Navigating cybersecurity's regulatory maze.
Igor Volovich: What we've seen is the regulators are stepping in to fill in the gap that the markets haven't been able to fill themselves. And what I mean by that is neither the individual investors nor the institutional investors have been able to really price in the cost of cyber risk.
Dave Bittner: Hello, everyone and welcome to "Caveat," N2K CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner and joining me is my cohost Ben Yelin from the University of Maryland's Center for Health and Homeland Security. Hey there, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: On today's show, Ben and I discuss the controversial reauthorization of Section 702, and later in the show, Ben's conversation with Igor Volovich, VP of Compliance Strategy at Qmulos. They're talking about the discourse around cybersecurity incidents and the implications under the newly adopted SEC disclosure rules. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. [ Music ] All right, Ben. It's been a busy couple of weeks here with everything around Section 702 of the Foreign Intelligence--
Ben Yelin: It sure has.
Dave Bittner: -Surveillance Act. I mean, it's been a bit of a roller coaster ride, I think it's fair to say. So, that's going to be the focus of our discussion here. Why don't we start off with just a super quick review of what 702 was--
Ben Yelin: Is, yeah.
Dave Bittner: --where it came from, was, is, will be, all that kind of stuff?
Ben Yelin: Well, we'll do our throat clearing. I know we do this every time we talk about Section 702--
Dave Bittner: Yes.
Ben Yelin: -but there could always be somebody who is unfamiliar with it. So--
Dave Bittner: Right.
Ben Yelin: -Section 702 of the Foreign Intelligence Surveillance Amendments Act of 2008 authorizes the collection of the communications of non-U.S. persons, reasonably believed to be outside of the United States, through directives sent to telecommunications companies. That's actually been expanded. One of the controversial elements of the reauthorization which we will get to.
Dave Bittner: Yes.
Ben Yelin: The controversial aspect of this program is that there's incidental collection of communications of U.S. persons, because if U.S. persons are communicating with overseas targets of investigations, those communications are eligible for collection. They are put into a database. And the government can query that database without obtaining a warrant. So, some have alleged that, or a lot of civil libertarians have alleged that this amounts to a backdoor search mechanism. If you can't find evidence that somebody committed a crime through a normal criminal investigation, obtaining a warrant to do wiretapping for example, then you could use the Section 702 database, see if they've been communicating with overseas foreign intelligence targets. And then you can access those communications without a warrant. This program was reauthorized last in 2018, January 2018. It was reauthorized through December 2023. Congress was running out of time in December, so they reauthorized the program through the middle of April. Now, that temporary reauthorization was significant because the way Section 702 works is that it is approved annually by the Foreign Intelligence Surveillance Court. So, the government submits an application to conduct the -- basically the entire Section 702 program, minimization procedures, etcetera. And they just reauthorized Section 701 collection at the beginning of April, meaning this deadline came after that one-year reauthorization from the FISA court. So, at least the thinking was that there wasn't that much urgency to reauthorize the program. Even though its statutory authority was set to expire, the court had approved the federal government's ability to conduct Section 702 searches, queries, etcetera. This became more complicated when a couple of telecommunications companies that remain classified. I don't know who they are.
Dave Bittner: Yes, I haven't seen any -- I haven't seen anyone name them.
Ben Yelin: Yes. They basically came to the government and said, "We are not going to comply with these directives if this program is not reauthorized. We don't care what the FISA court has said, there will no longer be statutory authority for these directives, and we're simply not going to comply." So, I think that added a sense of urgency to come up with a full reauthorization.
Dave Bittner: Help me understand that -- the move from those organizations. I mean, is that them saying -- is that them getting on some sort of moral high horse, or they fear regulatory oversight wouldn't be clear? Like a lack of clarity on what the regulatory regime would be.
Ben Yelin: I think it's both.
Dave Bittner: Yes.
Ben Yelin: I think there is a moral side to it. A lot of companies think that Section 702 is intrusive and that it's -- is corrosive to individual liberty because of these searches done not pursuant to a warrant of a Section 702 database. Since we don't know who the companies are, I mean I can't say for sure that their moral stance is -- actually exists.
Dave Bittner: Sure.
Ben Yelin: There's also the possibility that they're just tired of complying with these directives. And any opportunity for them to push back and say, "We're not going to do this," they're going to take that opportunity. They might also be signaling to the government that, "If you compel us through these directives to divulge these communications, we are going to file a lawsuit. We're going to not do it. Now, you could try and hold us in contempt. That's going to lead to litigation. And probably, you the government, are going to want to avoid that type of litigation. It's going to stop you from being able to engage in counterintelligence activities. It's going to be disruptive." So, I think it was kind of that warning shot saying, "We're not just going to sit back -- just because the FISA court reauthorized this program, we're not just going to sit back and pretend that everything is hunky-dory with that statutory reauthorization."
Dave Bittner: Interesting.
Ben Yelin: So, we got to the beginning of April. There are basically two camps as it relates to the reauthorization of Section 702. And as we've talked about, they don't kind of neatly fall into our normal political divides in this country. There is the pro-civil liberties, kind of the edges of the parties on both the left and the right, who find Section 702 to be overly intrusive on 4th Amendment rights. They introduced and tried to push a version of Section 702 reauthorization that would require the government to obtain a warrant to query the Section 702 databases. This advanced out of the House Judiciary Committee. The House Intelligence Committee advanced a bill that reauthorized Section 702 with some minor reforms, and we'll get to what those reforms are, but without that warrant requirement. Basically, the people in this camp are kind of more what you would call "the establishment," in both parties. Party leadership, and I think that's notable because party leadership is privy to classified briefing. So, they might have a better idea of how we're using Section 702 to obtain valuable intelligence.
Dave Bittner: Right.
Ben Yelin: And then just sort of your defense hawk-minded Democrats and Republicans who believe that we shouldn't handicap our government agencies. That they're trying to protect us, not just from terrorism but from cyberattacks. These two camps are pretty evenly divided. The one concession that Speaker Mike Johnson, who before he was Speaker, he was kind of in the -- that first camp I mentioned. And then he became Speaker and you kind of get absorbed by your position there.
Dave Bittner: Right.
Ben Yelin: And the concession he made is that the program would only be reauthorized for two years. It was originally going to be reauthorized for five years.
Dave Bittner: Oh.
Ben Yelin: In the mind of a lot of Republican legislators, those who are skeptical of Section 702, they think that Donald Trump is going to win in November, and so in their minds, this program is reauthorized until Donald Trump can reform it in 2026--
Dave Bittner: Okay.
Ben Yelin: -I think is their frame of mind on this.
Dave Bittner: And Donald Trump weighed in on this, right? He wanted -- I think he used--
Ben Yelin: Through social.
Dave Bittner: -he said he wanted to kill it. Yes.
Ben Yelin: Yes.
Dave Bittner: He said he wanted to kill it.
Ben Yelin: He said, "Kill the bill." I think--
Dave Bittner: Do we -- why?
Ben Yelin: -for Trump, this comes from a misunderstanding of the authority that was used allegedly to surveil his campaign.
Dave Bittner: Okay.
Ben Yelin: So, he'll say things like, "The government spied on my campaign," which like has a thread of truth to it, even though it's hyperbolic.
Dave Bittner: Right.
Ben Yelin: But that was done through a traditional FISA search. So, the government went to the FISA court to get a warrant to surveil the communications of Carter Page who had previously been on the Trump campaign payroll. And that was part of the Russia, Russia, Russia investigation--
Dave Bittner: Okay.
Ben Yelin: -as Trump calls it.
Dave Bittner: Right.
Ben Yelin: But that wasn't Section 702 that was used to obtain that warrant against Page. In fact, President Trump signed the renewal of Section 702 in 2018 after he was assured at that time that Section 702 had nothing to do with what he alleges is his -- the deep state spying on his campaign, or whatever.
Dave Bittner: Interesting.
Ben Yelin: So, I think it really just comes from that misunderstanding and not really wanting to differentiate between Section 702 which is at issue here, and traditional FISA warrants, which was an issue with Carter Page.
Dave Bittner: Well, but misunderstanding or not, his influence is substantial.
Ben Yelin: Yes. I mean there are a lot of Republican members in Congress who will do whatever Donald Trump tells them to do. Now, a lot of them were skeptical of Section 702 before Trump weighed in on the subject, and I think that place -- that comes from a place of deep conviction and skepticism against the government, but certainly Trump weighing in I think could have been a decisive factor.
Dave Bittner: Well, it certainly provides cover for them.
Ben Yelin: Totally.
Dave Bittner: Yes.
Ben Yelin: What always happens with Section 702, I think this is a very important context, is the executive branch comes in and says, "This is the crown jewel of our national intelligence apparatus. We are going to miss out on a lot of critical information to stop cyber incidents, to stop terrorist attacks, if this authority is allowed to expire," and that came with increased urgency once these companies that we referenced started to make threats that they weren't going to comply with these directives. So, with that sense of urgency, the House first took up the reauthorization bill. They ended up passing it by a relatively substantial margin with both Republicans and Democrats in support, and both Republicans and Democrats in opposition. The made-for-TV or made-for-House-of-Cards or whatever moment was a proposed amendment that would impose a warrant requirement on queries of Section 702 databases. This came down to the wire. The Biden administration was lobbying like crazy against this amendment, but it was supported wholeheartedly by many Republicans and Democrats who think that Section 702 can't continue if it's going to allow these types of backdoor searches. And that amendment was defeated on a tied vote. It was 212 to 212. Now, unlike we say in baseball, "Tie goes to the runner," in the House, tied means "doesn't pass."
Dave Bittner: Okay.
Ben Yelin: So, this amendment was not agreed to. I was watching the vote live, and you could see some of the lobbying happening on the floor with members who hadn't yet voted. There was legitimately a lot of suspense. So, if you're a huge nerd like I am, I think it was particularly exciting.
Dave Bittner: Had your big bucket of popcorn.
Ben Yelin: Totally, yes. Most people are watching, you know, gripping action movies on your average Thursday evening. I was tuned into CSPAN.
Dave Bittner: Well, FBI Director Wray, you know, to this point about the warrant requirement, he said to Congress last month, I want to quote him here, he said, "Failure to reauthorize 702 or gutting it with some kind of new warrant requirement, would be dangerous and put American lives at risk." I think that's an interesting framing, referring to a warrant requirement as gutting it.
Ben Yelin: Yes. You know what? And this is a point that I was going to get to, I want to be very careful here. I'm not privy. I don't have a security clearance myself. So, there's--
Dave Bittner: Yes.
Ben Yelin: -a lot of information that I don't know. Sometimes I have students who do have security clearances like kind of wink and nod at me about this.
Dave Bittner: Oh, interesting.
Ben Yelin: I don't understand the steadfast opposition in the administration to this warrant requirement.
Dave Bittner: Okay.
Ben Yelin: First of all, there would be a lot of exceptions to obtaining a warrant. For example, in exigent circumstances or if it was the victim of some type of cyber incident that was seeking information, then a warrant would not be required. Any incident where there was impending physical violence, that wouldn't require a warrant. So, with all of those exceptions, I don't know why the government was so adamantly resistant to obtaining a warrant prior to searching these databases. I don't get it. That warrant is already required for previously predicated criminal investigations. So, why do people who are under a previously predicated criminal investigation get more rights than average Americans whose communications have been captured into the Section 702 database? Seemingly, the reason why this warrant requirement is so offensive to Director Wray and other members of the administration baffles me. I don't know why they are so adamantly in opposition. I'm sure a lot of our listeners at the NSA and other agencies are, you know, banging their hand on the table saying, "You don't get it. You don't see what I see."
Dave Bittner: Right.
Ben Yelin: And I am 100% sympathetic to that viewpoint. From what I can tell, I just don't understand that steadfast opposition.
Dave Bittner: Yes. That's interesting. Well, I mean, also we have to put Director Wray's comments in the context that the FISA court back in 2022 found that the FBI was misusing their authority, right?
Ben Yelin: Yes, they--
Dave Bittner: I'm looking at reporting from the Washington Post, 278,000 times between 2020 and 2021, they had, I guess gone too far in their access to this information, according to the FISA court?
Ben Yelin: Yes. The FISA court pointed out all these incidents where they were surveilling Black Lives Matter protesters, January 6 protesters, without any connection to foreign targets. Section 702 had been used to surveil members of Congress. There were all of these compliance problems. Now, the FBI would say, "Since then, since that was released, we've solved those compliance problems." That remains to be seen. The opinions that the FISA court issues that reauthorize Section 702 annually are always released kind of two or three years after they've been drafted, just because of the amount of classified information contained therein.
Dave Bittner: I see.
Ben Yelin: And there's a long redaction process.
Dave Bittner: Right.
Ben Yelin: So, I don't know that we have any proof at this point that those problems have been solved. Now, to Congress's credit, I guess, as part of this reauthorization, there are some minor changes that have been made to the program. There are some statutory limits on querying some of these discrete pieces of communication. So, for one, FBI personnel cannot make U.S. person search queries without prior approval from career FBI supervisors or attorneys. And there are exceptions to that requirement if there's a threat to life or bodily harm. The FBI Director or Deputy Director has to approve certain politically sensitive query terms, such as those that identify elected and appointed officials. I think that was put in there by Republicans who remain very angry.
Dave Bittner: Right, what we talked about with President Trump.
Ben Yelin: Exactly.
Dave Bittner: Yes, yes.
Ben Yelin: A prohibition on the involvement of political appointees in the approval process for politically sensitive search queries. And then establishing consequences for agents who query U.S. person terms. And there is now zero tolerance for willful misconduct. All of those things are interesting, but they rely on internal enforcement mechanisms. Ultimately, the FISA court will now have to take all of this under consideration when they are tasked with approving Section 702 for 2025, 2026, etcetera, but they're going to have to rely on the attestations of these federal agencies.
Dave Bittner: Interesting.
Ben Yelin: So, the last step was the United States Senate. This went to the Senate on Friday evening, and I stayed up way past my bedtime because we did not have a resolution to Section 702. The Senate has a bunch of arcane rules that allow individual Senators to delay proceedings, and a bunch of individual Senators were threatening to delay proceedings unless they got votes on their amendments. One of those amendments, authored by Senator Durbin, the Majority Whip Democrat from Illinois, would have brought this warrant requirement. It was identical -- largely identical to the House amendment. He was allowed to present that amendment. There was a vote. That amendment failed by a relatively narrow margin. There were a few other amendments, including one by Senator Lee who's a major Republican from Utah, a major opponent of Section 702. And Senator Rand Paul who tried to tack on the "Don't Sell Our Data Act," a separately passed House bill that would limit the ability of government agencies to purchase data from data brokers. He tried to glom that onto the Section 702 bill. That failed. All of the amendments ended up failing. And after midnight last Friday, the Senate voted to ratify the reauthorization of Section 702. It went to the President's desk, and he signed it over the weekend. So, the saga for the time being of Section 702 has now concluded, and we'll be right back at this in two years.
Dave Bittner: So, there were some other changes here. I don't know if we'd describe them as settled or not, but there was an expansion of who 702 applies to?
Ben Yelin: Yes. So, this is the other thing I really wanted to discuss. There was an amendment introduced by the Chair and Ranking Member of the House Intelligence Committee that would expand the universe of entities subject to Section 702 directives. As currently drafted, Section 702 applies to communications providers. There was some entity that wasn't neatly defined as a communications provider that the government had sent a directive to. We don't know who this entity is, exactly what they are, that's all classified.
Dave Bittner: Right.
Ben Yelin: That went in front of the FISA court. The FISA court said, "There's too much ambiguity in this statute. This is not a communications provider. Therefore, they cannot be compelled to hand over these communications." That went up to the rarely used FISA court of review, the appeals court, and the appeals court said the same thing, that there's a pretty narrow definition of what a communications provider is in the statute, and whatever this entity was, is not actually a provider. So, the House Intelligence Committee Amendment, which was adopted, expands the definition of entities required to provide data beyond traditional telecom companies to any business that maintains communications equipment. The intention of this amendment is that it apply to cloud storage centers.
Dave Bittner: Right, right.
Ben Yelin: And that's what the Chair and Ranking Member of the Intelligence Committee argued on the House floor that basically this was a narrow, clarifying amendment to make sure that we're not shut out of cloud computing centers because it doesn't narrowly meet this definition of a traditional telecom company, or communications provider. A bunch of activists, including very well-respected ones from the Brennan Center, for example, were very concerned about the addition of this provision because they thought it might allow the government to ask janitors who have access to servers or other individuals who have physical access to computer systems, it would allow the government to compel those people to obtain communications, hand them over to the government to go into the Section 702 database. And this obviously to them was unacceptable. What the House members who proposed this amendment said is this amendment is clarifying in nature. It would do no such thing. There's never been an instance where the government has attempted to obtain communications from somebody who had incidental contact with some type of computer system. So, they've never before asked the janitor who works at, you know, works in the giant server room to go in and rearrange the wires to obtain some data. That's never happened.
Dave Bittner: Okay.
Ben Yelin: It's entirely hypothetical.
Dave Bittner: Yes. And it sounds like an extreme hypothetical.
Ben Yelin: It is, yes. You know, I think the concern here is that you are authorizing that type of collection by expanding the definition. So, there is always that danger. And I think it's potentially ripe for abuse.
Dave Bittner: Yes.
Ben Yelin: My personal opinion is I think this danger is a little bit overstated. I definitely understand the concern, but I think the amendment -- if you believe in Section 702 as an effective counter-intelligence tool is important in that a lot of communications are stored in these cloud computing facilities. If we want to obtain that intelligence, we do have to expand this definition. And that's what happened.
Dave Bittner: Yes. I guess my initial reaction to expanding this to cloud data storage centers was skeptical in thinking that -- I think of a communications provider as someone who is dealing with information that is in transit.
Ben Yelin: Right.
Dave Bittner: Right? And a cloud storage center is--
Ben Yelin: Now, we're at rest.
Dave Bittner: -more data that's at rest. And so, the capturing of this data would be while it was in transit. But I suppose that's not really the case. In other words, if -- now, let's say the FBI goes to a communications company and says, "We want all of the text messages of, you know, between so-and-so and so-and-so." And well, at the moment, that information is at rest. It's not actively in transit. So, I guess it's a -- it could be a distinction without a difference.
Ben Yelin: I think if you understand the amendment narrowly--
Dave Bittner: Yes.
Ben Yelin: -with the interpretation that you just gave, I think it makes sense in that context.
Dave Bittner: Okay.
Ben Yelin: Why should intelligence agencies be concerned about where the data lies, whether it's in transit or at rest? And it doesn't really make that much of a difference from a 4th Amendment constitutional perspective. It's somebody's data. Whether it's in transit or at rest, I think kind of the same constitutional considerations apply.
Dave Bittner: Okay.
Ben Yelin: I think what was controversial is how this provision could have been read more broadly to include the janitors. And I use janitors as kind of the silly example, because that's what the respected advocates were saying. I mean, they use janitors as kind of the most ridiculous example of somebody who had access to these facilities, being asked to or compelled to supply data. I don't think it would only apply to janitors. I mean, it could be to contractors who happen to have access. But, yes, I mean I think that that's sort of a parade of horribles to -- that to me seems relatively unlikely.
Dave Bittner: So, is the idea here that the actual service providers may be unaware of the collection of data themselves if a -- for example, a third party that had access to that data were compelled to provide the access, rather than the data provider themselves. Is that the fear?
Ben Yelin: Yes. I think that's the fear. I just also think the fear is that you're expanding the potential universe of communications that could be divulged under Section 702.
Dave Bittner: Right.
Ben Yelin: I mean, the fact that it was limited to communications providers, and that was a specific enough definition that when the FISA court was presented with whatever counter-example they were presented with, they put a stop to it, I think in the mind of -- in the minds of civil libertarians, they would say, "Why would we not want to have that as a limiting factor on Section 702 collection? Let's cut down on -- and we can admit that this is an effective counter-intelligence tool, but let's try to eliminate the opportunities that this tool could be abused." And the way they see it, we are now widening the opportunity for this authority to be abused.
Dave Bittner: I see. So, can we look a little bit into the future here? I mean I suppose -- let's start with the really high-level stuff here. Suppose President Biden gets reelected. We imagine he will be hands-off on this, right?
Ben Yelin: Yes. I think he supports Section 702. He's deferring to his FBI Director, the Department of Justice.
Dave Bittner: Right.
Ben Yelin: I didn't see any real passion from him. I don't think this is something that he cares deeply about.
Dave Bittner: Yes.
Ben Yelin: But, yes. I think he would support the status quo of Section 702 without a warrant requirement, if he were reelected.
Dave Bittner: And suppose the opposite happens and former President Trump gets reelected, and he's expressed his disdain for this. What options are at his disposal to make change here?
Ben Yelin: So, there really aren't any options until April of 2026. So, he'd go a year with having this authority in place, unless he went to Congress and asked them to rescind this authority, which they probably wouldn't do.
Dave Bittner: Okay.
Ben Yelin: In 2026, he would have some leverage, but again I'll note this exact same thing happened at the end of 2017, beginning of 2018, where Section 702 was up for reauthorization. He tweeted the morning that it was going to come up for a vote in the House, "This was the program used to spy on me and my campaign by Obama and the deep state," or whatever.
Dave Bittner: Right.
Ben Yelin: Then Paul Ryan, the then-House Speaker, called Trump and explained to him what Section 702 was, and an hour later, he tweeted, "You know, it's actually all right. They can vote for this because Section 702 is about protecting us from bad terrorists who live in foreign countries."
Dave Bittner: I see.
Ben Yelin: I think kind of the same thing would happen. And who knows what his personnel is going to be like in his second term--
Dave Bittner: Right.
Ben Yelin: -but it's possible that he would be talked into extending this program, especially when he has control over how it's operated as President of the United States.
Dave Bittner: Right.
Ben Yelin: So, I wouldn't say it's necessarily dead just because Trump got reelected.
Dave Bittner: So, we've got two years until this comes up again. What do you suppose the lobbying, the jockeying for position is going to look like over these next two years?
Ben Yelin: It's so funny because so much of the jockeying and lobbying shows up right before the deadline. I think activists and stakeholders know that Congress will wait till the last possible moment--
Dave Bittner: I see.
Ben Yelin: -before they reauthorize something controversial--
Dave Bittner: Right.
Ben Yelin: -just because it really takes a lot of effort. I mean, it took a lot of effort this time to get this across the finish line. So, I wouldn't be surprised if there's kind of a lull in Section 702 advocacy for a while. There will still be, you know, calls, petitions by the Electronic Frontier Foundation, you know, "Repeal the reauthorization of Section 702." We'll still see that, but I think in terms of being in the national conversation, we might get a well-deserved break from discussing Section 702. A couple of wildcards is there have been a couple of court cases related to Section 702 collection. Largely, it's criminal defendants where some element of evidence that was used to prosecute them was derived from Section 702. So far, every court that's reviewed these types of cases has upheld Section 702 on constitutional grounds. But if that were not to be the case in some future proceeding, then I think we'd have another conversation about Section 702, especially if it went up to the United States Supreme Court. I don't anticipate that happening. The legal reasoning of these cases, at least to me, seems pretty sound in that this is incidental collection. We allow incidental overhear. For example, if the government obtained a warrant to tap the phones of some mob member, and the guy on the other end of the call happened to say something incriminating, you wouldn't need a separate warrant to get information on that second guy, right?
Dave Bittner: Right.
Ben Yelin: So, I think they've analogized that to what's going on here. The original surveillance is duly authorized through Section 702, approved by the FISA court with minimization procedures. So, if incidentally an American is communicating with that lawful target, that's eligible for collection under incidental overhear.
Dave Bittner: Yes. Do you think we'll be able to resist talking about it for two years, Ben?
Ben Yelin: I don't know. I feel like somehow it's got to pop up.
Dave Bittner: Right.
Ben Yelin: I wish somebody -- maybe one of our superfans can do a search of our episodes to see how many times we've talked about Section 702, because--
Dave Bittner: Oh my, yes.
Ben Yelin: -it's one of our most common topics of conversation--
Dave Bittner: Yes.
Ben Yelin: -and I -- part of me feels sort of sad that this issue at least temporarily is going to be going away for us. I'm going to have 702 withdrawal.
Dave Bittner: Okay. Well, poor baby. Well, we'll hang in there. Please send your cards and letters to Ben as he mourns the loss of 702 as a topic of discussion. All right, well we will have a link in the show notes to coverage from the Washington Post here, which is quite good, about the details of this. So, if you want to dig into some of the details here, you'll find that link in the show notes. And of course, we would like to hear from you. If there's something you would like us to discuss on the show, you can email us. It's caveat@n2k.com. [ Music ] Ben, you recently spoke with Igor Volovich who is VP of Compliance Strategy at a company called Qmulos. And your conversation centered around some of the discourse around cybersecurity incidents and implications under these newly adopted SEC disclosure rules. Here's Ben speaking with Igor Volovich. [ Music ]
Ben Yelin: So, Igor, I want to start very high level. I think most of our listeners know what happens with a Microsoft breach, but can you kind of go over the history of the past several months as it relates to SEC filings and what's happened with Microsoft and its compliance efforts with these reporting requirements?
Igor Volovich: Well, let's start with a -- start at the top. So, of course, what Microsoft called "a cascade of avoidable errors" allowed the penetration of their networks. And of course, the email accounts of some U.S. officials. Anytime this happens, there are questions being asked. And of course, folks go to testify on the Hill, and I'm here in D.C., so I do hear a lot of these things, you know, as they happen. I recently went to a conference on the law and compliance that was in the cyber sphere, and it was 50 lawyers and dear old me. And--
Ben Yelin: Sounds like a nightmare to me, as a lawyer. Yes.
Igor Volovich: I love those conferences because you know, all good tech people, they want to talk about the tech. Right? Technologists, that's what they want to do, and I'm fond of saying, architects architect, engineers engineer, and security guys want to do security stuff. And having that other perspective is really good because well, we want to talk about risk. I want to talk about risk. Talking about technology is not necessarily, you know, the path to glory because we've been doing that for the last 30-odd years and we're still getting breached. So, on the SEC front, I think what we've seen is the regulators are stepping in to fill in the gap that the markets haven't been able to fill themselves. And what I mean by that is neither the individual investors, nor the institutional investors have been able to really price in the cost of cyber risk. And we've seen some stock drops here and there, you know, when the breach was announced, but they usually bounce back. You know, when TJ Maxx happened years and years ago, we all watched that, kind of biting our nails and going, "Oh, my God. Maybe the stock will drop?" And people finally started investing into cyber security, and it kind of didn't happen. The stock bounced back and everybody kind of went back to doing what they were doing. And as the breaches got more frequent and they got more severe, and the scale and the blast rate of these events has grown tremendously, what we've seen is, you know, we invest more. Every year we spend more on cyber, but yet we're still getting the most breaches we ever had. And what gives, right? So, something's got to change. And I think what we've seen historically is that there haven't been enough incentives built into our cyber security risk management models, certainly at the enterprise scale to really incentivize good behavior, to drive good investment, to drive smart investment, strategic investment, to really build security into the business.
Not treat it as kind of a bolt-on or an afterthought. And again, the regulators are coming in and saying, "Look, you guys have been reporting great compliance posture. You know, everything's hunky-dory. All the controls are in place. And then yet, you're getting breached." So, either compliance -- the attack on compliance apparatus is meaningless, or you've been lying about things. So, which is it, right? And they're asking the hard questions now. So, I think that's -- that's the emergent thing that we're seeing.
Ben Yelin: Do you think the SEC has optimized things in terms of creating these incentives, or do you think they could go further?
Igor Volovich: Well, optimized is an interesting word. It depends on how you define optimization, right? I think they've taken a great, big leap forward. They've been announcing it. I mean, this isn't exactly a surprise. They've been talking about it forever. They've been signaling that this is going to happen. And then, finally came out with a rule, right? So, now you have four days after you have determined you had a breach in the material, to file your 8K. And folks were freaking out about that. You know, what if I -- you know, if it takes me days and days and days or months to figure out if it was material or not, right? And the SEC came back and said, "Look, we're being very clear on this. We want transparency. We want disclosure. We also don't want you to impact anything, you know -- any confidentiality. We don't want you to hamper your own response efforts. Obviously, you know, don't go out there and notify the attacking entity that, you know, they've actually succeeded--
Ben Yelin: Bare all our weaknesses, yes.
Igor Volovich: -yes, right. We don't want that. But the SEC is saying, "Look, the investors need to know." And as they spoke at this conference, we had David Hirsch [phonetic] at this conference I was at, and I actually spoke at in D.C. And David said, "Look, we're a disclosure first agency." Just when you think about what we're trying to accomplish here, disclosure is transparency. It's accountability. We want the investors to know what's going on. And cyber security, that is a component of business risk. So, we need to consider that as we make our investment decisions. And from a regulatory perspective, they want to encourage more transparency, more accountability. I mean, you know, sunlight is the best disinfectant, as they say, and I think we've seen some obfuscation of people hiding behind the complexity of cybersecurity and saying, "Well, you know, we just don't know what we don't know," right? And the SEC is saying, you know, "Bollocks to that." Right? We want you to know, you have to know. This is your job to know, you know, this idea of this plausible deniability. You know, "It's just too complex. We have no idea." No, it's your job to [inaudible 00:37:06], right? So, as soon as you know you've got a breach on your hands, then you go and determine what's your reality. And then once you've figured out that it's a material event, then you report, right? Then you've got four days to do that. So, what we've seen as a result, is folks are coming out of doing these preliminary preemptive 8K filings and saying, "Look, we don't know if it's material or not, but just in case that it is, we're going to go ahead and let the market know." So, they're taking -- they're kind of being overly cautious, and that's fine, right? I think we want more disclosure. We want more transparency. And I think the number now is somewhere around 50 8Ks have been filed since the beginning of the year. So, as the rule went into effect, about 50, right? And it'll probably go up, right?
There's a universal agreement that yes, I think we're going to see a lot more of this. You know what? It's fine. Take the flipside of that, which was no disclosure, people playing hide-and-seek, you know, saying like, oh, you know, not even acknowledging the breach, and you know, we don't want that, right? So, we want more transparency. I think the SEC's moving in the right direction on that.
Ben Yelin: So, given increased -- the increased need for transparency and these SEC regulations, if you were working at a C-Suite in either a large corporation or even a smaller corporation, what sort of institutional changes would you put in place to reflect this new reality, or to improve compliance or the ability to withstand risk?
Igor Volovich: Great question. So, we talked about this at length at this conference, and there's some agreement about it, right? Folks have done a pretty decent job over the last, let's say, decade of doing these tabletop exercises, you know, figuring out, have an incident response, figuring out how to walk through with the executives and you know, who's the communicator, who is the incident lead, who's going to talk to the press, who's going to talk to the government, etcetera, etcetera. So, the roles and responsibilities have been sort of established. Folks know how to do that pretty well. And whenever we did tabletop exercises, no longer is the C-Suite surprised by any of it. Like, "Okay, it's time for the tabletop," right? Everybody knows that. But when it comes to these sort of things, you know, disclosures, what's material -- and what's material and what's not? How do you figure that out? How do you do it quickly? Matters of risk governance, and what I've come to call, "compliance governance." So, that's the term I've kind of released onto the world, to see what people would think, and what I've seen from confident folks certainly in the C-Suite and in the legal community, they kind of -- you know, some of them turn their heads sideways and do the dog one ear up thing, and go, "Hmm? That's interesting." Right? And some folks enthusiastically nod and say, "Yes, that's exactly the term," right? So, what do we mean by compliance governance? What do I mean by that? I mean how do you know what you know about your compliance posture? How do you know about the integrity? What's the validation model? What's the credibility model? The confidentiality model, for what you're reporting up, right? And so, if you're making a filing, I want you to be able to answer for the integrity of that entire workflow, right, you know, where the data comes from, how do we validate it, how do we make sure our controls are actually in place?
And if you say they're in place, how do you make sure that they're really in place? And by the time it winds up as a line on some financial statement or a filing, you know, I say from the data center to the 10K, be able to answer for all of that, right? Follow that bouncing ball all the way up and down that line and be able to answer for each one of those steps. And if it's a lot of manual artifact collection, if it's a lot of manual analysis, if it's a bunch of spreadsheets, if these things wind up being opinions, not facts, these are the kinds of questions that you want to ask. And when you talk about a cultural shift, the cultural shift being towards transparency and disclosure and accountability, you've got to start asking these questions internally, right, then asking, "How do we know what we know?" right? What is the actual confidence level for our compliance and reporting operation, right? And how timely is that data? How loud is that data? What kind of fidelity? What kind of detail do we have in that data, right? So, it's just somebody saying, "Look, we have for instance, you know, multifactor authentication." And that's just a checkbox. And you know, that's not enough, right? Nobody's satisfied by that. And the regulators are becoming a lot more stringent about that, too. And just saying you have something, don't tell me exactly where, right? So, I think that's the shift. I'd say you basically tabletop the idea of a breach and then the idea of material disclosure, how to determine the materiality of and whether or not you have to disclose, and you know, how do you make that decision on the fly? I mean, prebuild those triggers. How do you know what the thresholds are ahead of time, right, so again you're not figuring that out as the breach is happening and you're kind of trying to chase people around your network.
So, I think becoming more proactive, becoming more aware of the new requirements, evangelizing that across the C-Suite, getting the buy-in, getting the stakeholders involved, and making that a part of the overall process, right? You know, this is not a one-off. This is going to continue to happen as environments get breached. The bigger they are, the more complex it is. So, get ahead of it now, and pretend that you just had a breach, because guess what? The likelihood is you already have one.
Ben Yelin: So, I'm going to take a skeptic's view. The market, as you said at the beginning of our conversation, didn't correct for these issues of reporting. Basically, it wasn't a proper incentive for these companies to report prior to these SEC regulations. And everything you've just described sounds really expensive. Compliance is expensive. It requires a lot of resources. Do you think SEC's enforcement to actions are sufficient to get people to institute these types of governing structures? And if not, what else needs to be done to either encourage or really force companies into this type of posture you're describing?
Igor Volovich: Well, that's -- that is the typical answer, right? And traditionally compliance has been expensive. It is expensive. A lot of folks don't realize how much compliance actually costs them because sometimes you know, those costs are buried in other functions. I've been around many, many environments where these things kind of get distributed across the whole enterprise, right? Different functions will kind of feed in the compliance information, and they'll collect artifacts, you know? People get kind of shanghaied in or getting pressed into -- or press -- get pressed getting into, doing like, "Oh my God. We've got a lot coming," right? Or, "We had a breach. Okay, we've got to figure out where we were right before the breach so we can basically say, 'Well, we were doing the right thing before it happened and this is outside of our control,' right?" If you follow the normal model, kind of the traditional or let's say legacy model of compliance management, then you'll throw more bodies at the problem, right? Some organizations spend like 60% of their security budget on compliance and they don't realize they're doing it, right? You know, people run to the SOC because they've got the best data. And they ask them for the data and the SOC is like, "Look, I'm chasing bad guys around the network. I don't have time for this." But yes, that's where the auditors and the internal assessors go. So, being cognizant of what you're actually spending on compliance, I think that's the first step to solving that problem. Figuring out where you have some of this shadow compliance going on, right, where it's not actually within your GRC organization, but it's going to -- this octopus sort of spreads its tentacles and you're pulling in data, you're pulling in people, you're pulling in resources, you know, man hours, can you actually capture that, right? And I think that goes towards that compliance governance question, right? How much actual governance do we have? 
How much control do we have over the quality of your compliance reporting? And I don't think you can answer or even approach answering that question without firstly figuring out, "Well, where are we actually doing compliance?" Like, "Who's on first?" right? So, figure out who's doing compliance and then start pulling that in. And look, I'm a fan of decentralization, but I think within a corporate space, you have to sort of -- you have to bring that stuff in. Somebody has to own that. Typically, it's the GRC team. The problem is that GRC teams have historically relied on just manual labor, right? You know, "We've got more compliance mandates. Let's bring more people in. Oh, we don't have any people. All right, well let's bring in the big four," or the second-tier companies, "Bring the firms in, have them throw more people at the problem," right? And what it does, it just -- it perpetuates that continuous cycle. You know, that's linear growth model. More mandates, more controls, more obligations, more people. And it does become more and more expensive over time. My answer to that is compliance automation, and I'm happy to talk more about what that means.
Ben Yelin: Yes, could you explain a little bit what compliance automation means? I know that's part of your everyday work and can you just kind of introduce that concept to us a little bit?
Igor Volovich: Absolutely. I think -- so there's two things here. On the one hand, what compliance means and what it's capable of as a function, and on the other hand what does compliance automation mean? So, I think there's some taxonomic inconsistency that's happening right now in the industry. We haven't settled on what that actually means. So, from my perspective, compliance automation means end-to-end full-life cycle. So, from like I said, from a data center to a 10K, right? Be able to answer that completely and automate whatever is automatable. So, if you look at most compliance frameworks, they all cross-pollinate, right? That diagram is pretty much overlapped. So, you know, you've got the [inaudible 00:45:51] 153, you've got your PCI DSS, you've got HITRUST, you've got, you know, whatever industry-specific model of framework or standard you have. About 30, 35% of those controls are what we call technical controls, meaning they're actual systems, they're actual application, they're software, they're hardware, they're things that actually have a heartbeat, right? An IP address, something like that, right? And we can collect from those automatically. So, if you can do that, great. Right? Automate what's automatable. Now, what's interesting is those 30, 35% of the controls, those are the ones that are going to keep you safe on a continuous basis, right? You know, policies are important. Security awareness training is important. All of these things are important, but they are not positive control mechanisms for ensuring the integrity and resilience for your environment. So, focus on what you actually can control, what you actually can put your arms around. You know, human factors, I spend a significant amount of time dealing and talking about that, too. But humans are the squishiest part of that what where, right? We want software, hardware. We want things that we can actually positively control and exert again the governance. 
Risk governance, security governance, compliance governance. So, automate what's automatable. If it's a technical control, it should be automatically managed. It should be automatically collected from, and it should be automatically reported on. So, eliminate the reliance on manual labor, manual labor analysis. Take the guesswork out. Right? Be able to get to this real time risk observability is what I call it, right? And we've used these same models on the security side of the house, like nobody will accept doing security operations in the SOC with data from two weeks ago. In compliance, we operate on data from two years ago and we think that's totally fine. Right? So, changing that perception. Realizing that we don't have to live that way. We actually could come into the real time operational timescale. We could actually do this with the same data you probably already have in your security operation, right? You could leverage that data for compliance, and then there is the something that I call convergence, right? So, we've been talking about convergence probably for the last two-and-a-half years at Qmulos, and I've been championing that for probably a lot longer than that, and we're seeing this adoption, right? Some folks are starting to talk about it. Analysts of government [inaudible 00:47:58] or in some other places, there's some parallel thinking going on, right, and probably of the [inaudible 00:48:03] from our end. We're calling for the acknowledgement of the fact that there's this chasm that exists. This schism that exists between compliance and security. It's unnatural, right? There's no reason it should exist. So, converge. Try to overlap. Try to merge those operations as much as possible. Realize that compliance actually can be a mechanism of risk management. Not just a historical reporting function. Instead of looking backwards, we can look in the real time, and maybe then reach into the future? Right? The same way we're doing security operations.
So, basically, it's the convergence of thinking and kind of rethinking what compliance means for you. So, and that's kind of the first step to even embracing the idea of compliance automation.
Ben Yelin: So, this seems to consist of a pretty significant culture change that has to take place within organizations. Do you think that that would only happen on a wide scale with some type of large, high-profile event, the kind of proverbial cyber 9/11 that people have talked about, or do you think this is something that's implementable at scale, even in the absence of that catalyzing event?
Igor Volovich: Look, I think a lot of vendors are happy. They're kind of sitting there, you know, waiting for that inevitable big event to happen so they can jump in and say, "Hey, if only you had my solution, this wouldn't have happened to you," right? Which is so self-serving and it's so disingenuous and frankly people are tired of it, right? It's just another version of FUD, right? Fear, Uncertainty, and Doubt. I'm not a fan of that type of marketing, although industry suffers from that tremendously. You know, we've got what, 4600-odd vendors in the industry that -- which Stiennon tracks in his Security Yearbook which is by the way, a great read I can recommend to everybody. Subscribe and get it every year. And if you ask him for it, he'll probably send you a free copy. And you know, he used to be with Gartner, and now he's got his own analyst firm. So, about 4600 active folks in the industry. Yes, they want to, you know, they want to compete for that you know, for the limelight and so that's not uncommon. I don't think we need to wait for a big event, right? I don't think we need to wait for the cyber-Armageddon or cyber 9/11. I think those have been happening, just on a smaller scale and because it's not you know, disrupting something in a massive way where there's a huge loss of life like -- if that's the threshold, we've waited way too long, right? If we're waiting for, you know, 100 bodies to be laid out on the street, then -- on a stretcher, that's when we'll know it's time to wake up? I mean, we've had wakeup calls all along, right? We've had Colonial Pipeline. We've had the Microsoft hack. We've had SolarWinds. We've had massive events, and then before that ten years ago, we had the SSL vulnerability that went everywhere as well. I mean I was in war rooms when that happened at a large company. So, we've had events. Like there's no excuse for this. Like, "Well, we need another wakeup call." No, we've had them.
I think the real story is creating the positive incentives, driving the change by -- well, the way we do with driving any change, right? You demonstrate the reason for it. You lay out the vision. You bring people onboard, and you explain to them what the benefits are, right? And I think also, explain to them that the infeasibility of their continuous status quo. Right? The idea that we've just accepted this notion that compliance is this. Again, historically reporting function. We look backwards. We report things that happened two, three years ago sometimes. It has no value other than we'll get -- we're going to pass the gauntlet on a periodic cadence, and then just so we can kind of "keep on doing business," quote/unquote, and that's just not the way to operate anymore. You know, folks want to know where you actually are today, right now, real time, because the hacks, the attacks, the breaches, they're happening real-time now. So, we need to bring up probably one of the most significant components of our spend and significant components of our capability into the fold, so that we can actually leverage it to defend against and build a resilient environment just to defend against these attacks, right? And the attacks are only getting more sophisticated. And they're getting more scaled. We are sitting on dormant capability that's soaking up a lot of our budgets and a lot of resources. But yet, we're not really using it to do what it's capable of. Right? So, I think recognizing that hidden value, the fact that there are some sunk costs already in there, significant sunk costs, that you've been investing into for years and years. Right? But you just haven't had a chance, or you haven't had the opportunity, or you haven't had the forethought or the understanding even right, that this could be operationalized. That this could actually be a part of your existing security operations apparatus, right?
So, that recognition, I mean that's why one of the white papers we published is called "Rethinking Compliance." Like, rethinking the role of compliance. What it's capable of? These are the kinds of things you've got to think about. So, it's -- I won't deny, right? It is a tough sell for some folks. They're kind of saying, "Look, I need to get past that next audit. Then like leave me alone for the next year." That's not the reality anymore, right? The SEC wants to know immediately when something bad happens, which means you have to know what's going on. You don't want to be going up there, you know, on the Hill and saying, "Hey, well, you know, we did the best we could." "Well, how do you prove that?" "Well, here's our compliance report from last year," or "Here's our audit report from a big four firm." It's like, "Yes, we're not buying it anymore." Nobody's buying it. The regulators are not buying it. The Congress is not buying it. And your partners and customers are not buying it. And if you want to be a global company and you want to do business at scale, folks want to know that you know what's going on, on a continuous basis, because you're keeping that data and you're delivering services to them, and delivering products to them, and it's like, you know, I used to work for a huge manufacturing company. We made big, heavy, capital spend things. And you know, like yes, they perform a very critical function, but security is inherently included, should be included in that function because if it's insecure, then it cannot deal with that function, right? And folks have started to integrate that notion that these products need to be secure. They need to be resilient. And it's not like, "Well, can this transformer step down the power from high to medium?" Like, "Yes, that's table stakes." Security has been considered like this add on. Not anymore. Now, everybody wants to know, they want security included in.
So, being able to justify, being able to say, "Look, we have a defensible program. We are credible in our management of our risk posture. Here's how. We're transparent up front," right? Like don't wait for the disclosure requirement to land on you. Don't wait for that event that requires an 8K to be filed. Get that transparency onboard so when I talk about these proactive tabletops, make that part of your exercise. Pretend you've got a whistleblower about to release something. Like, do that because everybody's afraid of whistleblowers. Embrace the notion of whistleblowers. I've been writing about whistleblowers for years, too. The idea that you know, like specifically cyber-whistleblowing, it's a recent phenomenon, but we're seeing more and more of it. And talking to the attorneys and talking to the enforcement folks and folks who deal with that, who incentivize whistleblowers, it's just -- that is the next big thing. We're going to see an avalanche of these [inaudible 00:54:58] cases, right, and for those folks who don't know, basically you know, these are whistleblower lawsuits, right, brought on behalf of the public. So, that's just the coming thing. So, like this idea of plausible deniability, the ability to avoid disclosure, all of that's gone. We're living in a new world now. Accept the reality, that transparency and accountability are the name of the game. So, prepare for that. Get transparency internally, and really the only way to do that is to embrace this notion of real-time continuous compliance, right? And this is not a self-serving thing. I'm not trying to sell anybody any product here, right? I'm trying to sell people on the idea that this is possible. And if they rethink how compliance works and what it can deliver for them, I think you've got a lot of hidden value just sitting there waiting to be unleashed. [ Music ]
Dave Bittner: Interesting conversation, Ben. You know, these SEC disclosure rules kind of, I don't know, is it overstating it to say it's a bit of a shockwave, or more of a rumble?
Ben Yelin: I'd say it's more of a ripple than a wave.
Dave Bittner: Yes.
Ben Yelin: But I do think it's changing the way the industry is dealing with compliance and prioritizing compliance. And having more of an enterprise understanding of the importance of compliance I think is somewhat revolutionary. Created that kind of ripple that we're seeing now that those regulations are in place.
Dave Bittner: It seems to me like this is another step along the way or the continuing progress of the professionalization of cyber security. You know, as it finds itself more and more under a regulatory regime, as best practices and standards and all these things become part of the bedrock, the foundational elements of what is expected and what's to be done, if you have things like this, really help I think cyber security professionals be taken more seriously by the powers that be and their companies, and also just make it easier to make the case for what should and shouldn't be done. You know, what are the standards?
Ben Yelin: Yes, I mean I think it's the proliferation of cyber incidents, especially high-profile ones over the past several years that have forced organizations to finally take cyber security seriously.
Dave Bittner: Yes.
Ben Yelin: I think, especially in the private sector, you ignore investing money on cyber defense until you are absolutely forced to by circumstances, and given what we've seen in pretty much every sector I think they've been forced to by circumstances.
Dave Bittner: Yes. All right, well our thanks to Igor Volovich from Qmulos for joining us. We do appreciate him taking the time. [ Music ] That is our show. We want to thank all of you for listening. A quick reminder that N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team, while making your team smarter. Learn more @n2k.com. Our executive producer is Jennifer Eiben. This show is mixed by Trey Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening. [ Music ]