Specialty Podcast: An Inside Look at the White House National Cybersecurity Strategy

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

David Finz (00:09):
Hello everyone and welcome to another edition of the Alliant Specialty Podcast. I'm David Finz and with me today in the studio we have a very special guest. Stephen Vina is a senior advisor in the office of the National Cyber Director. That means he's coming to us straight from the White House. Stephen, why don't you tell us a little bit about what that role entails?

Stephen Vina (00:31):
Thank you so much, David, for having me. It's a real pleasure to see you again. I kind of want to talk a little about the office because I think maybe some of your listeners may not know a lot about the office of the National Cyber Director. We are the newest office in the White House, probably the first one in over 30 years. We were established in January of 2021 and have been moving full steam ahead since then. We're a staff of around 80 folks right now, and our mission is guided by four underlying principles. One, we really want to build what we call federal coherence and what that really gets down to is coordination across the federal government when it comes to cybersecurity. You have a lot of different agencies involved from the intelligence community to law enforcement, and it's very important that we all kind of are coordinated in the approach we're bringing forward to address our cyber roots.

The second, we call it, aligning our budget to our aspirations, and that's really making sure, and it's very similar to what we do in the insurance industry, is making sure that the investments we're putting forward with our limited resources are really driving down risk. Third, I would say improving public-private partnerships, it's critical to what we do. I, as well as everyone knows that about 90% of critical infrastructure is owned by the private sector, and so it's critical that the federal government and private sector partner together. And then finally what we call, increasing present and future resilience. So, we want to address not only the threats today, but looking down the road, looking at tomorrow. So those are kind of the general constructs of our office from a policy and a policy coordination role. I've been with this office for about a year now. I started off as the first-ever Director for Legislative Affairs. My responsibility was standing up our office, managing our relationship with congress as well as advocating for the administration and ODC's priorities on the hill. And so, I did that for about a year. Now I'm actually moved over to more of a policy leaning position. I'm leading our cyber insurance efforts. We're helping develop and coordinate the policy across the interagency. It's been a great experience so far and really honored to be serving in this administration.

David Finz (02:28):
Now, you made reference before to the White House's new national cybersecurity strategy. So, tell us a little bit about the five pillars of this strategy.

Stephen Vina (02:39):
Sure. So, the strategy was released earlier this month, and really what we did is we took a hard look at challenges facing our country in cyberspace and these won't come to any surprise to your listeners. And we really had to rethink the way we approached cybersecurity. And so, what this strategy tries to do is lay out a new vision with the underlying goal that we want to build a digital ecosystem that is more defensible, resilient and aligned with our values. So that's kind of our underlying goal. And to do that, we put forward two fundamental shifts. The first is that we must rebalance the responsibility for cyber security. Claim after claim would come in and you read the report and it's one person clicked on a link, and it caused havoc for the company, perhaps millions of dollars in losses.

And so, we had to really rethink, is that the way it should be? Should one person hold so much responsibility. And so, what we're trying to do here is that we're shifting that responsibility to those that are best positioned and most capable to bear the burden, right? So, moving it from the small organization, the individual entity, to those that are more capable, best capable and closer to the risk to actually do something about it. So really to re-architect our digital system. So, we're building things like, and I'm sure you've heard this before, security by design, making it in at the beginning so that one individual, so much responsibility is not placed on them. The second thing that we do is really realigning our incentives to favor long-term investments. And again, that's getting to this point about thinking down the road, right?

It's building out that workforce, it's zero trust architecture, security by design, making those investments and resources and capabilities so we know that we can address, not only what we're dealing with today, but looking at tomorrow. Now you asked about the pillars. So those fundamental shifts, that's kind of the big picture. The pillars are how we carry out those two fundamental shifts. There's five of them in the strategy and within each of those pillars, there's various strategic objectives. The first being defending critical infrastructure. And so, we're taking a close look to see if more regulation is needed to ensure that there's at least some kind of baseline of cybersecurity hygiene for those critical services that you and I use every day. The second is disrupting and dismantling threat actors. Again, that's working across the interagency across the government, to make sure we're using all levers of national power so that bad actors don't take advantage of our critical infrastructure.

Third is shaping market forces to drive security and resilience, shifting the liability for software. Things like IoT, we talk about insurance, how can the market drive better cybersecurity? Fourth, we talk about investing in a resilient future. And then again, this gets to things like workforce, research and development, post quantum encryption. How are we thinking about those threats that we're seeing not only today merge, but down the road will be front and center. And then finally, our international relationships, right? We know cyber's global, we know the cyber knows no boundaries. And so, we have to be thinking internationally what we're doing here and what's happening in Europe and Asia is also critical to their operations. And so, we have to think globally in our cybersecurity, whether it's the norms, finding responsible norms or making sure different countries have capabilities and helping them have that technical expertise.

David Finz (06:04):
Well, that's a very comprehensive overview. I want to thank you for that, Stephen. I would like to go back to one of the points that you raised before about the strategy. It seems that a key point around this is to shift liability to the software developers and other vendors when their technology fails to prevent an attack. And so, I do need to ask you, how do you respond to critics who claim that this places an unfair burden on businesses due to the ever-changing threat landscape? Like, to put it bluntly, can one of these technology companies really anticipate what form the next zero-day attack is going to take and design that into their products

Stephen Vina (06:47):
That's a great question and this is one that we've thought long and hard about and really touches on that fundamental shift because I think this discussion about software liability has been around for a long time and I think this is one of the first times that the government has really stepped in and said, "we want to move the ball forward here because we think this is where we can make some real change." We need safer software and how we get there, to your points, maybe that might stifle innovation. And so, the focus was really towards maybe we can shift the liability and see how that might incentivize a stronger software development process. It's important to say, this is the beginning of that discussion. I think we still have a long way to go, and we are open to hearing from industry stakeholders on these issues.

We've been talking about a safe harbor, perhaps, should you meet certain software development process, does that open you to some kind of safe harbor or, another option is known vulnerabilities. What kind of risk do you assume if you're pushing through a product that you know that has some vulnerabilities? So, those are just different concepts we're thinking about right now. And we're definitely open to hearing, suggestions from the industry about this. We recognize it is a long-term process. So, some of the things that we're looking at is vulnerability disclosures, software, bill of materials, end of life support. I know from back in my insurance days that it's very important to a lot of the insurance community looking at those different processes in place for software continues to be critical and it's something that we're going to be taking a hard look at.

David Finz (08:19):
Well, it's reassuring to hear that you're going to be welcoming input from industry stakeholders, so I'm sure our listeners are glad to hear that. Shifting gears for a moment, I'd like to get your thoughts on the federal backstop for cyber insurance. As I know that the Department of the Treasury has been looking at this as well. Do you think it's necessary and how much control over underwriting criteria would the federal government need to have in order to make this effective?

Stephen Vina (08:46):
Yeah, so take a step back and the fact that we're talking about cyber insurance in a national cybersecurity strategy. It's an important part of the discussion here about insurance being a part of these security discussions, being a security partner. With respect to the backstop, I think there's also a recognition that, and there's been report after report about potential, the potential for catastrophic losses, the potential for large cascading and systemic impacts across multiple sectors, right? And so, we have that out there and we have that recognition of those types of losses out there, right? So, we have this gap that perhaps may be increasing. And so, the question is what are we going to do? And so, we're trying to be proactive here. Assessing the need for a backstop is the work that's ongoing right now. And so, without getting into the details, I can say that the points that you raise are issues that are being looked at. Should it be mandatory? What will it cover? What's the trigger? What's the threshold? But ultimately the initial question is, is it warranted or not? And that's what process is happening right now.

David Finz (09:47):
Well, it's good to hear that treasury is coordinating with you and taking that input into account that they received from the comments. Stephen, any last thoughts for our listeners today?

Stephen Vina (09:57):
So, I just want to say thank you. Thank you for having me. It's great to see you again. I think the insurance community can be a strategic partner. There's a lot of work to be done and working together we'll be able to continue to move the ball forward. We value the relationship with you and your listeners and the insurance community, and so our door’s open. If you would like to engage, please reach out to me and we'd love to hear from you.

David Finz (10:18):
That's terrific. Thanks again for appearing on the program, Stephen. Well, that about wraps it up for today. I want to thank everyone for joining and for listening. Bringing you thought leadership like Stephen Vina is just one more way that Alliant helps you find the more rewarding way to manage risk. And if you'd like to learn more about our offerings around the cyber insurance product, you can visit our website at www.alliant.com/cyber. Thanks again, until next time, take care.