EP 93: Executive Order on Ransomware and Cybersecurity
Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.
Sign Up Now!
About this episode
November 23, 2021
Is there anything helpful in the US President’s “Improving the Nation’s Cybersecurity” Executive Order and the follow-on Ransomware Memo from the White House? Let’s find out with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
Sign up for our free ethics CLE on December 15, 2021:
Kip: Hey everybody, we're going to interrupt the start of the show with a brief announcement for the attorneys in our audience.
Jake: Do you need an ethics credit before the end of 2021?
Kip: If you do, we have a free continuing legal education course with your name on it, and it's practical for your law firm.
Jake: That's right. We're going to explore reasonable cybersecurity according to RPC 1.6C and the ABA formal opinion 477R and how that specifically applies to risk assessment and data backups.
Kip: Join us online for a one hour cutting edge CLE. It's going to happen on December 15th, 2021 at noon Pacific time, and this is going to be live. And Jake and I are going to teach you how to operationalize these topics.
Jake: In addition to the ever valuable ethics credit, you'll receive actionable advice that you can use right away.
Kip: Exactly. So I want you to sign up now. And there's two ways to do it. You can go to eventbright.com and you can search for us and find the event or more helpfully, we've put the link for you in the show notes. So get down into the show notes and find it.
Jake: We hope to see you there. And now on with this episode.
Speaker 3: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your host are Kip Boyle, virtual chief information security officer at cyber risk opportunities and Jake Bernstein, partner at the law firm of K&L Gates. Visit them @cr-map.com and @klgates.com.
Kip: Hey Jake, what are we going to talk about today?
Jake: Hey, Kip. Today, we're going to take a look at some of the federal government's relatively recent policies relating to cybersecurity. Specifically, the Biden administration's Improving The Nation's Cybersecurity executive order from May 17th, 2021, and the follow up ransomware memo from June 2nd, 2021.
Kip: This is super important. And although we're not going to talk about it today, I'm pretty sure in a future episode we should probably tackle the fact that the Biden administration has actually held a meeting with international partners to try and move an agenda forward. But as a prelude to that, let's look at the executive order and the memo because that's the basis for what he's trying to do. So let's dive in.
Jake: It really is. And as you know, and we've talked about this on the podcast here and there, executive orders are not laws, but they do have a binding effect on the entire executive branch of the federal government. And for those who need a civics refresher, that means that every part of the government that isn't the courts and Congress is the executive branch, really.
This is what most people think of when they think of the federal government. It's all the agencies, everything including the military. It's all executive branch. Let's start with that and just make it clear that it's not a law that everyone has to follow, but it might as well be a law if you happen to be a federal agency.
Kip: Right. So it's the next best thing to legislation. And they're not just suggestions, they're not just recommendations. I agree with you, these things really matter, right?
Jake: They do. They really matter, and I think we can go through that. And we're not going to talk about the details of all of the implementation dates, because a lot of executive orders, they're like, within 45 days of the order, within 60 days, within 120 days. And that's the requirement part that, that matters most if you happen to be a federal agency or really a director of a federal agency. That's all in there and you can get this for free obviously, it's a public document. We're going to talk about really what's in there and leave the implementation details to the fed.
The first thing though that I want to talk about is, and this is common to most executive orders, is that it sets policy. And even though out of the balance of the order, this is the least operational or least practical component, just because it's policy, but it sets the stage. And what I love is that the federal government is really clearly recognizing the threat posed by cyber attackers and cybersecurity risks.
And in fact, it goes so far as to say, "incremental improvements will not give us the security we need. Instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life." That's a big language, the American way of life. I love that it's being linked to cybersecurity and cybersecurity risk.
Kip: Well, another way of saying that is, this is an existential threat. Like the world as we live in it, will go away if we don't do something. It needs to be defended.
Jake: Well, and all I can think about Kip is your dystopian, horror story thing, where you say, the bad guy is ransomware. What's the end game of the ransomware gangs? It's too like, you want to access your email? That'll be a dollar, please insert it into the slot. That's really not a good thing.
Kip: Yeah. I hope to heck we don't end up there, but just think about it, if mobsters controlled everything, we know what that's like in the physical world. They go from storefront to storefront and shake down the owners for protection money. So what's the digital equivalent of that? What might that look like? And I don't know, I was just thinking about that the other day. And who would want to live like that?
Kip: The thing is that, they don't want to get rid of us, they don't want to destroy us. It's not like Hitler is saying, we're going to liquidate the United States. It's not that. It's worse than that, they want to subjugate us. I think that's worse.
Jake: It is worse.
Kip: To live like that under subjugation. I do very much appreciate that language because I think it is a good tone to be set. We talk about how executives need to set the tone at the top. And that's exactly what he's doing here, is he's setting that tone and I love it. It's very good, it's very appropriate.
And there's another statement in there. It's pretty blunt. It says, it is the policy of my administration that the prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security. That's the next cybersecurity framework right there. In terms of the way that it's constructed to prepare yourself for incidents and then actually gracefully deal with them and then get back to business.
Jake: Totally. The way that these executive orders are organized is, they are broken down into different sections. You can go through and see the different sections. So the next section focuses on removing barriers to sharing threat information.
Now, as we know this isn't a new policy or a new idea, the cybersecurity and infrastructure security agency, affectionately known as CSA, is a relatively new federal agency. And one of its core functions has always been the promotion of information sharing, but the order goes farther. And basically, it says that all federal contracts must include robust information sharing provisions. This is huge.
Kip: It's absolutely huge, it's necessary. There are going to be some unintended consequences to this by the way, which is that, the CMMC, which is the effort by the federal government to get sensitive but unclassified information better protected, all right. That still being sorted out, but I think that's in play here because it's being done through the auspices of the federal procurement process within DOD. And now, this is more expansive than that, this is about contracting with the federal government across all agencies. And so I think what's going on in DOD is a bit of a harbinger of what could be happening across the board, which is the smaller subcontractors that depend for their existence on receiving work from prime contractors as flow down, their very existence is being threatened here because they really don't have the resources or the management sophistication to do some of these things.
Then maybe this is necessary although it's going to be painful. But maybe one of the consequences is that, that the very small organizations that perform services for the federal government, they're just not going to be able to do it anymore because they just cannot swing the bat fast and hard enough when some of these attacks come at them. I think that's something that we need to watch. And it would be awful if the industry's all started to consolidate. In other words, the prime contractors start buying up all the small contractors because the small contractors can't conform to these very expensive, more sophisticated requirements.
Jake: It's interesting. Wouldn't that be awful? In a sense, I understand what you're saying-
Kip: Well, as a small business owner, let me put my small business owner hat on, that would be awful for small business owners. Because all these small companies, they're privately held, their businesses started by people who want to build wealth for their families and possibly leave a legacy for their children and from that point of view.
Jake: ... I agree. But I think at the same time, there is a ... first of all, the order is really all about making new rules and really forcing the federal agencies to consider and take all this stuff into account. It's not necessarily going to say ... it can still be a risk measured approach. In other words, if you're a smaller contractor, you're attack surface is also smaller. It might go the way that you've described, but it also might not be that bad, I think is what I will say.
Kip: I agree with you. And I'm not predicting that, that's what's going to happen. I just think that that bears observation. It wouldn't be the first time that an industry consolidated because some market shift. And so I'm not even saying it's unprecedented.
Jake: Well, there are worse reasons for that thing to happen than securing our cybersecurity infrastructure and everything.
Kip: When you're talking about an existential risk to the American way of life, that means sacrifice, right?
Jake: It does.
Kip: I'm just pointing out that one of those sacrifices could be a consolidation in the federal contracting space where a lot of these small companies just are not going to be able to afford to operate under these new rules. And that's all I'm saying, is that, it's just something to watch out for, but it may in fact be necessary.
Setting that aside there, if you're going to make dramatic leaps ahead like the executive order wants, then you're going to have to do dramatic things like increasing information sharing. If you are going to do business.
Jake: And adding information sharing clauses into the federal contracts will do it. And it's not just adding stuff, it's also, in a lot of ways, it's going to be revising them because I think there's a lot of contractual barriers to information sharing right now. I know that there are.
Kip: Yeah. I think we talked before in a previous episode about how the NTSB, the National Transportation Safety Board, whenever there's an air crash, they convene a-
Jake: You're getting ahead of things. Hold that thought, because that's coming. That's coming very soon.
Kip: ... I know. Yes, but that's the point, right?
Kip: Is that people don't want to speak up right now because there's a lot of liability. And so we need to create a space where that's not such a big deal.
Jake: All right. Well, why don't you go ahead and introduce the next major section?
Kip: Sure. It's about modernizing federal government cyber security, which, if you think about the office of personnel management, the hack there, which my military record was part of that, I got a notice about it, and all the other federal government hacks. It's like, great, it's about time that we modernized federal government cybersecurity. But again, it's a good thing. Even though ... finally, I don't want to diminish it. This is an important and significant step. And so the order actually says that the federal government must adopt security best practices advanced towards zero trust architecture. Amazing. That was me commenting, otherwise I'm reading this verbatim.
Accelerate the movement to secure cloud services, include software as a service, infrastructure as a service, platform as a service, and centralize and streamline access to the cybersecurity data and drive analytics for identifying and managing cybersecurity risks and invest in both technology and personnel to match those modernization goals. I don't know if I would've written it this way, but I think it's touching on all the important points.
Jake: Well, that's bureaucratic government speak there. There's a lot of semicolons, no one talks in semicolons. I have a question for you, which is, what do you make of this whole zero trust architecture thing? Because I feel like I've seen ... this is something I'm still learning and figuring out, but I definitely have seen mixed feelings in the community about zero trust architecture. If you have an easy definition to explain, that'd be great. If not, I did notice that section 10 is definitions, Kip. And what are lawyers' favorite thing? Definition.
Kip: Definition for sure.
Jake: We do have a definition, but I'm curious, what are your thoughts on this?
Kip: There's a couple of different ways that you can look at it. And I've been working with some customers right now to try to sort out what exactly is zero trust architecture and how do they get from where they are today to zero trust? Like, what does that look like? And let me start by telling you what it does not look like. You don't go to your favorite vendor and say, will you please sell me a box of zero trust architecture?
Jake: Wait, you don't?
Kip: No, you do not.
Jake: There's no blinky light box that sells that includes zero trust architecture?
Kip: Well, you know what? There are boxes out there that have blinky lights that have zero trust stamped on them. Like a little sticker on the front but not with zero trust.
Jake: God, Somehow I don't trust that.
Kip: That's absolutely going on. And I've seen this over and over and over again. These are just vendors trying to follow the trends and stay relevant. But, no, you don't go to your favorite vendor, whether it's an operating system vendor or a network device vendor, or security vendor, and say, please sell me some zero trust. That's not what it is. Zero trust architecture more than anything else is just a change in the way that you think about how you do work. And I think this is the most succinct definition that I can come up with.
There's a famous Russian aphorism, or I can't remember it, parable or something like that. And it says, trust but verify. President Reagan used that many years ago. And that's what our current network security approaches are, trust but verify. But zero trust architecture says, verify then trust everything. So nobody gets trust by default. Nobody gets the benefit of the doubt. A zero trust architecture's says, I don't trust you until you prove to me that you are who you say you are. And the more shady you act when I first see you and the higher value asset you're trying to get to, and the weirder the place you're coming from, the more you're going to have to prove yourself.
Jake: I like this then. That is a good explanation. And I'm also skimming the, quite honestly, fairly long paragraph.
Kip: Let's not read it to people, they'll not like it.
Jake: We will not. We won't read it.
Kip: You can go get the executive order and read it for yourself. But let me just give you one very simple example. Today we've got perimeter networks. We have firewalls and perimeter networks. And the base assumption is that, if you somehow get into the internal network, you have a certain amount of trust. And so zero trust architecture says, no, there is no such thing as a perimeter network anymore, where if you can get into it, somehow if you have an IP address on the internal network, I'm going to give you a certain amount of trust to move around the network. And zero trust architecture just completely blows that up.
This is a big deal because we've been building network perimeters as a security mechanism from the beginning. We don't know how to do it any other way, the industry has no idea. And the vendors are struggling too, because everything that they've been building and selling for years now, 30 plus years, has been built around this basic assumption that there's internal networks and external networks, and zero trust says, nope, it's all dangerous networking.
Jake: Well, I think that's reality.
Kip: It is reality. We're finally catching up to reality.
Jake: Interesting. Well, this is not ... maybe we can do a different episode on zero trust at some point.
Kip: I think this-
Jake: This is not that episode. We can add it to the Trello board. One of the things I wanted to say and I'm just going to skip a little bit here is, the order obviously spends quite a few pages describing the various steps that all of the agencies must take. Like I mentioned, it gives timelines. The next section though, it's something that we've discussed before Kip, and that would be-
Kip: ... Supply chain security.
Jake: ... Yes. Enhancing software supply chain security. And I love that the phrase software supply chain security has made it into an executive order. It's a small thing, but the recognition that this is an issue is big. And I love the actual phrase used. This is so obvious, but yet so important. Are you ready for go for it?
Kip: Go for it.
Jake: Security of software used by the federal government is vital to the federal government's ability to perform its critical functions. All I can say is, indeed.
Kip: It's always been the case, but sometimes you just have to say things out loud in order to truly appreciate the reality that you're living in. This is very good. Now, I don't know who wrote this executive order, president Biden didn't write it. And presidents don't write their own executive orders.
Jake: That is true.
Kip: But clearly somebody or some people who have their finger on the pulse of what's going on in the world have written this, and so this is wonderful. And on the heels of some of the software supply chain, things that we've seen lately, the CSA attacks, for example, the whole NotPetya thing in 2017 was a software supply chain attack, because the intruder put the disc wiper inside of a software update. And that's how it got pushed out, it came over a trusted software update channel. There's no doubt that this is an issue that's got to be dealt with. And in fact, you and I have even spoken to groups about what an important thing this is. So I'm really happy to see it.
Jake: I promise you were slightly ahead of yourself. Now, section five, Kip, go I know you want to talk about this.
Kip: Yes. And I've been mentioning this a lot lately. Yesterday, I did a session with a trade group, and I was at their conference and I was talking about this. Section five of the executive order talks about establishing a cyber safety review board, which is amazing. It is conceptually very much in line with the national transportation safety review board. If you have a massive traffic accident on the nation's freeways, on the railways, or on the air routes, it's within the purview of the NTSB to investigate it, and the idea there is to discover root cause and effect a change. So this is about science. It's not about politics, it's not about liability, it's not about determining fault, it's not about lawsuits. It's a safe place to just talk about and discover what went wrong and what are we going to do to keep it from happening? Which is why I love cyber safety review board as a title.
Anyway, we could probably do a whole episode just on that, but I just want to acknowledge that this is a really smart move and I really hope that this becomes a reality. So there you go, that's what I want to say about that. And we'll keep an eye on it. Now, what else is in this executive order that we need to talk about?
Jake: The next section is called, standardizing the federal government's playbook for responding to cybersecurity vulnerabilities and incidents. And yes, this is another, it's about time thing, but I'm really happy to see it happen. And quite simply, it recognizes that cyber incident response currently varies across agencies. And that, that lack of coordination is not a good thing. I agree, the devil will be in the details, but it's a good thing to recognize. And it's a short section so I'm going to just move ahead and I actually just name a few others as well.
Section seven is, improving detection of cybersecurity vulnerabilities and incidents on federal government networks.
Kip: Big deal.
Jake: Obviously that's critical. If you can't detect, then there's all sorts of things you can't do. And then section eight, is improving the federal government's investigative and remediation capabilities. These are both very good goals, I think-
Kip: And they're going to be difficult though.
Jake: They are going to be very hard.
Kip: They're going to be very difficult, because nobody's really doing a good job of this right now. It's very difficult. And I liken it to having a warehouse with all of your inventory in it and you have no idea who's coming and going, not a clue. And people can just wander in there and just graffiti the place, or they can hang out in there for days and take detailed inventories of everything that you own, and then back a truck up to it and start making off with your stuff in the middle of the night and you have no idea what's going on. And this would never be tolerated in the real world, we'd have video surveillance cameras and so forth. And it's just striking to me that our digital warehouses have none of this.
Jake: It is. Again, it's going to be hard, actually quite a few of the time limits have already passed. A lot of them were 45, 90 days. There are some that are quite a bit longer, nine months to a year. And so it'll be really interesting to see where the federal government gets by next may. But I think that this is ... again, I don't want to take anything away from it, even though it is hard and may not work-
Kip: It's ambitious.
Jake: ... It's a good thing to do.
Kip: I think it is a good thing to do. As we start heading towards the end of the episode here, how about if we shift our focus now and talk about the ransomware memo. We just talked about the executive order. Now, let's talk out this ransomware memo. It's very short, it actually refers to the executive order. It came out around the time of the colonial pipeline attack. And that was no coincidence, which is really good. And the government is really saying to the private sector and particularly, the part parts of the private sector that are critical infrastructure. Like, you need to do a better job of protecting yourself and they're right but there's got to be more to it, obviously.
And the memo says that the federal government is going to do its part to, "to disrupt and deter ransomware actors." This is great. The white house has awoken to the fact that, that ransomware and the larger cyber attacks are an existential threat to the American way of life and that they have to do something. This is a great start, but I think that it's not clear at all what they're going to be able to do. And I don't think it's clear at all how long is it going to take to get it done? This is some really heavy lifting. I think it's going to take years and years and years to actually do it.
Jake: Well, it was like a three page memo. So there's only so much that we can expect out of it. But I do think it's important. And I save this for you, because I think that there is a clear favorite part for you, so it's a float. Just go ahead and read it and then we'll talk about it for a moment.
Kip: Yeah. So the most important takeaway from the recent spate of ransomware attacks on the United States, Irish, German, and other organizations around the world is that, companies that view ransomware as a threat to their core business operations, rather than a simple risk of data theft will react and recover more effectively. And damn it, they stole my line.
Jake: They totally did.
Kip: Yeah. And my way of saying it is, cyber is a business risk and you have to treat it with all the gravity of a business risk to your sales function, your order fulfillment function, or your account's receivable function. If you can't do those things, you're going to go out of business. I'm asserting and now the white house is agreeing that cyber is a business risk and you absolutely have to deal with it as an existential threat. And what I like to say actually is, it's a material risk. Because that's what our auditors and financial people call things like this. It's a material risk.
Jake: If you happen to be a public company, it's also what you have to put in your report to the SCC. The material risks.
Kip: Which we don't have that yet, and I want to call it the AICPA to figure that out.
Jake: Well, I knew you'd like that part. Let me run through the memo's advice as to what to do right now. First, it says to implement the five best practices from the improving the nation's cybersecurity order that we had just discussed. Now, I did conspicuously save these for right now, they're quick. And I think we're going to like these, I like these. They are, one, use multifactor authentication. Good, Can't disagree with that.
Two, use endpoint detection and response. Also, a good idea. Three, and I'm paraphrasing, encrypt what you can. And then I thought it was funny because I counted four and I made it into five, so I'm not sure who wrote the five best practices. But I think what they meant was, four is, have a skilled empowered security team. I think that actually deserves to be its own best practice. It's hard, I fully understand, but look, if you can't hire one train one. Help them.
Kip: Contract for one.
Jake: Contract for one, et cetera. That's really what it comes down to. And then what does that skilled empowered security team need to do? Patch rapidly and share and incorporate that information into your defenses. That's good stuff.
Kip: It is good stuff, but I want to be super clear about a big takeaway that people should have from this, is the federal government is saying in effect, it cannot protect you. You need to have a skilled empowered security team and you need to do these things. The federal government is not going to do these things for you. It's not in a position to be able to do these things for you. It's almost saying, you need your own police force.
Imagine if the topic here was armed robbery. What if there were armed gangs just roaming the country, and they would just roll into whatever storefront and stick a machine gun into the cashier's face and take the money? Now, if the federal government said, well, gosh, you need to have strong locks on your doors and you need to have alarm systems and you need to have a skilled and empowered security team and blah, blah, blah. I think people would be like, what?
Jake: It did at one point. That was, police forcing was private way back in the day.
Kip: Yes. And so I just want to point out that the people who are alive now, don't remember a time, I don't, when we didn't have a publicly funded police force. Just like the people alive now don't remember when we didn't have a well-funded publicly supported fire department in all Metro areas.
Those all evolved and they used to all be privately run or just volunteer organizations, but we have formalized it, we've raised taxes to fund it, and we're at the embryonic nascent stage of trying to figure out how are we going to police the internet? And the federal government is right now telling you, you have to raise your own private digital police force because they can't do it yet.
Jake: That's a really good point. So why don't you run through their ... they actually gave five additional pieces of advice. All of which are good. They're solid.
Kip: It's all good. And I think it also lines up really well with what the insurance companies are saying right now, because the insurance companies are taking a leadership role on how do you mitigate and prevent the biggest cyber risks? Because guess what? They're underwriting all of us. And so between the federal government and the insurance companies providing leadership, I think it's all very good. They talk about things like backing up your data, making system images and so forth. There's nothing controversial about that. But small organizations struggle to do this. Update patch systems promptly, yep. Test your incident response plan, of course. We do fire drills once a year, twice a year, something like that and testing your cyber incident response plan, ultimately is going to become the same thing.
There's some other advice. The fourth thing is, to check your security team's work by using third party auditors, network, penetration, testers, and so forth, yes. And then the fifth one is, segment your networks. Now, segment your networks, yes for sure, and definitely keep your operational networks separate because they're just much more brittle.
Quite frankly, all these internet of things out in the industrial areas don't really have very good security, so you've got to keep those things segregated. And what's really important about that is, people can die when valves are turned, when they shouldn't be. Think about the attack on the water supply in that small municipality in Florida, the attackers increased the quantity of lye that was going into the potable drinking water, and you know what? Too much lye will hurt people and potentially kill them.
If you think about an oil refinery that has wifi access points attached to an industrial controls, about how much and what quantity of oil should be flowing through a pipe at any given time. And in fact, Gartner, the research organization recently made a big prediction about this. They said that, and I want to make sure that they said it right here, so hold on here. Let's see, by 2025, cyber attackers will have weaponized operational technology and they have a new term called Killware. And they actually think that people will begin to die because operational technologies are going to start to be hacked in a way that is going to result in the loss of human life.
Jake: It's a sobering thought, but I think it's critical that we actually stay aware of it and realize that it's real. One, it's already happened, there's example of it. And I don't-
Kip: I read somewhere in medical centers.
Jake: ... Yep. Additionally, we don't know for sure, but the NotPetya cyber attack was a cyber weapon deployed against Ukraine and it basically damaged heating systems during the Ukrainian winter. And I'm sure people died because of that. We don't know for sure, but it is the case.
Kip: Well, there's a lot of incidental damage that's hurting people.
Kip: But I think Gartner is saying, nope, an oil refinery is going to blow up as a result of digital tampering and workers at that refinery will die as a result of it. I believe that's what they're saying.
Jake: No, and I think that's unfortunately a macabre but I think realistic prediction.
Kip: It's awful, and I don't want that to happen. But fortunately again, in this memo, it's calling it out. The signs are here, there are flags flying right now that you need to segment your networks and you need to keep your operational technology networks well guarded.
Now, unfortunately it's still relying on this trust but verify model. When you segment your networks, you're still implying that there's an internal versus an external network, or there's a more trusted security zone versus a less trusted security zone. So this not consistent with zero trust architecture, but take what you can get sometimes.
Jake: Well, I think we can very much all live the ex files life of trust no one. At least our digital friends need to understand that and live that way.
Kip: For sure. Well, do you have any final thoughts or should we wrap it up?
Jake: No, I think we've scared ourselves. By the way, we're not diverse people to talk about Killware and things like that. Bruce Schneier has a book called Click Here to Kill Everybody. We've previously discussed a book called, By The Time You Read this, It Will Be Too Late. That had a similar theme. I think the people in the industry have been concerned about this for quite some time. And I think it's going to be a tragedy, but it also will hopefully serve as a important wake up call when it does happen.
Kip: You're right that this has been talked about before. The reason why I think this is noteworthy is because Gartner is a respected and closely followed IT research firm. And they're known for making predictions about what's going to happen in the future. And I don't know exactly what their track record is, but I just think it's very noteworthy that they now have gone on record of as saying, we really think this is going to happen. They've actually put a date on it. And so they're actually forecasting it as ... and this is now a planning assumption that organizations need to work from.
Jake: I think it is. And of course, now that you've mentioned it, we have to end it with a legal thought, which is, now that it is a planning assumption, everyone knows that when there's unlawful deaths, or anything to do with an industrial accident, lawsuits do to get filed, someone does ultimately pay. I would not want to be the executives who didn't do things like segment my network and implement zero trust architecture if this happens.
Kip: It's funny for you to say that because I don't think I led you to this exactly. But there's another Gartner prediction. 75% and of CEOs will be personally liable for what they call cyber physical security incidents by 2024. And that's exactly what you just said, is that somebody dies because a cyber device attached to a physical thing will cause death to workers, or staff-
Jake: Patients, whoever-
Kip: ... Patients, customers, and CEOs are absolutely exposed to being personally liable for that.
Jake: ... Yep. Well what a cheery final thought. I think we should wrap it up now, before we get even more-
Kip: Nobody listens to our podcast because they want to feel better about the world.
Jake: ... No, that is true.
Kip: Gosh. But I think we should feel a little encouraged by what we've covered today. Right?
Kip: The executive order and the memo. That's what we did today on the Cyber Risk Management Podcast, we examined the president's improving the nation's cybersecurity executive order, and the follow on ransomware memo that came from the white house.
Again, we're really glad to see the government is recognizing all of this and taking action. I just don't think it's going to result in anything substantial anytime soon, but that means we'll see you next time.
Jake: It does indeed. We'll see you next time.
Speaker 3: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cyber security hurdle that's keeping you from growing your business profitably, then please visit us @cr-map.com. Thanks for tuning in. See you next time.
Sign up to receive email updates
Enter your name and email address below and I'll send you periodic updates about the podcast.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.