Anna Delaney: Hello, thanks for joining us for Proof of Concept, the ISMG talk show where we discuss the cybersecurity and privacy challenges of today and tomorrow with industry leaders, and how we can potentially solve them. I'm Anna Delaney, director of productions, here at ISMG.

Tom Field: I'm Tom Field, I'm senior vice president of editorial at ISMG. Anna Delaney, where in the world are you today?

Anna Delaney: I'm in London, which feels like the Bahamas. Not that I'd know. But it's hot enough to be solving tropical. It's very, very good. We like that summer's here.

Tom Field: That we're finding you at home is news in and of itself.

Anna Delaney: It's dull, really. Because the last time we recorded this, we were both in New York, there for our Northeast Summit. And since then, you've been back to New York to host our Healthcare Summit. How was it for you this time? Anything to report on?

Tom Field: Yes, I was in New York earlier this week for our first Healthcare Security Summit since the fall of 2019. We had robust attendance at the event, excellent speakers. Again, here we are midyear of 2022. Every event is somebody's first event back from the pandemic. So there's that excitement. And we had terrific topics. We certainly talked about cyber insurance. We talked about unique threats to healthcare entities, including, of course, the ransomware surge and documentation of cyberattacks that have resulted in loss of life. And everybody's favorite topic: medical device security. So we had an excellent panel of speakers and sponsors and discussions on our stages throughout the day. I hosted another roundtable discussion on our favorite topic of software supply chain security, just happy to see people again, and kudos to our colleague Marianne McGee for putting together such a lineup of speakers and topics.

Anna Delaney: But on the ransomware threat: I read just today that ransomware attacks on U.S. healthcare organizations increased 94% from 2021 to 2022. And it's worth remembering that just 4 to 7% of the average healthcare provider's annual IT budget is focused on cybersecurity. And that's a pretty gloomy picture, I'd say. Was there any hope that you gained from this event?

Tom Field: About ransomware? Hopefully, the criminals move on to something else. Now, as long as it's successful, it's going to continue to work. And it is successful, because the criminals know they've got the healthcare organizations over a barrel. This is about treating lives and saving lives. And when it comes down to paying a ransom of whatever amount that might be, too often organizations are going to do that and hope that this goes away. Now, we know better. But it's a successful business model. I don't have a lot of hope that that's going to change soon.

Anna Delaney: But in terms of defending ourselves?

Tom Field: There are some positive things happening. I think, certainly in medical device security, I think that the message has come down that security really needs to be built in and embedded from the very start when you're creating these devices. And I think that all the players now understand this and are working together quite well. So I'm encouraged there, and encouraged that you've got healthcare organizations that have come to a higher level of maturity in their security postures and their security leadership. So I think that these shifts are being captained by some smart leaders.

Anna Delaney: And of course, at ISMG we're focused on keeping content relevant and fresh. And for some time now, we've tried to steer clear of terms like "pandemic effect" and "how has COVID impacted your business." But I guess in the healthcare sector, we can't avoid still talking about COVID. How much of COVID was part of the conversations that you had?

Tom Field: Well, it is in some ways, but it's in ways that are related to the ongoing digital transformation. And for many of these healthcare organizations, embarking on robust cloud migration strategies that they hadn't done before, certainly not to this degree. So, there is talk of that. There's talk of the new freedom for healthcare providers, being able to provide remote digital healthcare, and means of securing that. So it's not so much the pandemic impact in terms of, we're not talking about the loss of business because of surgeries that weren't performed. We aren't talking about trying to align this new hybrid workforce. I think we're getting into some more positive, progressive impacts of the pandemic, which is a nice relief, to have these conversations.

Anna Delaney: Yeah, for sure. And of course, we have our Government Summit coming up in Washington. What are you looking forward to?

Tom Field: Going back to Washington, D.C., again, as a similar refrain. It's been two and a half, three years since I've been back there. So going back to D.C., but we've also got some excellent speakers, including some people that we're going to be talking to here before too long, but in addition, we've got speakers from CISA, from the NSA, from the FBI, the Secret Service, from the Department of Defense. So we're going to get into some terrific conversations about critical infrastructure protection, about the nation-state threat landscape, and further repercussions of Russia and Ukraine. We'll talk about ransomware, of course, and I'm looking forward to catching up with some of these government agencies on where they are in conforming with President Biden's 2021 executive order. So there are going to be some fresh conversations about zero trust security, about MFA, and about our favorite, the SBOM (software bill of materials). Could be a terrific event. Looking forward; that will be July 26.

Anna Delaney: Yeah, I, unfortunately, won't be there. But I'll be watching virtually. And yeah, looking forward to that. And of course, you have the CISO of the U.S. Army, which is pretty cool, I think.

Tom Field: The agenda and list of speakers evolves by the hour. It seems that this is going to be a significant event. And I would put that out there to our audience here. This is going to be in Arlington, Virginia. It's an event with free registration; please check out our sites, look at the agenda and the speakers. It's a terrific day to spend among some of the top thought leaders in the industry, talking about the topics that are relevant to everybody in the public and the private sector, topics that we will be talking about over the course of the next year. There's no better way to immerse yourself in topics and speakers than to spend some time at this event. If I might give that little plug.

Anna Delaney: For sure. Well said. Well, let's introduce our first guest. We're delighted to welcome back the exceptional Jeremy Grant, managing director of technology business strategy at Venable. Great to see you, Jeremy.

Jeremy Grant: Great to be here. Thanks again.

Anna Delaney: So Jeremy, it's been an interesting time for anything digital identity, and we saw that the Improving Digital Identity Act was on the agenda for the Committee on Oversight and Reform markup meeting last week. What do we need to know? What's the state been like?

Jeremy Grant: Well, it's been a very lively week, I think, both in the House and the Senate on the digital identity front. So, you know, as backdrop, as we're talking about the pandemic and people, you know, getting out of the house again for the first time and showing up at in-person events: one of the things the U.S. government has been grappling with, I think both with regard to public distribution of benefits and government services, but also the fraud we've seen in the private sector, has been massive fraud that skyrocketed during the pandemic, as organized criminals took advantage of core deficiencies in identity infrastructure to basically spoof people and, you know, claim benefits in their name. And the estimates of the fraud, you know, some say tens of billions, some say hundreds of billions; it's a lot of money. So, you know, with a focus on trying to figure out, well, how do we actually address some of these deficiencies in digital identity infrastructure, there's been a great bipartisan House bill, led by Bill Foster, an Illinois Democrat, and John Katko, a New York Republican, called the Improving Digital Identity Act, that's been out there for a couple of years. Not to get into every detail, but to move legislation through the House, bills get referred to certain committees that have jurisdiction, and it was hard to get the committees of jurisdiction to pay attention to this bill, until recently. And so I think the big news this week was really two things. First, on the Senate side (remember, you've got to pass the bill through the House and the Senate to become law, if you remember your old, you know, civics lessons or Schoolhouse Rock), we saw two senators, Kyrsten Sinema from Arizona, who's a Democrat, teamed up with Senator Cynthia Lummis, a Republican from Wyoming, to introduce a Senate counterpart to that bill. And then on Thursday, July 14, in the House, that same language was marked up in the House Oversight Committee that has jurisdiction. So you're suddenly starting to see some momentum here, where the main committee that needs to move on it has embraced it in the House, and we have a bipartisan bill in the Senate. You know, we don't want to get overly optimistic, just given how hard it is to get something through Congress. But you're starting to see Democrats and Republicans together recognize the importance of action here, and also starting to take some action to actually advance the bills forward.

Anna Delaney: Great, that's good to hear. So talk us through the events of the past couple of years that have led to this breakthrough.

Jeremy Grant: Well, a lot of it, you know, came from, you know, going back to the 2017 Equifax breach. So, you know, we've certainly talked before: one of the projects that we run out of Venable is an industry coalition called the Better Identity Coalition, which arose out of a lot of questions people were asking after that Equifax breach, specifically around how are we going to do digital identity going forward, you know, for leveraging solutions from companies, you know, what people would call knowledge-based verification, where somebody is asking, "Hey Anna Delaney, you say you're Anna, but, you know, what's your mortgage payment? You took out a car loan four years ago with Chase, what are you paying? What street did you live on in 2006?" That was sort of the standard at the time in 2017 for how to figure out who was who online. And you know, the kind of, you know, thing I can say about those knowledge-based systems is they worked for a while, but the attackers caught up with them to the point that most of the banks I work with these days in our coalition say if somebody answers one of those quizzes too quickly and too accurately to sign in, it's probably a fraudster. You know, they kind of have the keys to those answers now. And so it led to, you know, broader questions around how do we figure out who's who online. And I think, you know, at the heart of the coalition's policy blueprint, which was actually published — we're recording this on the 15th — four years ago today, that's a big deal, was this recognition: we need to ultimately close the gap between the credentials the government issues, which are stuck in the paper and plastic world, and the digital world where we're all trying to transact online. That blueprint got a great bipartisan response. It then led to the introduction of a House bill, and now we're starting to see momentum pick up in the Senate and with the committees in the House that matter taking this up.

Anna Delaney: So momentum is picking up. What are we likely to see next?

Jeremy Grant: Well, there's still a few things that have to happen. I will say that the House bill got marked up, but they did not have the final vote on it. Not to get too far in the weeds, but they all had to run from the committee to the full floor of the House to vote on about 600 amendments tied to the National Defense Authorization Act for the year, that basically funds the whole Defense Department. So, they're going to come back and vote on it. And then we're hoping, perhaps in the Senate, we'll see a similar type of markup, you know, perhaps later this month, given some of the momentum we're seeing.

Anna Delaney: Good. Jeremy, just finally, what digital ID trends are you watching elsewhere in the world? What's piqued your interest recently?

Jeremy Grant: You know, I think that the two things that I'm getting asked most about, that people are talking about: one is a topic that I think we've talked about on some other ISMG interviews, which is the passkey announcement from FIDO, where it's, you know, I would say a way to finally address some of the lingering usability concerns around FIDO authentication, which everybody's recognized as sort of the gold standard from a security perspective, but a little bit hard to deploy in terms of, you know, a lot of it involves people managing private keys on our devices, which isn't the easiest thing to do. So the announcement from a couple of months ago that Apple, Google, and Microsoft are all collaborating in the FIDO Alliance to come up with a standardized way to sync your passkeys, your FIDO keys, across devices. Lots of questions about that, you know; I'd say a lot of excitement in industry and governments, but, you know, also questions around how it's going to work. And then I think the other thing is, you know, what we're starting to see, at least in the U.S., with the mobile driver's license, which is starting to get adopted by a handful of states. The early use cases are focused on in-person applications, like what do I do if I'm going through a TSA checkpoint? And could I use my phone instead of my plastic card? But the really interesting ones, getting back to some of the things our identity coalition has been focused on, are how do I use that to prove who I am online, so that instead of, you know, some other product trying to guess who I am, we actually go back to the authoritative source and have a digital counterpart to that physical credential. So some good activity happening there. And I think the next couple of years are going to be lively in that regard.

Anna Delaney: Lovely. Fascinating times. Thank you very much, Jeremy. It's been informative, as always. Tom, over to you.

Tom Field: Well, let's talk with Venable's other Grant. We have got here with us today the former federal CISO and current senior director for cybersecurity at Venable, Grant Schneider. Grant, always a pleasure to see you.

Grant Schneider: Tom, great to be here with you and Anna again.

Tom Field: So following up on what Jeremy Grant was just talking about: the House Appropriations Committee has approved a $417 million budget increase for CISA for 2023. How significant is that? And where do you see these potential funds being distributed?

Grant Schneider: Yeah, it's a significant amount, right? It's a significant amount above what was appropriated in 2022. And then also an even more significant amount above the President's request. And so, you know, it'll be interesting. You know, like Jeremy was discussing the process, there's still a process with the Senate. So, we'll see how these numbers hold in general, but the fact that there's been a lot of bipartisan support for enhancing and increasing CISA's budget is just, you know, a testimony to the understanding of the importance of cybersecurity. You know, some of this is going toward some pretty directed programs inside of CISA. I think one of the questions I have is, how are they going to be able to leverage these funds to support, you know, their various missions around, you know, critical infrastructure in our nation as a whole, but also, from a former government standpoint, you know, how are they going to be able to support departments and agencies that are working to implement the cybersecurity executive order mandates and make enhancements across their cybersecurity? We're not seeing the same types of increases at other agencies that we're seeing at CISA.

Tom Field: And we'll be able to have these conversations with CISA at our upcoming government security events.

Grant Schneider: Yes, we will.

Tom Field: So, I look forward to that. Grant, earlier today, I was talking to an identity vendor, and they mentioned they were going to a county government conference next week where the county government people think MFA is a bad word. So, I'm wondering what they're going to think about SBOM when that gets introduced. As you know, CISA is currently facilitating a series of public listening sessions to build on existing community-led work around the software bill of materials on specific SBOM topics. How do you think these discussions are going? And do you have any concerns about what you've seen or heard so far?

Grant Schneider: So I think the discussions have been productive and informative. I mean, they're exactly that. They're listening sessions; I've sat in a number of them this week. And, you know, the great thing is we're bringing a lot of different people and a lot of different points of view. And CISA has worked to, you know, put some alignment around: when are we talking about how we share and exchange data? When are we going to talk about what this means for cloud service providers? I think what I'm getting out of it is there's a lot of work to be done here. We're still at the early stages on software bill of materials; it's going to be a really important tool. And it's going to be a tool for a variety of different use cases. But most people come at it with their particular use case in mind. And so I think that makes it a bit of a challenge of how you pull the various points of view together, and how do we move forward as an industry. This isn't something that CISA is ultimately going to drive and own, right? They're going to set some requirements, the government will set some requirements, but industry is really going to be at the lead of, you know, herding the other industry cats and making progress here.

Tom Field: So I've been in a lot of discussions with small roundtable groups about software supply chain security. It's clear that organizations of all sizes, all sectors are challenged just to know what they have for code within their organizations. Asset inventory is a huge issue. What's your advice to organizations on where they can just begin to get a better handle on software security and software supply chain security?

Grant Schneider: Yeah, well, your point is well taken. Asset information has been a challenge for IT organizations as long as they've had assets, as best I can tell. I mean, it really comes down to, as much of cybersecurity does, the foundations and the fundamentals. I do think with software security, we're going to need, you know, most organizations can understand what products they have, either through their licensing agreements, or you can have automated tools that will understand those products. The challenge is becoming, and this is where SBOM comes in, the components of those products that you have, and what are they made up of, because even the software that you license, or that you purchase from a vendor, includes open source or modules that are reused for a lot of really good reasons. And that's a good practice that we want to continue to see and encourage, because it drives up efficiency and drives down costs and does a lot of things. But it also creates this unknown of what's really in my package. And more importantly, and we saw this with Log4j, if there's an issue, you know, and you don't know where it is, that issue can suddenly become very wide-ranging, in a lot of different organizations and a lot of different places. And Log4j is kind of the perfect example there.

Tom Field: Grant, my take on this, my simple take, is that SBOM has become like information sharing. Everybody wants to receive information; we're reluctant to give it up. I don't know that we're resolving the mutual benefit here anytime soon. What's your take on SBOM so far?

Grant Schneider: I think the analogy with information sharing is probably really good. Because the other part of it that I would say is it's different for everyone. Some people think SBOM should be public, and, you know, other people are concerned about their intellectual property or the secret sauce in their code, and what those implications may be if it's public, you know, so other people only want to be able to provide them to, you know, people who have acquired their software. So there's a lot of different points of view. We have a long road ahead of us, I think, is my bottom line on SBOM. There's a lot of work to be done. And we're going to need a lot of collaboration and a lot of information sharing to get from point A to point B.

Tom Field: Excellent. Grant, thanks so much. Appreciate it. Anna, back to you.

Anna Delaney: Let's bring the party together. Summer holidays are upon us. Are you taking a break? Where do you go to unwind, to get away from the stress of work? I think, Jeremy, you've got to start us off because you've got a good story.

Jeremy Grant: Yeah, so I got back less than a week ago from two weeks in Portugal. So, well, I will say the plunging euro is making things wonderfully affordable, although probably harder for the Europeans.

Anna Delaney: So Jeremy, did you switch off your phone? Did you avoid taking calls?

Jeremy Grant: It was largely unplugged. So, to be clear, I'm a two-phone kind of guy. I got the party phone — the personal phone — and then I have the one with the work email. And yes, you know, there's no need to mix those two together. So there was a little bit of check-in here and there, deal with a few things. But no, this was a largely blissfully unplugged vacation.

Anna Delaney: Very good. Grant, do you take time out?

Grant Schneider: Yes, actually, the end of the month, or I guess the first week of August, I'm going to spend a week sailing on the Chesapeake Bay with both of my daughters. So looking forward to spending a little bit of time with them and hopefully finding some spots where my cell phone doesn't work, so that I too can unplug.

Anna Delaney: I was going to say that's a very good idea. Lack of Wi-Fi there. Tom, you are also a fan of the water.

Tom Field: Oh, yeah. But I had a big storm hit here yesterday. It knocked out my phone. So all of a sudden my phones weren't working. I didn't have to go anywhere. My break is hanging out with the three of you today.

Anna Delaney: And what's on your summer reading list seller, Bill Gates. Jeremy, do you have a long list that you work through?

Jeremy Grant: Well, I actually needed a new book now because I, you know, plowed through a few of them while I was gone. Sea of Tranquillity by Emily St. John Mandel was a great book. We've done well on the beach last week.

Anna Delaney: Grant, is it fiction? Fact or fiction?

Grant Schneider: Some of both. I need to go through the stack of books in my room and pick a couple to take, so definitely. One that I've always meant to read and haven't is The Old Man and the Sea by Hemingway, so I think that's going to be on my list this summer.
408 00:22:46.210 --> 00:22:50.350 Anna Delaney: Very apt. Tom, that was a big book. Did I spy a 409 00:22:50.000 --> 00:22:53.330 Tom Field: I am revisiting the first Stephen King book I ever 410 00:22:50.350 --> 00:22:50.680 big book? 411 00:22:53.330 --> 00:22:56.360 bought in the fall of 1980, which is Firestarter. And I 412 00:22:56.360 --> 00:22:59.480 haven't read it since the fall of 1980. Give you a sense of how 413 00:22:59.480 --> 00:23:03.470 old this is. When you open it up and says books by, there are 414 00:23:03.470 --> 00:23:04.040 only six. 415 00:23:05.990 --> 00:23:09.980 Anna Delaney: That's awesome. So no cybersecurity reading for you 416 00:23:09.980 --> 00:23:10.580 this summer? 417 00:23:11.390 --> 00:23:12.500 Tom Field: All day, everyday. 418 00:23:14.550 --> 00:23:16.710 Anna Delaney: Well, that's all we have time for. This has been 419 00:23:16.740 --> 00:23:19.470 fascinating and brilliant and an absolute pleasure. Thank you 420 00:23:19.500 --> 00:23:22.800 very much Jeremy Grant and Grant Schneider for your insight and 421 00:23:22.920 --> 00:23:23.940 it's goodbye from us. 422 00:23:24.780 --> 00:23:25.440 Tom Field: Until next time! 423 00:23:25.980 --> 00:23:27.450 Anna Delaney: Until next time! Thank you for watching.