Caveat 11.30.23
Ep 196 | 11.30.23

Critical challenges for critical infrastructure.

Transcript

Nick Sanna: It is not clear in the industry what we're after. Are we trying to have an agreement to have a minimum level of compliance on best practices in cybersecurity, or are we taking a risk-based approach?

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: Today, Ben has the story of a warrantless phone record surveillance program. I explain how reporters from Rolling Stone tracked visitors to Donald Trump's Mar-a-Lago. And later in the show, Nick Sanna of the FAIR Institute and Safe Security is here to discuss challenges the White House faces in attempting to harmonize critical infrastructure regulations. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. [ Music ] All right, Ben, I am going to start things off for us this week. And I have an article from Rolling Stone. This is written by Aram Sinnreich and Jesse Gilbert. And the authors of this article went out and logged in to one of the commonly available data brokers, an organization called Near, N-E-A-R, the opposite of far. And they wanted to see if they could track the comings and goings of public locations or private locations -- locations. And in this case, they chose, wait for it, Mar-a-Lago, Donald Trump's --

Ben Yelin: Fortress?

Dave Bittner: Well, what he -- his fortress of solitude. Yes, what he refers to as his Southern White House and certainly, you know, one of the most well-known locations and residences in the United States, if not the world.

Ben Yelin: Yeah, I mean, subject to Secret Service protection, so.

Dave Bittner: That's right, that's right, it's -- no doubt it is an important place, but also has had controversy for the potential comings and goings of people there, the guests. There's the whole thing with the top-secret documents and all those kinds of things. So it's a place of much interest and intrigue. So the folks at Rolling Stone were curious: what could they find out through run-of-the-mill data brokerage folks? And the answer was a lot. [Laughs] They were able to track using location data, which we've talked about here a lot. You know, the location data that is tracked on all of us through our phones and the apps that we use. They were able to track food delivery workers, mail carriers, guests, all sorts of people coming and going from Mar-a-Lago. Now, to be clear here, there are no accusations of anything being underhanded or, you know, things that should not be happening. But it is interesting that they could track who was coming and going. One of the things that this is able to do is it will tell you who came and went from Mar-a-Lago. But it will also tell you where they spend most of their nights, which means where do they live, where they sleep.

Ben Yelin: And this is all free. I mean, they are not -- they didn't exchange Bitcoin with somebody on the dark web to obtain this data. This is just through a free version of one single data broker's web application.

Dave Bittner: Exactly.

Ben Yelin: So it's very simple. Any idiot, I won't say any idiot, but most people who are mildly technologically savvy would be able to do this if they cared to.

Dave Bittner: Right, like the old saying goes, nothing is foolproof to a talented fool.

Ben Yelin: Right.

Dave Bittner: So they were able to nail down, for example, who were some of the likely visitors to Mar-a-Lago. There was someone, a pastor Abraham Adeyemi, who is a pastor at the Fellowship Baptist Church, which is about 20 minutes from Mar-a-Lago. By Googling some of the locations that came up in this search, they were able to narrow it down that it was probably him. Trump had retweeted a tweet that he had posted that Mr. Adeyemi had posted about a Nigerian pro-Trump parade back in October 2020. So this would be a likely person who would visit Mar-a-Lago, obviously a friend and supporter of former President Trump. So, I mean, it's fun, and it's funny, and, you know, obviously Rolling Stone is a very left-leaning publication. So for them to set their targets on Donald Trump is, you know, wa-wa-wa.

Ben Yelin: Dog bites man news, yeah.

Dave Bittner: Yeah, I mean, there's, you know, take that for what it's worth and all the baggage that comes along with it. But I think this is a fun example, perhaps even a sobering example of how easy it is that anybody -- These authors of this article pointed out, they were -- they're sitting in their living rooms, and they could log on to a free service, put in a location, and track the comings and goings of that location, and narrow down, with very little effort, who the actual people were who were coming and going from that location. So, Mar-a-Lago is one location. Ben, what are some locations of concern?

Ben Yelin: Right, I mean, we're talking about locations that present major national security concerns: the Pentagon, CIA headquarters in Langley, the White House. There are certainly other physical properties that might be subject to this kind of surveillance that might be more serious in terms of national security implications than the former president's residence. Although not to minimize the security interests involved there.

Dave Bittner: Yeah.

Ben Yelin: He is the former president, might be the future president.

Dave Bittner: Yeah.

Ben Yelin: So there's certainly something to worry about there. I think the real takeaway from the story, it's not as much a Donald Trump Mar-a-Lago story as it is about the ease of obtaining this data. And it's not just legitimate actors as they mentioned, like journalists and prosecutors. But if you had blackmailers or foreign intelligence organizations that wanted to obtain this data, they could do so for free, and they could do so easily. They might use it to pester a US official with the threat of releasing information. I mean, maybe not Donald Trump. But let's say some other US politician was having an extramarital affair, and that had been revealed based on free searches of this data, that could be used as blackmail. And that could have national security implications as well. So it is very serious, and, of course, it doesn't only apply to Donald Trump. I think all of us are willingly giving up our location through the thousands of applications that we use. Many of these applications are just Trojan horses for us to share our location data. That data is very valuable. It's purchased. There are a lot of organizations that purchase this data. And any half-witted journalist who is willing to take the time can really learn a lot about a person, about a location based on this freely available data. They mentioned that like flashlight applications, solitaire games, poker games, all things that seem completely innocuous but might be applications that are pure Trojan horses for us to release our data. So I think that's certainly a matter of concern. And whether national security is involved or not, I mean, I think this is clearly a loophole in our privacy legal landscape. The fact that this is so free and easy and the fact that this allows not just journalists, but potentially governments, to spy on us, I think is a cause of great concern. I think it's something that Congress really needs to address.

Dave Bittner: Yeah, but they point out, the authors of this article point out, they say, you know, that they were able to do this using the free version of a single data broker's web app. They write, "Now imagine what a dedicated forensic team could do, working 24/7, with access to the full paid services of every commercial data broker, in addition to all of the other data sources out there, from high-tech hacking to old fashioned surveillance." It really does kind of tighten the holes in the web, you know, that they're able to throw over us to know what we're doing and where we're going. You know, everything from abortion clinics to gay bars, to protests, to meetings with, you know, organizations with special interest groups. All of that stuff is so easy to track now. It's a real problem.

Ben Yelin: It is. The last line of this article says, quote, "every conversation about the future technology needs to begin with someone asking what's the worst that could happen." That I think is the -- that I think is the correct frame of looking at this. Even if the specific results of this exposé might seem funny, I think we just have to think broadly about the implications of having this freely available surveillance. I do think it's incumbent upon all of us to practice the type of privacy hygiene, if you will, in terms of being selective in what applications we use, turning off location services for apps that we don't use, or even for apps that we do use but do not require location services. I think we all just need to be more judicious about this because I think we're just not aware of how much data we're producing simply by virtue of the fact that we have a smartphone.

Dave Bittner: Yeah.

Ben Yelin: And I think to the average person engaging in daily smartphone transactions, that's just not something that crosses their mind. And I think, as a society, we need to change that and just raise awareness of how much information we are voluntarily sharing and how easy that information is to obtain. Now, maybe people don't care about it. I mean, this is something that we've talked about in the past. Like I could get a bullhorn and, you know, go into the middle of Times Square and scream about this all I want. Maybe that's a tradeoff most people are willing to accept to get the benefits of location services. You know, if I want to gamble on FanDuel or whatever, they want to know that I'm in Maryland. That's very useful information for them. They'll probably use it, sell it to a data broker. But I just want to place my sports bet. I'm not thinking about the broader implications of me voluntarily giving them that data. So, it's just everybody should take a pause whenever they download a new application. Think about, is this something I really need? And is this something where the app developer is going to get information about me and about my whereabouts so they can sell and give to data brokers?

Dave Bittner: I don't know if you are old enough to remember the implementation of the Federal Do Not Call List.

Ben Yelin: I'm not that young. I mean, I have some gray hairs on the remaining hairs of my head that I do have.

Dave Bittner: Yeah. Okay. Well, I, yeah, I guess part of why I ask the question that way is that I am old enough that I have lost track of when things happen in my life.

Ben Yelin: There you go. Makes sense.

Dave Bittner: Yeah, that could have been 20 years ago. It could have been last week. I don't know. But the Do Not Call List, which happened back in the days of landlines, was a reaction to the endless number of solicitors calling our homes, interrupting our dinners, you know, all that sort of thing.

Ben Yelin: Back in the day, where the phone rang, and we didn't know who it was.

Dave Bittner: Right, right.

Ben Yelin: It could have been our, you know, grandma wanting to wish us a happy birthday, and it could have been a solicitor.

Dave Bittner: Yeah, we answered the phone.

Ben Yelin: We answered the phone no matter what. That's why it was much easier to do political polls then, because now people are just like, eh, random number, I'm not picking that up.

Dave Bittner: Right.

Ben Yelin: Yeah.

Dave Bittner: So a couple of questions. I mean, would it be possible to have a do not track list? You know, you put yourself on the do not track list, and you say, anything coming from my device is not allowed to be tracked by data brokers.

Ben Yelin: Yeah. I mean, even the most stringent state data privacy laws have not gone that far, although California has come the closest to doing something like that. I think it is certainly feasible where you could have a phone that opts out to all location tracking, except if you explicitly opt-in.

Dave Bittner: Right.

Ben Yelin: That's certainly technologically feasible. And it's something that a state legislature could probably mandate. It's just a question of how much the industry would fight against it and how inconvenient it would be for users who don't care about the privacy of their data and just want to take advantage of the wonderful things that come with tracking our location.

Dave Bittner: Yeah.

Ben Yelin: But if it was really voluntary, I mean, I think this is something like the next version of the CCPA could grapple with where you have a do not -- a do not track device that's kind of the first option when you open up that new device and log in. I mean, now, we could just do that now. We could just turn off all location tracking. That is mostly helpful, although we are still pinging cell phone towers. The government does need a warrant to collect that cell site location information.

Dave Bittner: Right.

Ben Yelin: But, you know, there are ways we could do that now. But I think any affirmative step that gives people more awareness of exactly what they're giving up when they turn on location services I think would be useful.

Dave Bittner: The other thing this article points out is that this is an over-$300-billion-per-year business. That's a lot of money.

Ben Yelin: Yeah.

Dave Bittner: And does that -- I guess, to what degree does that give them political influence and interest in lobbying to maintain the status quo?

Ben Yelin: I mean, a lot. I always think about the tax prep companies. Like, yeah, it's a completely useless industry. In other countries, the equivalents of the IRS just calculate your taxes, you sign it, and submit it.

Dave Bittner: Right.

Ben Yelin: A lot of lawmakers have proposed that our IRS just do that.

Dave Bittner: Yeah.

Ben Yelin: But there is money to be made. There are a lot of accountants out there. A lot of people who work for the tax prep companies who shall remain nameless.

Dave Bittner: Mm-hmm.

Ben Yelin: And it's just become much harder to reform because of those interests there. Now, they don't go in front of Congress and say this would be a bad policy because I will, you know, lose my third vacation house.

Dave Bittner: Right. [Laughs]

Ben Yelin: They'll go up and say we are adding a level of convenience for our customers that wouldn't already exist. And why would you take away that type of consumer choice? And I think that argument is not only legitimate, but I also think it's persuasive in many circumstances.

Dave Bittner: Yeah.

Ben Yelin: So yeah. I mean, being a powerful industry means you have lobbyists. It means that there is a lot at stake in any potential policy change here. And that means there would just be a big fight on the hands of these companies and Congress. I'll also say like me and you talk about this stuff all the time.

Dave Bittner: Yeah.

Ben Yelin: Which means there are a lot of stories like this about how easy it is to collect people's relatively personal data. And I just -- Maybe this is just kind of depressing, but do enough people care? I mean, I feel like we've now had enough opportunities that if people wanted to learn more about this, they could have. And so I'm -- I guess that's a rhetorical question.

Dave Bittner: Mm-hmm. Yeah, learned helplessness, or just, you know, there -- it doesn't rise to the top of the list of things. People throw up their hands, and they say, huh, you know, what am I going to do?

Ben Yelin: Yeah, it's not the end of the world. What do I have to hide?

Dave Bittner: Right. And how does it actually -- I guess, the number of people who get affected by it in their day-to-day is low enough that it doesn't rise.

Ben Yelin: Yeah.

Dave Bittner: Again, I've said it here before, and I'll say it again. You know, it's one thing to have to go after, you know, Donald Trump in kind of a, you know, wink, wink, nudge, nudge kind of way. He's an easy target, right?

Ben Yelin: Right.

Dave Bittner: I'd say a lazy target, right?

Ben Yelin: Yeah.

Dave Bittner: But if somebody did this to Congress and started outing members of Congress and embarrassing members of Congress, I think that's where we would see real change.

Ben Yelin: Not that we're encouraging that.

Dave Bittner: No, but I mean, that's what happened, you know, back in the day with video rentals and library books.

Ben Yelin: Yeah.

Dave Bittner: Same sort of thing happened. They went after members of Congress, and it got clamped down on. So just an idea there, you know, the John Olivers of the world, the rabble-rousers --

Ben Yelin: Yeah, if you have any -- if you need some episode ideas --

Dave Bittner: [Laughing] All right.

Ben Yelin: -- we're happy to be your writers.

Dave Bittner: There you go. All right, that's what I have for us this week. Ben, what do you got for us?

Ben Yelin: So I have an article from WIRED. And this was about a secretive White House surveillance program which gives cops access to trillions of US phone records. If this sounds familiar, it sort of is. We've had a lot of controversy over the past decade from what Edward Snowden revealed was our Call Detail Records Program, where, for national security purposes, we collected nearly all call detail records from most of the major phone companies, kept them in a searchable database so we could perform queries on it.

Dave Bittner: Right.

Ben Yelin: A lot of outrage came out of the revelation of that program. We reformed it. That data was to remain with the telecommunications company. And we would only be able to obtain it as a government with a lawful order from the FISA Court. So that's all in the national security context. That authority is actually expired which is interesting but a little tangential to the story. I think what we weren't keeping track of is how common this is domestically. So there is this little-known surveillance program. It is called DAS, which stands for Data Analytical Services. And it allows federal, state, and local law enforcement to mine the details of our call records who are, these are people who are not suspects of any crime. It may, in fact, include victims of crimes. And they do this through what's called chain analysis. So you are not just targeting an individual phone number or an individual criminal suspect, for example. But then you're going 1, 2 hops down the line, so anyone who called the targeted individual and then anybody who called that target. And when you start to think about, you know, how many phone calls some people make, that ends up being a really significant number of records. So, this program, which used to be known as Hemisphere, is run in coordination with AT&T. They capture and conduct analysis of US call records for state, local, and federal law enforcement agencies. I think kind of largely because of the Snowden disclosures and the controversy over the Call Detail Records program, the previous version of this program was defunded during the Obama years. It was brought back during the Trump years in 2017. Quickly defunded when Biden became President. And then he was like, you know what? Yeah, it might actually be a useful crime-fighting national security tool. Let's bring it back.

Dave Bittner: So he probably got pressure from his agencies to say, hey, this is a tool we need.

Ben Yelin: This is pretty cool, yeah. So our old friend Ron Wyden, who is always on the lookout for pervasive bulk surveillance programs, sent a letter to the Attorney General saying he had serious concerns about the legality of this program. He is not able to divulge all the information about it because it's classified. But he said that this information would justifiably outrage many Americans and other members of Congress. The question is whether all of this is legal. They reached out to AT&T, and a spokesperson declined a request for comment, simply saying that the company is required by laws to comply with lawful subpoenas. It doesn't seem like if we're talking about a vast number of records here, that all of this is pursuant to some subpoena. It seems more bulk and routine than that.

Dave Bittner: Well, and this article talks about how AT&T charges money for this so that -- AT&T has a profit motive here.

Ben Yelin: Right. So yeah, law enforcement agencies are paying AT&T to retain this data. What we don't know is how long they're retaining the data, so how far back the data goes. And then, you know, we just have a lot of unanswered questions of what kind of suspects they're using this authority to target, in what kind of cases they're using it. What are some of the oversight mechanisms? We're really in the dark on all of that. What we do know, based on leaked documents, is that agencies as diverse as the US Postal Service to the New York Department of Corrections participated in training sessions for DAS. Basically an opportunity for law enforcement to say, hey, here's this awesome tool that we have. Do you want to pay AT&T for it? It can be really useful in apprehending criminals.

Dave Bittner: Right.

Ben Yelin: I think, depending on how these subpoenas are structured and whether there are subpoenas, I really do question the legality of this. And I'm concerned about the type of bulk phone metadata collection that we saw with Call Detail Records. And that was -- that really goes against the spirit of the USA Freedom Act, which was passed to reform these practices. Even though this is not wiretapping per se, they're not actually listening in on people's calls, this is just chain analysis, I think it's certainly cause for concern. And I think it's something that the Justice Department needs to provide answers in how they're using this, how local law enforcement is using this, AT&T's role, you know, how this is legal under a bunch of federal statutes, including the Electronic Communications Privacy Act. Now, that act may not apply because the collection here occurs through the telecommunications backbone. Generally, ECPA applies to just information kept with the service providers themselves, not over the infrastructure that supports our telephone networks. I know.

Dave Bittner: [Laughing] So many loopholes. So many loopholes.

Ben Yelin: This is what lawyers are good for. Yeah.

Dave Bittner: [Laughs] So just so I'm crystal clear here. So, after the Snowden revelations, legislation passed on bulk collection.

Ben Yelin: For national security purposes, yes.

Dave Bittner: Right, right. And so what we're saying here is that this program could run afoul of that legislation that was passed post-Snowden.

Ben Yelin: Yeah. So there are two problems with that. One is that that legislation actually expired.

Dave Bittner: Okay.

Ben Yelin: This is one of the weirder things that's happened in the past several years. The House and the Senate passed separate bills to reauthorize the USA Freedom Act and extend it for a number of years.

Dave Bittner: Okay.

Ben Yelin: They happened to do that in March 2020, which was just the worst time to try and reconcile a piece of legislation through Congress since we were all in our houses safely watching Netflix and ordering Amazon delivery services. And so it just kind of never -- they never were able to agree on an extension. It never got reauthorized. And also, I think our national security agencies determined that the program itself, collecting phone records for national security purposes, just really wasn't worth it anymore for a couple of reasons.

Dave Bittner: Oh, right, right, right, right.

Ben Yelin: One is because our targets don't really use telephones as much as they used to in the heyday of Al Qaeda, for example. And if they are using telephones, it's voice over IP, which would require a different legal authority. And the other reason is just the nature of the threats that this program was designed to target. So when we authorized this under the USA Patriot Act in the early 2000s, this was about Al Qaeda, which was really a top-down organization. So, if you could see that person X in the US was calling another person who had been in contact with senior leadership of Al Qaeda, that would be very useful information. But there aren't really those types of centralized terrorism groups, especially in kind of the ISIS age of the past several years and some of the threats that exist now. It's just far more decentralized. So we allowed that authority to lapse. But again, that was in the context of national security. This is -- this program is in the context of law enforcement. I do think it's instructive, though, that Congress registered their objections to a dragnet phone surveillance program that captured phone metadata. And I think what Ron Wyden is trying to do here by sending this letter is saying this goes against the spirit of the reform effort we all undertook to get rid of bulk metadata phone collection.

Dave Bittner: Right.

Ben Yelin: And the fact that this still exists and that we know so little about it, I think, is an affront to that entire effort.

Dave Bittner: So Wyden's letter is basically saying to the DOJ, hey, explain yourself here.

Ben Yelin: Yeah, basically, you know, it's a challenge to the Attorney General to say, I know what's going on with this program. I'm privy to classified information. As a member of various intelligence committees in the Senate, he has access to this information. And I think he's telling Attorney General Garland or Garland's designee to come clean here. Tell us what's going on, how this is being used, release pages of documents related to this project.

Dave Bittner: Now, Wyden's letter -- Let me just get a little, I don't know, gossipy here.

Ben Yelin: Yup.

Dave Bittner: So Wyden's letter to the DOJ is leaked. That's how WIRED gets a hold of it. Do we think Wyden's staff leaked it? You know, I mean, whoops! [Laughing]

Ben Yelin: Yeah.

Dave Bittner: Is that how these sorts of things work?

Ben Yelin: Did I accidentally cc WIRED? What a terrible mistake.

Dave Bittner: [Laughing] Okay.

Ben Yelin: I have no idea --

Dave Bittner: Yeah.

Ben Yelin: -- if it was an earnest mistake.

Dave Bittner: But it's plausible.

Ben Yelin: It's plausible. Yeah. It is plausible.

Dave Bittner: [Laughs] Okay. All right. Well, we will have a link to that story in the show notes. Of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's caveat@n2k.com. [ Music ] Ben, I recently had the pleasure of speaking with Nick Sanna. He is from the FAIR Institute. And he is president of a cyber risk quantification firm called Safe Security. And we're discussing some of the challenges that the White House faces when it comes to harmonizing some of these critical infrastructure regulations. Here's my conversation with Nick Sanna.

Nick Sanna: Yeah. The first thing I would start with is that they had this request for information to see, is this a problem? And from my perspective, especially from the FAIR Institute perspective, it's absolutely a problem. I don't understand why we need to rehash it again. There's been many studies conducted by many institutions that basically have documented that regulatory overlap is causing many CISOs to spend half their time just reporting on regulatory requirements versus actually managing security. So, depending on the organization, again, it varies from between 60 and 70% of the organization. And so that has been widely documented by organizations like, you know, MIT, I've seen article on Fordham Law Review, Bipartisan Policy Center, you know, GAO, you know, General -- Government Accountability Office, and you know, and FEI, and the IRS. I mean, the number of organizations have been saying that regulatory, going to say, harmonization is a must, has been well documented. So we're a bit surprised to see that yet another request for information to explain the problem. I think we need to move forward and start answering some questions: who's going to enforce, you know, that harmonization? And so that's what I think the main subject should be.

Dave Bittner: Can you give us an example of where we're seeing this overlap and the kind of trouble that it introduces?

Nick Sanna: Yeah, both in government and, going to say, and in private entities, you know, a CISO may be subject to multiple regulations for there can be redundant. I know that if I think about the commercial sector as an example, you know, banks have multiple regulators. They need to report to the Federal Reserve and the OCC, so that's Treasury, and then FDIC. And then there's New York, you know, that is requiring some risk assessments to be done. And then State of California and many state requirements. And so you're finding organizations that have like dozens of regulations, oftentimes redundant, slightly different. It keeps, going to say, the teams very busy trying to document the status of affairs versus improving it. Similarly, in government, there's many -- they have many different regulatory agencies asking for different pieces of information. Oftentimes duplicate and re- and redundant in no one way in a setting where, you know, even the -- at the office, at the National Cyber Director. And they're saying that, you know, organizations should be regulated once and respond once and be able to report to many. So that's a nice objective, but it's still not the reality for many organizations on the ground.

Dave Bittner: And when it comes to critical infrastructure, obviously, you know, we're concerned about safety. Are there any incidents here where, beyond just the amount of time that it takes a CISO to deal with all these sorts of things, are there any contradictory regulations or issues along those lines?

Nick Sanna: I think there, the main contradiction, I would say, is that it is not clear in the industry what we're after. Are we trying to have an agreement to have a minimum level of compliance on best practices in cybersecurity? And -- or are we taking a risk-based approach? One is the checklist approach of kind of what you should have implemented, and in critical infrastructure, there are a minimum set of things you need to do. But the question then is, which of the requirements should be prioritized? How much should be invested in meeting those requirements? That's where the risk-based approach comes in. And today, as an industry, we're focused a lot on the checklist approach, which keeps us busy going down the list, giving equal treatment or similar treatment to many security requirements without understanding what really matters most, what is most effective among my best practices where we should pile on and have a more of a defense in depth strategy. You know, no single control is equivalent to another one. And it changes from company, from organization to organization, in different contexts. And so I think that's the biggest disconnect. There are many regulations that say we should take a risk-based approach. But then when the inspector general, in the case of government agencies shows up, they're asking you for a checklist on things like NIST 800-53 or NIST CSF, et cetera.

Dave Bittner: In terms of harmonizing all these regulations, I mean, what sort of challenges is the White House up against here?

Nick Sanna: Well, the first thing is that apparently, every time there's a new regulation, there's no real check on is this regulation overlapping or potentially contradicting. And so, you know, in the cybersecurity strategy the White House just published a couple months ago, they say that, you know, they want to ask agencies to, going to say, to check whether there is an existing regulation before issuing another one on the same topic or a similar topic. But we need to make sure that there's an enforcement there. You know, today, there was a recommendation. Many executive order has spoken about it, but that has not stemmed the problem. I think what needs to happen is for a government body, and we recommended that it's the Office of Management and Budget, you know, OMB at the White House, to come up with a directive that any new regulation must complete an analysis looking for potential overlap and redundancy and to avoid, you know, multiplication of regulation. And I will go to a step forward. I think that to avoid this problem from, you know, continuing to exist, we need to go to root cause and have some more fundamental housecleaning to be done. And our recommendation would be for OMB to help create a database of all regulations starting from federal agencies and then potentially applying, you know, intelligent techniques, maybe AI or maybe a set of people to look to the redundancy and trying to propose harmonization there. It needs to come from a central body. OMB is in a best position to do that. And they can set an example for also state and local, have their own regulation in the private sector. I think that would be a great example to lead the industry in helping reduce the busy work and help companies focus on what matters the most, which is securing environment, you know, versus just checking boxes and demonstrating you're actually doing the work.

Dave Bittner: Why do you think that OMB is the agency to best head this up? There are other agencies out there, like CISA, for example, who specifically work with cyber. What does OMB bring to the table?

Nick Sanna: I think CISA is a good agency as well. But their main focus is to help companies secure their environments from the technical perspective. And so they have become an information sharing, you know, a very, very good information sharing forum and a forum that informs agencies on best practices. But I think OMB is in a particular good situation because, as of today, all regulatory requirements are in some, as much as possible, all the reports from the IGs and the data that is harvested by agency to demonstrate a regulatory requirement may get collected by Homeland Security in CISA but then gets reported to the White House at OMB. So there is a channel today that is existing. We are, you know, our recommendation is don't -- let's not remove the process -- a process that is operating. Let's strengthen it and make it more efficient. So let's create this database. Let's have OMB do a research on which, you know, regulation redundant, try to come up with a rule that every agent should have one all-encompassing regulation, and then enforce it. And I think they're in a best position to have an overarching view across all agents in government to make sure that everybody abides by it.

Dave Bittner: Which industries do you think are facing the most difficulties here?

Nick Sanna: Well, I think the industry that I have in critical infrastructure have the largest number regulation because the strictest one, you know. There are in, for them, it's in some mandates are not recommendation, is a must-do. You must have these controls, and it must be at this level of security. You cannot fail this. And they -- it's not an option, you know? And so -- And these are typically the most strictest control are on top of another. Series of control may apply to all other agencies in, going to say, indiscriminately.

Dave Bittner: What are your recommendations then for a CISO who's trying to keep up with all of these demands? Any tips or words of wisdom here?

Nick Sanna: I think to CISO drowning in this is try to work with your inspector generals as they come and examine. And in many cases, try to come up with a uniform approach. Although many agencies have been asked to try to consolidate their findings and make it compatible with something like NIST -- the NIST Cybersecurity Framework. Be good at that. A central set of requirements be pristine to that and trying to map all the other work to that initial effort so to minimize the disruption. And when they are -- they have a strong understanding that there are some issues that need to require attention, do a risk analysis and show that they're focusing on the biggest bars of risk, on the biggest items that are at risk, versus on less material elements that may check the box and may not be significant in their context. So one, again, pick up one of the regulatory requirement. Be really good at that and show, you know, you are abiding by the spirit of having one regulation done well. And second, on top of it, prioritize also your regulatory work by having a risk assessment to focus -- to show that you focus on what matters most.

Dave Bittner: What do you suppose is a reasonable timeline here for the White House to show some meaningful progress?

Nick Sanna: Listen, if they within -- within this administration, they're able to come out with a directive asking to and mandating, not just recommending, that no new regulation is issued unless a redundancy analysis is made, you know? And second, to create a database of regulation that can be a first step into then harmonizing it. I think that would be a good step. So I think that that sets the timeline. If they were starting the word harmonization, there would be, I would say I would be elated by that. But again, those are the times in government. Sometimes, they don't happen as quickly as you want. [ Music ]

Dave Bittner: Ben, what do you think about this?

Ben Yelin: Yeah, really interesting interview. I think it just gets to the challenge of these CISOs where you have all these cyber incident reporting requirements. Whether it's through the SEC, state governments, there are a lot of sometimes conflicting demands on these CISOs. And I think it's incumbent upon the White House, to the extent that it can, to try and harmonize some of these regulations in order to minimize the disruption on these CISOs, who already have a lot to worry about.

Dave Bittner: Yeah, they certainly do. All right. Well, our thanks to Nick Sanna for joining us. Again, he is with the FAIR Institute and also from the cyber risk quantification firm Safe Security. We do appreciate him taking the time and sharing his expertise. [ Music ] That is our show. We want to thank all of you for listening. A quick reminder that N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. The show is edited by Elliott Peltzman. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening. [ Music ]