Robert Sheldon: [00:00:10] It's a different, more sophisticated mode of operating adversaries are using, and it's happening everywhere - private sector and public sector alike. But it's something I think that people are paying a lot of attention to now, and they're going to continue to pay more attention to because it is a wicked problem.
Dave Bittner: [00:00:24] Hello and welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin from the University of Maryland's Center for Health and Homeland Security. Hello, Ben.
Ben Yelin: [00:00:34] Hi, Dave.
Dave Bittner: [00:00:35] On this week's show, Ben describes new proposed privacy legislation from Senate Democrats, I have a story from the Supreme Court of Pennsylvania on the Fifth Amendment and password privacy, and later in the show, my interview with Robert Sheldon, head of technology strategy for public sector at CrowdStrike. We'll be discussing federal cybersecurity and how efforts there connect to broader IT modernization initiatives. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. We'll be right back after this word from our sponsors.
Dave Bittner: [00:01:12] And now a few thoughts from our sponsors at KnowBe4. What do you do with risk? We hear that you can basically do three things - you can accept it, you can transfer it, or you can reduce it. And of course, you might wind up doing some mix of the three. But consider - risk comes in many forms, and it comes from many places, including places you don't necessarily control. Many an organization has been clobbered by something they wish they'd seen coming. So what can you do to see it coming? Later in the show, we'll hear some of KnowBe4's ideas on seeing into third-party risk.
Dave Bittner: [00:01:50] And we are back. Ben, why don't you get us started this week?
Ben Yelin: [00:01:53] Sure. So we have a piece of proposed legislation that was introduced by Senator Maria Cantwell in the United States Senate. She is a Democrat from Washington and has experience in the tech industry. And she has introduced the Consumer Online Privacy Rights Act. This would be a federal data privacy law, which, as we've talked about before, does not exist. There has been a patchwork of state laws, most notably we have a California statute, which is coming into effect. But there is this vacuum, this void, at the federal level that she's trying to fill, and this is a very bold proposal. The most controversial provision is giving users a private right of action against the tech companies for misusing their data.
Dave Bittner: [00:02:35] What does that mean?
Ben Yelin: [00:02:36] So if a tech company violates the law, misuses your data, this statute would allow any user the right to sue that company in federal court for some sort of monetary relief. And, you know, granting that private right of action is obviously very controversial because it could expose the entire industry to a multitude of lawsuits. The rest of the piece of legislation has a lot of very strong privacy protections. It gives users across the country the right to ask companies what information is collected about them. A company has to get a person's permission under the proposed statute to collect and share sensitive data, and what counts as sensitive data is defined rather broadly in this proposed piece of legislation.
Ben Yelin: [00:03:20] And there's also a couple strong enforcement provisions. The bill would allow the Federal Trade Commission to enforce increased privacy practices to protect consumers. They already have these powers in a variety of other industries, and it would extend that to relations with the tech companies. So this is a piece of legislation that, you know, in our current polarized political climate, probably stands little chance of passing in its current form. Senator Cantwell is in the Senate minority. So, you know, unless she can hack into Senate Majority Leader Mitch McConnell's mind...
Dave Bittner: [00:03:55] (Laughter).
Ben Yelin: [00:03:55] ...I don't see this piece of legislation being signed into law any time soon. But it's sort of - you can see it as kind of the opening bid by Democrats in what figures to be a long series of proposals for data privacy legislation.
Dave Bittner: [00:04:08] Yeah. We should point out the article here is from Tony Romm at The Washington Post. What are the areas of pushback that we can expect from Senate Republicans and from industry?
Ben Yelin: [00:04:19] The one I mentioned before, that private right of action, is probably going to be the biggest source of controversy. The other one is - Senator Cantwell's bill does not include a provision in which the federal government's privacy protections would preempt state laws, and that's something that the tech companies really want, and that doesn't exist in this bill. So to put that into plain language a bit - the tech companies obviously don't want to have to comply with 50 separate state privacy statutes.
Dave Bittner: [00:04:45] Right.
Ben Yelin: [00:04:46] If the federal government expressly put in a statute that their privacy protections preempt state law, then those state laws would no longer be enforceable. And, you know, that's something that's very important to the tech companies. They can have one industrywide standard across the country. They don't have to comply with a patchwork of laws.
Dave Bittner: [00:05:05] Right.
Ben Yelin: [00:05:06] And from their perspective, it's more likely that the federal governments will have less stringent privacy protocols and protection than a state like California. So they'd rather comply with whatever Congress comes up with than, you know, the California state Legislature. So that's something, you know, that - they'd be reticent to support this bill because it does not have that preemption provision.
Ben Yelin: [00:05:29] I will say Senator Cantwell seems amenable to including that provision, this preemption provision. And what this article suggests, which I think has a lot of merit, is maybe she put in that private right of action as a bargaining chip. So she can go to her Republican counterparts - and she's been working with Senator Roger Wicker of Mississippi - she can go to him and say, you can get your federal preemption - or we'll get rid of the private right of action if you can meet us halfway on federal preemption, or something like that. So I think this is really something to jump-start negotiations, to sort of lay down the marker on what Democrats want and expect from a data privacy bill and if they'll use it as a starting point for further negotiations.
Dave Bittner: [00:06:15] And I suppose noteworthy also - that Senator Cantwell, respected in the Senate for her experience in the tech industry, so she's a good person to be leading this charge.
Ben Yelin: [00:06:25] Yeah, she is. You know, she's been in the Senate since 2001, so she has some seniority. She does have that experience. She's earned her respect. She has, you know, bipartisan bona fides, which is important in a closely divided Senate. What she has working against her is the clock, right? So there's just a limit to what the Senate is going to be able to do prior to 2021. We're about to enter an election year. Besides, you know, the business of the country confirming nominees, you know, keeping the lights on, there's possibly going to be a months-long impeachment trial in the Senate.
Ben Yelin: [00:07:01] So there just might not be bandwidth to even consider this piece of legislation, even if she were to reach some sort of bipartisan agreement. So I think it's more about just staking a claim as to what, you know, she and her colleagues' ideal privacy protection law would be, and it is a very bold and interesting proposal.
Dave Bittner: [00:07:23] And I suppose - recognition, also, that there's a desire out there or a need for this, that they're hearing from their constituents that this is something people want.
Ben Yelin: [00:07:32] Absolutely. And I think there is a real grassroots movement for this. I think that was one of the reasons that the California privacy law was enacted. We've had these high-profile incidents over the past several years where there have been data breaches. Certainly, what happened with Cambridge Analytica and Facebook was a catalyst for this movement for more robust privacy protections. Now that this proposal is out there, I'm wondering if there's another high-profile incident, another high-profile data breach, another high-profile incident of the tech companies using our data for nefarious purposes, maybe this is something that might get more popular support.
Dave Bittner: [00:08:07] So even if it doesn't gain immediate traction, they have it in their back pocket...
Ben Yelin: [00:08:13] Exactly.
Dave Bittner: [00:08:13] ...To come to - to bring forward should public opinion demand it.
Ben Yelin: [00:08:18] Right. So...
Dave Bittner: [00:08:19] Yeah, that's interesting. Yeah.
Ben Yelin: [00:08:20] So if there's some major incidents, you know, the public gets riled up and Senator Cantwell can say, hey, you know, we have a plan for that, to use the parlance of one of the presidential candidates.
Dave Bittner: [00:08:29] Right (laughter).
Ben Yelin: [00:08:32] You know, and I think that's a good purpose of proposing legislation, is you're trying to preemptively attack a problem before it sort of gets into the public consciousness so that when that problem really becomes politically salient, you're there with a potential solution. I think that's what she's trying to do here.
Dave Bittner: [00:08:49] All right. Well, certainly worth keeping an eye on, and we will do that (laughter).
Ben Yelin: [00:08:53] Absolutely.
Dave Bittner: [00:08:55] My story this week is a ruling from the Pennsylvania Supreme Court, and they have ruled that the police cannot force you to tell them your password. Let's unpack this together, Ben, because there's a lot here, and there's some history here.
Ben Yelin: [00:09:12] Yes.
Dave Bittner: [00:09:12] Can you sort of share with us the ping-ponging back-and-forth when it comes to whether they can or they can't and where we find ourselves today with this ruling?
Ben Yelin: [00:09:20] So first, I should say, I will try to answer this without a lot of legalese.
Dave Bittner: [00:09:24] Good (laughter).
Ben Yelin: [00:09:24] Because there are a lot of, like, doctrines in here...
Dave Bittner: [00:09:26] Yeah. OK.
Ben Yelin: [00:09:27] ...That, you know, are going to mean nothing to someone who hasn't had the displeasure of sitting through a law school class.
Dave Bittner: [00:09:32] Good luck with that. And I'll give you an evil eye if you...
Ben Yelin: [00:09:37] Yes.
Dave Bittner: [00:09:37] ...Stray too far (laughter).
Ben Yelin: [00:09:39] I will need your guidance on this.
Dave Bittner: [00:09:40] All right. Well, go for it.
Ben Yelin: [00:09:41] So the Fifth Amendment to the United States Constitution says that you cannot be forced to testify against yourself. This is the so-called right against self-incrimination.
Dave Bittner: [00:09:50] Right.
Ben Yelin: [00:09:50] So a court of law cannot force you to testify in court in a way that would incriminate you, that could get you convicted. This only applies to what's called testimonial evidence. So it wouldn't apply - and I think we've talked about this, for example - in a nontestimonial circumstance, like being involved in a police lineup. Even though that is an action that would incriminate you, it's nontestimonial. So the Supreme Court has said it does not apply in those circumstances.
Dave Bittner: [00:10:18] So testimonial means me saying something....
Ben Yelin: [00:10:20] Right.
Dave Bittner: [00:10:20] ...Me sharing some information that I have - that's testimony.
Ben Yelin: [00:10:24] Right.
Dave Bittner: [00:10:24] OK.
Ben Yelin: [00:10:24] So generally, the way it's talked about is sharing the contents of one's own mind.
Dave Bittner: [00:10:28] OK.
Ben Yelin: [00:10:29] Now, there's this legitimate question that's been presented in cases across the country as to whether a passcode is the contents of one's mind. We've had some conflicting judicial opinions on this in various state and federal courts. It seems like there's a consensus starting to form that, yes, this is testimonial evidence, being forced to type in your own passcode, and yes, this is revealing the contents of one's own mind. You're forcing someone to reveal what's in their brain. You know, that's what a passcode is - it's something that we know and remember. And if we're forced to type that into a phone, that would violate that protection against self-incrimination.
Ben Yelin: [00:11:09] The complicating factor here is there's this long-standing Supreme Court exception to the right against self-incrimination - this thing called the foregone conclusion doctrine. And what prosecutors have tried to argue is that this foregone conclusion doctrine holds that the Fifth Amendment doesn't apply if it's inevitable that law enforcement will be able to get access to relevant information.
Ben Yelin: [00:11:35] So sort of the test there is law enforcement already knows exactly what's on that protected device, they will get access to it, you know, they already can prove with some certitude that there's incriminating information on that device - the rationale there is simply having somebody type in a passcode shouldn't be, you know, the be-all and end-all in terms of having relevant evidence to prosecute a criminal case.
Dave Bittner: [00:12:02] Right. We're just speeding things along here.
Ben Yelin: [00:12:04] Exactly.
Dave Bittner: [00:12:05] Yeah.
Ben Yelin: [00:12:06] You know, I think it's something of a practical judicial doctrine.
Dave Bittner: [00:12:09] OK.
Ben Yelin: [00:12:10] Now, there are questions on how - the extent of that foregone conclusion exception, does that apply in all circumstances? Does that only apply, you know, as certain civil liberties groups argue, when we're dealing with something like business records? Which isn't really the content of one's mind; it's something that the telephone company has written down as part of their day-to-day business records.
Dave Bittner: [00:12:32] OK.
Ben Yelin: [00:12:32] So the Pennsylvania Supreme Court agreed with some of these civil liberties groups, including the Electronic Frontier Foundation, that this foregone conclusion exception does not apply. And they said, requiring the Commonwealth - the Commonwealth of Pennsylvania - to do the heavy lifting, indeed, to shoulder the entire load in building and bringing a criminal case without a defendant's assistance may be inconvenient and even difficult; yet to apply this exception, the foregone conclusion, rationale in these circumstances would allow the exception to swallow the constitutional privilege. Nevertheless, this constitutional right is firmly grounded in the realization that the privilege, while sometimes a shelter to the guilty, is often a protection to the innocent.
Ben Yelin: [00:13:15] That's a universal principle. I mean, that applies to all constitutional protections, you know, in the realm of criminal law, you know...
Dave Bittner: [00:13:23] Is that the notion that sometimes, you know, bad guys are going to get away with things, but it's worth it in our efforts to try to protect innocent people from being...
Ben Yelin: [00:13:34] Absolutely.
Dave Bittner: [00:13:35] ...Unfairly, you know, locked up?
Ben Yelin: [00:13:36] Right. Because for every bad guy who, you know, gets off scot-free because, you know, it's difficult for law enforcement to make their case, there's an innocent person who's protected under these provisions. And that's sort of the rationale of the Pennsylvania Supreme Court. Yes, it's going to be much harder for law enforcement to obtain this evidence if they're not able to compel a person to enter in a passcode. But what this court is saying is that's the price they're going to have to pay to protect individuals' freedom and individuals' privacy in their device and the contents of their own mind, which is that passcode.
Ben Yelin: [00:14:09] So, you know, for those of you who live in Pennsylvania, you now know that if law enforcement tries to compel you to enter in your passcode, you do have constitutional protection. And I should note that this is a case that similar cases are pending in state courts and federal courts across the country. And I think as we've talked about before, because there's been some disagreement on this, because it's coming up so frequently in state and federal courts, this is something that might make its way to the United States Supreme Court.
Dave Bittner: [00:14:38] Yeah, that was my next question. I mean, for you and I, for example, living here in Maryland, does this ruling in Pennsylvania have any bearing on us whatsoever?
Ben Yelin: [00:14:47] It certainly does not. I can be safe. I'm driving up to Syracuse for the holidays.
Dave Bittner: [00:14:52] (Laughter).
Ben Yelin: [00:14:52] So, you know, that...
Dave Bittner: [00:14:54] While you're on the road.
Ben Yelin: [00:14:55] Right. That requires me to be in Pennsylvania for a few hours...
Dave Bittner: [00:14:58] I see.
Ben Yelin: [00:14:58] ...For better or worse. So while I'm there, you know, it applies. I can feel safe.
Dave Bittner: [00:15:02] All rules are off, right?
Ben Yelin: [00:15:02] Exactly.
Dave Bittner: [00:15:03] You're just going to be - yeah, all right.
Ben Yelin: [00:15:04] But for the portion of my trip in Maryland and New York, you know, that's not something that's going to apply. Those are the consequences of having our system of federalism: sometimes there are going to be different rules depending on how courts rule in different states.
Dave Bittner: [00:15:18] So it would take this getting before the Supreme Court for us to have something that covers the entire nation.
Ben Yelin: [00:15:25] Exactly. To have any sort of nationwide applicability - unless, you know, there could be a lower federal court, either a district court or a court of appeals, that, you know, make some sort of claim that forcing somebody to enter a passcode violates the Fifth Amendment right against self-incrimination. They could conceivably issue a nationwide injunction that would apply across the country. That injunction would prevent law enforcement at all levels from being able to access those devices. The Supreme Court could stay a nationwide injunction at any time, you know. So lower courts know that, so they might be reticent to apply that injunction. But, yeah, for now, it applies in Pennsylvania. There are similar cases. I think they note a couple of other states where this is coming up. Indiana was one of them, New Jersey. So, you know, this is an issue that's not going away. And I think this is something that we very well might see in front of the Supreme Court in the next couple of years.
Dave Bittner: [00:16:15] It's interesting to me that this was a 4-3 decision in Pennsylvania, so not overwhelming, you know, one way or the other. I'm curious, in your tracking of this, has there been any sense that - is this tracking state by state? You know, are conservative states going one way and progressive states going another way? Is there - is it tracking like that at all? Do you have any sense?
Ben Yelin: [00:16:37] It seems to be a little bit more - I wouldn't say random, but it's not, like, coming down neatly on partisan lines. There have been judges - I mean, we've seen cases in Florida, which is not exactly a progressive paradise necessarily...
Dave Bittner: [00:16:49] Right, right.
Ben Yelin: [00:16:50] ...That have held similarly in cases like this. And there are some - you know, I look at Supreme Court justices who have very conservative track records like Justice Gorsuch and even Justice Kavanaugh, who, in terms of protections for criminal defendants, come down very strongly on the side of those defendants. And you could see them in a, you know, digital privacy case like this taking that position, even though they're not what we would think of as progressive judges. So, yeah, this doesn't seem to me like one of those issues where, you know, it's a proxy for your political affiliation. You know, it's not like abortion, for example...
Dave Bittner: [00:17:26] Right, right.
Ben Yelin: [00:17:26] ...Or one of these other hot-button issues. I think it's something where there are good faith disagreements about whether this counts as testimonial evidence and whether this foregone conclusion exception applies.
Dave Bittner: [00:17:38] All right. You have one other little item you wanted to recommend this week.
Ben Yelin: [00:17:43] I did. So I've been a longtime fan of the comedian Sacha Baron Cohen. We were talking about before we started recording that I've never laughed harder in my life than some of his segments on "Who Is America?" There's a silly side to him. And then there's a serious side where he's, you know, disguised himself as certain characters and has gotten very powerful people to sort of let down their guard and reveal their prejudices. So he went and gave a speech. He was receiving an award from the Anti-Defamation League. And he gave this 24-minute-long speech about the threat of social media on our democracy, specifically the threat of what he called the Silicon Valley six, the most powerful executives in Silicon Valley, people like Mark Zuckerberg, who are so concerned about monetizing their content and drawing eyes to the most controversial social media posts that they're poisoning our democracy with ideas that are very dangerous. And in his view, you know, yes, the right to free speech is fundamentally important, but free speech - and I think this is an exact quote from his speech - does not account to freedom of reach, meaning there's no constitutional requirement or moral requirement that Facebook or any other tech company amplifies some of these, you know, dangerous ideas, this racism, neo-Nazis, homophobia, et cetera. Part of the reason the speech was so powerful was it was coming from such an unlikely source. But, you know, for anybody who's interested in potential regulation of tech companies, you know, and certainly there are very valid arguments on both sides, I would highly recommend watching it.
Dave Bittner: [00:19:28] Yeah, I agree. I enjoyed it very much. I think it's very thoughtful. I think he makes really strong cases for the things that he believes in. And even if you don't agree with everything he says, it's provocative. It's - there's a lot to unpack and think about here. And I don't know that I've seen these arguments laid out in such a complete and easy-to-understand way as what he does here.
Ben Yelin: [00:19:51] Yeah. That's why it was so compelling is, like, he's obviously - he's an entertainer, so he knows how to give an entertaining speech.
Dave Bittner: [00:19:58] Right, right.
Ben Yelin: [00:19:58] You know, there were many points in the speech where I was laughing, but there are many points in the speech where it was very serious.
Dave Bittner: [00:20:04] So we'll include a link in the show notes for it. We do recommend checking it out. I think it's worth your time.
Ben Yelin: [00:20:11] Absolutely.
Dave Bittner: [00:20:12] All right. It is time to move on to our Listener on the Line.
[00:20:15] (SOUNDBITE OF PHONE DIALING)
Dave Bittner: [00:20:19] And this week, we have a listener who sent us his question. His name is Stefan (ph). And here is his question.
Stefan: [00:20:27] Hi, my name's Stefan. I'm from Winnipeg, Manitoba, in Canada. And I've been assistant admin for about 4 1/2 years. I've noticed that everywhere I work, there has been the same precaution of setting up mobile device management apps on any personal phones or tablets that we use to view company emails. The mobile device management's key use is that if a phone is lost or stolen, we can wipe data from the phone remotely, keeping the company's data secure. In fact, general e-liability insurance is sometimes contingent on the ability to do this. Every time I'm introduced to this practice, I almost talk myself out of a job trying to insist that we get written consent and a lawyer to write up the consent form. My worry is that the phone could have personal data like family photos, important text documents or even crypto coin wallets. If the data is wiped, I fear the user could have some merit in court to say that we've destroyed something valuable to them. I'm curious as to what your recommendation is concerning mobile device management apps and what legal precautions to take when deploying them on personal devices.
Dave Bittner: [00:21:20] All right. Interesting question, Ben. What do you think here?
Ben Yelin: [00:21:22] Yes. First of all, thank you, Stefan, for a very interesting question. So the way the law works across the United States - and I should give - not to mention the name of our podcast, I should give that caveat that everything I'm about to say applies...
Dave Bittner: [00:21:36] (Laughter) Well played, well played.
Ben Yelin: [00:21:39] Yeah, I know - applies only in the United States.
Dave Bittner: [00:21:41] Yeah.
Ben Yelin: [00:21:41] But there are certainly no, at this time, state or federal statutes dealing with whether a person has a cause of action if a company wipes data from that person's personal device. So many businesses have BYOD policies - bring your own device.
Dave Bittner: [00:21:59] Right.
Ben Yelin: [00:21:59] Sounds like, you know, the worst party you could go to in college.
Dave Bittner: [00:22:05] (Laughter).
Ben Yelin: [00:22:06] And these policies come with terms and services. So, you know, if you're an employer, you want to write in very plain English exactly what it means for your employee to be using that personal device to conduct business.
Dave Bittner: [00:22:19] Right.
Ben Yelin: [00:22:19] And most of those agreements have a provision that says if your personal device is lost or stolen, we, for security purposes to protect our own data, can wipe the data from that device. And you are sort of assuming that risk when you choose to use that personal device for business purposes. Now, you know, what's sort of unfortunate from the user's perspective is they very often might not have a choice. If they're not issued a company device, they may be forced to use their personal device for business purposes. So, you know, the best that an organization can do is just make it very clear in plain English, not in legalese, in those terms and services when you sign your employment contract that the business or organization retains that right.
Ben Yelin: [00:23:04] You know, I should also say there aren't state and federal laws right now protecting the user from data getting wiped, but this is sort of a hot area of the law. We've seen some states like California sort of toy around with this idea. So this is something that, you know, employers should pay attention to. This is something, you know, you might see a state statute that gives employees a right of action in these types of circumstances. I wouldn't be that surprised to see that in the next couple of years. But great question.
Dave Bittner: [00:23:33] Yeah, I think also just from the practical point of view, it seems to me that in terms of protecting your personal things on your device - your photos, your personal emails, your whatever - if you're going to be co-mingling on your device this way, have a system in place that's automatically backing all that stuff up off the device regularly, whether using something like, you know, Google Photos to back up all your photos. All of these providers have different cloud options that are out there. So there's certainly no shortage of those.
Ben Yelin: [00:24:02] Right. And that's probably outside, you know, having the opportunity to get a separate device for work.
Dave Bittner: [00:24:07] Right.
Ben Yelin: [00:24:07] That's probably the best option a user has is just to make sure anything that's private, anything that's personal that you want protected, back up very frequently. Make sure that you're not, you know, exposing yourself to the risk that some of your most sentimental pictures are going to be deleted because somebody takes your personal device.
Dave Bittner: [00:24:25] Yeah. And I suppose check in with the security and IT folks to make sure that their reach doesn't extend beyond what you have in mind, that you're all on the same page. In other words, you know, if they wipe the device, they're not going to be able to reach out to any of your cloud backups and claw anything back from there, you know?
Ben Yelin: [00:24:43] Exactly.
Dave Bittner: [00:24:44] You don't want there to be any surprises.
Ben Yelin: [00:24:46] No. And that's why I think it's very worthwhile for both employers and employees - have a conversation when employment begins. Make this part of your standard training practices. Explain exactly what rights the organization retains in wiping data, in the event that the device is misplaced. Make sure employees understand the risks. And don't bury it in 100 pages of terms and conditions because, you know, you don't want that surprise to happen.
Dave Bittner: [00:25:12] Do you think it's reasonable, as an employee being onboarded, for me to say, you know, if I don't want that convenience of having it all on my personal device, do you think it's reasonable to say, no, I'm not going to do that - you need to provide me with a separate work device?
Ben Yelin: [00:25:27] Not really.
Dave Bittner: [00:25:27] No?
Ben Yelin: [00:25:29] You know, I mean, it's...
Dave Bittner: [00:25:31] Is that a, meanwhile, back in the real world, kind of thing, yeah? (Laughter).
Ben Yelin: [00:25:35] Yeah, it's like - you know, employers will or won't hire you...
Dave Bittner: [00:25:38] Right. Right.
Ben Yelin: [00:25:38] ...You know, if you make demands like that.
Dave Bittner: [00:25:40] A great way to start off with your employment with...
Ben Yelin: [00:25:42] Exactly.
Dave Bittner: [00:25:43] Yeah. All right.
Ben Yelin: [00:25:43] And they're, in no sense, legally bound to offer you, you know, some sort of work device, nonpersonal device.
Dave Bittner: [00:25:50] Yeah.
Ben Yelin: [00:25:50] You might come off as kind of a needy person. Maybe that's OK.
Dave Bittner: [00:25:54] (Laughter) Yeah.
Ben Yelin: [00:25:54] You know, if you're somebody who's been headhunted and so, you know...
Dave Bittner: [00:25:59] Right. If you're in the position to - yeah.
Ben Yelin: [00:26:01] Exactly.
Dave Bittner: [00:26:02] Yeah.
Ben Yelin: [00:26:02] That you can secure that as a condition of your employment. But if you're just somebody who is entering the workforce...
Dave Bittner: [00:26:08] Yeah.
Ben Yelin: [00:26:08] ...It's not something that you're really going to be able to demand.
Dave Bittner: [00:26:11] Yeah. All right. Well, thanks to Stefan for sending in that question. We do appreciate it. And of course, we do want to hear from you. If you'd like to send in a question, you can send it to email@example.com. We also have a calling number - that is 410-618-3720. That's 410-618-3720. So either send us an audio file or call in and leave your question, and there's a good chance that we will use it on the show.
Dave Bittner: [00:26:40] Coming up next, we have my interview with Robert Sheldon. He's the head of technology strategy for public sector at CrowdStrike. But before we get to that, a word from our sponsors.
Dave Bittner: [00:26:51] So let's return to our sponsor KnowBe4's question - how can you see risk coming, especially when that risk comes from third parties? After all, it's not your risk - until it is. Here's Step 1 - know what those third parties are up to. KnowBe4 has a full GRC platform that helps you do just that. It's called KCM, and its vendor risk management module gives you the insight into your suppliers that you need to be able to assess and manage the risks they might carry with them into your organization. With KnowBe4's KCM, you can vet, manage and monitor your third-party vendor security risk requirements. You'll not only be able to pre-qualify the risk; you'll be able to keep track of that risk as your business relationship evolves. KnowBe4's standard templates are easy to use, and they give you a consistent, equitable way of understanding risk across your entire supply chain. And as always, you get this in an effectively automated platform that you'll see in a single pane of glass. You'll manage risk twice as fast at half the cost. Go to kb4.com/kcm and check out their innovative GRC platform. That's kb4.com/kcm. Check it out.
Dave Bittner: [00:28:08] And we're back. Ben, I recently had the pleasure speaking with Robert Sheldon. He is the head of technology strategy and public sector at CrowdStrike, certainly a well-known organization. And we discussed a variety of things, including federal cybersecurity and how they need to connect with broader IT modernization initiatives across both federal and the private sector. Here's my conversation with Robert Sheldon.
Dave Bittner: [00:28:32] Let's talk about the state of things when it comes to the feds here in the U.S. I mean, by your estimation, where do we find ourselves today when it comes to federal cybersecurity?
Robert Sheldon: [00:28:43] I think there is a lot of attention on federal cybersecurity, and there's a lot of people working on it from a lot of different angles. There's people who focus on it at a White House level and at the OMB level that are looking at this more programmatically, looking at IT modernization. And of course, there's some important security elements to those efforts. And then there's people at DHS, which now has a new level of focus on account of the creation of CISA a year ago, and there are other agencies that are really trying to advance their own cybersecurity efforts, internally mostly.
Robert Sheldon: [00:29:14] And then, of course, at DOD, you see a great level of energy in terms of enhancing U.S. national cybersecurity defense posture and then outward-facing capabilities for missions. And the Congress - it's an interesting time right now because there are a lot of new proposals that are being generated, but there's also some programs that are now 5 or 7 years old. And so in a type of way, in the private sector, you consider that almost like a legacy system. But because of the way that the federal lawmaking process and the creation of programs, how that works here, means that you're dealing with some programs.
Robert Sheldon: [00:29:50] So it's interesting to see, just over the past couple of years, people look at things like CDM modernizations, or Continuous Diagnostics and Mitigation, or now people looking at EINSTEIN modernization or enhancements. And then, of course, there's people who have new ideas and new concepts for additional programs as well. So there's a lot of different institutions sort of going in different directions and applying energy in different places.
Dave Bittner: [00:30:13] You know, you mentioned the pace at which things like federal contracting happen. And I wonder, is it a reasonable expectation for things in the federal space to be able to keep up with the - what I would perceive as an increasing velocity when it comes to the types of threats that we have against us? Is there a mismatch there? How are folks in the federal space adapting to the necessary pace at which they do business, but also the need to keep things safe and secure?
Robert Sheldon: [00:30:45] I like the concept of the velocity of threats and, really, just the velocity of change, too, because it's not just that adversaries move very quickly. Of course, they do and increasingly quickly, I think, by some measures. It's also the case that, in the private sector, there's just a little more freedom of action, I think, for decision-makers to be able to say, this concept doesn't work, let's try a new one - or this program's not working, or this solution or this tool is not working; let's try a different strategy. And in government, for a variety of reasons, it doesn't work that way. And part of that is by design; part of that, I think, is a legacy of dealing with areas that just move slower than cybersecurity. So it is a difficult place to be and to be, for example, a federal CISO and to have all the constraints that they have placed upon them and still be able to have a cybersecurity posture that is as good or better as someone in the private sector that has fewer of those constraints.
Dave Bittner: [00:31:40] The folks that you work with, I mean, the successful leaders in the government space, what are the things they have in common? How are they navigating this reality and getting it done?
Robert Sheldon: [00:31:50] I think one of the interesting things over the past few years - that you're seeing more cross-pollination almost in people that have private sector experience at an executive level, people who are - there are CISOs in federal government who come into - who've come from the private sector. They come into government to try to serve. They understand how things work on the other side of the fence, so to speak. And they are trying to bring some of those concepts forward.
Robert Sheldon: [00:32:14] And I think that people are trying to design programs that have the flexibility to bring in the types of capabilities that they need. I think it's really difficult. I think there's probably a lot of interest in finding pathways to do that more efficiently. And I think that the other ones that are really succeeding have picked a few things that are achievable, whether that's a goal about getting your workforce to a place where everybody is operating at a high level.
Robert Sheldon: [00:32:40] There's a ton of interest in workforce development plans in government right now. And that's nice because it's good to see government leaders invest in people and to see those people come and develop new skills and that sort of thing. The other thing that people do, I think, is try and get to a place where they have an ordering principle for their efforts because there's so many things that you can do at a high level if you're a decision-maker in government - so where you want to apply your efforts.
Robert Sheldon: [00:33:03] And we've had a lot of productive conversations with people where they might come and say, what are CrowdStrike's customers doing to organize their efforts. And our co-founder Dmitri Alperovitch always advances this concept of the 1-10-60 rule as an organizing principle for how people should think about applying themselves. And that's - essentially, it's the concept of try and ensure your environment so that you can get a detection, if there's an adversary there, within one minute; try and have a person look at that detection information within 10 minutes; and then if there's a threat, isolate it or remediate it within 1 hour. So 1-10-60.
Robert Sheldon: [00:33:38] And if you have 50 regulations that you're trying to adhere to and if you have an inspector general report that has 32 findings of areas that can be improved and if you have eight programs that you can try and sequence in which order you get to the recommendations or you get to the actions first, it's useful to have a high-level principle like that, where you can say, the things that I'm going to really seek to do first are the things that are going to help with an objective like that. And we've seen a lot of interest, increasing interest, from decision-makers in government in adopting a format like that.
Robert Sheldon: [00:34:14] And then just understanding that maybe you don't get there overnight. But if you can start getting data around how you're performing and then measuring yourself month over month or quarter over quarter, you really can move the needle in the right direction. And it's been interesting to see that concept gain resonance with people.
Dave Bittner: [00:34:33] In your estimation, what are we in for in the next few years in terms of policy initiatives that folks are going to be pursuing in Washington, regulatory things? What direction do you think we're headed?
Robert Sheldon: [00:34:45] I think some work to tighten up - what I referred to before - is almost legacy programs or programs that need to be updated or modernized - will be something that people put effort into. I think Continuous Diagnostics and Mitigation, or CDM, and EINSTEIN are programs like that that will need some effort.
Robert Sheldon: [00:35:01] I think that we're really starting to see now more interest and more uptake in the concept of managed services, which is something that kind of makes sense that it's arrived at government now. It's been gaining a ton of traction and a ton of currency in the private sector for some time. And it'll be interesting to see how that concept takes hold in government about, you know, can you, as an agency - it doesn't really have anything to do with cybersecurity. You know, you have a basic mission. But can you bring in some help from somewhere, either the private sector or maybe a different agency to help do some basic security tasks for you?
Robert Sheldon: [00:35:36] And then with the bandwidth that you've freed up, the effort of your people and your decision-making attention, that sort of thing, really get back to focusing on maybe risk management - or mission assurance is a concept that we hear more in the DOD space. But just focus on being able to achieve that mission without having to be bogged down by doing some security tasks that some other organization's more well-suited than you to perform. I think that that's going to be a big thing as well.
Robert Sheldon: [00:36:00] And then just general movement to the cloud, making sure that you can achieve some security gains by doing that, some contracting rationality in terms of making sure that you're using shared services and using modern, updated apps, kind of freeing yourself from legacy app maintenance and so forth. And then making sure that your data is in one place. You can apply a lot of interesting analytics against it and maybe find some new applications for data that you already have, for example. So that would be a generational task, I think, moving the government from legacy infrastructure and systems into more modern ones and ones that are cloud-based.
Robert Sheldon: [00:36:35] There's a lot of people in government right now who are really watching with interest what's happening in the SLTT space - state, local, tribal and territorial space - from a cybersecurity perspective. And part of that is because there are people who are concerned about secure elections, that sort of thing. And part of it is because there's all these ransomware campaigns going on against the state, local, tribal, territorial entities, and they're making news. And I think that there's a lot of people in government that are seeing that and looking for pathways to provide assistance, if you're CISA, or just looking at possible disruptions or campaigns like that to target federal government entities.
Robert Sheldon: [00:37:15] So that's something that's very - that's, I think, very important to see in terms of just, like, looking to your left and looking to your right and seeing what else is going on environmentally. I think that there's a ton of interest on supply chain security as well. So - and this connects to a lot of broader concerns about who's a provider of different technologies and different systems. So people are paying attention to that more and being more concerned about what types of providers and what types of entities have a de facto foothold in your environment because you rely on them for some product or some service.
Robert Sheldon: [00:37:47] And then adversaries are increasingly leveraging software supply chain attacks to start with a foothold in an environment, maybe use an update mechanism or something similar to be able to compromise the environments that they're in. And then an adversary can get a foothold and then go about doing their business, as an adversary would if they had found entry in a different way, for example, by your general spearphishing or something like that. So it's just a different, more sophisticated mode of operating adversaries are using, and it's happening everywhere, private sector and public sector alike. But it's something I think that people are paying a lot of attention to now, and they're going to continue to pay more attention to because it is a wicked problem.
Dave Bittner: [00:38:27] All right, Ben, interesting things that Robert had to share with us.
Ben Yelin: [00:38:30] It's always useful to hear from an expert about best practices, particularly for people who are in governments. Another thing that sort of stood out for me as a long-lasting problem is that not only do the laws generally lag behind advances in technology in the private sector, but everything in the public sector moves at a snail's pace compared to the dynamism of the private sector. And that goes for implementing cybersecurity best practices. We've seen that in state and local governments across the country with these ransomware attacks and certainly at the federal government as well and, you know, just in all different other types of circumstances. He talked about that in the context of the difficulty of passing legislation and regulation that reacts to new cybersecurity threats.
Dave Bittner: [00:39:17] Right.
Ben Yelin: [00:39:18] And that's something we've talked about before, and I think it's always worth emphasizing. I think people who aren't enmeshed in the world of law and politics might not realize how difficult it is to even pass what seems like a sensible, no-nonsense, you know, cybersecurity measure just because our system, as he said, is designed to throw up these veto points.
Dave Bittner: [00:39:41] My heart goes out to these folks from the private sector who are selling to the federal government because of the budget cycles that they have to deal with, where, you know, all parties could be in agreement that the folks on the federal side have this problem and the folks in the private sector have a solution to that problem, but that money is a year away, so we're all going to live with the problem, you know (laughter).
Ben Yelin: [00:40:05] Yeah.
Dave Bittner: [00:40:05] You're like - it's just - it's hard to...
Ben Yelin: [00:40:06] It's rough, living in that world, yeah.
Dave Bittner: [00:40:09] Yeah. Yeah. You can't be as nimble as you can, I suppose, in the private sector, where you can go and make your case and say, hey, you know, we need this now. It's harder to do.
Ben Yelin: [00:40:17] Right. Like agile development, when you're relying on government grants and, you know, having to go through 10 rounds of review, is not always something that's going to be easy. I would say it would be great to attract more private sector talent into the public sector, and that's inhibited by the fact that there's just not as much money to be made in the public sector.
Dave Bittner: [00:40:40] Yeah, I hear this increasing drumbeat from folks in cybersecurity saying that the public sector is a great place to get your start right out of school, right out of training, you know, that, like, it's a good place to learn the ropes, get a couple years under your belt there in that environment, that that is likely to be time well spent.
Ben Yelin: [00:41:02] Right, then you can cash out in Silicon Valley, yeah.
Dave Bittner: [00:41:04] (Laughter) Right. And then you can cash out, right, which is the problem that, you know, the federal folks have - there's so much turnover - because we're still in this environment where there's so much money in cybersecurity, there's so much competition for the few - relatively few people who have that expertise, that it's really a seller's market, from the employment point of view, I guess.
Ben Yelin: [00:41:25] Yeah, it is. And, you know, I think that's going to be a problem. Obviously, the federal government and state and local governments can hire contractors. But having somebody on staff with expertise is an asset that's kind of irreplaceable.
Dave Bittner: [00:41:38] Yeah.
Ben Yelin: [00:41:38] And even if you are getting, you know, people who are just getting into the workforce out of school, they may be very talented, but they might not represent, you know, the best and the brightest out there.
Dave Bittner: [00:41:48] Yeah.
Ben Yelin: [00:41:49] So, I mean, it's a hard problem to solve because solving it would require all of us as taxpayers to subsidize higher salaries for people who protect our information. And that's kind of a policy choice we would have to make. We certainly have not made that choice thus far.
Dave Bittner: [00:42:05] Yeah, it'd be interesting to see how - if all these ransomware issues change that equation, where communities say, you know, rather than paying that $18 million in ransom, it would have been cheaper to hire an expensive security team (laughter).
Ben Yelin: [00:42:19] Absolutely. I mean, you've seen in the past. Like, I'm old enough to remember when healthcare.gov collapsed in early October of 2014.
Dave Bittner: [00:42:27] Yeah.
Ben Yelin: [00:42:28] And the Obama - or 2013 - the Obama administration was basically like, take all my money and fix this. I forget who the contractor was.
Dave Bittner: [00:42:36] (Laughter) Right. Right.
Ben Yelin: [00:42:37] And, you know, that's probably not as effective as, let's say, getting a few people on staff at HHS who know how to put together a website.
Dave Bittner: [00:42:44] Yeah. Yeah.
Ben Yelin: [00:42:46] Yeah. But that's the way it works sometimes.
Dave Bittner: [00:42:47] Interesting. Yeah. All right. Well, again, thanks to Robert Sheldon from CrowdStrike for joining us.
Dave Bittner: [00:42:52] We want to thank all of you for listening. We want to thank this week's sponsor, KnowBe4. If you go to knowbe4.com/kcm, you can check out their innovative GRC platform. That's kb4.com/kcm. Request a demo and see how you can get audits done at half the cost in half the time. Our thanks to the University of Maryland's Center for Health and Homeland Security for their participation. You can learn more at mdchhs.com.
Dave Bittner: [00:43:20] The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Ben Yelin: [00:43:34] And I'm Ben Yelin.
Dave Bittner: [00:43:35] Thanks for listening.