WEBVTT - The State of Cybersecurity 0:00:02.480 --> 0:00:05.480 Get in touch with technology with tech Stuff from how 0:00:05.559 --> 0:00:14.880 Stuff Looks Coming. Hey there everyone, and welcome to Tech Stuff. 0:00:14.920 --> 0:00:20.160 My name is Jonathan Strickland, and here is Lauren Vogelbaum. Yep, 0:00:20.320 --> 0:00:23.280 that's that's that's my co host. Everybody. Today, we're going 0:00:23.320 --> 0:00:26.840 to talk a little bit about security. It's an important thing, 0:00:27.040 --> 0:00:30.800 cyber security specifically. Yeah, you've got to secure your cybers, 0:00:30.960 --> 0:00:33.880 all your cybers, all your cybers are belonging to you 0:00:34.000 --> 0:00:37.400 and should continue to do so. Um. Yeah, we're we're 0:00:37.400 --> 0:00:41.280 talking about cybersecurity because because President of Wilma did, yes 0:00:41.320 --> 0:00:44.480 he did. The President of the United States of America 0:00:45.000 --> 0:00:47.880 had his State of the Union address, which is when 0:00:47.920 --> 0:00:50.000 the president, if you are not from the United States, 0:00:50.040 --> 0:00:55.000 were perhaps just our politically, uh, completely separate from anything 0:00:55.040 --> 0:00:57.560 that goes on, a little bit lost and confused perhaps, 0:00:57.640 --> 0:01:00.000 or maybe maybe you haven't been to the internet. Maybe 0:01:00.040 --> 0:01:03.440 you live as a hermit often the distance and you 0:01:03.560 --> 0:01:06.640 only get human contact through podcasts, in which case, hey, 0:01:06.640 --> 0:01:10.160 thanks for choosing ours. But yeah, every every year the 0:01:10.440 --> 0:01:15.200 president has this this forum where he begins to to 0:01:15.360 --> 0:01:20.160 address how the country is doing and what his administration 0:01:20.280 --> 0:01:23.160 or her administration. Should we ever get a female president. 0:01:23.480 --> 0:01:27.839 I'm sure it's someday, someday, any any year now, but anyway, 0:01:27.959 --> 0:01:31.600 that is when the president will lay out plans for 0:01:31.760 --> 0:01:34.520 what is going what the government will focus on in 0:01:34.560 --> 0:01:37.760 the following year, assuming the rest of the government plays ball, 0:01:38.000 --> 0:01:41.959 because again the United States government, it's not just the president, sure, 0:01:42.160 --> 0:01:44.479 but but it's kind of saying what's important. Yeah, yeah, 0:01:44.520 --> 0:01:47.680 And I personally kind of side note. I feel like 0:01:47.720 --> 0:01:52.200 this has become less critical to politics now, in this 0:01:52.200 --> 0:01:55.000 this our information age, than it was, for example, fifty 0:01:55.040 --> 0:01:57.520 or sixty years ago, when people didn't really have direct 0:01:57.560 --> 0:02:00.760 and continual access to everything bloody going on in the 0:02:00.760 --> 0:02:02.920 government all the time. Yeah, that's that's a good point 0:02:03.000 --> 0:02:05.960 because earlier you would hear the president essentially during the 0:02:06.000 --> 0:02:10.240 State of the Union address and after any major event 0:02:10.440 --> 0:02:13.720 like a catastrophe or not even not not necessarily something bad, 0:02:13.760 --> 0:02:15.520 but usually it had to be something big, and then 0:02:15.520 --> 0:02:18.280 the president would end up addressing the nation about it. 0:02:18.919 --> 0:02:21.200 But in this case, we now live in a world 0:02:21.280 --> 0:02:24.560 where we get this information on a fairly continuous basis. 0:02:24.560 --> 0:02:26.760 I mean, you could follow the president on Twitter and 0:02:26.800 --> 0:02:30.560 get information or just the twenty four hour news coverage 0:02:30.720 --> 0:02:33.359 of what's going on the government's out there too. Anyways. 0:02:33.400 --> 0:02:35.600 State the Union kind of traditionally seen as a big 0:02:35.639 --> 0:02:39.760 important event here in the US. So during the State 0:02:39.800 --> 0:02:43.000 of the Union, one of the many points the President 0:02:43.240 --> 0:02:47.440 addressed was cybersecurity. Now that was not the the the 0:02:47.600 --> 0:02:49.600 entire focus of the speech. In fact, it only took 0:02:49.639 --> 0:02:51.800 up a small section about a minute and a half. 0:02:51.840 --> 0:02:53.639 I think. Yeah. In fact I can I can read 0:02:53.639 --> 0:02:57.200 out verbatim what he said because the text is available 0:02:57.360 --> 0:03:00.760 on the on the Internet of all things. So here's 0:03:00.760 --> 0:03:05.200 what President Obama had to say about cyber security. America 0:03:05.360 --> 0:03:08.680 must also face the rapidly growing threat from cyber attacks. 0:03:08.720 --> 0:03:12.239 We know hackers steal people's identities and infiltrate private email. 0:03:12.520 --> 0:03:15.600 We know foreign countries and companies swipe our corporate secrets. 0:03:15.960 --> 0:03:18.880 Now our enemies are also seeking the ability to sabotage 0:03:18.880 --> 0:03:21.960 our power grid, our financial institutions, and our air traffic 0:03:21.960 --> 0:03:25.080 control systems. We cannot look back years from now and 0:03:25.120 --> 0:03:27.640 wonder why we did nothing in the face of real 0:03:27.680 --> 0:03:30.960 threats to our security and our economy. That's why earlier 0:03:31.000 --> 0:03:33.560 today I signed a new executive order that will strengthen 0:03:33.560 --> 0:03:37.240 our cyber defenses by increasing information sharing and developing standards 0:03:37.280 --> 0:03:40.440 to protect our national security, our jobs, and our privacy. 0:03:40.720 --> 0:03:43.400 Now Congress must act as well by passing legislation to 0:03:43.400 --> 0:03:46.400 give our government a greater capacity secure our networks ended 0:03:46.440 --> 0:03:50.440 to our attacks. So really, this of course just served 0:03:50.520 --> 0:03:53.200 to alert the nation to yes, we are aware of 0:03:53.200 --> 0:03:55.560 the problem, and yes we are going to do something 0:03:55.680 --> 0:03:59.280 to respond to this problem. But of course the speech 0:03:59.360 --> 0:04:02.160 was not the right venue to go into detail about 0:04:02.360 --> 0:04:04.200 what that was going to be, right right, These these 0:04:04.280 --> 0:04:06.560 kinds of speeches aren't really used for extreme detail of 0:04:06.600 --> 0:04:10.840 any kind. It's it's more more hey stuff, Yeah, hey, problem, 0:04:10.920 --> 0:04:13.680 we're gonna fix it. How are we going to fix it? 0:04:14.400 --> 0:04:18.120 Look over here at the Chewbacca. Um. Yeah, And this 0:04:18.200 --> 0:04:21.360 is regardless of who is in power. It's just that's 0:04:21.400 --> 0:04:23.360 the way, that's the way it works. Yeah, we We are, 0:04:23.400 --> 0:04:25.320 by the way, trying very hard in this episode to 0:04:25.480 --> 0:04:28.400 to not let any of our personal politics enter into 0:04:28.480 --> 0:04:31.280 this discussion. Sure, so this is this is actually us 0:04:31.320 --> 0:04:33.520 being being as fair as we possibly can be. And 0:04:33.560 --> 0:04:35.080 if we wind up making a little bit of fun 0:04:35.120 --> 0:04:38.880 of any given administration, it's not Yeah, it's not politically motivated. 0:04:39.120 --> 0:04:41.560 Now in this case, it's motivated by our knowledge of 0:04:41.600 --> 0:04:45.240 how technology works, how policy works, and how those two 0:04:45.800 --> 0:04:50.279 things don't necessarily mesh very well. Uh. And that that's 0:04:50.279 --> 0:04:55.040 regardless of what your political stances, whether you're conservative or liberal, 0:04:55.160 --> 0:04:58.520 no matter what it's it's just the technology is kind 0:04:58.520 --> 0:05:02.200 of a political uh, just as a tool. Now you 0:05:02.240 --> 0:05:05.120 can use it for political means. But anyway, getting into this, 0:05:05.200 --> 0:05:07.520 we we really wanted to talk more about the Executive 0:05:07.600 --> 0:05:11.799 Order itself because that's where the approach that that Obama 0:05:11.880 --> 0:05:14.080 wants the government to take. That's where that's where it 0:05:14.120 --> 0:05:16.560 comes from, right right, And UM, I I read I 0:05:16.600 --> 0:05:18.960 read a great write up that Michael Daniel, who is 0:05:19.040 --> 0:05:22.400 Obama's cybersecurity coordinator, wrote up about it, UM and he 0:05:22.440 --> 0:05:24.960 was just saying that that basically the Executive Order breaks 0:05:24.960 --> 0:05:28.720 down into three parts and that's um basically just uh, 0:05:28.920 --> 0:05:32.159 it covers information sharing first off, which means that it 0:05:32.520 --> 0:05:36.640 really wants the different segments of the government to work 0:05:36.800 --> 0:05:39.760 with all of these private companies that run run our 0:05:39.800 --> 0:05:44.800 technology infrastructure and our power infrastructure, UM to share information 0:05:44.839 --> 0:05:50.240 about any any cyber threats that are going on. And UM, yeah, 0:05:50.240 --> 0:05:53.800 that's the first big section because obviously the issue here 0:05:53.880 --> 0:05:56.960 is that sometimes the government gets information, but depending upon 0:05:57.000 --> 0:05:59.479 the classification of that information, they may not be able 0:05:59.520 --> 0:06:03.200 to share it very on a very wide distribution. And 0:06:03.360 --> 0:06:07.120 beyond that, sometimes when you get information in the government, 0:06:07.160 --> 0:06:10.720 it's really hard for the information to escape the government. 0:06:10.960 --> 0:06:12.640 So in other words, this is supposed to lay the 0:06:12.640 --> 0:06:16.480 groundwork to allow the government to share information with entities 0:06:16.839 --> 0:06:20.240 that are critical to our infrastructure, and also going the 0:06:20.279 --> 0:06:26.560 other way, giving giving those entities, uh basic incentive, thank 0:06:26.560 --> 0:06:29.440 you so much, incentive to also share any information that 0:06:29.480 --> 0:06:31.880 they have about some cyber texts, any cyber attacks that 0:06:31.960 --> 0:06:33.880 might be occurring back to the government so that the 0:06:33.880 --> 0:06:37.080 government can do more to help out right, And we'll 0:06:37.120 --> 0:06:39.760 we'll dive into more about how that's a challenge in 0:06:39.800 --> 0:06:42.719 a little bit because as it turns out, you know, 0:06:42.800 --> 0:06:50.000 it sounds, yeah, totally everybody like like we just got attacked, 0:06:50.000 --> 0:06:52.080 we should let the government know. But I'll get into 0:06:52.120 --> 0:06:57.080 why a lot of companies don't really necessarily see that 0:06:57.200 --> 0:06:59.760 as the best option, right right, All right, So that's 0:06:59.800 --> 0:07:04.880 part one. Part to UM kind of outlines a flexible 0:07:05.160 --> 0:07:09.520 risk based package of core practices based on existing standards 0:07:09.520 --> 0:07:14.040 of cybersecurity. Yeah, so this is looking at there there 0:07:14.080 --> 0:07:18.440 are several organizations already that are working toward the best 0:07:18.440 --> 0:07:21.960 practices for cybersecurity, and so this is kind of trying 0:07:22.000 --> 0:07:24.080 to to say, let's take a look at all of 0:07:24.120 --> 0:07:27.400 this stuff and and pick and choose the best out 0:07:27.400 --> 0:07:29.840 of all of it and use that as the framework 0:07:29.880 --> 0:07:33.120 for what everyone should do. That's also possibly going to 0:07:33.160 --> 0:07:36.000 be a bottleneck, but I'll get to that when we 0:07:36.080 --> 0:07:39.360 get a little further into this. Yes. Yes, the third 0:07:39.480 --> 0:07:44.160 The third part then deals with privacy protections, because when 0:07:44.240 --> 0:07:47.160 you're dealing with these companies that have a lot of 0:07:47.200 --> 0:07:50.880 private citizens data or even their own private corporate data 0:07:51.240 --> 0:07:53.280 or you know, or or on the other end from 0:07:53.280 --> 0:07:56.520 the government, the government doesn't doesn't want anything sensitive to 0:07:56.600 --> 0:07:59.880 end up being revealed that they don't want to give out. Right. Yeah, 0:08:00.440 --> 0:08:04.320 you know, companies have proprietary information for example, So let's 0:08:04.320 --> 0:08:08.360 say that a cyber attack focuses on something that involves 0:08:08.400 --> 0:08:12.520 proprietary information, information that is necessary for that company to 0:08:12.600 --> 0:08:15.880 keep secret. It's a trade secret. It's something that allows 0:08:15.960 --> 0:08:18.480 them to do business the way they do it and 0:08:18.520 --> 0:08:21.080 make money and make money. Yeah. So for example, just 0:08:21.120 --> 0:08:23.080 this is a random example that I just thought up 0:08:23.160 --> 0:08:26.880 right now, but the Google algorithm. Okay, because Google algorithm, 0:08:26.960 --> 0:08:30.880 that's essentially the the the recipe that tells Google how 0:08:30.960 --> 0:08:34.840 to rank search results on any given query. Well, that's 0:08:34.840 --> 0:08:37.800 a that's pretty useful information to have, especially if you're 0:08:37.800 --> 0:08:42.240 building websites. But let's say that cyber they the Google 0:08:42.280 --> 0:08:45.040 suffered a cyber attack and part of the information that 0:08:45.160 --> 0:08:48.040 was compromised was this Google algorithm, which is kind of 0:08:48.080 --> 0:08:51.720 like their their secret sauce. You know, it's it's not 0:08:51.960 --> 0:08:57.000 not published, right, is the mathematical Horsey sauce. Yes, it is, Yes, 0:08:57.040 --> 0:08:59.360 it's it's part of their eleven Herbs and spices, and 0:08:59.679 --> 0:09:03.000 so they don't want the information getting out. And if 0:09:03.000 --> 0:09:05.600 they were to report the information to the government, it's 0:09:05.600 --> 0:09:10.160 possible that part of the distribution of information to everybody else, 0:09:10.320 --> 0:09:12.520 you know, saying like, well, Google was attacked, so these 0:09:12.559 --> 0:09:14.600 other companies need to be aware of this as well. 0:09:15.240 --> 0:09:18.440 The worry is that the algorithm itself would become part 0:09:18.440 --> 0:09:21.960 of that information distribution and then Google loses its advantage 0:09:21.960 --> 0:09:25.080 in the marketplace. That's that's just a simple example, and 0:09:25.120 --> 0:09:27.560 it may even be unrealistic in the sense of what 0:09:27.559 --> 0:09:31.040 we're talking about here, but it's just to kind of illustrate, uh, 0:09:31.200 --> 0:09:34.000 why the government needs to take this into account when 0:09:34.200 --> 0:09:37.520 formulating policy. Yeah, and and so those are the basic 0:09:37.559 --> 0:09:40.480 three parts and uh, and the administration is really big 0:09:40.559 --> 0:09:42.880 on on saying that you know that that they want 0:09:42.920 --> 0:09:45.840 to work really hard with with companies and with the 0:09:45.920 --> 0:09:48.720 different government organizations to make all of this as sensical 0:09:48.960 --> 0:09:54.040 and um, not like work, more like sharing and hugging. Yeah, 0:09:54.280 --> 0:09:56.800 there needs to be sharing and hugging well while standing 0:09:56.920 --> 0:09:59.720 shoulder to shoulder to keep the cyber attackers at bay. 0:10:00.320 --> 0:10:02.080 And you know, and so they say that they worked 0:10:02.080 --> 0:10:06.840 with with over two companies directly and and fifteen million 0:10:06.840 --> 0:10:09.720 employees and all kinds of crazy numbers like that, trying 0:10:09.720 --> 0:10:13.439 to trying to work to get this information together. And 0:10:13.440 --> 0:10:15.560 and to be fair, we should also point out that 0:10:15.640 --> 0:10:18.360 these are it's a directive, but again it does not 0:10:19.200 --> 0:10:22.720 lay out step by step how this is going to happen. 0:10:22.800 --> 0:10:27.599 It's more like saying to specific departments within the government, Hey, 0:10:27.640 --> 0:10:30.240 this is what I want. Here's the result I want. 0:10:30.640 --> 0:10:33.480 You have two hundred and forty days to return to 0:10:33.520 --> 0:10:37.120 me the result I want go And it's up to 0:10:37.200 --> 0:10:41.000 that individual department to determine what are the steps that 0:10:41.040 --> 0:10:43.880 it needs to take in order to meet the requirements 0:10:43.920 --> 0:10:46.800 of this executive order. Uh. This is also something that 0:10:46.840 --> 0:10:49.439 I've seen critics point at, saying, a lot of the 0:10:49.480 --> 0:10:52.360 time tables that are discussed within the Executive Order are 0:10:52.400 --> 0:10:56.920 not necessarily realistic because you're talking about navigating such a 0:10:57.000 --> 0:11:00.360 complex issue, not just from the technology side, but from 0:11:00.360 --> 0:11:04.319 the existing policy side. That uh, that in order to 0:11:04.320 --> 0:11:07.680 to find something that satisfies the needs of the Executive 0:11:07.760 --> 0:11:10.760 Order and does not violate any of these other entities 0:11:10.760 --> 0:11:14.520 that are already out there is a huge challenge. And 0:11:14.520 --> 0:11:18.080 two hundred forty days, which is just one of the deadlines. 0:11:18.120 --> 0:11:19.840 There's some that are like a hundred twenty days, depending 0:11:19.920 --> 0:11:21.640 upon what it is. But it's just it's just not 0:11:21.760 --> 0:11:24.600 enough time, right and especially considering that if you've been 0:11:24.640 --> 0:11:26.360 paying attention to the news at all, and say the 0:11:26.400 --> 0:11:30.760 past existence of reality, you may have noticed that the 0:11:30.800 --> 0:11:34.560 different parts of American political system don't necessarily work together 0:11:34.640 --> 0:11:37.400 extremely well, and so so things. I mean, for for example, 0:11:37.440 --> 0:11:39.880 there was a Cybersecurity Act last year I believe that 0:11:39.960 --> 0:11:43.120 tried to go through Congress. It made it past No, 0:11:43.280 --> 0:11:45.920 that was the other one. It got failbustered by the Republicans. 0:11:45.920 --> 0:11:47.480 They were saying that it was going to place too 0:11:47.520 --> 0:11:49.800 much of a burden on the companies, that it would affect, 0:11:49.800 --> 0:11:51.840 and and all kinds of stuff like that has been 0:11:51.840 --> 0:11:53.520 going on for the past three and a half years, 0:11:53.600 --> 0:11:57.240 or really since the mid nineties when computer networks became 0:11:57.280 --> 0:11:59.719 a really integral part of business. Yeah. This this is 0:11:59.720 --> 0:12:03.240 a complicated issue because on one hand, you're talking about 0:12:03.320 --> 0:12:07.520 protecting a lot of private entities, and private entities do 0:12:07.600 --> 0:12:11.480 not have any connection to the government other than paying taxes. Honestly, 0:12:11.520 --> 0:12:14.199 as I'm sure we're all aware, but anyway, these private 0:12:14.280 --> 0:12:16.880 entities don't necessarily have any other connection to the government. 0:12:16.880 --> 0:12:19.240 They're not run by the government. It's not a socialist 0:12:19.320 --> 0:12:22.960 kind of structure. It's private structure. Uh. But that means 0:12:23.000 --> 0:12:26.559 that they you know, how far can the government come 0:12:26.640 --> 0:12:30.120 in to try and protect these entities When the entity 0:12:30.160 --> 0:12:33.480 itself is in control of something that's vital to the 0:12:33.520 --> 0:12:37.760 operation of business or national security, then there it is 0:12:37.800 --> 0:12:40.160 in the government's interest to come in and say, look, 0:12:40.240 --> 0:12:42.679 I know that we don't have any uh any call 0:12:42.760 --> 0:12:44.960 and how you run your business, that's not our job, 0:12:45.080 --> 0:12:48.040 but we need to protect it because how your business 0:12:48.080 --> 0:12:53.480 performs affects the citizens of this country. So I guess 0:12:53.480 --> 0:12:55.280 we can start diving into the example order. Did you 0:12:55.360 --> 0:12:57.040 have something else you wanted to mention before we did that? 0:12:57.080 --> 0:12:59.480 And that's about it, all right, So here's the here's 0:12:59.480 --> 0:13:04.679 an opening paragraph from part of the executive order. Does 0:13:04.720 --> 0:13:07.000 the policy of the United States to enhance the security 0:13:07.080 --> 0:13:10.000 and resilience of the nation's critical infrastructure and to maintain 0:13:10.040 --> 0:13:13.480 a cyber environment that encourages efficiency, innovation, and economic prosperity 0:13:13.520 --> 0:13:18.000 while promoting safety, security, business competentiality, privacy, and civil liberties. 0:13:18.040 --> 0:13:20.120 We can achieve these goals through a partnership with the 0:13:20.160 --> 0:13:23.880 owners and operators of critical infrastructure to improve cybersecurity information sharing, 0:13:23.920 --> 0:13:28.760 and collaboratively develop and implement risk based standards. As a 0:13:28.760 --> 0:13:32.520 as a mouthful, fascinating, that was so thrilling. It was, Yeah, 0:13:32.520 --> 0:13:35.959 it's it's it's it's not quite legally ease, it's not 0:13:36.240 --> 0:13:40.640 it's not so dense as to be uh, completely inoperable. 0:13:40.920 --> 0:13:42.840 You can't understand a word of it without having like 0:13:42.880 --> 0:13:45.640 three lawyers on your team, but it does. It does 0:13:45.800 --> 0:13:47.960 make it kind of you know, it's it's this very 0:13:48.040 --> 0:13:51.319 formal sort of language. Part of the issue here also 0:13:51.440 --> 0:13:54.520 is that some people argue that the terms are not 0:13:55.320 --> 0:14:00.160 narrowly defined enough to make it meaningful. For example, you 0:14:00.160 --> 0:14:04.400 talk about operators of critical infrastructure, um, they there are 0:14:04.440 --> 0:14:07.400 some people who say that that's not specific enough. You know, 0:14:07.480 --> 0:14:10.720 you don't you know how what? What? What is infrastructure? 0:14:11.160 --> 0:14:13.760 Are we talking? Are we talking just things like power grids? 0:14:14.240 --> 0:14:16.959 I mean that would clearly be critical infrastructure. Does it 0:14:17.040 --> 0:14:20.480 extend to UH to telephones, does it extend to dams? 0:14:20.640 --> 0:14:24.800 Or doesn't extend to UH? To cybersecurity firms? Because if 0:14:24.840 --> 0:14:27.440 you're talking about something now that where you're really trying 0:14:27.480 --> 0:14:30.360 to protect people from cyber attacks, does that mean does 0:14:30.360 --> 0:14:33.720 that extend to the point that cybersecurity firms become part 0:14:33.720 --> 0:14:37.880 of this critical infrastructure because they are the protection against 0:14:37.960 --> 0:14:41.000 that sort of thing. Um. I'm sure that those kind 0:14:41.040 --> 0:14:43.240 of definitions will be worked out. And sometimes this sort 0:14:43.240 --> 0:14:46.880 of legislation or these executive orders I should say, not 0:14:46.880 --> 0:14:49.360 not legislation, but this executive order. And sometimes these things 0:14:49.400 --> 0:14:53.000 are are vaguely worded on purpose to try and have 0:14:53.040 --> 0:14:56.040 the broadest possible application, and then you narrow it down 0:14:56.160 --> 0:14:58.200 as it's put into practice. And that's the feeling that 0:14:58.240 --> 0:15:00.200 I get from this, and especially since they're kind up 0:15:00.200 --> 0:15:03.280 going like, yeah, do this thing and you work it out. Yeah. 0:15:03.320 --> 0:15:05.480 So I'm gonna go through a little bit kind of 0:15:05.520 --> 0:15:07.760 point by point of some of the sections here, and 0:15:07.800 --> 0:15:10.480 then after I do that, we'll we'll kind of talk 0:15:10.520 --> 0:15:13.560 about some of the the not just criticisms, but just 0:15:13.600 --> 0:15:17.000 some of the observations people have made about this. So, 0:15:17.000 --> 0:15:20.440 so it begins by talking about distributing reports of detected 0:15:20.480 --> 0:15:24.400 cyber security threats to private sector companies as long as 0:15:24.400 --> 0:15:28.240 those reports do not endanger investigations and law enforcement efforts 0:15:28.320 --> 0:15:31.600 and they are unclassified. So, in other words, when the 0:15:31.640 --> 0:15:34.520 government gets, say a report that there's a threat, a 0:15:34.600 --> 0:15:39.160 cyber threat, uh, this is what would allow the government 0:15:39.200 --> 0:15:43.000 to send that information out to the various parties that 0:15:43.120 --> 0:15:45.920 could be affected by this cyber threat and to kind 0:15:45.920 --> 0:15:48.680 of give them a heads up saying, look, we've detected 0:15:48.720 --> 0:15:53.840 that there's some operation in let's say China, whether it's 0:15:54.000 --> 0:15:56.800 state backed or it's a group of hackers who are 0:15:56.840 --> 0:15:58.800 working on their own or whatever, or maybe it's a 0:15:59.240 --> 0:16:01.800 Russian group that looks like it's working out of China. 0:16:02.680 --> 0:16:04.960 This is complicated. We can't really be sure because the 0:16:04.960 --> 0:16:08.000 way the internet works in the way hackers get around 0:16:08.000 --> 0:16:10.440 this sort of thing. But they've detected that there's this 0:16:10.520 --> 0:16:13.520 credible threat, and they've detected what the potential targets are. 0:16:13.880 --> 0:16:16.360 This part of the executive order gives the government the 0:16:16.400 --> 0:16:19.640 ability to say, hey, heads up, it's coming in. And 0:16:19.680 --> 0:16:22.880 this is actually an expansion of a currently existing program 0:16:23.120 --> 0:16:28.040 um called the Defense Industrial Based Information Sharing Program, which 0:16:28.120 --> 0:16:31.360 I believe currently exists to allow government contractors to receive 0:16:31.440 --> 0:16:34.680 real time reports about these threats. Right, and so again, 0:16:34.880 --> 0:16:38.440 the reason why they say it can't endanger investigations is clearly, 0:16:38.480 --> 0:16:42.760 if there's a like UH and a law enforcement group, 0:16:42.760 --> 0:16:45.280 whether it's it's the United States or it could be 0:16:45.400 --> 0:16:50.960 some UH international type of UH law enforcement group looking 0:16:51.000 --> 0:16:55.400 into the problem, then by sharing information, you could compromise 0:16:55.560 --> 0:16:59.280 that that investigation. So it's a delicate thing. It's it's 0:16:59.320 --> 0:17:01.480 not something where every single time there's going to be 0:17:01.480 --> 0:17:03.680 a threat, there's automatically going to be a report generator 0:17:03.720 --> 0:17:05.600 that gets sent out. It's going to be a case 0:17:05.640 --> 0:17:09.960 by case basis. The next section talks about how classified 0:17:10.000 --> 0:17:13.800 reports will go to critical infrastructure entities that are authorized 0:17:13.840 --> 0:17:17.840 to receive them. So there will be some privately held 0:17:17.880 --> 0:17:22.840 companies that will be authorized to receive classified information, assuming 0:17:22.840 --> 0:17:25.920 that classified information relates to that entity in some way. 0:17:26.040 --> 0:17:27.840 I think it's also talking a little bit about trying 0:17:27.840 --> 0:17:33.520 to expedite the process of getting clearances for appropriate uh 0:17:33.880 --> 0:17:37.760 A individuals and also state and government representatives to give 0:17:37.880 --> 0:17:40.560 that stuff. Yeah, exactly, yes. So this this again is 0:17:40.600 --> 0:17:42.919 kind of like cutting away some of the red tape 0:17:43.400 --> 0:17:47.159 that would exist between information and the and the entity 0:17:47.240 --> 0:17:50.119 that would most benefit from receiving it, uh in a 0:17:50.240 --> 0:17:53.760 in a cyber attack kind of situation. It would also 0:17:53.840 --> 0:17:57.600 expand the Enhanced Cyber Security Services Program to all critical 0:17:57.640 --> 0:18:03.360 infrastructure sectors, which is a voluntary information sharing program and 0:18:03.440 --> 0:18:05.840 it offers this is where you were talking about, it's 0:18:05.840 --> 0:18:08.560 offering the cross fight info to the private sector folks, 0:18:08.600 --> 0:18:12.520 but also it's a sharing program that is supposed to 0:18:12.640 --> 0:18:18.280 encourage companies to share information between each other to say, uh, 0:18:18.320 --> 0:18:22.000 there's this cyber attack that we've we've detected and it 0:18:22.040 --> 0:18:25.280 could affect your industry as well as ours. So the 0:18:25.320 --> 0:18:28.520 idea is that it's supposed to encourage these companies to participate, 0:18:28.560 --> 0:18:32.280 but it is voluntary. We'll get into that when we 0:18:32.320 --> 0:18:37.280 get into the criticisms. Um Also, beyond the security clearance 0:18:37.320 --> 0:18:41.240 being expedited, we have private sector experts will be invited 0:18:41.359 --> 0:18:43.840 to come and speak to the government on a regular 0:18:43.880 --> 0:18:46.399 basis to keep the government informed about cyber risks and 0:18:46.480 --> 0:18:49.040 the best practices to respond to them. Now, this is 0:18:49.119 --> 0:18:51.520 essentially the part of the executive Order that recognizes the 0:18:51.520 --> 0:18:54.280 fact that the people who hold positions of power in 0:18:54.359 --> 0:19:01.000 politics may not be technologically qualified. They maybe savvy, but 0:19:01.080 --> 0:19:05.000 even a technologically savvy person would not necessarily be up 0:19:05.000 --> 0:19:08.200 to date on the latest cyber threats. And so this 0:19:08.280 --> 0:19:11.080 is this is to give the government the chance to 0:19:11.720 --> 0:19:17.879 maintain a an ongoing dialogue with experts in the cybersecurity 0:19:17.920 --> 0:19:21.399 field so that the best policies are formed as a result, 0:19:21.440 --> 0:19:23.560 and that the best practices are formed as a result, 0:19:23.600 --> 0:19:26.679 because what works today may not work in three months. 0:19:26.840 --> 0:19:31.240 It's a funny thing about technology. And then, uh, the 0:19:31.840 --> 0:19:35.879 next section is the one that's all about privacy and 0:19:35.920 --> 0:19:39.680 civil liberties because apparent that it's it's a really big 0:19:39.720 --> 0:19:42.199 issue in the idea that a lot of these companies 0:19:42.240 --> 0:19:45.200 have a lot of our data, not just corporate data, 0:19:45.240 --> 0:19:48.720 but our personal data. So think about it like power companies, 0:19:48.760 --> 0:19:53.040 gas companies. Uh, you've got you've got credit card companies. 0:19:53.080 --> 0:19:55.480 You should you know, all sorts of vendors out there 0:19:55.520 --> 0:20:00.800 have information, social networking companies, all of these have personal 0:20:00.840 --> 0:20:05.119 information that could put citizens at risk if that information 0:20:05.160 --> 0:20:08.840 were shared to a broader audience. So that's the part 0:20:08.840 --> 0:20:12.520 where the executive Order says, Okay, we want this culture 0:20:12.760 --> 0:20:15.000 of sharing. We want to be able to get the 0:20:15.040 --> 0:20:17.399 information to where it needs to be so that we 0:20:17.440 --> 0:20:20.360 can protect ourselves, but we don't want to do that 0:20:20.520 --> 0:20:24.639 at the expense of personal privacy and civil liberties. We 0:20:24.680 --> 0:20:29.360 don't want to violate anyone's privacy or expectation to privacy. Um, 0:20:29.400 --> 0:20:32.719 so we don't want a credit card company to send 0:20:32.960 --> 0:20:36.919 information to some other entity that just so happens to 0:20:37.000 --> 0:20:41.240 have the the all the credit card numbers, names, addresses, 0:20:41.280 --> 0:20:44.000 credit scores of everyone who's a customer with that credit 0:20:44.040 --> 0:20:47.320 card company, because that would be a bad thing. And 0:20:47.440 --> 0:20:49.560 so one of the things that this this requires is 0:20:49.640 --> 0:20:54.520 a regular assessments in public reporting of any kind of mishaps. Yeah, 0:20:54.600 --> 0:20:57.879 so it's an ongoing dialogue again with the government to 0:20:57.920 --> 0:21:02.080 make sure that this is done an appropriate way, because 0:21:02.160 --> 0:21:06.040 I mean, obviously, when when people start to worry about security. 0:21:06.400 --> 0:21:10.120 It's it can be I won't say easy, but it's 0:21:10.160 --> 0:21:13.960 possible that you overlook other concerns that you should really 0:21:14.160 --> 0:21:16.919 take into mind when you're trying to protect yourself. We 0:21:17.240 --> 0:21:20.080 we usually see this in the wake of some sort 0:21:20.119 --> 0:21:24.080 of actual attack, where an attack happens and then we 0:21:24.160 --> 0:21:25.879 just want to respond to that and make sure it 0:21:25.920 --> 0:21:30.400 doesn't happen again. And you can easily set aside other 0:21:30.480 --> 0:21:32.199 concerns that you really need to keep in mind the 0:21:32.200 --> 0:21:34.840 whole time. Well, before we move on to the rest 0:21:34.920 --> 0:21:37.159 of the executive Order, I think now would be a 0:21:37.160 --> 0:21:40.320 good time to take a quick break and thank our sponsor, 0:21:40.800 --> 0:21:43.880 and now back to the show. So the next section 0:21:45.040 --> 0:21:50.000 is all about consulting and getting various departments to talk 0:21:50.040 --> 0:21:52.960 to each other to improve security measures, so when one 0:21:53.200 --> 0:21:57.119 group sees something that's working, it can communicate that with 0:21:57.160 --> 0:21:59.320 other groups. It's kind of it's kind of this idea 0:21:59.359 --> 0:22:05.280 of UH inciting cooperation between departments and other entities. Then 0:22:05.560 --> 0:22:08.800 there's a section. I've got a direct quote here, and 0:22:09.640 --> 0:22:12.920 the Secretary of Commerce shall direct the Director of the 0:22:13.040 --> 0:22:18.320 National Institute of Standards and Technology UH for here. Henceford 0:22:18.359 --> 0:22:21.600 known as a director to lead the development of a 0:22:21.680 --> 0:22:26.240 framework to reduce cyber risks to critical infrastructure, henceforth known 0:22:26.280 --> 0:22:30.280 as the cybersecurity Framework. The cybersecurity Framework shall include a 0:22:30.280 --> 0:22:35.320 set of standards, methodologies, procedures, and processes that align policy, business, 0:22:35.359 --> 0:22:39.879 and technological approaches to address cyber risks. That's essentially saying 0:22:40.359 --> 0:22:43.760 you have to take everything into consideration and make it 0:22:43.880 --> 0:22:48.440