
On this episode of Safe Mode, Greg Otto and Tim S…
A
The Trump administration cybersecurity strategy is out. What next? We'll talk about it on this episode of Safe Mode. Welcome to Safe Mode.
B
I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cybersecurity.
C
An attack is coming.
A
It's about keeping us safe. He's just a disgruntled hacker.
C
She's a super hacker.
D
Stay al. Stay safe.
C
Stay safe.
A
This is Safe Mode. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment this week, you're going to be hearing from Mike Duffy, the federal CISO. He recently spoke at CyberTalks about all of the priorities that he is laying out over the course of this year. And it's going to be a busy one because we also have Tim Starks joining us to talk about the Trump administration's cybersecurity strategy being released on Friday and all of the things that portends. So, Tim, thanks for joining us.
C
Yeah, happy to be here.
A
So let's start with what we saw from the cybersecurity strategy. I mean, we had written about months ago that it was going to be pretty simple, five pages, a couple pillars. But there were some slight tweaks, I would say, since we, we first started hearing about the drafts. But what, what did we see when it would finally hit the public?
C
Yeah, I think so. I, I don't know if I. Tweaks, maybe. Certainly there were things, there were a few things we didn't expect. Right. Because we only had kind of a high level summary in terms of what people talked about that were in there. So I, I wasn't expecting them to talk about surveillance, for instance. Okay. And, and combating it nation, not, not nationwide, but worldwide. But if the six pillars were pretty much as we expected, you know, that the, I think if there was a slight tweak, it's like, I think that there were, of the, of the seven pages, we, we'd only said there would be five. One was a cover page and one was a, was the end page.
A
So we nailed it.
C
We, we nailed it there. And about, and almost, about half of it was just preamble. So you're talking about two and a half pages of, of them saying we're going to go get the terror, we're going to go get the cyber bad actors. Trump is great, you know, kind of the things you might expect and then the six pillars were as we had previously reported, but within some of those pillars, there were some things that I was like, oh, I didn't know that they were going to do that.
A
So let's talk about that. Well, what, what piqued your interest there?
C
I think there were like the surveillance thing I think was noteworthy. I mean, certainly you can say that it's a commendable goal that they would want to tackle repressive regime surveillance. I think, you know, there'd be a lot of people who would say about this administration that they've expanded surveillance on people and have repressed them. So interesting to see that passage. Right. I think that some of the things related to AI were a little bit more specific than maybe I thought they'd be. What else jumps out as like a slightly different or new. I think those are the couple, really just a couple things.
A
To me, I, I don't, I don't know this necessarily new because we've seen this in previous administrations and this has just been a line of thought, I would say, for the past decade. Was the workforce part of it, especially in the DOGE-ified Trump administration? Like, okay, like yes. What is on the page there is correct in that there needs to be more of a workforce for cybersecurity, whether that is in the public sector or private sector. But we are talking about public sector here. And it's like, well, you had that, like, let's talk about the actual reality of the on the ground. You've, you've really spent the first part, first year of the administration pushing that workforce out. So it's, it really in, in the nicest reading, I guess that I could put it, it's that, well, you, you set up a goal that you kneecapped yourself with over the first year of your administration. Yeah, just, it's contradictory.
C
It is. I, I, I, you know, there were a lot of contradictions throughout. I'll, I'll speaking somewhat of contradictions. But also going back to your earlier question, there was a passage in there saying they wanted to address software liability, which I, I didn't see coming. Certainly it was something that Rob Knake, who had written the previous strategy for the Biden administration or co-written it, had said that was something that if they didn't address in this administration, basically it was going to be a waste of time. That's how big an issue they thought that was in the previous administration. And so to see anything that harkened back to what the prior administration wanted to do was a little surprising. Because if Trump defines himself in any ways, it's often by how he defined himself against what previous people were doing. So that was a little surprising scenery and a little contradictory on the workforce front. I do think we got a little bit more detail from Sean and things he said after the release of the. So, you know, the strategy came out on that Friday, Monday, he started talking about this is what we're actually going to do. And so he'd been mentioning that there was going to be this cyber academy that was going to bring together all of the federal efforts on workforce that exist somehow. He says there could be more details about this soon. But also an accelerator and a foundry connected to it that are involving getting capital going. I think the other thing that's kind of interesting in the context of the administration cutting so many cyber personnel is, is that, you know, there was some news recently that the OPM was going to be looking to hire back some people. Maybe not hire the same people, but hire more people.
A
Right. The jobs are suddenly open again.
C
Yeah. So I think, think, you know, some of this wasn't about necessarily shrinking the size of the government. Some of it might have been about bringing in the kinds of people. You know, he has this idea that there's a deep state and everybody's trying to get him. So if you get rid of the people who are trying to get him, and CISA was an agency that he thought was trying to get him, maybe then you can be like, we're going to bring in the right kind of people. You know, he's, he's, there's all these rules that he's had about hiring people for political positions that have not been political before. So, yeah, I think he definitely, you know, from the standpoint of what we know about cyber and what we talk to people about cyber about this, this administration hurt the cyber workforce. But maybe the idea was to change it more than to hurt it. And I don't know that that is going to end up getting the result they're wanting. If you lose expert personnel, it's not like you can just suddenly hire another cyber expert, like, okay, bring in some more cyber people. It's not that easy.
A
Right.
C
Which is why we have these job work shortfalls all over the country.
A
Right.
C
And all over the world.
A
So with that, that, that part of it, and especially with what I want to get to what Sean Cairncross said, because you followed him in not one, but two public appearances on Monday where he did sort of spell out what does come next. And you talked about the cyber academy, but there were some other things he talked about that that will really sort of ferment what the, the cyber strategy does.
C
Yeah, they. And you know, in terms of the stra. The strategy was very, very broad, very high level, you know, where there were specifics. I was surprised. So to hear Sean Cairncross talk about stuff that was substantive was a little different from what we've been hearing from them in terms of how they're going to do things differently or how they're going to improve things or how they're going to bring new things to the table. And so one of those things, and again, I don't want to make it seem like these are huge things, but they're relative to what the administration has been doing. They're pretty big.
A
Right.
C
So one of them was to have an, an interagency body come together to deal with the cyber offense question that they've been talking about a lot, which is the main pillar. I think the first pillar from this, from the strategy is we need to shape adversaries' behavior. And Cairncross emphasized that doesn't just mean offense in cyberspace, it means also all the other things that we associate with previous administrations, arrests, sanctions, diplomatic efforts. So that's one thing. Another thing is they talk about a lot of pilot programs, multiple pilot programs. And at the state level, some of them focus on critical infrastructure, some of them focus on critical infrastructure within a certain state. He mentioned beef in South Dakota, I believe, and water in Texas makes sense, but also also state law enforcement pro pilot programs of some kind. And you know, he didn't put a lot of flesh on the bone, but it was more flesh on the bone than we've seen.
A
Right. And when it comes to cybersecurity, that is something that we've heard in the past year is that not that they want to push all the liability onto states, but they want states to be more proactive when it comes to what needs to be done cybersecurity wise. So it sort of matches up with what we have heard from administration officials.
C
Yeah, I think it'll be interesting to see how much of a federal role they want to be happening there because there, you know, there were actual executive orders where they said we're going to be pushing some of this stuff to the states. And the states have felt that. The states have said we feel like the things we used to get from CISA we're not getting. So how much help they're going to provide and in what capacity will be interesting to see and how much they expect the states to do things versus how much of a nudge or assist they give will be really fascinating to watch play out too.
A
So something that you mentioned that I want to go back to the software liability part of it and how that really, I think it's a good encapsulation of the response that we got and people going that some of this is inherently contradictory to some actions that we've already seen. Software liability part where, okay, they, they talk about trying to have vendors be more responsible for the code that they ship. And I think Sean talked about that on Monday where he's like, got to bring vendors to the table, get them invested in making sure that this software is in fact safe. Well, OMB rescinded a memo a couple months ago where they basically put SBOMs on the back burner where they're, they're voluntary.
C
Right.
A
And the software attestation, if that is, if you, if you want to do it, great, you can, you don't have to do it.
C
And it seems they don't have to do it in a certain way.
A
Right, right. And it seems like that gets to the contradictory part that I was talking about and it just seems that other people picked up on that too from your conversations.
C
Yeah, definitely. I think, you know, you can kind of go through each pillar and say, they say they want to do this, but this is what they have done.
A
Right.
C
And you do see contradictions. I think the software liability piece is something, you know, I've been writing about cybersecurity as long as I have. I feel like I mentioned it every time I talk. I've been writing about cybersecurity for a long time. But the software liability piece has been coming up ever since. I mean, Bruce Schneier talking about this to me when I was a cub cybersecurity reporter where if you could really try to address one thing in cybersecurity, you know, I hear some people, sometimes people bring up this workforce thing, sometimes people bring up this software liability thing. There's the, the major things that if you wanted to fix cybersecurity, it would be this. And so I don't know how they're going to address it. Certainly I think the industry friendly approach they've had in terms of, you know, they're talking about cutting back regulations as part of this, part of the strategy. Software liability kind of, kind of goes against that in a lot of ways because you're is a regulation, it would be regulations or it would be law. It would be something legislation, it would be lawsuits. It could be a lot of ways you could address that question. And I don't think there are any of them that you see industry groups jumping up and down and saying, we like that one. It's a fundamentally confrontational thing to say, hey, you software companies, we're going to make you so that you are responsible for this in some way, shape or form. So I don't know how, how you talk about addressing software liability in this administration with the approach I've taken to date, maybe, I mean, maybe they'll surprise us. Right? And they, they do that a lot where you're, you're thinking, oh, they're kind of not going to do it that way, and then they just turn around and do it that way. So it's possible that they've got something up their sleeve. 
But that would, that's also maybe, you know, one of the reasons it hasn't been addressed is because it's also really hard to address. What does that even look like? How do you really, truly write a legislation that would work? It's such a complicated, thorny problem. It would be really fascinating to see them do much on this at all, let alone something major that would be really fascinating.
A
So Sean talked about the plan in not hypothetical terms, but sort of the roadmap. We don't know dates or anything like that. But what's next? Is there an implementation plan that's going to be dropped? Or now that this is out, what can people see coming down the path?
C
Yeah, I was hoping to get more from him than we did, frankly, on that. You know, all the people I've talked to have said, you know, they're, they're expecting executive orders, possibly they're expecting, you know, the prior administration put out their strategy and then they put out a whole separate document that said, here's how we're going to implement this and walk down what agencies were going to do what. And then they did updates on it to say, this is who's done what so far. So I don't know if we're going to get either of either of those things or if we're going to get kind of a trickle of things where, you know, to hear him, to hear Sean talk about it, the, the, the cyber academy and the foundry and accelerator, we're going to be hearing more about those soon. That sounds like a separate piece. It doesn't sound like this is going to be part of an implementing, implementing guidance, because I think you might would have said that overall. Right. So I think, if I had to guess right now, based on what he said, compared to what my sources had said private prior to this, it sounds like stuff is going to trickle out, but, but my prior reporting was that they were going to have some kind of implementing guidance or executive orders. I still think that's on the table. Potentially. They released an executive order on that same day. It wasn't so explicitly tied to, if you read the strategy, what that cybercrime and fraud executive order was doing. But it wasn't a coincidence that they released them on the same day. So I think we could see all of those things or some mix of them or I don't think we're going to see just one thing.
A
Right. Okay. Well, whatever we see, whenever we see it, I am sure that our CyberScoop readers and listeners will get their information from Tim Starks. Tim, thanks for joining us to talk about it.
C
Yeah.
A
From talking about the cybersecurity strategy with a reporter that's covering it to hearing from a man that is responsible for implementing it, we're going to be talking to Mike Duffy, the federal CISO, in our interview segment. Mike recently talked at CyberTalks a lot about the priorities that he's facing this coming year. And now with the cybersecurity strategy out, you can see where things are coming together, whether it is just enterprise wide, across the federal enterprise, enterprise wide security, AI, all the things that are talked about in the cybersecurity strategy and all the things that the federal CISO community really pays attention to and really carries out on the day to day. Mike lays it out what we're going to see in 2026. Check it out.
D
All right. Good afternoon. How's everything been? Great. I just got in. There's quite a bit of traffic.
A
How's everything been?
D
There we go. All right. I see some familiar faces. This is a great crowd. It's great to be in the spy museum. I've never been to this location before, so really good to see so many familiar faces, so many folks talking about these important topics on cybersecurity, artificial intelligence. I am sure that you've heard quite a bit on the threats and opportunities of artificial intelligence, its convergence with AI. I will spare you some of that. I just learned I'm between lunch and an awards ceremony, so I will be brief. But I'm happy to speak with you after my remarks today. I think whether you consider this to be an inflection point or a wake up call or just the next kind of iteration of technology across our landscape, I think we have clearly crossed that threshold of panel discussions and hypotheticals and experimentation to actually kind of an operational reality in cybersecurity when it comes to the use of artificial intelligence. And it's a reminder that we are long past the point where we can start considering our next step. We have to be here at this point. The decisions that we're making now have to consider agility and resilience as this environment continues to evolve. And this really is a pivotal moment. I'm probably saying the things that many of the speakers and panels have already said today, but I think it's important to reiterate, emphasize the point that we're in. Our foundational cybersecurity policies have largely been shaped over the past decade in response to significant cybersecurity events. I'm sure many of you reference these on a daily basis. As you're pointing back, remember when we responded to X, Y and Z, remember what happened when we didn't have this or that? Those policies were not designed with AI and the risks inherent to this new era in mind, nor do they fully harness the potential and the opportunity that we have based on where we are today. 
And yet good cyber policy has to be enduring and adaptable to whatever is thrown at us. We have to react but not be volatile. We need to be forward thinking and vigilant, but not overwrought. We need to make sure that what we are putting in place now can endure in the future as we consider the future environment as it changes now. Fortunately, a lot of those core principles that we've been working through and implementing over the years still largely apply. Zero trust. Know your environment, operational visibility, you know, reducing your attack surface, prioritizing high value assets, hardening your cloud environments, all still extremely important for us. And our roadmap favors decisive action with these existing constructs while deliberately adapting those policies over time. It should reflect what we've learned as we proactively take action, not when we are picking up the pieces. We should be thinking about what policies are necessary based on the capabilities, the threats, the issues that we're seeing now, and ensuring that we've built that policy apparatus, this mechanism in place now so that we can move forward confidently, focus our people, our processes, our technology on where we will be going and where the technology is leading us. Importantly, as we enter this new era defined by AI interconnections, the expanded dependencies that all of us have, we can't wait for the next crisis to inspire our action. And I think that's the call that you've likely heard from many of the speakers today. This is not the time to wait for the next thing. We need to resource, coordinate, orchestrate what action looks like, put those policies in place, take immediate action, decisive action to get ahead of this threat and move forward confidently. Now, the administration has been clear on its goal to leverage technology to better serve the American people. Faster services, more secure services. 
And in fact, the President's management agenda also has a cybersecurity specific cross priority goal. This is a very important step, the administration taking this responsibility seriously to ensure that we are not only modernizing the services to the American people, but we are adequately securing them on their behalf. Now, our roadmap is shaped by three priorities that I've discussed in forums similar to this one. The first being focusing our enterprise cyber defense. That's really making sure that we're operating as a federal government, as a cohesive unit, as a unified front. We're making best use of our cyber investments across the board to act more efficiently and to work with each other moving forward. Second is improving operational resilience. That's continuous mission delivery regardless of the persistent threats and risks that we're facing. And third is securing the modern United States government. The modern government in the sense that as all of us are thinking of ways that we're modernizing how the government serves its people, we know that new technology and new approaches will require us to consider security in different ways moving forward. Now, all three of these priorities converge when we're looking at ways that we are optimizing cyber defense for the enterprise, both within agencies and across all agencies, to ensure that we are fully coordinated against these AI enabled attacks, that we can make strategic decisions based on the threats that we're seeing in our landscape and we can rapidly respond as they come. I'll mention three of these initiatives that we have ongoing right now with agencies to give you a sense of where our focuses and our priorities lie. First, we have to consider the impact of emerging technology and the threat environment when it comes to the most basic processes, procedures and protocols of the government. We ask a simple question. Are agency teams prepared to respond to the next big thing? 
Can we across the interagency ensure that our protocols are in place and efficient and effective to counter the threat, but also respond effectively? This is where resilience is so important. Last month I convened over 60 cyber practitioners, leaders in both CISO positions as well as SOC directors to have a discussion on this. A tabletop for the first time across government to hear from the civilian departments and agencies, what are the protocols? What are the procedures? What might fall as we're looking at faster attacks, scalable attacks, issues that we haven't seen before? What are the gaps, what are the overlaps, what are the redundancies that we might have in place today? It highlighted opportunities that we're already putting in place. This is the way tabletops and exercises are intended to work. We discuss it. It pushes us to the brink and we find ways that we can build the way that we should be operating better. The bottom line is cross agency teams can no longer respond to massive cyber incidents to the federal government with sharing emails and phone calls and PDF files on threat intelligence. This is a different time. We have to make sure that we're postured correctly to address that call. Second, considering the efficiency and optimization focus that I know many of the speakers have spoken about, we're working with CISOs to rationalize their cyber technology stacks over time. There's been a lot of bloat across agencies, a lot of different reporting across bureaus, and it's time now to consider how do we empower the CISO role to make strategic decisions in a moment's notice, both for budget, for resources, for strategic plans, but also when disaster strikes, do we have the information at our fingertips to pull together a response plan moving forward? 
And of course, in doing so, we'll consider things like redundant insufficient capabilities, the use of modern technologies and modernized enterprise wide capabilities and shared services such as continuous diagnostics and mitigation, the program from CISA. Now, this has been a top priority for CISOs for a lot of reasons as they undertake within their own departments and agencies, modernization efforts. So we're all kind of reflecting on the way that we are postured against this threat, making good use of the opportunity that we have ahead of us. And finally, as we're kind of scanning the horizon, considering what may be coming next, the opportunities that we have because of artificial intelligence and more seamless operations. We're working with agencies to transform the way that they're doing cyber defense, enabling faster detection, predictive analysis, targeted response at machine speed. We're identifying a small set of relevant cyber use cases in AI to move this forward. As I said at the beginning, our policy can't be shaped as we're picking up the pieces. We have to be proactive, piloting what might work, test it out, see if we can scale it from one agency to the next so that we can build the roadmap moving forward. This is a continuous, adaptive approach as we work. Recently, the Federal CIO, Greg Barbaccia, has overseen some really positive progress in doing a federal AI sprint on more general technologies across the government. We're now turning our attention to cyber specific use cases to ensure that we are ready for the threat. We are poised and postured to move forward confidently into the future. Now, leading agencies, I know many of them I saw on the agenda. Leading agencies in the federal government are already doing this. They're tailoring highly customized threat detections, response capabilities. Others are demonstrating AI tools already and working with many of you in this room, I'm sure. But adversaries don't stop at agency boundaries. 
Those are artificial. We know that it's not good enough for a few really advanced federal cyber teams across government. We need to work cohesively as a unified front, ensuring that we are raising all capability and posture across agencies because we know that's how adversaries view the federal government. It isn't individual agencies. And we'll stop once we get to the end of this network. Now, across all these efforts, our model, our intent is to partner, to pilot, to scale and institutionalize as appropriate in policy and in practice. As I said at the beginning, this isn't about just finding a way to fix an old policy or to fast track a new way that we're looking at emerging technology. This is intended to inform the way that we develop policy, consider our roadmaps, build strategy, and adapt to the environment that we are currently in. I think it goes without saying that this is a defining moment for the federal government. I don't think it's enough for federal agencies to be a few years behind what the state of the art or leading private sector entities are doing. I think we need to be there at the front of that line, in fact, sharing those use cases, those lessons learned, those insights as we lead the way in certain areas and drive progress on behalf of the American people as we protect our digital assets. We're eager to demonstrate how the federal government can do this over the next year and be on the leading edge of what modern cyber defense will look like for the era ahead of us. So with that, thank you very much. It's great to see all of you and I'm happy to talk with you after the session. Thank you.
B
Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy brought to you by CyberScoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co-workers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cybersecurity. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com. Thanks for listening. Check us out next week.
Date: March 12, 2026
Host: Greg Otto (Cyberscoop)
Guests: Tim Starks (Cyberscoop) & Mike Duffy (Federal CISO)
This episode of Safe Mode Podcast dissects the newly released cybersecurity strategy by the Trump administration. Host Greg Otto and senior reporter Tim Starks break down the content, contradictions, and future implications of the administration's plan, especially its six core pillars and focus areas such as software liability, state-level responsibilities, and workforce challenges. The episode also features an address by Federal Chief Information Security Officer Mike Duffy, who outlines real-world priorities and the operational reality of securing federal systems in the age of AI.
"You set up a goal that you kneecapped yourself with over the first year of your administration."
— Greg Otto [03:15], on workforce contradictions
"If you lose expert personnel, it's not like you can just suddenly hire another cyber expert, like, okay, bring in some more cyber people. It's not that easy."
— Tim Starks [06:36]
"Pilot programs... focus on critical infrastructure within a certain state. He mentioned beef in South Dakota... water in Texas."
— Tim Starks [07:59]
"It's a fundamentally confrontational thing to say, hey, you software companies, we're going to make you so that you are responsible for this in some way, shape or form."
— Tim Starks [11:29]
"We can't wait for the next crisis to inspire our action."
— Mike Duffy [17:55]
"Federal agencies... need to be there at the front of that line, in fact, sharing those use cases, those lessons learned, those insights as we lead the way in certain areas."
— Mike Duffy [26:20]
This episode offers an essential primer on Trump’s new cybersecurity plan: its high-level ambitions, its internal contradictions, and the combination of political, practical, and technical forces shaping what comes next. Both the journalistic and federal implementation perspectives underscore the complexity and urgency of cybersecurity in 2026—especially given the challenges posed by a rapidly evolving threat landscape and the integration of AI across government operations.