Cyber warfare and national cyber defense with Jason Healey

Secure Talk Podcast: Jason Healey

Justin Beals: Hello, everybody, and welcome to SecureTalk. We're super glad to have you joining us today. We have another amazing guest in store for us. Today, we're going to be chatting with Jason Healey. Jason is a senior research scholar at Columbia University's School for International and Public Affairs, specializing in cyber risk and conflict.

He has taught and mentored hundreds of students who have gone on to careers at the White House, the finance sectors, civil society and everywhere in between. Jason was a founding member of both the Office of the National Cyber Director at the White House in 2022 and the first cyber command in the world, the Joint Task Force for Computer Network Defense, in 1998, where he was one of the early pioneers of cyber threat intelligence.

He started his career as a U. S. Air Force intelligence officer with jobs at the Pentagon and the National Security Agency. Jason also founded the Incident Response and Cyber Threat Intelligence Capabilities at Goldman Sachs and is a former vice chair of the FS ISAC. Jason, thanks for joining us today.

Jason Healey: Thanks so much for having me here on SecureTalk. 

Justin Beals: That is quite the resume. I have to say, in 1998, I think I was more focused on writing code and drinking beer a little bit. So it's really an amazing background. But of course, we love an origin story, and especially for our audience—early and career listeners.

They love hearing how people have pieced together these amazing journeys. Could you tell us a little bit about how you got started? 

Jason Healey: Yeah, thanks. Right. I had actually been a political scientist, but knew, and, for my undergrad at the Air Force Academy, and was wanted to be a pilot, right? This is near the first top gun days, and as I got in, I realized at best, I'm going to be an average pilot of tanker or transport aircraft, right? I'm just like, I would get airsick, right? This is not going to work, but it was a, but it was the decision that I said that, you know, I'm going to compete for intelligence because I bet I can use my brain.

Like, I'm actually, I think I'm okay thinking about stuff and I knew I loved the technology and I, and, and I see this with so many of my students now of they love the technology. And they love thinking about the implications of the technology and how we deal with it and, and the troubles that it causes on society, but they're not going to be technologists themselves necessarily.

And so that meant, for where  I, the choices available at the time was either going to space, not going to space, but, you know, going, you know, looking at, at space and NRO kinds of stuff or, or getting into cyber. And so I made that decision prior on 94 that, yeah, I wanted to get in the stuff that was.

Maybe just starting to be called, be called cyber then. And the timing was great because the military was just starting to figure this out. Air Force captains like I was at the time happened to be well placed to help tackle a lot of these important issues, um, especially at the NSA and the Pentagon to start saying, all right, how does the Department of Defense as a whole start to tackle these? 

Justin Beals: I mean, certainly there was a lot happening with digital networking, sharing of information. And of course, I probably, you were around for the first time someone mentioned even something called cyber warfare or cyber security broadly, you know,  literally defining that function inside an organization as complicated as the U. S. Air Force. 

Jason Healey: Yeah. And, you know, so if you want to talk origin stories, right? So for me, a lot of the story goes back to the mid, the late 1960s. Not my story, I guess, I guess technically my story, but to me, I love it because it, because it's, it's our field because In the sixties, if computer security was locking the door, right, you had it like your perimeter was an actual perimeter, right?

It was a concrete wall with a locked door. And so as long as you locked the door and you did some per, you know, security for your people that were touching the computer, right?. The defense would, would kind of have the advantage. It may be even the defenders had the supremacy. Because your attack surface was the frickin door!

And one of the, you know, really the founding document of computer security was this document called the Ware Report, that it was the Defense Science Board, originally classified in 1970. Because we literally started to put holes in the perimeter. Like literal holes, right? You had to drill a hole through the wall because you now had a network; you now had remote terminals. And so this founding document of our field said, oh crap, what do we do now that the wall isn't the barrier? Now that anyone who can touch one of these remote access terminals can get in. And basically the report said, yep, can't do it. Can't be done.

Like there's no technology, there's nothing that we have that can secure this stuff. And so really since then, right, for those 50 years. To my mind, right, it's been the, okay, how can we defenders catch up? And then of course, we did the internet, right? Then you're, then it wasn't just the people touching the remote access terminal.

Now is anybody in the world can now get access because we knocked those literal holes in the perimeter. In the sixties and seventies. 

Justin Beals: I can see the tension a little bit, and I'm gonna own, I'm not a deep expert in warfare as a you know, as, as a practice. I don't know how to describe that. Well, I'm just gonna own that. But I can see the tension. 

Jason Healey: Justin, you're not a cyber warrior.

Justin Beals:  I thought everybody . Thanks, Jason. Um, uh, I'm the foible for these things. So, I can see the tension and, and I think we even see it in conflicts that are happening today where. Real time intelligence information is actually much more critical to success than the number of soldiers you have on the battlefield.

Jason Healey: Oh, to some degree. Yes. Right. The,, so much of my job as a practitioner and now more as a scholar, Has been looking  at where are we over hyping and where are we under hyping and we've seen a lot of overhype. You know, for example, the UK was saying, you know, like hey We don't we don't have to really buy as many tanks or tanks because we've got cyber and we've got this other high tech stuff, and we've seen this slosh back and forth and to some degree my own views have sloshed back and forth. You know, but my I wrote this this history, but it's sort of a military history of cyber conflict You 10 years ago and then I was I was more on the hey, we're overhyping.

We're talking about this digital Pearl Harbor which goes back to 1991 when Schwartow first test of you know in testimony to Congress in 1991 talked about electronic Pearl Harbor so right writing in 2011 and saying boy, you know, we haven't you know, we're not really seeing that yet we're Obviously, there are some dynamics we don't understand, but now I feel like it's gone the other way,right? We have folks that are drawn, trying to draw conclusions from Ukraine or the rest and saying like cyber capabilities aren't like that. They don't do the big Pearl Harbor. They're useful, to steal information and to shape the information space, but not really useful on the battlefield or coercion on the rest.

And they have a ton of great evidence for that.   But my concern is, well, all of our evidence. This was substantially drawn when states weren't invading each other for territorial gain. You largely had, you know, even when there were invasions like the United States in Iraq 2003, or I mean, in Azerbaijan, or you know, stuff in Syria, you didn't have two technologically advanced countries and, and they weren't playing for existential stakes, like territorial annexation, like we've seen now with Ukraine.

Like, we're worried about with Iran, like we're worried about, with China,  and so maybe, you know, states might operate differently, cyber might be used in very different and surprising ways, um, and, and I'll just say one last, right, to me as practitioners, right, I just saw it was the, um, it was the anniversary of Nimda this week, and many of your listeners will remember this, this hit one week after, um, 9/11.

And it just took down. It was another one of those worms that were hitting us every quarterback in those days, 25 years ago, 23 years ago. And they would just take down, like, Like substantial portions of the internet a couple of times a year, and so I think for those of us practitioners that lived through that, we know cyber can get a lot worse It can cause these large scale disruptions, even though there wasn't a nation-state anchoring You know nation-state threat actors that were that were conducting it.

Justin Beals: Yeah, I think, you know, certainly, we're seeing some interesting things play out with Ukraine and Russia. You know, it feels like there's still a lot to learn, you know, and notice about what's happening on that particular conflict, and, you know, you and I are going to be a little safe to not get too far out over our skis and some of these discussions because there's a lot of information we don't know. And, and it's, and it's coming to light, and we'll try and, and, 

Jason Healey: and two things on that. Thanks, judge. Thanks for raising. And one, by the way, I'm not a cyber warrior either. Like I was, I was never on the keyboard, right? I was an instant response and intelligence guy. Yeah. You know, policy guy, I was more on the governance and risk side, like, you know, like you, I think.

You know, and Ukraine is very interesting, and we're still working through those lessons, in how much of it was, you know, hard work by the Ukrainian defenders, but especially getting a lot of a ton of outside capability coming in, through places like the CDAC, the cyber defense assistance coalition, for Ukraine, cyber command hunt forward, right.

So how much of those lessons about what Russia was able to, Russia wasn't really incorporating cyber. So, I'm concerned that we might overlearn those lessons. If, you know, for example, China against Taiwan, right? Taiwan might not get that extraordinary out external support. China, the United States, North Korea might have learned the lessons that, Hey, Russia didn't do a good job integrating it.

And we should do, here's how to do better next time. And so hugely thankful that, that Russia and cyber in Ukraine wasn't as bad as we thought. Hugely thankful that it doesn't look like Putin wanted to use his cyber forces to target Europe, you know, like European energy markets, American financial markets.

So fingers crossed, fingers crossed, wouldn't it be great if cyber actually isn't as dangerous in the hands of the state as we would, as we would, as we might fear? I would love that, but it would it would surprise me a bit. 

Justin Beals: It's a very connected world, right? We keep putting more and more critical infrastructure into that, and that creates more and more surface area to secure.

Yeah. You know, you mentioned, and I think this is really intriguing to me, you're a deep expert in cybersecurity policy at a global and national level. That's a unique perspective, Jason. I'm usually concerned about a customer. Yeah. you know, what do you see? What do you see as some of the successes and failures in policymaking around this area?

Jason Healey: Where I've been most, um, excited, is right. So much of my thinking on this Justin goes back to that origin story I told about, right? Defense used to have advantage, maybe even supremacy. And then it started to shift away from that. And so my goal for, I don't know, the last 10 years or so has been, hey, if we're in cyber, like our only goal, I'm kind of exaggerating that, right?If I'm an academic, I've got to speak with precision. You know, if I'm, if I'm on a podcast, I speak with excitement. 

Justin Beals: You're on a podcast. We can be excited 

Jason Healey: So much. Can we what can we do to, shift that, to get the defense advantage at an enterprise? Like you work with, like, what can we do to make sure those defenders have the advantage at the least cost?

But also at the largest scale for cyberspace as a whole, right? How can we shift that back towards what they had in the sixties? So that,, the defenders have the harder time. The defenders are the ones that have the cyber skills gap. The defenders are the ones that are struggling, to achieve their gains, their goals, um, at any kind of reasonable cost.

And it's the defenders that can sit back and say, Oh, this is kind of easy. You know, cause, because what we've had for the last, um, uh, since I would say maybe the, um, certainly the early two thousands. where I'm sorry to use a sports, you know, an American sports analogy here, but, um, where the attackers could use their junior varsity team, you know, I guess for folks in Europe, like this is their under, there's their under 23 squad.

Right. Right. Yeah. And, and for us, we would have to use our main squad. Like we would have to use our varsity team to try and take out their, their, their lesser players. Yeah. Um, and if they come at us with their varsity players, Man, we've got to use our all stars, right? To some degree, that's what we saw with solar winds, right?

You had the super great team with the Russian foreign intelligence that was their varsity team, and thank goodness they tried to take on Mandiant FireEye, because those were our all stars, and if they hadn't gone after our all stars, we would have had a lot more difficulty trying to take them on. And you know, if the, if the attackers bring their all stars, then, you know, God help you, you know what I  mean?

You really, you're going to have a difficult, so I'd love to see that flipped.. Where, where it takes the adversaries to use their all, you know, to use their varsity players, like to use their main players to try and even take down, you know, moderate, you know, moderately capable cyber defenders.

Wouldn't that, wouldn't that be a lovely state of affairs? And we can do it. You know, it's absolutely possible and I'm firmly convinced that we can do this and we can measure the success of it to 

Justin Beals: measurement. That's right up my alley. Jason. Yeah. Um, we have had a lot of discussions about the asymmetry of the power in cyber warfare and one of the I use the sports metaphor a lot of times to and talking to folks where I'm like, look, when you're in an adversarial environment, if you're a see, so if you store critical data, and people are trying to get at it. You're going to lose some games, you know, my favorite soccer team loses some games and it makes me sad, but it, it's something that comes with the territory when you have an adversarial work, you know, we're just doing project management. We're trying to get  something released in a certain period of time, we don't, we deal with our own constructs, you know, as opposed to someone else trying to derail us directly.

You believe it's possible to change this. One of the things I read in some of your work is this tension between availability versus, you know, security, you know, and trying to balance that a little bit. Are there certain things that you think are certain broad decisions that you would make about availability or at least how we approach it?

Jason Healey: You know, where my brain goes most on that is, is, is with cloud, right? It really surprised me in how much when I was working in D. C. That the government folks would say the cloud is great, but In New York, working with great CISOs, Ed Amoroso and Phil Venables, and the conversation would go, well, the cloud is great and we haven't yet begun to see the real gains from security.

Like, it's going to get even better. Because companies were able to substantially trade off their cyber, buy down their cyber security risk, but in exchange they would get vendor risk, which they didn't take care of enough. But also, um, All of us get concentration risk, and so I'm really curious, you know, I'm really interested in how we play that off.

And in a public policy side, right, I can live with concentration risk substantially because the cloud providers have largely been taking, you know, we're you know, broadly more able to To shoulder that risk, but that kind of puts us in this antitrust, like now we've given those that already had power and now they have even more power, and to give another, you know, a strong cybersecurity example of that. The biggest gains that we make in cybersecurity is not at the enterprise level, right? Imagine we invent some amazing new security widget. We've got to buy a billion of them. We've got to deploy them. We've got to integrate them into the environment.

We have to train people. We have to keep it up to date and patched. Even it gave us a perfect security, like that's a lot of work that we have to do. Compare that to what happened with this is work we'd done with our New York cyber task force that looked at how to make a more defensible cyberspace.

The number one innovation that the experts, raised as, as that gave defenders the most advantage over attackers at the largest scale and least cost, Windows Update. But you had this technology innovation. That, that said, all right, we're just going to automatically update and we're going to push it to you.

And they combined that with a process innovation patch Tuesday, right? And this is where you really see the big gains when the lowest cost innovator, in this case, originally it was Microsoft, but, but now it's all vent, you know, now it's all software does the technical innovation. And when we combine it with cool process innovations and the other cool process innovations, you know, after we got hit by the Morris worm in 1986, the Department of Defense said, we need a computer emergency response team.

It's a process innovation. It was a new organization. After Citi got hit by Vladimir Levin for 10 million, Citibank. for 10 million in 1995, they said, we need a chief information security officer. 1998, we said, we need information sharing and analysis centers. We need an attack, uh, you know, an attack framework, a cyber kill chain.

Those are all ideas, organizations, um, and it's so cheap to do that. Look how cheap MITRE ATT& CK, GRC, right? Your whole space is about these, is about these process innovations. 

Justin Beals: And it's going through a deep revolution now too, you know, not just process innovation, but. We're deep into, you know, measuring the data exhaust of control operation for effectiveness, which is pretty wild place to be.

It's just such an immediate measurement and at a precision level cause we're down to, hey, these are the three pieces of data exhaust we expect out of a control operation. 

Jason Healey: That's very cool. And can I, can I just touch on measurement? Because one, when I. One of the me there's one measurement in particular that's really useful at the enterprise level.

But also is easy to aggregate up to the cyberspace as a whole measure. So the, I love it because it helps us look at, um, de offense, defense balance, and that's meantime to detect. Oh yeah. Right. You know, so if you are a board, if you are a ciso right? It's a measurement that you really want. Okay. You know, how long does it take us to detect? How long does it take us to respond? How long does it take us? to contain or to kick or to kick out an adversary that's really useful at the board level. But it, it's also, it's been reported by the Verizon and the Verizon data rich investigation report for like a decade aggregated.

So if we're getting defense better than offense at scale at the entire internet, we would expect to see those detection times go down. And in fact, that's what's happening. Meantime, to detect has dropped over the last 10 ish years from like a couple of hundred days down to 10 or 15 days. And we have that from multiple sources, even when you subtract ransomware, because you might argue that, Hey, well, you would expect shorter detections because ransomware needs to get, get detected or you're not going to get paid.

Mandiant looked and they pulled out ransomware and they said, it goes down. It's gone down even. Even if you you control for ransomware. 

Justin Beals: Yeah, and and broadly like When I worked my first computer science gig was a British telecom and and they were rolling out their global frame Frame Relay Data Network at that time, and  I had a, you know, it was my first gig, professional gig in computer science, no longer just playing around on my old Mac SE, but my boss there taught me something that I will never forget, and I thought it was the worst possible way to think about what we were doing, which was, well, if we didn't get hacked, This year, Justin, then, um, maybe we can cut our budget.

And if we did, then we need more budget. Doesn't feel like a good measurement tactic. 

Jason Healey: If we didn't crash our car, then we should just, yeah, . That's awful.

Justin Beals: Every once in a while, I still see it where, where. A CISO will get fascinated with a cybersecurity tool as opposed to a broad, like, what am I going to measure? How am I going to norm reference the outcomes here? 

Jason Healey: And that's what I love about, uh, about the, these measurement aspects of saying, all right, like that's, that's actually, you know, I said, that's awful.

It's a terrible metric, but  I get why it's a useful metric. And so that, that's  our job as practitioners or  for me now on, on the, you know, as more of a scholar or public policy, you know, as a policymaker, um, to say, all right, That's, that's a useful heuristic for them to reach, reach for. Let's make sure they've got better ones that are close to hand that make sense to them.

And at the White House level, right, we, we never had useful measurements because we never had the president or other senior policymaker give us a goal that was measurable. So our work on this New York cyber task force that said, no, the goal is defensibility. The goal is shifting, from, from offense to defense.

And the White House picked that up, right? They included that in the strategy, and that gives us a measurable goal. Now we can say, all right, other than mean time to detect, what are these other measurements that we can go into? That's going to help us. And that's a subset of the total set of metrics.  Like a lot of the metrics that are out there, um, you know, how many, how many attacks get blocked, right?

Well, that's not, that's not useful. Others are really useful, but they don't have a time series. So we've been going through at Columbia, this was my talk at Black Hat to say, all right, What,  metrics, especially existing, I tend to call them indicators, not metrics because there's no method of there's, there might not be method as much methodology do we have over time that can show us whether or not cyberspace as a whole is getting better, what ought we look for next that can help us know, for example, are we disrupting adversaries at scale?

Justin Beals: Yeah. Do you think that part of that desire to get more precision in analyzing our ability to, you know, deliver on good security is why we're seeing the metastasis, what I call a metastasizing set of like different standards from a dot. You know, some are private. Some are coming from NIST. We just had the two dot O of the CSF standard and a lot of them are really similar.

But you know, as a software engineer, I never wanted to build any project without a framework definition, right? 

It seems like we're leaned in, I think, as at least in the United States, from a private market, capital markets perspective, into saying, yeah, we need to norm reference practices at least and test ourselves against those.

Jason Healey: Yeah, and I'm, I'm hopeful by what I've seen in the US out of the federal government on trying to harmonize these, right? So yeah, we're seeing, we're seeing, you know, the good news is we're seeing framework. The bad news is we're seeing too many frameworks, right? So it's been nice to see. The White House, a lot of your listeners might not know the FCC, the Federal Communications Commission, has been chairing an independent, a forum, a cybersecurity forum of independent and executive branch regulators.

So this is getting the FCC, the SEC, the, you know, all these, CISA, all of these regulators together, to see how they can better harmonize. The White House has been driving this out, the Austin National Cyber Director, um, there's a great bill that's come out of the Senate, on this,, that's, saying, good, we've got to harmonize, not just we have to, but that calls for there to be a committee run by the White House that's going to help bring some more coherence to all these frameworks so that we don't have CPGs and CSFs and NISTs.

And what have you, that they're going to be, should be much more harmonized. So, fingers crossed,  I'm optimistic. 

Justin Beals: Yeah. I went through this in a, in a different, vertical in education, you know, in K 12 in education, everything is standards-driven, right?. And it's, it's a huge set of standards, 50 states times eight different subject areas times 12 different grade levels.

And you have to take everything from like quiz questions to lesson plans to, you know, and then we have standardized testing. So there is some really wonky measurement tools, on the assessment side. And it turned into a really huge computer science problem. It was essentially a data ontology and graphene issue at the day. Yeah. You know, you, you mentioned policies. You worked on the 2023. 

Jason Healey: Can I just say that for a second? 

And that's the reason why I'm, I'm especially when I'm looking at, you know, at my indicators, looking for what we're already capturing,

Like, you know, when I talk about this, people say, Oh, wow, that's gonna be a big data set.

I don't want the data set like Verizon's reporting this. Mandiant is reporting this. Veracode is reporting this. We've got an amazing set of stuff. That we can just look because because at the end of the day, we don't care whether like cyber security has gone from 71. 6 to 78. 2, whatever that means. We want to know it's getting like what's the direction and magnitude of the change?, right? 

Like are students doing better or are students doing worse and at what rate? yeah, if we could do if we could dive in like at an enterprise. You don't want that. Like a CISO wants to see under the hood, but to a large degree for a lot of this stuff, we don't need to see under the hood. We just need to see if three sources are all reporting, it's going in the same direction.

Then we can, then we can give ourselves a thumbs up or thumbs down. I'm sorry. I talked to you there. 

Justin Beals: No, no, that's great. Cause it is about the trend lines, right?  more than anything else. And It's funny. We think of a lot of the data that we read even, I mean, just mathematical information, let alone the standards, outcomes and assessments as being valid in the point of time.

And I'm not necessarily sure that's always true, right? It's more valid from a comparative perspective in where we were and where we're going. So, you know, you worked on the 2023 national cybersecurity policy. I think I'm always interested in how the sausage is made, but I'm, an engineer by trade.

Can you tell us a little bit about how, you know, it's such a massive constituency. How do you, how do you, the people part of this, how does an organization manage the people part competing priorities, what people want to see? 

Jason Healey: So  this is The White House's 2023 national cyber security strategy. It was run from,, the Austin national cyber director. From, my colleague Rob Kanaki, um, and, uh, the principal drafters, Matt Farah and Harry Kreisa. So I, I was, I was associated with that team,  and it was in part driven by the ideas that we had done it at Columbia. One reason I was brought in and it's really because as long as you're just working on the internal draft, it can be, you know, it's a work of love.

It's like all the things that you want to see going in this. As soon as you start submitting the draft, oh, then it's emotion. Like then, now you've got all of these departments and agencies that say, oh, wait a minute, you're calling out their program, but you're not calling out mine. And then it just starts to balloon.

And so what happens with these? is,  there's a lot of homework at the front end. So some of the homework is saying, alright, who has, what has been the smart stuff that's been written by academia, by think tanks,  by, trade associations that have come in and that we want, that we want to look at, that they've said, here's what's wrong and here's, and here are the potential solutions.

For this team coming in for the White House, they had the advantage of the Cyberspace Solarium Commission. Well, Executive Director Mark, who is now at FTD, who did a, you know, they did a, this, they did a great job. The National Cyber Director himself, Chris Inglis, had been one of those commissioners.

So they had this great model of this good set of ideas to tackle, but they also pulled from a lot of other places, again, including our Columbia work. Then there were the official documents. or unofficial documents. Okay, so what did the president campaign on? What did they say? clearly, this was an administration that believed in the positive power of government.

So it's no surprise that we saw words like market failure and regulation in there, you know, more than another administration did. But it goes beyond that. Okay, what was in the national, The national security strategy, which talked about we have a decisive decade here, right? It talks about, you know, it talked about China or Russia in different ways.

And so that has to get, those top-level documents then have to get,  ingested and developed as part of this. Also, this team had to deal with colonial pipelines, solar, right? Of these areas of saying, okay, we had these major incidents and especially for the senior folks, right? Right for the Jake Sullivan's for the for the other folks that in their first months didn't think they'd have to be dealing with cyber and had to deal with cyber like that that leaves scars right for them to say all right. Yes I'm maybe willing to be more risk seeking in this or alternately risk averse, depending on the incident that happened. So all of that comes in as well as the personalities and things that the drafting team themselves want. So for example, Rob Kanaki care,  who is the deputy that was in charge of it, was really interested in things, topics like, um, uh, an insurance backstop for catastrophic cyber losses.

There was a big push that the sector risk management agencies needed to do more. And right. And so the team does that. And the, and the last I'll say, you know, before it goes out for the coordination and all of the horse trading is people shouldn't underestimate effective and even beautiful writing.

Cause a lot of the stuff that went into it,  the drafting team, especially, especially Harry and Matt, were really making sound arguments with good language. You know, it's kind of like if you see someone else's elegant code and you go, oh wow, that's What a great hack, like what a great way of expressing this and it helps you make you feel it's right because it just, it just looks elegant.

And the way that they were able to lay out the arguments in really nice language  just really helps convince people that, okay, these, I can get behind these ideas because this is, this is nicely done. 

Justin Beals: Yeah. I think there's a sense of craftsmanship, right, to pulling together, um, effective communication.

And it's, it's really, I mean, I've worked on consensus based projects in the past where we had to get a lot of opinions and try to boil them in. And  what you find interesting is that. You take in a lot of data, you kind of like, I almost call it, I let it rest in my head. 

Jason Healey: Yeah, yeah, right.

Justin Beals:   I try to find out what the fundamental thing is everybody is trying to say and reflect that.

And it, it breeds some opportunity for, um, some precision in, in the, in the language itself, how we state it. Where people can hear themselves and what their concerns are. But it also is encapsulated enough that they can share it because it's too complicated. Then they can't use the pithy phrase to remind each other of the thing we're trying to do.

Jason Healey: Yeah. I really like that. Yeah. And you know, just having the right handle, what you call something, helps. You know,  there had been quite a bit on, on liability for software manufacturers. In early drafts. And they switched that. It switched from being liability, like we're going to hold you responsible if something goes wrong, to having safe harbors if you're doing the right stuff.

It's the same coin, but it was, it's a, it's a much better way of thinking about it. The last two things, let me mention, is one, there was a lot of outreach. The team did hundreds of outreach, you know, of talking to folks. I was, I'm normally the person that connects policy to hackers. You know, both White House and I'm on the Black Hat and DEF CON review boards.

And one day I was just walking around the camp, the compound in the White House and I see all these, my blue hair friends, you know, with all the sticker, you know, with all the stickers on their laptops. And because there had been an outreach with hackers  and DEF CON and other communities and I didn't even know about it, which was amazing, which was amazing because it was doing that outreach.

The  last I'll say is, people shouldn't overlook the role of budget. It can be easy for folks with a technology background to talk down the people in D. C. that are doing White House policy or policy at these high levels, and they don't come from a computer science background. But one of the big things that made this strategy a success was that the inclusion of folks like,  Drenan Dudley and her team, she was running budget, she used to run Senate appropriate, or she used to be on Senate appropriations.

She's office, she had been office of management and budget. So she was there to help make sure that as the strategy was being written. That there was going to be budget for these priorities, more budget for these priorities and less budget for things that weren't. And so in the previous versions,  the White House, the National Security Council would have maybe six people, total working defense.

So they would do the strategy and then they would think about implementation and budget. Because the National Cyber Director had 70, 80 people, they were able to do that and make sure that the money was included at the same time as the ideas. And that's a, that makes a huge, huge difference. 

Justin Beals: It comes back to the language issue too, right?

Like if we imbue this with jargon and emotionally charged words,  it makes it hard for people to think about, um, I can be a positive part of implementing  this policy, right? Also, you know, they don't look at the more we make people feel stupid, the less they're going to want to get involved in solving the problem, right?

Yeah, that's true. And little small five person engineering teams and at a national policy level, , You know what? Something was new and to some degree, that's 

Jason Healey: Why we're seeing the change in CISOs right where now CISOs are having an upward, you know, having a much more upward responsibility of they need an outward.

They need to understand the business units. And the concerns of the board, because they need to be those stereotypes, they need the narrative, they need to be able to do that trans, that translation. So I'm really glad that you mentioned it that way. I think that's exact, I think that's exactly, um, comparable.

Justin Beals: That's been true throughout my computer science career, right? Like there was a time where I loved like, what package are we doing and how do I do this code? And here's some interesting ways to play with data science. But my job, even before becoming a CEO as a chief technology officer, was a lot about telling stories about architecture in ways that people could understand what the opportunities were like,  and we need to communicate with our business folks to help them understand that the opportunity, the value and, and also so often,  and I impress this upon my engineers at our team, you are innovation drivers. If you are, if you are also aware of what the business is going through and can think about how technology can solve a problem in ways they never considered.

Jason Healey:  Very cool. 

Justin Beals: One of the things that,  was, , I have a quote from, I believe one of your blog posts or a paper that you wrote,, and you state that,  about  the old cyber security policies versus the most recent one is that  the lack of mandatory requirements has resulted in an inadequate and inconsistent outcomes.

And I think we're talking here about the private sector a little bit and that the new policy really, you know, did push that forward some, you know, that where, look, those of us in the private sector need to understand what we are responsible for and the ethics around effective practices. Yeah. 

Jason Healey: Yeah. And the flip side, right?

One of the big things of the new strategy was. Hey, we can no longer put the burden on  the end users, right? Whether, whether that end user is a big bank or a small and medium-sized enterprise, right? We can't keep having these national security impact because somebody clicks on a link, right? And so those who have more burden should  have more power, should take on more responsibility, right?

Whether that's the big platform, but also the U S government. And the US government needs to do a better job. So Rob Kenaki, the deputy who I said was responsible for the draft, he used to call it the, um, the Home Depot doctrine. You can do it. We can help, which I thought was a really, which was a really interesting way of doing it.

So not just regulating, but, but also making sure that the government is stepping up on their side. 

Justin Beals:  I certainly always love when somebody tells me this is the bar you need to meet, you know, it's difficult to go for, well,  I wanted to cover a couple of recent, um, actual hacks or issues that we've had in the marketplace security issues.

One of the things that, especially in reading some of your material, I think about the CrowdStrike issue was this example of monoculture, you know? But the other thing about the CrowdStrike issue is, do you consider it a security issue? It wasn't like a threat actor. I don't believe. From the data I've read, that some threat actor caused an issue as much as we didn't test our code very well before we released it.

Jason Healey: Yeah, I mean, certainly it's security and resilience interwound in that. And it's one of those that I use an example because, again, having the background that I did, right, we're so stamped on our background. And so having gone through that stuff 25 years ago where the internet would routinely go down.

Because we had common mode vulnerabilities, right? Because we had huge parts of the internet that were relying on some component and in every other kind of conflict or crime, right? If you want to hit a million targets, you need a million cars. You need a million getaway cars, right? Um, or you need,  to go in and hit all 1 million.

And as we learned with. you know, with CrowdStrike, with so many of these other incidents, SolarWinds and, and um, and the rest, if we're all dependent on the same,  if the technology that has the same vulnerability, we can all go down at once. And, and so the, to me, this is a big component of, of this offense advantage.

Dan Gere said it best, as he did said it best for so, so many things, is  the more technological a society becomes, the more it depends on distant digital perfection. What a great quote! That we're relying on distant digital perfection and yet a part of that can be looking at,  you know, these common mode vulnerabilities like CrowdStrike or the rest where we're all dependent on the same, same technology, but it goes well beyond that, right? I mean, it goes to the, our concentration risk with the cloud providers. It goes into components, right? It's very practical. 

Whatever level we get at, we just have this complexity that we can't get our heads around. Yeah. you know, where, you know, some chip component manufacturer has, you know, is, you know, goes out of business or has a fire and it. And it, and it cascades through the system. 

Justin Beals: The other thing that I feel about the CrowdStrike issue was, I, I think in some ways, especially in the cybersecurity  product world, we've gone hard at this agent modality of deploying our tools. And I feel like we've abandoned some of the best practices around network segmentation, where we have interfaces that we control who gets access to what.

 Jason Healey: Great point. Great. 

Justin Beals: And then the other issue that, and this is of course emerging, but, um, you know, and so we'll, we'll just focus on the things that,  we know today, but obviously this, um, this attack on Hezbollah with Assad is a real intelligence issue. Any thoughts that you have on how that's emerging?

Jason Healey: Yeah, it's still early days. So as we're recording this, we've only had a couple of days of information. 

Justin Beals: Yes. 

Jason Healey:  And it's, it's been interesting.  So one, I'm, I'm cautious about saying too much cause I'm not an expert on, on many of these issues, but I suspect like many of us in our field, um, we were thrown into the conversation of knowing more about this than many of the people we were around, right.

Whether it's at a family gathering or, you know, for me at Columbia University, right? I'm not an expert in explosives, but I probably know more about supply chain attacks, um, and certainly cyber than many of the other faculty, right? And so, you know, I suspect many of us were thrust into this place of having to say, and for me it was like, yeah, this is cyber because justice seems really, really hard to pull that off.

Yeah. And, but it is a, it is, we do have to be cautious in our field right? Of, of where's that right point between, all right. We  need to step up and say what we think we know to those, um, you know, people that aren't gonna have a chance to talk to, to an IED expert.  Or an EOD expert. Could, we saw like, you know, a lot of people that were, that were showing up on main news sources that were saying this was a cyber attack, that this was zero day, you know, this was a zero day when we didn't have anywhere near that kind of understanding within the first day or two and, you know, without admitting the other possibility, you know, the other possibility. So, you know, it, it does put us semi experts in that tough position of needing to help dehype, but without, you know, making it, making things worse.

Justin Beals: Certainly like ran over a network of some sort, but I do think my take just a couple of days in is that. Yeah. But something about the supply chain of these physical devices, uh, is probably more critical a concern. 

Jason Healey: Yeah. And, and I think it helps us a lot. You know, when, where we as a field can help is, you know, many of the folks that are looking at supply chain as a normal issue, like the logistic specialists that are figuring out how to get stuff that we need from place A to place B, don't think about, you know, How that, that gear could be, uh, you know, dorked in transit.

Yeah. and you know, and we, you know, we're, we've got the security mindset, folks like us, right? We, you know, even if, you know, even if you're doing, I don't mean even if, right, you could take someone that's just doing software security. And that mindset of how something might happen to that software, if you, if they know a little bit about logistics, their mind is going to be able to walk through the program, that process of saying like any process, you know, give us a process and we'll walk through where the vulnerabilities, where someone might be able to gain access to it.

And so I think as we go forward, right, as  there's going to be more attention now on hardware supply chains, right? Good. We've got s bombs and the rest to start thinking in a more disciplined process about software. Now, some of that same thinking that we're good at of how can this happen of people tampering with the physical supply chain, right?

I suspect a lot of the listeners and a lot of the people that have been coming from the cyber backgrounds are going to find themselves leaning over hardware. Towards that space just because we've got a good mindset for it. 

Justin Beals: Yeah. Jason,  it is such a treat to get to talk to experts like yourself. This has been an amazing discussion.

I always learn from it. Um, I'm grateful for your work, both with the U. S. Air Force, National Security Agency and our government in developing, you know, helping, helping team. Us in the field that are trying to implement good security do the best that we can and, and thanks for joining us today. 

Jason Healey: Yeah, great. Thanks a lot, Justin. Thanks to the team from SecureTalk.