Security Cryptography Whatever
Biden’s Cyber-Everything Bagel with Carole House
Just a few days before turning off the lights, the Biden administration dropped a huge cybersecurity executive order including a lot of good stuff, that hopefully [cross your fingers, knock wood, spin around three times and spit] will last into future administrations. We snagged some time with Carole House, outgoing Special Advisor and Acting Senior Director for Cybersecurity and Critical Infrastructure Policy, National Security Council in the Biden-Harris White House, to give us a brain dump.
And now due to popular demand, with video of our actual human¹ faces! https://youtu.be/Pqw0W2crQiM
Transcript: https://securitycryptographywhatever.com/2025/01/20/bidens-cyber-everything-bagel-carole-house/
Links:
- https://www.federalregister.gov/d/2025-01470
- https://www.wired.com/story/biden-executive-order-cybersecurity-ai-and-more/
- 2022 EO: https://archive.ph/hvzWd
- 2023 EO: https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security-1.pdf
- 2021 EO: https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity
- NIST SSDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
- https://www.federalregister.gov/documents/2015/04/02/2015-07788/blocking-the-property-of-certain-persons-engaging-in-significant-malicious-cyber-enabled-activities
- IEEPA: https://www.govinfo.gov/content/pkg/USCODE-2023-title50/pdf/USCODE-2023-title50-chap35-sec1701.pdf
¹ Actual human faces not guaranteed in all cases
"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
You know what, government needs to drink our own champagne for asking industry to do it. We're going to do it too. Hello, welcome to Security Cryptography Whatever. I'm Deirdre. I'm Thomas, here on behalf of my client, David Adrian. And we have an incredibly wonderful special guest today: Carole House, Special Advisor and Acting Senior Director for Cybersecurity and Critical Infrastructure Policy at the National Security Council in the Biden-Harris administration. Hi, Carole. How are you? I'm doing great. You know, our EO got issued today, so it's been a busy day. I can imagine. It came out bright and early this morning and we've all been... it's big. So the title of this executive order from the president is "Strengthening and Promoting Innovation in the Nation's Cybersecurity". And there have been a couple of EOs from the Biden administration on cybersecurity, on post-quantum readiness; post-quantum is the thing that I focus on a lot. But this is like the kitchen sink of cybersecurity orders. Can you tell us what's in this and how this came to be? Awesome. Thank you so much for the opportunity to chat about it too, because you're right, it's really our capstone, is how we characterize it, as really the culmination of the review of a lot of the major incidents that have occurred over the past few years. You know, the administration has really bookended both sides of the administration with major executive orders, and then there have been a lot of national security memoranda and other initiatives all throughout the entire administration. But this one really builds on the successes and lessons learned of what we've seen over the past four years to implement very specific protections and to mitigate specific vulnerabilities that we continue to see as a root cause across most of these incidents.
So you see a lot of focus there on securing our communications, and securing cloud environments and software security are a major element there. Some other areas of lessons learned are that we need to be able to sanction more effectively, so we fix our sanctions authorities, and cyber-enabled fraud, absolutely a huge problem that's affecting Americans and costing us billions. So we need to do something about it. So we did. And yeah, I'm really excited about this as the culmination of all those efforts. Yeah, and just as a top line, there's a lot of exciting stuff in here, and like I mentioned, post-quantum, but embedded in the post-quantum stuff is literally the entire federal government has to transition to TLS 1.3. You gotta do it, and you gotta do it in like five years or something like that? So I think, even ignoring the post-quantumness of it, which we think is important, but also, yay! A modern TLS protocol! It's been out for a couple of years now, exciting! Yeah, so we think that 2030 is doable for us. So yes, absolutely. Very excited. A lot of things that are in here like that, like BGP protections, like encrypted DNS, things that we really should have been doing for years. And now we're directing it because we're driving some efforts. Like there was an FCC rulemaking related to BGP protections and other things, for secure routing. So you know what, government needs to drink our own champagne for asking industry to do it. We're going to do it too. So there's a lot in here that's really taken from the best practices that we're seeing in industry. I love that. Encrypted DNS, that is DNS over encrypted channels, not DNSSEC, right? Correct. Because we have our opinions on DNSSEC and how it can be annoying to deploy in practice. Yeah, I know there is. Oh, sorry. Go ahead. Yes, I have heard.
I think we know a little bit about where the network controls in this EO came from, like the source of expertise and the curation of those things, some of the people involved there, without getting too deep into the specifics of how you guys curated the network controls that you came up with. What was, broadly, the deliberative process here? I think the obvious reaction a practitioner would have looking at the EO is that you guys came up with an everything bagel, right? Literally every conceivable thing is here. So clearly there's gotta be multiple stakeholders, multiple people driving this. You can actually see shifts in the way things are structured in different sections and things like that. So, how did you do it? Yes, that's fair. And I will just give credit to the fact that we did edit; there were longer versions of this, and there are more things that I'm actually very sad were not ultimately in it. But also, this is a wonderful document, and I think they struck the right balance, like we all did. And by they, I mean the president, in the direction for us to pick the highest-impact initiatives, make sure that we were striking the right balance of high-impact, really important measures, things that the American people would understand that would really help them, and that wouldn't just help the government but also drive positive benefits out for industry, and try to minimize burden wherever we could, and focus on centralized actions where we could. So you're going to see a lot of CISA, GSA, NIST, a lot of the powerhouse force-multiplier players in the U.S. government became certainly a source of collaboration with them, but also a major focus for where we wanted as many initiatives as possible to be on
those agencies, to try to help the CIOs and CISOs not just feel the weight of a lot of obligations, because, as you intimated, there's a lot of things that they have to do in here. But on the process: as Special Advisor at the National Security Council, I was leading this work, bringing together the interagency and driving coordination with the interagency and with the rest of the NSC team. So there's a cyber directorate at the National Security Council, the National Security Council being the kind of penultimate policy body for the president on national security policy. So we were working with the interagency to bring together a really wide representation from agencies. We had certainly all the policy shops from all the relevant agencies, and we worked with them in development of this. So there was a huge amount of collaboration over many, many months, well over half a year on this. So this really does represent the culmination of a lot of different ideas, collaboration from agencies on what do you want, what will have the best impact. So this reflects the thinking of the whole government and not just the thinking of one office inside of the White House. Yeah, hell yeah. Some of the things that really jump out as a practitioner: we mentioned TLS 1.3, but in here is multi-factor, specifically phishing-resistant multi-factor like YubiKeys, WebAuthn, or other ways to achieve phishing-resistant authorization, at least in the federal government. And of course, all of this stuff about provisioning and procurement and requirements of a huge customer like the federal government, the U.S. government, means that hopefully that will help trickle out into more of our general products that people who don't have anything to do with the federal government also use.
That's huge, because a lot of the attacks that we just kind of mentioned in passing often are just credential stuffing attacks, and even if they have two factors, sometimes it's a code, or an SMS, a texted code, and you just phish for it. And this really, really could help with that. So, yay! Yes, I know. I also love this. And phishing-resistant MFA was really emphasized in the zero trust strategies and architectures that we've worked with the interagency and with a lot of industry collaboration to put together. But we needed to tell industry: this is the North Star. We mean it. This is already a problem being exploited, and fraud is only increasing right now with the democratized access to really sophisticated AI and other capabilities that can more widely push forward a lot of things like phishing attacks more successfully. It's not a fair fight. What makes it a fair fight is using encryption and things that can't be spoofed and competed against. So we need to use the best-in-class tech. That's the only thing that will level the playing field against adversaries that are coming for Americans and their money. And I love your point about why focus on government only, and there are certainly regulatory efforts that we have underway. We've been pushing some rules related to trying to help healthcare information be better secured, and we've done that for ports and other systems in the energy sector as well, and the transportation sector. But basically, we're trying to leverage the power of the federal government procurement capability, over 100 billion worth of procurement and cybersecurity spending that the federal government uses every single year. We are putting that to work to try to drive the market evolutions that we need in this space.
We're a customer just like many others in industry are; the software that we use is typically software that a lot of other people are using as well, as are other services, services like cloud environments. So just like you said, we want to set a North Star of highlighting that these are the best practices that we're seeing from industry. We need to adopt them, but also we expect vendors that we purchase from, that we rely upon, and Americans rely on us, so you need to be using these best-in-class capabilities. So that was my next question. If you read through the whole EO, there are sort of three senses in which this could actually act on whoever's doing better cybersecurity stuff. There's the sense in which you're instructing the agencies to adopt better practices. There's the sense in which you are instructing vendors to the agencies, people going through the GSA process, to enact better processes. And then there's the sense in which you are instructing the market directly, whether or not it's dealing directly with the government, that these are new expectations or practices. Do you have a sense of what the balance is between those three ways of looking at this? In terms of what you were going for with the EO, was it more getting agencies to modernize? Was it more getting vendors to raise the bar? Or was it more that the goal here is actually to raise the bar for the industry across the board? Because my answer is a totally unsatisfying "yes, all three." Because yes, absolutely, we definitely need federal agencies to pick up the pace and to heighten the bar. The problem is most of our software is not government created. It is commercially created. So we definitely need those vendors to pick it up. But also we recognize that
our purchasing power and our weight is often much larger than a lot of other parts of industry. Now, it depends on which vendors. There are certainly plenty of vendors where the government isn't a massive proportion of their market share. But there are some where we absolutely are. And either way, we have a lot more money than many other customers do to be able to put to work here. So we do view that part of the government's role, in my own personal view of where we're supposed to insert ourselves, whether through regulation or other types of incentives, is where the free market has not fixed itself. And this is a great example of what's happening. And so through incentives of saying, look, we'll buy you if you are this tall in cybersecurity, et cetera, is a really important role that we need to embrace. Regulation is another incentive. I also call regulation a public-private partnership. They don't love that joke very much, but yeah. I appreciate that. That's not a terribly satisfying answer. It's sort of me cheating, Tom. Sure. So there are like nine broad sections in the EO. There's more than that, but then there's definitions and stuff, right? But you're still in the meat of the recommendations at section nine. Some of them are very clearly directed at modernizing the agencies directly. So for instance, there are directives in here to get all of the agencies up on EDR software. That's agent-based software to monitor endpoints for threats. And then have a system for sharing the intel from those things. That's really directed at agencies, right? Or there's communication security, which is, you know, we're going to do TLS 1.3, we're going to do post-quantum encryption. That seems like it's targeted at agencies, right?
But then early on, a lot of it is attestations from vendors. Are there things that jump out at you as targeted at industry versus things that jump out at you as targeted at the agencies? Which is which there? I'll do my best, since I do think that there's a mix of both, but it's probably different weights and proportions. So I'll try to navigate that. For software, it is very much pointed at the vendors, absolutely, and pointed at the market. That is where we see, despite what we already put in place in the first cyber EO in 2021, where we required CEOs to self-attest, essentially the pinky promise saying, yes, I use these secure software development practices. And that's good. That was a good evolution. It's been under implementation for the past three and a half, four years now at this point. But we're still seeing Russia and China absolutely exploit vulnerabilities in commercial software at the root of so many different attacks and supply chain attacks that are hurting industry and that are hurting government. And again, if it's hurting government, it is hurting industry and it is hurting Americans, because we are providing services back out to them. And either way, we're also using software that the other definitely also uses. So either way, we need to fix this. We definitely need more security in the services that the federal government relies upon. We have really sensitive mission sets, and that is first and foremost, absolutely, what must occur. But we also really expect this and want this to drive the development of secure software. We certainly would not expect or look to CEOs to be only using secure software development practices for gov-only software, and not using them at all for their other software.
So we view it as both, but if I had to pick one over the other, it's more vendors for government. The software section is absolutely pointed straight at the vendor community. And then also rewarding the vendors that actually follow those practices, right? Like the requirement of submission of artifacts to do that validation, and then publishing those results back out to the marketplace, where I want other buyers of that software to know whether or not the government has assessed and validated, one way or another, that the artifacts have in fact substantiated or not the fact that that vendor is using secure software development practices. So that's a good example for the software one. And how does that touch on some of the open source that a lot of our software uses? Whether or not the actual final product that gets provisioned and deployed is closed source, it often uses open source dependencies or libraries, or you might be using an open source server to do your TLS. You can have open source all the way from the thing that you "buy" or provision. How do we fit those things together? Because are you going to go to your OpenSSL and be like, fill out this form to attest that you have done secure development practices, or is that sort of like, we can just go look for ourselves? Yeah. So at least for us right now, when it's a vendor to the government, normally those are commercial providers that will leverage open source software and other things. But in that case, the requirement still sits not on, you know, a non-sentient library or whatever, you know, until one day the AI... now that the code... this is the future. Oh God, sorry. I work in blockchain, cryptocurrency stuff too. So now that smart contracts could actually be smart. It's a thing. Tornado Cash.
Yeah, we could have that conversation in a bit. So yes, now that that's a possibility, let's go back to practically what's happening right now, which is that generally, yes, it's normally commercial vendor software that relies upon all these open source tools and capabilities. So we're not asking for them to go back to every one of their vendors to also attest, but we expect them, in whatever they've created, to use secure software practices. And part of the SSDF, the Secure Software Development Framework, and other definitions of what those secure practices are, does mean having a general understanding of what is it that you're using, and what gives you some confidence that it's secure. And we know that there's lots of benefits with open source security, obviously. So that's all part of a risk framework and risk-based implementation. But it's something where we certainly expect them to know what it is that they're using, and, let's say, monitor for open vulnerabilities that are identified related to those. Because there are times where those open vulnerabilities that are all public information are not being mitigated, and have been, again, at the root cause of a lot of these incidents. So those kinds of practices would be the sorts of things that we would expect to see in those high-level artifacts. This is part of that balance. We require artifacts, but we're not getting into pen tests and source code. We're not doing that level of validation. It's policy and procedure docs and those sorts of things that help give confidence to some level of assurance. If we want an artifact other than a breach to be able to bring enforcement, then you have to get some kind of information up front. Got it.
It's an interesting problem, right? Because you can hear it just in the way you're describing the motivations for the EO, how many times you've talked about supply chain attacks, for obvious reasons. It's top of mind for everyone. But to me, supply chain attacks are almost a pure open source problem. The primary vector for supply chain attacks is repositories of open source code and custody of all that stuff. And for our listeners, if you haven't seen the NIST SSDF standards, you can just go look them up. If you've done SOC 2 before for a company, there's a very similar flavor, except that the SSDF stuff is much deeper into the mechanics of how you're doing secure software development. So for instance, it's more prescriptive about how you would do assessments for vulnerabilities. It doesn't get into pen testing, but it's like, you have automated tools set up to scan for vulnerabilities, and how you're managing that stuff. And I think the thing I'm driving towards here is, no matter how important the open source project is, none of them will comply with SSDF. The state of the art right now in open source project management isn't there. Some of these requirements are kind of benign on paper, but having had the pleasure of doing them commercially myself, it takes some resources to actually keep it up to date and all that. So how would you respond to a very annoying message board nerd, who, by the way, you're talking to right now, who would say that they are concerned that this level of specificity for software security is going to deter people from using open source software, because they're not going to be able to keep up a record of all the stuff they're doing?
As soon as they hit that point where they've pulled in a large dependency, you know, Rust hyper for the HTTP stack, that kind of really core, big, sprawling dependency, they lose the ability now to keep track of anything they're doing there, because that's an open source project. Yeah. I guess this is where at first I'd point to that we do have a section on open source security in the EO. So, yeah, I know I'm a good architect of the EO, with some other really brilliant people I know, including one who was on your podcast maybe half a year ago, working on these issues. So we do encourage, in the EO, we're really promoting the creation of open source security communities inside of the federal government, as well as directing the creation of some guidance to agencies on how to participate in and leverage open source securely, as well as participate in the community, which is a complicated issue. But also, I think that some of this means that, okay, if you want to rely on open source, and I'm a huge proponent of open source, I am, but I recognize that these issues of being able to understand and keep up and maintain those libraries, if it's not maintained, then that's a potential vulnerability, which, again, back to the risk-based approach, you need to understand how critically am I relying on this, and how often is it being upkept, and what is that community. Because if the community doesn't continue, then that's a very real consideration that we need to have, especially when such critical services are being relied on for them, versus trying to create a really cool go-to-market solution.
The services that we're providing are often no-fail mission sets. So it's just something that we have to figure out, but we are committed to embracing it, promoting secure use of open source. Yeah, that's great. So, just so I can make sure that my understanding of how this works is right: for this kind of vendors-building-software-securely stuff, the fulcrum of it seems to be that vendors will submit attestations to the RSA, the repository at CISA? Yeah, right. And so the basic deal there is going to be, at some point, if you want to close a six-figure GSA contract, they're going to ask in that process, where's your attestation? Can I look it up in the RSA? And today that's a PDF I literally fill out by hand. And then the EO talks about, over the long term, we're going to modernize that. So maybe we'll get to the point where it'll be a build artifact: when I build my software, it'll also post the thing off to the RSA. Exactly. We really want to try to drive not just policy about tech, but also policy that embeds tech in it, or is tech-readable and machine-readable. Whether it's the rules-as-code pilot that we'll be doing later with federal policy, which we're looking forward to, but also this specifically, where we're telling CISA to modernize guidance and the repository to be able to accept and ingest machine-readable attestations as well as artifacts that come in. We do want to reduce inefficiencies and leverage the best-in-class tech, and try to help modernize not just our policy itself, but our approach to how we comply with policy, by making it as machine-readable as we can. So basically, that is the future.
Again, the North Star that's set out for what CISA needs to be driving towards here is something that will minimize burden and also improve assurance in some of this stuff, because there are huge problems with PDFs and things. Even from the world that I came from, of anti-money-laundering regulation and financial institutions, the idea that law enforcement has to get records from structured data files in PDFs drives me absolutely mad. I cannot deal with this situation. And it's something I talk about at length with some nerds; I'm like, this is structured. This file was structured. Why am I getting this as a PDF? So anyway, yes, that's the hope and the future that we will drive towards. I love that. I am actively in love with what you just said there. I did read that, I'm like, okay, so they're building a process, they're gonna modernize it. But I'm in the middle of this in my own municipality with open data stuff, where we get crime and police information, we get these daily reports, and they're all exports of spreadsheets in PDF files, and it's like, just don't do that extra step. Just give us the spreadsheet. I'm with you a hundred percent. Okay, this is great. You should only do that. I don't care about the rest of the EO. Just that thing. Recoding America. Yes, absolutely, I know. It's funny, I was just having a discussion about that book, and we're like, yes, if we could work that into some of our regulatory and law enforcement processes and other things. Because you're right, we're telling industry to inefficiently go through another step to then give us a thing that deprives us of being able to do any of the steps effectively. And I'm like, this is just not working. That is not solved in the EO.
But it at least hearkens to it, in the sense that we're like, okay, if we're going to ask for these forms of evidence in this process. It's not exactly a regulatory process, it's a procurement process, right? But it feels like a regulatory one a little bit when you're submitting these documents for validation. So we're like, okay, let's make sure that this one is done in a way... So I'm also excited that we're leaning into the machine-readability piece and embracing tech in how we implement this, not just the cybersecurity controls, but how we do the policy. And then of course there are sections in here, there's a security systems section, but there are others about inventory of everything that you have, and especially for me, in a post-quantum world, before you can migrate your cryptography, you have to figure out what cryptography you have, and that requires some sort of inventory, and that requires some sort of format, and ways to process it in a formatted-data way, and not a PDF, not a human-readable PDF. Hopefully it's a machine-readable format as well. Specifically, moving away from software development practices, there's stuff in here about end-to-end encrypted communications inside the government, and not just at the network layer, but for email, voice, other encrypted communications. We have opinions about whether email can be meaningfully, securely encrypted, period. But we know that it's a thing that people use. It's a full-on thing and people need it. Can you talk a little bit about what you're trying to get at there?
And we just saw an FBI directive because of Salt Typhoon in our communications companies, in our telecom companies, saying, hey, you should switch off voice calling and SMS to end-to-end encrypted communications, because we don't know if the networks are secure. And now this is sort of the internal side of that. Well, not because there's a Salt Typhoon inside the government, but just because end-to-end encrypted communications are good for almost everyone. Can you talk a little bit about that? And also, not everything inside the government needs to be completely... you have to have records of everything, especially inside defense. But you do need to have a lot of records about internal government communication. So can you talk about how those things will intersect? Yeah, so that's where, I think, you see it as practical, because you're right, some of the nuanced implementations are going to be tough based on certain things like records requirements. And ultimately, this is where I'm just personally hoping that, as certain solutions for encryption continue to modernize and implementations start to get better, they might be able to be some of our longer-term fixes on this front, for us to be able to do both well. But basically, yes, you're right that the guidance that you saw related to Salt Typhoon... the Salt Typhoon incident is not not accounted for here. Like, it is accounted for here. I'm sorry for the double negative. It's absolutely one of the incidents that we're taking lessons from. And you're right that even though this doesn't mean that there's a breach inside of the government, we recognize, okay, the communications sector was targeted here, and targeted in other ways by PRC actors too, right?
Like it's one of the sectors that's being hit, um, but in Volt Typhoon activity as well that we're seeing targeted and specifically for, um, uh, yeah. pre positioning for disruptive effect, um, in the potential wake of a, Um, of a conflict. So, uh, basically we see communications as a really attractive high value target. Uh, we need to make sure that we can communicate with each other securely and the most common means of those communications, Um, really, Uh, with a lot of information all in one place are places like email, just tons of data there. um, and then also collaboration tools. I know we didn't get into phone stuff here. That's you're right. That's not, um, uh, that's for another, another day. um, Uh, and issues. But basically, these were some, these were the practical steps that after a lot of examination and discussion that we thought we could meaningfully take, Um, and put into effect to allow for, um, you know, at least transport layer encryption and at least putting, um, trying to encrypt email to the greatest extent that we possibly can. um, you're right, there's going to be some real Some real tough nuggets to nuts to crack, uh, and I'm great at metaphors, um, so real tough nuts to crack, um, and I think I, I'm actually joked about in my office because I'm so bad at metaphors, um, but I always mix them up, but, uh, a really tough nut to crack That's going to be interesting because, you know, part of the whole value add and the risk mitigation of end to end encryption is you can't just have some, you know, very handy logging service just auditing your things going back and forth over the wire, in the middle, Um, you have to have it on the end, so if you need to do disclosure or record keeping, uh, for very good, you know, public service reasons, it has to be on the end. So what does that mean? Do you have some kind of bot that's at, that's an end? What does that mean? Is that really end to end? So, um, You know, that's, that's a whole nother thing.
It can be done. It's just, you know, especially if you have a government device that's issued to you by your agency and it's like, cool, we're log your communications on your device, but that has to be secure. So it's this whole rabbit that the end to end encryption people, uh, you know, are very aware of. Yeah, and it's and it's really tough when, like, you know, people, like, even if we solved it for, let's say, inside of one agency, then we got to get other agencies on this platform, um, if it's not something that's been, like, implemented or it's interoperable with, like, many different vendor implementations, you have problems of like, lock in and, like, all the all those fun problems come up of only one solution, um, being used or being seen as being preferred, Um, and then, of course, there's the fact that we deal, we call, um, It talks to people outside of the government all the time. International partners, state, local, tribal, territorial, industry. Um, there's a lot of like this is a tough issue. These are, these are the first, these are the first steps, the first practical steps that we saw that we could try to put into place. But ultimately this is a longer road of figuring out how to. Better ensure like in encryption more broadly around all the comms. Um, and you're right. Not to mention that like places like the White House have totally, and even not even just the White House, different offices in the White House have different record keeping requirements. like, the NSC requirements are different from OMB are different from like, it's just, so yes. definitely a complex issue. Um, so a lot of CIO eyes get very big and thinking about like, how do we do this guys? you know maybe we'll have you back to talk about messaging layer security instead of email and then we might talk about federation and We'll leave that for another day. 
Anyway There's also stuff about quantum cryptography in here, which is like the thing I work on the most in my date in my day job it's really cool because NIST came out with the first three post quantum standards a couple of months ago and Like Yes, and so now everyone would have been kind of keeping an eye on those for almost 10 years, I think, since the beginning of their post quantum competition, and they finally landed, and, and like, all these birds flew, flew, and they're, you know, saying, I need this to be recommended, I need all these things from my standards, because now this is a real FIPS standard, if you need to be FIPS compliant, which practically I think everything in the federal government or anything you procure to the federal government needs to be like FIPS compliant or, or you know, blessed in a certain way. Um, and then not even including National Security Systems, now it's a real boy and you can get PQ and you can be FIPS at the same time and oh boy. Um, and so in this EO it basically is a of MA four major directives around adopting PQ stuff. And there was other executive orders about. Um, pushing for PQ adoption about like the 2035 timeline something like that. Um, but this is, uh, one, we, we talked about the, the TLS 1.3 adoption, which is great because it is the only version of TLS or SSL that allows PQ. So, um, That's great. Um, but also, um, one of the big things is, uh, directing CISA to keep a list of product categories and specific products of, like, what is PQ, like, PQ ready, and you can just, like, go look at your list for your product category of, you know, a VPN, for, you know, firmware signing, or whatever the thing is you might need, um, and you can go there and be like, um, get, get a handy dandy list of stuff that is, uh, rubber stamped and approved and you can just start using that. One thing that's interesting about that is that, um, widely available was the key language in that section.
And I have a little bit of questions about what does widely available mean per product category? And I might ask you questions because another important line was prioritizing key establishment. Uh, above other capabilities, which we, we cryptographers generally agree on, that is the most pressing risk um, of our encrypted systems, uh, against a theoretical quantum attacker, because the stuff that you are encrypting right now, under a key Uh, you determine with key establishment is vulnerable because you can just record it all, save it for the day when you have your nice big quantum computer, come online, and then you can pick through your treasure trove of encrypted data and theoretically decrypt it. Um, so like, what is widely available? And like, for me, looking at this, this seems to like, This seems to be where a lot of people are going to be paying a lot of attention, because this is going to be like the laundry list of products and services, uh, the Uh, there is there any, uh, tension, one, widely available, two, uh, any tension about, like, how much attention is going to be on this list of products and services? Yeah, we do anticipate that there'll be some of that. And that's since there's time because the market is not currently flooded with a bunch of PQC capable products, um, it's just something that, um, that CISA is prepared to be like, working on and figuring out how to best implement in a way that allows them to monitor the market sufficiently enough and then list updated in a way, um, that is pointing agencies to the fact that like, Hey, the market has spoken. These capabilities exist. Like we, we need to use it. Um, so first I'd say that widely available, um, I was very happy that no lawyers made us define the term widely available. Um, so, uh, now I, I am positive that in, in like at the, at the EO level, um, so part of this policy document, like it's representative of a document from the president, presidential voice at that level. 
Representing the kind of directive that we want the, the, the outcome oriented objective to be for the whole us government. But ultimately a lot of this really comes down to the nitty gritty in actual implementation. And that's, what's going to happen here. Um, uh, so what I expect that, um, a place like this, I will not be around since I'm outgoing with this administration. Um, but what CISA will probably be looking to is like, okay, are there tools that have been created that are not just prototypes, whatever, like these are actual things in production that are being available. How, like. Um, like, you know, how big, uh, is that company? How many products is that Like, um, How many products Like, I, again, this will be a bit up to their, um, to their determination and implementation, but I don't know if, like, just one product is made available generally across the market and, like, large enough numbers that it can be, um, that it can serve all of the. federal government requirements in that space, um, is basically what you'd need. So that and, or that multiple market providers and, and capabilities have now arisen. I think that those are going to have to be the considerations that get put into effect there since, um, for those of you that haven't read or memorized that section yet, I'm sure you're working on it. Um, but, um, basically that with that, with this list, the idea is that Any federal, um, agency solicitations past past that point of certain certain product category having these PQC capable, um, uh, tools and solutions that are listed there, they for any of those future solicitations must demand that the products be PQC capable like great once the market. So we're not being we're not trying to front run the market. 
In the sense that like demand something from agencies that is unable to be met, but we are trying to help create and foster there being a marketplace by saying like, okay, that there is an advantage to starting to integrate this, uh, solutions and tools and capabilities, because like, ultimately, once these things start to be available to be made available by your competitors, in a widely available enough way, um, then agencies will only be able to use those tools, um, because we need to make sure that we're not buying things that are going to last and be in our systems for another 10, 15 years or whatever, um, that are going to put us at risk for, um, a bunch of sensitive information being, um, being able to be decrypted or being able to be compromised. Yeah. And what I found, uh, one nice thing in that section is that it kind of has this like Little, little carve out of basically like, you don't have to wait on the CISA list either, like, if you have a product and it provides, and it becomes available, that you've already provisioned, and it comes available with PQ, um, uh, capability as like an upgrade, you can just go directly there, just apply the upgrade and it's, it'll, you know, you're ready to go, so like, if you are, you're already in like a pretty good place and you can get that automatically from your vendor, you don't have to go buy a new thing and provision a new thing, like, go directly, you know, Go directly to go, you know, collect 200 or whatever. Um, that's great. That's great. It just makes, it's one less thing. And so, that's awesome to see. Um, I, uh, one other thing that I only realized at, like, the, like, last second is basically, like, there's, for the federal, for the U.S. government, there's, There's agency stuff, which is usually FIPS, and then there's national security systems, which is DOD, NSA, and other things like that. And it has this whole other, much more restrictive thing, and it's called the CNSA Suite, and this is CNSA 2.0
for the PQ stuff. Um, and it does say they have, they're also on like a, you know, they're under directive of this EO, but it's kind of at the bottom of like, Yes, you, the DoD has to go figure out its own version of doing this EO. It's not like to the letter under the order of this EO. You, you're sort of like, you have to go thing that is appropriate for national security systems that is like compliant with the spirit of this executive order that applies to the agencies. Am I reading that Yes. Um, although I will say that like we, we have been working hand in hand with, with, uh, the national manager on, on those things and stuff. So like there's basically just notes that we're not just throwing them out there with no, uh, collaboration and guidance. So we were absolutely working with them on what this new national security memorandum needed to be and what the CNSS guidance needed to be for, um, uh, for like there were that's harkened to in a couple of different sections. And so, um, like all those are things that will occur and need to occur. Um, And are coming up. So yes, that's basically what's happening is this happened with the first cyber EO and with the AI EO too, where there was, um, a first piece that didn't cover the national security systems and some of the more sensitive national security applications. And then the NSM came out that really covered, um, those things. So requirements for the IC DOD system kind of stuff that, um, and other sensitive systems, um, like classified systems and stuff that are national security systems for agencies. Okay, cool. Um, and one last thing on PQ. Um, within 90 days of this order, the, uh, NIST and the Undersecretary for International Trade, which I'm less familiar with, uh, shall identify and engage foreign governments and industry groups in key countries to encourage their transition to PQ algorithms standardized by NIST.
That's interesting to me, because I know a lot of standards bodies that are independent of, you know, states. Or, you know, countries and, you know, bodies that are, you know, doing cyber or, you know, things like that for, you know, Western allies, um, are already paying attention to the, to these NIST standards and they're saying, yes, we like that one and we, you know, we recommend it to our users or whatever. Um, not, not exclusively, but you know, they'll say, yes, we like. You know, FIPS 203, and we like this other one, like, both of them we, we recommend to, you know, our people that we, um, you know, we serve. Um, this is interesting because it's, it's now transitioning this, uh, this duty to, like, go and advocate, uh, for adoption of these standards. And, I'm I want to see how people react to that kind of overt advocacy because they're already like, not everybody, but there's a lot of people who are like, yes, look, that's good. Like, that's good enough for the U.S. government. It's good enough for me. But if the U.S. government people are going out and saying, hey, come take our stuff. That's different than it just kind of being sitting there and then like being like it's good enough for us It's good enough for the NSA. Like we're fully trusting it. No, no exceptions Then going out and saying please please use our stuff It's also, if it's, if it's NIST, right, like, you know, in the public consciousness, people think of NIST as a really huge organization, and then, like, people who do a lot of cryptography, that, like, the conventional wisdom is that there's, like, three people in a closet doing this at NIST. like does NIST have the capacity to advocate That's For cryptography. So. So NIST doesn't tend to like, uh, like to operate in like, well, they like never operate in a vacuum, uh, really. So like, like just all their processes are really collaborative, but ultimately they do participate in a lot of international standards bodies. Right.
And they go there and they represent, um, USG and like, so that, like, there's some advocacy there. I recognize that it's not there. Right. Wait, maybe they're not there standing with like an American flag and like next and in one hand, in the other hand, the technical standard that they're saying and like, um, but, uh, but instead like being there and making sure that, that, that pushing for like, for standards that we know meet the level of security that we need out there and that need to be adopted across, um, and and, integrated and accounted for as other standards bodies are, um, looking at what needs to be, uh, to be integrated. Um, that is something that NIST, um, kind of already does. It's just in a, like, less boisterous manner than what I was characterizing it as. Um, so I do think that some of it's more just characterized a bit as stuff that NIST already does. Um, but that also things that like, like we're NIST partners with other, um, with other entities in USG like state and stuff to be a part of some of that advocacy. Um, I'm sure like at the root cause of some of this is some concerns, not just about that we have less time than we realize for PQC, we think, or that we're worried we have even less time than we realize. Um, because it's just, it like a decade isn't very long for massive IT modernizations across really like. entrenched sectors that we've seen take a very long time to modernize their tech. Um, So there's that issue. Um, but then also the fact that like we've, we've had issues of standards bodies that we feel are being leveraged for like, um, purposes that we think are counter to like the, to security and other purposes that we want to. So we want things that we, like, we, we trust these standards. We want that, um, these, These incredible standards that were developed with great collaboration with industry and the best experts in the world, um, to be advocated for in the right for us. 
So I think that all those are really at the heart of why that's listed. But for the most part, I think this is, um, it was more meant to be characterized as like business as usual for NIST. in its participation in standards bodies. So but I, I, I take to heart the way, like, like the way that it's perceived in the way that it's worded. So I, I appreciate that. Yeah, no problem. Okay, cool. Thank you. So like some other hits here. Right. So, um, so one thing I brought this up earlier, but one thing that jumped out to me was the, the EDR stuff. Right. So like my immediate thought reading the, you know, all of the agencies will adopt EDR stuff is just the money hats that are being printed. At the EDR vendors, do you have a sense of where the agencies were with EDR adoption before this? Like, what do you think the Delta is going to be there? Is this like a momentous change or is this really just a you know, getting current practice down on paper kind of thing? So it's really pushing, um, there was an initial direct, directive for implementing EDR from the first cyber EO. And honestly, we've, we've made a huge amount of progress there. So most of this is just getting it. Over the finish line and then specifically pushing the access to PAC, um, the persistent access capability program or CISA. Then now that agencies have like, you know, have been implementing these EDR tools, um, which is really great, right? Like we need to know what's on our network and be able to have this capacity for monitoring, et cetera. We now need CISA to be able to conduct their threat hunting activity across the federal civilian enterprise to be able to look for where we have these APT and sophisticated threat actor campaigns that are targeting federal agencies across the whole federal enterprise.
Um, so basically this, that the EDR section, besides just like finishing up the final, the final round of like getting that implementation from the first EO, um, because the first EO wasn't as directive and explicit. This one just sort of codifies like that in a little bit stronger language, but then also really is to build the foundation for, and this is YPAC, um, YPAC needs to be implemented. Um, and then we've got some very specific, um, instructions on implementation there to make sure that the most sensitive forms of data don't ever get compromised and other things. And to make sure that, um, that the right kind like you said, yeah, Okay. All right. So another highlight of this, site. so fraud and account takeover. So there's a whole section here. Um, the, the thing that jumps out to me and the fraud section there is like advocacy for States with like online driver's licenses or things like that. Like some kind of secure digital identity, a shift towards digital identity. How, uh, how optimistic are you about that section of things? When we talk about like fraud, um, and we talk about how this EO is going to like combat like online fraud and things like that. Like There's a sense in which it's like, there's a lot of benefits fraud that you guys have, like, are directly implicated in, right? and then there's like banking fraud, which you guys are not directly implicated in. Like, what's the vision for how you're going at that? That's, it's a super interesting section of the whole year. it, it, sure is. Um, and honestly, this is, this is initial steps and initial building blocks that help to address, uh, the cyber enabled fraud issue. Um, ultimately I, I hope that one day there is a whole of government, bigger picture strategic approach on how to fix the whole. Digital identity issue. And then also the, fraud issue. 
This is, um, again, lessons learned from some of the, like the, the highest impact, lowest cost and burden and like nearest term actions that we can take, um, and, and ultimately identity is a really, I know that I'm setting the backdrop for this more before I get into the specifics, but basically I feel like the backdrop is important to answering your question about how we're getting at this. Um, identity is a really tough issue. Um, it's, uh, you know, yeah. Everybody hates fraud. Nobody likes getting robbed. Um, fraud is nuanced. The kind of fraud, like you were mentioning, that like this doesn't get at every different kind of fraud necessarily. The fixes for business email compromise fraud are different from synthetic identity fraud, different from account takeovers, different from deep fakes. Um, uh, some of deep fakes can potentially be used and all those other ones, but like it's, um, basically the nuance of it. The political lightning rodness that comes from just the term digital identity, um, we were very calibrated and pointed here to try to make it, Um, again, very concrete, specific measures that we feel are nonpartisan and should get a lot of broad support, um, that, that do not try to create a federal identity. Like, let me reinforce not creating a federal identity. Um, we are reinforcing the exact same relationship That the federal government, like, and the states have with Americans by pointing to things like mobile driver's licenses. We're not proposing for that to come to the federal level at all. Um, so basically notes that we're reinforcing that, but, um, in the same way that a lot of the other sections point to changes that we make related to getting access to federal benefits programs. We think driving a marketplace and sending a signal to, like you said, the states and to industry about what is acceptable, about what, um, can and should be used in certain ways. Like in here we're encouraging acceptance. 
So not exclusive or primary use of digital identity documents. Optionality has to exist. In some cases, digital identities are more inclusive and other ways that may not be to a blind person or something like I just, there's like that they solve some problems, create other new ones. That's why it's got to be part of a suite of options, but they should be accepted. We do need the infrastructure to be evolved to be able to accept digital identities, including things like MDLs, as long as they X, as long as they are interoperable with international standards and, and reflect different principles like privacy, preservation and data minimization. Um, so we're, we're trying to be very targeted and clear that like, this is not about state surveillance. This is not about. Okay. Um, the federal government trying to own your identity at all, we're trying to make sure that the right architecture is put in place to allow you to establish greater trust in cyberspace and more securely conduct transactions, um, on either side of the internet. Um, so basically. That's what's there. Um, so with federal benefits programs, um, GAO published a study at the beginning of last year that the federal government loses between, I think it was 250 and 512 billion a year to fraud. That's half a trillion. That's a huge number. That's a huge number. Um, so I don't mind, like, if we're going to start somewhere, um, I don't mind starting with federal benefits programs. That's a very big number. This is a problem. Um, but I do think that the signal that we're sending. To states and others about what it should take to accept these digital identity documents, how we should be building them. That's great because, you know, driver's licenses are accepted in tons of different use cases. So again, we're creating a marketplace for it. 
Attribute validation services, um, we were encouraging in a privacy preserving way to be So that goes beyond benefit stuff that could to be, um, an overall benefit for the ecosystem and for that in broad. I feel like I touched a nerve. I just, so sorry. I wasn't, I wasn't worried about like, I wasn't worried about the federal ID thing. I just want to get rid of my driver's license card out of my I'm sorry. Well, sorry. was great. feel like when, you know, you're right. I was, um, I was assuming, uh, a certain feeling. Sorry. Normally when I talk to cryptography folks, I'm like, Oh, we're very pro privacy. Um, as like, you know, they make sense. Um, but so the, the issue of identity is just a really, it's a really interesting one. So you're right. It's a nerve. It's a, um, it's also just part of the like beating heart of this issue and why it's a really tough one to Um, these steps we could do. Uh, Speaking of the next administration, like, hold on one second. Hold it Before we get there, I got one thing I really want to hit this one. Right. Cause it's, I don't know. So section nine. And the annex of people that you're going after. Like what's the what's so there's a section at the end of this, which is like, you know, people deem, like basically, I don't know, orchestrators of cybercrime, it looks like. It looks like there's a named list of people. So, um, this is the weirdness of. IEEPA. Um, and the way this, sorry, IEEPA is the International Economic Emergency Powers Act, which is the statute from which you get sanctions authorities. Um, basically when you change those, those laws, sorry, those EOs, um, the cleanest way to fix them, especially when it's not just fixing like one clear place, like we don't like doing it, like, When you change law and you have all this like totally incomprehensible, like, Oh, I'll change this word to say this and this word to change to say this, um, that would have been really tough with this.
If you look at the delta between what this version looks like and the old one did. So we just rewrote the whole thing. The annex is actually referring back to the original annex from the first EO. There's not a new annex. to this one. Um, it's just like, it's because basically if we removed that annex, we would be removing those sanctions designations, uh, from the first time and we are not interested in doing that. Those guys are still problems. So, um, it's still that old annex. Um, so there's not new sanctions released with this EO right now. Um, uh, so that's what that's referring to. But the expansion here is really making sure that we can, we can cover a variety of other types of activities. We point to ransomware actors. Um, we make sure that activity. that's captured as part of this is not just about cyber enabled activity. Like if you think about ransomware as a service and you have like specialization, like HR recruiters, negotiators, financial facilitators and money launderers, like guys beyond those creating the exploit kits and doing the recon and actually deploying the malware on network. Like with the way that we had framed some of the wording before, we were like, we were concerned that like, that we, we needed to make sure that we had the flexibility to cover those who are, may not be directly cyber actors, but are. absolutely part of that despicable ecosystem. Uh, we also expanded to make sure that we included that the targeting of allied or partner networks, if they present a threat to US national security and economic security still has to present a threat to us. 
But if the, if the targeting of others networks present a threat to us, because we have, I don't know, like Um, this is me making right now, but like military servicemen and women reliant on, you know, the, the, on the infrastructure of some other service or nation, like we needed that to be able to be captured here as part of the authorities for the secretary of the treasury to be able to designate. to go find a for but, alright, this is a big kettle of fish, there's some real cool stuff in here. You're leaving! You're all leaving! So like, like, how, how confident can we be that this is gonna, gonna have legs and it's gonna be, uh, actually try to, you know, uh, give it, give it a good shake of actually enacting this into with, uh, the next and future who Yeah. this, this EO, this EO really should have ended with the words 1, 2, 3, not it. Yeah. Um, so I'll say first off that EOs take a long time to, uh, to create. um, but I truly though, this, um, The benefit of cyber, um, uh, as, as a domain space is that generally, generally on most aspects of cyber, um, I think that we've really benefited from a huge amount of bipartisan partnership, um, whether it's in legislation, um, uh, that like the creation of CISA, uh, the Cyber and Infrastructure Security Agency or the Office of the National Cyber Director or the critical infrastructure, uh, reporting, um, of cyber incidents, um, like all of these things, um, have All that bipartisan legislation, um, people are targeted on both sides of the aisle. Um, cyber is not an issue. You know, the world isn't getting less digitized either way, neither, neither side of the aisle is saying, you know, what's terrible is cyber. Um, so understanding that we do see these issues as rising above partisan politics. Um, and being something that honestly, the exigency of the threats, like, like these major incidents and these, these are driven from the lessons learned that we've seen, we've identified them. 
We're trying to provide some momentum and set the next, um, the next crew up in, in the best footing to be able to focus on the things that they want to be able to focus on, to be able to keep, to keep track of the threat as it's now currently evolving. These are the lessons learned from the recent incidents. But, um, as, uh, as some of the folks at the NSC like to say, the adversary sets the pace, like, and they are evolving and using a lot of emerging technology to do so. So ultimately, like we. We feel that we've set them up there, um, even the direction of the NSM, which we have underway and are handing over, like, this is, this is all, you know, being part of the, of the transition over to the next crew, um, and ultimately we feel that this is, um, it's more like a baton than it is something that's partisan and, um, and not something that can include, um, really good collaboration with the team. So, um, I'm hopeful, um, I'm hopeful that it's something, uh, that will absolutely continue. Absolutely, I hope you're right. Carole House, outgoing senior person at the NSC, uh, on cybersecurity. Thank you for joining us. Congratulations on this huge achievement. Um, thank you so much. Thomas, you got anything else? No, congratulations. Thank you so really appreciate you being honest. Awesome. this is fantastic. Um, I'm Security Cryptography Whatever is a side project from Deirdre Connolly, Thomas Ptacek, and David Adrian. Our editor is Nettie Smith. You can find the podcast online and the hosts online at durumcrustulum, at tqbf, and at davidcadrian. You can buy merch at merch.securitycryptographywhatever.com. If you like the pod, give us a five star review wherever you rate your favorite podcasts. Thank you for listening!