Full Transcript:

JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.

JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is and has had a major impact even on some of the legislature that we’ve seen around our industry too as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislature perspective.

JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.

MB: Thanks for having me Jordan, and thanks for your service to the country in the military.

JM: Thank you very much, sir. I appreciate your support.

—

JM: One of the things that I was really interested to talk to you about today and get your thoughts on specifically was, what role do you see Senate and Congress playing in cybersecurity here in the near future? Obviously, I think you were a big proponent of even some of the involvement, the debate that happened over the last couple of administrations. How do you see some of that playing out here in the future?

MB: Ever since the Bush administration, after the 9/11 attacks, there was a focus on cybersecurity. As the threats began to evolve 2004, 2005 there were changes to the way we did intelligence or changes on the outskirts of the cybersecurity. What happens is every time there’s a bill that Congress or the Senate puts forward to try to set up goals for what cybersecurity, cyber resiliency, cyber compliance should look like, they will always be shot down. A lot of times, it was the US Chamber of Commerce that would come in and sit there and say, “You know what? We don’t think that changing the rules by which people play is going to be an effective strategy because the rules change as the threat changes, as the landscape, as the IT develops and evolves.” What’s happened, is the administrations, whether it’s Bush, Obama, Trump where they’ve all come back and they’ve said, “Let’s do it by presidential directive.”

MB: It actually morphed into Obama, the Homeland Security privilege … sorry, cyber resiliency, which I think was the first way they started and they had a presidential directive that basically set up a guideline. Now what’s also happened is that the regulatory agencies, the Securities and Exchange Commission, the CMS, the Office for Privacy and the Health and Human Services, they’d come out with very rigid guidelines as to how do you protect personally identifiable data, how you protect patient health information. They’ve set up all these requirements that really follow the National Institute of Standards and Technology Standards that a lot of people sit there and say, “Okay, this is what we ought to be doing but they’re more advisory at this point in time than actually you have to comply with them.” We’ve seen the goalposts of what constitutes a cyber secure society move as different players get involved if an industry is regulated.

MB: If you went to the library of Congress and when you grabbed into the shelf and wanted the book on cybersecurity and in the United States, you wouldn’t find it. There’s all sorts of different rules and regulations, and therefore you have a different kind of compliance bandwidth on that. Congress and the Senate are trying to wrestle with this all the time. They know the threats and the huge issues as it place to local government but then there’s this big issue that you and I’ve talked about it.

MB: What is the role of government in cybersecurity? Is it a private sector of responsibility and not a government responsibility? It’s two schools of thought. One is, you view cybersecurity as bricks in a wall, and every time a corporation does something that makes us more secure, every time a government agency does something that’s more secure, it builds up the wall of defense.

MB: Therefore, there’s a real role that the private sector needs to take on their own. We should incentivize them to get really serious about cybersecurity. The other school of thought is it really is the government’s responsibility. If God forbid, the Canadians became bellicose and started attacking Plattsburgh, New York right on the border. Certainly, you’d have all of DODs assets coming into Plattsburgh and protecting them. There’s the school of thought that says, “No, no, no, no, no. This is a national security initiative and a priority, and therefore the federal government should be funding, they should be providing expertise and they should be providing monitor and response to any type of cyber incident.” We’re really good. We have not as a country, we’ve really not come to one decision as to how we’re going to handle cybersecurity.

JM: Yeah, I think it’s a fascinating thought that you shared about. If we looked at kinetic warfare, the response is always that the federal government absolutely is responsible, but we see so much happening in the cyber warfare landscape where it is nation-state actors, given attribution is always a challenge in any of these cases, but we do know based on sophistication and even other intelligence mechanisms that we’ve had these kinds of issues. How do we draw that line? How do we find out what is the right response? How much should the federal government be involved? What is their responsibility? I think it’s a challenge in something that we’re going to continue to be working through over the next 5-10 years and the next following administrations too as well.