
Diving deep into critical infrastructure.
Dave Bittner: Hello, everyone. And welcome to Caveat, N2K CyberWire's Privacy, Surveillance, Law and Policy Podcast. I'm Dave Bittner. And joining me is my cohost, Ben Yellen, from the University of Maryland Center for Health and Homeland Security. Hey there, Ben.
Ben Yellen: Hello, Dave.
Dave Bittner: On today's show, Ben and I are joined once again by our N2K CyberWire colleague and editor of the Caveat newsletter, Ethan Cook. Welcome, Ethan.
Ethan Cook: Hey, guys. How are you doing?
Dave Bittner: We are doing well. And today we are digging into critical infrastructure. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right. Well, let's jump right in here. Critical infrastructure, I think let me start with some baseline stuff. What -- let me -- and I'll start with you, Ben. When you think critical infrastructure, what's the first thing that comes to mind?
Ben Yellen: I think of the things that, if they went down, we would be royally screwed.
Dave Bittner: Okay.
Ben Yellen: So --
Dave Bittner: How eloquent of you.
Ben Yellen: Yeah. Energy grid, anything relating to electricity, water supply, things that which slow down shipping routes and networks, key networks and systems that our government and private institutions rely on to keep things running generally.
Dave Bittner: Yeah.
Ben Yellen: So that's what I would -- that's the broadest definition possible of critical infrastructure. Anything that, in the absence of it working, would cause noticeable catastrophic damage.
Dave Bittner: Okay. Ethan, does that align with the research that you've been doing in preparation for today's episode?
Ethan Cook: Yeah. I think so. And I think, you know, it's one of those conversations that, as the nation and technology has evolved, the definition of critical infrastructure has evolved, right? And 20 years ago what we thought about in critical infrastructure has changed to what it is now, you know, with increasing reliance on telecommunications, increasing reliance on semiconductors, increasing -- increasing reliance on rare earth minerals, you know, that has changed kind of fundamentally how we look at some of these sectors.
Dave Bittner: Well, why is protecting critical infrastructure so different and I would say arguably harder than defending enterprise networks? Ethan.
Ethan Cook: Yeah. I think one of the key difference -- I think there's -- that's a big question. There's a -- there's two things, I think, that I would instantly jump to, which is, one, a huge amount of legacy systems and things that are not up to date or have not been replaced and are just inherently incredibly vulnerable by their design at this point because, you know, they are the -- it's really hard to replace pipeline infrastructure to keep it up with the modern changing world. And, as we have these legacy systems that continue to stay there, they continue to become more vulnerable as people have more time to figure out how to hack them. I think the other aspect of why they're really difficult and while, you know, enterprise networks are obviously privately owned, a huge amount of critical infrastructure is privately owned within the US. And that makes regulating them increasingly hard. And because it varies dramatically over each sector, it's not -- we can't just apply one broad, sweeping stroke to, you know, cover every single critical infrastructure sector. It has to be a far more nuanced approach.
Ben Yellen: The other thing to add is just because cybercriminals and malign actors know that the consequences of attacking our critical infrastructure are so large, that gives critical infrastructure added importance. It becomes a better, more ripe target for our adversaries; and, therefore, it becomes more incumbent upon us to protect it because they know that that's going to cause the most damage to us.
Dave Bittner: Yeah. I think about probably, in my mind, the number one thing that people think about is probably keeping the lights on, right, the electricity, you know, which I don't know. I suppose you could argue maybe water is --
Ben Yellen: Most important.
Dave Bittner: -- important things. But I think, when the lights go out, there's an immediate, sort of visceral response to that for all of us. And we are so blessed in this country of -- that we have unbelievably reliable electrical service, right, that it is noticeable when it goes out; we tend to not even think about it day by day. But what I think about is how these -- these legacy systems, as you said, Ethan, you know, the turnover rate for some of these bits of equipment, these -- these heavy machinery are measured in decades, not years, which means in a lot of cases you have systems that were never designed with the internet in mind, were never designed with that sort of connectivity in mind. And so, when a system like this was designed, the threats to it were perhaps physical. You know, somebody throwing a hand grenade over a fence or corporate espionage, someone -- a human being coming in and causing damage. Like hardening critical infrastructure used to be building higher fences.
Dave Bittner: Right.
Ben Yellen: Yeah.
Dave Bittner: Right, right. And now somewhere along the lines, for convenience, for cost savings, for all of these legitimate reasons we have -- pretty much all of these systems are now hooked up to some kind of network which inevitably leads to the internet. And so it makes the threat borderless. If I can come in and monkey with your electrical system and I don't need to be in your country to do it, that's a whole different game, right?
Ethan Cook: Exactly. And I think, on top of that, you have -- another aspect, another wrinkle to that difficulty is we have critical infrastructure is not bound by one state, right? There are companies that spread over multiple states. There are pipelines that go through multiple states. There are electrical grids that go through multiple states, right? So regulating and controlling that, being able to have an authority to go through that is really difficult, especially on a state-to-state level. And what one state may find acceptable, another state may not. And -- and that makes this patchwork system all over the place and inherently very inconsistent with each other. And I think to your point, Dave, it just invites attackers to want to go after these things because they know, if they can shut the lights off, if they know if they can destabilize something, that has severe ramifications for the US.
Dave Bittner: What do we suppose are the most pressing cyberthreats facing critical infrastructure today?
Ethan Cook: Yeah. So I think some of the most pressing cyberthreats that I would initially jump to is first one that comes to my mind as an example would be SolarWinds and the wreaking, you know, massive impact that that had on infrastructure. And I probably -- the second one after that would be CrowdStrike. Now, CrowdStrike was not an attack; that was a faulty patch that went out, but that impact shut down airlines for days. It was an absolute catastrophe. And the destabilization that did it, and that was just not even from an attack. That's, oh, we put out one bad patch, one thing that's not validated; and here are the ramifications of that. With SolarWinds, that was a faulty patch that got corrupted by, you know, a supply chain attack that then spread down and impacted numerous services. And I think, when you look at those two dynamics, they are, you know, reflective of a growing issue, which is it's not just about, oh, a bad guy goes in. It could be we put out a bad patch that's not validated that goes out. And both of those things have the capability of disrupting, and they are reflective of both China and Russia's intent to go after and kind of compromise these systems and target vulnerable infrastructure and sow disruption, as well as just even smaller nations. I think a really great example of a -- of an attack that disrupted a different form of critical infrastructure was the WannaCry attack that went after the healthcare industry. Healthcare is absolutely critical infrastructure. If we can't treat people, that's a huge problem. And, while WannaCry was incredibly short-lived, it made North Korea a ton of money in the short term and actively disrupted and harmed medical processes in the UK.
Dave Bittner: Is ransomware still the biggest concern, or are we looking at other threats taking ransomware's place?
Ethan Cook: I would say ransomware is still a huge concern. There has absolutely been a pivot on the ransomware side of concern over the past couple years. I still think that phishing attacks are a huge aspect to ransomware that I don't think anyone has really solved, and I don't think it's going to be solved in the -- in the near term. I do think a different aspect that is kind of coming and growing, it's really kind of taken off these past five years is less of a cyberattack but more so of an infrastructure support aspect, which is having the ability to, as we've become more technological, have a consistent access and supply to advanced semiconductors as we have -- as every -- you know, as we've said earlier, every industry is now becoming increasingly reliant on, you know, technological components of advanced semiconductor material. And having that is -- is almost essential to the modern world. And we saw after COVID there was a huge issue and huge concerns regarding the US' ability to access it and our dependency on foreign-made products. And that has been a huge pivot, both within this current administration, as well as Biden's administration, to address that as a -- as a huge vulnerability.
Dave Bittner: You know, I remember having a conversation with an expert in critical infrastructure cyberdefense. And one of the points that this person made was that, looking at some of the devices that are used to run a power grid, if you could cause the overload of and destruction of a major transformer, let's say, you know, take down a city or a town's power, these transformers aren't just sitting with spares nearby and that it could take days, weeks, or even months, to manufacture, transport, install a replacement. And that's just kind of the state of things. Like, when I learned that fact, it struck me as interesting that there isn't a strategic transformer reserve, you know.
Ben Yellen: Maybe we should establish some type of strategic stockpile, at least to maintain our critical infrastructure. You know how I say there's always a local angle. There was this incident in Maryland where two people conspired -- they were caught based on, I think, good law enforcement surveillance. But they conspired to take down transformers and transmission lines in the state of Maryland through like a hate motivated attack, specifically on Baltimore City. And the estimated cost of those attacks would have been $75 million, which, in the context of the federal government, is chump change. But, in the context of Baltimore City's budget, which is already deeply constrained, $75 million is a lot, not to mention, yeah. If we don't have those kind of backup sources readily available, the time it takes to restore power means that there's going to be added cost that emerges as the result of that incident.
Dave Bittner: Well, Ben, help us understand here. I mean, how -- how is the regulatory regime organized when it comes to these sorts of things? You know, who -- what do the feds take responsibility for? What do the states take responsibility for? What do local municipalities take responsibility for?
Ben Yellen: So generally, in the past, critical infrastructure was pretty diffuse. It was state and local responsibility. You think about who regulates the energy sector. Where do you get your water supply from? That type of critical infrastructure are generally state-run entities or state aligned entities. There are some federally managed assets that count as critical infrastructure. And we're talking about like defense installations, for example. But, for the most part, a lot of these are state entities. And, prior to 15, 20 years ago, I think they were pretty siloed. There would be a state utility. It's regulated by the state. Some of them are regional and apply to multiple states, but they're localized. I think what's happened in the last 10 or 15 years that the federal government has taken an advanced role in managing critical infrastructure, and it's done so in a number of ways. There was a presidential policy directive that was issued in 2013. If you're keeping track at home, folks, PPD 21.
Dave Bittner: Did you have that in your memory, Ben, or did you look that up?
Ben Yellen: I'll neither confirm nor deny. That was in my memory. It's easy for me to remember numbers when they're of some of my favorite sports players.
Dave Bittner: I see.
Ben Yellen: So I'll leave it at that.
Dave Bittner: Okay.
Ben Yellen: But you have this national strategy for critical infrastructure and resilience. This was a federal initiative under the Obama administration which identified sectors that are necessary for critical -- for maintaining critical infrastructure and then assigning federal agencies to oversee them. The NIST cybersecurity framework, I know there have been a number of revisions. But the initial framework which came out in 2014 addresses cybersecurity controls on critical infrastructure and then the critical -- the Cybersecurity Information Sharing Act of 2015 which set up a mechanism for sharing threats among states, among different entities so that all of us can understand the threat landscape. It's kind of an organizing role from the federal government. So those are the main federal authorities. Through those authorities, we've set up things like the multistate Information Sharing and Analysis Center, the ISAC; Joint Cyberdefense Collaborative; Supply Chain and Risk Management Program. Even the creation of CISA, which happened under the first Trump administration, was an effort to protect critical infrastructure because I think that's just the source of federal concern about cyberattacks is what happens if we lose our electricity, if we lose our energy supply, if we lose our water supply. So that's kind of what the federal government has done to take a more active role in regulating and protecting critical infrastructure over the past decade or so.
Dave Bittner: Are election systems considered critical infrastructure?
Ben Yellen: That is a very loaded question, although --
Dave Bittner: That's why I asked it.
Ben Yellen: I know it shouldn't be. I mean, let me reverse that. I know I think it should be.
Dave Bittner: Yeah.
Ben Yellen: Now, there are requirements, I think, in 98% of precincts nationwide that there be paper ballots as backup. So most election systems do not run solely on some type of computerized system. But, given the importance of having reliable infrastructure for managing our elections and managing voting rolls, I would say that election systems should qualify as critical infrastructure. I'm wondering if you agree with that, Ethan. And I know this is a controversial subject.
Ethan Cook: I would 100% agree that it should be considered critical infrastructure. I think that being able -- and not just for a presidential election but for state, local, midterms, off-year elections, all these things are incredibly important for us as a nation to be able to consistently vote, consistently hear the people, and not just, oh, we can tally the votes but we can ensure that within the systems that they aren't being compromised, that obviously DDoS attacks or taking down voting machines would be critical but also making sure that voter confidentiality and these -- even after votes have been submitted are able to be protected and secured. I think that I would consider that to be absolutely critical infrastructure. And the conversation regarding that has been making it controversial, per se, is, I think, approaching it from a -- the wrong perspective. Rather than saying, oh, is this about which side is winning, rather, thinking about it as who incentivizes and who wins from taking down the whole process. And that is a foreign adversary.
Ben Yellen: So can we give a little history here? Because I think that might elucidate the contours of this debate a little bit to the extent that -- that it is a debate.
Dave Bittner: Please.
Ben Yellen: So in 2017 the Department of Homeland Security designated key components of election infrastructure to be critical infrastructure. If you are looking at your timeline there, that would be in the first Trump administration. CISA took an active role in monitoring and doing threat assessments, looking at voter registration systems, election management systems, IT that's used by election offices, the tabulation systems. And this was an effort that was part of the Department of Homeland Security's federally mandated appropriations process, so they were tasked with performing this as an activity. And this is something that I think Christopher Krebs, when he was the head of CISA during the first Trump administration, took great pride in. So, after the 2020 election happened, Christopher Krebs spoke very publicly about how our election system was resilient and that America had just gone through a free and fair election. And you can only guess what happened next.
Dave Bittner: Don't have to guess.
Ben Yellen: So I think that's really important context here because we're not operating in a vacuum. This is something that's become politicized.
Dave Bittner: We'll be right back. Overall, do we feel like the critical infrastructure security is above the fray when it comes to the political winds? Do we have -- it seems to me like there certainly should be broad bipartisan support for keeping the lights on and the water drinkable. And, yet, we have in this -- certainly this specific case with election security where that didn't happen.
Ethan Cook: Well, and I think it's also spread a little bit past election security at this point regarding overall politicization of critical infrastructure. I think, you know, when you say the concept of -- you know, say it out loud that we should protect critical infrastructure, I don't think anyone fundamentally disagrees with that. I think most people would say, yeah. Absolutely. We -- you know, we should make sure people can drink their water. We should make sure that people have access to the internet, which is kind of critical infrastructure at this point; that elections shouldn't be tampered with by hostile actors, etc. But I think where it becomes politicized is the who and the how. You know, who's in charge with making that? And when you have a fundamental distrust of the federal government and the processes and the systems that it's made in place, people are going to inherently pull back and say, well, it should not be in the hands of a bunch of federal bureaucrats; that, whether perceived correct or not, is saying that we should decentralize the processes. And as Ben mentioned and kind of giving the historical context, we saw under -- from 2010 to 2020 this growth of federal centralization in this process with, you know, creating more public/private partnerships, drafting more agency responsibilities, etc. We are now kind of seeing the reverse of that process, which is we should not have federal government in charge of this. We should go back to the more state-led, regional-led focus that we were seeing. And I think that's where the politicization is really kind of starting to come in, outside of just from an election perspective.
Dave Bittner: Ben, you agree with that?
Ben Yellen: Yeah. And I don't want this to become like an anti-Trump diatribe because I do think there was some mission creep that I think was ill-advised on the part of some of our agencies that were protecting critical infrastructure. So, for example, I think the highest profile one is the role that CISA took in a public awareness campaign on election disinformation. That's something that I think obviously we don't want misinformation out in the ether. We don't want people's decisions on who to vote for to be misinformed by literal fake news. But I understand why that became politicized because there were certain things that were tagged under that umbrella of election disinformation that turned out to either not be disinformation or at least be the source of political debate so things like Hunter Biden's laptop or the lab leak theory. And I think that sowed some distrust among political conservatives against agencies like CISA and against efforts to regulate critical infrastructure because it began to be associated with something that was fundamentally antithetical to the prospects of Republicans winning elections. So I understand the concern about that level of mission creep. I think the impact of that, something that Ethan has talked about eloquently and I think it certainly is important to discuss is the result of that distrust in the second Trump administration is to cut off a certain amount of funding for CISA, a not insignificant amount, and to devolve a lot of the roles of regulating critical infrastructure to state and local governments. I think there's a lot going for having increased local control of critical infrastructure. Local governments are best situated to know what their critical infrastructure is, to do risk assessments, to allocate resources, etc. But there's a reason that this issue became federal in nature, and that's because all of these things are interconnected. And that's a point that, Dave, you made earlier, that power grids are connected. They're connected to the internet. The internet is global.
Dave Bittner: Right.
Ben Yellen: So you can't just work in silos. The other problem is a funding problem. I think when the three of us talked about this in the context of disaster management, emergency management we dealt with the same problem where devolving roles to state and local governments sounds good in theory but, unless it's coming with significant federal support, state and local budgets are strapped. They're always strapped. They've made decisions about budgeting, relying on federal funds to address things like protecting critical infrastructure. So, if they're forced to take an increased role in doing that, that money has to come from somewhere. And I've been following this stuff closely in the state of Maryland where we just went through kind of a big budget crunch. And you realize that, for every dollar we lose in federal funding, we have to make that up through spending cuts elsewhere or increased taxes, which nobody wants either of those things. Sorry. That was a long answer.
Dave Bittner: Well, there's -- is it -- how may -- clarify my understanding here because the states are kind of more hemmed in than the feds are when it comes to their budgets, right? Like many, many states, if not most, have to balance their budgets.
Ben Yellen: Yep. I think almost all of them -- I think there may be one or two exceptions -- in the state constitution there's a requirement that the budget remain balanced. So I know the way it works in Maryland. We have a board of estimates. They give us the best picture on a periodic basis of the difference between our spending levels and the amount of income we're earning through taxation, and the legislature has to work with that and come up with a budget that is balanced. Federal government has not had a balanced budget since fiscal year 2000. At least until recently, there was an understanding that we're the world's global reserve currency; so we can take on a good deal of deficit spending without it necessarily hurting us that much. Now, that's a whole other separate economics conversation. Certainly in the last few years increased government spending has caused increases in inflation, interest rates. So there are obviously costs to that. But, in the context of spending for things that are critically important like protecting our critical infrastructure, yes. The federal government does have more flexibility. They can deficit spend, and they've done so in every emergency of my lifetime. When COVID hit and we needed to protect people's jobs and make sure that small businesses could remain above water until we could all go back to shopping at stores and restaurants, the federal government undertook massive deficit spending under the first Trump administration to keep our economy afloat. And, frankly, it worked, especially relative to our peers across -- across the world. So, yes; there is far more flexibility at the federal level, which is one of the reasons that some role, at least in financing of these efforts, should belong to the federal government.
Ethan Cook: Well, and I think another aspect of the flexibility the federal government provides, the centralization of just one group managing a lot of things.
Ben Yellen: Right.
Ethan Cook: You know, when you have a bunch of state government, states, you know, to the decentralization aspect, every -- and it's not just from a funding perspective but from an education or a knowledge base perspective, different states are going to have access to different resources from a -- from a personnel perspective about how they should handle these situations, what -- what systems they should be looking at, what systems are the most vulnerable, keeping track of patches, etc. And having it previously all under CISA was a huge benefit because, since it's so all privately owned, having that CISA being able to coordinate saying, okay. You know, there is a -- let's say a hypothetical, an electrical company out in Pennsylvania who's seeing this. We know that an electrical company out in North Dakota has a similar structure. We should, you know, coordinate efforts to make sure that we're not only universally kind of all on the same page, but we're being able to track various developments, making sure that companies are put -- deploying patches, supporting them in deploying their patches, etc. because they do have a lot of legacy systems. And I think that was a huge argument to having it all under one banner. And to the point -- Ben's point with -- in terms of scope creep, I think, under Biden, there was a little bit of a scope creep that happened also with regarding of switching from voluntary requirements to mandatory requirements pretty quickly. And while obviously we -- it is a -- I think a lot of people will look at this and say, oh, mandatory requirements for security are beneficial. I think when you are implementing them broad sweepingly and there's already concerns about the -- about some of the programs that CISA's running, I think the reaction to remove CISA's power is a kind of reaction to both of them getting more involved in election programs, etc. but also becoming more involved in private infrastructure and, instead of being voluntary -- hey, we think you should do this, or here's a voluntary framework -- now saying you have to do this, or there will be ramifications. Businesses are going to inherently push back on that.
Ben Yellen: The thing that I think baffles me a little bit is that I think there's widespread agreement, particularly among folks in the private sector. And, honestly, like, people I've seen interviewed on this show and on the daily CyberWire podcast that the threat sharing or the information sharing aspect of CISA vis-à-vis critical infrastructure has been very successful. I think people have been reliant on it. It's been a huge value-added in identifying threats and coming up with patches before those threats manifest themselves. And so you wonder if there might be some private sector pushback at this decentralization effort or significant cuts in federal funding for agencies like CISA, just given how the private sector sees this.
Ethan Cook: Well, and I think the cuts to -- the cuts to MITRE, the CVE Program, that raised a ton of alarms when those -- when MITRE announced that it was -- it was ending that program. I think the information that companies get from federally funded threat hunting teams are pretty valuable to your point, Ben.
Dave Bittner: Is there a way to have whatever federal agency is responsible for these things to have the independence to be above the fray when it comes to the swings from one administration to the other. You know, I'm thinking of, like, the independence the fed has, right. You know, is -- is critical infrastructure a category that is important enough that it needs to have independent oversight?
Ben Yellen: I wouldn't have said so two or three years ago. Oh, actually, I'll take that back. I wouldn't have said so five or six years ago because I just didn't think there was any partisan divide in terms of hardening our systems to protect against attacks to our critical infrastructure. I think the fact that it now has become politicized at least calls for an examination of whether these agencies should have more independence. Unlike the fed, though, CISA doesn't really have any, like, actual regulatory power. The fed can adjust interest rates; and that affects all of our lives, our monetary supply, our mortgage rates, etc. CISA can give us useful information on threat vectors, but -- and it can give obviously comprehensive recommendations on things we can do to protect our networks. But it doesn't have the same type of enforcement authority, so I'm not sure it's as well-situated to have that level of independence, whether that might be just too much of an ask, especially if people in both parties want to exercise a certain level of ideological control when they're in power.
Ethan Cook: Yeah. I think I would agree with that. I think, given how CISA is, you know, allocated under -- or supervised under the DHS and obviously military spending or the military will always be a political arm for both sides, I think, in order for that to happen, there would have to be a pretty substantial movement within Congress to set up and establish CISA or whoever would be the next critical infrastructure group to be a fully independent new agency that operates as the fed does. And I don't think the support there is -- is there at the moment.
Dave Bittner: Ethan, where do you suppose we stand right now? The experts out there, when they look at our readiness, when they rate how well-protected we are, how enabled we are to protect these sorts of things, what sort of grade do they give us as a nation?
Ethan Cook: It's -- it's a kind of a tricky -- tricky answer. I think, you know, the line that I have always heard growing up and, you know, doing this research is that the US is perpetually behind the eight ball across a variety of sectors, that we have tons of legacy systems were -- that are not secured. We have tons of major risks that are -- we don't even are -- you know, some argue that we don't even -- that we're not even aware of. And I think that that mentality is reinforced by the yearly breaches we see that are not just, oh, you know, someone got their data exposed. It's, oh, we've lost the -- this infrastructure. Oh, this massive company had this happen. Oh, you know, this healthcare provider was shut down for a month or whatever it may be. That kind of reinforced that belief that we are not secure or as secure as we would like to be. I think that that conversation, while it does have some merits, I do think it's a little bit overblown; that we are -- we, over the past 15 years, have made pretty substantial strides in reducing the volume of attacks, in setting up strong defense systems, and improving supply chain resiliency, improving information sharing. And clearly these programs are valuable; and clearly they work, or we wouldn't be hearing their praises sung by so many. I think that, with this new administration and with this change and pivot, I think my concern is not so much will the legacy systems become more vulnerable? I don't think that they will become more vulnerable because they are already vulnerable to begin with. I think the bigger conversation is, will we be able to get response and things back to normal as quickly as we have been. You know, let's say the breach takes a month with the current system. Is that still a month, or is it more like three months of recovery? Four months of recovery? What does that actually look like? Because we will recover. I think the question is how long does it take? How much money does it take? Who's in charge of those processes?
Dave Bittner: Right. When you're cutting organizations like FEMA, for example, yeah.
Ethan Cook: Exactly.
Dave Bittner: Yeah. Ben, any final thoughts here before we wrap up?
Ben Yellen: I would just want to reiterate basically what Ethan just said is that we've done a lot of really important work over the past 15 years to improve information sharing, to have this kind of centralized agency that looks broadly at nation states and also domestic malign actors. And I would just hate to see us flush that progress down, down the toilet. Obviously, the current system isn't perfect. We've still had these high profile attacks that you've mentioned. But that would -- that would be my concern about an effort to devolve some of the work that the federal government has done to state and local governments.
Dave Bittner: I will close with an anecdote that I heard once told by someone who was deep into incident response for critical infrastructure. And I may not have all the details right, but I'm pretty sure I have the gist of the story right. They were doing some investigation into some old legacy computer systems, and they found that there was a crypto mining virus in the computer. So this is a virus that will just use the computer's cycles to generate cryptocurrency, and it just operates in the background. You know, does its thing. Doesn't draw attention to itself, so on and so forth. And the security folks said, Hey, you know, we found this thing. And the operator said, Yeah. I know. I know it's in there. The operator of the crypto, the crypto mining, well, the first thing they do when they come into your system is they clean out all of the other malware. They clean out all of their competitors so that they're not competing -- so they're not competing with anyone else. So this operator's strategy was, it's kind of like -- you know, it's like having a rat snake in your garden, you know. Like, every now and then you're going to come across the rat snake. And you might get a funny feeling about it, but you don't have rats.
Ben Yellen: Yeah. It's still there to eat the rats.
Dave Bittner: Right. You know, you don't have a rodent problem. Every now and then you got -- or maybe, you know, a rat snake in the hen house. You know, it's keeping the rodents out of the hen house. Every now and then it eats some eggs. But it's a -- it's a trade worth having. And that anecdote always stuck with me, that I think for a lot of these folks it's a pick your battles kind of thing. You know, we have -- we have to keep the lights on. We have to keep the water flowing, all those kinds of things. And we have to use the hand that's dealt to us. And sometimes, quite often, they are imperfect. And so we do the best we can. And some of that's whistling past the graveyard, but there's a lot of people out there doing a lot of good work to make sure that, you know, we get to enjoy civilization in a manner to which we've grown accustomed.
Ben Yellen: Including, frankly, many of the listeners to this show. Thank you to all of you who are out there keeping our critical infrastructure safe.
Dave Bittner: Absolutely, absolutely. All right. Well, that is Caveat brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
Ben Yellen: And I'm Ben Yellen.
Ethan Cook: And I'm Ethan Cook.
Dave Bittner: Thanks for listening.