A
Hey, everyone, and welcome to Seriously Risky Business, the podcast we do here at Risky Biz, which is all about government policy and intelligence. Joining me, of course, is Mr. Tom Uren, our public policy and intelligence editor, and he's going to walk us through the newsletter he has written this week, the Seriously Risky Business newsletter, which you can find at Risky Biz. Tom, how's it going?
B
Good, good. Patrick, how are you?
A
Good, good. So, yeah, this is our last one for the year, and of course, we'd like to thank the William and Flora Hewlett Foundation, who support Tom's work with us, and also Lawfare Media, who syndicate Tom's column. And, you know, they're a big help to us as well, so thank you to them. And Tom, yeah, for the last one this year, we're walking through a few topics. You've done a terrific write up on this thing that's happening in the US where it looks like the incoming Trump administration is going to want to split the roles of the head of NSA and the head of Cyber Command. Now, we spoke about this on the weekly show yesterday, but from a very different perspective, where what I was talking about is, well, from everyone I talk to, Cyber Command isn't ready to stand on its two feet, on its own two feet. So there's a very practical reason why these roles haven't been split. You've looked, though, instead at the reasons that splitting these roles could, could wind up prioritizing Cyber Command over NSA. And that's something that's a little bit like, oh, maybe not so great.
B
Yeah, yeah. So the story is that Cyber Command is led at a four star level, and that's just because of the nature of the hierarchy of the Department of Defense, because it's, you know, a combatant command, whereas NSA is led by a three star. And so Cyber Command, just by the nature of the Department of Defense, outranks NSA. And so currently, the way I think about it is that you've got basically a very similar pool of people doing very, very similar things using the same resources, you know, construed broadly, things like exploits, tools, techniques, capabilities.
A
Well, and the operators who know how to use them.
B
I think that's exactly all very the same, almost interchangeable, except their priorities are very different. So NSA, the priority is to collect intelligence. And the way you do that is being very, very stealthy. You don't get caught. And you, if you don't get caught, you can, as a rough generalization, collect intelligence infinitely, forever. Now, obviously, practically not true. Now, the point of Cyber Command, or at least one of the points, is to do disruptive and destructive things that are flashy, cause people to have an impact on people. And so they notice them, and then they go, oh, why did that happen? And so by the nature of what they're trying to do, you're placing that capability at risk. And so each time you do a Cyber Command style disruptive operation, you've got to think carefully about, is the risk to my intelligence gathering capability worth the disruption that I'm going to cause? Like, what's the big picture? Win, loss out of all of that. And so right now, the person who makes that decision is General Tim Howe. Is it Howe or Hoff?
A
It's Hogg. It's Hogg, because.
B
Okay, Hogg, Tim Hogg. Apologies for getting that wrong. And the. To me, that makes sense. Right. The same person, he's responsible for both missions. He can weigh up, you know, what are we getting out of this? How much is the risk? What's the benefit we're going to get here? Someone needs to do that. And naively splitting the two leaderships, so both Cyber Command and NSA are led by Tim Hogg. Just naively splitting it would mean that you'd need to create some sort of architecture. Well, you don't need to, but ideally you would create an architecture to sort of weigh up those decisions. And I don't think that's easy. And to me, that's the fundamental problem with splitting the two. So Hogg actually spoke about this during his Senate confirmation, and he called it the most critical advantage of what they call the dual hat, that the head of Cyber Command is the head of NSA, and I quote, "a single decision maker, responsible and accountable for the mission outcomes of both organizations is best equipped to protect critical intelligence equities like the capabilities that NSA uses while executing national priorities as directed." So that, that is, to me, the major problem with splitting the two roles is that you need to create some sort of, I guess in infosec terms, a compensating control to figure out what do we do.
A
Yeah, you'd almost need a new head of both organizations who can handle the sort of deconfliction.
B
Right.
A
And I'm not sure how that would work. I'm sure that there's, you know, there's some oversight there, but you would also be relying on a good working relationship between these two people. But ultimately, you know, from what you've written, it looks like Cyber Command would have the final say. Now, I kind of feel like reading your article, you kind of agree with, with Tim Hogg's comments from his Senate confirmation I find it pretty hard to disagree with as well because, you know, something that I've been talking about recently on the show and something that I spoke about with Chris Krebs in Sydney, you know, a couple of weeks ago, is that, you know, intelligence collection seems to be the most valuable thing states do with cyber capabilities. When we look at cyber war style activities, it looks like there's some sort of, you know, there are occasional tactical advantages to doing that and whatnot, but the value that we get from intelligence collection through cyber means is just, you know, immense. So it's almost like, I feel like those, you know, NSA should get the four star and Cyber Command should get the three star, which kind of tells you again that splitting these roles is not, is not going to be, you know, without risk.
B
Yeah. The way I described it in the piece is that Cyber Command, when you do a disruption operation, it's the direct application of state force. Whereas when you collect intelligence, what you're really doing is you're enhancing what else you can do.
A
So that means that intelligence is about options, right? Like collect as much information as you can and then decide on a course of action. Whereas the Cyber Command side is like, it's just action only. Hoorah.
B
That's right. And by its nature those kinds of operations tend to have short lived impacts because, you know, at the most extreme you wipe, you wipe all the computers in an organization and people tend to recover like surprisingly quickly. And so if you're going to do that, you've got to weigh that up at, well, you know, we make a better decision because of intelligence we gathered today and tomorrow and next week and you know, for months. And those better decisions, like the benefits roll up over time. So you, I think that that makes a huge difference over time. It's just that it's invisible. Like you don't see those changed decisions because they're sort of, well, because it's intelligence. No one says we changed our mind because of this piece of intelligence. So it's invisible, it's hard to see, it's ephemeral and ethereal maybe.
A
I mean, I look at, at the same time that I agree with everything you're saying, right. And I understand the risks here. I kind of feel like, you know, these two agencies having the same head isn't tenable long term. You know, I feel like these organizations need to be able to stand on their own. Of course they need to be able to cooperate, but they need to be able to stand on Their own at some point. Right. I mean, are you sympathetic at all to that argument?
B
I think, okay, I'll give you the practical answer and I'll give you the idealistic answer. And my idealistic answer is, no, I'm not sympathetic at all. I think they should be the same organization with one head with different functions in different, like, you know, divisions or whatever. Like, that's my platonic ideal of what that type of organization would look like, because you've got essentially the same people, could be in a network. And whether it's disruption or intelligence, it's just what you do in that network. Now, that's totally impractical because of the way the U.S. Department of Defense is. And so I think realistically, maybe you're right, and then you need to have structures that allow that sort of decision making to be made. But I think that, you know, what is it? The enemy can't be the best, can't be the enemy of the good.
A
So, yeah, don't let perfect be the enemy of the good. And that's the thing. I sort of feel like, you know, as these functions, well, particularly Cyber Command, I think the criticality of, like, NSA is well understood. I think something like Cyber Command just naturally over time is going to grow, become more important, do more operations and whatnot. And, you know, it being sort of a function that's being fulfilled essentially kind of by NSA at the moment. I sort of feel like, well, will it. Will it, you know, will it be able to grow up or is it just always going to be sort of second fiddle there? So I do feel like ultimately we're going to need, you know, they are going to need a split at some point. Yeah, I'm not saying it's like right now because, you know, the big focus of my conversation yesterday was, well, you know, Cyber Command. From what I hear, they can't really do much without the people at Fort Meade, like, without actual NSA personnel helping them. So, you know, I think splitting the organization completely at this point is not realistic. Appointing a new head, a different head for Cyber Command, I'm sure that can be done. But, yeah, the whole thing's fraught. I mean, this is one thing, though, that you get with the Trump White House is once they get an idea, they're just going to push it through. You know, they're just going to do it. They're going to get it done and try to fix it once it. Fix it live, fix it in production, to use an IT metaphor. Right.
B
Yeah. So I don't actually think More offensive cyber operations that cause disruption would be a bad thing. Yeah, I think it's just you don't want to do too many of them at the expense of longer term capabilities. So that's. I think that probably the historical has been an overweighting of signals intelligence versus disruption and so it's natural that there's a rebalancing over time. I think getting that balance perfectly right is probably quite difficult. And right now we're leaving it up to a single person. Is that the best long term solution? It's a good short term solution.
A
Exactly right. It was funny though, that conversation I had with Chris. I'm sure you saw it just talking about Trump's bias towards more aggressive cyber stuff like changes to NSPM 13 and whatever. Yeah. It's just interesting because it's one of the only times I can think of, of an executive, you know, of a president who actually has a clear policy direction in cyber. It's Trump, which is to be less cautious, to be more aggressive, to go out there, defend forward and all of that. Right. So I just find that interesting that he is, he is, you know, Donald Trump, cyber president. Right. Because it's something that he seems to. Yeah. At least have an established policy direction in. Now another thing that we're going to talk about today is the SEC stuff. Right. So it's really funny. Like again, I touched on this briefly yesterday before the SEC introduced its disclosure requirements for cyber incidents. The panic out there in among CISOs was just, it was honestly, even at the time I found a little bit ridiculous because they were talking about the, you know, the world was ending basically and the other people were saying people were going to over report and it was going to turn into a mess. And you. Indeed we did see some people over reporting because anytime there'd be an incident, they would report it before they determined that it was material just to be safe. And it got so ridiculous that the SEC even came out and told people to stop doing that. They still do. And here we are 11 months later and what it looks like has happened is there's been, you know, 70 odd incidents reported, only something like, what was it? 11 were deemed to be actually material. And I guess the disappointing thing is, you know, these, these 8-K filings where people are talking about these incidents, I mean, they're all full of boilerplate language.
And so this whole thing has turned into what I would describe as a fizzer and not the end of the world that everybody was sort of claiming was going to happen. I don't know, there's something a little bit delicious for me about listening to everyone panic about something that, you know, I didn't think was a particularly big deal and it not turning into a particularly big deal.
B
Yeah. I mean, it's really caused the boilerplate machine to go into overdrive.
A
That's right. I mean, the joke I made yesterday was like boilerplate language in an SEC filing. That's. I've never heard of that.
B
You know, and I mean, you know, the person who first came up with those form of words probably deserves a pay rise. Everyone else is just copying their work. Yeah. So the.
A
It's a copy paster, mate.
B
That's right.
A
Cyber filings are just a copy paste.
B
So when I was writing this piece, I was thinking, so what's the answer here? Like, there's actually very few material incidents that have been reported. Should you just give up and say, oh yeah, don't worry about it? Because mostly the material ones are actually ones that have significant impacts and so people in the press pick them up so they do get reported. In the end, I decided that probably wasn't a realistic or responsible approach, assuming that I was the head of the SEC. And so I think it's just, you know, you continue to educate people, cyber incidents aren't going to go away anytime soon. So this is a long term problem. You've started trying to raise the bar on disclosure. I think it's a good thing in the long term. So you just need to keep pushing and saying, yeah, we don't actually care about these ones, but here's a really good example of, you know, this is what we're looking for in a disclosure and tell us that's right.
A
And I think, I think what's going to happen eventually is they're going to, there's going to be some material disclosure and they roll out the boilerplate language, but it turns out to be a big deal and they're going to get smacked for it. Right. So I think that's kind of how this will naturally evolve. And, you know, we're all going to find, you know, everyone's going to come to understand what the line should be for when you do a disclosure and how much detail you should put into it.
B
Yeah. And I think there's a tendency to think we've got to solve the problem like in the next rulemaking phase. And I think it's like cybersecurity is an iterative business. People are always learning as they go.
A
Yeah. Now the last thing we're going to talk about is Rest of World has published a bunch of articles on all about WhatsApp and the history of WhatsApp and they're surprisingly interesting, which is how it found its way into your newsletter. This is one that I found interesting because my partner, my wife is Brazilian and in Brazil people only use WhatsApp. Right. And it's because the telcos have they. They don't really do reliable SMS delivery and it was billed and it was expensive and whatever. So everyone uses WhatsApp. And I've. It's a story I've told on the show before, but I remember once we had a little prang in my wife's car and we had to do an insurance claim. The whole thing was handled over, over WhatsApp using like WhatsApp bots and everything. Um, it's actually an incredible bit of technology when people use it. Like the way that you can deal with companies and stuff via, via WhatsApp is just incredible. But it's looked at how the first principles of WhatsApp were really about making it reliable even in places where network coverage is bad. And I've experienced that personally, where I've been in places with very terrible, terrible Internet connectivity, WhatsApp would still work. Nothing else would matter. Products, I will say, like even Facebook messenger and whatever, pretty good, but whereas anything else just won't. And that this has had an incredible transformational effect in some places. And just looking at WhatsApp as this sort of foundational technology proves to be quite interesting.
B
Yeah. So I always like the stories where you can see this sort of arc of history. It's just the kind of person I am, I guess. So the first piece, so it's a series of three so far, talks about how one of their goals was to try and hit every user everywhere on every platform. And so that means people in India which get intermittent Internet access. And so that results in just a way of creating the app that is really robust and reliable and that translates many, many years later to it being used in conflict zones because it's one of the only apps that works. So they talk about how it's poor connectivity, as you said, makes it particularly useful and you know, particularly journalists in Gaza climbing up to a high point because the local cell systems have been destroyed. They're trying to reach quite remote cell networks and WhatsApp still works, but you can't even get email. Doesn't work, for example.
A
No. And I've experienced this myself. Like it is extraordinary how you can send and receive messages when the Internet connectivity is that patchy like it's, I mean you honestly just think, how did they do this? Right, yeah, yeah, yeah.
B
And so some of the original people would hike out into remote places where they basically barely had cell signal just to test that it would work on something like a Nokia C3 phone, stuff like that. And that, that heritage means that nowadays it's quite often used as the app of choice for people like NGOs who are trying to assist in conflict or disaster areas.
A
But as your poise, as your piece points out though, it also is used by the people who are perpetrating the violence. Right. So it's that, it's that double edged sword and that's what makes it, what, what makes it interesting is that, you know, you get a little bit of everything when you roll out a technology like this to everywhere.
B
Yeah, that's right. And the, the series covers how it's been used by influencers in different countries. Brazil, that's very popular, but also India. And it's something that I never use WhatsApp for, but it's also, and how it's used by business. So it's really does a whole lot of stuff that, you know, I use WhatsApp occasionally that I'm just never aware of. And I found the whole series quite fascinating.
A
I mean, look, right as we're recording this, my mother in law's phone died and she's had to dust off her old phone and for some reason, like someone set a pin for a WhatsApp so she can't turn it onto a new phone and like, she's basically like, no one can reach her at the moment because her WhatsApp hasn't been able to be, you know, reinstalled on her own device. And I've had to like, well, maybe she could try this app called Signal. It's a lot like WhatsApp, but it is just everything in Brazil. So yeah, it's pretty cool stuff. All right, we're going to wrap it up there. That's it, man. For 2024. You're actually out on leave for quite a while. You're having an extent, a borderline sabbatical. Tom, when are you back?
B
February. February something or other. Early February, not late February.
A
So yeah, yeah, so you're gonna have a terrific break and, you know, recharge the old batteries there and yeah, we'll catch you in 2025, man. Have a terrific break. Have a great Christmas, have a great summer.
B
Thanks, Pat. And you too.
Risky Bulletin Podcast Summary: "Srsly Risky Biz: Why Two Hats Are Better Than Two Heads"
Release Date: December 19, 2024
Host: risky.biz (Patrick)
Guest: Tom Uren, Public Policy and Intelligence Editor
In the December 19, 2024 episode of Risky Bulletin, host Patrick engages in an in-depth discussion with Tom Uren, the podcast's public policy and intelligence editor. Titled “Why Two Hats Are Better Than Two Heads,” the episode delves into the complexities of leadership roles within the U.S. cybersecurity apparatus, the implications of potential administrative changes, SEC regulations on cyber incident disclosures, and the pervasive influence of WhatsApp globally. This summary captures the essence of their conversation, highlighting key points, notable quotes, and insightful analyses.
Discussion Overview:
The primary focus of the episode revolves around the proposed plan by the incoming Trump administration to split the leadership roles of the National Security Agency (NSA) and Cyber Command. Patrick introduces the topic by contrasting his perspective with Tom’s detailed analysis.
Notable Points:
Current Leadership Structure:
Implications of Splitting Roles:
Decision-Making Dynamics:
Challenges of a Split Structure:
Notable Quote:
[03:26] B: “A single decision maker, responsible and accountable for the mission outcomes of both organizations is best equipped to protect critical intelligence equities... while executing national priorities as directed.”
Discussion Overview:
Patrick and Tom explore President Trump’s distinctive approach to cyber policy, marked by a preference for more aggressive and less cautious strategies.
Notable Points:
Aggressive Cyber Stance:
Implications for Cyber Operations:
Notable Quote:
[10:43] A: “It's interesting because it's one of the only times... an executive... has a clear policy direction in cyber. It's Trump, the cyber president.”
Discussion Overview:
The episode shifts focus to the Securities and Exchange Commission’s (SEC) new disclosure requirements for cyber incidents, examining the industry's reaction and the effectiveness of these regulations.
Notable Points:
Initial Panic and Overreporting:
SEC’s Response:
Boilerplate Language:
Future Outlook:
Notable Quote:
[13:14] B: “So when I was writing this piece, I was thinking... you continue to educate people, cyber incidents aren't going to go away anytime soon.”
Discussion Overview:
The conversation transitions to the pervasive role of WhatsApp in various regions, particularly in countries like Brazil and India, and its impact on communication during crises.
Notable Points:
WhatsApp’s Reliability:
Dual-Edged Sword:
Technological Legacy:
Notable Quote:
[17:51] A: “... it also is used by the people who are perpetrating the violence. So it's that double-edged sword...”
As the episode wraps up, Patrick and Tom briefly touch upon personal updates and future plans. Tom announces his upcoming leave until early February 2025, allowing him to recharge before continuing his work.
Notable Points:
Tom’s Sabbatical:
Closing Remarks:
Notable Quote:
[19:13] B: “February something or other. Early February, not late February.”
[19:29] B: “Thanks, Pat. And you too.”
Unified Leadership Benefits: Maintaining a single leadership role for both NSA and Cyber Command ensures balanced decision-making, safeguarding long-term intelligence capabilities while managing immediate cyber operations.
Policy Direction Matters: The Trump administration’s assertive cyber policies highlight the significance of clear leadership in shaping national cybersecurity strategies, though they must be carefully balanced to avoid undermining foundational intelligence functions.
Regulatory Challenges: SEC’s cyber incident disclosure requirements have led to initial overreporting and the proliferation of boilerplate language, indicating a need for more nuanced and iterative regulatory frameworks.
Global Communication Tools: WhatsApp’s design for reliability underpins its widespread use in both benign and adversarial contexts, illustrating the profound impact of technological choices on global communication dynamics.
Continuous Adaptation: Cybersecurity remains an ever-evolving field requiring ongoing education, adaptable policies, and resilient infrastructure to address both current and future challenges.
This episode of Risky Bulletin offers a comprehensive exploration of pivotal issues in cybersecurity policy, reflecting on leadership structures, regulatory environments, and the broader implications of ubiquitous communication technologies. Whether you're a seasoned professional or new to the field, Patrick and Tom’s insightful dialogue provides valuable perspectives on navigating the intricate landscape of cybersecurity.