CarahCast: Podcasts on Technology in the Public Sector

The American Rescue Plan: Improve Cyber Defenses and Move Towards Zero Trust

Episode Summary

Listen to Rob Efrus, Founder and CEO of Efrus Federal Advisors and Morey Haber, CTO and CISO at BeyondTrust discuss Biden’s Executive Order on Cybersecurity and what that means for “Zero Trust.” They will break down the ARP and Biden’s 2022 Fiscal Budget to explain how your agency can use funds now, and analyze how and why Privilege Management plays an increasingly crucial role in mitigating cyber-attacks and protecting CI.

Episode Transcription

Speaker 1: On behalf of BeyondTrust and Carahsoft, we would like to welcome you to today's podcast focused around "The American Rescue Plan: Improve Cyber Defenses and Move Towards Zero Trust," where Rob Efrus, founder and CEO of Efrus Federal Advisors, and Morey Haber, CTO and CISO at BeyondTrust, will discuss Biden's executive order on cybersecurity and what that means for Zero Trust. They will also break down the ARP and Biden's 2022 fiscal budget to explain how your agency can use funds now, and analyze how and why privilege management plays an increasingly crucial role in mitigating cyber-attacks and protecting CI.

Morey Haber: Thank you so much. Rob, it's a pleasure to have you with me today. My name is Morey Haber. I'm the CTO and CISO for BeyondTrust. As the CTO, I oversee the high-level strategy of our privileged access management solutions and remote access technology. As CISO, I'm in charge of the internal security and cloud security of the solutions we offer. You may ask why I have a dual role. One, it's to make the products that we have better, but also to implement them within my own organization. My product team regularly jokes that I'm their hardest customer because I use what I make to protect my organization internally and in the cloud, and prove the technology works. This type of feedback is crucial to the success of BeyondTrust and helps us deliver quality products. I'm also an author. I have three books: Privileged Attack Vectors, with two editions covering the privileged access management space; Vulnerability Attack Vectors, covering how to build an effective vulnerability management and patch management program within your organization; and Identity Attack Vectors, on how to implement identity governance. I also regularly write for Forbes, SecureWorld, and a variety of other periodicals, and I've been in the space for over 20 years. With that, I'll pass it over to Rob.

Rob Efrus: Thank you very much, Morey. Great to be with you and our distinguished audience. Robert Efrus. I am the CEO and founder of Efrus Federal Advisors, a government relations and business development consulting firm that works with the public sector sales organizations of enterprise IT vendors that are selling primarily to the United States government, but also to state and local governments as well. I started my government career after getting a graduate degree in Public Administration from George Washington University. I was selected as a Presidential Management Fellow and worked at NASA headquarters in the Office of Legislative Affairs, where I was a congressional liaison for the Space Shuttle program. I focused on aerospace earlier in my career, and then since the early '90s have been focused on IT. And I'm very pleased to be here today and look forward to talking about the very, very dynamic cybersecurity environment within Washington, D.C. and the overall federal government. Thank you.

Morey Haber: Thank you, Rob. I'd like to set the stage with what's really going on in the cybersecurity world today. We all fully recognize the threats that are coming in cyber. And in fact, today, the day of this presentation, our president is meeting with the Russian president to discuss cybersecurity attacks, and the implications to not only us, but to businesses and governments and industries worldwide. It seems like every day we have another type of cyber breach in the news, some of them against critical infrastructure, some of them against daily businesses, and unfortunately, some of them against small businesses, where they have no means to do backup, recovery, and even deal with the consequences of things like ransomware. And ransomware in itself has become one of the leading problems in cyber; even the biggest businesses with all of their plans can't necessarily cope with the advanced attacks being conducted through cyber today. And this is something that we all need to think about. This is something that we all need to consider, not just how we protect, because that's important. There are steps to do better at protecting your organization. But you also have to plan that it's gonna happen. It's just a matter of if, when and how bad, and having those plans to actually deal with it, knowing how to use them, knowing how to contact forensics and law enforcement, and recovering are what are going to be key for CTOs, CISOs, legal, forensics and businesses at large. And if you're trying to understand why this is really happening, it's because the attack surface itself is growing, mainly because we started allowing people to work from home and we had to change the way we do business. We exposed over 50% more RDP ports due to COVID in the last year, so people could do remote access, and 52% of RDP access was used to start or conduct ransomware. This is critical. 
We changed our behaviors, we made it easier for threat actors to get a hold of our organizations. And basically, we're not doing ourselves any good service; we need better ways of thinking about the way we're changing our cyber environments, with techniques like Zero Trust, with techniques like just-in-time accounts, so that we can prevent these attacks from happening in the first place. Because last year was a record year for Microsoft. It was reported today that more Microsoft critical vulnerabilities appeared last year than ever before. We now have more vulnerabilities, we have more remote access, and we have more privileged accounts in the cloud, on premise, at home, everywhere than we've ever seen before. And privileged accounts are not just administrator or root or DBAs. They're any account that has access to sensitive data, or could be leveraged against the organization for data exfiltration or to cause embarrassment or harm. So we see this attack surface widening; we have the statistics to prove it. But we need to do a better job protecting and ultimately responding to these threats. Now, with this in mind, the attacks and ransomware themselves are the primary threat that most organizations are thinking about today: a 150% increase in 2020, with over 33% new types of ransomware occurring as well. This means that threat actors are learning that they can take ransomware, evolve it, create new ones, mold them with vulnerability-exploit combinations or other styles of privileged attacks, and basically make money. This surge, this increase, is what has become the biggest liability for organizations. And it's not that they have to actually create the malware alone. An 888% increase in fileless malware surges; this means living-off-the-land attacks. 
This means using native applications and native operating system commands to drop malware that could lead to ransomware or lead to data exfiltration or other types of malicious activity, just by using the programs that we have today. Now, this could be through third-party vendors, supply chains; this could be native to the operating system; this could be in Microsoft Office. But threat actors don't necessarily need to create a virus anymore and install it. They're using our own tools against us. And that surge is really something people should be looking out for. So why is this so relevant? Threat actors have found a way to monetize these attacks, and they've built successful business models around them. They're actually gaining and making money overall, based on the threats that they've created. The largest payout today in 2021 is well known: $11 million for a single ransomware attack, and 45% of it targeting verticals like healthcare. And unfortunately, within the last year, we saw the first death due to these types of attacks, where critical infrastructure within a hospital was compromised and unable to provide life-giving care. So the threats are not just to one vertical or another; they are industry-wide. Threat actors have learned how to make money from them. Luckily, in one of the more recent cases, we were able to get that money back. But the fact is they've successfully created a good cyber-criminal organization. And as long as they can make money out of it, they will continue to do so. And these are the risks that we have to deal with today. So we need to plan on how to protect; that's a given. But we also need to know how to think about how we respond. And that's the main purpose of this session today, as well as implementing the different types of technologies like Zero Trust to get there, just-in-time, and other types of modern techniques using ML and AI that can help us understand the behavior of users, and inappropriate activity when it may occur. 
Now, what is being done to address the threat to our nation? As I indicated, at the highest levels of government, there are meetings to help deal with it. We as staff, people, citizens, companies, individuals need to address it ourselves by taking sincere approaches to security best practices: maintaining backups, making sure that we don't reuse passwords, eliminating administrative accounts wherever possible, doing the proper due diligence that we know will prevent many of these attacks, but also thinking about how I am going to respond as well, because in 2021, we have now seen this unprecedented attack result in funding from the US government to help companies tackle these problems. And I'm joined by Rob, who will dive into this a lot deeper, and then we'll have a discussion on the threats and the availability of funds and how you can look at this technology problem and find a good, meaningful solution for yourself, your business or your agency. With that, I'm proud to turn it over to Rob. Thank you.

Rob Efrus: Thanks very much, Morey. Great job. So as Morey mentioned, the SolarWinds attack was really a watershed event, as I'm sure most, if not all, of you are aware, in terms of a call to arms, a recognition that the current approach to defending our nation from cyber-attacks, as well as corporate stakeholders, state, local governments, etc., was not working. A month or so ago, I put a presentation together that described the new normal. I'm going to quickly go through about six or seven slides that encapsulate what's changed. Then, as Morey mentioned, I'm going to talk about the budgets that have been approved for fiscal '21 and are under review currently by the Congress in terms of the fiscal '22 budget, the fiscal year that starts on October 1. And then I'm sure most of you have heard about the cybersecurity executive order issued by the Biden administration. I'm going to talk about that a bit. And that really is the first major policy statement of the new Biden administration to address this new normal. And it's a very dynamic process that I'll describe. And then I'm going to briefly talk about areas of opportunity for BeyondTrust and other vendors that are in the cyberspace in general. So one of the first major changes, prompted by a blue-ribbon commission chartered by Congress called the Solarium Commission, was a recognition that the stovepipe approach to managing cyber defenses and resiliency and incident response, etc., was not getting it done. And a big recommendation from this panel was to centralize more authority within the Executive Office of the President, such that when an attack occurred, the government would speak with one voice, and that focal point within the White House is the National Cyber Director. The gentleman who's been nominated for that post is Chris Inglis. 
And just today, the Senate Homeland Security and Governmental Affairs Committee approved his nomination, and then it goes to the Senate floor, where it's expected to pass. So getting that position filled and funded is a key area. Also within the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, CISA, was given more powers in terms of investigating cyber-attacks, as well as setting up program offices to more effectively collaborate with other federal agencies in this space. And with regard to CISA, it's been operating without a director for the past several months; the former director was fired by the Trump administration, but the nominee, Jen Easterly, had her nomination approved also today by that Senate committee. So both of these positions are key, and they're going to be filled in short order. And for those of you that are stakeholders of DHS and CISA, as well as broader federal cybersecurity matters, this has been a gap that will hopefully be filled within the next several weeks in terms of getting both of these folks into the saddle. They're both very, very well-respected cybersecurity professionals. And it's going to make a big difference. I'm going to talk about the cyber executive order a little later. And then repeatedly, from DoD agencies, homeland security agencies, and even the intelligence community, they are really pushing out a very strong interest in collaborating with the private sector. It's based on the recognition that government can't do it all themselves. And it entails not only the user-role, vendor-customer type relationship, but it also encompasses threat sharing and intelligence gathering. And we're going to be seeing a lot more of that. And I would dare say that state and local governments are also part of that mix, in terms of incident response and threat intelligence sharing. 
Another big change was the recognition, at least at the federal level, that the perimeter-based model of building a moat and defending with that moat in place, with the presumption that the moat will keep the bad guys out, is no longer the case. The SolarWinds attack in particular, perpetrated through a software vulnerability and weak authentication solutions, occurred, you know, inside the moat, inside the perimeter. And so now, at least at the federal level, there's a very strong push, through solutions like Zero Trust architecture, to work to ensure that the individuals that are on a secured network are fully authorized and supposed to be on that network. And a recognition that perimeter-based defenses like the Einstein system that the Department of Homeland Security manages, a 10-year-old system, is nearing the end of its useful life. Certainly modifications are being made to that. But a recognition that the perimeter-based model just is not getting that done. Another major change that was in the works before SolarWinds went back to the ZTE and Huawei concerns about those Chinese-developed devices being on government networks and offering backdoors and other means for attackers to get into government networks. That resulted in a piece of legislation, the Federal Acquisition Security Act of 2018, that really put teeth into how, at least at the federal level, the government was going to manage its own supply chain. This is now having a lot of ripples through the executive order that I'll talk about. But for those of you that are doing business with the federal government, or Feds themselves, you know for sure that the Federal Acquisition Security Council is the interagency group that is going to set up systems to ensure that both the vendors and the products that those vendors are selling to the government are trustworthy. 
And if they don't meet those trustworthiness standards, those vendors and those solutions are going to be barred from operating within the government and government networks. And one of the key mechanisms to achieve that goal, as well as the goals of the executive order that I'll describe, is to leverage the government's buying power. And so these policy changes are eventually going to filter down into federal acquisition rules, requiring certifications and representations, requiring vendors selling software to ensure that they're not selling software that contains vulnerabilities that are readily patched, and that it is developed in a secure way. And if the vendors cannot meet those requirements and certify as such, they will be prohibited from selling those products to the federal government. Software security is a big priority. I've personally been involved with software security for over the past 10 years. And this issue, in terms of secure software development, is now finally on the front burner, where all stakeholders, including government standards-setting bodies like NIST, including federal acquisition officials, including the enterprise IT vendor community, are all getting together. There were a couple of workshops managed by NIST over the last couple of weeks. And as I said earlier, federal independent software vendors are going to really need to step up their commitment to the software development lifecycle, and shift the incorporation of security defenses into that software development process, as they say, left, to the front end of that development process, versus bolting on a security capability midstream as the software is going into production. Those days are going to be over very, very soon. 
I mentioned public-private partnerships. FireEye really set the bar when it disclosed that they themselves, one of the more preeminent cybersecurity companies that's brought in by governments and companies to investigate cyber-attacks, when they themselves reported that they were a victim of the SolarWinds attack. As a result, there's going to be a much, as I said, much, much greater emphasis on incident reporting and requiring that reporting back to DHS and CISA. There are a number of threat-sharing partnerships. I just post them here, excuse me, because if you're not aware of them, and you're in the space of threat intelligence gathering and sharing, and you are a vendor in these communities, I would encourage you to get involved in some of these public-private partnerships. It's not about selling more product or more services. It's about helping the nation defend itself against the cyber-attacks, exchanging information with government counterparts and strengthening the federal government's ability to defend against attacks. Having said that, these public-private partnerships are not a panacea. And a lot of change needs to occur to get out of the situation we're in now. From an identity, credential and access management perspective, there was work going on prior to SolarWinds in terms of establishing a whole-of-government approach to ICAM, with agencies being responsible for adopting and publishing approaches in their own agencies to implement the ICAM capabilities, and working with NIST to refine standards that involve privileged access. Now, from a budgetary standpoint, the American Rescue Act provided CISA with an extra $1.8 billion, which included $650 million specifically to help CISA support agency responses to the SolarWinds attack, to improve information sharing, etc. In addition, a billion dollars was also approved for the Technology Modernization Fund. This is a federal fund focused on modernizing legacy IT systems. 
A key point here is that a key objective of these modernization activities is to migrate applications off of legacy IT infrastructure, which could be more vulnerable to cyber-attacks, even with outdated languages like COBOL, etc. In addition, the Biden administration, in their fiscal 2022 budget released in early to mid-May, included an additional $750 million in support of federal agency IT enhancements directed at improving cyber resiliency, another $500 million for the Technology Modernization Fund, an additional $110 million on top of the 2021 budget for CISA for cyber and IT modernization, $20 million for a new cyber response fund, and additional support for R&D, including the National Science Foundation. Now, in terms of the executive order, I want to focus on a couple of sections. First, there's going to be a much greater requirement on the vendor community to share threat intelligence with the government when they get it. And that's going to be put into government contracts. Overall, the executive order places a very, very high priority on modernizing the US government's cyber resiliency through the adoption of best practices like Zero Trust architecture, secure cloud, optimizing the use of software as a service, and using analytics to identify and manage cybersecurity risks. This is a very, very key plank of the cyber executive order. Another key piece, and in the interest of time I'm just going to go through these very quickly, is the whole software supply chain security. I mentioned two workshops a couple of weeks ago at NIST. For those of you who are stakeholders in software security, I suggest you go to the NIST site and search under software supply chain security and get access to the papers that were provided to NIST by stakeholders, as well as the video presentations. Bottom line is that there's going to be a series of updated policies and updated standards in terms of what determines what is critical software. 
And then that will all flow down into new procurement rules and regulations that vendors selling to the federal government will need to adhere to in order to get those contracts. There are a number of other major elements in the cyber executive order, including incident response and reporting. So baked into the executive order are a number of opportunities for identity, credential and access management. Of course, BeyondTrust being a preeminent one in the software development space, privileged access is going to be strengthened as a requirement to ensure that those who are developing software and writing code are authorized to do so; similarly, with privileged access when reporting incidents, identifying proposed remediation efforts and threat intelligence. And then, in terms of the overall modernizing of the government's approach to cybersecurity, Zero Trust architecture, which Morey is going to discuss in further detail, is a very, very major element and a big priority.

Morey Haber: But Rob, when we look at this executive order, and we see things like Zero Trust, and we see a lot of the mandates out there, how do you think most of the agencies are going to operationalize these and take advantage of potential funds to get there?

Rob Efrus: One of the major changes associated with the shift from the perimeter model to the endpoint model is that CISA is going to be much more present inside of agency networks. And that will create a level of oversight that today has not been systematically applied across government; agencies were kind of doing their own thing, and that resulted in inconsistent approaches to creating a baseline level of cyber resiliency. So the oversight is going to be greater, number one. And initially, CISA is going to be in a position to offer agencies funding to support the acquisition of capabilities consistent with the shift from perimeter to endpoint solutions, incorporating Zero Trust architecture, greater cloud security, and the like. So those funds are going to be available initially through CISA. And then the expectation is that agencies themselves will bake those requirements into subsequent budget requests. Now, it's worth noting that across the board, in civilian, defense, and even intelligence, there's been a significant budgetary increase proposed for fiscal '22 over '21. And part of the rationale of the Biden administration is that some of those additional resources will be applied to and are intended for cybersecurity-related requirements.

Morey Haber: So as we go down this, we know it's been an unprecedented year. And we know agencies are thinking about Zero Trust. I hear this all the time when working with state, local and federal agencies. We realize that all of the vendors are talking about Zero Trust in a variety of ways. But that's really not the best way to think about it. It's not a solution. It's not a tool. It's an approach. And the NIST SP 800-207 documentation really helps us get there. It helps explain the different models, it helps us understand where we should be thinking about things and how to apply it to legacy technology and how to implement new strategies, especially as you've indicated, Rob, that the perimeter really isn't our best defense anymore. We can't necessarily rely on that. When we think about the focus of the administration, asking us to do better, involving CISA, how are things like Zero Trust being added to the discussion?

Rob Efrus: Well, I think, again, part of the recommendations going back to the Solarium Commission was a recognition in Congress that the perimeter-based approach, in particular Einstein, had shortcomings. And then the executive order, combined with the funding that I've described, will get executed through updated policies and procurement rules that are going to be overseen by both the Office of Management and Budget, i.e., the government IT office where the federal chief information security officer is housed, as well as the Executive Office of the President, with the National Cyber Director working in close support with the National Security Council. So I think the short answer is there's going to be a lot more oversight, consistent with this whole-of-government approach, than there has been in the past, focused specifically on a rising tide lifting all boats in terms of agency cyber resiliency across the board.

Morey Haber: You know, it's interesting to say that everybody's going to do it at once. In the private sector, as a CISO, I try very hard to plan my own cybersecurity with a timeline, goals, measurements, durations, etc. And if my board asks me to do something in a certain timeframe, in a quick timeframe, it's sometimes hard or near impossible to actually make that pivot. With the executive order, strict guidelines and timeframes have been given to federal agencies, and you've got to turn the ship; some of them may not be expecting this. Do you think the state governments and commercial sector will be able to follow suit and address those needs?

Rob Efrus: Well, I think when you talk about state governments, you know, that's a whole other sphere to consider. And I have a couple of comments there. I'm glad you raised the point. First of all, there's a recognition that state and local governments, which have been so adversely impacted by the pandemic and are in critical need of additional resources to make up for the sharp shortfall in tax-related revenues, the demand on emergency and health-related services, etc., that stimulus measures like the American Recovery Act and the others, where $350 billion of funds was allocated to state governments, I would say a couple of things. First, there was broad discretion within the American Rescue Act and some of the other stimulus packages that have been passed that provide state and local governments with broad discretion to use those funds, potentially in support of cyber-related requirements. And so for those vendors that I've addressed over the past month or so, you know, I've encouraged those vendors to work with your state and local government partners to assess the budgetary climate within those state and local governments, and to push to see whether those government entities have discretion to use some of those stimulus funds in support of cyber-related requirements. That's the first point. The second point is that there's a recognition in the Congress that state and local governments need additional funding in support of cyber. And so there is a State and Local Cybersecurity Act that passed the House last year, was reintroduced just earlier this year, and the Senate is planning to take it up as well, that will include $500 million for state and local cyber-related needs. 
And then in addition, I'll point out to the state and local officials on this call that tomorrow, June 17, the Senate Homeland Security and Governmental Affairs Committee will be having a hearing on state and local cybersecurity at 10:15 in the morning, and there'll be representatives from Ohio, North Carolina and New Hampshire testifying at that hearing about state and local cyber needs as they relate to, you know, federal funding. And so, you know, I would say that funding has already arrived in state and local governments that can potentially be used, and more funds, I believe, are going to be appropriated in support of that requirement as well.

Morey Haber: It's really interesting to see how we're reacting to this. In 2020, I wrote a blog. It's part of our historical blogs on our website, about cyber warfare, and how I actually predicted how this was going to play out. And it's becoming eerily similar to what reality is today: that we're seeing the first weaponization by nation states, not actually taking ownership, but conducting this activity. It's kind of scary for me to think that I actually wrote that, and I was kind of on target, but I was just looking at the trends. What's next for the country in terms of cybersecurity? Rob, what do you think we're going to do? We have this money available, we see attacks against federal, military, state, local. What's next?

Rob Efrus: Well, you know, the sad truth is that these attacks are not going away; they're only going to increase. The criminal elements in particular, as you appropriately pointed out earlier in your remarks, you know, have become very professional in optimizing a business model that supports criminal activity. And so the net of it is that more funding is going to be needed in support of agencies like CISA. You look at the FBI's success in clawing back about half of the Colonial Pipeline ransom, and a recognition that if the FBI, in this case, was given even more money, they know what to do; they know how to disrupt these financial transactions. And so I think the reality is that all of us as taxpayers are going to, you know, be spending more of those tax dollars in support of continuing to up the government's cyber game. These are the opening innings, and much more is going to be needed from a funding standpoint. And if today's summit in Europe with President Biden and the Russian president is any indication, the Russian president denied any involvement in any of these attacks. And so I think that says it all in terms of the situation: it is going to get worse before it gets better.

Morey Haber: And that's the unfortunate part about this: denying reality, not having transparency, or being oblivious to something going on in your own country against another country is really where we are right now. It brings up some really fascinating points about the strategies we're going to use to defend, and one of them is privileged access management as a cyber defense. Look, if you think about the ransomware I talked about earlier, you think about the malware attacks, you think about hacks in general, there are two primary methods by which hackers gain access to an environment. One is the traditional vulnerability and exploit: finding a vulnerability, running exploit code, gaining access, getting privilege escalation until there is that beachhead. We generally solve that today with vulnerability, patch management and configuration management; those disciplines have been around for a really long time, and hopefully your agency, your organization, is doing a pretty good job identifying them and patching them. That's been table stakes for the last 20 years. The more recent attack vectors have been around privilege, and are solved with privileged access management. These are where we have problems with the actual credentials used for authentication, or deeper down for authorization. These could be anything from leaked credentials, reused credentials, not using multifactor, flaws in an SSO type of deployment, anything related to a privilege-type or credential-type attack, an identity attack related to the account that can compromise an environment. And it takes the onus from the device itself up to the identity to protect, especially when we consider that the perimeter is really gone. Look, when we talked about the perimeter as a security model, we were saying we're going to put in network access control, we're going to put in firewalls, we're going to put in the IPS, we're going to protect the device and then we're going to protect the user.
Well, that's not true anymore. We don't have that perimeter to necessarily rely on; we do a lot of things in the cloud, and we still have a lot of people working from home for the foreseeable future. So now we have to make sure not only that the device is still good, that traditional vulnerability, exploit and configuration hardening, but also the identity-account relationship: the confidence that that account belongs to the identity and that the things they do, the behavior they use, is accurate. And this leads us into Zero Trust. Because what we want to do is say we don't care where the resource is, we don't care where the access is; we're going to produce a model, Zero Trust, that uses a policy administrator to decide what they should be able to do, a policy engine to enforce it, and then monitor the behavior to make sure it's appropriate, leveraging many of the authentication schemes we have today, whether it be single factor all the way up through smart cards, PKI, etc. The point being here is we're going to take those network controls out of the security equation, because we've already proven threat actors from afar can get through our defenses and bypass those controls: the lateral movement through beachheads, through mules, etc. So now we're in the concept of Zero Trust, we have a way of saying user X, being in a location, we can get them to where they need to be. But it's those privileged accounts that are the most important in this model, not just the standard user. These are the root, the admin, the DBA, or any account that has access to sensitive information, can perform lateral movement, that can either exfiltrate data, cause a denial of service, install something, or even be an embarrassment to the organization or agency. It doesn't have to be root or admin. These are accounts that have a high risk associated with them because of the functions they perform.
And this is why privileged access management can defend, or do a better job of defending, in your organization. When we consider ransomware and some of the methods that I talked about earlier, the problem that we have is that malware and most ransomware, even fileless ransomware, need admin rights to write something to the disk, access files, touch the registry, launch child processes, download scripts, etc. If you remove admin rights, they don't have that capability. In fact, you can stop a high 90th percentile of ransomware and malware just by removing admin rights. So privileged access management is about taking those non-admin routes as well as those admin routes and bringing them down to the lowest common denominator of least privilege: no one has admin rights, ever, any place. Now you apply that to a Zero Trust model, and the people coming in, the workers coming in, the trusted sources coming in, don't have the privileges to do everything they need. They're vetted appropriately with that identity-account relationship confidence, and applying a model of least privilege or removing access, while monitoring the behavior, their sessions, their keystrokes, everything else, in real time, and then flagging if something is inappropriate, or even immediately taking action, like disconnecting their system. So we consider the journey and the threats that we're facing and the funding that's out there. Zero Trust is an important concept; ephemeral accounts, accounts that have a limited duration, are very important. But it's those special accounts for privileged access that really can get us in trouble, and why they're some of the first ones we should tackle as a part of these initiatives to secure our country, our agencies and organizations. That's key. And the outline that Rob provided in terms of what's going through Congress,
and the funding that's available, can help you secure the most precious accounts, assets and sensitive data that you have out there from these evolving threats, whether it be ransomware, an insider that's been compromised and doesn't even know it, or even that remote threat actor. If you buy into this and you get it, and hopefully you do (if not, you're welcome to ask questions; you have a different problem we have to deal with), you may get it, you may be able to get your peers to evangelize for you. But Rob, how are agencies typically getting the buy-in from their leadership, and provoking that communication that here's a problem, here's a way to solve it, how do I get it done? What are they doing? And what should they do?

Rob Efrus: Well, great question. Technically, agency leaders, the political appointees, the secretaries, the deputy secretaries, the administrators, are responsible for what goes down on their agency's networks. And so when an attack occurs, it's immediately on the agency leadership to figure out what happened, to share that intelligence, and to get whatever remediation assistance is needed to plug that vulnerability and recover. And so what you're going to be seeing with this whole-of-government approach, and the appointment of a National Cyber Security Director, Chris Inglis, is that the White House and the Executive Office of the President are going to be much more engaged in terms of raising the game, stepping the agencies' games up. And then when attacks occur, bringing the entirety of the US government's resources, defense, intel, law enforcement and the like, onto the specific cyber-attack environment. And so I think the short answer is there's going to be much, much more oversight and much more accountability expected from agency leaders moving forward.

Morey Haber: And that basically gives them the motivation. The current trajectory of US-Russian affairs seems to presume that the current criminal actions will not change. That's a given; we hope they do. But for now, US policy going forward appears to include retaliation upon those criminals. What does that mean for us? Does this mean an all-out cyber war? Does it mean we'll be doing a lot more covert operations? Could it be things like Stuxnet? There's a variety of opinions on this. But if we start committing our resources to cyber warfare or retaliating, this could escalate really quickly. Hopefully, we don't ever get to that situation. Hopefully, we can calm this down, and the countries can agree that if these groups are operating under the radar from the government, they can be held accountable. But if they're being sponsored or known to the government, we obviously have a different problem. It is state-sponsored cyber terrorism, for lack of better words. Rob, do you have any thoughts on this?

Rob Efrus: Well, in fact, we are currently, and this is my opinion, in a cyber war with our adversaries. And whether that involves, you know, attacks on critical infrastructure by state-sponsored groups, or whether it involves efforts to support the theft of intellectual property, it's all happening right now. And the point that you're raising in terms of what we can do from an offense standpoint to blunt those attacks, without getting into sensitive information: it's a known fact that we have offensive cyber capabilities, and we are, I believe, engaged in those operations currently. That's in the public domain; that's not anything secretive. So you're going to see much, much more moving forward. And, you know, one of the challenges has been, you know, what does that mean for the US population and our privacy rights; that's a very, very delicate issue. But in terms of state-sponsored cyber-attacks, you know, look for more funding, more priority and more resources to blunt them from a defending-the-homeland perspective.

Morey Haber: And that's absolutely the case. And for anybody that follows a little bit of history on cyber warfare, one of the first public ones that ever occurred was during Desert Storm, where our operatives, our intelligence agencies, actually kept the power grid on in Iraq so that the Saudis flying over could see their targets, and even the news cameras could see what was going on. That's also public domain and well documented today. So we don't want to ever get there. But unfortunately, the capabilities exist, and we need to de-escalate as best as we can. But until that occurs, we still have to protect for now, or in case it re-escalates in the future. And the model that I'm presenting, and the documentation or the collateral that Rob is presenting from the federal government in terms of funding, initiatives, awareness, maybe it's another type of ISAC that gets spun up, CISA getting more and more involved, will only help us in the future: one, to better defend, but two, as I've indicated, to raise that awareness so that when something does occur, we can ring the bell and let everyone else know, so that the damage is known, the attack vector is determined, and we minimize the damage overall. Rob, any last words for the agencies in starting their journey or working with this type of problem, or even looking to see if funds are available?

Rob Efrus: Now, I would say to the federal officials and state and local government officials: recognize that we have turned the page, if you will, on cyber from a priority-establishment standpoint and a funding standpoint. And for the state and local folks in particular, you know, consider what I said in terms of the billions of dollars that have been allocated to the states, with discretion for your state leaders to allocate those funds in support of cyber-related requirements, as well as some of these pending legislative efforts in terms of getting state and local governments assistance. So thank you, Morey.

Morey Haber: Rob, thank you so much. This has been a really great conversation. I'm hoping our audience gets the benefit from it.

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft or BeyondTrust can help leverage ARP funding to improve your agency's cybersecurity posture, please visit www.carahsoft.com or email us at BeyondTrust@Carahsoft.com. Thanks again for listening and have a great day.