Welcome to the Get Podcast for Enterprise Leaders, delivering timely insights for today's global economy and tomorrow's competitive advantage. I'm your host, Chris Kane, President of the Center for Global Enterprise. And today we will be discussing the pluses and minuses of President Biden's recently released National Cybersecurity Strategy, with Sam Palmisano, Chairman of the Center for Global Enterprise and former Vice Chair of President Obama's Commission on Enhancing National Cybersecurity, and Karen Evans, Managing Director of the Cyber Readiness Institute and former CIO of the U.S. Department of Homeland Security, as well as a number of other cybersecurity leadership roles in the U.S. government. Sam and Karen, thank you for being with us today. In March, President Biden released his administration's new National Cybersecurity Strategy. This followed a number of executive orders and other actions that he has taken, and other governments have taken around the world. It is the latest in a series of movements in the regulatory and legal responsibilities for companies to take proactive steps to defend against cybersecurity incidents. While the Biden plan may be the most ambitious we've seen thus far, other governments are also advancing new regulatory requirements. For example, the EU has proposed new regulations that would require any device connected to the Internet to have security features built in. So after years of relying mostly on voluntary efforts to encourage companies to shore up their cyber defenses, these government and regulatory developments seem to be examples of how regulators are deploying new tools and incentives to mitigate cybersecurity risks. Should the Biden plan become policy, companies can expect to face new regulations, and perhaps lawsuits, if they fail to make secure products or do not enact basic cybersecurity measures.
It seems that business leaders must prepare themselves now to operate in a global economic environment with increased cybersecurity requirements and liability. So Karen, perhaps we can start with you. What are the pluses and minuses of the president's plan if the goal is to get companies to implement new cybersecurity capabilities and to increase their state of cyber readiness?

I think what the Biden plan outlines is a real change in the paradigm. There's a lot of things, as you said in your opening comments, Chris, that we've been trying for, gosh, in my career, over 20 years. And so, like, what's old is new again, but it is trying to shift some of the responsibility away from the specific consumer on to product developers, so that they're more responsible in the ecosystem as they go forward.

Sam, your thoughts on pluses and minuses from the president's new strategy?

Yeah, I would agree with Karen, Chris. I mean, back to the Obama Commission, one of the things we talked about heavily was designing security in from day one versus making it an afterthought. And of course, the debate is that it slows down innovation and therefore costs more if you do it this way. And we argued, though, not necessarily, not if you design from day one. So, to her point, put more onus or emphasis on the products themselves in the future and then therefore have a stick, I guess, in a way, because if you don't comply with the regulations that the government potentially could impose, as you know, they haven't yet. This is just the strategy paper at this point in time. But then there would be financial risk associated with lack of compliance.

So the plan has five pillars to it. And the third pillar really is what I think I'd like to focus on today, because it probably is of most interest to our business leaders in the audience. And it's about shaping market forces to drive security and resilience.
And Sam, to your point, one of the fundamental elements of pillar number three is shifting liability for software products and services to promote secure development practices. It's an interesting model, i.e. a stick model, perhaps; you could argue it's probably both a carrot and a stick, to get market forces to act in a different way. Karen, I wanted to ask you something about the CRI and its mission and how it relates to this pillar number three. Part of the plan that the president has proposed embodies the following statement: "Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities. Yet these actors' choices can have significant impact on our national cybersecurity." And this is the quote that I find most intriguing and especially relevant to the Cyber Readiness Institute's mission and approach: "Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens." Do you agree with that statement?

Well, I do agree with the statement, and I'm glad you asked me about that, because when the strategy came out, I actually wrote a blog post about it, because I would be excited if we did shift the paradigm so that some of the software developers, and as Sam said, that we shift some of the responsibilities away. So I would be happy if CRI's core four became the core three, which deals with one of our core four issues: automatic updates, because this is part of what a small business has to do. They don't necessarily understand all the updates that come out from software vendors, but we do tell them, hey, you need to apply them. In this particular case, if it's really done from the beginning, the thought would be that these automatic updates would actually cut back, so that you wouldn't need to do it every week.
There are certain vendors that we all know release patches every week because of what they're doing. They don't have the resources to be able to test the impact of what these patches are going to be. So we err on the side of saying, hey, you should do the automatic updates. I would be happy if I had to come up with a new fourth area, or we cut down to three areas and have them focused on those three areas that they can do, which is related to the human behavior, because there's enough things that are happening around email, and trying to use phishing emails to exploit and do a whole bunch of social engineering, that if we could just be focused on that, that would help unto itself if the rest of industry does their part.

So Sam, when you were Vice Chair of President Obama's Cybersecurity Commission, there was a large focus on the federal government and what the federal government could do to protect itself and build resilience, but you also had a focus on business and especially small and medium businesses. In this context, from what you've learned through the Obama Commission and what you see in the President's new national cybersecurity plan, what are some of the lessons learned coming out of the Obama experience that could help make the Biden Administration's initiative here achieve greater results? Or what are some of the areas that concern you about gaps in execution?

Well, Chris, a couple of different things. First of all, I think we need to simplify what we can expect. Let's start with the small business we're caring was we can, and she mentioned a lot of the expectations from those organizations, because they are most vulnerable and they have no resources to really implement complex solutions. So in many, many ways, we need to take the lens, I'd say, of the smallest, most vulnerable in the technology areas of these companies and then work to the bigger companies.
The bigger companies have the resources and the expertise and the money, and they'll do the best that they can do, in my opinion. However, it's the other area that we need to focus on. That's why we created CRI, and Karen is running that for us. But that was the whole point of that. The other thing is I really do believe that you need a combination of marketplace incentives as well as government oversight and regulation. Both are required, by the way, so I'm not demeaning this approach, which is leaning more towards the government approach, through inspection or procurement and those sorts of things, versus the other. But we always believed in the Obama commission that if you had a way to be that there was a positive gain to invest in cyber, i.e. insurance as a mechanism so you could get insured, and therefore cover some of your risk and your liability, that would help drive adoption faster than strictly the government regulatory mechanism to get the necessary investment made to prevent these going into the future.

So one of the things that's in pillar three of the president's plan touches exactly on the cyber insurance area, Sam, and I'd like to ask both you and Karen about your thoughts about, one, the concept that the administration is proposing here, which is to create a federal cyber insurance backstop, in their words, and it goes on to articulate the fact that the administration will assess the need for and possible structures of a federal insurance response to catastrophic cyber events that would support the existing cyber insurance market. In developing this assessment, the administration will seek input and counsel with Congress, state regulators and industry stakeholders. Karen, maybe we could start with you, from the work of the CRI.
What is your assessment of where the cyber insurance marketplace is today, and will an initiative like this from the federal government accelerate the development and the robustness of the cyber insurance marketplace, or will it return?

Well, the cyber insurance market, cyber insurance itself, is really evolving. If you really take a look at this, some of the bigger insurance companies are starting to back away from some of this. This is why the administration has this in there, because if you can attribute, or do attribution for, an attack to a nation state, then the insurance companies are saying, hey, we shouldn't have to pay for that, that the federal government should actually help defend, as Sam was saying, the most vulnerable. And a lot of times the most vulnerable, they're in a supply chain, or they're somewhere in the distribution or the ecosystem for larger companies, which then becomes the opening into those larger companies. So everybody is really interconnected. I think as this moves forward, and I know Congress is looking at it, there's a couple of ways to look at this problem. They're looking at legislation in order to be able to incentivize it, to be able to put some tools in place. I personally think it should be part, this is Karen Evans, this is part of the work that we're doing in CRI, that it should be part of the business insurance. I'm a small business myself. And so it should be part of business insurance, and maybe this whole evolution of cyber insurance, because companies see that gap and they're going into it, is actually going to cause even more confusion for small and mid-sized businesses thinking that, okay, my business insurance, I use technology in my business and my business insurance should cover this. How much should it cover? And I think that that's part of what Sam is talking about too, because no business doesn't use technology today. It's the way that you use the technology and how you go forward.
And this is why CRI, again, you know, I really love the mission space, is to be able to help small and mid-sized businesses really understand what some of these business issues are. But as we've been talking all along here, it becomes a choice of where are they going to apply their resources. And to get an additional insurance policy, when you don't really understand the landscape overall, you're going to opt to the side of accepting the risk, because you don't understand it and you're going to think it's covered by your business insurance.

Sam, thoughts about the insurance marketplace? It seems like it has been slow to develop in the cyberspace, but on the other hand, Karen's point about, well, maybe it shouldn't be a category in and of itself. Maybe it ought to be a category, a subcategory, of business insurance generally.

I actually think it's a pretty good suggestion that Karen brought up, because the problem is if you have a unique policy, then you have to come up with the guidelines or risk factors associated with the unique policy and then, therefore, I'd say the mechanisms to audit whether the company has put those mechanisms in place. If you make it part of your standard risk practices from a company perspective, you should view this as just another element of risk that you'd have in your business, and therefore that should be covered as well. Now, there's a lot of hesitancy, and I do understand that as far as the insurance companies are concerned, because they don't have the mechanisms to actually assess risk and damages. In property insurance, Chris, it's easy to assess damage. Your house got knocked down by a storm or a hurricane or what have you. If your brand is damaged because you've lost some data, how do you assess that damage? Although we would all say subjectively, yes, of course your brand is damaged because you can't be trusted, but how do you financially quantify that?
That's part of the challenge, I think, to defend the insurance industry, that they have: how do they actually put together a policy that assesses risk and can therefore cover the associated damages if an event occurs?

Do either of you see movement on the ability for the insurance industry to figure out the model that makes assessing risk more immediate and more practical? Karen, have you seen any movement?

I think that there is movement with some of the companies that are actually moving forward trying to do the assessment of risk. There are certain companies like RiskRecon, like BitSight, there's three or four others of them, that if you use that in conjunction with some other services, you can get a more holistic approach of how people see them. There are a lot of companies that are also emerging as it relates to supply chain because, as Sam said, it's one of many risks that you have to look at with your trading partner. The other point that I wanted to bring up, which is in that national strategy that you read, Chris, is that people are hesitant to establish some kind of backstop in this particular area because it's like, oh, are we going to end up incentivizing the wrong behavior? Are we going to say, okay, if cyber insurance develops as a separate instrument unto itself, okay, well, I'm not going to buy, because if there's a catastrophic issue and it's related to a nation state and I haven't really done my part, but I'm part of that overall landscape, well, then I can tap into this pool and so I don't have to invest my own resources. This is part of that balance that I think Sam was talking about: how do you really go forward and construct it in a way? And we've done it. There are other models that we can look at more in depth. For example, and I think they talk about this a little bit, but I know we've all talked about in the past when we're looking at this, is flood insurance.
And a regular insurance company isn't going to insure you if you live in a floodplain, but we want to develop flood paying so the government becomes a backstop if you're living in a floodplain. And so that one's pretty easy. But as Sam points out, it's really hard in an automated technology area about assessing the risk and what is the damage.

Sam, any movement that you're sensing? And I guess the question I'd add on for you is, is there a role for technology here? Are you seeing technologies come forward that will help the insurance industry automate the risk assessment?

Yeah, because a couple of different things. Well, one of the things that we recommended in the Obama commission has actually been implemented, which, you might argue, is much to our surprise given there are two different administrations after President Obama. But fundamentally, a lot has been done and a lot of progress has been made. Insurance has been the slowest, in my opinion. And we've worked, we've met with a bunch of different companies myself; folks from Homeland Security and CISA met with a bunch of the leaders of those companies and the like. And yes, it is a difficult problem, but I also think at the end of the day, there's an economic consideration going on, although no one ever admits that. And they just can't see the economic value of having this type of unique plan. And maybe if it's embedded in their normal business insurance practices, there would be economic value as far as their charging mechanisms; that's my point when I say economic value. Now, I mean, I'm cynical, so I'm assuming there must be something, because you would imagine some of the big insurance companies perhaps would have done something significant by now, and they really haven't, in my observation.
So the other thought that I have, which is create a competitor, which always works, somebody they have to chase, and maybe, like in the early days of credit, it's established in the Commerce Department or Treasury or someplace like that. And it's a temporary mechanism where all of a sudden there's an alternative to them, and then perhaps they will respond, because competition, that's the marketplace. I find that a lot of these large institutions don't move quickly when it's just government pushing them to do so.

Karen and Sam, thank you for your insights today. And to our listeners, because this is such an important and extensive topic, we have broken this episode up into two parts. We hope you will continue to listen to part two and give us your feedback. You've been listening to The Get, sponsored by the Center for Global Enterprise, celebrating 10 years of convening global enterprise leaders around the most important business transformation issues.