
One year into the second Trump administration, th…
A
Is the Shields Up era over for CISA? We'll talk about it on this week's episode of Safe Mode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats while also taking you behind the scenes of the biggest stories in cyber security. An attack is coming. It's about keeping us safe.
B
He's just a disgruntled hacker. He's a super hacker.
A
Stay alert, stay safe, stay safe. This is Safe Mode. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment this week, we're going to have not one, but two experts from the DoD Cybercrime Center that spoke at our recent CyberTalks event. Leslie Burnas and Jeffrey Hunt, talking about all the threats that they are seeing in, in their day to day jobs. But first, really deep dive with senior reporter Tim Starks, who had an excellent look at what CISA has gone through over year one of the second Trump administration. And we talked to a number of experts, a number of politicians, number of ex-CISA employees, surprisingly on the record to say a lot of what we detailed in this story, that things are not good. And that's not to say that. Well, of course, if you followed our reporting, you know that. But this really sort of crystallized how everything has gone over this past year. Would you say so, Tim?
B
I would, yeah. I think one of the things I like doing as a reporter is, you know, we've been reporting on it, others have been reporting on it, about what individual changes are happening, as I said. But I don't think anybody's taken a big step back and said, okay, what do we have now? Where are we left? And one year seemed like a good time to do that. Look, and you know, there was, there was maybe one person I interviewed who was mostly positive. Everybody else was mostly negative, um, if not completely negative.
A
So let's start with what I think is obviously a core reason as to why things have gotten so strained over there the past year. CISA has lost a third of its workforce.
B
That's a huge start. Not only that, but it's who they've lost. They've lost top people who are doing, who have been doing things there for years. People who had been working in both administrations over the years, not just people who were transitions from the Biden administration. There's a certain amount of that that you would expect, right? An administration changes. But we're talking about really senior people who have been at the agency for a very long time who have left. So you know, one of the things that people coming back to is, you know, I wanted to talk about not, not the politics of this so much, but the operational thing. You and I talked about this when we work on the story. Let's, let's tell people what has actually happened. What.
C
Right.
B
What is the operational impact for that? And it really does start with the bodies aren't there. And if the bodies aren't there and you're an industry, and I heard this from many people in industry, if you want to get a meeting with, with CISA, you can't right now, at least not the extent they used to there. You know, there are some times where people would be like, yeah, we've met with this one person this one time. But not the level of engagement they were used to. Not the level of regular, constant back and forth collaboration. And that's at the state and local level as well. Just the loss of bodies has just made a huge difference in what CISA is able to do.
A
So let's talk about operationally, like remind people like what offices are we talking about here? Like all of them. Yes, sure, all of them. But I think it's worth, you know, detailing what offices exactly are we talking about here that had been doing outreach and had been fulfilling missions that are suddenly it's crickets for anybody that really wants to try to collaborate with CISA?
B
I mean obviously one of the most prominent ones obviously is election security. You know, that's, that was cut to almost nothing from, from a significant number of bodies. Secure by Design, the leadership there is gone. You know, Bennie Thompson, the top Democrat on Homeland Security Committee, said his staff has been told that that unit has been decimated. Not just the people leaving. We had the sort of the stakeholder engagement side of things, talking with foreign governments, talking with critical infrastructure owners. We've seen contracts fall apart or you know, sometimes temporarily and come back. But we've seen contracts fall apart on things like the JCDC, the Joint Cyber Defense Collaborative. We've seen funding in for ISACs that were helping the states on a number of functions, including elections. The list just kind of keeps going on and on. I mean it's, it's, it came a certain point where one of the questions I was asking in the stories is what's left? Right, like what, what is, what is CISA still doing? That's useful because, because when I would ask people how is CISA fared? There was a laundry list of like, it's lost this, it's lost this, it can't do this anymore. So it actually, you know, I don't want to say that, that an agency that has, you know, a billion plus dollars of funding is not doing anything. It is, but, but what is left is remarkable compared to what, what, what it had been doing.
A
So before we get into what exactly is still going on, that had sort of a positive aspect in the story, the ISAC part of it. I know you talked to an ISAC expert that sort of dove in on what exactly his experience has been over the past year. Can you elaborate on that?
B
Yeah, that was Errol Weiss, the Health-ISAC. You know, he, he, he did have some points about what, how CISA does still have value. But he did talk an awful lot about the idea that CISA had all these capabilities and there have been explicit executive orders saying we want the states to handle some of these things now. And his response was, well, there are 50 states and we don't have the idea that we're going to have that kind of expertise spread out among 50 states. It just doesn't work. That's why you need a centrally coordinating function, which is what CISA is supposed to be doing. I mean, one of, it's got a few big roles, but one of the big ones is where the people are going to coordinate, where the people are going to get everybody together. He talked about just his, you know, their inability to get meetings and saying, you know, maybe you can argue that, that he has a cause to promote in the sense that he runs the Health-ISAC as a, as the chief, I think the chief security officer, he has, he, he obviously wants to promote that organization, but he said this is kind of why people need to stop relying on CISA so much and start relying on each other because we just don't, they don't have the capabilities. CISA doesn't have the capabilities and the states can't have the capabilities. So who's going to do it? We kind of have to do it for each other is what he's getting at.
A
Right. And I think it's really interesting from a health standpoint. Right now we're seeing the string being pulled on the Conduent breach. For those unfamiliar, Conduent is a company that does a lot in the healthcare space, handles a lot of healthcare data. And it seems that day after day after day we're seeing more data breach notifications go out related to that and in years past, CISA would have at least helped like you said, coordinate and help different parts of people affected in the industry get their arms around that. And it seems like that there's. That's just not there anymore.
B
Yeah, I mean, he specifically said, you know, during the Change Healthcare breach in 2024, CISA did a great job of that. He and others now, you know, he, he said, I'm not sure that they would be able to do that now. Other people in industry said similar things about if there was. If Volt Typhoon, the Chinese hackers decided to activate their malware that's planted in our critical infrastructure that we've been hearing about for years, would we be able to deal with this? And the answer was, I don't think so, that any crisis that might come our way in healthcare or elsewhere, that CISA's not prepared to deal with it right now. And that's. I think that's the thing that was one of the things that struck me is how many people said that, including, you know, Andrew Garbarino, who's the Republican Chairman of the House Homeland Security Committee. I think he, you know, is a. He likes Trump. I think he's talked about thinking that, that there are certain things that he's done with CISA that are good, but he's also been one of the Republicans who's a little bit. A little bit more willing to speak out than some other Republicans about when he doesn't agree with what's happening.
A
Right.
B
And very vocal about this.
A
It really goes to show that this is about a lack of operations, basically. This is not a political mudslinging which we see all over the place in Washington. This story really focused on what, what the agency was doing outside of whether it mattered in any sense of a political sense.
B
Yeah. And I really expected to hear from people, you know, I talked to Republicans who have served in the Trump administration. I talked to Republicans on the Hill, Obviously, I talked to people who were on both sides of the political equation. And what I'm used to with stories like this is that while there might be some, some balance on the degree of criticism, you know, the, the party that's in power is usually going to say, we think they're doing a good job, but also we think they could be doing this better. That wasn't. It wasn't this way. It was the complete opposite way. This, that all of these things that are happening are bad, but also there's a little bit of good. It's. It was. The balance was completely switched from what it usually is.
A
So with all of these operational issues, leadership comes to mind, obviously. And we know for months now that Sean Plankey's been in limbo and obviously that was a big part of the story as well.
B
Huge part of the story. I mean, I think, you know, not to undersell. You know, everybody pointed the finger at the Trump administration to some degree. Everybody pointed the finger to Congress to a certain degree. But, but, but both people, everybody was like, both of these parties are responsible. If Congress had put Sean Plankey in place, maybe things would be better off is what a lot of people said. If Congress had passed the CISA 2015, the Information Sharing law, maybe things would be better. If the state and local, if there hadn't been these government shutdowns, maybe things would be better. But I think everybody, you know, the idea of having a Senate confirmed leader is that that person has more standing with the administration. They have the idea, they have the ability to sit at senior level table engagements within the administration and say, this is what CISA can bring you. This is what we're able to do. And maybe then a lot of the animosity that this administration came in with towards CISA, because remember, Trump doesn't like this agency. He's always been very vocal about that, or at least since 2020, he has been very vocal about that, that maybe things would be different. I don't think that it would completely change everything. You know, if you cut an agency by a third, you're still going to have huge problems. But, but maybe, you know, if you're, if you're looking for signs of hope for what CISA can do, maybe Sean Plankey coming in can make a difference. Maybe they can start rebuilding some of that personnel if Plankey can make that case. And I think another thing that the story touched on is that, you know, the acting director is, was supposed to be the deputy director. He was someone with a technical background. There have been a lot of questions about Dr. Gottumukkala and how good a job he's doing. People outright were pretty much not, he's not up to the job.
So it's not just that Sean Plankey is not there, it's also that the person who's there has not been getting good reviews from most people.
A
So with all of that, there were still some people that were like, CISA can do some good things. What are those good things? I think people are really asking what, what is left to do that is good.
B
Yeah. And I, you know, even in the last few days we've been seeing some of this, the element of them putting out public warnings, doing some of the, some of the work to protect federal networks, we've seen some binding operational directives from them during this time. Although some people are saying even that's weakened, it's still able to do that. You know, Jeff Greene, who had been in the prior administration, you know, I don't think he was necessarily coming in with like a, I want to be kind to the Trump administration for that interview, necessarily, but he said they're still doing good work on the releasing of reports about what's dangerous. I don't know that the volume is the same, I don't know that the rigor is the same, but I know that there are people who are capable of doing that work, who are doing that work. So there are some, there are some spots where people could point out and say, this is good. I think if you're in industry and you were concerned about the CIRCIA regulation on notifying the government when there's a big critical infrastructure breach, that there, that there was a lot of criticism from the, about the previous administration, both sides of the aisle, that that draft legislation, that draft regulation was too, too strict, too onerous, if you will. So I think that people who are hopeful that the fact that this administration has, they're going to have some more town hall meetings, even though there have been people who said, we don't need more town hall meetings, they're at least listening, they're at least indicating that they want to do more to make this better for industry than the criticisms that they've received. So there are places where you can say it's still doing a decent enough job of what it was already doing, or in one case, maybe it's better, depending on your political perspective. But the ultimate result is still it's in a bad place and it's going to be hard for it to get into a good place.
Because if you've been, if you've been watching what's happening at CISA, do you really want to go work there now? One of the things that I'm getting in terms of getting a response to the story is that was hard to read because people care about CISA in our community. Right. I mean, I don't remember when it was being created. People weren't sure it was even needed to be created or that it, that, that this idea that this agency was going to somehow bring something to the table, it was a question, right? And, and, and there have even been people who over the years have been saying they don't think it's doing enough or it's not doing a good enough job or it's not doing what we wanted it to do. But even those people are like, this is, this is a big diminishment of what we wanted it to be able to do that it was achieving. It's, it's been a real backslide for everybody who cares about the Agency.
A
Yeah, a lot of work ahead if CISA is going to fundamentally get on track with its operational reorganization. I know that that has been a big, a big, a big term, the reorganization. So, yeah, a lot of work ahead. You want to check out the story, please visit cyberscoop.com. Tim, thanks for joining us.
B
Thanks for having me.
A
Joining us on our interview segment this week are two experts from the DoD Cybercrime Center, Leslie Bernis and Jeffrey Hunt, a couple weeks ago at CyberTalks. And by the way, if you weren't at CyberTalks, what were you doing? Come join us at one of our events.
B
They're awesome.
A
At CyberTalks, these two experts really showed us the unique spot that the DoD Cybercrime Center sits at, looking at all the threats that affect the defense industrial base, which really affect a lot of enterprise companies as well. So really interesting look at the nexus between the public sector and the private sector. Talking about all the threat intelligence they see, talking about how cybercriminals move cryptocurrency and all of the threats that come with that. Look, it's, it's a wild time to be in threat intelligence. Threats are moving faster than ever. And Leslie and Jeff really give us some insight onto what they are seeing on a day to day basis. Check it out.
D
We've talked a little bit about cybercrime and some of our malicious threat actors. A lot of their activities are now leaning on the use of cryptocurrency. So we'll talk a little bit about the challenges that presents for us and the approach we're taking to address that. So our cyber criminals are increasingly leveraging virtual currencies because this provides them fast cross border movement of illicit funds. It allows them to insulate themselves from the traditional international banking sector because when they try to deal with moving physical currency across borders, they've got to worry about crossing border patrol, they've got to worry about reporting requirements. If they try to do that digitally through the traditional banking system, then they're worried about those banking agencies being able to leverage those financial instruments, doing things like reporting transactions, potentially seizing or sequestering funds. They want to be able to sidestep that. And so the use of virtual currency, which is outside of which is crowdsourced, and outside of that system allows that insulation. So one of the things that we're seeing here is that in addition to that reduced reliance, they're allowed to now achieve obfuscation and laundering of funds much more easily. Traditionally, you had to have a network and a good amount of knowledge to understand how to move all the money around to make that trail more difficult. Since this is now something through virtual currency that can be done from a single keyboard, this is something that can be scripted out, or this is something that can be achieved through smart contracts where the wallet itself will do the moving of the money with no input from the user. So what that means is that the user, the illicit actor, can be handed, push this button, your funds will go places, they will make multiple hops, you won't have to do anything. It lowers the bar for them, which raises the challenge for us. 
We're seeing because of this, that this has expanded far beyond traditional crime. We are no longer talking about individual actors trying to finance a small illegal transaction. We are seeing things at the organized crime level, the cartel level, the nation state level, as they try to deal with large scale money laundering, but also sanctions evasion, evading financial sanctions, but also making payments for technologies that they're not allowed to have. So what is our approach to addressing this? A lot of things. We want to start from a known context point. So if we have an address that was given to a ransomware victim, if we have digital addresses that were on the seized phones or the seized laptops of an investigation, or somebody that was stopped at the border, that gives us a context point that we can expand out from that. And then all we want to do is analyze these transactions. Who are they paying? Who have they received money from? What does that tell us about the roles and the, the parts of the transaction that somebody was in? So a ransom payment comes into a wallet, it goes out to the various affiliates that helped to compromise a network. And based on how much they received and when they received it, we can kind of tell what they were responsible for. Which also allows us to build an evidence tree. We can look at things like exposure types. We see a single wallet. What does this wallet normally do? 25% of their payments go to infrastructure that we know is tied to illicit activity. 10% of their payments go to payouts to foreign nation states. And it gives us a feel for, okay, what does the owner of this wallet typically engage in? And also we can look at laundering tactics. So we talked about the idea that they may want to automate some of these processes. But as those processes, those TTPs become repeatable,
it allows us to fingerprint, okay, this is what money laundering looks like for this particular organization, which allows us to recognize it while it's in progress, maybe predict the next places that those funds are going to go. So as you look at this approach, what we want to do is want to identify key identities. We talked about identifying those service providers, but also gives us predictions and early warnings of attacks. Because if somebody is going out to pay one of those providers, it's because they're procuring infrastructure for something. It lets us know that something is being set up. We want to identify exchanges and cash outs. So this is large. Normally, even though they want to do a lot of the moving in cryptocurrency, they have to get back to paper currency at some point. You can't pay bodyguards, and you can't issue bribes with cryptocurrency all the time. You have to find a way to exchange that back into traditional currency. We want to identify the exchanges which our bad actors are using to do that, because that allows us to tell our partners in the law enforcement community, the counterintelligence community, where evidence may exist, this is the exchange that this bad actor used. This is somewhere where you can serve legal process and maybe be returned the identity of who registered for accounts or the IP addresses of the computers that were used to log on to these online services. We refer those to our partners at Department of Justice, to Treasury, Homeland Security, HSI, and they were able to carry that ball forward. So what is the impact? What's the output of these types of activities? Well, one of the things that we're looking for is an actual opportunity to intercept some of these funds before they get to their end location.
Or if we can identify these funds got there and they were the proceeds of illicit activity, we have the possibility of putting together the patches that will give legal justification to seize and recover those funds. This is important because this allows us to do a couple of different things. It allows us to disincentivize the actors. They're only doing this to get paid. If we can make it difficult for them to get paid and may take away their motivation to engage in that activity, we're able to deny resources to actors. If you look at this example of an operation that was run by Department of Justice with input from DC3, with input from some of our international partners, they took down the infrastructure that the actors depended on. They took down the actual website that they were using to name and shame and extort victims. So we know that the next thing that those threat actors would want to do is go reconstitute. They've got to buy new servers, they've got to buy new websites. If we've taken away their resources, we've taken away their funds, we've made it more difficult for them to actually do that because operations cost money. And lastly, we want to restore our victims. This is good for the economy. It's the right thing to do. But also it's good for national security, because if a business goes out of business because they paid a ransom and the hit caused them to go bankrupt, well, that company is no longer able to invent the tool that our war fighters might need in the next generation. So we want to keep these companies online so they can keep doing the good work they do that supports us in addition to the money. Let's talk about the people. So we want to unmask the identities of the people that are engaged in this. Their feeling of anonymity, their belief that no one knows who they are, is what gives them the comfort to go ahead and conduct these illegal activities. 
So you want to expose them to the world, shine a light on them, identify what their identities are and what their work roles are. But also, we need to establish that for evidence as we reach out to both our domestic partnerships, through Department of Justice, through Homeland Security, but also some of our international partnerships that we need to support us. We need to be able to build a case that meets our standards and their standards to authorize whatever types of actions we're suggesting. Here we have an example from that same group, from that same ransomware group of some actors that were engaged in high level ransomware activity, they're not going to travel to the United States because they know it's not safe for them there. They could be arrested. But they did try to go on vacations, they tried to go to Thailand, they tried to go to South Korea. And based on the evidence that we were able to put together, we were able to send that to Department of Justice. Department of Justice was able to coordinate with the Thailand authorities, the South Korean authorities, and still leverage those detainments and actually get those individuals arrested and brought back to face justice. What that allows us to do is not only make sure those actors are held accountable, but lets all the other actors that might be considering the same type of activity understand that you're not safe if you engage in these types of activities. You can be arrested. And additionally, even for the actors who choose not to travel because they want to insulate themselves from arrest. They realize now that their ability to travel throughout the world has been sacrificed. Their life has gotten significantly worse because they've chosen to go along this path. So this gives us all these different levers that we can pull to basically let those actors know that this is not a path you want to take.
There will be consequences that the US Government can leverage upon you if you choose to go that way. Thank you for your time.
C
This is a pretty unique opportunity for me, especially as an Air Force Office of Special Investigations special agent, to speak at the Spy Museum and talk a little bit about cybercrime. The unique thing about that video is those are all real vignettes from the work that we do at DC3, and I'm really proud to highlight and share that with you all today. I want to thank Goldy for everything that she does for this community and the kind introduction and for the invitation and for your leadership creating a space where government, industry and critical infrastructure partners can come together for real, substantive dialogue. So thank you. Events like CyberTalks matter because the challenges we face in cyberspace do not respect organizational boundaries, sectors and borders. I'm also honored to be speaking alongside such an esteemed group of professionals with an extraordinary depth of expertise, from policymakers and technologists to operators and infrastructure owners. I appreciate each of you for the work you do every day to defend our cyber landscape. We are meeting at a moment of growing urgency because cybercrime is no longer just about stolen data or financial loss. Cyber threats are no longer theoretical, episodic or isolated. They are persistent, adaptive, and increasingly strategic. Cybercrime has become a strategic enabler. Cyber groups now operate with nation state levels of sophistication. They exploit zero day vulnerabilities, launder proceeds through global networks, and increasingly act as proxies, or at least willing partners for hostile states. Ransomware campaigns disrupt hospitals, pipelines and municipal services. Intellectual property theft erodes U.S. competitiveness and fraud and data breaches undermine our public trust. And artificial intelligence is accelerating all of it, lowering barriers to entry while increasing speed, scale and precision. Cybercrime today is not merely a law enforcement issue.
It is an economic threat, a national security threat, and a resilience challenge. And that is precisely why CyberTalks is so timely. Within the Department of War, there is a clear understanding that and especially the fight against cybercrime is foundational to national power. The Secretary of War has been very clear in his priorities. Reviving the warrior ethos, rebuilding our military and defending our homeland. You cannot maintain readiness if criminal actors can disrupt logistics, compromise data integrity or extort mission critical systems. And you cannot rebuild our military and reform if legacy systems and slow processes give adversaries persistent advantages. And you cannot defend the homeland if criminal infrastructure operates faster than our ability to defend, detect and disrupt it. Defending against cybercrime is mission assurance. DC3 is a Federal Cyber Center and Department of War Center of Excellence for Digital and Multimedia Forensics, with trusted partners across the federal government, the Defense Industrial Base and international allies. Our mission is to deliver innovative capabilities and expertise to enable and inform law enforcement, cybersecurity and national security partners. Our goal is to disrupt and prevent cybercrime that threatens the Department, our partners and our nation. At DC3, we approach cybercrime as an ecosystem problem. Not a single incident, not a single actor, not a single sector. And I'll highlight how this translates into action. DC3 provides world class digital forensics, malware analysis and technical expertise that turn cyber incidents into actionable investigations and operations. We assist law enforcement and counterintelligence partners to attribute cyber activity, understand criminal infrastructure and build cases that hold malicious actors accountable. Whether through disruption, prosecution or other national capabilities, cybercriminals thrive on anonymity and our job is to take that away.
Through DC3's vulnerability disclosure program, we proactively identify vulnerabilities across the Department of War and Defense Industrial Base networks, often the same vulnerabilities exploited by ransomware actors, criminal fraud enterprises and criminal marketplaces. This is not reactive defense. This is crime prevention at scale. By finding and fixing weaknesses before criminals exploit them, we reduce attack surface, deny opportunity and protect both Department of War mission systems and private sector partners. Cybercrime does not exist in isolation. Criminal infrastructure overlaps with espionage, influence operations and nation state campaigns. Ransomware profits often fund hostile activity, and stolen credentials and access are reused across multiple operations. DC3's analytics and intelligence integration allow us to see patterns across investigations, linking capabilities, tactics and actors. And we are able to share that insight with partners so they can defend smarter and faster. Cybercrime evolves rapidly, and defenders must evolve faster. Through the Cyber Training Academy, DC3 equips investigators, analysts and cyber professionals with advanced skills in malware analysis, cyber investigations, crypto exploitation and emerging technologies. This directly supports one of the Secretary's most important priorities: our people. Because technology alone does not stop cybercrime, the Department's skilled employees, empowered professionals, do. But none of this works without partnerships. Cybercrime targets the seams between agencies, between public and private sectors, between policy and operations, and criminals collaborate and share tools, which allows them to adapt quickly. And we must do the same. The Department of War has emphasized public private collaboration, information sharing, and collective defense as essential to cyber resilience.
At DC3, we see firsthand that the strongest outcomes occur when industry partners engage early, reporting incidents, sharing indicators, and working collaboratively to remediate risk. Defending against cyber crime requires trust. Trust that sharing information will lead to action and not punishment. Trust that collaboration strengthens everyone's security. But that's enough about that, and let's talk a little bit about artificial intelligence. And artificial intelligence adds urgency to this mission. AI is already being weaponized by cybercriminals, automating phishing, generating malware, and scaling fraud. But AI can also be a force multiplier for defense, enhancing detection, accelerating analysis, and helping investigators connect the dots that would otherwise be missed. The Department has been clear about pursuing safe, secure and responsible AI. At DC3, we are focused on using AI to augment human expertise, not replace it so we can move faster than the criminals and defenders can stay ahead of these emerging threats. So what does success look like? Success is fewer opportunities for cybercriminals, shorter dwell times when intrusions occur, faster disruption of criminal infrastructure, and stronger resilience across government, industry and the critical infrastructure. Cybercrime will not disappear, but it can and will be contained and constrained. And it will be made far more costly for those who pursue it. The fight against cybercrime is not abstract. It is operational, urgent, and shared. Together we will defend the systems, data and public trust that our nation depends on. Thank you again to Scoop News Group and Goldy Kamali for the leadership for bringing the community together. Thank you to my fellow speakers and everyone in this room for the work that you do, often quietly, often behind the scenes, often under pressure to protect our nation.
In the digital domain, the threats are real, the stakes are high, but so is our collective capability. Thank you and I look forward to the discussion.
A
Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy, brought to you by CyberScoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co-workers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cyber security. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com. Thanks for listening. Check us out next week.
Safe Mode Podcast
Episode: Is the 'Shields Up' era of CISA over?
Date: February 26, 2026
This episode explores the current state of the Cybersecurity and Infrastructure Security Agency (CISA) one year into the second Trump administration, questioning whether the "Shields Up" era—CISA’s high-alert, proactive cybersecurity approach—is effectively over. Host Greg Otto is joined by senior reporter Tim Starks, whose in-depth reporting draws on interviews with politicians, industry experts, and former CISA staff to assess the agency’s drastic changes and challenges. The episode also features insight from Leslie Burnas and Jeffrey Hunt of the DoD Cybercrime Center, sharing frontline experiences on evolving cyber threats, especially the growing role of cryptocurrencies in cybercrime.
"It's been a real backslide for everybody who cares about the Agency."
— Tim Starks [13:47]
"In the digital domain, the threats are real, the stakes are high, but so is our collective capability."
— DC3 Expert [31:34]
For the full story and more cyber news, visit cyberscoop.com.