Redefining CyberSecurity

Cyber Governance Alliance and the Effort to Fight for CISO Liability Protections | A Conversation with Emily Coyle, Dr. Amit Elazari, and Andrew Goldstein | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this episode of Redefining CyberSecurity Podcast, host Sean Martin is joined by industry luminaries Emily Coyle, Andrew Goldstein and Dr. Amit Elazari to discuss the chilling implications of the SEC's decision to charge SolarWinds' CISO in the aftermath of a cyber attack. They shed light on the Cyber Governance Alliance's initiatives, legal perspectives, policy ambiguities and contradictions, and offer a call to action for the cybersecurity community to shape future policy and governance before it is too late.

Episode Notes

Guests:

Emily Coyle, President & Founding Partner, Cyber Governance Alliance

On LinkedIn | https://www.linkedin.com/in/emily-elaine-coyle-a8243328/

Dr. Amit Elazari, Co-Founder & CEO, OpenPolicy

On LinkedIn | https://www.linkedin.com/in/amit-elazari-bar-on/

On X | https://www.twitter.com/AmitElazari

Andrew Goldstein, Chair of Global White Collar Defense and Investigations Practice, Cooley LLP [@CooleyLLP]

On LinkedIn | https://www.linkedin.com/in/andrew-d-goldstein/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

___________________________

In this episode of Redefining CyberSecurity Podcast, host Sean Martin discusses the issues surrounding the SEC's precedent-setting decision to charge the CISO of SolarWinds, Tim Brown, in the aftermath of the Sunburst cyberattack. Joining Sean are Emily Coyle, founder of the Cyber Governance Alliance, Andrew Goldstein from the law firm Cooley, and Amit Elazari from OpenPolicy.

Emily explains the work of the Cyber Governance Alliance, which aims to lobby for change by bringing cybersecurity best practices into the legal framework. The Alliance seeks to give cybersecurity professionals the protections they need to carry out their role, including limitations on liability and protection against the chilling effect of litigation.

Andrew speaks to the potential impact these arguments could have on the wider cybersecurity field. A pressing concern he highlights is the effect of the SEC's decision on aspiring cybersecurity professionals and their willingness to enter the field, potentially exacerbating an already acute shortage of practitioners.

Amit points out the contradictions between the cybersecurity best-practice standards enshrined in legislation and the SEC's decision. She issues a call to action to the cyber community to collectively support the renewed amicus brief and to further discussions with policymakers toward a balanced outcome.

The group concludes that the lawsuit sets a challenging precedent for cybersecurity professionals. They argue that aligning legal and policy frameworks with cybersecurity practice should be a priority, and encourage the community to engage policymakers in discussion, starting with commenting on and signing the next amicus brief now being drafted. Collectively they emphasize the urgency and importance of the cybersecurity community's involvement in shaping the future of cybersecurity policy and governance before it is set in stone.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

Resources

The amended amicus is due March 29th. Cooley will be hosting a webinar with Latham & Watkins (outside counsel for SolarWinds and Tim Brown) to discuss it:

Date: Monday, March 11th
Time: 4:00 - 4:30 EST
Zoom Link: https://cooley.zoom.us/j/99323354217

To learn more about signing on to the updated amicus, contact OpenPolicy (info@openpolicygroup.com) or the team at Cooley via https://forms.office.com/Pages/ResponsePage.aspx?id=vqaHcH1e6Eme5Tx__T8eZbG7QNlB75pMoakNn09c-C5UMDBDNUVRVU8yUzFKV09HNjk5MTc0V0taSS4u

To learn more about the Cyber Governance Alliance and its efforts to fight for cyber professionals in Washington, contact the team at info@cybergovernancealliance.org or check out https://cybergovernancealliance.org/

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring this show with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Episode Transcription

Cyber Governance Alliance and the Effort to Fight for CISO Liability Protections | A Conversation with Emily Coyle, Dr. Amit Elazari, and Andrew Goldstein | Redefining CyberSecurity Podcast with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Hello, everybody. You are very welcome to a new episode of Redefining Cybersecurity Podcast. I'm your host, Sean Martin, where I get to talk about all kinds of cool things, and sometimes not so cool things that happen to, uh, to those, uh, trying to defend the corporations and the society that we all live in.
 

And, uh, today I get to talk about the Cyber Governance Alliance, uh, with three folks who've been working diligently to understand where some of the risks lie for the individuals and how individuals can find better protections for themselves as they try to do the right things. And let's face it, we're all human.
 

Sometimes we make mistakes as well, and we need protection in those cases too. So I'm thrilled to have this conversation today with Emily, Amit and Andrew. Thank you all for joining me.
 

Emily Coyle: Glad to be here. Thanks for having us.  
 

Sean Martin: Yeah, this is going to be super fun. Uh, maybe uncomfortable for [00:01:00] some who are in the role of security leadership, and, uh, but hopefully there's a light at the end of the tunnel based on the chat we're going to have today.
 

Before we get into the specifics, a few words from each of you, your current role, what you're up to, and maybe a brief word on why this topic is important to you. And I'm going to start with you, Emily.  
 

Emily Coyle: Well, again, thanks for having me and Andrew and Amit and thank you for your patience. I know we had to move it a few times, but we are super thrilled to be with you. 
 

And just by way of background, you know, I listened to some of your podcasts and I, I feel like one of those kids from the old PBS show who's not like the others. Um, I am not a CISO. I'm not a cyber hacker. I have a very, very different role in this ecosystem, which is I am a lobbyist and a policy, uh, expert. 
 

I, I spend my days wandering around Capitol Hill and the White House. And, um, I spent a lot of time, um, working on corporate governance the last 20 [00:02:00] years. I was, uh, kind of raised originally in the financial services sector, and as Sarbanes-Oxley was being developed after Enron and WorldCom, working a lot on concepts around governance and risk management and enterprise risk management and the role for the board.
 

Um, I spent some time on Capitol Hill as a designee to the Financial Services Committee looking at amendments to Sarbanes-Oxley, and then ultimately ended up in house at one of the big four audit firms for over a decade, where I played many roles. I was their House lobbyist, their Senate lobbyist, their Democratic lobbyist, but I also built their cyber policy engagement program.
 

And that's really where this conversation, um, comes from, uh, which was about 11 years ago, uh, I had been asked to start engaging on cyber in a way that I had on some other legislation and started looking into it and I was like, well, there's not a single piece of legislation, and this is never going away.
 

So we can't just like, you [00:03:00] know, quickly have a few meetings and solve the problem. And we ended up building a pretty comprehensive cyber policy engagement program, um, looking at both the audit side and how do you do kind of risk management governance around cyber and cyber attestation. And then also the advisory side of the firm.
 

For those of you who are not deep in the weeds of how the audit profession is set up, run and regulated (sometimes I go down those policy rabbit holes): uh, after Enron and WorldCom collapsed, we had Sarbanes-Oxley. It established a whole set of new rules, established new rules for risk management around financial controls for publicly traded companies.
 

And it also established rules for regulation of audit companies. Um, so if you audit a public company, you can't do advisory work for them. The premise being you shouldn't be auditing your own work. So there are, there's kind of a firewall between the two sides. The channel one are the audit clients and the channel two are the advisory. 
 

And I had the great good fortune [00:04:00] of sitting over top, uh, and seeing both sides of the world and understanding what the profession was doing, um, on both sides of the world and the lessons learned. And that was really interesting, um, and an evolution because I helped that firm, uh, contribute to the Internet Security Alliance governance standards and then ultimately the NACD.
 

And we spent a lot of time briefing members of Congress on the Banking Committee, the House Financial Services Committee, and the Securities and Exchange Commission. Uh, the commissioners and others, um, around best practices. So, you know, this is something that I've been looking at from a governance standpoint for a very long time. 
 

And in this space, one of the things that became very quickly apparent to me is that, um, I think, going back to 2015, is when we started sounding the alarm bell on Capitol Hill that there weren't enough people working in the cyber profession and that gap was only going to grow. And as the future moved forward, and we became ever more interconnected, [00:05:00] that the risk and vulnerability was only going to grow and that there needed to be something done.
 

So always thinking about, you know, this workforce that is, um, it's basically you have a negative unemployment rate because there's so much need and demand and it's only growing exponentially. Then at the same time, you know, CISOs have very different, very different, uh, roles in different companies, and many, many of the largest companies can afford to pay and bring in and gobble up the talent where some of the smaller ones don't have that.
 

Um, and given that we're such an interconnected economy and so dependent on supply chains, um, that creates a lot of vulnerability, especially when you think about like mid-market vulnerability and, and supply chain vulnerability. So these are things that we've been thinking about. And as, uh, the SEC came out with this claim on, on, uh, when it was October 31st, um, naming SolarWinds for getting [00:06:00] attacked by Russia and also the CISO, I found that personally offensive, um, because I had been, not being a CISO, but I found it personally offensive and rather horrid because knowing what I know that, you know, many CISOs don't necessarily have control over their budgets, that they're subject to business decisions, that, uh, they're fighting, uh, thankless tasks.
 

They're often under-resourced, that they may not have direct connection to the board. Sometimes they report to the COO. Sometimes they report to the CEO. Sometimes they report to the CTO. Sometimes they report to the CIO. There is no governance structure. And, uh, the many times that I worked on amending Sarbanes-Oxley over the years, we did not consider, Congress was not considering this.
 

Now, certainly, after the SolarWinds and Colonial Pipeline, the Cyber Solarium Commission was stood up by Congress, and they recommended a SOX for cyber, which is governance standards. And they said, we need this. And they sent letters to policymakers [00:07:00] and some of the Cyber Solarium Commission members themselves were members of Congress and introduced legislation, but it didn't go anywhere.
 

And you know, so, um, I am ride or die legislative branch separation of powers. We have three branches of government for a reason. So when the, excuse me, when the Securities and Exchange Commission came out, which is a member of the executive branch, for those of you who are not like living in the world of Washington, D.C. every day, uh, the executive branch, uh, came out without an act of Congress and said, hey, we're going to hold this individual personally liable, uh, even though Congress has not given us direct explicit authority or guidance, and we're going to sue them and name them, um, because of what they did, even though they don't necessarily under law, have a role, um, you know, we're going to name and shame you.
 

And that to me was wrong and it was really challenging. And I know I have lots of friends on the [00:08:00] Democratic side who are a little frustrated with me because I came out very publicly, um, against a Democratic administration and said, hey, you know, I fully believe in cyber governance standards. There's absolutely a need for them.
 

But I also believe in the separation of powers. And I also believe in protecting our workforce. And I think it's wrong that you're going after one individual when Congress has not given you the authority to do that. So I penned a little op-ed on LinkedIn and started getting phone calls. And that's the long story of how we ended up here.
 

Because I brought Amit in, who is one of the most brilliant cyber regulatory experts I know. She's much deeper in the weeds than I am. And she used to run global cyber policy for Intel. I met her in a previous role and lifetime and I knew I needed her. I knew she had been the lead on, um, some coordinated vulnerability disclosure and amici that had gone forward.
 

And we got to know Andrew, um, who graciously and amazingly, [00:09:00] uh, took up the, the drafting of the amicus, um, pro bono. Thank you, Andrew. And thank you team at Cooley. And thank you to the team at Freshfields who also, um, contributed, but these guys worked tirelessly over Christmas and New Year's through the holidays, um, pulled the policy arguments, um, to, to develop an amicus that was submitted on February 2nd, challenging the SEC on the basis of protecting the CISO and the cyber profession and all the ecosystem that goes around that.
 

So I thought it would be really great for all of us to come together and for you to hear from them and, and their perspectives as well.  
 

Sean Martin: I agree wholeheartedly. And we'll, we'll get to the amicus in a moment. Maybe it's part of Andrew's, uh, introduction, but I want to, I know you've been on the show, Dr. Elazari, it's good to see you again. We've discussed Disclose.io, Disclose.io and, uh, responsible disclosure and protecting the researchers that do, [00:10:00] uh, the hard work of identifying and properly sharing information where we have weaknesses. And now you do a lot with policy, with OpenPolicy. Um, maybe a few words about what you're up to and, and why you're excited to be part of this.
 

Amit Elazari: Yeah. Fantastic to be here with you again. Thank you for this opportunity. Um, and what a wonderful platform. Um, so yeah, um, I've been, I guess, uh, a long time in the business of coalitions. Uh, and you know, some of you, uh, might recall that my path into cyber was pretty untraditional. I was, uh, yes, I was in 8200, uh, many years ago, but, you know, I was doing my PhD in the law and looking at terms of service and contracts. 
 

And it is my sister, Karen, um, a big advocate for security, for responsible disclosure and vulnerability disclosure and working with hackers, uh, that told me about this amazing phenomenon of security research and the need to protect hackers. And that kind of led to the path of Disclose.io, [00:11:00] which is another coalition, a very, a story, and perhaps an inspirational story also for the CISOs, where the hackers came together and, uh, advocated for better protections, and you know, now we can share, Sean, just maybe briefly, fast forward, I think it's been like five or six years, five years since I've been on your podcast, uh, that thing ended up in the Supreme Court decision on Van Buren, uh, moving the needle in three different briefs.
 

It is now required by all federal agencies and CISA regulation. It was in a position of the parliament for the European, uh, parliament to be in the Cyber Resilience Act. And that language is now adopted by thousands, if not, I want to say tens of thousands, uh, of programs protecting millions of hackers. 
 

So, uh, that safe harbor movement, um, you know, perhaps a crazy idea, uh, of a student at Berkeley and a lot of community work, uh, behind it led to real change. And now we have another opportunity here in a different area, uh, perhaps a call to action for coalitions of CISOs. But yeah, that's, uh, kind of my story.
 

So, Dr. Amit Elazari, [00:12:00] uh, spent a few years at Berkeley doing my PhD in the law, where I also did Disclose.io, but also did some other work in hacking and got some bug bounties, uh, ended up headhunted by Intel. Uh, so really that coalition changed my life, and I spent, uh, four and a half years at Intel, a great company that gave me a chance to learn this profession from a big tech perspective, ultimately as the head of cyber policy.
 

So I led our cyber security advocacy and government relationships work, and I also chaired a couple of policy trade association committees, including ITI, which represents 80 of the largest tech companies in the world of cyber policy. So we had some experience with an amicus brief that was filed on the Spectre Meltdown mitigation. 
 

That is a different, very different issue. But it did include some arguments on vulnerability disclosure, and the amicus brief resulted in a, in a motion to reconsider wins. So it was very important for the community to raise their voice. At that time, we talked about this was for trade associations just supporting the amicus.
 

And so that taught me a little [00:13:00] bit about the power of an amicus brief and why an amicus brief is really a tool in the policy landscape, right? That can shape the future of cyber. I quit Intel about eight months ago to start a company. Uh, it's co-founded by me and David Duzan. It's called OpenPolicy.
 

And we are disrupting government affairs and lobbying. We would like to think about ourselves as a tech enabled platform, leveraging AI to unlock the value of government affairs to all. So make sure that more entities, CISOs, unicorns, startups, enterprise, corporation, and even large organizations can better see what's coming from a regulatory and policy perspective. 
 

And we, right now, we really focus on cyber and AI. And we're pretty fortunate to be named on the executive order page and work with some of the best companies in the world, like armies and in the layer. Um, so this is pretty exciting. Uh, through that work that we're doing today in [00:14:00] OpenPolicy, it became clear to me that we have some kind of a market gap here.
 

Um, the CISOs had a really important opportunity to raise their voice and engage on this topic because it was the first kind of decision of any type of regulatory agencies coming in and, you know, trying to claim liability in a, in an attack that is really APT driven, right? A very sophisticated attack. 
 

These were things that were happening, alleged to be happening, before we even had the cyber rule released. And what's fascinating is the CISO community is not really well organized together. There are amazing people out there. There are amazing groups. People like Robert Rodriguez at SINET, that really helped us in this effort.
 

Uh, organizations like, um, ISA, that really helped us, but not really one place for all the CISOs to come together and advocate. And as a platform that is organizing, you know, communities, we just saw that gap, and we felt that we can help, at least on the policy argument. So that's the role I played there, and I'm [00:15:00] happy to go a little bit more into the weeds of why, you know, I felt personally that, you know, from a personal perspective, from an academic perspective, it's a, it's a really important cyber policy issue that if we don't get right, we really have a lot on the line for the next decades to come.
 

Sean Martin: I love it. Yeah, I see tons of little factions of amazing CISOs. Right. They all have their own little groups, some small, some big, uh, to bring them all together and to enable them and empower them as a community. I think that that's super cool. So I'm excited in this, uh, Andrew, a little bit about what you're up to and, uh, and lead into the amicus. Tell us, tell us a bit about, uh, what that looks like.
 

Andrew Goldstein: Sure. Happy to. And thank you for having me part of this, uh, pretty fantastic group. Um, so a little background on me. I am the head of the white collar defense and investigations practice at the law firm Cooley. Um, [00:16:00] I've been here for about five years. Before that I was with the Department of Justice for about nine years.
 

Uh, for seven years, I was a prosecutor in the Southern District of New York. I was the head of the public corruption unit, uh, in the Southern District of New York. Um, and then for two years, I was part of the Robert Mueller team investigating Russian interference in the 2016 election. Um, we got involved in this amicus effort, uh, when, uh, we were reached out to by Emily and Amit, and also by the lawyers from Latham & Watkins, who were representing SolarWinds and Tim Brown, um, to see if we could help put together this brief on behalf of the CISO community, the cyber security community, um, that would make some of the arguments that we'll, we'll walk through, but that'll help the court understand what the risks are if [00:17:00] liability gets imposed the way that the SEC is trying to impose liability here on both the company and on Tim Brown as the CISO.
 

And we were delighted to do it. Cooley has a huge cybersecurity practice. It's a big part of sort of what our firm does. We interact with CISOs and with cyber professionals at companies all the time. Um, so this was, uh, right in our wheelhouse. We partnered with the law firm Freshfields, um, and with a former Southern District colleague of mine, Tim Howard, who was the lead for Freshfields. 
 

Um, and we worked, uh, closely with, with Amit in particular to, uh, both draft a brief that the CISO community and that, uh, cyber security organizations could get behind, and then also to recruit people who would sign on. Um, we ended up with a total [00:18:00] of 30 signatories to the brief, a combination of CISOs, current and former, um, many from, you know, very, uh, reputable, uh, companies where it's not so easy to take a position adverse to the SEC.
 

And, uh, and I think the issues that this case raises are important enough to the CISO community and to cybersecurity more broadly that we had a lot of people really wanting to get behind what we were doing. I think it might be helpful just to give a little bit of background on the case, uh, for your, uh, audio, uh, audio viewership, uh, and so if I could just go backwards a little bit in time and, uh, and talk a little bit about the case. 
 

Emily raised some of this as she was speaking. Um, but you know, basically what happened [00:19:00] here is, you know, back in December of 2020 SolarWinds discovered that it had become the victim of a huge Russian-sponsored cyber attack. Uh, people called it Sunburst. Um, and it was a, it turned out to have been a lengthy effort by the Russian government to get into SolarWinds' systems.
 

Um, the company jumped into incident response, um, and it disclosed the attack to investors on the next trading day. Um, there clearly was an SEC investigation that was mostly, uh, quiet and that people did not know about. Um, but then last year, three years after the attack, the SEC brought a civil enforcement action in the Southern District of New York against SolarWinds [00:20:00] and its CISO, Tim Brown.
 

Um, and the SEC's charges, uh, span sort of the whole period from the IPO of the company, um, all the way through the attack, and its aftermath. Um, Tim Brown was the, uh, the VP of security and architecture and the head of information security. And he then became the company's first CISO. And the gist of the complaint that the SEC filed was that SolarWinds overstated its cybersecurity practices. 
 

And understated the risk that it could be a victim of an attack like Sunburst. Um, the SEC also, uh, has allegations about SolarWinds' SEC filings in the aftermath of the attack. Um, the SEC says that [00:21:00] the filings did not reflect all of the company's knowledge about the attack. Um, and the SEC also took issue with the SEC filings in advance of the attack, saying that, again, SolarWinds did not properly disclose its vulnerability to this kind of an attack.
 

So, uh, last month, Tim Brown and SolarWinds filed a motion to dismiss the SEC's charges, um, and they made arguments in, in all kinds of different ways, but they talked about effectively, you know, the, the SEC was re-victimizing the victim of this attack, um, and was moving the goalposts for how companies should handle cybersecurity issues.
 

Um, It also, you know, became evident that, you know, this was the first [00:22:00] time that a CISO was facing an SEC enforcement action, uh, for, you know, for their role in company securities filings. Um, we argued in our amicus brief that this was really the first time a CISO was facing an action for basically doing his job. 
 

Um, and our group and several other groups who, uh, represented other amici in this case, all ended up submitting briefs to the court to effectively support this motion to dismiss and to lay out for the court all of the different ways that the SEC's theories of liability here could actually backfire. And in a case that's about trying to get companies to disclose properly what their cyber security vulnerabilities and issues are, our argument was that, uh, one of our arguments was [00:23:00] that the result of these charges could actually undermine cybersecurity by inspiring companies to over-disclose, put too much information out there, um, or potentially to chill the kinds of communications you want to have both internally.
 

And externally with other companies, with government regulators, about the kind of cyber security issues that you need to be discussing in order to deter the kinds of attacks, like the Sunburst attack from the Russian government. So I'll leave it at that. But that's, I think, the general background of where we were.
 

Sean Martin: That's fantastic. Emily, I don't know if you want to take it somewhere, but I was looking at some of the items in the webinar. The amicus and the impact can be broad and, and deep to the role, programs, companies, ISACs sharing with each other, government entities, [00:24:00] critical infrastructure, perhaps even fending, fending for themselves and having a group to partner with to fend for collectively as each other.
 

So how I think what's really cool about what you're working on is bringing this community together to, I believe, understand what the right ways are to manage programs and to, we're not saying get rid of responsibility here, right? And, and, and let people run freely with fraudulent activities. It's an understanding of what's appropriate, how to work together, how to recognize the role and measure the role and audit the role and, and look at all that it does.
 

So maybe I don't, can you kind of walk through some of the things you were thinking about with this? Thank you so much.  
 

Emily Coyle: Me or Andrew?  
 

Andrew Goldstein: One thing I meant to say as we, just to frame this, so that everybody knows what the status is. After the SEC, [00:25:00] sorry, after our amicus filings and others, and the company moved to dismiss the SEC's charges, Um, the SEC decided to amend its complaint. 
 

Um, and a few weeks ago, the SEC put out a new version of its complaint, which is, it's interesting in several different ways. Um, one of which is that they added something like 50 pages of new allegations, all focused on Tim Brown and his conduct. And, you know, in a way, that's clearly a direct response to the different arguments that the amicus, uh, or the amici made in, uh, in explaining to the court what all the risks were here. 
 

Because it's clear. That the SEC's response is to say, no, this is a very specific and unique circumstance. If you look at all of what happened here with Tim Brown, it, it, this is not something that's going to [00:26:00] affect companies and CISOs nationwide. This is something that's very particular to this circumstance. 
 

You know, we, we are likely to be filing a new amicus or effectively a renewed amicus, uh, at the end of this month, uh, in further support of dismissal. Um, and we'll be reaching out to CISOs and cyber security organizations to get additional support. We'd like to actually have more support than we had the first time around. 
 

Um, and it's one reason why we're delighted to be on this, uh, this podcast. Um, but it is, we think that Many of the issues, the core issues that we raised the first time around are not solved by the SEC's new charges. Um, and so that's something that as between now and the end of this month, when we have to make a decision about filing, that we'll be talking to stakeholders and talking to [00:27:00] CISOs and others to get support for potentially another brief. 
 

Emily Coyle: And I think to build on everything Andrew said and, and tie it back to some of your thoughts, questions and observations, Sean, you know, what am I doing? We, we have created a new organization called the Cyber Governance Alliance, and it is an alliance of folks from different parts of the cyber community who believe in and support cyber governance standards, um, but who also believe that there needs to be basic liability protections for those doing or trying to do the right thing in a challenging situation, um, and engaging in industry best practices.
 

And so we've stood up this new organization called Cyber Governance Alliance, and I'm happy to send you the link and hope that you will post it along with a way to sign on to Andrew and Amit's new, renewed amicus. [00:28:00] But the vision here comes directly out of my experience in financial services and corporate governance oversight.
 

I spent over a decade working for an entity that was heavily regulated by the SEC. And I know there's lots of good folks over there. However, um, what they're doing is policymaking through enforcement, and this is not the first set of commissioners to do that. It happens. Um, and it happens in other areas of the capital markets.
 

And there's a lot of fear of speaking out, um, because they're, they're, they're your regulator and they can put you out of business. The, the moment I saw was that I understand what's going on here, but I no longer work for an SEC regulated entity. I work for myself and my coalition partners. And I therefore have the freedom to speak out. 
 

I also happen to be someone who has been educating, you [00:29:00] know, the chair of the banking committee and his staff and financial services committee in the house about cyber and how hard it is to manage with 85 percent of our critical infrastructure in the United States in the private sector, you know, having, um, the sword of Damocles, through this kind of lawsuit, hang over cyber professionals who are being targeted by our foreign adversaries, um, as acts of war, as acts of, uh, acts of aggression to undermine our economic and national security. 
 

Um, I just think that this is the wrong way of going about it. So my vision, when all of this came out, my response was there's, there's a solution here. And it's based on what other industries have done successfully in the past, right? When Sarbanes-Oxley came forward, they adopted much of what the big four were already doing. 
 

They took most of the best practices, um, and they made them law or they made them regulations. There is a [00:30:00] distinction and difference for those of us who are policy wonks here in Washington. Um, but they also limited new private rights of action, and they also limited the ability to sue an audit firm, um, for quote unquote, aiding and abetting, um, in certain financial cases. 
 

And I apologize. I should have let you know that there's a dog over here. Uh, uh, she's, she's very up in arms about it too. It's a dog. Um, but. Uh, there, there is this precedent where, you know, the big fight that was happening on Capitol Hill as Sarbanes-Oxley was going through was how are we going to limit frivolous lawsuits? 
 

How are we going to protect the audit and the sanctity of the folks who are responsible for the audit? How are we going to create good processes? Um, and how do we keep kind of like this onslaught of frivolous litigation from coming in and destroying the people who are supposed to protect our capital markets. 
 

And [00:31:00] that's what an auditor does, right? They're supposed to be protecting the investor. So they changed the way that auditors are hired and fired and they created a mandatory role for the board. Uh, and then they said the CEO and the CFO are personally liable, and they have to sign the financials. Um, but then they set up new limitations on private rights of action. 
 

And they said, if somebody is going to claim that, you know, a bank or a financial services company or a public company committed fraud and their auditor didn't catch it, because auditors can't be everywhere all at once. And, uh, you know, certainly technology is helping us get there, but that creates new vulnerabilities and risks. 
 

That's a story for another day. Um, that not only would there be a limitation on outside claims, but that the SEC would have to work with the FBI to determine if there had been a breach of securities law before any action could be taken. So that there would be a joint agency, different areas of expertise before a lawsuit could be brought. 
 

And when the [00:32:00] SEC claim came out, I immediately thought of what happened with Sarbanes-Oxley and said, here's the path forward. We take the best practices that companies have been working on for years. Um, and we make sure that we have a framework because we haven't figured it out, and Amit is deep in the weeds on this and can tell you about the evolving nature of this framework. 
 

So we don't want to codify anything in legislation that limits the, our ability to evolve and adapt because this is, you know, an ongoing arms race in terms of like protecting ourselves against the bad guys in cybersecurity. But create a framework of risk management, ensure that cyber is managed as an enterprise-wide risk, uh, cyber by design, cyber at the highest levels, empower our systems, but also protect them. 
 

Let's limit some liability. Let's limit the individual liability. Let's limit like new private rights of action and ambulance chasers and this tsunami of litigation that can come out of what the SEC has done here to chill the market. And, you know, [00:33:00] okay. Andrew touched on it, and I know Amit is chomping at the bit to talk about the impact that this is having on, um, sharing vulnerabilities because the cyber community is all about sharing, right? 
 

Sharing is caring, and we all talk to each other. And that's, that's how we negotiate and figure these things out. And we do something called coordinated vulnerability disclosure, where we don't tell the world that the bad guys are in our system, and we don't know how to fix it. And Amit is the expert on that. 
 

Um, but helping the government understand, and different branches of the government understand, um, that what has happened here by this one agency, whose job is rightfully so to protect investors, but it is impacting our national security. It is impacting our cyber security and our economic security. It was made in a vacuum, um, by folks who wanted to bring an enforcement action and is going to have pretty calamitous effects on our national security that the rest of the government, whole-of-government effort, Team Cyber, um, you know, [00:34:00] they're trying to, they're trying to stand up more public-private sharing. So we've got one arm of the administration that has done something that's put a chilling effect on people's willingness to talk to each other while we have. 
 

Other areas of the same administration and they are my friends and they're doing some fantastic work out there, but we have other areas that are trying to push for more disclosure and working together. And that has been such a challenging battle being in this town, working on cyber issues for 12, 13 years now. 
 

But being in this town for almost 25 years, this town being Washington, D.C. Um, it has been so hard to get private companies to come and share information with the federal government. The federal government is staffed by many well-intended people. However, I'm sure you guys know and talked about many of their systems are outdated. 
 

There is a whole effort to modernize the federal government right now. That's something else that Amit and I are working on in a different project, um, to modernize their systems, and that there [00:35:00] have been some pretty serious breaches by the federal agencies themselves, including the SEC. So this is something we're all struggling with. 
 

This is something where the FBI and the Department of Justice have decided on ransomware cases, they're not going to sue the victims of ransomware cases. Why do we have this other law enforcement entity making these unilateral decisions that even previous government commissions have said, you know, Congress, you really need to act here. 
 

So for me, that's what I'm doing. And that's my passion and my focus and why, um, I wanted to bring this crew together today because Andrew can share with you, you know, the concerns that he's starting to see and hear from the cyber professionals they represent and the floodgate of litigation they've been exposed to. 
 

And Amit can share with you, you know, the insights to the chilling effect that it's having on coordinated vulnerability. And we don't want to just terrify everyone. We want to say like, Hey, actually we've created [00:36:00] this coalition, this new entity to try and solve this problem. But we, we also need you all to to show up and help us do it. 
 

Sean Martin: I'd like, I think first, uh, maybe Amit's perspective on the impact and, um, and maybe Andrew's as well. Um, but I also want to get to the frameworks and I know before we started recording, we touched on CSF 2.0 from NIST coming out. Is that the end-all be-all? I don't know. Um, so I want to get to that as well. 
 

So maybe Amit and Andrew, a little bit of the impact and then we can transition to the frameworks.  
 

Amit Elazari: Yeah, and I'll touch on the frameworks because it's related. Um, you know, I, I think I've been doing work on cyber policy for a while. Um, once in, in, you know, a few years, you really see, um, some kind of, uh, policy document. 
 

And in this case, it's a case, but you know, it's pun intended. But sometimes they could be [00:37:00] legislation that has the power to change the trajectory of where we're going. Cyber policy where we're going to see cyber policy and risk for organizations for the next decade. And just to double down on the implications. 
 

We now have legislation that is requiring federal contractors to have vulnerability disclosure practices aligned with international standards. The standards say, minimize the exposure of confidential sensitive information about unmitigated vulnerabilities. The standards say, engage in information sharing with your peers, because that's how we resolve Cyber together. 
 

That's how we come together to address threats. Information sharing. Um, these standards actually prohibit the sharing of information to any party, government or other, when it comes to unmitigated vulnerabilities. So these standards are [00:38:00] best practice, they are referred to by NIST, they are referred to by Congress in legislation like the IoT Cybersecurity Improvement Act. 
 

And at the same time, we have a challenge, right? You know, I'm just talking from an educational perspective and, you know, from a contradiction perspective, where someone is getting punished for not sharing with the public at large. Information about vulnerabilities that are not mitigated and throughout the amicus, we go into great detail in showing into these inconsistencies right between one action and the whole of government effort. 
 

On public-private partnership building, uh, showcasing how really the cyber practice is still emerging as, as you shared, Sean, just this week, this month, we had the release of a new Cybersecurity Framework version that goes into great depth into new, um, guidelines and the documentation and clarifications needed when it comes to the CISO role [00:39:00] and professional roles. 
 

So all of this is still emerging. And when you have a case like this. When it's personal liability of the top executives, the same executives that are navigating, not just organizational risks. Think about the CISOs. In each and every one of their decisions, they might be protecting the nation at large. 
 

They have so many uncertainties they need to take into account and information that is constantly changing. And what's interesting, it's, it's really kind of impacting third parties. So when you take all of that together, when you throw in any uncertainty, and when it's, we often talk about, it would say, you know, regulation that is duplicative, regulation that is contradicting, contradicting. Any uncertainty is hard enough in cyber policy when you have a decision that has the impact to create such chilling effects from an educational perspective, from an ecosystem perspective. 
 

We really have a responsibility here to bring that ecosystem view [00:40:00] so we can go. The amicus brief goes into great detail into those issues, and we will have another opportunity to outline them. But my biggest call to action is for the community. Um, I personally reached out to about 30 different CISO groups. Um, policy is hard. I've seen so many conversations on this case in conferences, in blog, blog posts, in podcasts, in webinars, what really matters is how this community comes together and seizes this moment to educate the court. And really, the implications are well, way, way, way beyond just a particular case. So no matter where a side, which side you are, if you're not going to come together and put your voice there, it will be very hard to push, push this conversation forward. 
 

These are the venues where you need to be sharing your expertise and really, um, explaining the impact on each and [00:41:00] every one of you. And, you know, coming from doing disclose.io, where I was, honestly, Sean, a bit surprised that it took a student from Berkeley right to go to DEF CON and call us a number of hackers. 
 

Of course, there were many, many community efforts around it, but I feel kind of the same. Like sometimes you need to come to a community and say it's time to come together. So we're doing another brief. We need your help. We need your support. We need the CISOs to come together on this. This is kind of my biggest call to action that I would love to leverage this platform for. 
 

Sean Martin: I love it. And Andrew, you're, you're, your thoughts on this as well. And, as Amit mentioned, this is more than just this case. It's bigger than just this case. It's not, I just want to do what Mr. Brown did at SolarWinds and I'll be okay, right? This is bigger than that. Describe what you're hearing, what you're talking about with some of the folks you work with. 
 

Andrew Goldstein: Yeah, I think it's, it's, it's much bigger than this case in a few different ways, some of which Amit just walked through, [00:42:00] in that part of what enforcement actions are about is a way of setting the boundaries for the way that people act at companies, and it can change the incentives, not just how you act, but the incentives for getting into the business in the first place. 
 

One of the arguments that we haven't talked about today, but that's in our brief, is there is a terrible shortage of cybersecurity professionals across the board, and in particular in the CISO role. There's a lack of CISOs in, like, a significant number of Fortune 100 companies. And to, for the, for the SEC, which has now, you know, poured all these resources into examining all of these internal communications of SolarWinds and Tim Brown, um, like, an obvious [00:43:00] impact of this action. 
 

Is going to be to further deter people from wanting to take on these positions, which, you know, on the flip side are of increasing importance. In the corporate world, the government should want people to take on this role to exercise leadership to balance all of these competing factors about, well, how much should you disclose, um, how much, what do we need to do to be able to keep our company safe, but also to protect national security more broadly. 
 

To not put incentives in place to over disclose, um, because that could end up effectively giving the keys to the kingdom to the people who are trying to hack into your systems. And all of that is, it's immensely difficult. As Emily described, there are policy makers who are trying to get all of these incentives right. 
 

And. One of the arguments that we've made is that for the SEC to [00:44:00] use this enforcement action in this particular way it could end up tilting these incentives in directions that are not helpful and not productive and not as thought out as what the policy makers are trying to do on the other side of all of this. 
 

Sean Martin: And I. It's not lost on me that I think we all know, and everybody listening to my show knows, I'd say pretty much everybody that joins this role, some role in cybersecurity, comes from a place of wanting to do good, to help us help our companies, help our countries, protect ourselves against the bad things happening. 
 

So it's very striking to me that individuals are being targeted as doing the opposite, when in fact, I know for a fact, and in this particular case, I know Tim [00:45:00] well, I don't see it. So, um, I think we need to come together and make this very clear to those who need to know, uh, Emily, as we wrap here, some, some final words from you and the final call to action. 
 

How, how can the community join? I'm going to include all the links you share with me to the Alliance and to how they can contribute and participate with the update to the amicus. Um, what else do you want to share with folks? 
 

Emily Coyle: I was going to say to try and wrap a bow on it. The updated amicus that Andrew and Amit are, um, filing, and that's March 29th, that you have to file? 
 

Andrew Goldstein: March 29th is the deadline. Yep.  
 

Emily Coyle: Um, that, if you think about a patient that is sick and bleeding, right? They are, they're putting the tourniquet on. That's what that amicus is. It's the tourniquet. Cyber Governance Alliance. We are the chemotherapy, right? Like we're trying to fix the underlying problem. We're [00:46:00] trying to push for, and we know it's a challenge in Congress, but we're trying to get some basic rules of the road established by the entity in our government that's responsible for setting policy by having folks, um, who specialize in securities laws and incentives, but who also have roles on the Intel Committee, um, and the National Security and Armed Services Committee, take a careful, considered, balanced approach, um, and set the rules of the road. 
 

So that's, that's basically, um, what we're doing: amicus tourniquet and CGA, Cyber Governance Alliance. We are doing, we're engaging in that longer fight to try and rebuild and rehabilitate the patient, um, to create the right incentives for the long run. So that's that. Uh, that's where I'll leave it. Amit, Andrew, did you have any additional thoughts? 
 

Amit Elazari: Um, no, I would just put it out there, you know, um, reach out, you know, um, you can contact OpenPolicy through [00:47:00] our website. You can reach out to me on LinkedIn. Uh, we need, especially, CISO groups, especially trade associations, groups that can represent a large community. We had massive support, um, already, but this is really the time to drive that message home. 
 

All of us are, like, I'm doing this pro bono. Uh, this is really something we're doing for the community, but we need your help. So please do reach out. Um, this is a unique opportunity to raise your voice. We're not sure where we're going to have an additional opportunity like this. Uh, and I will just say, um, you know, while Emily is working on the long term and policy work there. 
 

Um, amicus brief and court decisions do have a way to influence those discussions. The Hill is looking at how, you know, the court is going to look at this. Precedent is really important. So we really want to, uh, do everything we can to educate the court here. So please do reach out. We need your help. 
 

Andrew, anything to add? [00:48:00]  
 

Andrew Goldstein: We are actually going to be holding one or more information sessions for people who are interested in potentially signing on or learning more about this next step in the litigation. So, uh, stay tuned for that. 
 

Sean Martin: Well, this is, uh, such an important thing, and I'm thrilled to have the three of you on to bring it to my attention and to my audience's attention, hopefully. 
 

Hopefully it takes off. I use the term patient. This isn't about one individual. This is about security leadership, and, uh, it needs, it needs our attention. Needs our attention. So I appreciate all that the three of you are doing for this and beyond. I know everything else you touch comes back to this as well. 
 

It's a, it's a big circle and everything's connected in some way or another, and so thank you all for all that you're doing, and please, if you're [00:49:00] listening and watching to this and have a vested interest in the role succeeding and surviving, and you as well, individually, doing the same, please participate, engage, bring your peers along with you as well, um, share your thoughts. 
 

You don't have to agree with everything, but at least get your thoughts as part of this, so you have a voice. Otherwise, you're stuck with the precedent mentioned, so. Thank you all for listening and watching. Please do subscribe and share, especially this one. I know I say that for everyone. This is an important one. 
 

So thanks everybody. And we'll catch you on the next episode. You're all very welcome back again. As you know, um, with updates, uh, as, as you see fit, um, let's keep the, keep the story going. Hopefully not for too long though.  
 

Thanks everybody.  
 

Andrew Goldstein: Thank you, Sean.