What should the US government do about rampant cyber crime?

EP 79: What should the US government do about rampant cyber crime?


About this episode

May 11, 2021

Our guest is Michael Garcia, who co-authored a report for the US government, entitled “A Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here?” Find out his top 3 recommendations with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, JD and Cybersecurity Practice Lead. AND: Will all attorneys please join us online for a free, one-hour CLE on June 23, 2021 at 12 pm Pacific where Kip and Jake will teach you how to answer client questions about ransomware? Sign up here:


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a Cyber Risk Manager. On today's episode, your virtual Chief Information Security Officer is Kip Boyle. And your virtual Cybersecurity Council is Jake Bernstein. Visit them at and

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Hey Jake. Hi, we have a guest today and we're going to talk with Michael Garcia. Because he co-authored a report that I think our audience needs to know about. I wouldn't say it's the easiest report to read, but after I looked at it, I was like, got to get Michael on here to decode this for us. We're not the intended audience, but we'll get into that. His report is called a Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here?

Jake Bernstein: That sounds really interesting. And I have some experience in this area, so Michael, welcome to the podcast.

Michael Garcia: Thanks for having me guys.

Kip Boyle: Yeah, we're happy that you're here. Thanks for making the time. Would you introduce yourself and let our listeners know just a little bit about your background? How did you get here?

Michael Garcia: Absolutely. So my name's Michael Garcia. I'm a Senior Policy Advisor for Third Way in the National Security Program where I work on the Cyber Enforcement Initiative, which I'll talk about a little bit. I've been there now for about a year, started in April 2020. So it's about my one year anniversary, about two days ago. Prior to that though, I spent a number of months with the US Cyberspace Solarium Commission, which was recommended commission that looked at how US can improve its cyber deterrence. So I spent a number of months there working on recommendations and developing legislative proposals to achieve that end. Prior to the commission, I spent a number of years at the National Governors Association, where I traveled around the country, visiting various capitals to work with governors' offices, to develop legislation, policies, executive orders related to cybersecurity technology and other national security issues. And a lot of which was looking at how we can improve public-private partnership around this issue, which I know is something of keen interest to your listeners. So that's me in a nutshell.

Kip Boyle: Oh, you're a COVID hire. Did you have that all sorted out before the pandemic showed up?

Michael Garcia: I sneaked in just in a door before everything happened. The funny thing is I've only been in the office for interviews and have not yet been in the office. So I've been told I have a nice desk and computer and laptop, but so far I've not seen it.

Jake Bernstein: Oh, that's funny.

Kip Boyle: I hope you do soon.

Jake Bernstein: It's a brave world out there right now. So Michael, this is great. Today, we're going to unpack the report you authored. And I have to be honest, I've not read the entire thing. I looked it up and it said "estimated time to read, one hour 47 minutes." And I thought to myself, if I had an hour and 47 minutes, maybe I could get through this, but I don't.

Kip Boyle: And nobody in our audience is going to either. So I was like, this is short circuit as whole thing. And just ask Michael to come in.

Jake Bernstein: And I think that's exactly the purpose of being able to do this. I think this is really important information and I think this podcast can make it accessible to an even wider audience than you would normally seek to be reaching, I would expect. So Kip, I have been saying for years that we're completely outgunned by cybercriminals. It's very, very difficult to stop them as an individual company. And the FBI really seems to be much better at arresting old school, physical criminals than digital ones. And what that really does is leave the private sector kind of out in the dark without a lot of protection. At least that's how it feels to those of us in the private sector.

Kip Boyle: Yeah.

Jake Bernstein: And just by way of kind of background, when I was at the Attorney General's office in Washington State, we did partner with federal agencies and even in the private sector, I've partnered with some of the federal agencies, the Secret Service, the FBI. And it's always a one way street. There's not a lot of, I don't know, there's not really a public-private partnership right now. There's more like a one way information in, I don't want to say exchange, it's an information in granting mechanism where we give information to the government and the government stares at us blankly. Which I understand, having been in government, in government law enforcement. I understand why we do that, however. Oh, this just works so well.

Kip Boyle: It's not helpful for people that are trying to run businesses on the digital highway.

Jake Bernstein: So Michael, is there by any chance, excuse the pun, a third way? And if so, well, who is Third Way and why did they decide to write this report?

Michael Garcia: Yeah, thanks a lot Jake, you hit on a lot of things, but I think just to kind of hit the last point, Third Way is a center left think tank organization in DC that covers a whole host of policy areas, a lot of researching and writing on things like healthcare, education, workforce. And then the National Security Program where I reside, where we have our Cyber Enforcement Initiative. And back in 2018, when the initiative began before my time. But my former colleague Mieke Eoyang, she did analysis of a scan of what was being talked about, what was being researched, what was being written about. And she realized that the cybercrime angle was not being mentioned at all. It was a lot of how can we protect our IoT and infrastructure and cyber hygiene as well as looking at maybe what's going on in defense department world and air national space. Both of which are very important, but you're missing a whole slew of things in the middle in terms of cybercriminals going after not only mom-and-pop shops, as well as individuals. But also attacking Fortune 500 companies.

I think you look at Target, Home Depot, access, list goes on and on, some of which are just lone actors, some of which are abetted by nation-state actors. What we saw was that there's not actually a lot of policies being proposed around cyber crime, especially going after the human actor behind that crime. Because at the end of the day, any cyber incident is actually a crime. So we began developing a series of policies and papers beginning in 2018, really laying out that landscape. And then when I joined in April 2020, we saw a unique need or line of interest in that with the new administration coming in, whether that's going to be the second Trump administration or Biden administration, a high sitting Congress, we saw that we can really pull some low-hanging fruit in order to help folks like the FBI, Secret Service to get at some of the things that you mentioned.

So we convened 30 subject matter experts starting in April through June and July 2020. And these experts ranged from various former administration jobs and government, as well as private sector, state and local representatives and international partners as well to really tackle this from holistic framework. I think we're a little too holistic and that's why the paper is an hour and a half long to read. But we do try to make it a little digestible because at the very end we have a pretty nice table in terms of saying who's going to do what, how long it'll take in order to implement the recommendation. And the nice thing about it is that while Third Way, ideologically is a center left institution. Our report is nonpartisan in nature, because we really want to show that cyber security shouldn't be politicized. It really is nonpartisan and that anyone regardless of the administration could take it on and [inaudible] Congress could take it on as well. And so if you look at the report, it's very much written in that kind of framework, consensus building approach.

Jake Bernstein: Absolutely.

Michael Garcia: Yeah.

Jake Bernstein: That's super helpful. And I want to say I'm actually really impressed with how quickly you guys put this together. I've been part of kind of team written white papers before. And the fact that you joined about a year ago and yet this thing is already written I'm actually like, hey, that's amazing. So good job and great. I think this is right. The appendix one to our listeners, if you don't want to read the entire thing, which a lot of our listeners just don't have time for. Download it, skip to page 62 of the PDF, and you've got the appendix, which is the summary, and that's super helpful by itself to kind of get a sense of what's going on.

Kip Boyle: Yeah. Michael, one of the reasons why I was so attracted to what you're doing here, this body of work and this report, isn't because I was part of the target audience. I don't think any of us listening right now are really part of your target audience. But it was really about, nobody's talking about this problem as you said, right? Jake and I are talking about it in terms of helping our listeners and our customers and clients know like, what's the landscape you're operating in here. But what we don't see is serious credible suggestions for what can be done about it. It seems like a really intractable problem. So I'm just really glad you guys are addressing it. But I was curious, I've never worked with a think tank before, no matter where they fall on the political spectrum. And I'm curious, you gave some background, but I'm still kind of wondering how does this issue relate to Third Way and just in terms of its charter, why there's lots of intractable problems. It's interested to know why this one.

Michael Garcia: So I think going to why cyber crime matters and that we are always trying to identify solutions to challenges that people aren't talking about. And what we found is that cyber crime, at least one in four American households have been impacted by a form of cyber crime. And honestly, it's probably more than that because only one in 10 people actually report a crime to law enforcement. And you think of all the personally identifiable information that's been stolen from various types of breaches, especially if folks have worked with the government from OPM. The number probably closer to three in four, if not all of us, frankly, having some kind of information being stolen.

So here is the prevalent form of cyber crime or crime in America, yet when we crunch the numbers in terms of arrest rate, we've seen that all the crimes that approach FBI, only three in 1000 actually lead to arrest. Here is the most prevalent part of crime, but the lowest enforcement rate. And so we saw that there was a need in order to kind of bridge that delta and understand that this impacts every single person, every single business in America and members of Congress should pay attention to it. Yes, deter adversaries is important, but actually going somehow after the criminals is equally important. And that's why I think Third Way, sorry, really tackling this issue.

Kip Boyle: Okay. Cool. Now we're going to get to your recommendations, right. Because I want to unpack that, but I just first want to take a little detour and just reemphasize. Jake and I have both said, "we don't think we're in your target audience," who is in your target audience?

Michael Garcia: Yeah, no, you're absolutely right. If you look at the report, it's a lot of FBI should do this, you can start to do that. So our target audience was really primarily focused at the federal government identifying policies, and proposals that they should implement. If your audience reads very bureaucratic, like a government report almost, which was intentional. So that was our primary audience or secondary audience being staffers on congressional committees and other hill committees to identify legislation that they could implement, because they could easily take out, FBI should do XYZ to say Congress should do ABC with FBI doing these things. That being said, the recommendations do have implications for private sector companies. And I think Jake hit on something really early on, which we talk about to talk about later, information sharing. And that information regime is not necessarily the issue of private sector, but it's really federal government getting its own house in order. So we have a slew recommendations place to that, but even though it's directed to the government, the outcome is to improve information for the wider private sector ecosystem.

Jake Bernstein: And I would add, it's not just the federal government that needs help here it's the federal government specifically needs to get its own house in order and also provide the leadership to my new favorite acronym, SLTT, State, local territorial, and tribal. I just learned that. But the reason that's important is that as the way that we have organized our law enforcement in this country, hearkens back to seriously, Ye Olden Days of sheriffs, the sheriff of Nottingham level olden days. And what that does is it creates these artificial jurisdictions where, when you are a bad guy and you step out of the City of Bellevue into the City of Issaquah or maybe I should use like cities that people know so DC into-

Michael Garcia: Hey, I know those cities.

Jake Bernstein: ... I know you do. But DC into, I don't know, Raleigh or something. You're just running around to... You cross these kind of artificial boundaries whereby you kind of escape the ability of the previous law enforcement agency to get you. Now that used to be hard stops. We've all seen and heard stories about the twenties and thirties where the state get across the state line and you're safe. That doesn't work as well anymore, there's a lot of interagency cooperation. But if we're going to tackle cyber crime, which does not care at all about artificial geographical boundaries, we have to take the interagency cooperation and information sharing and inter jurisdictional enforcement to an entirely new level. And by the way, how is that for some bureau's pick, I can tell that I can slip back into that government style-

Michael Garcia: Wow.

Jake Bernstein: ... Pretty quick.

Kip Boyle: Yeah. That was impressively confusing to my brain.

Jake Bernstein: Yeah. Sorry. But I bet you, Michael understood everything I just said.

Kip Boyle: I hope so.

Michael Garcia: Oh, complete English to me. Yes.

Jake Bernstein: Yap. So.

Kip Boyle: Well, so, but it's gosh I always go back to the 1920s, 1930s in America gangsters and Bonnie and Clyde, right. The Hollywood movie about how they would rob banks and escape over state lines and all that stuff. And it took a revolution in law enforcement for that to get addressed, right. So you needed more federal oversight. You needed to actually find new ways of prosecuting people for crimes that were easier to prosecute somebody for than the ones that they were actually committing because they had some really interesting ways of dodging evidence pointing back to them and so forth. So a lot of gangsters ultimately were convicted of tax evasion as opposed to murder or racketeering or whatever the other things were that they were actually engaged in. So, but it was possible because we were still under one single political jurisdiction in the United States government, federal government. This is different though, right. Because now we're talking about crossing national boundaries, national borders, this is global, it's transnational, different languages and cultures. It's not just Alabama versus Mississippi, so it's way harder right, Michael?

Michael Garcia: Yeah, absolutely. I think it's different from traditional crime in that you have victims based in US, but the ones perpetrating the crime are overseas. As a result, we have to help our 18,000 state and local law enforcement. A lot of which are rural communities. And a lot of which are just five law enforcement officers, some of which really don't have computer investigative backgrounds trying to then put the pieces together to identify maybe someone who is in the Ukraine. So it is a multinational, multi-jurisdictional issue, which is why I think the report is so long. Because we had all these things to deal with.

Kip Boyle: There's a lot to do.

Michael Garcia: Yeah. In addition to the NMC issues that Jake pointed out,

Kip Boyle: There's a lot to do. Oh my gosh. So much to do.

Jake Bernstein: Well. And I think one of the biggest challenges that I recall from trying to enforce US law is that the bad guys, they simply are in places where there it's not a friendly nation state, which makes it even more challenging. And I think that is going to be that ultimately is a diplomatic problem for literally nobody else, but the US state department can help with that. Nobody else. There has to be the federal government.

Kip Boyle: As things are right now, right.

Jake Bernstein: Yeah.

Kip Boyle: So, but maybe this is a great time to segue into what exactly is being recommended in the report.

Michael Garcia: Yeah. So as we were talking about, there's a lot of challenges to address. So what we did is, as I mentioned, we had those 30 side matter experts convene them. And we broke them out into three different working groups, which then created our three chapters in a report, which boils down to White House Architecture, domestic law enforcement capabilities, and international capability capacity, which we were just touching upon at the last bit here. So within the 60 recommendations, they fall within those three chapters with the first one, The White House architecture, really looking at how can the federal government become a better coordinator, not only amongst the federal government agencies.

But also with international allies, as well as coordinating with state local partners, which then could trickle into better cooperation and collaboration for private sector partners. And it makes it so much easier knowing if I'm private sector and stay knowing, okay, the FBI is responsible for this, Secret Service does that, state department does this. Right now those clear line of approach do not really exist. They're kind of muddied and we need to do a better job of fixing that. So that's what chapter one really talks about. Chapter two is really looking at how can we provide better coordination amongst domestic law enforcement so that FBI, Secret Service and DHS are working together and coalescing together. So then it can help with those partners at the state and local level who can then engage with victims, whether they're individuals like us or private sector, business, or other types of entities.

And that also encourages, we talk about a framework in which we can incentivize reporting mechanisms, information sharing, and better collaboration to share data so that we can go after criminals who live overseas. And that brings me to the third chapter, which is really looking at how can we shape the US government. So it could be a better international ally to a) Improve our allies ability to go after cyber criminals and also to impose consequences on those countries like China or Russia, probably now have been known to have connections with criminal syndicates to steal intellectual property information from private businesses.

And I think what's fascinating, and one little just like tidbit I want to share folks is that we were talking about how the state department is the only federal government agency that, and really the only entity in the US that could and should be leading these international efforts here for the state department, we don't have a cyber technology bureau, it doesn't exist. And that's one of our key recommendations. Yes it's one of the main recommendation that we are joined for century, where our main department engaging in international affairs is now equipped to handle this 20 challenge.

Jake Bernstein: Mm-hmm (affirmative). Totally agree.

Michael Garcia: Wow.

Jake Bernstein: Totally agree. This is a huge major, major problem. I think it would be worthwhile to maybe hit on a couple of points within the kind of specifics. I'm curious if you had to pick one or two of the most important kind of recommendations in there. If you had to pick two or three things that I can wave this Magic Wand and they're going to do this. What would you choose, what do you think is the most important? Because according to this table here, there's 16 kind of main points. And then as you said, 60 plus overall, you can go ahead and pick from the 16 main points. We'll make it a little easier, but I'm kind of curious what do you think it would have the most immediate effect on helping to really begin to deal with this problem.

Kip Boyle: Closing this gap, yeah.

Michael Garcia: Yeah. That's really difficult because to me they're all equally important as any author should say about his recommendations.

Kip Boyle: You have all your children equally.

Michael Garcia: Exactly. But some of them, I like a bit more, I think the way I'll do this is I'll talk about the ones that I think will have the greatest impact for private sector partners, which I think is really important and probably most remains this conversation. And they kind of equally are within the three chapters I mentioned. First and foremost is information sharing and it killed me to even put it into the paper because since the Dawn of the internet, we've been talking about information. I think people lap their hands against their face when they hear it because it's just something we've been trying to do forever now. And as I mentioned, it's not necessarily information flowing from private sector up.

It's the opposite in that the federal government does not provide actual timely and relevant information to private partners nor do they really know the needs of their private partners, which doesn't understand the federal government. There are tons of private individuals who have various needs and equities at stake with their companies. And there's various sectors, but they all need to have tailored information. So one of our key objectives is to have a more streamlined, thoughtful approach in which you're not going to get information from FBI, Secret Service and the whole host of agencies that have information.

But there should be a streamline in which it's one vector to share information down. And also when private sector shares any information to any federal point, that information is then shared with large across the whole federal enterprise. And because right now I know Jake probably understands this more than anyone here, but there's so much bureaucratic infighting that the federal government receives a piece of information. It's mine, that is mine, I'm not going to share it. I need to protect this because that's my interest. We need to break down those silos and that then will help with information sharing.

Jake Bernstein: Absolutely. And I think there are some good models out there. I think the FBI's InfraGard is a good example. I think it can... That, but bigger would be a really good start.

Michael Garcia: Absolutely. And I think there's so many of these ISACs and ISOs that I'm sure a lot of your listeners are familiar with. Leveraging those is really important. So I think that's, that's number one. Number two is that we do a better job of institutionalizing relationships between federal government, state and local and private partners. And it's really a three-legged bar stool. You need all three legs in order for the stool to be held into place. Right now, too often, it's based off the personal relationships right now. Maybe me and Jake have really good relationships. So I'll hit them up and say, hey Jake, I've been seeing these weird TTPs on my network or I'm seeing some activity, but if Jake leaves, then all of a sudden it's just Kip taking Jake's place. Maybe I don't like Kip, so I'm not going to work with that agency anymore. And we can't have that.

So we have a series of recommendations in terms of what is each federal agency's responsibility for certain issue areas? When should they be called and how we make sure that private partners understand that. And as an institutionalized relationship, rather than a personal relationship. And I think to drive down a little further is something that we call operational collaboration, which is a term that's been floated throughout government now for past few years. But it's notion of, we talked about public-private partnership a lot, but we need to operationalize it and make it into action. And so we recommend for a framework in which you could bring in private sector partners and public entities to work together in order to identify maybe malicious command and control systems and take them down. And there's a couple of bad examples that I could point to, but that's not area in which we see that you can have better collaboration with privacy departments.

Jake Bernstein: And I would say, Kip, you and I have one of the best examples of this, right? In our backyard, the Microsoft digital crimes unit has been incredibly active in working with state, local, federal, and international government entities to bring down botnets. It's amazing to me that a private corporation that literally by law has to be focused on shareholder value and profit is able and willing to-

Kip Boyle: It's performing a law enforcement.

Jake Bernstein: ... is performing a law enforcement function and it's doing it better than law enforcement. And that should be something that is really looked at by the federal government.

Kip Boyle: Well, and I think Michael, I kind of hear you touching on this subject a little bit, but I think where we also need to go in this conversation is an acknowledgement that private sector probably has more of the tools. And more of the understanding of the problem space?

Michael Garcia: The expertise.

Kip Boyle: Which is why we're seeing that. But it also comes with a downside, which is private sector doesn't trust government enough to fully let them enter into an equal partnership. And so that's absolutely a cultural barrier, which is not dissimilar to the FBI counterintelligence versus CIA counterintelligence. Where we've got political boundaries, just declaring where these organizations can operate. And that brings us to the Snowden revelations. And so, man, it just seems like a big sweaty hairball here, and it's going to be really hard to... Without some kind of a crisis, right. I just don't know that we're going to be able to really tackle this and achieve some of the revolutions, not evolutions, but revolutions in thinking and behaving that are probably going to be necessary. So this all leaves me kind of a bit despondent.

Michael Garcia: I don't blame you.

Kip Boyle: And again, as if I'm thinking about our audience, right. I'm like, oh my goodness, if anyone's still listening at this point, they must be thinking like, what, so what, ah, what do I do? It's like the cavalry is not coming, right? None of this stuff's going to get resolved anytime soon, unless you know something Michael that we don't. And so I just can't help, but to then move on to this. What should our listeners be thinking about your report? What should they be asking their elected representatives to do? And what should they do? Is there any relief coming for them?

Michael Garcia: Yeah.

Jake Bernstein: And to add one more question to that list. What could they be doing now to promote these goals? Obviously report to the FBI, use IC3, all that stuff, but I think that's equally important is what can they do now to make this happen?

Michael Garcia: Right. So I think I actually key off that last point in that I understand the trepidation of not reporting federal government for a whole host concerns. And primarily which is regulatory blowback or any kind of financial injuries that they could face. But I do think that first and foremost, that if a company gets hit with ransomware, malware or any kind of incident, that reporting law enforcement is really important because program actually has a lot of good resources to bear. I know this conversation's been talking about how they need to be improved, but they actually haven't done a lot in the past years and various agencies have a lot they can offer. And there are all stop gap measures in that if you report something to the FBI, that's not necessarily going to be reported then to the SEC or any other kind of regulatory framework, but I understand some of the issues lace that.

And that's why I think tapping into some of these ISOs and ISACs that we're discussing earlier in that if you're not part of your local ISO that maybe your retail shop, there's a retail ISO that's out there that shares a lot of good information. And it's a good way to put a middleman between yourself and the federal government. Yet you can still intake federal government data while not necessarily touching them. And lastly, and it's something that we haven't touched yet, and I think be good to touch on, is the workforce issue. And it's not only federal government, the private sector sees it too. There is a huge workforce gap. There's actually a website that the National Institute of Standards and Technology put out that really looks at the workforce gap. And I think part of that gap though, is that far too often, we see cyber security as an IT issue where there's really so much more as an IT challenge. And so when-

Kip Boyle: That's a business challenge, I think.

Michael Garcia: It is. But as a result though, you need to make sure that when you put out your open applications out there, that you frame it in which you're not going to deter people who don't have computer science or cybersecurity background. And then that also helps you to diversify your employment base because right now are too often. Women and people of color are not making up the larger cybersecurity workforce and you're losing out on kind of that diversification of issues. So I think-

Kip Boyle: Yeah.

Michael Garcia: ... those are the three things I'll point out.

Kip Boyle: Dang! But there's no silver bullet.

Jake Bernstein: There is no silver bullet.

Kip Boyle: Hoping we'd have one.

Michael Garcia: We could turn the internet off and call it a day.

Jake Bernstein: That would [crosstalk].

Kip Boyle: For those of us of a certain age, we know how to survive, right. In an environment like that. I'm reminded of-

Jake Bernstein: Yeah [crosstalk] of myself included literally does not know how to survive. If you turn the internet off.

Kip Boyle: I'm reminded of conversations with customers. And I talk about their business continuity plan, their disaster recovery plan. And I often ask them, I'm like so what are you going to do if you can't actually access your file server to read the plan that you should be following when something bad happens?

Michael Garcia: Yeah.

Kip Boyle: Right. It's like we should probably print these things. And I'm like, "I know the poor millennials." They're not really going to know what to do with a pencil in their hands and we just have to train them.

Michael Garcia: Yap.

Kip Boyle: Yeah. But we may end up back in that type of a world anyway, right. If we can't govern this internet thing, then gosh, I just tragedy of the commons pick your metaphor. But it's like I just get concerned that eventually it's going to be so dangerous to do business on the internet. That people are just going to really struggle with this. And really, if it costs more to do business on the internet, then you're making a profit. Then what, what do we do? Right. So it's kind of a dystopian little vision of the world, sorry.

Michael Garcia: No.

Kip Boyle: But anyways, okay. Well, listen, we're just about out of time for the episode here today. We're really glad you joined us. Thank you for being our guest. Why don't you tell everyone how to find yourself on the internet and Third Way and anything else you want to mention?

Michael Garcia: Yeah. So just go to brings you up to the Third Way website and go to the national security program. And there click on cyber and you'll see all of our reports, our op-eds, our events. You'll see my contact information. It's, and reach out to me via email. And I am always trying to engage with folks in the private sector. I know you look at our papers, they tend to be congressional or government facing, but hearing input from private partners is really important for us that we can help better inform policy makers on the Hill and the federal government.

Kip Boyle: Mm-hmm (affirmative). Great. Well, ladies and gentlemen, that wraps up another episode of the Cyber Risk Management Podcast. And today we talked about a report that our guest Michael Garcia, co-authored, it's called a Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here? And we learned all about where the federal government should be going, but for us people trying to operate in the private sector on the internet. Yeah. I wish there was more for us, but I think we're just going to have to continue to grapple with the problems we already have in our hands. But thank you, Michael, for trying to move the needle on this. And thanks everybody for being here. We'll see you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk, it has become, we can help find out more by visiting us at and Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.