American Flag Cyber Theme

Episode 228: CISA’s Eric Goldstein on being Everyone’s Friend in Cyber

In this episode of the podcast (#228) we’re joined by Eric Goldstein, Executive Assistant Director for Cybersecurity for the Cybersecurity and Infrastructure Security Agency (CISA) to talk about how the US government’s lead cybersecurity agency is helping companies and local government to keep hackers at bay. But are organizations ready to ask for help?

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google PodcastsStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted. 

[MP3]


October is the 18th annual Cybersecurity Awareness Month – a month dedicated to educating the public and the private sector about cyber risks. What better time, then, to check in with our friends at CISA, the Cybersecurity and Infrastructure Security Agency. 

CISA: A Different Kind of Agency

Eric Goldstein, CISA
Eric Goldstein (CISA)

As the U.S. government’s newest agency and the tip of the spear for government response to cyber risks and cyber threats, CISA has its hands full. The agency is responsible for coordinating and informing the cybersecurity practices of the federal government, which employs more than 4 million Americans and has a budget of close to $5 trillion. It also is the go-to for cybersecurity intelligence and security services for state and local governments. The agency offers a series of “cyber hygiene services” that local and state governments can use to interrogate their infrastructure. CISA also helps coordinate with the private sector around emerging threats, such as ransomware gangs and the hack of key providers like SolarWinds, Kaseya, the Colonial pipeline and more. 

CISA executives are quick to point out that the agency is not a regulator nor is it law enforcement. Indeed: CISA is “a different kind of agency:” less bureaucratic, more agile and more willing to embrace technologic change. CISA’s most important objective is to be a friend to the agencies and organizations that it serves: involving itself in cyber incident response not to assign blame or mete out punishment, but to help those affected to recover and move on. 

Making the Most of Cybersecurity Awareness Month

But to do that, CISA needs to enjoy the trust and acceptance of the organizations it is trying to help: from state and city governments to critical infrastructure operators and supply chain providers in the broader economy.

To learn more about that effort, we invited Eric Goldstein,  Executive Assistant Director for Cybersecurity for CISA in to the Security Ledger studio to talk about the agency’s agenda for October, including its 4th Annual National Cybersecurity Summit, which is taking place all this month. (Check out the agenda for the October 20 and 27th events here).

CISA…or CIZA?

In this conversation, Eric and I discuss the agency’s work on problems like ransomware, and a recent report that linked ransomware outbreaks at hospitals to increased delays and strain and stress among medical staff working there. We also talk about how his experience working in the private sector for Goldman Sachs has informed his work for the federal government – another big cyber target. To start off, I asked Eric the one question that’s on the tip of everyone’s tongue: Is it CIZA or CISA? 


Episode 228 Transcript

[START OF RECORDING]

PAUL: Hello and welcome to another episode of The Security Ledger podcast. I am your host Paul Roberts, Editor in Chief at the Security Ledger. In this week’s episode of the podcast, number 228:

ERIC: So one key role that I see for CISA is really being that ally of infosec professionals to make sure that they have the right information to win those conversations that are happening every day across our country to delay a product for a few days while you fix that vulnerability or that service to consumers while you put in multi factor authentication, even if it adds a little bit more friction.

PAUL: October is Cybersecurity Awareness Month, a month dedicated to educating the public and the private sectors about cyber risks. What better time, then, to check in with our friends at CISA, the Cybersecurity and Infrastructure Security Agency as the US government’s newest agency and the tip of the spear for government response to cyber risks and cyber threats, CISA has its hands full. The agency is responsible for coordinating and informing the cybersecurity practices of the federal government, which employs more than 4 million Americans. It’s also the go to for state and local governments providing cybersecurity intelligence and security services, and it helps coordinate with the private sector around emerging threats and attacks such as Solar Winds, the Kaseya Hack, Colonial Pipeline, JBS and more. CISA executives are quick to point out that the agency isn’t a regulator and it isn’t law enforcement. Indeed, CISA’s most important stated objective is to be a friend to the agencies and organizations that it serves. But to do that, CISA needs the trust and acceptance of the organizations it’s trying to help. To learn more about that effort, we invited Eric Goldstein, the executive director for Cybersecurity for CISA, into the Security Ledger studio, to talk about the agency’s mission and how it is celebrating Cyber Security Awareness Month. In this conversation, Eric and I discussed the agency’s work on problems like ransomware and a recent report from CISA that linked ransomware outbreaks at medical facilities to increase strain and stress among medical staff working there. To start off, I asked Eric the one question that’s at the tip of everybody’s tongue. Is it CISA or CISA?

ERIC: My name is Eric Goldstein. I am the executive assistant director for cybersecurity at CISA, which is the Cyber Security and Infrastructure Security Agency.

PAUL: Eric, welcome to Security Ledger podcast.

ERIC: Thanks so much, Paul. It’s great to be here.

PAUL: Great to have you. Okay. First things first, CISA or CISA? Eric, I hear both.

ERIC: So, you know, it’s funny you asked because we had a really clever tweet that it is CISA.

PAUL: You heard it here first. That is the definitive it is CISA, which is what I thought. But I’ve heard people say CISA like scissor and felt like maybe I was the dummy.

ERIC: Beauty is in the eye of the  beholder. But we’ll go with CISA, at least on this podcast.

PAUL: Okay, Eric, for the listeners who are not familiar with CISA and the work that you do, explain what CISA is.

ERIC: I love that question because we have such an exciting mission in this space. CISA has the privilege of really being able to focus in my particular area of just focusing on advancing the nation’s cybersecurity, which means helping our federal civilian government, helping the nation’s critical infrastructure, helping the nation’s state, local, tribal and territorial partners improve their security and more effectively respond and limit the impacts of cybersecurity events. And it’s a really great mission because among all the agencies in the federal government with a toe or a finger in cybersecurity, we’re not a law enforcement agency. We’re not a cybersecurity regulator. We are not a member of the intelligence community. We are really focused purely and simply on network defense, which includes providing services to help organizations improve their own security, sharing timely and actionable information to help organizations understand the most impactful and emerging threats and risks. And then, when incidents do occur, providing assistance to help organizations restore and recover and quickly sharing information to limit the spread of a given incident and contain the kind of widespread campaigns that we’ve seen too frequently in recent years.

PAUL: Many people kind of refer to CISA as the federal government’s point agency on cybersecurity. Is that a fair characterization?

ERIC: That is a fair characterization. Now, it’s important to note, of course, that cybersecurity is both a whole of government and a whole of nation effort. And so we work very closely with other partners in government and, of course, in the private sector to understand and manage cybersecurity incidents. But when an incident occurs, when a campaign or vulnerability is identified, CISA really serves as that quarterback as that hub in the national model to make sure that we’re collectively ingesting information to understand the incident, sharing information quickly and providing assistance to those victims who need help.

PAUL: Great. And, Eric, tell us a little bit about the work that you do at CISA.

ERIC: Certainly. So CISA has a few different functions. We have teams that focus on physical security. We have teams that focus on interoperability of emergency communications, on long term risk assessment. The team that I have the privilege to lead is really focused on operational cybersecurity risk reduction. And so we focus on providing that information sharing and guidance to help organizations reduce risk into their networks. We provide the operational services like vulnerability scans, architecture reviews, red teaming, to help organizations understand their own risks and reduce them. We have the threat hunters and the Internet responders who are there to actually go on network and understand how an adversary broke in and help an organization evict them. And we provide a lot of the foundational technologies, particularly for federal civilian agencies, to help them secure their own networks. And then, finally, but importantly, we are really that collaborative hub where we bring together organizations from government and the private sector to operationally collaborate to solve hard cybersecurity problems. Whether it’s the newest Zero Day vulnerability, an emerging intrusion campaign, some indicators that we received from a partner working together to figure out how can we more effectively manage risk at scale?

PAUL: Okay and you’re no newbie in the cybersecurity world. In fact, in a previous life, you were the head of cybersecurity policy, strategy and regulation at Goldman Sachs, so clearly chased a bigger paycheck to the federal government. Right Eric?

ERIC: You know I love the mission here, as our director has said, and I’ll paraphrase her here. This really is the best job in government as somebody who spent time in the private sector just coming to work every day with such a passionate, committed group of people with such a great mission for our country. You really can’t beat it.

PAUL: And you’ve been in the government space before. In fact, you were at the National Protection and Programs Directorate. So you were in the government, really, in the period where CISA was first created. Can you talk a little bit about kind of what you observed and learned about infosec and the challenges facing the federal government when it comes to cybersecurity just from your earlier tenure there?

ERIC: Yeah, absolutely. I want you to know for a moment one thing I learned from my tenure in the private sector, and I’ll back up from there, which is understanding how cybersecurity risk decisions are made in the real world. Right. Because we know that across this country every day there are CISOs, there are infosec professionals who understand the right thing to do, who see the threat reporting, who know about the vulnerabilities, who want to deploy the right controls in their environments, who want the right gates in place in their SDLC. But for whatever reason, their organizations find it hard to justify the changes in investment models in business practices, in software development practices, delaying products, delaying features that are necessary sometimes to put in the right level of security. One key role that I see for CISA is really being that ally of infosec professionals to make sure that they have the right information to win those conversations that are happening every day across our country, and they’re winning those arguments to delay a product for a few days while you fix that vulnerability or delay that service to consumers while you put in multi factor authentication, even if it adds a little bit more friction. And so understanding how these decisions are being made, and often they’re happening in good faith. There’s just a tension between potentially a business need and a security need and helping to put our finger on the scale so that security needs are really given that appropriate weight and then going back to something I learned during my prior tenure at the Department. Frankly, one thing I’ve really learned is they need to be very frank and transparent about the respective roles of CISA and our partners in our collaborative model. And I think in CISA’s early years, even before we had our current name, the agency wasn’t always clear about the outcomes that we are trying to achieve. And one thing that we’ve really grown into is trying to be a coequal partner in the cybersecurity operational collaboration ecosystem. And what that means is understanding that we don’t have a monopoly on information, we don’t have a monopoly on the ability to drive cybersecurity risk reduction at scale. And we need to really closely partner with organizations across this country and, frankly, across the world to make sure that we are benefiting from real visibility into emerging cybersecurity risks, and that we take action in concert with the private sector, with other government partners so that we can actually have a higher likelihood of long term risk reduction change.

PAUL: You worked, again, Goldman Sachs, which is obviously huge target and also a company that has resources to invest in cutting edge technology. Same is true with the federal government. What have you seen the difference in just in terms of even issues like procurement and program development, private sector versus government?

ERIC: You know, I think it is certainly the case that the private sector is often, although not universally more able to move with agility in procurement and adopting new technologies, certainly in higher and talented personnel. But the government, I think, really is catching up. And one value proposition that CISA has is we’re designed to really be a new kind of agency where we are able to pilot new technologies in more creative and innovative ways. We’re able to hire a bit more quickly. We’re able to utilize different sorts of assessments to make sure that we’re bringing on candidates, maybe that don’t have degrees or traditional credentials, making sure that we build the sort of deep and diverse workforce that we need to make the challenge ahead. So certainly government has structures that are not always designed with innovation first in mind, and that’s sometimes for good reasons. But I do think at CISA that we have a leadership team that’s really focused on making sure that we represent the best in government and are able to have processes that meet the risk that we know we’re up against.

PAUL: So one of the things that you’ve done, CISA I mean, that I think is great is really push agencies to basically have what’s often referred to as kind of a front door for security researchers, a VDP, vulnerability disclosure policy, and kind of clearly stated terms for security researchers who might probe government systems looking for vulnerabilities. And there have been some interesting discoveries as a result of that. What has been the response to that? And then also kind of the next step on the maturity curve for after VDP might be things like bug bounty programs where you’re actually incentivizing people to come and find vulnerabilities. Is that something that you can see CISA pushing federal government agencies to stand up?

ERIC: Absolutely. That’s a great question. So first of all, I think CISA’s work in initially, mandating that agencies adopt a vulnerability disclosure policy, or VDP, utilizing our directive authority that we are able to levy against federal agencies to require them to take urgent risk management action was a critical step forward. Before this directive, there was, of course, no requirement for agencies to adopt even a policy, not least a program or a platform. But moving forward, just this past summer, we rolled out a new shared service where we now offer a vulnerability disclosure platform as a service utilizing a well respected third party vendor that allows federal agencies to adopt our vulnerability disclosure platform without any of the burden on them. To find a provider, go through a procurement stand it up. We did all of that work for them. And so that’s already showing great effect in broadening the number of federal agencies, federal websites, and mobile apps that are covered by vulnerability disclosure programs. As you note, I think there’s really two key areas of growth, one of which is certainly we are working closely with many agencies to further support the adoption of bug bounty programs, which are a terrific incentive to get the nation’s best security researchers to look for and report vulnerabilities in websites and mobile applications, and then also improve the ability of federal agencies to actually act upon disclosed vulnerabilities. Because, of course, we know that getting researchers to find a vulnerability is one key step. Getting them to report it into a trusted platform is a key step. Triaging it is one more key step. But then at the end of all that, you got to actually fix something. Making sure that agencies have the people, the program, the processes in place to act with appropriate urgency on vulnerabilities that are disclosed is equally critical and certainly not a consideration that’s unique to agencies, but really one that’s generalizable across organizations embarking upon these important efforts.

PAUL: So one of the initiatives that CISA is pursuing is what’s called the Joint Cyber Defense Collaborative. Can you talk a little bit about that?

ERIC: This is really one of the most exciting things I think happening in government right now, not just cybersecurity. The idea here is, we’ve said for a long time in cybersecurity, the importance of public private collaboration. There’s been a lot of efforts for information sharing and sharing indicators and partnering, and I think it’s fair to say that those efforts were positive, but they didn’t necessarily achieve the focused outcome that we’re looking for as a national cybersecurity community. Congress saw this concern, and a bill last winter authorized CISA to establish a new cyber planning and defense organization. And the goal here is really for CISA to bring together government partners, private sector partners, state and local partners, collaboratively identify the most significant cybersecurity risks facing our country, develop joint cyber defense plans to reduce those risks by taking concerted action that brings together not just government, but also the private sector, taking action within eaches own, your own authorities and own capabilities, exercising those plans to make sure that they’re really fit for purpose to achieve their objectives and then actually executing those plans in a really novel, collaborative way that’s focused on achieving measurable risk reduction outcomes. That last one is an important point because for the first time, we’re really saying here’s a risk we care about, and at the end of each cyber defense sprint as we’re calling them, we want to see a measurable reduction in national risk or we haven’t it succeeded. It’s really a new way of thinking about cybersecurity and cyber defense planning and working towards measurable outcomes in a way that we haven’t before. Our director, Jen Easterly, announced the Joint Cyber Defense Collaborative at the Black Hat conference over the summer. We are excited that we have 15 of the nation’s largest and most effective cyber and tech companies as plank holders in this effort, and we’re already seeing operational successes using this construct in understanding and managing emergent cybersecurity campaigns. But there’s a lot more work to do here, and we’re excited to broaden the scope of the effort to include more entities across sectors.

PAUL: Can we talk about ransomware?

ERIC: Of course.

PAUL: It wouldn’t be a cybersecurity podcast if we didn’t talk about ransomware. Obviously the most kind of salient cybersecurity threat out there right now. This is a really big problem with many different heads to it, right? There are many different causes and contributors to the ransomware pandemic, including tolerant foreign countries that are allowing these groups to operate from within their borders. What is CISA’s role in addressing this problem, both within the federal government, which is your immediate purview and then also helping kind of in the broader economy and society. And what steps has the agency taken to address this problem?

ERIC: You know, we’ve seen over the last year that ransomware really is an extraordinarily, both impactful and pervasive challenge that’s effecting organizations across all sectors, big and small. And we’ve seen attacks affecting everybody from K-12 schools to hospitals to grant cooperatives and large corporations, small businesses alike. We’re really pushing this from a few angles. The first is an understanding that even though there are infrequent ransomware events that use novel tactics, techniques and procedures, the majority of ransomware intrusions, probably the vast majority, are utilizing known vulnerabilities and known security weaknesses to perpetrate the initial intrusion and to cause highly impactful encryption events. That, of course, are so harmful to organizations. And so our first goal is to make sure that every single organization in this country a) understands the risk, understands the potential impact of the risk on their ability to provide their functions, their services to their customers or the constituents, and then make sure that those organizations know and adopt these known best practices that we know are effective in reducing the likelihood and impact of a cybersecurity or a ransomware event. Now, looking back a few months, we surveyed the landscape of information about ransomware, and we identified a problem that probably will not be a surprise to any listener, which is the US government had a whole bunch of websites out there with information about ransomware and having just come from the private sector. This seemed rather ridiculous that an organization would have to figure out should they visit a website for CISA, for the FBI, for Treasury, for Health and Human Services. That’s not the right way to convey a message. And so the government got together and said, you know what? Let’s just create a single website called stopransomware.gov that’s going to be a one stop shop for information about how to prevent, reduce the impact of ransomware intrusions, what to do if an intrusion happens, and then how to report it and how to get help. This website went live over the summer. I would encourage any listener who hasn’t made it over yet to check it out. It really is a wealth of knowledge that we update recurringly as we issue new advisories, new guidance, new alerts. But this really is focus area one to make sure that all organizations understand those basic steps to take that can help secure their networks. The second is that as new ransomware strains are identified as we see new ransomware campaigns to make sure that we are sharing actionable technical information, including both indicators of compromise and mitigations, that are mapped to actor tactics, techniques and procedures, and share those broadly to help organizations further secure their networks. For example, just a week or so ago, we released a new advisory with our colleagues, the FBI, about conti-ransomware that’s available on a website for anybody interested, and we’ll continue rolling out these kind of products to make sure that we’re helping network defenders understand these ransomware groups, their strengths and their tactics and take defensive measures in response. And the third area is when a ransomware intrusion occurs to the extent needed helping the victim organization with their response, although we know, of course, there are many third party private entities that are highly competent at ransomware rebuilding and response but then critically gleaning information from the intrusion that we can then share to help others. Silver Ransomware actor is using a particular malware particular infrastructure. We’re able to turn that into shareable indicators of compromise and blast that out widely to protect others. So ideally, I guess we’re only going to use a given piece of malware and given command and control server a given email header one time before we can help it be blocked throughout the ecosystem, which is effective in at least raising some costs, when with more adversaries and making them adapt more before they launch more intrusions.

PAUL: One interesting report that you released just a few days ago and kind of picks up on this where CISA studied the impact of COVID-19 on the availability of healthcare, which is one of the critical national functions that your agency is dedicated to preserve and then correlated that with hospitals that had experienced ransomware attacks and found that ransomware attacks can exacerbate stresses on health care providers on top of something like a COVID-19 pandemic that could impact patient care. You’re not necessarily connecting the dots and saying people died because there was a ransomware attack in a hospital and there was a pandemic. But you’re saying the data suggests that ransomware attacks would add to the strain already on strained facilities and could certainly lead to unnecessary deaths. And then, of course, as we know, The Wall Street Journal had a report that more directly made a connection in the case of an infant who died at a facility that was experiencing a ransomware attack. This is something that people talk about in a bunch of different sectors, not just health care, which is sort of the Cascading events or the coincidence events, whether unintentionally or intentionally cyberattacks on top of natural disasters like pandemics or hurricanes and stuff like that. What is CISA doing to kind of dig deeper into those types of cascading risks or combined events where cyber is one part of it? But there are also other parts of it that aren’t cyber.

ERIC: One of my peer organizations within CISA is called our National Risk Management Center, the NRMC. And this organization is really focused on understanding risks to what we call national critical functions, which are those functions that are really critical to our economy, public health and safety, national security, and then understand what intersection of threats and risks could most undermine or degrade those national critical functions in a way that could really impact the American people. And so the research you mentioned on the intersection between the COVID-19 pandemic and the surge of ransomware intrusions on the provide medical care national critical function is an example of that sort of essential work where we are combining our cybersecurity expertise with our understanding of the dependencies within these national critical functions and deriving analysis that, ideally the owners and operators of critical infrastructure can actually use to make informed risk decisions. And so, as you noted, it is certainly intuitively, not surprising, that ransomware intrusions on hospitals could potentially result in life safety implications. But doing this kind of research again helps the argument for security professionals in many institutions to say, look, here’s why we need to make these important investments. Here’s why we need encrypted offline backups. We need to patch our Internet basic hosts. This is all part of our effort to support the best possible risk decisions in organizations across the country.

PAUL: Yes. So I guess what should healthcare facilities and consumers take away from it? Should consumers be wary of going to a hospital that is experiencing a ransomware attack? And I guess how would they be expected to know that? And what should hospital staff be taking from that analysis by CISA?

ERIC: So, of course, individuals and families should be getting the medical attention that they need it that they need at the location most convenient and that provides the service they need. So that’s the most important thing, particularly as we are still in such a challenging time with the pandemic across the country. I think what the report really does tell us is that this is a real and urgent risk for all organizations. Hospitals in the health care sector are not unique here, and every organization needs to recognize the impact, not just to their bottom line, but potentially to life, safety and public safety from the risk of cybersecurity intrusions and take urgent steps to implement the right security controls, which again, are outlined at stopransomware.gov to reduce the risk of these sort of intrusions occurring and having potential impacts to their customers, their patients, their stakeholders.

PAUL: Ultimately, so much of this critical infrastructure in the United States, including many hospitals, are private entities, privately owned, not run by the government. When push comes to shove, I know you say we’re not the cops and we’re not the regulators. We’re kind of your friends, but when push comes to shove, what can and should the government do to say, you know, to a hospital, we’ve been giving you 15 years to try and get your act together on cybersecurity, and now you’ve got a ransomware attack. So we’re going to take the steering wheel, as it were or kind of pushing to that next level of saying this is no longer suggested, but in fact mandatory, and we’re going to check back and make sure you’ve done it.

ERIC: The first perspective is that certainly in our experience and my personally, most organizations, if given the right information at the right level, will make the right risk decision. That’s why we are so focused on ensuring that we are communicating effectively with security practitioners, with security executives and with business executives at all levels of organizations, including briefings to CEOs and boards of directors to help organizations make the right risk decision to manage risk, their organization and to the functions that they provide. Now, it’s certainly also the case that for some sectors, for some organizations, there is a role for regulation here. One example is the work of TSA, which regulates, among other things, in the pipeline sector that recently issued security directives requiring certain cybersecurity measures to protect the nation’s pipelines, which, of course, we saw at the back of the colonial intrusion, are just so critical to the functioning of multiple sectors and countless other infrastructure. And so there are regulators in this country that are deeply focused on this issue. It is CISA’s role to be that fond of expertise, of guidance and understanding changes in the threat environment, so that whether guidance is voluntary from CISA or compulsory from a regulator, organizations have the right information at the right direction to take the most prudent steps to manage risks for their environment.

PAUL: Can we talk about the agriculture sector?

ERIC: Absolutely.

PAUL: Okay, so agriculture is one where historically there hasn’t been a lot of attention with cybersecurity by and large, because there hasn’t been a need for it. But we have seen an increasing cadence of attacks, both GBS, the meat processor and then new collaborative, the grain collaborative. What is CISA’s role and take on the agriculture industry? It seems like a sector where federal responsibility and oversight is spread among a bunch of different agencies and that can kind of complicate this problem.

ERIC: The food and AG sector really has characteristics that are not uncommon across different sectors, which is significant diversity of the organizations therein. And so, of course, there are massive multinational corporations in the food and agriculture sector that have large, sophisticated cybersecurity teams and programs that manage a highly diverse network, perhaps perhaps going cloud native, perhaps hybrid. And then, of course, there are a lot of very small organizations in the center that might have small security teams, might even have small IT teams, and frankly, probably historically didn’t think about cybersecurity as being a risk that they had to manage, which is why at CISA, we are so focused on making sure that we are delivering information and risk reduction services that meet organizations where they are. One example of this is our Cybersecurity Essentials program, which again is available on our website, cisa.gov, and Cyber Essentials is really designed to be a starter kit for organizations that are building or taking the next steps to mature their cybersecurity programs and aren’t able to invest in a fully dedicated security operations center or can’t deploy leading edge tooling, but need to do some basic steps to secure their enterprise. And as part of this, we work very closely with sector agencies, for example, the US Department of Agriculture, the USDA, to make sure that we are communicating with and delivering services and information to the right companies that, as you note, maybe facing cybersecurity risk at a level that perhaps they didn’t think would be the case even a few years ago. But simply the diversity and breadth of organizations across this country is an inherent challenge because we need to make sure that we are reaching organizations across sectors, even those that historically didn’t realize cybersecurity was their problem. But that being said, the prevalence of ransomware intrusions, although, of course, significantly damaging and harmful both to these organizations and to the individuals and communities they serve, do still serve as a clarion call for prudent risk management and investment. And at CISA, our role is to make sure that we are amplifying how these risks can be managed by these investments, by the security controls, and making sure that we’re pushing out information broadly and deeply to everyone who needs it.

PAUL: Among the organizations who can take advantage of that program is local government I know as well who can sign up for free vulnerability scanning and a whole bunch of services that you guys offer, basically for free to local governments. Is that right?

ERIC: That’s right. And it actually bears noting that many of CISA’s services are free for anybody in the country. So whether a company, a state or local government, a nonprofit, a school district many of our services like vulnerability scanning, like phishing tests, like Web application scanning, even the remote penetration testing. These are services that anybody can take advantage of fully free. This is a service that the government provides to improve the cybersecurity of our country and reduce risk to our people. And these are all available again on cisa.gov. Now we do offer a suite of unique services to our state and local government partners significantly through partnership with the Multi State Information Sharing and Analysis Center, the MSISAC. And we do provide a variety of unique tools and services to help our state and local partners secure their networks. But by and large, almost all of our programs are available really to allcomers, because we recognize that all organizations may be at risk.

PAUL: Do you have any data on, like, uptake and adoption?

ERIC: We at this point have several thousand organizations across the country that have signed up for our voluntary Vulnerability Management Services program that we call Cyber Hygiene with more signing up every week. And again, these services are really fully scalable. And so we’d encourage any organization with an interest in help identifying vulnerabilities and risks across their network to sign up. It really is zero risk. It’s a service offered by the government to help organizations manage risk.

PAUL: We’re talking on the occasion of Cybersecurity Awareness Month. So give us a sense, Eric, what CISA is doing for this month to celebrate Cybersecurity Awareness Month and also use it to get your message out?

ERIC: Absolutely, so first of all, what an exciting month to be on the Security Ledger podcast. It is more of an honor in this illustrious month. At CISA, this really is our month to shine. So we’re focused on a few areas. First of all, this, of course, is the month where we roll out our CISA Cyber Summit, which of course, is virtual this year out of it, but it’s a caution, but will be available on our website in the weeks to come. It’s a feature, really exciting keynote addresses and panels with some of the leading thinkers in national cybersecurity, so it would encourage listeners to be on the lookout for announcements about the panel and keynote dates for our Cyber Summit. And then we’re also really using this month to focus on some critical best practices that both end users and organizations can adopt, because we know I recently read some research noting that simply adopting multi factor authentication would address 90 plus percent of security intrusions. And we all know the data is taken with a grain of salt and cybersecurity, but still, that’s a pretty evocative statistic. And so we’re focusing on really the fundamentals this month. Make sure that you’re updating software don’t use end of life technology assets, use multifactor authentication, be aware of phishing emails on down the line, and most importantly, both encouraging end users to adopt that practice and also encouraging end users to ask their service providers ask those entities of which they’re a customer to provide multifactor authentication because there are, of course, still too many services online where even if a customer wants to turn on MFA, they can’t do it because it’s not being offered. And so creating that bottom up demand signal where end users will understand the need for these controls and start creating a crown-swell of energy for wider spread adoption. We’ll also be really impactful. And so we’re using this month with the two, we double our focus on the fundamentals, ensuring that all Americans understand the steps that they can take and what they should expect from those companies or entities that are providing services to them.

PAUL: Eric Goldstein of CISA thank you so much for coming on and speaking to us on the Security Ledger podcast. It was a pleasure and we hope to have you back again soon.

ERIC: Likewise, thanks so much, Paul.

PAUL: Eric Goldstein is the Executive Director for Cybersecurity for the Cybersecurity and Infrastructure Security Agency (CISA).

[END OF RECORDING]