
Cybersecurity Policy Equity for Rural and Underserved Communities

Rubrik
03/12/2026

Transcript


who operate most of our critical infrastructure before they need it. In the same way that we don't wait to start preparing for natural disasters until after the natural disaster happens, we have to do the same thing with cybersecurity. Hi, and welcome to another episode of Data Security Decoded by Rubrik Zero Labs. My name is Travis Rosiek, and I will be your guest host for today's episode. In this episode, I had the pleasure of sitting down with Nicole Tisdale, a distinguished national security and policy expert with an impressive 15-year government experience serving in the National Security Council in the White House and many years on the Hill supporting various House Committees on Homeland Security. Nicole has been instrumental in shaping some of the cybersecurity, counterintelligence and counterterrorism policies. She's a founder of Advocacy Blueprints, and she continues to educate folks interested in government policy at American University serving as an adjunct professor. I had a wonderful time speaking with Nicole about the evolving landscape of cyber policy and national security and what can be done to help improve policy across underserved communities in rural areas. With that said, let's jump right in and get started. Hi, I'm joined today by, with Nicole Tisdale for today's podcast. Hi, Nicole, it's great to have you today. Hey, Travis, it's so good to be here. I'm excited to talk with you today. So you have a very interesting, diverse background, lots of different experiences, always fascinated with folks in technical policy and kind of what their journey was like to get to that point in some of your contributions. So maybe starting with that, would love to hear a little bit about your background. I know you're from a huge city in Mississippi called Nettleton, and that's close to another city that I'm afraid to mispronounce. So I'll let you do the honors there. Sure, I am from the no traffic light town of 2000 people called Nettleton, Mississippi. 
It's right outside of Tupelo, Mississippi, which is the birthplace of Elvis Presley. And that is what it's most famously known for. But I, in terms of how I got into national security, I went to the University of Mississippi known as Ole Miss where I was a political science major. I also went to the University of Mississippi for law school. And I was very intentional about focusing on political science, public policy, and all of my educational pursuits and internships were really, I was really clear that I wanted to work on public policy because I wanted to be able to scale solutions for the most people, especially the most vulnerable populations quickly. And for me, the easiest way to do that was through public policy. No, very fascinating. Yeah, I think, what people don't see as policy is really what drives why things are the way they are. So having that, getting to the root cause and trying to have systemic changes and impact 100% is where the policy impact is. So just while we're talking a little bit about Mississippi, obviously my home state, very rural like yours, if you look at the rankings of different states, we both come from very disadvantaged, underserved communities. So, kind of wanted to talk to you a little bit, get your thoughts around some of the motivations you have with your career aspirations and where you wanna have impact coming from a place where people are underserved, education, income, poverty gaps, things like that. So maybe if you could touch a little bit about your thoughts and passions in helping people from those areas. Sure, well, I tell people, I grew up with a little bit of a chip on my shoulder being from the South and being from a rural community. It always felt like we were being stereotyped. And when you add to that, I'm also a black woman. I am from many marginalized groups. I grew up under the poverty line. A lot of people in my town, actually about 35, 40% of the people in my town also are under the poverty line. 
And the chip came from a place of people were making policies without having us in mind, but the policies were impacting us. So think about kind of the people in the room, the room where it happens, are doing things based off of their experiences, what they think will work, but they don't have people with diverse backgrounds who are sitting at their table and say, that is gonna work in New York City, that is not gonna work in Tupelo, Mississippi. And so it always felt like we were on the back end trying to play catch up. And so I wanted to be really intentional about going into those spaces and not only acknowledging my background, but using it as a tool to make better public policy. And what that looked like when I was on Capitol Hill, but also when I worked at the White House is, very tangible to the work that we do here. If we're talking about how we respond to cyber attacks, how quickly can the government help with the recovery process? And what that means for a lot of rural or low income communities is putting money up front. So it's not enough to just put out a response toolkit or a playbook and say, here's what you do after you have a cyber incident. What resources are you actually giving people to follow the playbook? So I know you all do a lot of work on data recovery and kind of what happens after the point of impact. Good public policy understands that even if the technical operations are the same, after the point of impact, communities are gonna respond differently based on the resources that they already had in place. And then the resources that they can mobilize quickly. So what that looks like in a very tangible time is, a lot of the times the public policy around cyber security, defenses and protections is centered around reimbursements. So governments get reimbursement or state and locals get reimbursement after they make the investment. That works in San Francisco. That may even work in Austin, Texas. 
It doesn't work in places like Mississippi and West Virginia, because a lot of these states don't have the money to put up front. So good public policy understands that reimbursements may work for some communities, but it's gonna disadvantage others. And so how do we get grants so that they can get the money out the door quickly? Do we also give them low interest loans so that they can procure services like the ones that you all offer with the understanding of, you have to help people get to an equal playing field in terms of their preparation, also their recovery and their response. No, great insights. I think to some of those challenges, kind of the ivory palace perspective, very similar to some of my experiences supporting the DOD, right? And in the headquarters building, the head shed and creating policy and giving orders and directions down to folks in tactical environments that have a different reality and they're trying to adapt and react and kind of having that disconnect. So from, I guess my own personal life, kind of living through some of the things you were talking about, I always made time to get in the field and meet with the folks and understand the mission. Kind of have that empathy for what people live day to day and then kind of take that back as a feedback loop. And I'm sure that echoes a lot of what your career has been like as well. Oh, exactly. Especially on Capitol Hill, I worked in Congress for 10 years and a lot of the times we were doing what I call defensive policy and very few opportunities to do offensive policy. And I'll explain what the difference is. Defensive policy is what you do after boom. So something has happened and we need a policy that is in response to whatever happened. That is defensive policy. Offensive policy is us proactively saying, here is a problem and we want to address it before it happens. These are our priorities. This is what we're gonna work on. 
Because cybersecurity policy is still seen as kind of niche and I say that knowing a lot of cybersecurity policy folks are listening to this and I compare it to maritime security. I started when I first started on Capitol Hill, I worked on maritime security policy. Maritime policy is older than our country. And when you compare that to cybersecurity policy at the highest levels of estimating how old it is, it may be 60 years old. And so we as a community in the cyber community, we've not had a lot of opportunities to do offensive policy because so much of the things that we are responding to are first impression for policymakers and lawmakers, but also something has happened like there's a Colonial Pipeline ransomware attack. There is the JBS meat processing plant attack. For the general public, that was the first time that most people outside of the cyber world even heard of ransomware. But the same thing happened with our policymakers and lawmakers. You have a lot of policymakers and lawmakers who knew a lot about the energy sector and that is their focus, but they had not been thinking about how ransomware attacks could impact the energy sector and our global supply chain. Same thing with the JBS meat processing plant. We have a huge community of agricultural specialists in public policy. But when you start talking to them about how ransomware impacts the agriculture community, there was a deficit there. And so what I was able to do when Colonial Pipeline and JBS happened, I was the director of legislative affairs on the National Security Council. We had been talking with Congress since I was in Congress about the need to require organizations to tell the government when they have a cyber attack. But we were trying to do that from a place of offensive policy. We had a window open after those cyber attacks in 2021 that allowed us to say, okay, we tried this as offensive policy. It didn't work. This window of opportunity is here. 
Let's talk about the defensive posture that we need to be in, which is we need to, at a minimum, know when these attacks are happening. We need to understand that in the midst of an attack, especially within the first 48 hours, you may not know very much information, but we want you to tell us what you do know so that we can start to connect the dots because we knew that a lot of these organizations are tied together. It's the same folks working over and over. They're using the same techniques. And the idea is if we could figure out what happened in this attack based off of reporting, we can ensure protections for other organizations and we can warn them that this is happening. That, to me, is an example of really being, taking a window of opportunity that had not been open and being really clear. We don't always have cyber attacks on the front page of USA Today and the New York Times, and that window is going to close. I try to be as specific with people as possible. And I used to work on counterterrorism, so I know how the attention span works for the American public in terms of national security events. You really have about two to three weeks of investigative reporting from reporters, broadcast news, talking about it, it being a topic that is what we call a kitchen table topic. And in that two to three weeks, you have to be able to move policy, not just through the U.S. House and not just through the U.S. Senate, but also get the interagency and get the executive branch to also focus on it, come to an agreement and say, here are our priorities, and this is what we're going to do. It doesn't mean you have three weeks to make it law, but you have about three weeks to get it on the top of the priority list so that the next cycle of lawmaking, whatever the policy provision you need is included. All right, very insightful. I like how you categorize the defensive policy and offensive policy. 
So kind of my soapbox, talking about cyber and cybersecurity specifically is, in general, government and organizations are reactive. So my word for when you say defensive policy is it's reactive. So it waits for something bad to happen, and then we go figure out how to prevent that from happening again. Whereas your offensive policy is what I term proactive cybersecurity. Let's figure out fundamentally what are things that we can put in place in anticipation for what's going to happen next so we're not always playing whack-a-mole. Yeah, and a good one of the things that we use in the public policy space is model legislation and model programming. And so when you talk about that, I tell people I think cybersecurity is at a point now in terms of moving beyond just defensive policy and reactive policy. I like that word as well. It's similar to what we see in natural disasters. So natural disasters, as you know from your background, it is prepare, respond, and recovery. And so being really clear that cyber policy also needs to be about preparing, responding when something happens, and then what does recovery look like? And so if the cyber incident reporting is about preparing and responding, I would say what we were also able to do when I was on the National Security Council was work with Congress to pass is work with the Cybersecurity Grant Program, which is where we gave, we worked with Congress to appropriate a billion dollars for state and locals to make investments into their cybersecurity defenses. 
Now, a billion dollars sounds like a lot of money, but I tell people, once you divide a billion dollars by 50 states, all of our territories, our counties, and our cities, it really didn't actually end up being that much money, but that program was really important because we set the infrastructure in place, that we set the infrastructure in place, and we also got a little bit of muscle memory going that we have to provide funding to our state and locals who operate most of our critical infrastructure before they need it, in the same way that we don't wait to start preparing for natural disasters until after the natural disaster happens. We have to do the same thing with cybersecurity. And I'm hopeful that that program, now that we have the infrastructure in place, we know that FEMA can give out the funds, we know that CISA can go through the applications and make sure the technical requirements are there. The goal is to go back to Congress and make sure that we can get some type of stabilized funding through that mechanism. And so that was an example of offensive policy that may not look like what a lot of people want, right? Like we heard from people, a billion dollars sounds like a lot, but it's not gonna be enough. And one of the things as the kind of the chief advocate for cybersecurity on the National Security Council was to explain to industry, explain to Congress, but also explain to the interagency that this isn't a one-time deal. Like we're not, what is important is to set up infrastructure so that we can continue to get funding set into this. And I like that grant program because one of the things I think we see and we can compare to counterterrorism grants, counterterrorism grants are based off of where threat actors are targeting and who has the highest threat level. The way we set up the cybersecurity grant program, the cities in the States like a New York City or a San Francisco may not always be the areas that get the most money. 
And there's an idea in cybersecurity policy that some of the investments that we are going to make are going to allow some of these cities and States to really get their footing together and to make an investment so that they may not need the same amount of money over time. And for me, I think that's really, that's a positive attribute that we're seeing on the offensive side is you can make investments in West Virginia and in Mississippi, and those are gonna help with their defenses long-term. And so you can also make investments in Montana. You can also make investments in Wyoming and you need to do that because we can see from our threat reporting, we know that the People's Republic of China is already pre-positioning on a lot of our water critical infrastructure. I would say it's not, it is just as important to make sure that the water infrastructure is protected in Mississippi and West Virginia as it is in New York and in California. Because when you think about what the goal of those kinds of attacks are, so attacks on our critical infrastructure, especially our public service and our vital systems, the purpose of those attacks isn't always to extract money, right? Like a ransomware attack may not be targeting a rural infrastructure water plant because they want the money. They may be targeting them because they want the chaos to ensue, right? And everything that comes from attacking a global supply chain and taking it back to a larger conversation of, well, is democracy serving you? Because this kind of thing would not happen in China. Or showing that we can penetrate these systems at a rural level. So imagine what we can do at a city level. Being really clear that we have to protect the smaller parts of our critical infrastructure, as well as the larger urban areas, because these attacks are not going to just focus on the urban areas. The rural communities are just as much of a disadvantage and can be targeted just as much. Yeah, absolutely. 
And I think looking at from a cyber threat perspective, they're very opportunistic. And I think to your point, a lot of people don't fully understand that it really is a person on the other side and they're very well resourced, calculated and working with foreign adversaries. So they're basically testing, right? So they're kind of testing with commercial companies, state, local governments, K to 12. So there is no immune organization in the country, right? So there's different ways to impact people. We've seen examples that you mentioned about impacting just daily, everyday citizens in the US and their quality of life. We're seeing rapid expansion and ransomware attacks on hospitals. And I mean, as you probably are very familiar with the challenge of the rural medical system and the struggles there. And kind of brings me back to some of the grant work. And I love the offensive or proactive policy, getting grants and helping build some of that foundation because we're only as strong as our weakest link. And as you mentioned, the underserved, the critical infrastructure, where the person has the job to do cybersecurity because they can type or they understand technology. So they have 10 jobs that they have to do, not because they have significant training in cybersecurity. So what brought me into government was an effort about 20 years ago, 20 plus years ago, where the Pentagon said, we need to get more folks in cybersecurity. So the NSA certified schools, centers of academic excellence across the country. So Mississippi State and where I went, West Virginia University were two of the first 10 in the country. So I have a lot of friends from Mississippi State. It's not Ole Miss, but it's not too far from your hometown. But yeah, I mean, just strong relationships. The students from there made tremendous impacts. 
But I think getting into that education, making people knowledgeable, aware, not just for national security perspective, but going back to, they're good paying jobs. That's good for the community economic development to creating opportunities. So maybe I wanted to chat with you a little bit about the role, two things. One is, these communities have to have investments for economic growth. I think the longer they wait to educate and get more students in the K to 12 system in colleges into STEM and STEAM careers, if they don't start now or accelerate those efforts, they're really gonna be at a disadvantage as well. I agree. And look, I'm pretty hardcore about my support of the University of Mississippi, but I will say, I love Mississippi State too. I was actually just there this past week talking to students. I think to your point, one of the things that kind of worries me a little bit when we talk about cyber policy is a lot of people don't wanna focus on what you just brought up, which we're about to discuss, which is the workforce. So many of the issues that we are having right now is we don't have enough people to help us. And so it shows up in different ways because I do a lot of talks like everybody else in the last two or three years about how AI is gonna impact different industries. And I tell people, I'm like, we're pretty excited about some of the advancements that AI is gonna have on the cyber workforce to kind of help us fill in some of those gaps, but also take away some of the mundane, difficult parts of cybersecurity because we wanna have people and the brain power of people focused on more complex issues. That doesn't mean that the things that AI will help us with are not important, but they can be mundane. We have a lot of burnout in our industry. And so figuring out a way to use AI so that people get to focus more on the work that requires humanized human intellect, but also is really motivating and something that they can be passionate about. 
One of the other things that I think when we talk about workforce, there's always this assumption that if you wanna work in cybersecurity, you need to move to Washington, DC and Northern Virginia, or you need to live in New York or you need to live in San Francisco. I want us to understand that we have to have folks that are working in cybersecurity everywhere. So we talk about Nettleton, Mississippi, and we talk about Tupelo, but as it turns out, it's not thousands of people who are ready to move to a town with no traffic lights or move to Tupelo, Mississippi, which has two flights a day out of their airport. Figuring out how to create a workforce with a community that already exists and lives in these communities so that they can be empowered to protect these communities is really where we're gonna have to shift our focus on workforce. And so one of the things that I worked on at the White House, but also I worked in Congress is figuring out how we can create these regional nodes and these regional opportunities so that people can protect the communities that they already live in. And that's a really good example of cyber policy still playing a little bit of catch-up because I think for so long, we've always felt like, well, if you work for NSA, you need to be in Maryland. That's not true. If you wanna work for CISA, CISA is responsible for providing technical assistance to every piece of critical infrastructure in the United States. That infrastructure exists in Nettleton, Mississippi. It exists in Tupelo, Mississippi. How do we make it easier for people to serve their communities where they are? And then exactly parallel and equal to that, these are really, really good jobs and there is stability in working in cybersecurity. And so that is going to feed into what these communities also need. They need protection and they need opportunity. One of the things of growing up in my town, we were a community that focused on furniture making. 
And after NAFTA was signed, we don't have to get into a NAFTA conversation, a lot of those jobs left and I saw how it impacted our community. We went from having a pool where we could learn how to, we could get swim lessons and you could hang out to not having a pool because as it turned out, I didn't even know until the factory closed, there was a factory that was sponsoring that pool that wasn't the city pool. And so one of the things that I'm really passionate about with the workforce is I want these communities protected, but I also want the people who live in these communities to have good economic opportunities and feel empowered. I want them to, we know that they're gonna stay there, their tax base is gonna invest in the school so that the schools can have better cybersecurity. We know that they are gonna, their tax base is gonna be for the city so that the city can have more cyber tools and hire more folks to protect the water system. All of this stuff is very, it's connected in a very real way. I just think we have to get to a place in the cyber community where you actually push for these policies and do more of this offensive policy, right? Because when we talk about the workforce, I think one of the reasons why it gets relegated down sometimes is because you do have to, you gotta be an idea person to come up with solutions for workforce. And I know a lot of folks in the cyber community have had their hands slapped by their superiors and their bosses if you're trying to do offensive policy, but I think we're at a unique time, especially at the start of a new year, at the start of a new administration, there are also policy, there are new lawmakers on Capitol Hill. There is an opportunity to say, this is how we make the turn on workforce. It looks like having more geographical options. It looks like more remote options. Like we're still a little obsessed in the federal government about everybody needs to be in a SCIF. 
Everyone needs to have a security clearance. And that's not the case. One of the things that I worked on with a think tank Aspen Digital is let's actually review these job requirements and see are these the requirements for the job or is this your wishlist for a perfect person, right? Because some of these job requirements, they have everything except requiring you to have a specific Zodiac sign. And it's like, come on, y'all. We don't need to be that specific. That is not the work that is gonna be done. And having an overly specific wishlist is gonna keep that position open. And that creates a hole in our defenses. And so being really clear, you can say what is needed for this job and then we can help you find someone. Same things with the federal government has moved toward skill-based hiring. As it turns out, we've learned over time that a lot of these educational requirements are creating barriers to entry for people to come in and do these positions. And some people have skills that are transferable and you can come in and you can do the same job without those credentials. Both of those are really good examples of like this is what we mean when we say diversifying the workforce. It is in terms of race, ethnicity, but it's also in terms of geographic location and background and social economic background. Yeah, a lot of great points. Just to add to that, I think, you know, I mean, I think both of us are examples coming from rural areas, going to the big city to do this kind of work. The result is a brain drain on, you know, the states that are underserved and it just perpetuates the problem, right? So, I think to your point, kind of all these communities need these types of jobs. You know, the flexibility, remote work helps ensure economic stability, but also from, you know, cybersecurity and other aspects. You know, trying to have an effort to kind of keep folks distributed across the country makes a lot of sense. 
Another thing you touched on, on the proactive policy side from a cyber perspective, one of the things that brought me and attracted me to Rubrik was kind of focusing on this area, which I don't think there's enough emphasis on the recovery part of cyber attacks. You know, they tend to stop on the response side, which is the thing that makes the news. And, you know, there was an incident response on this effort. We figured out what happened, but the hard work really is, well, it's all hard work, but, you know, the heavy lift that nobody ever sees is what that recovery effort looks like and how impactful that really is. Yeah, and I'm so glad that you all work on this. Even coming on this podcast today, one of the things that I try to talk about, and I wrote about this significantly in a WIRED piece that was called The Hidden Injustice of Cyberattacks. And it really, to your point, Travis, it talks about what happens after the incident response. And so one of the examples, because I know you all do a lot in terms of healthcare recovery after attacks, I don't know that people have a full understanding of how the impacts of attacks on our health system, the ripple effects, how long-term they are and how far-reaching they are. And so one of the things that I've been talking a lot with reporters is, you know, let's be careful about the language that we use when you're reporting a healthcare attack, because the language that we're using right now is no operations were impacted by the attack and all the procedures that were canceled are being rescheduled. I don't know that people have a full understanding when they say that kind of thing of how much it takes to actually get ready for a medical procedure, right? Like you have people who were already hesitant to receive care, who were already hesitant about the procedures, but for people from our communities, you know, our hospital was 30 minutes away. 
You've like set up a whole infrastructure, like a whole support infrastructure of how you're gonna get there, how you're gonna get home, who's gonna be there for your aftercare, it's not as easy as just saying, oh, well, we'll just reschedule it. People have taken off work. People are paid by the hour. There's so many things that come into this. And what I don't think folks fully understand is, you also have eroded trust. You've eroded trust between a doctor and a patient, between the medical system and the patients who need the care. And so what you all do with the recovery, I think is just as important in terms of the response of getting the systems back online, it's also how do we have a holistic approach to the patients, to the people who were impacted by this attack? And that is, you know, I feel like I'm pointing out all these areas where we are not at a policy deficit, but it just hasn't been a priority. I think this is yet another. We spend a lot of time focused on what are our adversaries doing? What tools are they using? What techniques are they using? And once we kind of figure out that, it's like, oh, problem solved. And I would say, if you figured out what the adversary is doing, how they're doing it, you've figured out 50% of the problems. You cannot just leave when the recovery has not been in place. And we would never do that, going back to the example of natural disasters. We would never say, oh, we figured out what happened. The hurricane came. This is how many homes were damaged. This is how many schools were damaged. Case closed. It's like, no, the recovery is just as much an important part of that natural disaster. Same thing with cybersecurity. The recovery is just as important part of that cyber attack or that ransomware attack. 
And so as we think about what our proactive policy is going to be, it's also making sure that these are gonna be holistic responses where people will know we will be with you to help you get ready, to help you respond. And then if something happens, help you recover. Yeah, I couldn't agree more. And then I do agree that a lot of the more, I guess, attractive policy work is around what the threat actors are doing and what they're up to on the threat intelligence side. But I kind of look at it, the ability to rapidly recover, survive an attack, recover and go back to normal as quickly as possible is kind of a form of a deterrent or cyber deterrence. And that's something that, I think Ukraine has kind of built in Russia and some of the conflict there with destructive malware trying to bring down not just the impact of the military, but the entire community and their way of life. But the ability for them to survive those and keep their way of life from a technology perspective, I think is, they've really gotten, as Rob Joyce, a former NSA cyber director said, they've gotten religion about backups in that process. And it really kind of changes the tactic. Why commit an offensive attack or do ransomware when they can survive and it doesn't really impact them anymore. So I think ultimately that's the goal that I would like to see the US and critical infrastructure to kind of get to, because I think that would really change the game from a cyber conflict perspective. Yeah. And we've seen one of the things when you work in public policy, so much of our job is like being a translator between the technical community and the policymakers and the lawmakers. And so I rely on analogies a lot. And so when we talk about putting those investments in to really kind of get people centered, I talk to people about car insurance. Like car insurance is not about you will never be in an accident. Car insurance is about how do we make sure that you recover after something happens? 
So let's do all the things. We'll have airbags. We'll have all this. We recognize things will happen. We also want the recovery to be fast. That's what good cyber policy is supposed to be as well. And I've spent a lot of time at grassroots community levels. And so I talk about the three basics of like, let's use multi-factor authentication. Let's use a password manager and let's turn on our automatic updates. And so I actually walk communities through how to do this. And every time people are like, okay, so I'm never gonna get hacked. Like I'm gonna be fine. My phone is gonna be fine. My laptop is gonna be fine. And I'm really honest with them. And I say, no, we just made it harder for it to happen. And we made it easier for you to recover if it does happen. And people appreciate that. People are like, well, thank you for being honest. I'm like, yeah. And if something happens, here's what we're gonna do. So you can get back online. You're doing those automatic updates so that we can back up your files. And the same thing happens at a larger level for these larger organizations. You can be honest with the school and say, look, the reason you're investing in Rubrik is not because we are going to confirm that you'll never have an attack. We wanna get you back online. We wanna get your data recovered as quickly as possible. And oh yeah, if it puts you in a position where someone says we have your data and you have to pay us a ransom, it is to me kind of a feature, not a bug if you're able to say, we actually are not gonna pay the ransom. Like you're not gonna be able to terrorize us with this ransom because we know we can recover even if we don't. And I know it's very political about who pays ransoms and who doesn't pay ransoms right now. But I tell people either way, you need to have a backup plan. You need to have recovery services that are already in place. 
What you don't wanna do is be in a place where you're trying to decide if you're gonna pay a ransom or if you're not gonna pay a ransom and you have no space to negotiate because you don't have the tech and the software and the hardware in place to be able to even think about saying no. Yeah, the world I live in on a daily basis, I'm trying to advocate and educate and evangelize. Yeah, I mean, it's definitely a scary proposition for the folks that are at organizations that aren't doing the proactive approach to investing and compliance doesn't keep up with the threat actors. And I think the organizations in the news, most of them are probably compliant. That's just not enough anymore. So yeah, so kind of pivoting to some of your past and areas after leaving the government, I know you're an educator at American University and teaching students that wanna get into public policy and more of a passion area, you started Advocacy Blueprints. So maybe if you could spend a little bit of time talking about, I guess what just caused that smile when I mentioned it. So some of your passion and goals with both of those. Yeah, well, one of the things when you worked in national security policy for 15 years, you realize there are some people who are really good advocates and there are other people who struggle. And I was able to see over time, most of the people who are struggling with advocacy are struggling because no one's ever actually taught them how to advocate, right? So I wrote a book called Right to Petition, which is 50 things you can ask your member of Congress to do for you that is not just creating a law. I always tell folks Schoolhouse Rock did a really great job about how a bill becomes a law, but we needed about 49 other Schoolhouse Rocks to tell you all the other things that a member of Congress can do for you. And part of the book, but also setting up Advocacy Blueprints is to give people the blueprint on how to do this. 
One of the other things that I learned when I was in policy is I actually, I knew that I was at a deficit because I wasn't actually hearing from rural communities while I was working on a policy that was gonna impact rural communities. And when you are in these places and spaces, you don't always have the, you don't have the resource of time or contacts to find the people that you need to talk to. So what, one of the things that I'm doing with my company, but also with the book is really encouraging people that your voice does matter and people do wanna hear from you. It is much easier for you to get to the Committee on Homeland Security than for me to get to every rural community owner and operator of critical infrastructure. That doesn't mean that I don't wanna hear from you. We just don't have the resources in terms of time or outreach to do that. I think, and what that looks like on the, at a higher level is one of the things that I was able to see when I went into the White House is government also really struggles with this. So it's not just the state and locals who don't really know how to participate in the advocacy process and shape policy, right? So it's not just advocating for grants. It is saying cyber incident reporting, here's what I would actually know as like the head of the cyber program for a town of 2000 people in 48 hours. And here's what I would absolutely not know, probably in two weeks. And so having that conversation and saying, okay, based off of what you would know in 48 hours, then why don't we actually say the language and the language that we were able to get into the cyber incident reporting law is known information. It's that word known is one word. It sounds very simple, but we didn't wanna put our, we didn't wanna put people in a place where they were gonna be penalized for not sharing things that they just don't know because they only have one person that is working cybersecurity, right? 
And, oh yeah, the person in that town that is in charge of cybersecurity is also in the fire department. So being really clear, we want you to tell us what you know, and then we will update the reporting as we go. I think that is a really good example of one of the things that I'm also trying to empower government actors to do, right? Because a lot of the times when you're in government and I see this firsthand over and over again, you're trying to be so responsive to something that has happened. And sometimes we create laws and regulations that are going to disproportionately impact folks that don't actually have a lobbyist, that don't have, the town doesn't have a general counsel that knows what cybersecurity is. The head of IT is literally the chief of police or is also the chief of the fire department. You can't, these words have meaning and then the consequences also have impact. And so one of the things that I've been working on when I was in government, but then also now is really talking with the cyber policy teams of, I understand the FBI and CISA needs to know when a cyber incident happens, but how do we make sure that we are helping the people who are reporting us, that we recognize these are victims of cyber attacks. So we don't penalize them and we don't make their recovery even harder because now they have a lot of reporting that the government is expecting from them. And all of that stuff takes away from recovery. We've all been in those places and spaces. And so what I've done is really created a business, a book, but also this class at American University, oh, actually teaching people how to advocate. The class at American University is cyber policy for marginalized communities, and these are students who were already in the public policy program. A lot of them were also in the cyber policy program, and really just carving out a class to say, how do you
advocate for someone who may never be in a classified space? How do you advocate for a community that doesn't even know that DOD or DHS is thinking about this policy proposal? And really, just giving them the tools, but then the empowerment that you have to do this. If you are in these spaces, and you know this, Travis, if we're in these spaces, you are responsible for all of West Virginia, I'm responsible for all of Mississippi, because we know that they're not gonna, they're not gonna be in a SCIF at the NSA, they're not gonna be in a SCIF at DHS. And giving people the tools of you, if you see a policy come out, and I really get very niche you with the students, and I also go down really at a niche level for corporations and, and small governments that are thinking about this stuff, too. You have to say, like, oh, we're, for every requirement that we give someone, are we giving them a resource so that they can do it? So if you want people, and it is law now, you want folks to tell you within 48 hours that they've had a cyber attack, and here are basic things that we want you to report, are you sending down an incident response team to help them so that they can give you this data? To me, that's what good public policy is. It's meeting of, like, the government has a need, but the government also needs to provide a service to its people. And so good cyber equity policy and, and advocacy for marginalized communities is thinking about those things and making sure that they are a part of every policy that rolls out. People have good intentions. Like, most of the time when I brought up these issues, whether it's in the Situation Room at the White House or it's at a hearing room in Congress, when I bring up these issues, I cannot think of one time where someone say, oh, we don't care about that.
What they say is, I had not thought about that. And to me, that is the difference in a policy that is going to roll out and it's gonna be holistic and helpful versus a policy that is gonna roll out and it's gonna be onerous and, and punitive to the people that it is supposed to help. Yeah, I, yeah. Perspective from everybody involved is, is crucial in a successful policy, no question. And, and to your point, I've definitely seen the, a response effort bogged down and trying to find all of the information, and, you know, in many cases that information doesn't exist. So they're kind of stuck trying to go dig more information, and ultimately, they're just delaying, you know, the overall, you know, that's kind of missing the intent. So I do like some of the things you were advocating for with the, the known information. And yeah, state, local government, some of the underserved areas are gonna definitely struggle in trying to provide the same amount of information and rigor and analysis as, you know, say a Fortune 50 company. It's just not realistic. Yeah. I know we're coming up on time. Wanted to touch on one more topic before we get into that closing question. So obviously we just recently had an election. Transition time, adversaries are opportunistic. So the last transition was when the SolarWinds attack happened. You know, I'm, you, you know, not Nostradamus, but, you know, something like that could happen again. So thinking about offensive, defensive policies or proactive, reactive cyber security, what advice do you have for government employees about to undertake, you know, a presidential transition? I know you've been on a transition team before, kind of getting things in place, getting the lay of the land and starting to work on new policies.
So any advice, recommendations you have for, you know, politicians, folks just entering, you know, Congress for the first time in any words of wisdom specifically around cyber security? Sure. Well, I will say, overall you need to have an offensive priority list and you need to have a defensive policy list. And I know it's confusing because we're in cyber security and offensive cyber and defensive cyber means I'm the totally different. But I'm talking about very specific policy. So I did serve on the Biden-Harris transition team in 2020 and I was a part of the response team for SolarWinds, but I finished the transition team and then went to the National Security Council. And I will say we were in the middle of responding to SolarWinds, and I, one of the things that you do when you are on the legislative affairs team for the National Security Council is you actually sit down with all of the groups that you work with. We call them clients. So cyber was one of my clients. You sit down with your clients and you say, what are you currently responding to from a policy level, and then tell us what you want to get done in the next four years. And different, different people have different numbers, but I gave everybody five, to the dismay of all my clients. They're like, five? We have, I'm like, you get five each. And they all wanted 20 each. I'm like, no, let's just pick our top five. One of the things that, as you're talking about a new transition in Congress, a new transition in the administration, but just also new opportunities, you have to have a list of the things that you proactively want to get done, because especially with cybersecurity, things are gonna happen. And the reason I needed to know whatever, you know, what are your five things and four, as I called them, is
because I knew we were gonna have a lot of crises that I was gonna be responding to, and what I didn't want to do is look up in six months or in a year and I've only been responding to crises, I haven't been able to prioritize the offensive things that they wanted to do, the proactive things that they want to do. And so as people are thinking about how to engage, and you should be engaging. I'm already talking to the Trump administration. I'm really clear, I know this is not a political show, but I have to say this to folks. You cannot opt out of cyber policy until and unless you, the party you support is in charge. That is not an effective way to do public policy. Public policy is still going to move. You can tailor public policy, and you should tailor it to whoever is in charge or whoever you are advocating for, but that, that's always been the case. And so what you need to do is have a list of things that you proactively want to be able to get done in front of the presidential administration or the congressional administration, and then also be a good advocate and flag for them other things that they're gonna see. We know, unfortunately, the numbers on the ransomware side of the house are not going away anytime soon. And so as you are making your list of things that you want, recognize that these policymakers, especially lawmakers, they're gonna keep hearing from their constituents. They're gonna keep having businesses attacked, they're gonna keep having health care facilities attacked, and make sure that your priorities can line up with it, because a lot of people, especially lawmakers and policymakers, they don't have the benefit of always doing proactive policy. They are absolutely responsible for that defensive policy to you. And so you can start to connect the dots. So one of the things that I'm really focused on is how do we actually get a dent in this 500,000 or 500,000 cyber openings, and how do we make it significant, and how do we make sure that it is
regional, that it is diverse in terms of social economic background as well. So when I talk about ransomware, I always talk about, and also we got to get the workforce trained in Tupelo, Mississippi. We got to figure out a way to get more contracting dollars to Mississippi so that people can do remote services until we can get someone to move to Tupelo, Mississippi. That's killing two birds with one stone, as we say in the South, but that's what really good advocates do. It's not just your list and what you want done, it is also being responsive to the things that they are going to have to defend and respond. In terms of kind of how do you do it, not shocking, I will tell people you should really start with your member of Congress. I think people get overwhelmed with the executive branch because there are so many players, there are so many people, and you can, you can go and talk to your member of Congress, and then your member of Congress can be an advocate for you. Like me, for instance. I was the head of legislative affairs for cybersecurity. That meant that every member of Congress could have what we call pick up the phone privileges, pick up the phone privileges, and call Nicole at the White House to say, there was this cyber attack that happened on a small business in my district or in my state. That's very different than maybe calling the FBI, who is getting a lot of calls from large organizations, small organizations, individuals, like people who are also having a cyber crime happen to them. Being able to have a member of Congress actually call the White House and say, who should they be talking to? Can you make sure they are talking to the right agency? And then also, what are, what should I be doing from a policy perspective to make sure this doesn't happen to my other constituents?
That's really, really powerful, and it puts you in a place where you don't have to navigate and advocate the entire executive branch by yourself. And so I always tell folks, I'm like, you should get in the game. You should not get overwhelmed. Just start with your member of Congress. Everybody has two senators and everyone has a member in the House that represents you. That's three people, three offices that you can reach out to, make sure they know what your issue is, who you are. And then if you're a part of a larger coalition, if it is a series of dry cleaners, they have been having these attacks, then you tell them it's a series of dry cleaners, and this is, this is the organization that we're all a part of, or this is how we figured it out. Advocacy is, doesn't have to be these big sweeping engagements. You really can start at a small level and build kind of the groundwork and build the network so that you can get major policy changes. And I think for listeners who are, you know, not at a Fortune 500 company, you really are, is, they are for sure gonna have to rely on their relationships in Congress in a way that some of these larger corporate, of these larger corporations who have 40 people on their cyber policy team. You don't, it may just be you, and it may be you're the head of cyber policy, but you're also the general counsel and, you know, you might also sit on the board. And so you're gonna have to figure out a way to scale your advocacy so that you can actually influence policy. Tremendous advice. I mean, I think, you know, most people don't really think that your congressional rep is there to support you and, you know, to be there for requests and, you know, advocacy requests. So I think, you know, that's a major takeaway that, you know, I haven't really thought about in a long time from that perspective. So yeah, tremendous advice and, and, and feedback. So typically, as I, thank you so much for your time today. We, we usually close out these podcasts with a, the same question for every guest.
So we have this routine of, you know, asking, looking back at your careers and as you look ahead, based on our current trajectory, you know, do you feel more optimistic or pessimistic about the future of cybersecurity and security policy? I am an eternal optimist and I feel optimistic about it. I think, for better or worse, a lot of people are learning more about cybersecurity. I wish the way people didn't learn about cyber policy was always something bad happened and now they're like, oh, what is this? I need to check in. I wish there were a better way to get more people under our tent. But I don't, I don't mind that being the case, because when they get under the tent, usually people come because they want you to help them solve their problem. What I've noticed with cyber policy is once people learn about it, whatever their introduction is, they stay in the space and they want to engage in a space. I've talked with plenty of members of Congress when I was on the Hill and when I was at the White House. They're like, oh, I don't do cyber. And I'm like, oh, let me tell you why you do do cyber. Let me tell you why you need to be a leader in cyber. And you talk to them and you say, like, you're a former educator, we got to be, we actually need people with educational background to sit in the room with the security policy folks and not just make sure everything is gonna be a bit security solution, but make sure it's gonna be something that these schools can actually implement. We need people with a healthcare background who are gonna be in the same place of saying, you know what, you, what we shouldn't do is just only penalize bad actors if they take a service offline, because this is what it means when you attack the billing service of a hospital. This is the other information that's on the billing side. So let's not just look at the OT side or the operating system side of the house. I'm optimistic because I think we are getting more technical and non-technical folks in these policymaking roles.
I want the cyber policy industry to grow. I'm working on a program with CrowdStrike and with a nonprofit called pop-ups foundation where we are unapologetically saying we are looking for students who want to focus on cyber policy, and you can have a technical background, you can have a non-technical background. We will introduce these concepts to you. We will teach you how to think about them, how to debate, and then how to create holistic policy. I think we are just kind of getting to that space, right? Like one of the things that we talk about, people now, when I tell them I work on cyber policy, people are like, how did we get this requirement for the SEC to like, for people to have to report to the SEC so quickly after they have a cyber attack? And I tell them, if you don't like it, you need to get into the cyber policy game. Because just knowing the SEC and not knowing the folks that work on cyber at the SEC is not going to be how you advocate effectively. And I think what we're starting to see is a lot of people who have been dismissive about cyber policy because they don't have a technical background and they just think we're all like crazy, over the top people who think the sky is falling are now actually coming to the table and saying, okay, I want to understand this because I don't want to always relegate the cybersecurity folks to the side or to the back of the room or only come talk to you all when something happens. And so really just starting to prioritize and understand cyber policy is going to impact your business operations, is going to impact your services to your customers, to constituents, to the public. It's not a nice to have, it's a must have. And so I'm really optimistic about it. Yeah, I'm a cynical optimist. I like that. You're like hedging your bets. Yeah. Yeah. So when, yeah, taking the big picture, I'm optimistic, but every day is kind of, you know, something frustrating happens, but yes.
No, I thoroughly enjoyed the conversation today, Nicole, and I'm sure our audience did as well. Can't thank you enough for the insights. And yeah, I mean, I think, you know, folks that focus in cyber and cybersecurity on the technical side, don't fully appreciate the policy aspects and vice versa. So I think kind of, you know, merging those groups together, you know, I mean, too much focus on one area or the other, things aren't going to get fixed. So much like, you know, understanding, empathizing with other folks with different backgrounds, you know, kind of what your theme for the whole conversation was today, very much in this realm as well. So thank you again. Of course. And thank you so much for having me. I really enjoyed our discussion. And I also appreciate you sharing your platform so that we could talk about these issues.

TL;DR

  • Traditional reimbursement-based cybersecurity funding disadvantages rural and low-income communities that lack upfront capital, requiring a shift toward grants and proactive investment models similar to natural disaster preparedness.
  • Cybersecurity workforce development should focus on creating regional nodes that allow people to protect their own communities rather than concentrating talent in major metropolitan areas, which causes brain drain from underserved states.
  • The ripple effects of cyberattacks on healthcare systems in rural areas are particularly severe, as patients may need to travel long distances to alternative facilities during recovery periods that can last months.
  • Effective cyber policy advocacy starts with engaging your congressional representatives—everyone has two senators and one House member who can escalate issues directly to federal agencies.
  • Skill-based hiring and reduced credential requirements can help address the 500,000 open cybersecurity positions while diversifying the workforce geographically and socioeconomically.
  • Cyber policy engagement should not be optional based on political party—advocates must work with whoever is in power while maintaining clear proactive priorities alongside defensive responses.

This episode of Rubrik's Data Security Decoded podcast features an in-depth conversation between Travis Rosiek, Rubrik's Public Sector CTO, and Nicole Tisdale, a distinguished national security policy expert who served as Director of Legislative Affairs for the National Security Council at the White House. Nicole shares her remarkable journey from the small town of Nettleton, Mississippi—a community of 2,000 people with no traffic light—to shaping some of the nation's most significant cybersecurity policies, including the $1 billion cybersecurity grant program and the first federal cyber incident reporting law. The discussion centers on a critical but often overlooked aspect of cybersecurity: the policy gaps that leave rural and underserved communities vulnerable to cyber threats. Nicole explains how traditional reimbursement-based funding models work well for wealthy municipalities like San Francisco but fail communities in states like Mississippi and West Virginia that lack upfront capital. She advocates for proactive policy approaches including grants and low-interest loans that provide resources before incidents occur, drawing parallels to natural disaster preparedness. A significant portion of the conversation addresses workforce development challenges. Nicole argues that the cybersecurity industry's concentration in major metropolitan areas creates a brain drain from rural states, perpetuating economic disadvantage while leaving local critical infrastructure unprotected. She proposes regional workforce nodes that would allow people to protect their own communities while building economic stability, noting that CISA's mission to protect all critical infrastructure means that infrastructure in Tupelo, Mississippi deserves the same protection as assets in major cities. The episode also explores the ripple effects of cyberattacks on healthcare systems in underserved areas, where patients may need to travel significant distances to alternative facilities. 
Nicole emphasizes that recovery—not just incident response—deserves more attention in policy discussions. She concludes with practical advocacy advice, encouraging listeners to engage with their congressional representatives as an effective entry point for influencing cyber policy, regardless of which political party holds power.

Chapters

0:00 - Introduction and Opening
1:30 - Nicole's Background and Journey
3:33 - Advocacy for Underserved Communities
5:36 - Policy Impact on Rural Areas
6:36 - Funding Models and Their Limitations
24:49 - Regional Workforce Development
26:10 - Economic Stability and Community Protection
28:21 - Job Requirements and Barriers to Entry
30:05 - Healthcare Cyberattack Impacts
49:53 - Effective Policy Advocacy Strategies
55:59 - Optimism About Cybersecurity's Future

Key Quotes

0:00 "We have to provide funding to our state and locals who operate most of our critical infrastructure before they need it. In the same way that we don't wait to start preparing for natural disasters until after the natural disaster happens, we have to do the same thing with cybersecurity."
4:46 "People were making policies without having us in mind, but the policies were impacting us."
6:53 "That works in San Francisco. That may even work in Austin, Texas. It doesn't work in places like Mississippi and West Virginia, because a lot of these states don't have the money to put up front."
25:41 "That infrastructure exists in Nettleton, Mississippi. It exists in Tupelo, Mississippi. How do we make it easier for people to serve their communities where they are? ..."
28:28 "Some of these job requirements, they have everything except requiring you to have a specific Zodiac sign. And it's like, come on, y'all. We don't need to be that specific."
50:31 "You cannot opt out of cyber policy until and unless the party you support is in charge. That is not an effective way to do public policy."