
Intersecting Investments - Cyber and Democracy with Eric Mill

Podcast

About This Episode

Joining the podcast this week is Eric Mill. He’s Senior Advisor on Technology and Cybersecurity to the Federal CIO in the Office of Management and Budget (OMB). We discuss some of the latest and impactful security initiatives, policies, and technologies in the U.S. Government today, including highlights from some that OMB is helping to drive.

We cover topics spanning the Executive Order on Improving the Nation’s Cyber and Democracy, and the Technology Modernization Fund. What Zero Trust has come to mean today, FIDO and PIV, and so much more! Eric also shares an interesting essay that is worth a read, “Reflections on Trusting Trust” by Ken Thompson.


      [1:02] Technology and Cybersecurity

      Rachael: Let me introduce today's guest because this is going to be a fun conversation. We've got Eric Mill joining us today. He currently serves in the Office of Management and Budget as a senior advisor on technology and cybersecurity to the Federal Chief Information Officer. Welcome to the podcast, Eric. You have such a great background. I can't wait for today's discussion.

      Petko: Eric, we can talk in zero trust, but I'd love to get your take. You've worked everything from nonprofit to industry to government. Can you give us a consensus, just a high-level, 2000-foot view?

      Eric: I started work as a software engineer. I've basically been in the working world for the last two decades. I was a software engineer for a decade and in policy and product for a decade, with some overlap. So I graduated school in '05 into a computer science field that had not yet recovered from the dot-com bust. I wanted to do web development.

      I also was a child of the '90s in a very nice chill period with not much going on in the US world, between the Berlin Wall and 9/11. 

      And I was able to just really enjoy being on the internet and fall in love with the early web. I just wanted to do web development for a long time. So I did that for several years, and eventually found my way to DC into a non-profit called the Sunlight Foundation. It is a transparency non-profit that does not exist anymore. 


      Focus on Government Transparency, Cyber, and Democracy

      Eric: It was around a 50-person-strong non-profit that in other countries would be called an anti-corruption organization. An anti-corruption NGO in the US, with really a focus on government transparency.

      I did a lot with legislative and executive branch data. Made APIs, scraped data sets off of websites, and made apps for people to use those things to try to model what government could do. Then I was eventually enticed to go join the government at GSA when the 18F Digital Service Wing started up around the same time that the US Digital Service did. 

      I started very quickly getting into policy and also getting more into cybersecurity. Then I ended up working closely with OMB on basically an HTTPS-everywhere policy for the federal government, which was a little unusual for the digital service space, to be working on policy stuff. But it worked out and ultimately was a fairly successful policy, and it really is now the default to have that in the federal government.

      Once I had done that, I started getting more drawn into policy work in the federal government as well as cybersecurity. I started working with OMB more, in the office where I work now. After about five years of that, I worked for the Senate on election security for a time. I just spent a year before this job out in the tech sector leading security for a web browser.

      Then I just returned to the top of this administration early last year.

      Petko: You went from web to policy to cyber to, I'm not going to work in government, I'm going to go to industry and then go back to the government. 


      Dynamic and Diverse

      Petko: It's such a dynamic, and diverse, but at the same time, what have you learned from the industry?

      Eric: It was really helpful for me working in the private sector for the first few years of my career. I just spent about three or four years at for-profit organizations just becoming decent at the craft. Getting the discipline of software engineering just really focused on results. There's this thing too about software in general, I think.

      It’s this weird priesthood honestly in a society where it feels impenetrable for people to think and reason about.

      It can often feel a little unnecessarily magical. I think that was really helpful for me too, just to understand, everything in the world is made out of this. It's just a matter of getting to understand it a bit and working with it and you can bend it to your service. That really shaped my relationship with technology. I know when I came into a nonprofit as well as into government, it helped to have some of that discipline that I got in the outside world. 

      One of the things that really stayed with me from when I was at GSA, and now OMB, a really guiding principle for me, is how important it is to have everybody's incentives be aligned. It is just one big world and country that we're in. Everybody's in their own bubble. Like the private sector's in its bubble and doesn't really understand what is happening inside the government.

      Before I joined the government, I thought it was very boring inside and I was very wrong. In government, you have your own special bubble. 


      Trying to March in the Same Direction with Cyber and Democracy

      Eric: You really don't know what's going on outside there. For me, it is clear to everybody's benefit, especially when we look at technology. It is these crosscutting strata underneath everything that we should all be trying to march in the same direction. The HTTPS thing is a great example. It's good for people, for the government, for security, and for privacy. But sometimes it's a matter of taking things that feel in competition with other things in their own bubbles. Just trying to make sure we see what is happening.

      Rachael: By the way, you didn't talk about when you were at GSA. I think you had also launched a public bug bounty and vulnerability disclosure policy.

      Eric: I really was very proud of that. We were the first. All credit in a big way has to be given to the Department of Defense and the Defense Digital Service within it. They launched Hack the Pentagon in, I forget exactly what year, I think it was 2016. It's a hugely influential move. It helped make a lot of arguments within the government much smoother for things like that going forward.

      One of the things we were really happy that we were able to do at GSA is, for one, launch a general vulnerability disclosure policy with industry-standard norms. For folks not familiar, you don't have to pay money and pay bounties to do this sort of thing. A whole disclosure program like the one that we ran was just a way of saying, if you find something here, you could safely report it. 


      Norms of Safety

      Eric: With norms of safety worked out in both directions so that we know that we as the government are not going to get hit with a report that's like, this is going public tomorrow. Hope you weren't doing anything this weekend. They can also feel safe that they're not going to get a nastygram from a lawyer afterward. 

      Even if those fears are not, even if there's a mix of perception and reality to them, it's really important to put them to rest. We did the first in the civilian government, the first of all disclosure program. And we set up a bug bounty as well for some of our most mature programs. That was a really powerful experience that it was something where I was also able to see and interact quite a bit with folks in the outside world. 

      Just go back and forth with them about the technical impact of different things. It served me very well in the Senate because of one of my main focus areas there. I worked for the Senate Rules Committee, which has jurisdiction over federal elections and campaigns. On vulnerability disclosure and getting vulnerabilities reported in the most constructive way possible in election systems and that was in 2019.

      That was on a lot of people's minds. Something of a simpler time even in retrospect. But yes, very helpful.

      Petko: You've been part of so much of the let's encrypt everything. Let's make sure we've got the right vulnerabilities identified at the right time. You must have been part of the zero-trust initiative that came out of OMB. I'd love to get your take on Zero Trust. 


      [09:52] The Premise of Zero Trust on Cyber and Democracy

      Petko: It feels like it's a buzzer bingo at this point. Every customer, every vendor, and anyone that I've talked to will say, I want Zero Trust, but I have no idea what it means. Then it becomes, everyone puts Zero Trust in front of every product it feels like now. What's the premise, the principles that Zero Trust is trying to do? How do we get to where we are that may be doing what it's doing?

      Eric: Let's zoom out a little bit. First, so yes, OMB released at the top of this year what we call the Federal Zero Trust Strategy. It's one of the many things that we did as a result of last year's cybersecurity executive order. That executive order was a big sweeping response to a couple of big national events in cybersecurity.

      It called for a whole host of things from different agencies, some of which affects the private sector. Some of which are geared toward agency operations. 

      For those not familiar, you have an audience, I know you focus a lot on federal government issues. The Office of Management and Budget is the part of the White House that tends to focus on how agencies work. And the office of the Federal Chief Information Officer is part of the management side of OMB.

      It is responsible for policy and cybersecurity of agency operations.

      That HTTPS memo that I mentioned earlier, for example, from 2015, was issued by this office. The cybersecurity executive order, which is a product of the whole White House, calls for many things.


      Umbrella Cybersecurity Initiative

      Eric: OMB is called upon a number of times in it to provide guidance to federal agencies in a number of areas. One of them was Zero Trust. This also ends up functioning in many ways as our umbrella cybersecurity initiative for the Biden administration from OMB. 

      It references a few other memos in it that also came out of the same executive order, but really covers a sweeping set of ground. Zooming out on what Zero Trust is, I think we observed some similar things. It's a heavily used term and it can be applied to many different things. When words get into that state, which obviously is to some extent a measure of success, it can be a little hard to grab onto it.

      What we wanted to do was take the very serious and important principles at the heart of what Zero Trust is meant to be. Try to grab onto them where you can and say, in these areas, these are going to be some of the most important things we could ask you to do over the next few years. Some of them are short-term, some of them medium-term, and some of them are really the beginning of a longer-term shift. But let's try to break them into reasonably organized themes. 

      We did not want to do a big reference architecture of every single possible thing you could think of. Other people are doing that. There's a very important, the Department of Defense has done a great one. We're very focused on, for the civilian government, what are the key areas that both represent. The most important principles that zero trust is meant to contain?


      Technical Priorities of Cyber and Democracy

      Eric: What are some of the most significant technical priorities? If we could see agencies do these things, we'll feel in a much better place. Zero Trust comes out of this history. If you have a few different guests on your podcast, you may get different takes on exactly this. But the take that I will give you is Zero Trust really emerged from this push towards least privilege and preventing lateral movement.

      The techy way I've heard some people like to put it is saying, it really should be zero implicit trust. I guess what it is trying to do is it's not literally that you could just never have any trust in people or in components or anything. But it's trying to have you actually reason more explicitly about where that trust is.

      So that you can put it in a place where you can manage it effectively as opposed to just letting it sprawl throughout your organization.

      I think it's fair to say that the original and classic example of this is the concept of your internal network, your VPN, and your intranet. This is changing now as we all go through this. But conventionally and still in many places for the last one or two decades, there has been this model of the network perimeter. 

      When you get through the gate, you have a lot of stuff that you can just talk to, see and visit within your organization by connecting at that layer. That puts a lot of implicit trust in that network. If just by virtue of having your IP address come from a particular range, you can all of a sudden see and access some things that you otherwise couldn't. 


      Phishing an Employee Successfully

      Eric: Then you have put a whole lot of trust in really any network component that might allow you to get an IP address in that range. Just to put it in the technical language of it, that's actually not. As the world has gone on really, you have to expect that eventually, an adversary is going to be able to get, to emit some requests from inside your network. The classic example of that is just phishing an employee successfully and getting them to open an unsafe attachment or something. 

      That was the publicly disclosed and famous example of the Aurora attack that Google disclosed back in, I want to say 2009. There was an unsafe Flash version and then somebody has a vantage point from within your organization. I think we try to say this in the strategy really as explicitly as we can. You just have to basically prepare for any one piece of your organization to be compromised at any given time and try to construct something that is resilient to that.

      In security, in InfoSec land, there are a few different principles there, but one of them is the principle of least privilege. You want to take each of your components and give them only the amount of privileges necessary. If you have a monitoring tool in place on a server or on your network or on a phone or whatever, you should constrain that tool. So it's just able to read stuff and not able to actually change anything on the device that it's on. Yes, if it's working in the way it was intended, there's no risk, but if it is compromised then you want to limit the adversary to just monitoring.


      Internal Principle of Information Security

      Eric: That's a simple example. But that's an internal principle of information security that we try to reflect in our strategy. I think a number of the security initiatives that are most interesting and successful in the world today are trying to deliver in a way that is reasonably easy. It’s not burdensome and interoperable for people. So yes, that's one take.

      Petko: The way you make it sound the more I think, and most people are familiar with Zero Trust for network access. But Zero Trust has got multiple pillars in the way system defines them. There's the identity, the device, and the network, but in the app. But the way you're describing it makes me start thinking, it's almost taking multifactor instead of just one factor, but multifactor across all your applications. 

      So don't just verify based on the fact that there's an IP. Don't just verify based on credentials but verify based on the credential of the device they're coming from. You've checked the device into the network and then given them access. So you've got to hit all three and it's extremely difficult to hit all three at the same time.

      Eric: That's not a bad way to think about it. It's interesting because you've seen some of the big organizations, Google and Microsoft are the most prominent. Both actually moved to an internet-first model where they don't even have internet, or are moving in that direction. But then you also see other organizations. There's a big focus on secure access service edge things that move the network tunneling into this app model, a more constrained space. You can find stuff all along the spectrum.


      [18:28] The Most Important Thing About Cyber and Democracy

      Eric: But Petko, I think what you said, is the most important thing is that you're combining information about people, devices, time, and space. You're taking more information than you previously had available to you. Then you’re trying to make good use of it to make decisions. Not just to lock things down harder, but to also be able to grant access in a more resilient way as well.

      This is one of the things that we try to reflect in both how we wrote our strategy and how we oversee it. With anything like this, if you want to have the buy-in of your organization for more than a minute, it can't be ushering them into a drearier era in how they go about their business, where they are not able to perform their mission. That won't work. In theory, there are a number of areas here in Zero Trust where you can have a bit of your cake and eat it too, where the more secure thing can also lead to the more usable thing.

      You see that in how multifactor authentication is evolving, and you also see that in what you can do with the heuristics you're talking about. Where you can become more comfortable knowing where to be more flexible with your employees. You can see that that's not where the risk is as much. So you can focus your security attention and scrutiny on the places that are riskier.

      Petko: If you're an organization or you're an agency in the government, you've built this gate, guards and guns, castle moat infrastructure. Going to an internet first or a Zero Trust mindset, that's not an easy change overnight. 


      What OMB Thinks

      Petko: What would an agency or an organization do, how would they budget for something like that? It feels like where you start first. How do you budget for it? What does OMB think about how agencies should take advantage of this?

      Eric: Certainly, we are talking about multiyear initiatives, especially for large organizations that are not in greenfield situations. They have just tons of interest. One thing that is sometimes easy to forget for folks outside the government is how federated and decentralized many of these large cabinet-level agencies are. It's not always as simple as just having the security team of the agency get some stuff set up and deploy it in that environment. 

      Obviously, the federal budgeting environment is a complicated place. It involves two branches of government working together. But agencies are taking a variety of approaches. You see in our Zero Trust strategy we ask for funding estimates from agencies over a few fiscal years for what they would need to accomplish the things that we're asking of them, knowing that that's going to vary quite a bit on the kind of agency and where they are in different areas.

      It's been one of the big focus areas for the Technology Modernization Fund. For those not familiar, the Technology Modernization Fund is administered out of GSA. There's a board that is chaired by my boss, the Federal Chief Information Officer, Clare Martorana, along with other technology leaders from around the government. The American Rescue Plan, the reconciliation bill or law from early 2021 at the top of this administration, provided $1 billion, with a B, into the Technology Modernization Fund. A significant amount of that has been awarded.


      A Big Focus on Zero Trust

      Eric: One of its big focuses here has been Zero Trust. In the first set of awards from that, there were three agencies that received money for Zero Trust architecture. There have been some more since, and that's going to continue to be a focus area for that fund.

      The Technology Modernization Fund is an executive branch-administered fund. It oversees things with sound fiscal principles, gives out money in tranches, and has metrics and performance associated with it. It's something that can supplement the different efforts that agencies and governments are engaged in, to try to get folks reasonable cybersecurity funding and especially to be able to surge at different times to meet acute needs like we are experiencing.

      Petko: I think the key is the surge, because most of the government has, we're budget flat or we're up a small percentage, social security kind of thing. Then, wait, I have to spend how much to make this change? I don't have that in the budget. This allows them, with the prior coordination and planning, to plan for change or organizational structural change.

      We were talking about an interesting topic on cybersecurity. You said cybersecurity is really about democratizing the investment.

      Rachael: Democracy investment.

      Eric: As I mentioned, I used to work for a non-profit focused on building robust democracies and having a more effective government. I was a part of our international program. So I traveled around the world a little bit getting to know how governments worked, and how legislatures worked in other countries. 


      Who Are Working to Support Cyber and Democracy

      Eric: It left me with a profound respect for the community of folks around the world and in the United States working to support democracy. That helps you not take it for granted. And that is only more apparent with the passage of time. I didn't always work in cybersecurity. I've only really been working on security things for eight, nine years, something like that. 

      The reason I keep putting my time into that is so that we can continue to make a more stable world that creates an overall better situation for people and society to thrive. The guarantees you want with a world that is more secure from an information perspective are very similar to the goals of what you want from a more democratic world.

      I do think that when people look around and they see important institutions having a difficult time securing themselves from all sorts of different kinds of actors. Some very imposing and sophisticated and some less so. As year after year goes by, it just doesn't seem like things are very stable. Maybe various people on this call have had their information breached at one point or another. 

      That doesn't help with the struggles that we face around building a more trustworthy government and showing people that democracy can work. That's been a throughline in my career and I do think that it's particularly salient right now.

      Petko: I guess you could say if you invest in cyber security, you're really investing in democracy when you think about it. Because the core of cyber security is availability and integrity. 


      The Core Principles of Any Government

      Petko: Those are just the core principles of any government or any institution, and any organization you might have. The data, the email you received from whitehouse.gov, you hope it's whitehouse.gov. You checked and it's not some other email address from decades ago that you might have seen. The website you're going to is that because you trust them. Integrity and availability are key elements of the government and certain parts.

      Eric: It is more than cyber security. There was a big wake-up call when healthcare.gov struggled during its launch some years ago. That certainly contributed to the creation of multiple digital service teams in the government and many people entering tech policy from the technology community who hadn't previously thought about it. That's cyber security, like other parts of digital service delivery. It's like, well the social contract is now implemented through software. I hope it works and I hope it works well.

      Rachael: Speaking of social, you've had this really robust career. We're always like how do we get ahead of the cybersecurity threat? You look at things like social media and social engineering and how do you mitigate things like that? Is that a policy discussion, I guess, given your background? It's something that I think about a lot. How do we get ahead of this? There are new social networks created all the time. I'm a big fan of TikTok, I'll admit it and I read all the concerns with that. But how do we address it?

      Eric: It is obvious. You're talking about one of the issues of our time. It is a multidimensional problem with both policy and technical issues.


      [27:53] Different Policy Engagements

      Eric: I don't know that I could do a fulsome coverage of all of the different policy engagements, but I could tackle misinformation here. I will point to a couple of areas in our Zero Trust strategy that do try to speak to some of this stuff.

      You mentioned social engineering, with phishing being a very close cousin of that. Possibly one of the most aggressive pieces of our Zero Trust strategy is on making the federal government technically resilient to phishing and social engineering. Social engineering is a big part of that. People understand phishing as trying to fool you into going to a fake site or something, and that's true.

      Actually more recently too, you've seen simpler, more dispiriting attacks on organizations and companies that are even taking advantage of MFA fatigue. Like push notifications sent to phones until you just give up and hit approve which some small percentage of people will do. If your organization isn't ready for that, it might just take one.

      I think one of the reasons that I continue to enjoy working in this field is that it can be easy to feel a little nihilistic sometimes in the field of security. 

      The fact is there are a lot of really important developments that work in technology. They work very well and can actually stop a lot of the attacks. There are obviously reasons why these things aren't adopted everywhere with a snap of the fingers and organizational change. Consumer habit changes are hard.

      But newer approaches to multifactor authentication actually have really studied how phishing and social engineering work in the wild. When you have things like FIDO, which is a newer industry standard in multifactor authentication, as well, and the federal government has hit, oh yes.

      FIDO and PIV

      Petko: Can you talk more about FIDO? I see it builds on that.

      Eric: What FIDO and PIV in the federal government do is they are designed to make phishing as you see it today, the kind of social engineering I described, actually technically infeasible. FIDO in particular, there's a group called the FIDO Alliance, which is a collection of most companies and industries.

      Although there's some government agency involvement included, like NIST is a member. They've, for the last around 10 years, been developing standards that can be implemented across a whole variety of different spaces.

      They all share this property of being resistant to phishing as it is practiced today and social engineering and basically taking a bunch of common attacks off the table. I'll give a brief description here of the core piece of it. Maybe the thing that most people might be familiar with in their lives is the portable key.

      You can carry it around on your key chain or inside your laptop. After you put in your credentials you hit the button on the key and it goes forth.

      There’s a key innovation there that makes it impossible for somebody to phish you if you have to go through one of those keys. When you register the key to a website, the key remembers the name of the website. If you register it with yahoo.com and then somebody fools you into going to yah0o.com, you may miss that with your fallible human brain.

      But the key will notice that and will just not work. That basic idea takes a number of traditional phishing attacks off the table, even the automated ones that work very effectively. 


      The Federal State Zero Trust Strategy in Cyber and Democracy

      Eric: I think this is the other thing. This is especially true when we really started on the federal Zero Trust strategy. There still was not necessarily this universally understood threat model of why most multifactor methods fail. Because if you are going to a website and you're typing your username and password and you think you're on the real one, you have no problem typing your username and password.

      There's really no reason why you wouldn't also type in the six-digit number off of your app or that you got texted.

      All an attacker has to do is just make sure that in real time they've loaded in your username and password and caused you to get texted. They could just ferry all that stuff back and forth, and so that stuff all falls. A lot of people know FIDO from the keys. However, in more recent years, you actually see this baked into laptops and phones. The fingerprint reader that's on your laptop or at the back or front of your phone, or the Face ID system. That also can be built into phones or into laptops.

      You can essentially register your phone or laptop itself as a device, as a factor as you log in. That’s just reusing the way you already log into your laptop or your phone. You don't even have to learn anything or carry anything around. This core tech has been around for a while. But it is now starting to actually permeate out into the ecosystem, into the industry, and into government.

      We actually can take some of these things that continue to feel like a scourge on us and make them hard to pull off.

      FIDO Alliance

      Petko: I think I've seen Microsoft, Google and Apple are part of this FIDO Alliance, and also, as they're calling it, passwordless, if you will. You can log in. I know that Apple just came out, along with FIDO, they're working on this thing called passkey. If I go to a certain website, instead of me having to pick a password for that website, I'll let it generate one cryptographically on the device.

      Then when I have to log into it, I just provide my thumbprint if you will and it logs in for me. 

      So if we take the principle of, I know I have friends who always ask me in planes. They're like, well what should I do as an individual to protect myself from cybersecurity? I start with MFA and then I say getting a password manager is the second thing. Get a unique password for every single website. In a way, this provides a unique one-time password for every single website.

      Eric: I think when you look around, you see efforts to make this stuff passwordless, and that feels like where things are going. I have a password manager and I recommend everybody use one as well. I'm not sure I'm going to win at convincing people, like everybody around me, to have 200 websites in their password manager that they've set up. It probably is important for us to move beyond that.

      The federal government is actually in many ways ahead of its time on this. For a long time, we have had PIV, P-I-V, personal identity verification, and these cards are issued. We do pass authentication for all kinds of things in the federal government.


      The Technical Protocols Under the Hood

      Eric: One of the issues that we face is that the way in which PIV works, and the technical protocols under the hood, work okay for an enterprise and for the federal government. But they haven't proven to work that well for other organizations or for regular people. For a number of reasons, it has taken other efforts, FIDO being the premier one.

      They started making something that can transcend those boundaries between enterprise and personal use, and bring in new patterns that seem to interoperate very well.

      Petko: I'm still remembering back when PIV came out and you had HSPD-12 and all these other policies that started consolidating. It sounds like the government's going ahead with passwordless and going beyond that. Where do you think cyber and passwordless, or FIDO, is going?

      Eric: I think what we're focused on, in the federal Zero Trust strategy, from a policy perspective, is that we're just insisting on phishing-resistant authentication being used all the time. I think it's that "all the time" that is the challenging part. As I mentioned, you can find PIV all over the federal government, but for a variety of reasons, technical reasons, human reasons, and policy reasons, it is rarely able to cover 100% of the situations people find themselves in all the time in their work. 

      Many agencies have different recovery flows, and alternate things that support work. What we say in the federal strategy is we really expect that there are going to be alternatives to PIV that are used alongside it. In order to create a consistent bar, we don't have to have these methods that we know fall somewhat trivially to a motivated actor. We don't need to have those around in the federal government over time.


      [37:56] The Reality in the Federal Government

      Eric: I think that has been the reality in the federal government for a while, which is that we have a lot of use of PIV, and PIV is very ahead of its time and very powerful. Then there are all these little cases that it can't handle. What we need is a strategy that brings agencies to a place where they're using a variety of phishing-resistant tools and form factors, giving options to their staff so that, through the actual entropy of life and mission delivery as people experience it, they're able to keep to that high standard.

      Petko: I love how you're not directing them to buy some specific technology. You're saying, "Here's what the problem is; you guys figure out the how." We'll tell you what the what is, and whether it's phishing-resistant MFA or enterprise identity solutions, you can figure out which ones you want to deploy and then use TMF. Is there anything else that you had, like, "Here are the top three things I wish agencies and organizations would do"? 

      Eric: Our federal Zero Trust strategy has our top 20 things or so. I'm a little loath to rank them in priority order in that way. But I will tell you that there are certainly some areas where we get a little bit more specific. We're a little bit more aggressive in those because of how important they are. We just talked about MFA for a while, and we talk quite a bit about encryption in transit in the federal Zero Trust strategy. In particular, the importance of encryption inside the network, the importance of not just assuming that because it's in your internal network it is fine. 


      Cyber and Democracy Is Not a Confidentiality Thing

      Eric: In particular, really making sure to talk about the fact that it's not just a confidentiality thing. It's not just about people being able to see the traffic; it's also about being able to modify that traffic. So you could take traffic that doesn't seem sensitive on its face, but if modified in a certain way, it could possibly cause different things to happen that are unexpected. And so we lean on that.

      We also talk a little bit about the tension between network-level visibility and network-level encryption, and some of the risks involved there that agencies should consider. Another area we go into quite a bit of detail on as a theme is application-layer security. One of the big themes of this whole conversation has really been, I think you could characterize an element of zero trust as moving, shifting the emphasis away from some sort of layer-four, network-level stuff to more application-layer concerns. 

      Protocols, logs, and things that are more varied, in particular because that's where a lot of the attacks are. They're in application-level vulnerabilities, where the application doesn't behave the way you think it should. It could be things as simple as just looking at the URL in a web application and changing one number to another number. You're wondering if it will work, and it takes you to something you weren't supposed to see.

      We are trying to direct some more attention to those kinds of vulnerabilities. Agencies do care about those things and they scan for different kinds of application layer vulnerabilities. Some agencies will do more work to really dig in and test those things. 


      Vulnerability Disclosure Programs

      Eric: I think what we're really looking and calling for is a pretty consistent bar. We certainly want vulnerability disclosure programs to play a huge role in that. That is a reality check of having the world be able to tell you when they find things that don't work. We want agencies to really have consistently strong muscles for that kind of stuff inside their organization.

      Things that no WAF, no web application firewall, is going to catch, and things that no scanner is going to detect, but things that require really analyzing how the application works. 

      Those are a few areas and are great places to start. If you haven't already, definitely read the strategy, and not just apply it in government but apply it in industry. I've read it in the past. If you look at the order, there are some things that you do in 30 days, 60 days, and 90 days. And if you take that order, you can definitely prioritize and come up with your own priorities.

      Rachael: Are you reading any good books, or have you got a finger on a great book that you know is coming out? It could be security related or not. We had a guest who was reading Dave Grohl's biography. I didn't know he had a new one out, so I ran out and bought it. I'm always looking for great suggestions.

      Eric: My reading habits certainly do atrophy the busier I get in life. Although I will say, after watching the Dune movie, I'm rereading the Dune books. Those are great airplane fodder. I do find that a lot of the time, how I follow things in the security world is splintered into a million pieces. 


      What People Are Talking About Concerning Cyber and Democracy

      Eric: It's on social media, it's on Slack, it's through occasional blog posts, it's all these different places. That's a little hard to just think of one name to recommend. But I do think it has been very important to just stay out there. Stay out of the bubble and see what people are actually talking and arguing about, and especially when they argue.

      Petko: Given that you've done so much in terms of the public sector, non-profit, industry, and government, is there any book you'd recommend as required reading for anyone in cyber, regardless of where they are? It could be technical. Is there a book where you say, "I wish people read that," if you have one? 

      Eric: These are not books, but there are definitely some essays that have been really impactful on me. There's a classic one, which a lot of people know, "Reflections on Trusting Trust." I don't know if you're familiar, but it is a sort of famous speech given by a professor whose name is slipping my mind. 

      It's essentially this idea of, if you compromise the compiler for the code and then replace what you did, your attack can live forever undetected. It is both intellectually interesting for the recursive aspect of it, and it also just helps remind you that it's all software under the hood. Sometimes there's no one particular policy that can help you.

      Another thing, from a least-privilege perspective, is another paper that was really impactful on me. I saw it at a presentation at CCC some years ago, by Joanna Rutkowska. It was called "The Stateless Laptop" and involved this theoretical idea of a laptop. 


      Each of the Components of Cyber and Democracy

      Eric: All the firmware of each of the components inside the computer was put onto a removable card in a write-only or read-only form. It's a laptop that's probably not going to exist, because the economics are very challenging with something like this. 

      But the idea was all these places where attacks can live within your computer. We're more familiar today than we used to be with hard drive microcontroller compromise, things that sound very esoteric, but the eight different places in your laptop where things can live and happen. That idea of just taking them, moving them all out, and having them in an immovable place, and also putting it in your control. Even if it ends up just being a thought experiment, it reminded me that you can always rethink what you see around you.

      Rachael: That's how you get there. Even this kind of guy, it'll never happen, but nowadays we just don't know. Anything's possible. Getting all these great minds together and bringing in all these diverse thinkers, that's how we get there to make things like that a reality. I'm always trying to be an optimist. Are we going to get ahead of this cybersecurity threat? Is that in the cards for us in the years ahead?

      Eric: I told you, the thing that motivates me is that there are things that work. It is actually possible to take the things you see around you, the bad things that happen to people, and do something about them. The bigger problem is the non-technical part of it: it's the organizational change management. It is just getting people to focus, getting priorities aligned, and following through.


      The Administration’s Focus on Cyber and Democracy

      Rachael: It's been great to see this administration's focus on cybersecurity. I think that helps all boats rise when we're all collectively thinking about the problem together. That gets me excited for the future, for sure. 

      Eric, thank you so much for joining us today. This has been wonderful. We could have probably 18 conversations on these topics because it's just scratching the surface. Thank you so much for sharing your insights and perspective with our listeners today. This has been wonderful.

      To all of our listeners, thanks again for joining us this week. Don't forget to subscribe. It's right there, ready to be smashed, and you get a fresh episode with Eric right in your email inbox on Tuesday. Everyone, be safe.


      About Our Guest

      Eric Mill, Tech Senior Advisor, OMB

      Eric Mill is a leader in technology policy and cybersecurity, with a long background in public service. He currently serves in the Biden-Harris administration in the Office of Management and Budget. He’s the Senior Advisor on Technology and Cybersecurity to the Federal Chief Information Officer, Clare Martorana.

      Prior to that, Eric was the Lead Product Manager for the security of the Chrome web browser at Google. In 2019, Eric worked for Senator Amy Klobuchar through the TechCongress program, with a focus on election security, vulnerability disclosure, and management of the .gov internet domain.

      Before that, Eric served in the 18F team at the U.S. General Services Administration, where he led the federal government's adoption of strong encryption for its online services. While at GSA, Eric oversaw Login.gov, which lets millions of people sign into U.S. public services securely and privately.

      Prior to 18F, Eric was a part of the Sunlight Foundation, a civil society group dedicated to government transparency. At Sunlight, Eric created open data services that helped the public follow government activity, advised Congress on its open data strategy, and provided expert guidance to anti-corruption NGOs around the world.