Cybersecurity in the states.
Gary Barlet: I think you're going to have states that are either -- maybe some of the larger states or maybe states that have, you know, maybe great cybersecurity programs in their colleges, you know, that are -- that are recognized nationally, you know, they may fare very well under -- under this idea of more responsibility being given to them because they've got the resources to deal with it. My concern is, you know, the have nots, as you as you kind of call it, you know, there's other states where they may not be -- have as accessible to the same type of resources, the same types of skill sets. And that's, I think, going to create an imbalance.
Dave Bittner: Hello, everyone. And welcome to Caveat, N2K CyberWire's Privacy, Surveillance, Law and Policy Podcast. I'm Dave Bittner. And joining me is my cohost, Ben Yellen, from the University of Maryland Center for Cyber Health and Hazard Strategies. Hey there, Ben.
Ben Yellen: Hello, Dave.
Dave Bittner: On today's show, Ben has the story of a Virginia case relating to reverse keyword searches. I've got a highly unusual move by the DOJ against Maryland's district courts. And, later in the show, my conversation with Gary Barlet, former federal CIO and Air Force Cyber Operations Officer and current public sector CTO at Illumio. We're discussing how the Fed's approach to cybersecurity leaves some states much more at risk than others. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben. We've got some good things to cover here today. You want to start things off for us.
Ben Yellen: Sure. So I got my story from the Electronic Frontier Foundation. They are involved in a Virginia criminal case. They released their amicus brief in this case along with the ACLU. And this relates to reverse keyword search warrants. So background on the case, it was actually a pretty prominent, famous case. A guy by the name of Clements has been charged and convicted of pushing a woman out of his car. He pretended to be an Uber driver, lured her in, pushed -- pushed her out. It turns out she was, like, a Ukrainian immigrant. It was really tragic story. She lived, miraculously.
Dave Bittner: Yeah.
Ben Yellen: But he was charged and convicted. One of the grounds for his appeal is that some of the evidence used to obtain the conviction came from a reverse keyword search. The problem here, Dave, is I can't find any information on what he was alleged to have searched. I'm wondering if they keep that private. I can use my imagination to figure out what it was, and maybe some of our listeners who are familiar with this case might know what it was. All the public sources just say, like, they -- we did a thorough investigation and found out that he was searching for something in a Google search box. And that ended up being incriminating, and that helped lead to his conviction. Unfortunately, we don't know exactly what he was searching in the Google box. But I do think that's kind of beside the point here.
Dave Bittner: Okay.
Ben Yellen: So a reverse keyword search warrant is when the government goes to your Googles of the world, or, in case you use other search engines, which increasingly more people do because Google kind of sucks now. So, you know, maybe you're using ChatGPT. Or maybe you're using Microsoft Copilot or something.
Dave Bittner: Yeah.
Ben Yellen: But this was a Google search. The government goes to Google and says, within this -- this particular time period, under these parameters, who in this geographical area by ISP address searched for X? And X could be anything that might be incriminating in a criminal trial. So who searched for CSAM? Who searched for how to push an old lady out of a car?
Dave Bittner: Right.
Ben Yellen: Who searched for how to leave a crime scene without leaving -- leaving DNA evidence.
Dave Bittner: Right.
Ben Yellen: What happened at the trial court level is the criminal defendant raised this argument. And the Court said that, while reverse keyword searches do violate a person's reasonable expectation of privacy, the use of that search warrant in this case was reasonable under the circumstances, given the severity of the crime. So, if you weigh the competing interests here, the need to convict this guy who did something rather heinous against his personal privacy interests. The case is now on appeal. And what the Electronic Frontier Foundation and the ACLU are arguing is pretty much regardless of the circumstances of the particular case, this type of search warrant raises significant constitutional problems. So their case kind of boils down to the following. They think that these types of search queries are, A, a form of constitutionally protected speech. So the act of searching something online is an expressive activity. It's a way to receive information. People could be searching not-so-kosher things for completely innocent reasons.
Dave Bittner: Right.
Ben Yellen: It could be searching how to cover up the scene of a crime because you're writing a mystery novel --
Dave Bittner: Right.
Ben Yellen: -- which I think is critically important. And it is a form of expressive activity. People could use it for literary works, artistic works, political speech. There's the potential for a chilling effect. If you know that searches might be monitored, then people could be deterred from seeking information on sensitive topics. So, if I wanted to search something about an embarrassing health condition, I might be reluctant to do so because I could be concerned that it could be used against me in a criminal proceeding. And there's some other case law that talks about that chilling effect. They also draw parallels to the Carpenter case. So, in that case, Supreme Court ruled that accessing historical cell site location data without a warrant violates the Fourth Amendment.
Dave Bittner: Everything comes back to Carpenter.
Ben Yellen: It all comes back to Carpenter. And basically, like, the parallel here is that you're able to piece together a lot of personal information on what is ostensibly just metadata. But given the breadth and depth of the information you can learn, just like in Carpenter, this type of search is overbroad. In this case in particular, the warrant was based on a simple hunch. It was not something that they could prove in a court of law that they had probable cause to do. You never have any individualized suspicion. So you are searching every single user who used that search term. So it kind of resembles the type of general warrants that the Fourth Amendment was designed to protect us against.
Dave Bittner: Right. Let's go through this neighborhood and search everybody's house.
Ben Yellen: Right. And see what we can find.
Dave Bittner: Yeah.
Ben Yellen: And, in that case, it's also similar to the type of geofence warrants that we've talked about, like, who was in this particular area at this particular time.
Dave Bittner: Right.
Ben Yellen: The reason I think this goes beyond geofence warrants is just how broad it is because, at least with geofence warrants, you are constrained by the physical location.
Dave Bittner: Right.
Ben Yellen: Now, there are a lot of constitutional problems there because people could be at a physical location for completely innocent reasons, and they shouldn't be caught up in this dragnet. And, again, that's very controversial. But reverse keyword searches go beyond that. Anyone in the world could be searching for something on Google, not just for the offensive search term but for literally anything. And they are caught up in this dragnet because, to find the needle in the haystack, you have to search the entire haystack. And that's something that's particularly constitutionally problematic. So what EFF says is the only way these types of searches should ever be constitutionally permissible are if the person searched something very specific and uncommon so, like, an actual physical address that no one else would be searching; to have stricter time constraints and minimization protocols; and then greater judicial oversight with deleting data that wasn't necessary for this search. So I've been fascinated by reverse keyword searches for a while. It's a really interesting case. And I also -- and I'll just -- I'll stop after I say this. I promise. I think this has become more interesting because of generative AI because searches are getting a little bit more sophisticated. I don't know about you, Dave. But, like, for general knowledge searches, if I want to know, like, what time of year is most common for severe thunderstorms in Maryland, I'm not going to Google anymore. I'm asking ChatGPT. And I'm also going to be probably having a conversation with ChatGPT. It's like, okay. Well, they tell me it's July and August. Well, what makes it July and August?
Dave Bittner: Right.
Ben Yellen: Now, imagine if this was a conversation not about the weather in Maryland but about something incriminating.
Dave Bittner: Right. How do I hide a body?
Ben Yellen: Exactly?
Dave Bittner: Yeah.
Ben Yellen: I think that is going to be potentially a greater constitutional concern than what you put in a traditional Google search bar.
Dave Bittner: Okay. I have many questions.
Ben Yellen: All right. Yeah. I was talking for a long time. Sorry.
Dave Bittner: It's okay. It's okay. So the first thing that made me pause as you were describing this was the -- I -- correct me if I'm wrong here -- it was the court saying that we recognize there's a constitutional issue here. But, in this case, it was so important to the case that we're going to allow it. And that sort of malleability of the rules gave me pause.
Ben Yellen: Welcome to Fourth Amendment jurisprudence, my friend.
Dave Bittner: Okay.
Ben Yellen: So there are a couple of ways which the deck is kind of stacked against criminal defendants. The first is the good faith exception, which we've talked about.
Dave Bittner: Yeah.
Ben Yellen: If the rules are kind of unclear, even if the court comes out in that case and says all geofence warrants are unconstitutional, they're unlikely to vacate that conviction in that case because, when the police were conducting that investigation, they were doing so with a good faith understanding of what the law was at the time. That was before geofence warrants were declared unconstitutional, if that makes sense. So they were acting in good faith. The other thing is the Fourth Amendment doesn't prohibit all searches and seizures or even all searches and seizures done not pursuant to a warrant. It prohibits unreasonable searches and seizures. So that question of reasonability gets at competing interests. Assuming that you've established that there has been a Fourth Amendment search, which we have established that in this case, is that search reasonable? Well, you have to look at the context of the search. Here I think the search itself is problematic. But then, when you look at the competing interests, we have this -- this dangerous criminal. This might be our only chance to lock them up. Compare that to the invasion of privacy. It does give judges a little subjective leeway to come to their own conclusions. That's just the way reasonableness works.
Dave Bittner: Right. So the other thing that I'm curious about is, you know, we're talking about kind of the guardrails put on these reverse keyword warrants. I mean, suppose, you know, one day Ben Yellen is found, you know, dead on the sidewalk out in front of his house. And the police, you know, assumed that there was -- there's foul play involved, right?
Ben Yellen: They better. Yeah.
Dave Bittner: Right. So they go to Google. And they say, I want to know everyone who searched for Ben Yellen's address in the last 24 hours. I want everyone who searched Ben Yellen's name in the last 24 hours.
Ben Yellen: People could just be interested in my views on legal issues through the Caveat podcast --
Dave Bittner: Right.
Ben Yellen: -- even if they weren't trying to murder me, and all those people are caught up in the dragnet.
Dave Bittner: Okay. So this -- that's what I'm getting at. So the specificity of the address, let's say, because that's where you were found, is that likely to be more allowable than the broad search just on your name?
Ben Yellen: I think so because I think at least from EFF's perspective, the more you can narrow it in to something specific, the more it aligns with Fourth Amendment jurisprudence and what we intend the Fourth Amendment to be. The Fourth Amendment is, first and foremost, about specificity. We're looking for this thing or this person in this location. The closer you can get to that, the more likely you are to pass Fourth Amendment muster.
Dave Bittner: Right.
Ben Yellen: The further away from that you get, you start to get into the world of general warrants, which is let's go to Dave's house and rummage through his clothes and his drawers and see what we can find.
Dave Bittner: See what we find. Yeah.
Ben Yellen: And whatever it is, you know, whether it's illegal handgun or some dirty writings that we've founded in his journal.
Dave Bittner: My collection of embarrassing erotic poetry.
Ben Yellen: Right, which, you know, we all know that exists somewhere.
Dave Bittner: Sure.
Ben Yellen: Whatever it is, we're going to use that to prosecute you.
Dave Bittner: Right.
Ben Yellen: And the more you can focus on specificity, I think what EFF is saying is they'd rather not have reverse keyword searches at all. But, if we're going to have them, the court should really focus on that level of specificity. Do we have a specific place being searched? Is the time period narrow enough where we're not going to catch a huge dragnet of people? Because as popular as I'd like to think I am, if somebody was trying to murder me, I would guess that not that many people in the last 24 hours, for example, have searched Ben Yellen on Google.
Dave Bittner: Right.
Ben Yellen: But maybe a decent amount of people have in the last 365 days. And so those people get caught up in the dragnet.
Dave Bittner: Right. Hmm. Where do you suppose this goes next?
Ben Yellen: Well, it is going to the highest court in the state of Virginia, the Virginia Supreme Court, where they're going to consider these issues. Right now, it's a really unsettled area of the law. I think it's going to hew closely to the geofence warrants cases where Chatrie, which was also a Virginia case that we've talked about, uncovered some problems with geofence warrants. And perhaps at some point we're going to have a case that makes it up to the Supreme Court.
Dave Bittner: Oh.
Ben Yellen: So it's a long -- we're not quite on that path yet. We might have to have conflicting cases. There have only been a few criminal convictions that have been sustained based on these reverse keyword searches. So we're just kind of in the early stages of case law on this, and --
Dave Bittner: I can't believe I'm asking this, but is -- is -- because this is the effect you've had on me. Is this one of those fruit of the poisonous tree things where, if they find that this particular bit of evidence is no good, the whole case gets thrown out? Or will they still have enough other stuff potentially on the guy?
Ben Yellen: It depends on how much of the other stuff would have -- would have been discovered independently. But if -- like, let's say you get the reverse keyword search that leads you to a person's house, and in that person's house you find illicit material. If that original reverse keyword search is unconstitutional, anything that was gleaned from that original unconstitutional search is fruit of the poisonous tree and cannot be introduced at trial. So anything downstream from that. Now, if this is used among a bunch of other investigative tactics, and this is just one piece of evidence, then maybe the fruit of the poisonous tree doesn't apply if everything else would have been found independently, if you give law enforcement enough leeway to conduct an investigation.
Dave Bittner: Right, right? How many years into this are we, Ben, and I'm starting to know legal language.
Ben Yellen: Thinking like a lawyer. It's not too late for law school, Dave. We'd love to have you.
Dave Bittner: Oh yeah. That'd be great.
Ben Yellen: Would you like to go in hundreds of thousands of dollars in debt?
Dave Bittner: Yeah.
Ben Yellen: -- to learn a bunch of esoteric? Yeah.
Dave Bittner: That's what I need. I need a JD after my name.
Ben Yellen: Darn tootin.
Dave Bittner: Yeah. All right. Interesting stuff. And we'll have a link to that story in the show notes. Let's take a quick break here to hear from our sponsor. We will be right back. My story this week is also kind of fascinating and perhaps a little more general than the kinds of things that we talk about. But, quite honestly, I put this in here because I just really want to know what you think about this.
Ben Yellen: Yeah.
Dave Bittner: So I figure, if I do, our audience likely does as well. So this is a case where the Department of Justice has filed a lawsuit against -- wait for it -- the entire Federal District Court of Maryland.
Ben Yellen: Yep.
Dave Bittner: You want to unpack this, Ben. You'll probably do a better job than me.
Ben Yellen: Sure. So US District Court of Maryland has 15 judges, and they have all been sued by the United States Department of Justice under Attorney General Pam Bondi. Basically, what happened is the district court put a hold on the deportation of a bunch of individuals who are trying to assert their habeas corpus rights. So habeas corpus is a constitutional protection; literally translates in Latin to you have the body, which basically is a way for people to challenge the circumstances around their own confinement. So sometime in May the chief judge of this district court ordered a 48-hour pause in every single case where an individual migrant had petitioned to try to block their removal from the US with a habeas petition.
Dave Bittner: Okay.
Ben Yellen: And at least according to one law professor who's quoted here, the reason they did this is that there had been so many habeas petitions through so many people that courts needed time to consider all of these requests individually. And, as we saw from the Kilmer Abrego Garcia case, once somebody's out of the country, it becomes a lot harder to litigate this in our court system.
Dave Bittner: I see.
Ben Yellen: And that person was deported through administrative error and spent months in an El Salvadorian prison.
Dave Bittner: Yeah.
Ben Yellen: What this lawsuit alleges is that this undermined the authority of the Executive Branch to carry out deportation proceedings under their Article II powers. They're saying this is a form of, quote, judicial interference in executive prerogatives. I think this is an extremely aggressive action from the DOJ. It is highly unusual. It's not generally the way we resolve these types of disputes. What should have happened here is that the DOJ should have appealed the decision of the chief judge to the United States Court of Appeals in the Fourth Circuit, tried to obtain a stay on the chief judge's ruling; and, if they did not obtain that, then petition up to the United States Supreme Court to see if they could obtain a stay. There are six conservative justices. There's a good chance they could have reached a -- gotten a stay there. That would have been the remedy if they believed wholeheartedly that the district court had come to the wrong conclusion. It's highly unusual to file a lawsuit, not just against these -- not just against this Court in the abstract but against each of the individual judges in their professional capacity.
Dave Bittner: Yeah.
Ben Yellen: Because it's so unusual, this is the type of case that I think could absolutely end up at the Supreme Court. Is this a proper cause of action from the Department of Justice? I personally think it is not. But I am not always aligned on all legal issues with our esteemed Supreme Court.
Dave Bittner: Yeah.
Ben Yellen: So they've surprised me on things like this in the past.
Dave Bittner: Help me understand this because we have this single judge in Maryland who does the 48-hour pause, right? So what's -- why does the DOJ then come after every judge, every federal judge in Maryland, not just that one?
Ben Yellen: That's a great question. I think in their mind it was the chief judge speaking on behalf of the entire 15 judge panel.
Dave Bittner: I see.
Ben Yellen: And seeing that there -- I believe there were no dissents, at least to that order. The implication is that all 15 judges were on board. I don't know that that's a reasonable assumption at all, but that's what the Justice Department is assuming in their lawsuit.
Dave Bittner: And what's the effect of this lawsuit, then?
Ben Yellen: I mean, the real worry is that courts of law in the United States are going to be hesitant to rule as they interpret the law in their jurisdiction for fear that they're going to get a punitive lawsuit for damages from the Department of Justice, and they're going to be forced to waste their time litigating that case against the most powerful department in the country. That's really what concerns me here is generally all district courts have to worry about is that their cases are going to be appealed to the next highest court. That's customary. That's how our system is supposed to work. That's how we -- that's why we have this hierarchical system. But, if they are concerned about being sued over individual decisions in their capacity as judges, then the entire house -- house of cards holding up our judicial system collapses because people are going to be kind of looking behind their back as they make really monumental decisions that affect the interests of so many people in this country. And that's not the way it should be. You should be coming up with your best interpretation of the law given the facts at hand in that case, not cowering in fear because the Department of Justice is about to make your life hell for the next 12 months.
Dave Bittner: What do you make of the DOJ's assertion here that -- that Maryland overstepped their bounds?
Ben Yellen: So they are saying that there is precedent, going back to the Bill Clinton presidency, of the DOJ suing an entire court. So this is not, in their view, completely unprecedented. There was a case in the 1990s where then US attorney and now esteemed United States Senator Sheldon Whitehouse sued the entire court in Rhode Island over a rule about issuing subpoenas to attorneys. What this professor of law at Georgetown University said is, well, this is not completely unprecedented to sue a judge because we think the judge's action is wrong. It's certainly unusual and not the customary way of -- of going about its business. And, to add fuel to that fire, defending the district court panel is Paul Clemens, who was, I believe, the Solicitor General in the George W. Bush administration. So a very conservative jurist or a conservative lawyer, I should say. I don't think he was ever a jurist. The fact that he's taking up this case shows that I think there's some bipartisan pushback against what the Department of Justice is doing. Another interesting element of this is they can't hear this case in Maryland because it's a conflict of interest. So it's been moved to Virginia. A lot of other judges, retired judges who can say whatever they want at this point, now that they're retired --
Dave Bittner: Right.
Ben Yellen: -- have written a letter saying that this is a violation of the separation of powers. And I wonder if that's going to factor into the case as it makes it way -- its way through the federal court in Virginia.
Dave Bittner: Okay. And you think this could be on a collision course with the Supreme Court.
Ben Yellen: Definitely. Especially if the Department of Justice wins the case at the district court level in Virginia and if they win at the Fourth Circuit Court of Appeals. It's very possible that the judge who's been assigned this case in Virginia throws it out and says, we don't do cases like this. This is an abuse of power. Now, the DOJ would have the right to -- the right to appeal that decision, and they could be the ones who take that up to the Supreme Court. And that's a course of action that might happen.
Dave Bittner: Wow. People are taken off the gloves.
Ben Yellen: Sure are. You know, there are a lot of things that were customs that we just kind of never did, even though the tools were available to be used, especially from the Executive Branch. And, as the Executive Branch has accumulated more power through administrations of both parties, I think they've been more emboldened to directly challenge the authority of judges who they see as tyrannical, unelected judicial tyrants who are going against the expressed will of the American people. But that's kind of the point of judges, at least according to our constitutional system is they are supposed to be the guardrail --
Dave Bittner: Right.
Ben Yellen: -- against the passions of the Legislative and Executive Branch. So it does undermine the role of the judicial branch to file a suit like this.
Dave Bittner: Yeah. All right. Well, time will tell. We'll see how this one plays out. It's a fascinating one. We'll have a link to that story in the show notes. Tell you what. Let's take a quick break here to hear from our sponsor. We will be right back. And we are back. Ben, I recently had the pleasure of speaking with Gary Barlet. He is a former Federal CIO and Air Force Cyber Operations Officer. Currently, he's the public sector CTO at Illumio. And we're discussing how some of the changes in the federal approach to cybersecurity has left some states more at risk than others. Here's my conversation with Gary Barlet.
Gary Barlet: You know, there's a lot of talk about decentralization, pushing more down to the states, letting the states be more involved in dealing with, you know, lots of things, you know, from, you know, all the things that FEMA normally takes care of, you know, and now, you know, with the approach to cyber, cybersecurity and cyber defensive actions. I think that, when you look at the changes that are being made at the -- you know, the federal level, you know, with a lot of downsizing and a lot of resources being let go, I think there may have been a little bit of an overreach as far as the amount of downsizing that occurred in the federal government. I think there was a lot of talent that was let go that maybe should have been retained. I do have a little bit of concern there. But it does offer up an opportunity for states. You know, you've got oftentimes people that are looking for some sense of service, and those people may find a new home at the state level.
Dave Bittner: You know, I think it's common for people to say that the states are kind of the laboratories for the rest of the nation. Do you suppose that we'll see some opportunities for innovation or experimentation at the state level?
Gary Barlet: Absolutely. At least I hope so. I think that, because states are oftentimes, you know, less restricted by, you know, lots of, you know, onerous regulations and laws and those types of things, I think you're exactly right when you say that oftentimes you'll see a lot of innovation come out of different states. And hopefully, you know, that's something that other states learn from and then maybe even then translates into, you know, lessons learned at the federal level.
Dave Bittner: As you consider the different states in the union, do you suppose that there are going to be haves and have nots?
Gary Barlet: I do. And that's part of my concern about this delegation of responsibility down to the state levels. I think you're going to have states that are either maybe some of the larger states or maybe states that have, you know, maybe great cybersecurity programs in their colleges, you know, that are recognized nationally. You know, they may fare very well under this idea of, you know, more responsibility being given to them because they've got the resources to deal with it. My concern is, you know, the have nots, as you as you kind of call it. You know, there's other states where they may not be -- have as accessible to the same type of resources, the same types of skill sets. And that's, I think, going to create an imbalance. And it actually causes me concern because attackers don't recognize state boundaries. They're not going to be worried about, you know, only going after the states that -- that have resources. You know, they're going to go after the weakest link, as it were. A lot of times, those same states may have some of the most critical infrastructure for the nation residing in those states. So it causes me pause. It gives me great pause, and it causes me a little bit of concern.
Dave Bittner: Well, and I suppose, I mean, it's important to point out that, with these cuts that we've seen at the federal level, you know, certainly my understanding is they're not just passing the savings along to the states in terms of grants to empower them to take on these tasks. The states are going to have to look around and figure out how they're going to fund these things.
Gary Barlet: Yeah. Absolutely. You know, if I was seeing a whole bunch of money being thrown at the States, I might feel a little less unease. But, as you -- as you reference, that's not what we're seeing it. They're looking for those cuts to be realized as savings. I think there's still going to be some continuation of existing grant programs out there, but I'm not sure that they're going to be enough to offset this, this new level of responsibility and the cost of inheriting that response -- that responsibility. So, you know, I'm a little worried about how this is going to be funded, you know. And, again, money can't solve all the problems, right? There's got to be -- there's got to be skill set. There's got to be, you know, people available, you know. So I think that -- that there's going to be a disparity that's going to cause potentially some issues in the future.
Dave Bittner: What are some of the things that you think the states can do here going forward to best position themselves to handle these new challenges?
Gary Barlet: So one is -- and I have seen some reference to this is I think the first thing states ought to be doing is looking to see, you know, are there federal resources that they can -- you know, expertise that they can inherit, right, that they can hoover up a little, you know, as it were, and hire, as some of these people were being let go by the federal government, right? So -- so they can go after that expertise. I think that's one. Number two, you know, one thing that kind of works in the state's favors, states oftentimes do pretty good at cooperating with each other, right? When you think about, you know, all sorts of things when it comes to law enforcement agreements and those types of things, states -- states, I think, are a little more nimble and oftentimes a little more willing and able to put in place cooperation agreements. So hopefully they'll look at, you know, forming coalitions, you know, from a cyber perspective, you know, where they can do, you know, mutual aid and those types of things so that, if there are states out there that are having trouble getting resources, perhaps they can leverage the resources from, you know, a neighboring state that may have resources that could aid them.
Dave Bittner: You know, I suppose one of the big issues here is that this approach injects a lot of uncertainty for a lot of on people -- for a lot of people, you know, the funding, the personnel, even what the future holds because we don't know what the next administration may do or not do in response to these changes, be they Republicans or Democrats. It strikes me that that level of uncertainty is -- when it comes to cybersecurity is not helpful.
Gary Barlet: No. And I don't think it is, right. I think that -- I would love to see more strategy, more guidance, more vision coming out of the current administration, if nothing else, to give the states a roadmap to kind of follow, you know, or at least, you know -- you know, some guidance on how they should be approaching this. But I am very concerned about this, taking something that, from my perspective, is such a national threat and, you know, from a strategic perspective and breaking it up across, you know, all the different states. You know, whether -- whether there's good guidance in place or not, you know, trying to -- trying to figure out how to coordinate, you know -- you know, for 50 states, you know, reaction to, you know, some sort of attack that starts to spread nationally, I'm not sure how that's going to -- how that's going to fare.
Dave Bittner: Suppose you were a state CISO right now, and you were faced with this situation. What sort of things would you be doing? What sort of meetings would you be having and planning would be taking place?
Gary Barlet: So I'd be doing a couple things. And in some of this there, I know they're already doing, right? But, you know, making sure that I'm having, you know, a good relationship with, you know, with the local FBI office, right, because obviously that they're going to be involved, you know, from a -- from a threat analysis perspective, from an intelligence perspective, you know, and any other agencies that I've got in my -- in my state that could help provide me some insight, some guidance about the types of threats I'm going to be facing. I would be quickly talking to other state CISOs to talk about, Hey. How can we cooperate and graduate together here? You know, what can we -- you know, what can we do to leverage each other's capabilities? You know, how can we -- how can we help each other? And then I -- honestly, I'd be talking to my state legislatures and explaining that, hey. We've got this new huge responsibility that's coming down that is suddenly becoming our responsibility. We're going to need some help, right? This can't be done with -- with existing budgets and existing personnel. And this is something that, from a legislative perspective, is going to have to be addressed and addressed quickly.
Dave Bittner: Yeah. I wonder if, you know, the model that we see with things like the ISACs, you know, could -- you have regional state cooperation agreements. And I'm sure some of that already exists. But to see those sorts of things enhanced or maybe even supercharged, you could see that as being a potential future.
Gary Barlet: Yeah. Absolutely. And like, I say, right, you know, there are agreements I know that are in place. And when you see things like, you know, how do you know, local police departments, you know, from a state level, a county level, you know, cooperation agreements. You see, you know, anytime there's a -- an issue from a power perspective, right, you know, a hurricane hits one state, and you see resources surge to assist that state, you know. So the states are used to cooperating, you know, together like that. It may -- they may find it -- you know, they've been doing that in the past in the cyber realm. But they may realize that it's going to become much more important in the future because of this increased responsibility that's being delegated to them.
Dave Bittner: Ben, what do you think?
Ben Yellen: Really interesting. It's something that I pay attention to a lot, the disparity between states and how they can respond to cyber incidents.
Dave Bittner: Right.
Ben Yellen: Some states are very well-positioned, particularly the bigger states that have the type of resources to fight against all different types of cyberthreats. There are a lot of very small states in this country who could be the victim of cyberattacks who simply don't have those same type of resources. And that's a fault of our system of federalism. Theoretically, we should have a federal government that would protect the interest of all states, big -- big states and small states. But, if we're going to devolve those roles to the state, this -- that's kind of the risk we're going to take.
Dave Bittner: Yeah. I -- I've seen a lot of concern expressed, particularly over rural hospitals in underfunded states, that there -- they could be sitting ducks here.
Ben Yellen: Yeah, yeah. It's not the best time to be a rural hospital.
Dave Bittner: Yeah. For lots of reasons.
Ben Yellen: Yeah. Exactly.
Dave Bittner: Lots of reasons. Let me ask you this: Just bringing it back home, when you think about our home state, or my home state, your adopted state of Maryland, are we -- would we be considered a have or a have not when it comes to these sorts of resources?
Ben Yellen: I think we're more of a have than a have not. Maryland is not a huge state, but it is a medium-sized state. And I think, with some hiccups here and there, the state has done a good job in anticipating cyberthreats and putting together the government infrastructure to prevent -- protect our state and local governments. So I'm gung ho about the work that Maryland has done in this space so far, even though, you know, we have 10 electoral votes and California has 54.
Dave Bittner: Right.
Ben Yellen: So that represents the size of our difference.
Dave Bittner: Okay. Got it. All right. Well, again, our thanks to Gary Barlet from Illumio for joining us. We do appreciate him taking the time. And that is Caveat, brought to you by N2K CyberWire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please take a moment and check it out. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tr Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
Ben Yellen: And I'm Ben Yellen.
Dave Bittner: Thanks for listening.
