Caveat 2.6.25
Ep 249 | 2.6.25

The future of software security standards.

Transcript

Jeff Williams: When we talk about cybersecurity, we talk about terms like breaches and attacks and attack surface and threat modeling and risk and incidents, and it's all negative. We talk about remediation time and vulnerabilities, and it's all attributes of Planet Risk. And we're trapped in orbit around that. And, every once in a while, every few years, someone makes a big stink about it and says like, "Hey, instead of just reacting to bad stuff, why don't we actually try to build stuff good in the first place?"

Dave Bittner: Hello, everyone, and welcome to "Caveat," N2K CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner and joining me is my cohost, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hey there, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: On today's show, Ben has the story of Elon Musk's and DOGE's incursions into federal databases, I've got the story of a man who was wrongly convicted of identity theft. And, later in the show, my conversation with Jeff Williams, former global chairman of OWASP and founder and CTO of Contrast Security. We're discussing what could happen to "Secure by Design" in the current administration and how to secure software through regulations. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. [ Music ] All right, Ben, I think it's fair to say it's been a busy week when it comes to policy. So, you want to start off with the big, gigantic elephant in the room?

Ben Yelin: Yeah. So, something very weird is going on with the world's richest man, Elon Musk, who now has a government email address, so he's kind of quasi part of our federal government.

Dave Bittner: Yeah.

Ben Yelin: And the quasi-federal agency that he is overseeing, DOGE, the Department of Government Efficiency, which is now just him, Vivek Ramaswamy dropped out before he even started -

Dave Bittner: Right.

Ben Yelin: - to go run for governor of Ohio, and there was a big New York Times expose, as we're recording this it came out today, on exactly what Musk and his DOGE team is doing. And, frankly, it's pretty disturbing. And I think it could have implications for cybersecurity, for data privacy, for your grandma getting her Social Security payments, really for any type of activity relating to federal disbursement of payments. So, one of the things that Musk and his team of 19- to 23-year-old tech bros have done, I don't say that derogatorily, is they have gone into federal agencies, talked to the senior-most career officials and asked to gain access to systems - federal systems, particularly when it - as it relates to the Department of Treasury, it is the system that controls 95% of all federal payments. And the most senior civil servant at the Treasury basically said, "No, GT - GTFO." And Musk and his team, presumably with the support of the president, said, "You can go on administrative leave, but this is happening." And, rather than go on administrative leave, the senior official from the Department of Treasury simply retired. So, they have gained access to this large system which disburses payments. They're doing it because, in their view, they've been empowered to cut wasteful government spending. The normal process for doing that would be to make recommendations. Maybe you take a look inside the books of these various federal departments and find waste, fraud and abuse. There always is some. I read that there was I think $230 billion worth of overpayments in fiscal year 2023. So, it does happen. You make some recommendations, you give them to Congress, which is the body that decides how and when and where the government spends federal dollars -

Dave Bittner: They control the purse strings.

Ben Yelin: They control the purse strings. And they should enact a statute that governs how money is spent.

Dave Bittner: Now, just let me check you for a second here -

Ben Yelin: Yeah.

Dave Bittner: - because, I mean, the normal process here, wouldn't it be to request or demand a report or an audit or to have some qualified organization come in with a certain amount of discipline -

Ben Yelin: Right.

Dave Bittner: - to do this sort of thing?

Ben Yelin: And it would be methodical, it would take some time. You could get an outside auditing organization, something like the Rand Corporation or any sort of outside consultant to come in or maybe you make use of the inspectors general at these various departments -

Dave Bittner: Yeah.

Ben Yelin: - who monitor things like whether money is being used for wasteful purposes. Of course, many of the inspectors general have been fired since President Trump took office.

Dave Bittner: Right.

Ben Yelin: So, many of these offices don't have them. That would be the normal process. And then you go to Congress and say, "We've identified this wasteful spending. For the next appropriations bill, will you cut this program or will you reform it?"

Dave Bittner: Okay.

Ben Yelin: They are skipping these steps. And Musk, who obviously has a very public presence online through his own platform, X/Twitter, is saying that he intends to cut $4 billion per day from the federal budget, which really adds up. Now, how and why does the richest man in the world get to just decide which government programs to cut arbitrarily? That's a great question. But that is absolutely what he is trying to do. The foremost example is this program called USAID, which is an independent government agency that disburses payments to overseas entities, whether they're nongovernmental organizations, sometimes governments, as part of humanitarian efforts.

Dave Bittner: This was created by President Kennedy. Right?

Ben Yelin: It was created by President Kennedy, yeah. It's sort of an exercise of our soft power. We give humanitarian aid to countries around the world, including for things like infectious diseases, and it's been very successful in winning us goodwill in the international community and putting us in a more favorable position vis-à-vis our geopolitical rivals -

Dave Bittner: Right.

Ben Yelin: - like Russia and China.

Dave Bittner: And Musk is saying that -

Ben Yelin: "I'm going to kill it."

Dave Bittner: - it's a criminal organization.

Ben Yelin: Yeah, he says it's a criminal organization, he's going to kill it. For them, you know, for Musk and his allies, they find the most ridiculous expenditure they could find. And I think, for this one, it's something like education about trans issues in Ecuador or something.

Dave Bittner: Right.

Ben Yelin: They make that the focal point or the reason why this particular government program needs to be shut down. And then, instead of making recommendations, they simply shut down the program by physically going into the building where the program exists, barring the doors, going - getting into these government systems and networks, refusing access to career civil service employees and then just declaring that USAID no longer exists. For now, it's been put under the authority of the Department of State and Secretary Marco Rubio, but it's possible that the program could be discontinued altogether. They are also trying a version of this with the Department of Education. So, Musk and his team have tried to gain access to Department of Education systems. Trump has stated that one of his goals is to shut down the Department of Education. And this is kind of a way to start that process, to make sure that, at the very least, the Department of Education is significantly downsized. And then the incursion into the Department of Treasury is the most concerning 'cause that is the literal purse strings. The Department of Treasury really is a bank, it's not a policy-making institution. And the fact that they've gained entry to these systems, now, the Trump administration officials insist it is only read-only access -

Dave Bittner: So, that's the question - that's been questioned by folks inside this - there's - let me back up. There's been reporting from insiders that Musk's crew has admin access. So, they do have write access allegedly.

Ben Yelin: Allegedly. So, we don't know exactly who's telling the truth.

Dave Bittner: Right.

Ben Yelin: I don't think anybody involved in this is a reliable narrator.

Dave Bittner: Yeah.

Ben Yelin: So, it's hard to know what to believe. I tend to think that they have gained access. Last week, as we were recording our last podcast, they put in this Office of Management and Budget order to basically temporarily stop all grants and loans, which caused a big freak out.

Dave Bittner: Yeah.

Ben Yelin: And that memo was framed as a request to various departments to put stop payments on those grants and loans. But the fact that they controlled the Treasury seemed to have some impact because a lot of organizations across the country filed lawsuits because they were not getting the checks that they believe they were entitled to.

Dave Bittner: Right.

Ben Yelin: So, there is some evidence that they have gained access into the system. Musk comes from the world of Silicon Valley where I think this type of behavior is celebrated.

Dave Bittner: This is exactly what he did to Twitter.

Ben Yelin: Exactly. He barged in, he broke everything, you do what he refers to as zero-based budgeting. So, you zero out everything, you downsize by 80-90% and then you make everybody justify their own positions. So, if it's worthwhile, argue for it. The base - the budget base is zero. If you want funding for something, argue for your own existence. And it's been very successful for him in the private sector. He is the world's richest man after all.

Dave Bittner: Right.

Ben Yelin: But, last time I checked, Dave, we're living in a democracy.

Dave Bittner: Ohh, Ben, you're adorable.

Ben Yelin: I know. And we have elected representatives who make decisions on our behalf as to where federal dollars should be spent. And this isn't to defend every single dollar that comes from the federal government.

Dave Bittner: Yeah.

Ben Yelin: I don't want - I do think there is a role to play in promoting government efficiency. But the methods that Elon Musk is using here strike me as blatantly unconstitutional and antithetical to our system of government.

Dave Bittner: So, I have so many questions, Ben.

Ben Yelin: Yeah, I'll stop and let you ask some questions.

Dave Bittner: I've got so many questions. Let's start with how the heck is any of this legal?

Ben Yelin: So, there have been a few lawsuits challenging what Musk and the DOGE team have done. First, you have to have somebody establish standing. So, we're going to have to have some entity whose funding has been cut off, the pipes have been clogged and funding is not getting to an organization, then they can establish standing. And they might be able to get an injunction that restores funding. What Musk and his team have said off the record is they want to bulldoze everything so quickly that organizations don't have time to react and file lawsuits.

Dave Bittner: Right. I saw, over the weekend, Musk, I think, posted on X/Twitter that they had the advantage because they work on weekends and government employees don't.

Ben Yelin: Yeah, exactly.

Dave Bittner: Yeah.

Ben Yelin: And he put sleeping bags in the old Executive Office Building -

Dave Bittner: Right, yeah.

Ben Yelin: - so his young employees are sleeping there.

Dave Bittner: Okay.

Ben Yelin: So, we might get potentially some relief through our legal system. Short of that, and I don't know exactly what that relief would look like, Congress has some oversight responsibilities, but they don't have an army. And, actually, to be honest, the Judicial Branch doesn't have an army either. So, if Musk decides, and I kind of think he has this attitude that, "I'm not going to let bureaucrats get in my way, whether that's from federal agencies or from rogue Biden/Obama-appointed judges, stop me from my mission to make government more efficient." He just might not comply with these court orders. Then, of course, he would be explicitly violating the law, which would be enforced by the Department of Justice. If you see where I'm -

Dave Bittner: Yeah.

Ben Yelin: - if you see where I'm going here -

Dave Bittner: Yeah.

Ben Yelin: - Congress could zero out funding for his office. I don't think that would make a big difference. They could impeach the president. That's not going to happen. Republicans have majorities in both houses of Congress. So, Democrats can't even hold public hearings on what Musk is doing in these systems. So, frankly, there's really not much to stop him, even if you grant that what he's doing is legal. What matters is that he doesn't think it's illegal or he doesn't care. He's going to keep on doing it.

Dave Bittner: What about the security issues? Like the folks who are in doing this security clearances and national security, all - access to all this information that is relevant to our nation's security?

Ben Yelin: Right. So, normally, anybody accessing these systems will have had to go through the clearance process and gotten their security clearance. All we've heard from the Trump administration are vague quotes that like "the law is being followed" and it's put in this kind of passive voice. Reporting -

Dave Bittner: Well, the president's allowed to grant anyone a security clearance. Right? Isn't that -

Ben Yelin: Yes.

Dave Bittner: Or at least that's his argument -

Ben Yelin: Yes.

Dave Bittner: - his unchallenged argument, I guess.

Ben Yelin: It is. And, in his first term, he was reluctant to do that and I think a lot of things got bogged down as people were trying to obtain their security clearances and they had some skeletons in their closet. So, I think his attitude right now is "don't worry about the security clearances."

Dave Bittner: Okay.

Ben Yelin: So, it seems like, if I had to guess and there's been some reporting to these regards, most of the DOGE staff, who I think number like - I think there's like 40 of them, none of them have gone through the process to obtain security clearances. So, there is personal information on basically everybody in the country in these systems. They've been in the Office of Personnel Management, OPM -

Dave Bittner: Right.

Ben Yelin: - which has sensitive data on every government employee. And there's really not much of a mechanism for accountability. They don't have security clearances so they haven't been pre-cleared to access this information. And then, once they get it, you know, what's to stop them from laundering information through favored media sources or anonymous Twitter accounts to prevent themselves from being indicated as the person who leaked government secrets? But when you have 40 people who, for the first time, have access to these systems, the risk I think is extremely high -

Dave Bittner: Yeah.

Ben Yelin: - to our national security and to people's private data, which I think is something that's being underreported as media organizations are covering this story.

Dave Bittner: Now, how about Musk himself because - so, what I wonder is, in some way, shape or form, he is a government employee?

Ben Yelin: Yes.

Dave Bittner: Okay.

Ben Yelin: That was established, and the quote's from this New York Times article, he's like - there's some type - he's like a quasi-government employee where -

Dave Bittner: So, shouldn't he be required to divest himself of his - I'm - I know, I mean, you laugh, but isn't that what you're supposed to do?

Ben Yelin: Yes.

Dave Bittner: Okay.

Ben Yelin: There is.

Dave Bittner: I also wonder like, "What are the board of directors at Tesla and SpaceX think about Elon's new side hustle?"

Ben Yelin: Yeah, isn't he abandoning some of his -

Dave Bittner: Right?

Ben Yelin: - responsibilities as CEO of these companies?

Dave Bittner: I mean, yeah.

Ben Yelin: In terms of conflicts of interest, there are a million different conflicts of interest because he runs three very prominent businesses.

Dave Bittner: Right.

Ben Yelin: I mean, the New York Times lists all these ways in which he has interest in various contracts in China that are implicated by many of these systems that he is controlling. And they're basically - at least the attitude from the article seems to be like, "We're not going to let that stop him from going in and cause - and wreaking havoc and accomplishing his mission to make government more efficient." Again, all we've gotten from the administration is a quote that "all laws are being followed." But, yeah, there are massive conflicts of interest here. And I'm not trying to be flippant or to exaggerate, but I really just think they're ignoring these potential conflicts of interest 'cause even - really even the appearance of a conflict of interest is problematic.

Dave Bittner: Yeah.

Ben Yelin: The idea that he can go in there and divest - or divert money to his interests is potentially terrifying and undermines trust in our entire system of government.

Dave Bittner: Right.

Ben Yelin: But I just think, in his mind, and maybe to a lesser extent, in Trump's mind, the ends justify the means. He thinks that what he's doing is righteous. He has an army of yes men and a few women on Twitter - X/Twitter who think that everything he does is some type of genius, masterful gambit.

Dave Bittner: Right.

Ben Yelin: And he's not going to let bureaucratic roadblocks get in the way of his ultimate goal, which is to cut the federal budget and try and bring it into balance. So, I think, frankly, he's just ignoring these blatant conflicts of interests and I think Trump is giving him leeway to do so.

Dave Bittner: Do you think he's in any type of legal peril? Or I suppose if he was, the president could just pardon him. Right?

Ben Yelin: Yes. I don't think he's in any legal peril for that reason. And the president could issue a preemptive pardon for him now. Or the president could, to try and avoid political blowback, just wait until his last few days in office and make sure that future presidents don't have the opportunity to criminally charge Elon Musk, which I think is almost certain to happen. So, they're really - there really is not any level of accountability here. And I think this has been shocking for people who are federal employees, who are career civil servants -

Dave Bittner: Yeah.

Ben Yelin: - who've just never seen anything like this. I think the only limits on his power right now and his ability to control these systems and these government agencies is Trump himself. Musk, I think, is less concerned about the political popularity of this project. I think he sees what he's doing as being righteous, he's ideologically committed to it, I think he really believes in it.

Dave Bittner: Yeah.

Ben Yelin: If he starts like cutting off funding for people's Medicare or Social Security and people get really angry about it, Trump is sensitive to that, especially if it's his supporters who are being impacted. And that's when Trump might tell him to can it or there might be this long-expected reckoning with the two of them where Trump throws him under the bus. I could see that happening.

Dave Bittner: Yeah.

Ben Yelin: But, beyond that, I don't think there are any accountability mechanisms, especially since the civil servants who are trying to put up roadblocks to prevent these DOGE employees from getting access, they're being threatened with administrative leave or potential dismissal.

Dave Bittner: Yeah.

Ben Yelin: And they would rather retire than go through that process, for the most part.

Dave Bittner: Yeah. Yeah, I guess one of the benefits of being a billionaire is living a consequence-free life, which, you know, I argue is a reason why - one of the reasons we should not allow billionaires.

Ben Yelin: Yeah. And I know there's a saying out there that every billionaire is a policy mistake or something like that.

Dave Bittner: Right, right.

Ben Yelin: But, yeah, I mean, to me, it's a pretty scary situation. I don't - I think I want to - what I want to be careful about is what he's doing on the surface might not strike most people in the electorate as like inherently problematic or unpopular because I think there is a widespread perception that there is a lot of federal government waste and that Musk has a history of going into companies with a sledgehammer and making them lean, mean fighting machines. He did it with SpaceX, he did it with X/Twitter. It takes a bit of explanation from those of us who believe in these institutions to explain why this is so blatantly illegal, unconstitutional, antithetical to our democratic system of government.

Dave Bittner: Right.

Ben Yelin: It's not going to be the easiest argument to make. I think most people might be like, "Well, whatever." Like, "We've tried it the old way. Government keeps spending beyond its means. What's wrong with having this guy go in there and taking control of the reins?"

Dave Bittner: Yeah.

Ben Yelin: And I think it's incumbent upon those of us who care about this stuff to get out there and argue why this is bad for our democratic system -

Dave Bittner: Yeah.

Ben Yelin: - that if somebody can do this, then our votes no longer matter, our votes for members of Congress don't matter 'cause they don't control the power of the purse and we only get to vote for president once every four years. So, that's kind of where I'm at on this thing. Like I don't expect this - I don't expect public accountability 'cause it's not immediately clear to me that the electorate will find what he's doing objectionable. So, it's - you know, I think it falls on those of us who really believe in our system of government to make that affirmative case.

Dave Bittner: Just anecdotally, over this past weekend, I was with some family, several of which work in the intelligence community, and they were just saying how things have ground to a halt where they work because -

Ben Yelin: Yeah.

Dave Bittner: - nobody knows what's happening, nobody knows if they're going to have jobs or the funding - there's the whole retirement thing. And, so, things have pretty much just kind of stopped while everybody holds their breath. And, for people who are in the intelligence -

Ben Yelin: Right.

Dave Bittner: - community, whose day-to-day job is keeping the rest of us safe and keeping an eye on what's going on around the world, that's not good.

Ben Yelin: It's not that the threat landscape has changed or gotten significantly better.

Dave Bittner: Right.

Ben Yelin: I completely understand that sensibility. I mean, one of the things - they quoted a bunch of federal employees in this New York Times article and I think they feel really paralyzed. And I think that's part of Musk's strategy. If you telegraph like, "Well, we're not going to touch X, Y, and Z agency. So, if you work for the NSA, you're fine to go to work, it's business as usual."

Dave Bittner: Right.

Ben Yelin: I think the goal is to keep people on edge -

Dave Bittner: Yeah.

Ben Yelin: - so that your [inaudible 00:23:38] can have that kind of shock and awe mentality that people are not expecting it when he comes into the agency and takes over. There's less ability for organized resistance. Yeah, it's not great, it's not great at all.

Dave Bittner: Not great, Bob, not great. Well, we will have a link to that story in the show notes. I am going to shift gears and leave the federal government for a moment.

Ben Yelin: Please do, Dave, we need this.

Dave Bittner: This is a story that caught my eye. And this is about identity theft, the integrity of the justice system and kind of, to me, what - this story strikes at a fundamental issue in our justice system, which is who do you believe? Okay? This is about a man named William Woods, who has not had the easiest life in the world. He has dealt with homelessness, he has had mental health issues. You know, he has moved from place to place, from job to job. He's taken on many low-level jobs over the years. And, at one point in his life, he was working at a hot dog stand. And one of his coworkers at the hot dog stand was a gentleman named Mr. Keirans. Allegedly, at some point in time, Mr. Keirans, who was also in a similar situation with his own life, he was down on his luck, stole Mr. Woods' wallet and assumed Mr. Woods' identity. He went to a different town, established himself as Mr. Woods. He went on 23andMe, the DNA site, and was able to get - or it might have been Ancestry, one of those sites, was able to get a copy of Mr. Woods' birth certificate, which allowed him to get more paperwork affirming that he is Mr. Woods. In the meantime, Mr. Woods has a run-in with the law, gets apprehended and accused of identity theft. The real Mr. Woods is accused of stealing the identity of the fake Mr. Woods, Mr. Keirans. Okay?

Ben Yelin: It's hard to follow, but I think I get it.

Dave Bittner: It's hard to follow -

Ben Yelin: Yeah.

Dave Bittner: - yes.

Ben Yelin: So, in a way, he's being accused of stealing his own identity?

Dave Bittner: He's being accused of stealing his own identity. And because he has mental health issues, because he has a checkered past, the judge, the prosecutors don't believe him. According to a transcript from a proceeding in 2021, I'm going to quote from the article here, it says, "Prosecutors in Los Angeles asked the judge to order Mr. Woods not to use his name. When a judicial assistant noted that Mr. Woods insisted that he was, in fact, Mr. Woods, the judge overseeing the case pushed back, 'That's because he was crazy,' the California judge said," according to the proceed - the transcript of the proceedings. So, imagine this situation if you are Mr. Woods. Right? You're - he goes to jail for having been found to have stolen an identity, but he is the actual real person and someone else stole his identity. This other person, Mr. Keirans, has moved on with his life, he established a - this article calls it "a quiet, successful life" -

Ben Yelin: As Mr. Woods?

Dave Bittner: As Mr. Woods. He got married, he raised a son, whose name is Woods. He lived in a middle-class neighborhood and he worked for the University of Iowa's hospital where he was a high-level IT administrator. Everyone in his life, his wife, his children, his employers, everybody knew him as William Woods. But he wasn't William Woods. Finally, the real William Woods was able to convince an investigator at the University of Iowa, where Mr. Keirans worked, to look into this. And this detective dug into it and was finally able to unpack the truth by getting some DNA tests done because the real Mr. Woods' father was alive in Kentucky, his identity was unquestioned, and the DNA test established without question that the man claiming to be the real Mr. Woods was the real Mr. Woods, the man claiming to be Mr. Woods, who was actually Mr. Keirans, was not. And the jig was up.

Ben Yelin: Why did they not do any type of forensic investigation prior? Was it because they just didn't believe this crazy career criminal when he said that he was the real Mr. Woods?

Dave Bittner: I think that's probably the biggest part of it, that you have someone who has a checkered past, who is down on his luck and also has mental health issues. So, this article talks about how sometimes, in the court hearings, he would say odd things, he was not completely coherent. And the prosecutors thought perhaps he wasn't qualified to testify on his own behalf. So, I also think that Mr. Keirans had managed to get an overwhelming amount of paperwork. Right?

Ben Yelin: Right.

Dave Bittner: He had a birth certificate.

Ben Yelin: Which means you can get anything -

Dave Bittner: Right.

Ben Yelin: - from that, a driver's license.

Dave Bittner: Right.

Ben Yelin: Yeah, all different types of government documentation.

Dave Bittner: Right. So, he went to the powers that be, a fine upstanding citizen now, right, having a job, a family, all this paperwork and is speaking, you know, eloquently, let's say. Right? So, you can see how the biases would shift one way or another just from kind of human perception.

Ben Yelin: Yeah, it's like - it kind of brings up meta questions about one's own existence. Like, "How do we know, each and every one of us, that we are who we say we are?" This is like the stuff of nightmares where -

Dave Bittner: Right.

Ben Yelin: - like your entire existence is questioned, your entire history, your entire concept of self-identification. It's like - it feels like it's right out of a science fiction movie.

Dave Bittner: Right.

Ben Yelin: But the thing is like this should all be able to be resolved with forensic evidence, DNA -

Dave Bittner: Yeah.

Ben Yelin: - fingerprints.

Dave Bittner: Yeah.

Ben Yelin: And I don't know what would have happened before we had reliable forms of forensic evidence. I think this never would have been resolved 'cause it's the word of one Mr. Woods against another and the real Mr. Woods is somebody who doesn't have - doesn't inspire a lot of trust or credibility.

Dave Bittner: So, ultimately, the imposter was brought to justice. The real Mr. Woods is back on his feet. He's got an apartment, he's working in a landscaping job. And he's also pursuing legal action to try to, you know, get some compensation for having been unjustly jailed.

Ben Yelin: At least this story has somewhat of a happy ending.

Dave Bittner: Yeah.

Ben Yelin: It took a while. And I'm glad that his father was still alive so that they could resolve this through DNA 'cause, if that had not happened, it could have been the rest of his life where he was trying to prove his own identity and nobody believed him.

Dave Bittner: Right, right. And, kind of what you alluded to, like there are all the facts of this and there's the story and the narrative of this that is fascinating and interesting and compelling and it's a real page-turner. But it also gets to the fundamentals of our justice system, which is, "Who do you believe?" And, in this case, you had someone - like you were saying, the foundations, who are you and how do you prove who you are? And what if someone has the ability to prove that they are you more than you have the ability to prove you are you? This lie can end up with people in jail. It's just - yeah, it's foundational, I think.

Ben Yelin: It really is. What a great story.

Dave Bittner: Yeah.

Ben Yelin: I mean, it's sad in a lot of ways, but it's really remarkable.

Dave Bittner: Yeah, you talk about a cautionary tale. I mean, you know, hopefully, you know, folks all over who deal with this stuff day-to-day, I would hope this was a story that's making the rounds. You know?

Ben Yelin: Wasn't there - I remember there was a plot in "The Simpsons" that has like long been discredited as being the worst thing "The Simpsons" ever did -

Dave Bittner: Okay.

Ben Yelin: - where Seymour Skinner, the principal, it turns out like he wasn't the real Seymour Skinner, he stole somebody's identity during the Vietnam War -

Dave Bittner: Oh.

Ben Yelin: - and had a different name entirely?

Dave Bittner: Okay.

Ben Yelin: That's what this reminds me of.

Dave Bittner: Oh, okay.

Ben Yelin: And everybody who was a "Simpsons" fan was like, "How can you do this to" -

Dave Bittner: Well, I mean, that sounds like they were ripping off "Mad Men" because that's a major plot point of the show "Mad Men."

Ben Yelin: Oh, well, I think this was before "Mad Men."

Dave Bittner: Okay.

Ben Yelin: So, who knows?

Dave Bittner: Maybe "Mad Men" ripped off "The Simpsons."

Ben Yelin: "The Simpsons," yeah. It shows our relative taste in television, that's for sure.

Dave Bittner: Right, right, right. Well, we will have a link to this story in the show notes. Like I said, it's a bit of a page-turner so do check it out. And, of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's caveat@n2k.com. [ Music ] Ben, I recently had the pleasure of speaking with Jeff Williams. He is the former global chairman of OWASP and the founder and CTO of an organization called Contrast Security. Our discussion centers on what could happen to "Secure by Design," which is CISA's initiative, in this current administration. Here's my conversation with Jeff Williams. [ Music ]

Jeff Williams: Well, from a "Secure by Design" perspective, we are basically at square one. While the - CISA and some other agencies have started talking about "Secure by Design" a little bit, it really hasn't made any meaningful impact and it certainly hasn't trickled down to software development teams and changed the way that they build software, which is unfortunate, but it's been where we've - it's been like this for 20 years. Before that, actually, there was some really interesting "Secure by Design" efforts, but they've just gotten overwhelmed by risk management and sort of the speed of modern software.

Dave Bittner: Why do you suppose that CISA hasn't been able to get better traction with this?

Jeff Williams: Well, the way I like to talk about it is we are trapped in orbit around Planet Risk. When we talk about cybersecurity, we talk about terms like breaches and attacks and attack surface and threat modeling and risk and incidents, and it's all negative. We talk about remediation time and vulnerabilities, and it's all attributes of Planet Risk. And we're trapped in orbit around that. And, every once in a while, every few years, someone makes a big stink about it and says like, "Hey, instead of just reacting to bad stuff, why don't we actually try to build stuff good in the first place?" And I call that Planet Assurance. And it would be great if we lived in orbit around Planet Assurance, we would talk about things like trustworthiness and evidence and assurance and defenses and traceability and things like that. But that's not the planet we live on. We gave up that planet. We migrated from there to Planet Risk about 20 years ago when the - you know, the real burst of software came in the early days of the internet. People were like, "I don't know, that sounds hard to do, the assurance thing. I've got to get this online so I'm just going to look for bad stuff and fix it if I find any and that's going to be good enough."

Dave Bittner: Yeah. What do you suppose, I mean, the incentives are then to - that this is the path we're on and to not change directions? You mentioned some of the historical things, but what's the ongoing pressure to keep the status quo?

Jeff Williams: Well, I think it's just easier to look for bad stuff and try to plaster over it than to try to actually do the work of building things that are fundamentally secure. You know, strong mechanisms, evidence that those mechanisms are the right ones to deal with the threats you're looking at, traceability and all that stuff that goes along with "Secure by Design" is actually - it's not that it's more difficult, it's just that it's where we are and it's hard to change.

Dave Bittner: Where do you suppose we're headed then? I mean, we have a new administration coming, it's already been announced that there's going to be new leadership at CISA. And I think there are folks who believe that the future of CISA might be in jeopardy. Where do you suppose we're going with this?

Jeff Williams: Well, it's a little hard to predict, but, if I had to guess, even if CISA didn't change at all, I think it would be very difficult for them to achieve any real meaningful progress in "Secure by Design." The only way I can see that happening is if there was legislation passed that enforced it, maybe through transparency or maybe through liability. We can talk about that a little bit. But there would have to be some legal pressure to do something. It can't just be like a, "Would you please build things more securely?"

Dave Bittner: Yeah.

Jeff Williams: That never works. But, given the fact that there's a new administration coming in who's likely going to be fairly opposed to new legislation like that, I really don't see anything changing.

Dave Bittner: Have any of the movements with things like SBOMs, you know, software bill of materials, has that moved the needle at all?

Jeff Williams: I'm a big fan of SBOMs. In fact, I'm a contributor to the CycloneDX project, which is one of the biggest SBOM standards and widely used. But I always saw SBOMs as a baby step in the direction that we wanted to go, more transparency. And, to a limited extent, people are using SBOMs and getting a little bit more transparency, a little more visibility into what's in the software that they're relying on, but it really hasn't made much of a broad difference in anything. It's just - it's a - like - it's a little bit like the ingredients on the side of your Cheerios box. Right? It sort of says what's in there, which is good to know, but it doesn't necessarily tell you that those Cheerios are healthy for you or not. In fact, with the exact same ingredients, my grandmother can make a beautiful apple pie and I could make a big steaming pile of garbage.

Dave Bittner: Yeah, right.

Jeff Williams: Just knowing the ingredients doesn't really tell you what you want to know.

Dave Bittner: Right, right. It reminds me of, you know, when I was a kid growing up, the advertisers would say, "This cereal is the fun part of a nutritious breakfast." You know?

Jeff Williams: You mean, it's full of sugar?

Dave Bittner: Right, right, exactly. Well, what about, you know, some of the pledges that some of these companies have made? You know, CISA has had a certain amount of success getting companies to pledge to do a better job. I guess the point here is that without any sort of regulatory oversight, they're only as good as the paper they're printed on?

Jeff Williams: Well, it's interesting, I mean, it's - making pledges is great, I wish the pledge had some teeth, but it doesn't really bind them to doing anything. So, I suspect it's mostly dead letter. But it is interesting that, at the same time government organizations are talking about transparency and people making pledges, they're also pursuing the idea of liability for insecure software. And those two things are in direct conflict. If you make insecure software a legal exposure, then do you really think companies are going to be forthcoming about being transparent and share the details of like, you know, what they're doing to secure their software and why it's secure? There's actually kind of a chilling effect if you go with a liability regime. And the EU just did that so it's - you know, it's kind of interesting times for cybersecurity in that respect.

Dave Bittner: Well, in a perfect world, what sorts of things would you like to see? What sort of policies should we prioritize here?

Jeff Williams: So, I think that, and this is given that the software is directly responsible for the - protecting almost everything that we care about in life, our finances, our healthcare, our government, our elections, our defense, I mean, everything, our social life, it's all controlled by software. And, so I think that, given that, people have a right to know what was done to secure that software, what defenses are in there, what threats was it designed to be resilient against, what did they do to assure it, how did they test it, stuff like that. Really, I'd love to see some kind of traceability that said, "Hey, here's what threats we envision for this thing." Maybe it's, you know, a new bank that opens. Right? You'd be - you'd like to know like, "Hey, what threats did you have in mind when you designed this software for this bank? What defenses did you put in place to stop those threats? How did you test those defenses? And how do you monitor in production to make sure you're not being attacked that, you know, to prove that your defenses are effective?" Like, that's a pretty simple disclosure. It doesn't require that bank to do anything they're not already doing. It's just, "Hey, tell me how you do it. And then I can choose which bank I want to use based on how they respond to that question."

Dave Bittner: Could there be some kind of a seal of approval? You know, I'm thinking of, you know, the old days, you had electrical devices were UL listed, you know, which just meant that somebody had taken a look at the way this thing was put together and put a stamp of a certain level of approval here. Is that even possible with something as complex as software?

Jeff Williams: I absolutely think it is. I studied dozens of different labeling regimes across a bunch of different kinds of products, like cars have labels, cigarettes have labels, drugs have labels, food has labels, movies have labels, even your refrigerator, it's got a label on it, an Energy Star label. And I learned a couple things about that. The first thing is simple labels almost always are more effective than complex labels. There can be standards underneath it and so on, but the top-level label can't have more than like a couple real things on it. And, so, you could just say like, "I meet some minimal set of criteria, I get five stars" or whatever. NIST looked into this under the Cybersecurity Executive Order. There was a program to look into this, both for mobile devices and for regular kinds of software. And I guess it really didn't go very far. But there are places in the world where these kinds of labels are used. The second thing I learned about those labels, though, is that even if consumers don't read the labels, they can still have massive effects on the market. And here's how this works. You know, imagine you have to be public about your bank and what security you put into there. Your legal team is going to say, "Hey, we can't go to market with something that says our bank has no defenses in place." And, so, they're very motivated to make sure that they say that that security is there. So, it affects them, just like a food company with - if they have to publish their list of ingredients, they're not going to say like, "Hey, this was made with arsenic."

Dave Bittner: Right? I'm curious, just for a moment, I'd like to get back to the topic of the EU that you spoke about briefly earlier. The things that the EU has put in place here, what is the effect that they are going to have globally, do you suspect?

Jeff Williams: Well, it's super interesting. Let me explain what they did. I know - I was very surprised by this because we've talked about transparency and sort of limited liability in this country with safe harbors and stuff, they took that dial and punched it all the way to the metal. They said, "We're going to go straight past like negligence and gross negligence and best practices. We're going to go all the way to strict liability." In fact, they call it no-fault liability, which means if you have a problem in your software that - they would call it a defect in the - this is in the Product Liability Directive that just went into effect about a month ago. They would say - and they said, "If you have a defect in your software that causes harm, you are liable. And you have to be transparent about allowing discovery so that the plaintiff can find out, you know, about the defect and so on." But they said, essentially, "You're liable for any harm that that defect causes." And it doesn't matter what you did to secure the software. It doesn't matter if you followed best practice or standards or you tested it with this or that. It just puts all the burden on them. Which is, from a legal jurisprudence perspective, really interesting. It says the developer is the least cost avoider. That's a Coase's theorem concept. And it's a way of putting the burden on the party that can most easily avoid those costs in society. So, it's like an economically efficient outcome. But, yeah, it's crazy. I mean, it is a dramatic change from anything we have in the United States. And, so, to get back to your question, how's it going to affect things worldwide, I think it could be pretty significant. So, the EU member states have two years to implement that new directive. And, over the course of those next couple of years, I think we're going to see lawsuits, I think we're going to see lawsuits against U.S. companies that are selling software in the EU. It applies to not just like, you know, products you install on your desktop or mobile app kind of stuff, it's any kind of software. So, if you've got a SaaS service that you're offering and people in the EU use it, they can sue you. It applies to open source, not directly because you can't sue the open-source provider, but anybody who uses open source, if that open source has a defect and you have included it in your product, then you're liable for that. So, it's really a massive change in the legal framework for cybersecurity.

Dave Bittner: No, that's really interesting. What is your perspective, again, you know heading into the future here, are you optimistic or are you pessimistic or are you somewhere in between? Where do you sit on the spectrum of where do you suppose we're headed here?

Jeff Williams: Well, I think it's always a safe bet in cybersecurity that not much is really going to change. I think, for the last several decades, we've seen software being built that has quite a lot of vulnerabilities in it. And, you know, I think Ponemon did a study recently where they said the average enterprise has 1.1 million vulnerabilities in their apps and APIs in their backlog that they're just - you know, haven't fixed yet. And I think, you know, unfortunately, I don't see anything on the horizon that's going to change that. Like we're not going to all of a sudden jump over to Planet Assurance and start doing things in a more disciplined way. You know, there's always new technologies coming out. I think AI is throwing a monkey wrench into the works right now and everybody's scrambling to figure out how to secure AI. But notice the pattern. We rolled out AI to the world and now we're trying to figure out how to secure it.

Dave Bittner: Right.

Jeff Williams: It's not the other way around and it never -

Dave Bittner: Right.

Jeff Williams: - has been. And, until that changes, I just don't see any other way for it to go.

Dave Bittner: Yeah. There's no, "First, do no harm" [inaudible 00:50:02].

Jeff Williams: No [inaudible 00:50:04] for developers?

Dave Bittner: Yeah. Interesting. [ Music ] Ben, what do you think?

Ben Yelin: Really interesting interview. I think I was very discouraged about the future of CISA back on January 20th 'cause I think there was a lot of angst and resignation among Republican lawmakers about certain functions of CISA. The now secretary of the Department of Homeland Security said that she wanted to significantly narrow CISA and its functions. I think that had to do with CISA's role in misinformation, policing misinformation. I think now there's been more of a recognition that, in terms of its actual cybersecurity work, they're pretty focused on the mission and they have buy-in from the administration. So, I'm feeling more positive about that than I was a couple of weeks ago.

Dave Bittner: Yeah, agreed. And, in fact, I saw an article in the past week or so that was talking about how many Republican senators have kind of backed off of that charge of getting rid of CISA as they are seeing the real present threats from China and Russia and the usual suspects -

Ben Yelin: Absolutely.

Dave Bittner: - and understand the need to keep up the pace of fighting that good fight. All right, well, again, our thanks to Jeff Williams for joining us. We do appreciate him taking the time. [ Music ] That is "Caveat," brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening. [ Music ]