BSidesSF 2023 - Space and Cyberspace at the White House (Tanya Simms, Lauryn Williams)

hello everyone thank you for joining us this afternoon we are delighted to have Tanya Sims and Lauren Williams to talk to us about space and cyberspace at the White House thank you so much for that introduction um I guess first off welcome back from lunch um these seats are very comfortable so feel free to recline back and listen to us drone on about policy um yeah very exciting I got a woo somewhere um okay so uh first off um I guess a round of introductions my name is Tanya Sims I'm the director for cyber policy and programs at the office of the national cyber director over the course of the last 12 years prior to oncd um I was I've been in the National Security Systems cyber defense sort of community making sure that our critical assets critical for military operations for other uh sensitive National Security missions are well defended and protected and so I see one of my former colleagues in the audience there but I guess I shouldn't point to him because he might have issues with that um but uh anyways so um at the office of the national cyber director um oh and CD as we like to call it um uh my primary goal as a director for cyber policy and programs is to look at critical infrastructure related governance right how is the federal government Community organized and um sort of around critical infrastructure systems protections and so you think about sort of all the Departments and agencies uh dealing with the 16 critical infrastructure sectors that we have in this country um that are called sector risk management agencies right how are we actually working as a cohesive unit to properly defend the different sectors from cyber related risks and vulnerabilities attack but also how are we talking about sort of private public collaboration when it comes to critical infrastructure systems cyber security as we all know probably that um over the course of the last 20 years critical infrastructure is mostly within private sector hands right right and so public private collaboration in that sense is very important and Space Systems while not a critical infrastructure sector per se formally designated as such we recognize it to be a critical underpinning function right when you think about not just military application but also sort of all of the communications GPS right weather monitoring that that we rely on um in our daily lives is just average civilians right Space Systems becomes incredibly important and so these are just some of the things that I focus on within oncd Lauren thanks so much Tanya I'm really glad to be here with my colleague given all of the Aries expertise that she's focused on for for a long time I'm Lauren Williams and I think we very much are here to bring put the space in cyberspace through this panel and this conversation um and I am a senior advisor for strategy and research was in the office of the national cyber director and have been in this office for the better part of this year but previously immediately before coming to the White House was working in the Department of Defense in the office of the assistant secretary for space policy which is I'm sure as many of you know space policy particularly within the government is kind of a new a growing area an expanding area of focus given all the reasons that Tanya mentioned that's because Space Systems are so critical to way of life to National Security to our economy and so I joined that that office relatively immediately after the space force was created lots of activity around space issues within the Department of Defense while I was there I focused very particularly on kind of the intersection thinking about the intersection between National securities-based missions and how we can better leverage our Partnerships with the private sector particularly many of the companies that are based here in California how can the Department of Defense way on the other side of the country be better integrated and thinking about how the private sector does things and incorporating that way of thinking and systems and services into how we do things back in DC and since I joined the White House when I walked in the door as the person who had come immediately from from the Department of Defense working on Space issues this issue of space system cyber security was one that had been percolating it's one that Tanya had been thinking about at the White House for some time but it's one that needed kind of further high level attention from our perspective at the White House and so we're here today to talk to you about um I would say in the better part of the past six months of effort on going within our offices to lend more of that high level next expertise and invisibility to this issue okay and with that maybe the next slide so first off right um a little bit more about the office of the national cyber director how many of you have heard of oncd just a oh there's a lot of you okay well um I will still do my spiel Berg and so um Owen CD right um the newest sort of organization policy organization at the White House um I I'll just circle back right over the last 40 years and that predates my existence on this Earth but over the last 40 years there's been sort of a debate a discussion at the highest levels in terms of how do we organize as a US Government around cyber security as the sort of thing that is not just you know in the movie movie hackers as a subculture right but as a as a critical function that that underpins sort of everything that we are doing um and so there's this rapid Innovation rapid sort of Market expansion and then and also a growing rapid need for cyber security and so um there has been this debate but really sort of I think no sort of central point to say how do we actually do this how do we actually create some accountability in this space and so in 2019 um the uh Solarium commission um stood up and sort of tried to examine and how do we actually do this right and what the commission found was that there is a need that there is a gap to be filled with the creation of a national cyber director well first the commission thought it was going to be a great idea to maybe create a new Department of cyber that was scrapped pretty quick pretty quickly right we we need more federal agencies um but no so uh after sort of toying with the idea of the creation of a department of cyber they said well what if we had sort of an organization at the highest level at the White House um who had the sort of a national cyber director who had the convening authority to to bring together public and private stakeholders like never before right no one truly has that Authority whether you go to sort of a specific Federal agency like sizza or NSA or whatever right not one of them has sort of um an overall convening authority over the entirety of public and private and so this office would be sort of stood up to first and foremost have that convening Authority and then um the other point right um is that um Congress agreed with that assessment surprisingly so um in uh 2021 the National Defense authorization Act of fiscal year 2021 actually called for the stand-up of this position the national cyber director and so in June of 2021 um Chris Inglis so many of you might have known him um former deputy director of NSA and also fighter pilot extraordinaire um he was actually sworn in uh sorry confirmed by the Senate to be the nation's first cyber director and in July he was actually sworn in but he was employee number one so we like to call ourselves a startup of the White House um for all that who have worked in federal government that is um it's it's both fun and interesting and daily excitement right but uh as employee number one right he had the hard task of right-sizing the organization because he can't obviously cannot do it all so over the course of the last year we've grown to 80 people strong within oncd and I would say it's still growing right and we have people like myself and Lauren and others from um sort of private and public sectors to bring their background and experiences to bear in onc and um what is really our mission so our mission right one is that public and private partnership what does that actually mean right we've talked about it and talked about it and talked about it over you know decades and decades but how do you actually bring that to bear what do you do to bring some accountability to that second is federal coherence who is actually doing what in the federal sphere right if you're going to reach out to or if you have a concern about a cyber security risk or vulnerability who do you reach out to you shouldn't write um you just have to Google it right you should have a roster of candidates at your disposal to reach out to for additional information and to be connected to the right people right you don't want to just be constantly searching and searching and searching um third is increasing future resilience right cyber security isn't something to just sprinkle in after the fact after you know a cyber 911 type of event right you want to we want to consider a culture where it's cyber security by Design so that we are increasing the security and resiliency of products that everyday citizens use whether that's you know your your grandparents or also your children or the businesses and the organizations that you support right um we want those products to be secure by Design and then fourth is aligning resources to aspirations um very very important which I think is um a little bit different from maybe some of the other organizations that have been stood up at the White House level where this one is especially when we're talking about cyber security cyber security can be expensive right and maybe not all the different organizations that we're talking to have the resources to actually do the things that that we are asking of them and so how do we align that there's a specific team within oncd looking at budget right looking at and talking to different organizations to make sure that we can have those resources that align to what we are talking about and that gets into sort of implementing and talking about a national cyber security strategy all right so I think that's a great lead-in to again our very new organization just showed up in 2021 um just very much now uh reaching its full strength and uh kind of thinking about the full breadth and range of activities that an office of the national cyber director should be undertaking for the purpose of increasing security and resilience across the digital ecosystem and so it's been it's been very busy and as Tanya mentioned it's been an exciting time um and not least because in just last month early in March 2023 the Biden Harris Administration released a national cyber security strategy and as I'm sure many of you know this was the first cyber security site the first cyber security strategy but the first cyber strategy uh released within the last five years and for this Administration and this strategy is very much focused on what we like to call an affirmative vision for cyberspace an affirmative vision for a digital ecosystem that is different from from previous versions previous iterations of cyber strategies because it's not one that's focused on the threat actors it's not one that's focused on you know what we need to do to um what we need to do to defend ourselves from threat actors primarily but also to think about how we can be better using cyberspace to enable all of the things that are important to us as Citizens and across National Security and kind of economic implications and so kind of the key underlying principles are that you know cyberspace exists to help us achieve our goals it should be an enabler not an impediment the end state that we're seeking is a digital ecosystem in which it enables civil society and defense and National Security as well as cooperation in advanced areas like space um and so the key fundamental shifts that are important to highlight are are the ones that are listed on on this side of the the slide here and they are one kind of the primary uh fundamental shift uh that has been getting a lot of attention is this Focus um now within this Administration to Shifting the burden of responsibility from the actors that are most vulnerable that are at least um least able to handle it to those who are most enabled and most empowered uh to be able to make the changes that can have Ripple effects across the digital ecosystem so very specifically we're talking about government we're talking about bigger companies that should have more of the burden of responsibility than for example our grandparents or us as individual citizens who have been told you know just change your passwords or do XYZ and and then um you know you will you yourselves will be will be protected those things are all important but there's also a bigger conversation to be had about where the burden of responsibility should lie so that is fundamental shift number one number two uh to Tanya's Point earlier as well focusing on implementation and thinking about what should be done kind of realign incentives there's a focus in this strategy on realigning incentives to favor our longer term aspirations and Investments the strategy itself is organized around five critical pillars which are listed on this side defending critical infrastructure and disrupting and dismantling threat actors shaping Market forces to drive security and resilience investing in a resilient future and finally for and last but not least finally forging International Partnerships what we would argue as we we transition to talking more about space cyber security is that the national cyber security strategy and the Five Pillars included in that strategy are an opportunity they provide an opportunity their policy it's a policy document a strategic kind of high level language but it provides an opportunity for us as government and as a private sector and across Society just apply those principles to real world challenges to real World threats that are ongoing today and one area of growing activity and growing Focus for our office as well as other elements at the the White House the National Space Council National Security Council as well is the important and Urgent issue of space cyber security foreign all right so in particular the work that we have been doing and thinking about related to space system cyber security very much is driven and motivated by the existing policy and the law of the land when it comes to space cyber security and so this is very specifically space policy directive five which was released during the previous administration um and it is good policy we would argue um it is high level it it provides General policy and five principles to apply to the space ecosystem and kind of stepping back for a moment uh the policy is based on the the assessment and the argument that you know Space Systems are a critical and critical enabler of all critical infrastructure those 16 sectors that Tanya mentioned here on Earth and so we don't just care about space for space's sake or because it's cool we which all of which is true but we care about it because Space Systems they satellites allow us to utilize GPS here on the earth they enable Communications more and more you know companies are providing private sector companies are providing space-based internet and communication Services you name it probably any daily activity that you rely on also relies on on Space Systems and so for that reason it's incredibly incredibly important for us to think about how we can better as across private and public sector how we can better ensure that space systems are resilient to cyber threats and thinking a little bit more uh thinking about the threat environment it is I'm sure very well known to all of you that in the Ukraine Russia Ukraine context over a year ago the very first shot we would argue in that in that conflict was a Cyber attack on a U.S U.S based space system which had Ripple effects across Europe and so they're very very real threat and kind of urgent urgent challenges to be addressed so go ahead yeah no I just wanted to underscore that last point right and so during the Russia Ukraine conflict we saw that um space assets weren't just focused on for sort of projecting military operations or military might but specifically when it came down to it the impact to the civilians and the Dual nature of space assets is what we're talking about in terms of criticality right um Communications for you know phone signals were disrupted but also access to Internet for just people trying to go about their daily lives and then the other point is what we're talking about when when you hear sort of thought leaders talk about great power competition um and just you know great power competition in in terms like that right we think about Russia the the People's Republic of China right you think about the doctrines that they have issued which which highlight the importance of space assets not just because of the Dual nature but because of both the economic Advantage um in sort of peacetime as well as in Wartime that military advantage and so um space Assets in in in that respect right remain incredibly important um for us as a government um but the issues with spd5 So principally speaking the general principles that are outlined here right I think everybody can agree these make sense they look good they sound good they feel good but at the end of the day we're lacking one a lot of technical detail right we're lacking what what are the steps to implementation what are those some of the key features that people can really grasp and say okay this is how I'm going to prioritize my cyber security in in working through this issue um and so those measures are sort of missing right we don't have sort of accountable parties even listed out in the actual directive calling out different government agencies for example in terms of them having accountability over certain aspects of of what is presented in spd5 the other point is that there is no enforcement mechanism that in that sense um it's policy not law and for the lawyers out there right that distinction is very very important it's not statute right no one is required to do it it's not a mandate and so um in that sense right if there's no implementation details right and there's no nobody's sort of cracking the Whip or not even cracking or providing a very soft carrot right to say like Please do this right um then who's actually tracking progress um when it comes to a space system cyber security um and so with with solarwinds I think we saw a lot of the challenges associated with supply chain security but also first and foremost it was an issue with information sharing and truly understanding what resides um within your software product and so something like spd5 right what we're saying is well let's take these basic principles and let's add some teeth to it but also let's let's provide some technical details where we can get at things like soft uh supply chain security absolutely and then the other element that is really that is critical and it also uh very much fits into our ethos as an organization is that as we all know uh the private sector is very much kind of driving the pace of innovation when it comes to thinking about the growth of the space economy and all of the Innovations across the the ecosystem of Space Systems so we're talking about launch and Commercial imagery satellite Communications cloud and data infrastructure the private sector is very much on the Leading Edge of innovation and so we as oncd with a very much a focus on public-private collaboration and our partners within the White House would agree um very much see the the importance of especially even in just you know the past three years when uh since spd5 was released very much see the importance of Leaning into understanding perspectives fro