Even for cybersecurity policy vets like Splunk’s Bill Wright, 2021 has taken the cake as the busiest year for Federal cybersecurity policy in the past decade – at least since 2012 when the big event was a mandatory cyber threat data sharing bill that Sens. John McCain, R-Ariz., and Joe Lieberman, I-Conn., couldn’t quite push over the finish line.
Times certainly have changed over the intervening decade, but the importance of technology and security – and how they are both endangered by the increasing pace and sophistication of cyber assaults – have only become more acute.
Wright has been Senior Director-North American Government Affairs at Splunk for the past three years, after a stint as director of government affairs and senior cybersecurity policy counsel at Symantec. Before that, he saw some of the first big congressional cyber debates up close as a subcommittee staff director on the Senate Homeland Security and Governmental Affairs Committee, following several years in counterterrorism at the Director of National Intelligence and the State Department.
We caught up with Wright for a talk about the blizzard of cyber policy developments thus far in 2021, and where they might lead.
MeriTalk: A lot of times, cyber threats seem technical and hard to explain, but in the case of ransomware after attacks like the one on Colonial Pipeline and gasoline pumps going dry, that’s no longer the case. The Biden administration and industry are pushing back against ransomware in a number of ways, what are some good ideas that stick out for you?
Wright: I thought a lot of the ideas that came out of the Ransomware Task Force, issued in April, by the Institute for Security and Technology were particularly interesting. My constant caution over 20 years of working in the policy arena is the truism about technology and innovation – it moves much faster than policy ever can, so we need to be careful.
But with that said, we need a strategy that’s comprehensive. Not just a whole-of-government strategy, that wouldn’t work. It needs to be a whole-of-society approach, and it needs to talk about improving defenses.
We need better defenses, and we need to get the basics of those right. So one thing to think of is ubiquitous use of multifactor authentication for access to networks, and then you can limit credential abuse, which is so important. Then you have to update patching systems, obviously, to prevent actors from exploiting those known vulnerabilities, right. Then, practice incident response plans and backups. This is basic blocking and tackling for any good security organization.
The Biden administration’s cybersecurity executive order really takes some positive steps in that direction by requiring Federal agencies to adopt multifactor authentication, move toward zero trust security architectures, pushing industry to develop more secure software to sell to the government, and creating better threat information sharing mechanisms, that’s a section of the order which I love. And then putting the emphasis on data log retention, maintaining those can be crucial to shoring up defenses.
MeriTalk: Any thoughts about President Biden’s decision to elevate the ransomware issue directly to top of the foreign policy list with Russian President Putin?
Wright: I think it’s the right thing to do. It also fits in with what we discussed earlier about taking a whole-of-government and a whole-of-society approach. Part of that is using all elements of national power at your disposal, including diplomacy, and that’s what President Biden is doing.
There are clearly safe havens around the world for perpetrators of ransomware, and we need to be able to bring more aggressive action against them to create some level of deterrent. Those actors include all of the affiliates, not just the makers of the ransomware. The development of ransomware-as-a-service has drastically lowered the barriers of entry for criminals. You no longer have to be particularly sophisticated or savvy, you just need criminal malicious intent, and then enough affiliates to help you.
On a strategic basis, you have to publicly go after these malicious actors while at the same time you are shoring up your defenses. Today, the risk versus reward ratio is badly skewed.
MeriTalk: One corollary to President Biden’s confronting the issue in a very public way with Putin is when President Obama did a similar thing with Chinese President Xi Jinping in 2013 over cyberattacks on the U.S. that were economically motivated. It seemed that approach worked at least for a time, do you see it the same way?
Wright: It not only worked, but it was absolutely necessary. Those discussions are regarded as an example of bilateral success, and I understand we did see a drop in the kinds of attacks that were involved.
MeriTalk: One of the most interesting policy turns in recent weeks has been the Cybersecurity and Infrastructure Security Agency’s (CISA) announcement of the Joint Cyber Defense Collaborative (JCDC) with industry groups to drive down cyber risks faced by Federal agencies, state and local governments, and the private sector. It seems like the kind of seat at the table that industry has wanted for a long time.
Wright: While Splunk is not one of the named companies on the initial roster for the JCDC, we are always interested in helping our government partners, so maybe it’s a discussion for us in the future. I’m anxious to hear more. I like the idea of bringing together several Federal agencies with the private sector to work together. I get the feeling from the announcement that they are looking to expand in size and scope. I’m very much looking forward to figuring out what their focus is and how we might be able to contribute.
MeriTalk: Any thoughts on how the JCDC might proceed?
Wright: They made a big splash with the announcement, and I think they are going to get a lot of interested parties. I don’t have a great feel for it, perhaps it might cover tabletop exercises, or operational collaboration, but I don’t know. I do like the idea that it’s a big group of players that really covers the waterfront from companies to state and local, to Federal agencies.
MeriTalk: What’s the particular view of security from Splunk’s perspective?
Wright: As a general statement, many of the security problems we see today are in fact, data problems. Data is at the core, and better use of data is the solution.
I would also highlight the promise around security orchestration, automation and response, or SOAR, which automates some of the lower-level security issues. That lets you put your security experts onto higher-level security tasks and requirements. There is a lot of promise in the SOAR technologies, especially with the dearth of cyber expertise.
MeriTalk: That kind of ties back into the cybersecurity executive order, with requirements to save and analyze log data. That’s a prime example of the need for automation?
Wright: Absolutely. I was glad to see that the order dedicated one entire section to the importance of log data, that is one of the keys. At Splunk, we’ve been saying that for a long time, and it really seems to be gaining traction.
MeriTalk: Last question about the executive order – compared to some of the cybersecurity orders from prior administrations, this one seems to change the landscape a little bit more, and requires government and in some respects industry to take action. How do you see it?
Wright: I couldn’t agree more. In prior administrations, the orders would not have been this detailed. This order steps up to the urgency of the moment.
MeriTalk: And finally, though I know it’s still a work in progress, any thoughts about the cybersecurity components of the infrastructure bill that made it through the Senate and awaits action in the House?
Wright: I’m encouraged by what’s in the infrastructure bill, in particular the $1 billion that would fund cybersecurity grants to state and local governments. Some of them are struggling with funding limitations that occurred through the pandemic, and are facing serious IT modernization and security problems. That funding is hugely important from my standpoint.