposes, you cannot not consent to anything anyone tells you to do in an airport, or you can, I don’t know, be locked in a tiny cell. Who the hell knows at this point, right? So be cautious about that and implementing stuff like that. Because once that genie is out, it’s out.
And yeah, you pretty much need to use facial recognition to get in and out of this country at this point at any checkpoint. Can you opt out of it at gates walking onto an airplane to London? I’ve opted out before because I’m stubborn as hell and I want to see what happens. And the answer is—the answer I get from gate agents, they’re like, I mean, it’s fine. We just took your picture anyway. And they’ll wave me on. No passport. I’ll be like, but I opted out of facial recognition. And they’re like, I mean, what do you want me to do, look at your passport? I know who you are, Ms. Wheeler. So the answer is it’s already there. Don’t be the person who does it again badly and loses it.
FASKIANOS: Got it. So if somebody, you know, I have two practical questions. If you—you know, we all know now clicking on links is a terrible thing and it can unleash some very bad things. If somebody within your agency clicks on a link, what should—what should be the next step? And then the second part is, if you have a ransomware attack or you are being ransomed, where should local officials go? What should be the first call that they make if they’re getting—if they have that situation happen?
WHEELER: These are such great questions. There are two—there are two complicated questions. So I’m going to—the first question is what do you do, and the second is who do you call, I think. So the first question—clicking on links isn’t terrible. That’s the internet. You literally—that is the internet, Irina. Like, clicking on links is a good thing. It’s wonderful. If someone you don’t know sends you a link in an email from an external—by the way, one of the best things you can do is turn on that little external email notice. If you have your local IT person, have them turn on the notice that says: This message is from an external source.
If you don’t know what I’m talking about, go find out and fix that thing. That is absolutely a thing you can fix, and it’s a big defense against clicking on links that you’re like, oh, I feel like I know a John Smith from where the hell over in the next office. You know, I’ll check out what he’s sending right here. Somebody sends you a link that’s like final quarter, you know, executive salaries.xls, do not click on that. That’s never the salaries. It’s never the salaries. So if you click on something, do let your IT people know as soon as possible.
But here’s the thing, there’s a lot of stuff in the media that shows sort of somebody clicking on a link and then somebody in a hoodie in the background—you know, that’s me, by the way. I’m the one in the hoodie—you know, typing away frantically, trying to break into your computer as you tapped on the thing. And if you just close the link quick enough like, oh, dang, I can step back and you see, like, somebody slams the lid of their laptop shut. Oh, we defeated the hackers. Thanks. That’s not how any of this works. (Laughs.)
The second that you click on the link, the payload has been delivered. It’s done. It’s over. There’s no—there’s, no, oh, I should just close this popup really quick, and everything’s fine. It was only open for a couple of seconds. It’s probably fine. No. The payload has either been delivered or it has failed, and it happened the second that you clicked on the link. Or that the mail client that you were in evaluated the link to try to preload it for you clicking on it. So don’t worry about that second thing that I just said, just trust me on this one. If you click on a link, it’s over. It’s done. There’s no—there’s no kind of a little bit there. There’s no quick just shut it down. The second that the link gets clicked, the payload has delivered or it has failed. Doesn’t matter what you do at that moment. You do need to go talk to your IT person right away.
If there’s one thing that you can do it is isolate your computer or your device immediately from the network. Turn on airplane mode. Don’t shut the computer down. Turn on airplane mode and remove it from the internet as fast as you can. That is different. That’s about the amount of data that can be transferred off of your computer. Not whether or not the compromise happened, but about how much they can get from you. It’s, like, the bank has been broken into. That state has already been achieved. How much money can they get out, right? So this is what you’re doing. You can’t stop—they’ve already broken in, but you can slam the vault door shut.
You must speak to somebody as fast as you can and get your computer cut off from the internet. That’s going to vary a little bit from person to person and from organization to organization. But please go ask your IT people what to do in the event, and how to turn on airplane mode or get your computer unhooked from the internet. If you’re not sure what to do, there’s a little Wi-Fi symbol probably at the top or at the bottom of your screen right now. If you click on that, you’re going to be able to see something probably called Wi-Fi settings. Click on that, and you’ll be able to—I’m trying to make sure that I don’t actually go offline right now—but there should be something in there that says airplane mode. Do that, and then if you also have a—it’ll look like a network cable, right? A little ethernet cable. Yank that right away. Then go talk to somebody. Not using your computer but go talk to somebody and find someone who can help you with that. That’s the first thing you do.
The second thing is who are you going to call when this happens, if you’re an organization and you’ve experienced a massive attack? There’s a lot of—there’s several different answers to this question. The FBI has field offices that you can report this to. Be aware that the FBI is a law enforcement organization. Their job is not to protect you or keep you safe. Their job is to solve the crime of how this happened. And so they may be more focused on who the offenders are, how this happened, do you have evidence? And they tend to be pursuing this from the perspective of someone who’s trying to figure out if this is in their jurisdiction and if they can figure out who to go after.
I would highly encourage you to report immediately to CISA, which is the organization—it’s not a law enforcement organization. This is the Cybersecurity and Infrastructure Security Agency. They also have field offices. They can’t necessarily dispatch incident response to you right away, but they can provide guidance about what you can do next, provide references, referrals, and technical guidance for people who can help you get yourselves set back up again. It depends on what you need to do and how quickly you have recovered from this, and if you’ve recovered from it.
So the answer is, basically, FBI field office or CISA. It depends if you are a regulated organization. Maybe you’re health care and you need to report to HHS. That’s also very possible. They’re a regulatory body, so they can both help you and possibly penalize you. There’s a lot of weird incentives in our government. We’re working on it. So whoever you talk to, just be aware there’s a spectrum between can advise but can’t prosecute or regulate all the way over to can go after the criminals or can regulate you depending upon what the nature of the breach was and what the level of responsibility you have for it was.
It’s a complicated question. It’s getting a little easier. And there’s starting to be a bit more of a cyber 9-1-1 at .gov. And I would highly recommend, of course, if any of you are not on the .gov system, that will give you a bunch of resources as well. If you are a state or a local government and your website is not on .gov as opposed to .com, .co, .org, whatever, go get on the .gov system. You’ll get a bunch of resources that will help you out with that, and where to go.
FASKIANOS: Great. Thank you so much, Tarah. This was fantastic. And to all of you for taking part. Again, if you have questions, you have Tarah here who’s willing to answer them. She’s a fantastic resource. We’re so happy that she’s joined CFR. And obviously she’s still very much running her own company. We will send out a link to this webinar and the transcript. You can follow Tarah Wheeler’s work on CFR.org, on Twitter at @tarah. Very easy to remember. And as always, we encourage you to visit CFR.org, ForeignAffairs.com, and ThinkGlobalHealth.org for more expertise and analysis. You can also email us, [email protected], to let us know how CFR can support the important work you are doing. So wishing you all happy holidays. We will reconvene in the new year. So enjoy the holidays and happy new year in advance.
Thank you again, Tarah.
WHEELER: Thank you so much. It was absolutely wonderful. Thanks so much, Irina. It was a real pleasure.