AI in Defense: Balancing Innovation with Ethical and Regulatory Concerns with David DiMolfetta

About This Episode

In this episode, hosts Rachael Lyon and Vince Spina delve into the dynamic and evolving landscape of global cybersecurity with their guest, David DiMolfetta, a seasoned cybersecurity reporter at Nextgov FCW and former researcher for The Washington Post’s Tech 202.

Together, they unpack the latest National Cybersecurity memo on integrating AI into military and intelligence operations, exploring AI's potential to enhance strategic planning and data analysis while navigating strict regulatory considerations.

      Rachael Lyon:
      Welcome to To The Point cybersecurity podcast. Each week, join Vince Spina and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point. Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my co-host, Vince Spina. Vince, what's going on?

      Vince Spina:
      How are you doing today?

      Rachael Lyon:
      Good. Good.

      Vince Spina:
      Listen. I love Rachael's radio voice. Comes down to kinda Luther Vandross level. I like

      Rachael Lyon:
      Nice. Okay. I miss my calling. Maybe that midnight jazz.

      Vince Spina:
      Exactly.

      Rachael Lyon:
      You know, gig is calling. You know, I gotta tell you, Vince, we get the best guests on this podcast. I

      Vince Spina:
      At the right time.

      Rachael Lyon:
      At the right time too. At the right time. And and I I couldn't think of a better time, for today's guest to to have our conversation. Please welcome to the podcast David DiMolfetta. He is a cybersecurity reporter at Nextgov FCW, and previously was a researcher for the Tech 202 at Washington Post, which if anyone's read that, it is amazing information. David, welcome to the podcast.

      David DiMolfetta:
      Happy to be here. Thank you both so much.

      Vince Spina:
      Welcome, David.

      Rachael Lyon:
      Okay, Dan. Vince, you're gonna what you got for us to kick off today? Yeah. Thank you.

      Vince Spina:
      Yeah. Rachael always lets me, kinda jump in with the first question, David. So, hey, in briefing for this, you know, we're excited that you're here. As Rachael pointed out, it's timely with, you know, the, some of the activities that happened this week and some of the things that are going on in the industry. And in research, been reading on this, this thing called the National Cybersecurity memo on AI guidelines. And I can tell you, we probably have not I can't think of the last podcast that we didn't touch on the subject of AI. So Yeah. First of all, for our listeners, could you give us a brief overview on what this national cybersecurity memo on AI guidelines is, and then maybe just kinda touch on what what are some of the primary objectives, that it's looking to solve.

      David DiMolfetta:
      You got it. Yeah. In essence, the the White House wants the military and intelligence community to mesh in more AI capabilities in its day to day operations. So the National Defense Apparatus, they've looked at how AI has really promulgated across the consumer markets over the past 2 years or so. And they said, wow, this is a big deal is very innovative. This could maybe tip the scales of national security. And they believe it's time to mesh these capabilities more, into, the missions as as the govies say, the missions of the day to day agency operations, that they wanna infuse the national defense apparatus with AI. That's taken a lot of forms, of course.

      David DiMolfetta:
      AI is already being used in warfare in many ways for better or for worse. It helps with strategic planning. It can help with targeting. Can help with data analysis. So it's already being used quite a bit in in the intelligence community. But, the the goal is to really, I I think, get ahead of foreign adversaries, namely Russia and China, which we know are, at least what officials say is they've been using their own AI capabilities in house. And it's, Jake Sullivan said that this is a risk, a risk to the US, if we don't take this on. You said, adversaries are in a quote, persistent quest to leapfrog our military and intelligence capabilities.

      David DiMolfetta:
      And he also mentioned that, adversaries are unlikely to be bound by the same principles, that we would use AI in. So there's there's a there's a risk here that intelligence officials have laid out and they think it's necessary at this point to fully augment, the military and intelligence workforce with AI.

      Vince Spina:
      Yeah. David, Rachael, if you don't mind, I actually wanted

      Rachael Lyon:
      to just kinda

      Vince Spina:
      pull that thread a little bit. So what I what I glean from that David is, we're not all following the same rules when it comes to AI. So how do you see this memo impacting the development and the deployment of AI technologies from our perspective, our our being the US? Like, how,

      David DiMolfetta:
      you

      Vince Spina:
      know, are we are we bound and we are we following, you know, certain, you know, rules based on this memo?

      David DiMolfetta:
      It's it's tricky because you have to remember that you you're you're you're telling, the defense industrial base to integrate AI for quite literally life and death decision making. I I I think I think we forget sometimes and and, you know, I think the media does this as well. You know? The these are these are capabilities that can kill people, And it's warfare, and that's why we have this stuff. And we're gonna have to think, I I I think, very carefully about how this stuff is integrated. And and, of course, officials have considered this. One part of this memorandum, it's it's very direct in saying you cannot integrate, AI capabilities into, nuclear weapon capabilities. So there there are considerations for this. And, of course, there's a privacy and civil liberties aspect to this as well.

      David DiMolfetta:
      You know, the the AI, generative AI, it's helped quite a bit with day to day data processing. And we already do quite a bit of that on the intelligence side. We know that for certain at this point in time. There there are civil liberties matters to consider with this as well. I I imagine that stakeholders are gonna take this one slowly and carefully. On the contracting side, I'd also imagine that the private sector is quite excited to get more business and with the US government. It's already been a mainstay, you know, the contractor environment here in Washington exploded, of course after 9/11 as the whole notion was that how do we stop all the stovepiping with intelligence sharing? So contractors got a taste of this 25 years ago. They're they're gonna see more of that I think, in the years to come.

      Rachael Lyon:
      Yeah. It's, you know, when it comes to AI, it's it's so, is amorphous the right word? I don't know. But, it's like how do you wrap your arms around it? How do you know the best implementation? Right? I mean, how do you even know how will these agencies even know where to get started? You know, are are they, you know, kind of starting with obvious use cases or, you know, what I mean? Do the guidelines specify, all the different use? I'm just kinda curious because it's you could put it in so many things, and apply it in so many ways. It it seems like it'd be hard to kinda plan a rollout, right, with without some guardrails, in add you know, in addition to what you've already mentioned.

      David DiMolfetta:
      Look, it's the the point is that there's a lot of things that needs to be done. And it's I I think it's a bit too soon to tell the the specifics, and you have to remember a lot of this is failed by Tasi or classified missions. But, look the intelligence community and the DoD, more broadly they're already using

      Vince Spina:
      AI. Right.

      David DiMolfetta:
      A lot of a lot of the private sector has crafted, built certain specialized versions of AI tools to be used in these more air gapped spaces. So I Gotcha. Little while back, I chatted with someone over at Google, and they've launched an air gapped version, so to speak, of their Gemini generative AI tool. So it's it's on prem, but it doesn't necessarily connect to the Internet in the same way that folks like you or me would use it. They're they're already they're already in there. These AI capabilities are already in there. They're already thinking about it. The the main push here is that the entire apparatus has to take this on.

      David DiMolfetta:
      That's gonna take many forms.

      Rachael Lyon:
      Yes. Absolutely. Yeah.

      Vince Spina:
      I just keep going along those lines. So I I was gonna ask that kind of line of question. Was there, you know, there's there's general purpose large language models that are out there, and they're all being, you know, created by the the various hyperscalers. You kinda touched on the fact that, they are building more kinda secret cleared type versions of that. Talk in terms of, it just being quite frankly still Gemini or Copilot or pick, you know, pick your hyperscaler, large language version. But just wondering, is it different technology or is it the safety net is the, the air gap component of it? I mean, are they using still kinda, you know, Google Gemini the way I would use it in the, in the private sector or I mean, I don't know if we can even touch on this stuff. Right.

      Rachael Lyon:
      Yeah.

      Vince Spina:
      Super intriguing, like, you know, how how secret clearly is it, you know, when it when it moves to that that side.

      Rachael Lyon:
      That seems like it'd be difficult. Right? Yeah. Yeah.

      Vince Spina:
      You know, maybe some of the 3 letter agencies, you know, are they building their own kind of models and, you know, all that.

      David DiMolfetta:
      So many questions.

      Vince Spina:
      The big answer is probably yes.

      Rachael Lyon:
      So many questions.

      David DiMolfetta:
      Yeah. Yeah. So yeah.

      Vince Spina:
      I'm afraid. I don't I

      David DiMolfetta:
      don't wanna

      Vince Spina:
      come to the line, cut a line and then pull back, but it's it's super tricky. Is it Thomas Clancy kinda, you know, mode?

      Rachael Lyon:
      Yes. Exactly.

      David DiMolfetta:
      Yeah. No. When when I asked, when I asked this, this, public sector executive at at Google about it at the time, in in essence, yes. It behaves the same way, in terms of UI, in terms of user interface. The big difference is that data science

      Vince Spina:
      What it's fed, what it's, you know

      David DiMolfetta:
      Right. The the the data scientists in that particular intelligence community environment are given more control over the developer tools that underpin that stuff. So, like, I I don't I don't handle the developer tools and the model, settings and more technical, under the hood aspects of how Gemini behaves. If I interface with Gemini, I simply type in, I don't know, come up with a good recipe for for tonight. And I don't I don't tinker with the, the foundation model that that drives underpins stuff.

      Vince Spina:
      Yeah.

      David DiMolfetta:
      But with the more air-gapped version, you're gonna have expert data scientists and and professionals within that IC environment that are able to put signal more within model settings, and and allow it to behave the way they they need in order to carry out the the mission at hand. That's essentially how it works.

      Rachael Lyon:
      But all that information in the large language model. Right? I mean, if it's going to be useful, I can only imagine what it's being fed and and how it's being updated is very, very fascinating.

      David DiMolfetta:
      It is fascinating. I think the I think the broad thing to keep in mind just circling back to this whole AI national security memorandum, there are privacy and civil liberty and ethics considerations to to factor in. And I I think if you ask civil liberties folks, I talk to them sometimes when I when I cover issues with, you know, foreign intelligence surveillance, authorities, but they would probably say you can't have the intelligence community grade their own homework. And that's that's I think that's the major focus we're gonna have to keep in mind as the tasks in this memorandum get rolled out.

       

      [12:13] Discussing AI's Ethical and Legal Considerations

      Vince Spina:
      Yeah. David, let's keep let's keep going with that because, boy, like I said, I can't think of a podcast in the in the near past that we didn't talk about AI. And then one of the things that we start to get into are the ethical and legal considerations on that. Mhmm. And I I loved your your statement there. Is there anything you know, are there mechanisms in place to to monitor and mitigate things like, you know, bias and discrimination and, privacy invasions or any of that? Anything that, you know, has been written into that to to make sure, you know, like you said, our civil liberties are protected and and all that goes with it?

      David DiMolfetta:
      It's a prevailing concern. The the Office of the Director of National Intelligence, that's the that's the US agency that oversees, America's intelligence activities and programs, ODNI. They, they put out some guidance recently for the intelligence community to think about this, something that we've covered a little bit. But look, again, I might be going back to this a couple of times here. It's hard to measure this stuff, explicitly because folks like us on the outside, we don't have the clearances and other capabilities to see what they're up to. We're we're not inside this. Right. And and it's it's it's the hand wavy joke saying, well, that's classified.

      David DiMolfetta:
      But it is. It really is. And the intelligence community, I I'm sure thinks about it. Whether that's enough thinking about it can making those considerations, it's it's hard to tell. There I I think more broadly when we look at how AI is adopted across the federal government, we we know there's a sweeping AI executive order but I think around a year ago, President Biden. That of course has a slew of AI ethics considerations in there. But it's tough it's tough to manage this stuff because Right. These products, the consumer facing aspects of these products are so exciting.

      David DiMolfetta:
      That there's a lot of pressure from the private sector from these hyperscalers, as you mentioned, Vince. So roll these things out fast, and I feel like every few months, you're always seeing a new version of chat, chat, chat, rolling in. So it's that classic classic historical pattern of technology always moving at a faster pace. The federal government. Yeah. And the thing too, this is very timely. President-elect Donald Trump, he's back, and he's made it clear that his administration wants to repeal this stuff. Mhmm.

      David DiMolfetta:
      Because they, you know, they have issues with, I guess, how frankly, how they consider it to be a quote unquote, you know, woke AI agenda. And if you're repealing this stuff, then perhaps we may see slowdowns in how the government tries to, regulate or implicate AI ethics. It's, there's a lot more to come, I think, in this area. But look, as of now, yes, the government has been thinking long and hard about this and more than ever before, there have always been way before large language models came on the scene. There's always been issues with ethical AI, but now it's a lot more consumer facing. We always talk about hallucinations, but you know, for years, we've had discriminatory credit lending algorithms. You know, why are people of color getting smaller credit lines? Because they're trained on discriminatory data.

      Vince Spina:
      I mean,

      David DiMolfetta:
      we've worked to rectify that, but the notion of that being an AI ethics concept, it's been there for a while, but now it's a lot more front facing because everybody is using AI in some way. Not everybody handles, credit lending algorithm, but everyone can handle, you know, write me a funny story or write me a recipe.

      Rachael Lyon:
      Right.

      David DiMolfetta:
      Give me ideas for date night, I don't know. It's always something there, look, help me research for this paper. It's a lot more commonplace uses, with generative AI now. Absolutely.

      Rachael Lyon:
      Yeah. It it seems to and, you know, on the regulation front and and the discourse there. Right? And it's, I think, as with technology over the last several decades. Right? You know, if if you put in too stringent regulations and you're gonna inhibit innovation and all these things aren't gonna happen, you know, and and I don't know if that's kind of, you know, somewhat a reaction to as we saw with social media. Right? And and all the things that happened, you know, when those things just kinda went out, and then you see all the the cascading impact of that, right, on mental health or or other things. But it seems like it would be really hard, right, on on getting the regulations right, because it's gonna be changing so much as well with AI. We just don't even know what the next year is gonna hold. So how do you have, like, a future proof regulation? It seems like it would have to be an ongoing living, breathing thing.

      Rachael Lyon:
      Is is that kind of how people are looking at it in the government, David, or what are you doing there? Yeah.

      David DiMolfetta:
      That's that's the goal is to future proof this stuff. But I think I think a lot with cyber regulations too, the issue is that a lot of this stuff is a journey. When people talk about shoring up network defenses for cyber, you know, that only works as well as what the current threat environment is. And people adapt, things change, technology adapts. There are legal mechanisms in place, there are language mechanisms in place in bills to say we have to review this every 2 years, or we have to put a new report in every 2 years, or the secretary has to look at this within 16 months, every 16 months, that dynamic is there. It's not being ignored. This is a big country. There's a lot of stuff to get done.

      David DiMolfetta:
      There's a lot of stuff to govern and many things outside of I know this is a cyber podcast, but there are many other important concerns outside of cyber too. It's not easy to manage all of this. So yes. Yes, Rachael. The short answer is yes, but, good luck. Yes. Yeah.

      Rachael Lyon:
      Exactly. Dave,

      Vince Spina:
      you make a great point. I mean, this is a this is a big country, and there's a lot to govern and regulate and all that. I actually even wanted to make it bigger than that. Like, this is kind of national cybersecurity from our standpoint, and that's big enough. How's it being kind of perceived and and partnered from outside of the US? Like Mhmm. You know, is there international consensus on some of this stuff? Is there any governing bodies? Like, how do we how do we get the buy in of, you know, our our partners around the world

      Rachael Lyon:
      Right.

      Vince Spina:
      On this? I mean, it's it's hard enough to send, you know, the the boundary called, you know, the US, but any thoughts on that?

       

      [19:26] US Considers Signing UN Cybercrime Treaty Amid Tensions

      David DiMolfetta:
      You're absolutely right. The US has great partnerships with the, you know, the Five Eyes nations, August, you know, they were working more to expand, partnerships and build relationships with the Caucasus, Balkans, Central Asia. Of course, you know, the the the big Western allies, Canada, Britain, New Zealand. So they're they're there. In terms of a standardized approach, the the big flashpoint now is actually a UN cybercrime bench and a UN cybercrime treaty. The problem is that you have our foreign adversaries on that same world stage, Russia, China, Iran, etcetera. So the big flash point among officials right now is, does the US sign on to that? Because there are concerns that we may legitimize the, the behavior of these cyber adversaries. The U the US spies.

      David DiMolfetta:
      Of course we spy on people, we hack our enemies. You know, it's pretty obvious at this point, you've seen that through the dozens and dozens of reports and leaks that have come out. You know, we all spy on each other, but the US doesn't spy and and go after people the same way an Iran would, the same way a Russia would. It's much more assertive out in those nations. The, you know, the notion of Russia immediately cracking down on anti-war protesters, immediately you stand, you stand in Moscow, you pull out an anti-war sign and immediately, police go after you.

      Rachael Lyon:
      Mhmm.

      David DiMolfetta:
      You know, that behavior is not the same over here.

      Rachael Lyon:
      Right.

      David DiMolfetta:
      There are, of course, you know, there's no such thing as a perfect country. There are ethics considerations here in the US, but that behavior is not the same. So the concern is that, do we enable the surveillance norms that our foreign adversaries peddle if we sign on to this treaty. So that's an ongoing debate right now. The, the, this UN cybercrime treaty there, they are, they're in the process, I believe, to get a vote out on that, I think before the end of the year, but will the US sign on to that? It's yet to be seen.

      Rachael Lyon:
      Interesting. Yeah. Because it is tricky. I mean, to your point, in, you know, when there is a crime committed, and they are from a certain country, you know, those people aren't extradited. They're never really held accountable either. Right? So there's the enforcement aspect of whatever gets stood up. Right? I mean, it does it have any teeth or is it just in words only, right, if you can't have any kind of enforcement or accountability. Right? That seems very tricky.

      David DiMolfetta:
      Yeah. The thing with this UN cybercrime treaty as it's proposed right now is that it would it would, you know, pass along a lot of the, specific authorities back to the countries it covers. So it's it's very up to the interpretability of the nations that fall under it. It's not a it's not a green light to say, well, do whatever the heck you want. But it certainly gives countries a lot of leeway to do what they want. So again, it's that prevailing question. Do we enable or allow or permit these behaviors for our adversaries by signing on to this treaty. Yeah.

      David DiMolfetta:
      Excuse me.

      Vince Spina:
      David Dart. Yeah. Rachael kinda touched on this before, like, maybe just kinda shifting gears. I can tell you, anytime I talk about kind of that secret world, I literally can feel my heart rate. It's go up. It's like exciting. So maybe we'll we'll calm it down a little bit. Just kinda talk about, you know, federal cybersecurity regulations and initiatives.

      Vince Spina:
      Rachael mentioned earlier in the podcast that's ever evolving. As a reporter, any any impactful initiatives that you've reported on in, the near past or, you know, maybe moving forward here in the near future?

      David DiMolfetta:
      Yeah. The thing I I guess, looking at our level is IoT security, which has been interesting because it's very much a federal agency theme. And we have reported earlier on this year that a lot of the federal government didn't have procedures in place to protect their own IoT assets. That's expanded quite a bit. I think in reporting that it's gotten some more attention, but there's also the the concept of, procuring IoT assets that we had to think about as well. So something something I've been following is the, these House China hawks trying to crack down the procurement of IoT and LIDAR, that's, light imaging detection ranging technologies, IoT and LIDAR procurement from foreign adversaries like China. China has dominated a lot of the LIDAR and IoT market and there are concerns that if you tether these, this type of hardware, this equipment onto, our critical infrastructure here in the US that it may enable or open up certain systems to spying or intelligence gathering, terrain mapping. That's been, I guess, more of a national security focus.

      David DiMolfetta:
      I'd say more broadly, the consumer facing side, the government's been thinking long and hard about this concept of a cyber trust mark, which is very, very akin to what we would see with an Energy Star label. Then in essence, you would slap a label on consumer products, that you grab off the shelf, you'd shop for normally that indicate this meets certain cybersecurity standards, it's probably safer, than alternatives. And so with an Energy Star rating, same idea, it's more energy efficient, it's better for the environment. Getting that label out there, it's tricky. It's administered mainly by the Federal Communications Commission, but the cyber standards itself, those are developed by NIST, the National Institute of Standards and Technology, and then it's also overseen broadly by the National Security Council. Of course, we have a new administration coming in. So the goal has been to get these labels, onto shelves for consumers. I I'd say at this point early next year, there seems to have been a little bit of a push, downstream pushback on on the release stage for this, which is understandable, because it's very hard to develop these.

      David DiMolfetta:
      Right now, specifically, I know the US is shopping for, an administrator or program administrators to get this thing going. So there will be a cyber trust, label administrator for this as well. So there are more steps in play here, but look, the goal is, IoT assets, they just make up so much of what we do every day. I mean, this computer that I'm recording the song in a way it's an IoT asset. I mean, I, I, for people who choose to have a smart fridge or smart thermostat at home, it's the same concept. I don't know, a garage door opener. A lot of internet-connected devices today. Right.

      David DiMolfetta:
      It's, it's been deemed a concern because of course, it's why the if it wasn't a concern, we wouldn't be doing this. No. The, it's it's gonna take some more work, but it seems to be chugging along, I think at a good pace. And look, we'll see what happens. I haven't heard that much from, the National Security Council at this point about progress, and but look, we'll see what happens next.

      Vince Spina:
      Rachael, I don't know if you you track that at all. I've I've got a pretty deep networking background, David, and IoT is a a big issue for me. Like, I I nerd out and, you know, I can tell everything on my network. I have 111 devices on my network. And in our devices. Yes. We have 3 computers. So, you know, all the things you just talked about.

      Vince Spina:
      I mean, I can run my dishwasher, my oven, my refrigerator, the cameras in my garages. I mean, you name it, but, I watch that religiously just to make sure nobody's logging on or I don't see kind of anomalous behavior from any of those devices, things like that. But that is a big, big concern as we move forward for all the reasons you talked about. So

      Rachael Lyon:
      Yeah. It's, it's funny. I you know, David, sometimes I advocate maybe we need to go back to, you know, the stone age and just unplug everything. You know, maybe that's the answer for critical infrastructure security. Let's just take everything offline. Let's go back to the manual, you know, lift and shift and and see if that that, you know, helps us get ahead of things. But nobody seems to wanna jump on that wagon with me.

      David DiMolfetta:
      That's a carrier vision here. I work myself, so I'm obviously.

      Rachael Lyon:
      You know, but speaking of of future proofing, I I'd be really interested in what you're hearing here, you know, in securing emerging technologies. Quantum has been coming up a lot more recently, and it seems to kinda come in these waves. I think Quantum's still at 10 years away, Vince, is is what I've been seeing. But, you know, are you seeing any kind of regulation initiatives or hearing any things being developed, you know, as we look at, you know, the impact of Quantum when it when it finally comes online, hopefully, in 10 years and not 30 years, you know, it I know everyone's worried about the encryption cracking capabilities and

      David DiMolfetta:
      Yeah.

      Rachael Lyon:
      And all these other other use cases, but I I'd love to know what you're hearing in the Beltway.

       

      [29:19] NIST Released Post-Quantum Encryption Standards

      David DiMolfetta:
      Yeah. Huge development in recent months has been finally we got release of post-quantum cryptography standards. And so you might ask what the heck is that? In essence, it's, quantum computers come on the scene. The question is will we have sufficient enough encryption standards in place so that the capabilities of quantum machine would not be able to break through that encryption access. So it's a normal computer that we would, that we would have in this case, you know, for day to day work, something that we're talking about right now. Can you protect your encrypted data on that computer from being breached by the capabilities of the quantum system? If that makes any sense. Those standards have been released. NIST, National Institute of Standards and Technology has, I think approved 14 of the standards now.

      David DiMolfetta:
      The next question is how do you bolt that on to to systems? And and how do you deploy quantum practically in in environments, especially for federal uses? Right. That that part's tricky. If you ever seen a quantum computer, they are very large. You have to have, you have to maintain quantum coherence stability, by, by setting these, this equipment, this hardware up in very, very cool like quite literally temperature cold environments. So that qubit states and other scientific, it's a lot of scientific, mishmash here. But you wanna make sure that the quantum device is computationally accurate. And in order to do that, you need to, you need to set them up in very specified environments. I can't picture in the near term, you know, installing a physical quantum device into a government agency or into an office.

      David DiMolfetta:
      So a lot of the stuff, you know, recently we had an NSA scientist who's, said, yeah, you're probably gonna see this stuff maybe in the next 3 to 5 years, but it's, it's not gonna be on prem. We always talk about we always talk about on prem and networking and in cloud stuff like that. But quite literally, you're not gonna have those on prem quantum, computers. They're just yet a lot of it's gonna be cloud deployed. That's that's what we're hearing. The other question too is how do you actually install and mechanize encryption capabilities into a normal computer? That question is way beyond me. I'm not a quantum scientist. But, but there there's gonna be a lot more to explore here.

      David DiMolfetta:
      I will say though, the private sector is definitely, they're chugging away at this. They're chugging away at this because it's important. The big concern, that a lot of thought leaders have in the government is are these, they're called record now, decrypt later attacks. That's when an adversary comes into your on your network, they nab data. It might be encrypted data, by the way, so it's useless to them because they can't access it. But then eventually with the capability of a quantum device, they'll be able to use that to break through the encryption standards and access that data for exploitation, for fraud, etcetera. Can we shore up our systems in times that if that type of attack happens, we could prevent them from proceeding? That's the big question on people's minds.

      Vince Spina:
      Absolutely. Dave, maybe last question around regulations that you you talked earlier about, you know, agencies and entities, government entities. A lot of them are stovepipe and maybe AI will help kind of expand the ability to communicate. But, with your experience and and the things you report on, are you seeing from different groups where, regulations are overlapping and it makes you kinda scratch your head

      David DiMolfetta:
      that one

      Vince Spina:
      one confuses, you know, another? Yeah. You know? Yeah. All those kind of issues?

      David DiMolfetta:
      Yeah. Yeah. So it's funny. I was preparing for this. I I took a lot of notes to discuss this part. The big flash point is, it's it's a it's a regulation called the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA. In essence, it's governed by CISA, the Cybersecurity and Infrastructure Security Agency that's in the Department of Homeland Security, and mandates that critical infrastructure entities that are targeted by ransomware or other cyber attacks, they have to report them to CISA in a timely manner. So the proposed law says, you have to report general incidents within 72 hours, which is not a lot of time.

      Rachael Lyon:
      Yeah.

      David DiMolfetta:
      Ransomware attacks need to be reported faster than that. And and what's interesting is that as of as when the law was first proposed, in in earlier rule making sometime, it was April this year. Since it said that around 300,000 entities would be subjected to this, there's a lot of critical infrastructure entities out there. The challenge is that you already have cyber incident reporting rules in place from other agencies, like the Federal Communications Commission, like the Securities and Exchange Commission, which governs a lot of the financial sector. The SEC has its own rule that's gotten a lot of pushback in Congress. There have been lawmakers on both sides of the aisle that say, you know, why do you have to force publicly traded entities to report a cyber incident in an 8-K filing? So everyone sees it through, you know, the official SEC EDGAR systems. They have to report that quite fast. I I think a similar time frame, to that 72 hour window, although the exact timeframe escapes me at the moment.

      David DiMolfetta:
      It's tough. The, the, this is the big challenge of overlapping regulations that, that we've been following. Because in the case of, let's take the Securities and Exchange Commission for instance, the financial sector is considered critical infrastructure under current US guidelines, because God forbid, if there's a major cyber attack on a bank or financial system that governs a lot of how regular people like you and me transact, that would be disastrous, it'd be an economic crisis. But why would a company that is considered critical infrastructure under CIRCIA as well have to report twice? You report under CIRCIA, you report under the SEC regulations. I'm told that a lot of these companies have been spending more money hiring legal staff to help them comply with these rules than quite literally investing in cyber protections that could prevent these breaches in the first place. That's the big tension point that Congress is saying, things that I'm hearing when I talk to CISOs. That's the big picture dynamic. I'll mention too, that there are efforts underway to implement regulatory harmonization.

      David DiMolfetta:
      So the Office of the National Cyber Director is supporting this. They they've said quite clearly that we were aware that there's a lot of overlap. They're working with Congress right now on, it's a bill in process. I'm not sure if it'll, run separate from, the National Defense Authorization Act and the typical conferencing that goes on by the end of the year. The NDAA is a must pass, you know, defense policy bill, of course, for for listeners who who don't realize that. So the question is, do we put regular cyber regulatory harmonization into the NDAA? It's quite possible, but it might run separate from that. And in essence, the bill, I, which I believe, originated from, the Senate Homeland Security and Governmental Affairs Committee. It would bring inter agency stakeholders together, in a committee, I believe under the Office of the National Cyber Director.

      David DiMolfetta:
      And, and they would hash these out because there's overlap it's, it's, it appears to be causing headaches. I I'm not a CISO, I'm not an official, but from from what we're being told it's causing a lot of headaches. The fact that the White House is acknowledging that too is a very big deal. That that I'd say is the biggest tension point under cyber regulations at this stage. And look, we'll see what happens next with this, with the new administration coming in. Yeah. I don't know how ONCD is gonna be augmented, or how it's gonna behave, if they're gonna continue to pursue this stuff. But I imagine in an environment that's not as adamant on regulating, they're gonna wanna see, they're gonna wanna see a bit of harmonization, at minimum, and possibly less.

      David DiMolfetta:
      We'll we'll find out.

      Vince Spina:
      Thank you.

      Rachael Lyon:
      Yeah. Just curious. So I'm gonna get into my favorite topic where we talk about foreign adversaries. I love these things. You know, and and as a cyber journalist, David, you've got a front row seat to all the high profile incidents that are going on. You know, of the things that you've maybe seen in, you know, the recent past in the last year yet say, does anything scare you? Or are we just kinda seeing, oh, it's just another day, you know, on the attack surface?


      [38:54] Ongoing Espionage in the US Telecom Infrastructure

      David DiMolfetta:
      I don't wanna I'm not being particular that would frighten me, per se, but it seemed it seems that the stuff is never ending. Right? Yes. I I I, so I I'm personally not, I guess, afraid to get out of bed every day when when we cover these things. But, there I I would say it's it's quite pervasive. The big thing that that we've been following lately are are the Salt Typhoon intrusions into, US telecom companies. And also what it sounds like is the, the infrastructure that facilitates, our or authorized wiretap systems. It's, I, you know, this is I'm giving kudos to to my competitors out in the field that, you know, Wall Street Journal, CNN, Politico, they've been doing a great job kind of helping to advance the story here. This appears to be a very, very complicated advanced espionage campaign into telcos.

      David DiMolfetta:
      And, you know, at this stage that, the target service around 10 to 12 telecom companies, we know AT&T, Verizon, and Lumen are among them. We know that they've targeted officials on both sides of the political aisle, including, including people close to, President-elect Trump, and Vice President-elect JD Vance. Well, so it's, it's quite pervasive, and what they we know that they've accessed audio communications as well, and I believe, unencrypted text messages. So it's quite a bit of stuff that, that they've been able to grab. The Cyber Safety Review Board, in DHS, is going to be investigating this. They confirmed that to us recently. I actually have a small readout too from a, a staffer on the House, on the House side in the House of Representatives, told me that they quote, received a classified briefing yesterday from CISA, ODNI, the FBI regarding hiding concerns about the reports of the Salt Typhoon. And that the committees are gonna continue to examine this intrusion because there's serious national security implications involved.

      David DiMolfetta:
      So, the fact that, select committees in Congress are getting briefed on this from from what we're being told is, you know, is a big deal. This is, investigators seem to believe that this is one of the most pervasive espionage campaigns to date. And, we didn't report this. I think the Wall Street Journal reported this first, but it's it's it's possible that they they've been in these systems, they got in 8 months ago. That means I'd only been in this job for a few months when they got in. So, the Salt Typhoon intruders, that's that's the biggest latest, foreign adversary campaign that we're following. I I'd say another thing, which is dovetailing off of, the presidential, elections. You know, we, we had, we had a safe and secure election.

      David DiMolfetta:
      CISA told us that. Mhmm. They're having, they're having many concessions, you know, from the Democrats about, about being cheated, or about any election fraud. But we've known for months, and it echoes 2016, and it echoes more recent years, that foreign adversaries have tried to influence the way the, the election is conducted. And, and I think what's very, frankly, what's very evil and scary is, is that, on, on election day, November 5th, we saw, that what the FBI said were a lot of, Russian affiliated email domains sending out hoax bomb threats to, campaign sites. Yeah. Well, which have it didn't it didn't stop the process, of of conducting the election. The election again was safe and secure from what officials tell us, but, it certainly slowed things down.

      David DiMolfetta:
      There were evacuations. I asked the FBI if it could give me an exact number, they declined to give me an exact number from, but from what I've tracked it's, and from what other reporting I've read, that is not mine. I, I I'm, I want to give credit where credit is due, but it looks like from other reports, it's been, dozens of these these hoax bomb threats, which is a lot. And and also, in in swing states as well, where, people are watching and you have to be very careful and and and, and precise about how, how you count, how you count these votes. And so, so to create slowdowns like that, it's, I, I, I know for certain officials are, are, are furious. They're, it's, it's, it's a knock on our democracy. And it it it would shock me if the FBI wasn't looking into this further at this point.


      [43:38] What's the Motivation behind Political Interference?

      Vince Spina:
      David, I wanna just get your perspective on, like, what's the motivation behind that? And what what I mean by that is, you know, earlier in the, campaign, the right was leaked information from the left, and they came public and said, we won't use this. There's always kind of talks that certain nation states were trying to help, you know, the right win. You talk about, you know, just a myriad bomb threats in multiple states, which would impact potentially either side of the aisle having their voters come out and and vote for them. So it doesn't necessarily come across as a nation state wanting to put a certain candidate or party in power. So the the reasons behind it have to be bigger. Is it just an overall trust thing or just, I mean, if you had to characterize what's the motivation behind all of this? Do you do you have an opinion on that?

      David DiMolfetta:
      I'll just clarify that. This this this has come from intelligence assessments that reporters have been briefed on. In essence, in the months leading up to, our presidential election, Russia preferred former president Trump, who is now the president again, but at the time, they preferred former president Trump to win, and they were deploying influence, disinformation campaigns to sway votes in favor of him. And on the flip side, Iran favored, vice president Kamala Harris to win.

      Vince Spina:
      Interesting. Okay.

      David DiMolfetta:
      Because the the perception is that Iran's foreign policy is related to, what's going on in the Middle East. And you know, historically, Trump has not been kind to Iran and and to to foreign adversaries over there. So I'll just clarify that, there were targeted attempts, at the presidential level to get a certain, to get a certain candidate back into, into the Oval Office. So I'll clarify that. Broadly speaking, I think in 2024, it's a perfect storm of things. A record number of people around planet Earth voted in elections this year. AI, at the consumer facing level hit our computers, came became available this year. It's a perfect storm of opportunity for adversaries.

      David DiMolfetta:
      Yeah. You know, the a lot of these guys, it's it's just fun and games for them. I I think we forgot that. I I think I think what's Shraddler a lot in in conversations in Washington and it's that, well, you know, the adversaries are trying to do this. They're they're, they're attempting this, we assess this. They, they enjoy it. You know, this is why they're called foreign adversaries. They, you know, unfortunately, we know that with elections, especially in the US, the US is a very, very powerful country that helps dictate the rest, the rest of the way the world works.

      David DiMolfetta:
      A lot of people as I've learned, you know, in talking to your friends and sources and just colleagues, outside the US, a lot of people watch the United States presidential election because America is so influential on the rest of the world's global foreign policy. If there's a way to undermine democratic institutions that dictate how we elect officials here, then our adversaries will take advantage of that. AI utilization, advancements in technology in general, I think it's contributed to that as well. It's, the way things have stacked up this year, it's, again, it's a perfect storm. I'd say that's the best way to put it. And this stuff isn't going away. AI isn't going away. We have to see how, president-elect Trump, dictates the way our, our, our government functions in the coming months.

      David DiMolfetta:
      That's something we're gonna be following very carefully, especially from a cyber regulation side. There's a lot more to explore.

      Vince Spina:
      Thank you. Appreciate that opinion.

      Rachael Lyon:
      Yeah. Absolutely. So I I do wanna be cognizant of time. So, I I'm gonna wrap up here with, a a fun question, hopefully. You know, given all that you've seen kind of on the cybersecurity front and what you're hearing, you know, from from those in government or, you know, kind of elsewhere. As we look at 2025, what do you what are you concerned about? Anything in terms of developing cyber incidents, and or, do you see anything kind of bubbling up as a trend? You know, it everybody likes to know what's gonna happen in the future. Can you look into your crystal ball and tell us, David?

      Vince Spina:
      And Rachel said concern, if there's anything you're excited about, that would be good.

      Rachael Lyon:
      That's true. Exactly. Yes. It doesn't have to be doom and gloom. Let me yeah. Good clarification.

      David DiMolfetta:
      Say if I had a real crystal ball, my life would be a lot easier, but, I'll try to I'll try to extrapolate a bit. I think it's pretty clear at this point, and and this is just from officials and and executives I talked to. Going forward, the next geopolitical conflict will have a major cyber component embedded into it. A lot more than what we see, between Israel and Hamas or Russia and Ukraine. It's it appears that the next war will have, a major cyber component embedded into it. I'm not jockeying any nation in particular to start a war or

      Vince Spina:
      to or

      David DiMolfetta:
      to plant seeds to start a war. I don't think I think deep down nobody nobody wants conflict, but it's it's there and and it's happening. And and this concept of great power competition, it's it's being dictated largely, as we see, and and we see it in in, in our defense policy bills. We see it in military buildup around the world as well. Tech and cyber are certainly here to stay. I would, I I say more on the ground here in in the federal space. We're gonna be watching for how, cyber regulations in the US government are influenced by this under a second Trump administration. One thing we had just reported is there there's a broad desire to, roll back a lot of agency funding and and shed, you know, what what they deem as government waste.

      David DiMolfetta:
      That there's a concept of a good of a government efficiency commission going around. That's that's aimed to be stood up, under a second Trump administration. But the question is, how does that work in terms of funding, cyber defenses within agencies? You know, foreign adversaries love going after government agencies. We've seen it time and time again, it's been a mainstay, motivation for regulations in the Biden era, SolarWinds, Colonial Pipeline. Of course, there's a major incident last year that got the attention of the Cyber Safety Review Board when it's when a separate Chinese hacker group got into, the email inboxes of major US officials, including Secretary of State, Gina Raimondo, and I think Nick Burns, our our ambassador to China. So, being able to access that, we had another case earlier, I think in January when, Russian hackers accessed email communications between agencies as well. So the federal government enterprise is a prime target. If you reduce agency budgets, are you gonna have enough money to go around to hire chief information officers for those agencies, chief information security officers, and then of course, the recurring revenue that you pay for with contractors.

      David DiMolfetta:
      Right. So keep antivirus software and on prem solutions, to, you know, stop phishing attacks or detect phishing. But a lot of ways to get in. There are a lot of techniques that these guys use. Will there be enough money to go around? That's something we're gonna find out.

      Rachael Lyon:
      Yeah. That's a really good point. It's because, you know, what do they what do they like to say about cyber. Right? You know, the the adversaries, they can try hundreds of thousands of times and and thanks to AI it's all automated. And they just have to get, you know, get in once. Right? You you know, of of the whole attack surface. Yeah. There's a lot of cracks.

      Rachael Lyon:
      And, yeah, that's that's gonna be a big one to watch for sure. It's a really

      David DiMolfetta:
      good point.

      Rachael Lyon:
      Vince, did you have any parting thoughts?

      Vince Spina:
      No. That's not

      Rachael Lyon:
      It's been great.

      Vince Spina:
      David, yeah, very interesting. I mean, it's, I mean, like I said, in the whenever we're talking about foreign adversaries or whatever, I just feel my heart rate go up. It's like you said, it's like a Tom Clancy kind of novel for me. But, and it's, you know, it's got its concern side, but, you know, also comes with a lot of optimism as well on certain things going on. But appreciate you and, your time and coming on and talking to Rachel and I and and our listeners. So thank you very much.

      Rachael Lyon:
      Absolutely. Yeah. Just to it must be so cool to be in the Beltway. Right? And, you know, kind of a fly on the wall and, you know, depending on where you go in the conversations you can hear and the people that you get to talk to, I just, that is so cool. That is so cool.

      David DiMolfetta:
      Yeah, I'm I'm very lucky. It's great to be here. Thank you.

      Rachael Lyon:
      Thank you, David. And to all of our listeners, thank you again for joining us for yet another amazing podcast episode and guest. And as always, Vince, I do I need the drum roll?

      Vince Spina:
      Please smash that like button. Tell us, tell us what we're doing

      David DiMolfetta:
      right.

      Vince Spina:
      Future topics for for our podcast, and we just appreciate you all listening in.

      Rachael Lyon:
      Absolutely. Absolutely. Well, on behalf of Vince and I, everybody, until next time, stay safe. Thanks for joining us on the To the Point cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/podcast. And don't forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.


      About Our Guest


      David DiMolfetta, Cybersecurity Reporter

      David DiMolfetta covers cybersecurity for Nextgov/FCW. Previously, he researched The Cybersecurity 202 and The Technology 202 newsletters at The Washington Post and covered AI, cybersecurity and technology policy for S&P Global Market Intelligence. He holds a BBA from The George Washington University and an MS from Georgetown University.
