On The Digital Life this week, we chat about the Department of Homeland Security’s new cyber defense organization. The National Risk Management Center will be in charge of coordinating efforts to prevent hackers from targeting key US economic and other assets including the country’s power grids, energy infrastructure, and importantly, its electoral system during the midterm elections. The new organization will work closely with private companies to tackle the wide variety of cyber threats facing the nation. Join us as we discuss.
Jon: Welcome to episode 270 of The Digital Life, a show about our insights into the future of design and technology. I’m your host, Jon Follett, and with me is founder and co-host, Dirk Knemeyer.
Dirk: Greetings, listeners.
Jon: For our topic this week, we’re going to chat about the new Department of Homeland Security cyber infrastructure defense organization, which is entitled the National Risk Management Center. It’s going to start coordinating efforts to prevent hackers from targeting things like America’s power grid, importantly the electoral system, the election system for the midterm elections, healthcare, other power infrastructure, things like that. I thought it was an interesting move for Department of Homeland Security to start this sort of public-private partnership.
I think the way it’s structured, the Department of Homeland Security is going to staff this National Risk Management Center with experts, who are then going to be working with private companies who would then let the center know that they’re experiencing some kind of cyber attack. They’re also going to embed some of these experts within companies, so it’s going to be very much this hub-and-spoke model of cybersecurity with both public and private people involved.
The reason I find that interesting, I feel like it’s a good idea. I kind of wonder what other efforts along this line have been made before. It seems, on its face, to be a great idea to me, and I think it starts to raise the level of awareness from a public discussion standpoint that we are really in a new era when it comes to … We talk about the digital life every day, but there is also this cyber warfare, which is just an ongoing threat, an ongoing difficulty. It is diffuse, it is constant, it is dangerous, and it is creeping into all kinds of aspects of our lives. Before I go into my rant on this, Dirk, what were your impressions of this announcement, the structure of it, the general approach?
Dirk: Yeah, I mean, there’s a lot of layers here. First, it is, I think in this day and age, important at the national level to have significant investment in cybersecurity and to be thinking about it across a broad spectrum, including those covered by this program. The fact that it’s being thought about and something is happening sort of at the macro level, I think, is a necessary thing. I don’t have any insight into what was or wasn’t happening before or in addition to this program, so I don’t know if my feeling should be, “Thank god, finally,” or, “Okay, yeah, this is just sort of a small extension of good things that were already happening.” But something should be happening, so I’m glad something is, even though I don’t know if this is the right thing or not.
The fact that it’s sort of centered in the Department of Homeland Security, look, Homeland Security’s been around for about 15 years. It came out after 9/11. Certainly in the early days, there were a lot of concerns about human rights abuses. My impression of the Department of Homeland Security, as someone who hasn’t studied it but as a citizen observing it through the media, is not positive, but that’s now old, right? I don’t know how the Department of Homeland Security has changed. I know a few years ago, there was a whole fight in Congress where the Republicans, to try and get their way, were going to defund part of the Department of Homeland Security, which seems opposite to my impression of it being sort of a hawkish, Republican initiative.
I don’t necessarily know what’s going on with that organization at this point, but sort of my mental model of it, now going back a long time, is not a great one. Take that for what you will. I think it’s very interesting that they are integrating so deeply with corporations to the point, as you mentioned, having their employees, having their team members, embedded into corporations. That starts to get into sort of delicious sci-fi territory for me.
Jon: Yeah, that could have sort of positive or negative effects. I wonder. The way it’s been characterized in the news is that DHS employees will be assigned to specific companies to work with them. That’s what I meant by embedded. I don’t know if that means they’ll be on-site. Certainly in this day and age, you don’t need to be on-site anywhere to be part of an organization. You can obviously be a remote employee. That’ll be interesting to watch that play out.
I think the larger narrative here is important, because I think, as much as cybersecurity is in the news, I think we’re largely ignorant of the ebbs and flows of cyber attacks in the United States, only understanding it when it’s an inconvenience or when it’s a political issue. Inconvenience, perfect example of this is last year Netflix and some Amazon Web Services were taken down by a denial-of-service attack, which I believe was traced back to a Chinese botnet. There was a New England-based firm that basically handles a lot of the internet traffic, and their servers were hit with this denial-of-service attack. Everybody all of a sudden paid attention, because you can’t watch your movies anymore, so your life is disrupted in some small way.
Dirk: Yeah, when our government gets attacked, that’s not important, but boy, if I can’t watch some little TV show, oh my god, it’s time to march in the streets, right?
Jon: Yes. It’s binging, man. If you can’t binge, what are you going to do? That made news for a while. Now, as we’re starting to begin to understand the levels of disruption, misinformation campaigns, and just sort of news items that are not real that sort of populate our social media spheres, as we’re becoming more aware of those targeted activities, we’re starting to understand really what it means to live in a digital world and have our thoughts and our day-to-day lives sort of influenced by that. More specifically, we’ve migrated certain aspects of our day-to-day conversations, contacts, important information, our memories even, our photographs, our writing, all of these things we’ve migrated piece by piece online.
As we’ve moved into this new territory, I think we’ve sort of naively assumed that we could either sort of trust that whatever mechanisms we’re using, like the doors are locked and the windows are closed and it’s a safe place to go. I don’t think we’ve ever really faced up to the fact that there’s lots of bad actors and that we’re exposed. This sort of goes across what we’re considering expanding this digital footprint, especially with the Internet of Things and the sort of smart cities for regulating everything from municipal services to traffic flow to you name it.
We’re creating all these points of entry into our lives, into our physical lives, because now you’re driving a car through an intersection that might be regulated by some IoT-enabled traffic system. That is an attack surface. We’ve created a digital double of our traffic in cyberspace, and now that is just a place that can be attacked. There’s sort of any number of ways to create mischief or real damage. Then, of course, we talk on the show a lot about automated cars, self-driving cars. Once again, plenty of attack surfaces there. It’s almost as if we are still … As much as we’ve digitized our lives, we are still very much naïve about the ability to protect that digital life. We’ve left ourselves open, both locally and on a national scale. I think that we are just seeing the very beginnings of our understanding as a public of these issues, and I think this conversation can’t happen quick enough, at least for me.
Dirk: Yeah, and I mean, a lot of it is there’s no accountability. Companies are motivated by profits. They’re not motivated by safety first. It’s sort of profits first and then safety. We want to be safe, but if it’s too expensive or too slow or somehow interferes with our killing it, then it’s going to get short shrift. That’s a systemic problem. That’s a social problem around how our country is structured, how our value systems are structured, and is at the core of all of this. If it was safety first, if you had to have things locked down to a certain degree before you could do anything, there would be a lot better security, and there would be a lot less stuff. We like our stuff, Jon. We love stuff, so stuff first and safety last.
Jon: Yeah. Unfortunately, I recall one of our discussions, Dirk, where you had said, “You know, in order to be safe, you just need to unplug it,” so you’re not going to have your computer hooked up to the internet if you really want to be 100% sure you’re not exposed.
Dirk: Yeah, I mean, it’s not rocket science, right? There’s a reason why they call them computer viruses. How are real viruses protected against? Just think of the cleanroom model. Think of the steps that are taken in order for researchers and individuals to not be infected with viruses. The physics of that translate into cyberspace. Yeah, you have to remove yourself. You have to safe room yourself. You have to unplug yourself. But we don’t want to do that, do we? Then we can’t watch our Netflix, baby.
Jon: Yeah, as much as we all love Netflix. I think you hit the nail on the head there in terms of identifying profit motive and cost as being huge blockers in terms of creating this safer and more sane infrastructure. I think there’s going to be at least discussion of, hey, what do we need to do to rebuild, update, or otherwise make more secure the infrastructure services, both digital and obviously we have physical infrastructure issues in the US as well, but serious digital infrastructure investments that would at least shore up those systems so they’re not able to be hacked in the same way as they are now.
Just to reflect further, this is somewhat dystopian and feels farfetched, but there have been in the past couple years, attacks on Ukrainian power plants, for example, software cyber attacks that have shut those plants down for a period of time. It is not out of the range of possibility that these things can happen. Whether that would just be a minor disruption or a long-term problem, I’m not sure, but it is not out of the realm of conceivability that we could be dealing with this stuff in a much more present way as cybersecurity becomes more of an issue in the US.
Dirk: Yeah. Yeah, it is an area where just as citizens not involved in the government, it’s hard to have an informed opinion, because we don’t really know what’s going on, as you pointed out earlier. It’s similar to terrorism. You periodically hear stories of, “Oh, this terror threat was thwarted. That terror threat was thwarted.” There are a lot of, quote-unquote, terror threats, whether that’s some sort of imminent attack or sort of fizzling out some kind of agent in the nascent days, but the stories we really hear about are the ones when there’s an explosion or people are dead. But those are the strong minority.
Cyber is similar. We don’t know most of what’s going on out there in terms of attempted attacks, successful attacks. We hear less about successful cyber attacks than we do terror attacks, because when something blows up and people are dead, they can’t really be hidden. I guarantee you there’s a lot hidden that’s done behind the scenes in cyber attacks that we have no awareness of. Ultimately for me, I feel informed enough to talk about this as an important topic and one that should be an issue of national focus, but I’m ignorant.
I don’t know what’s really happening behind the scenes and to what degree we’re ahead of the curve or behind the curve or just sort of treading water. It’s interesting to talk about and sort of raise awareness to it, but where some things on the show we talk about, I feel like with some authority I can make suggestions, recommendations, here I feel like a babe in the woods. I’m just hopeful that the right decisions, the right level of investment, the right type of technology are being brought to bear in ways that I don’t and even can’t understand.
Jon: Yeah. Not for nothing, but for a long time, Mac users were really in the minority of computer users. Now since Apple has become the behemoth that it is now, there are a lot more users of Mac laptops and things like that. But another sort of aspect, at least if you were a user of MacBooks or whatever, is that we’ve not been hip-deep in the PC realm where there’s a lot more deliberate attention paid to security. The Macintosh realm has always been such a small slice of the computing realm that I think for years we were isolated from just the sheer volume of things that you needed to do to prepare your computer to make it safe to use.
Every time I use a PC, I’m always astounded by the inconvenience of a variety of security mechanisms. Not to say that we don’t have those on the Mac as well, but I think that that’s also colored my view of security, just because I’ve never really been a PC user. That’s isolated me from the random virus attacks and things like that. But now, it feels like neither Mac nor PC are safe, so I feel like that time of isolation is long past. I don’t know if you feel the same, Dirk.
Dirk: I don’t know. It sounds like early 20th century international politics. You had the Teddy Roosevelt versus Woodrow Wilson doctrines there.
Jon: Oh, please. I’m not that old. I don’t remember Teddy Roosevelt, just to be clear. Yes, we’ll watch how the Department of Homeland Security evolves this cyber center and how this evolves at the National Risk Management Center and see what comes of it.
Dirk: Good branding, by the way, Jon. National Risk Management Center, it’s hard to not get behind that, right?
Jon: Yeah. The acronyms are going to be astounding on this one. Listeners, remember that while you’re listening to the show, you can follow along with the things that we are mentioning here in real time. Just head over to thedigitalife.com, that’s just one L in The Digital Life, and go to the page for this episode. We’ve included links to pretty much everything mentioned by everyone, so it’s a rich information resource to take advantage of while you’re listening or afterward if you’re trying to remember something that you liked. You can find The Digital Life on iTunes, SoundCloud, Stitcher, Player FM, and Google Play. If you want to follow us outside of the show, you can follow me on Twitter, @jonfollett. That’s J-O-N-F-O-L-L-E-T-T. Of course, the whole show is brought to you by GoInvo, a studio designing the future of healthcare and emerging technologies, which you can check out at goinvo.com. That’s G-O-I-N-V-O, dot com. Dirk?
Dirk: You can follow me on Twitter, @dknemeyer. That’s @-D-K-N-E-M-E-Y-E-R. Thanks so much for listening.
Jon: That’s it for episode 270 of The Digital Life. For Dirk Knemeyer, I’m Jon Follett. We’ll see you next time.