July 19, 2024

I have been interested in network access control technology since my days working on trusted computing and high assurance platform initiatives for different government entities. And today, with network access control comprising a key element of the zero trust cyber architecture discussions, I can understand how such offerings from Forescout Technologies are a popular choice for addressing zero trust needs. So I was delighted to be re-introduced to Forescout at the recent AFCEA TechNet Cyber Conference, where I was grateful to pick up an interview/podcast with Ms. Alison King, the Vice President of Government Affairs at Forescout. Learn how Ali’s journey through various cybersecurity roles as a federal policy-maker now positions Forescout at the forefront of linking policy and technology in this interview with Active Cyber™, especially in its ability to lean in for the cyber protection of critical infrastructure. You can listen to our interview at this link, or you can read it below and learn a little more about what a leading thinker says about federal cyber policy.

Spotlight on Ms. Alison King

» Title: Vice President of Government Affairs at Forescout Technologies

» Website: https://www.forescout.com/

» LinkedIn: https://www.linkedin.com/in/alisoneking

Read her bio below.      


Chris Daly, Active Cyber™: Hi everyone. Welcome to the Active Cyber Zone. Today I’m with Alison King, who’s the Vice President for Government Affairs at Forescout Technologies. So welcome to the Active Cyber Zone, Ali.

Alison King, Vice President Government Affairs, Forescout Technologies: Thank you so much.

Active Cyber™: So Ali, to get started, why don’t you give us a little bit of background on yourself and how you got into cybersecurity and what you do for Forescout?

Ms. Ali King: I’m currently the Vice President of Government Affairs for Forescout. So in my job jar, I’m responsible for all functions with the federal executive branch and the legislative branch. I’m also responsible for policy and strategic partnerships as well. I started with Forescout in the fall of 2022, after nearly a decade plus as a federal civilian. I was able to jumpstart my career in the federal service with the Department of the Navy. I worked in the Standard Missile program office doing foreign military sales for a few years, and then I got pulled into the Pentagon, the OPNAV staff, which is responsible for Title 10 responsibilities for expeditionary warfare. In 1995, when I was there, I got chosen to be a defense fellow for Mike Gallagher, who recently left Congress but represented the eighth district in Wisconsin. He was a Republican and he was also a chairman on the Cyberspace Solarium Commission, which I supported for a while.

I was the legislative affairs director and strategic communications lead for them. And so I really got my feet wet in cybersecurity in a great way with the Solarium Commission, which had active participation across the legislative and executive branch to include the public sector and private sector partners. I then left the Solarium Commission and went to CISA. I did legislative affairs for them and I was around when the CIRCIA legislation was really kicking off. That legislation is the mandatory incident reporting requirement for critical infrastructure and covered entities. So I stuck around there for a year and a half and then I got a wonderful opportunity to make the jump to the private sector, and that’s when I went to Forescout.

Active Cyber™: Sounds like a really nice path to where you are. Very, very rich experiences, I assume, in the cybersecurity policy space, and especially interesting with the Solarium experience. Was Chris Inglis on that Solarium committee with you as well?

Ms. Ali King: He was indeed, yes. Chris was a great addition to the group and we really benefited from him.

Active Cyber™: I’m sorry to see he left as a national security advisor recently. Was Jen Easterly also with you at CISA when you were there?

Ms. Ali King: Yes, she was the Director at CISA and I got an opportunity to work with her previously when she was a red team member on the Solarium Commission. Director Easterly really has brought a tremendous amount of leadership and vision to CISA. It was one of the youngest agencies in the federal government, and I’m very grateful for the opportunity to be able to work and connect with her there.

Active Cyber™: I know that one of her primary initiatives right now is securing our critical infrastructure. I know that CISA has a lot of stuff going on there, including the whole KEV [Known Exploited Vulnerabilities catalog] stuff with the vulnerabilities, and also she’s got a lot of outreach going on with the critical infrastructure members. Can you discuss a little bit about what you learned at CISA and other places about what we need to do for the critical infrastructure? Because at the TechNet Cyber Conference, I kept hearing how that was a place where our main nation state threat adversaries are going after right now.

Ms. Ali King: So just to put a current marker down, if you go back to January of this year, the four major federal cyber principals you had at the time were testifying on the threat of Volt Typhoon to our critical infrastructure – Paul Nakasone [at NSA/Cyber Command], Jen Easterly at CISA, ONCD [Office of the National Cyber Director] testifying as well, and of course FBI Director Wray. So back in 2019, the CCP put malware on the Linux systems of several telecom companies on Guam that support our three military bases there. And that really was the tip of the iceberg that those four principals were discussing – the threat of this malware, which has permeated across many critical infrastructure OT systems stateside that support not only the military but the general population. And so there’s a lot of conversations around how, while there’s always been a huge focus on the IT systems and the security there, the real Achilles heel that we have from a health and safety perspective is being able to defend our critical infrastructure from sophisticated nation states.

Moving ahead, that’s a key focus for me here at Forescout. But we knew even back when I was at CISA that this was a serious issue because nobody can forget the impact that Colonial Pipeline had on this space. And that incident really kickstarted the federal government especially, coming from as high as the White House, to be able to address this issue. So when I was at CISA, Executive Order 14028 – Improving the Nation’s Cybersecurity – really was in the forefront. CISA took a lead on being able to organize across the civilian executive branch, including the drive towards the zero trust model and what needed to be in place across the board to ensure that not only the principles and the standards were well understood across the executive branch, but the resources, the mentality, the policy and the training also were understood and incorporated within the budgets of these departments.

So I really got my feet wet from a legislative affairs position because the CIRCIA legislation, which is now in rulemaking – the draft rule was released a couple months ago – looks to finally have a comprehensive and timely understanding of how significant the threats are across the board in the United States from malicious actors that are attacking our critical infrastructure through digital means and otherwise. So yes, it was a great experience working with CISA under Director Easterly’s leadership to really have an understanding of what investments and policy are necessary to drive and reduce the risk across the board across all 16 sectors of our critical infrastructure.

Active Cyber™: I felt when you’re going through this process and you’re seeing some of the threats and the significance of them, it’s like, well, it felt like we were asleep at the wheel for too long with the critical infrastructure and now we’re kind of waking up to it as we start to see the threats. I mean, you also heard about the threats affecting our port systems, things like that and it seems to be pervasive. So I’m glad that we’re really taking an active interest. At the same time we’re talking about zero trust. And I think that’s great. I think the whole concept of zero trust has been around for a while, but I think it’s finally getting to a mature capability that you can actually run with. I think Forescout is at the head of the line for zero trust because of its whole support behind Comply-to-Connect and things like that. So can you tell me a little bit more about how Forescout has positioned itself for zero trust and how it’s there to protect the software supply chain?

Ms. Ali King: Sure. So first and foremost, just to address the OT piece, there was this myth or misconception or just really overly positive narrative that we don’t really need to worry about OT systems because there’s an air gap or moat that will protect them from the IT standard business systems. That is completely a farce in a paradigm that’s long since past us, if it ever existed at all. And it’s specifically the rise of all of these IoT devices – Internet-of-Things devices – that we’ve seen just flood the market that have bridged the IT and the OT together. This has really created a new attack surface that allows these malicious actors to be able to get onto the networks and horizontally move across OT because these systems are very old, a lot of them; they’re capital-intensive investments that were meant to last decades, not months or even years.

So that really has driven a huge issue for us across the board to ensure continuity of operations without creating really serious health and safety issues. And you’ve seen that problem firsthand with the Iranians attacking those water treatment facilities in the United States and the list goes on. So the thing that I really like about our company – Forescout – is that we provide everybody who uses our tools and services with unmatched visibility across their network, any device at any point in time. And it’s not just seeing these devices, whether they’re an IT device, an IoT or an OT device or even a medical device, but you have a continuous understanding of what they are – the hygiene, the updates, and the IP address associated with these devices. Knowing what’s going on there really allows you to kind of dig into those specifics, allows you to actually do some assurance and security across these devices.

If we go back to zero trust, there is no single silver bullet solution that’s going to allow you to buy your way into zero trust. I know there’s a lot of marketing around – “hey, if you buy this, it’ll satisfy your requirements.” However, it’s important to understand that, foundationally speaking, having that visibility that a tool like Forescout provides is so important because it allows you to really amplify the investments that you’ve made throughout your security stack. So once you realize what your risk posture is, you know what’s necessary to defend the most critical aspects of your networks and your systems. Using this knowledge, you can make specific investments in tools that allow you to buy down your risk. So what’s great about Forescout is it gives all those tools in your stack unmatched continuous visibility that really allows them to excel and for you as the operator to get the biggest return on investment across all those capabilities that are necessary. Those capabilities will then feed into the policy piece of zero trust, which ensures that you have least privilege access for users across the board, gives you network segmentation, tells you what’s going on with your workload, and really digs into how you move your data around and what you do to continue to ensure that you’re protected. Protected even from the worst pieces of even insider threat, which we like to joke is kind of negative trust, but it’s so important on this zero trust journey because it never ends and it’s not something you can simply buy.

You think of it as a triangle. You have the tools that you need, the policies in place to make sure you’re really amplifying those tools, and then the training of every single person that touches your network. If you do those three things, it really will put you in a much better position especially when you assume breach. You’re able to respond quickly and mitigate some of the more critical damage that can be done by nefarious actors.

Active Cyber™: I like the concept of education that you mentioned there too of the user. One thing I’ve always thought about was how we can simplify security so that I can look at my PC or my laptop or my phone and make a determination of “have I been hacked?” Can I actually put a firewall rule out there? Can I actually understand what this intrusion detection information is about? So I was thinking about how it could be possible to take something that’s complex and simplify it to your basic user level. Provide a way of educating them and letting them participate in the security of their own device. And so that brings me to concept of AI in a way. How is Forescout leveraging AI in its stack or how’s it looking at AI right now? I think everybody is taking a look at it for now.

Ms. Ali King: Great. And so within our product line, we do have AI that is going to be leveraged for us to be able to ensure that the best practices and the automation that go into being able to leverage our tool are applied in concert with what is already in place. One of the things that we are doing early on is we’re a strategic partner with Microsoft, and so if you see Microsoft Copilot, there is some Forescout available within that specific tooling set.

And for us specifically, I think people need to understand that AI is a tool. I think that calling it artificial intelligence is a misnomer. It should be more like augmented intelligence because it isn’t a magic trick. It will do some interesting things in a novel way, but it certainly does not negate the responsibility that users have, that software companies have, to ensure that we are doing the foundational requirements around cybersecurity.

A lot of people know that you really need to have already done the basics and be really good at it before you can leverage the benefits that AI is going to provide you. Because it’s not going to get you off the hook for doing some of these foundational things within your system. And if you are a buyer who is like, “well, I’ll just have AI do this for me, it’ll be fine,” I think you’re going to be somewhat disappointed with what you get on the back end of that. I like AI. I think there’s certainly some opportunities to be able to evaluate the data and patterns that we’re seeing across the board for some of these threat actors that allow us to do more predictive modeling that can be fed back into the larger community. So from an OT perspective or a critical infrastructure perspective, we have 16 sectors. Being able to understand the data that you would apply across something like a Cyber Readiness Check (CRC) that CISA provides, I think could be very much a game changer and can really take this discussion and goal of public-private partnership, which really needs to translate into operational collaboration, to the next level.

Active Cyber™: Sounds great. I like that. So you were talking about some White House cybersecurity reports and there’s a 2024 report cyber report that’s out. I assume you have a lot of insight into what that government report is about. Can you kind of break it down for us a little bit and give us some information about it?

Ms. Ali King: Sure. So I really have to tip my hat to this administration because they have been very active in the policy space and we saw that on the heels of Covid-19, and then of course with the Colonial Pipeline, and with ransomware really wreaking havoc across the board affecting hospitals, municipalities, or even schools like the LA County school system. These are all pretty big issues. And so in 2024, the administration actually put out quite a bit of doctrine and policy. The last one that they did was the posture statement, which I thought they did a really good job of trying to approach this from an objective perspective of what cybersecurity looks like across the country, how we must become more resilient, and the White House focus on pushing initiatives to include Secure-by-Design, Secure-by-Default. This is ahead of understanding what resources and gaps exist at a strategic level that we need more leadership across the board to tackle.

Active Cyber™: Sounds good. I agree with you, this administration has been very active in putting out what I would consider some good doctrine stuff regarding cybersecurity and things that need to happen. Specifically, I really like the concept behind Secure-by-Design. Just interesting to see what you feel has been the industry’s reaction to that approach. And the reason I bring that up is because I remember back when there was something called Common Criteria and behind Common Criteria were the same kind of concepts of making things Secure by Default and Secure by Design. But Common Criteria got twisted in a way by industry where instead of really focusing on the functions that were supposed to be secured, they focused on the easy path – that is, the process by which the functions were going to be assured. And so as a result, the focus of CC has become a marketing-oriented focus instead of a technical “Secure-by-Design” focus. How do you think Secure-by-Design is going to go? What’s been your thoughts on how industry has been reacting to it and do you think it will be a success down the road?

Ms. Ali King: Yes, so this is a really hard area to tackle and it’s something that the Solarium Commission did express some recommendations and thoughts on in the report that they provided. I guess that was five years ago, but CISA and Director Easterly have really kind of taken the bull by the horns. Secure-by-Design/Secure-by-Default acknowledges that you either are going to pay for cybersecurity upfront when the software is being developed into products before it goes to market, or you’re going to pay for it on the backend, where you’ve got really buggy software that nobody really put a huge amount of critical investment around trying to secure and it’s somebody else’s problem. So you either pay for it upfront or you’re going to pay for it on the backend. The problem is on the backend, it just creates this huge risk exposure that has permeated into all aspects of our lives because we’re digital now. So not following a secure by design approach has created an unacceptable level of risk to the general population across the board, whether it’s the water sector or the energy sector or FinTech. There’s many other instances where it’s created huge amounts of problems.

There has been an acknowledgement that you’re going to have to shift the balance of cybersecurity risk to the right. You’ve got to start at ground zero, which is really looking at the software and making sure that there have been standard principles applied to its development and testing to ensure that you’re not just doing this garbage in, garbage out perspective. You really want to put more emphasis on having security be a principal consideration and an attribute that the market is going to want to buy instead of just trying to get something out as quickly as possible, as cheap as possible.

So there is an effort to create an addendum to this cybersecurity 2024 document that’s more focused on OT because a lot of the same principles absolutely apply. It’s just your approach and methodology on how you’re going to be able to execute that will be different for OT. And at this last RSA conference back in May, CISA was able to get dozens and dozens of companies on board, to include Forescout, to say, “we are going to pledge to take on board the principles of Secure-by-Design as part of our business model, and we’re going to look to play an active role in ensuring that the products that are hitting the market are more secure.”

Active Cyber™: So that’s great. I can see OT having a few issues because of the long lifespan of OT equipment. You get it out there and it’s out there for a long time. So you definitely want secure by design. It’s almost like, okay, this is going to go into space and you can’t get it back to fix it. So kind of like James Webb went out there and you couldn’t do anything else to it. So I can really see secure by design being a good thing for OT, but it’s going to take a while for its impact to be felt because it’s going to take a while for those old OT systems to get replaced.

Ms. Ali King: Correct. To your point Chris, because these systems are purchased to last up to decades at a time, we have a lot of brownfield there. And so for new systems, absolutely I think that you have an opportunity to start fresh from scratch. But to your point, there has to be an acknowledgement, an understanding and appreciation that there’s a different way to approach the OT space just because it’s already there, it’s not entering into the market. There is a group of cybersecurity companies that have come together to form a nonprofit 501(c)(3). It’s called the OT Cyber Coalition, and we currently have 18 companies to include Forescout as an executive member. We are working very closely with CISA and other key stakeholders in the government to include folks in ONCD to have an opportunity to look at vendor-agnostic approaches to these OT cyber challenges. The document that I believe those folks are working on, it’s in draft, they’re still playing around with the title, but it’s “secure-on-demand.” It’s something that I just want to put on your radar for when it does get released. I think that document is going to help us have a better appreciation and understanding of how to tackle this problem.

Active Cyber™: Yes, that sounds really good actually. I was thinking that companies’ offerings like Forescout would be perfect for the interim period where you have to fill this gap between where you’ve got the new systems Secure-by-Design, and you’ve got these other legacy systems that have been around a while. Seems like tools like Forescout can help you get to the behavioral visibility for these OT systems to make sure that they’re behaving the way they should be and in a secure way? And you got to take in consideration not just the security, but the safety and reliability of those systems too. So all that together I think it is great for companies that provide this visibility and comply to connect functionality to make sure that the behavior of these systems is good. So I think it’s great that this coalition’s out there and that it’s working on a document.

Ms. Ali King: You mentioned Comply-to-Connect, but there’s just one thing I just want to highlight again to give more credit to the current administration and cybersecurity on a whole which is very much bipartisan. I think where things do split is when you get more into regulatory challenges. But if you put that aside, I just want to highlight for anybody who is listening to this or reading your website that I’m really encouraged over the last few years because we’re finally in a position across the federal government, whether you are a national security system or you are just a standard digital network and system, that there are requirements now that says you have to do continuous monitoring of your IT, your OT and your IoT. And that update was seen through OMB in December 2023, and there is a requirement in there that says by 2024 you got to be able to do this. Of course from the national security systems through NSA, there has been directives that are pushing out the same. So you finally have parity across the board that says you have to have not only this visibility, but any point in time you need to be able to tell us what is on your network. If you do not know or you choose not to see what’s on your network, you really are opening yourself up to some, I hate to say it, pretty serious issues that could have national security consequences attached to them.

Active Cyber™: That’s interesting. It’s not easy to know what’s on your network. I know when I was a SOC manager for a large Army network, having people go off and on the network and just being able to reconcile information from the various tools that would go out there and scan assets – well, it was hard to come up with a single version of the truth about what exactly I had in inventory on the network. So I still think that’s going to be a problem.

Ms. Ali King: I certainly think so as well. But what’s encouraging for me on this is Comply-to-Connect. That’s the DOD’s approach to being able to institutionalize policies and procedures that ensures the right people, the right devices have been thoroughly vetted to be able to connect to the network. And then on the civilian side of the house you have the CDM (Continuous Diagnostics and Mitigation) Program that’s administrated by CISA. It’s a little over 10 years old. It is a different approach, but it has the same objective. And what they’ve been able to do as well is provide tools and services across the federal civilian agencies that allows them to do this foundational asset monitoring and reporting. They are able to aggregate reports across the board that feeds finally into a functioning dashboard. So CISA has that full OV of what’s going on, whether it’s in the Commerce Department or it’s in Department of Education or any place that you would want to pick that’s under their purview at any point in time.

So continuous monitoring, along with binding operational directives and help from CISA and their hunt teams really has made a tremendous difference. I’m encouraged on where we are. It’s something that we need to continue to scale and to become more efficient across the board because the workforce challenge is very much a real issue for us. But I think we’re making progress. I certainly don’t want to say that we have resolved any of our foundational issues, but the progress is something that I’m encouraged to see and I hope that investments into the tools and the people continue.

Active Cyber™: I agree a hundred percent with what you just said as far as that encouragement is concerned, but there’s still a lot of work to be done. But you’re right, I think we’re definitely on the right path and we have made progress over the last five, 10 years. I was actually a CDM solution architect for a company, and so I’m pretty familiar with that program at the time, and I remember it was focused on IT enterprise-based type stuff. Have they extended it yet to OT systems?

Ms. Ali King: So the OTPs have been extended and that is within the OMB’s directive of 2023 that says you have to do IoT and OT asset inventory as part of your FISMA. That is something that is included in the CDM Program and you can even see it in the House version of the FY 25 NDAA. So Congress is paying attention saying, “OMB says you shall do this, and we as Congress are foot stomping that even to more effect.” And so I think by the end of this year, early next year, it will be interesting to see to what level the departments and agencies that fall under CDM Program have been able to achieve that objective because it is part of the zero trust strategy that all the departments and agencies are supposed to be working towards.

Active Cyber™: One type of technology that I’ve been also very encouraged by, but I don’t see a good uptick on it yet – and maybe I’m just not seeing it – but it has to do with confidential computing. I know all the big hardware and software players have a version of that. You got the Nitro by AWS, you got Google with AMD stuff. Apple just announced their stuff for confidential computing, and they’re actually extending it to your laptop, not just the server infrastructure, Microsoft has something there too and it’s provided through your Intel and NVIDIA types of chips. So is Forescout taking advantage of this technology and what it offers because I really feel that having universal confidential computing is a foundational step since it’s hardware-based and is designed to provide a really good root-of-trust to move security forward on.

Ms. Ali King: At Forescout, we have foundationally focused more on traditional NAC (Network Access Control), but we are partners with Google and with Microsoft, and so I’m aware of this confidential computing, the end-to-end data security within cloud and the keys that go along with the data processing. But we don’t really play that much in that area, but it certainly is another layer of protection that is necessary because we know a lot of these malicious actors are going towards the data. I’m delighted to see that more companies that play in this space are adopting this as foundational to their offerings.

Active Cyber™: Sounds good. So one last area I’d like to cover with you gets into something that I think you coined as smart policy. I’m interested in what’s your feeling on what Congress should be doing and what other legislation you think is necessary to push us forward even better than we are right now? I see the Select Committee on China actually pushing very hard on tight controls on what we’re doing with China as far as cyber and other stuff is concerned, and I kind of like what they’re trying to do there. I think they’re addressing the threat upfront, but what else do you think Congress should be doing and how do you feel about that?

Ms. Ali King: Sure. So there’s two things that I think are good governance that I’m delighted to see. Last year Senator Eric Schmitt, a Republican from Missouri, the junior Senator, put forward language in the NDAA for the Department of Defense that said, “cybersecurity tools need to be competed on best-in-breed and total ownership costs to the government.” I think it’s very much the prerogative of the Department to be able to select and procure the tools that they want to defend their networks, their systems and their data. But competition is important and that really opens the door for everybody to compete on merit and what makes the best business sense for the government. And so I am hopeful that the DoD continues to utilize competition as a means to really get the best tools, services, and investments needed to be able to protect the DoDIN and other critical areas. You never know when the next best startup is going to enter the market and if they can’t compete for the work, or even current companies can’t compete for the work, I think you really have a challenge on your hands.

I would encourage competition across the board and that also feeds into Executive Orders that have come out of the current administration that talk about fair and open competition. I want to highlight that piece. The next piece that’s in play now is acknowledgement of the threat around Operational Technology (OT) that we have from a nation state, specifically the CCP. We have to acknowledge that from a health and safety perspective. The United States has a huge global footprint from our military. We’re in over 70 countries and I think there’s over 800 installations, so that’s a big attack surface. Not everything is first among equals in terms of criticality. So it’s really important that the DoD understands that for critical OT systems that are attached to hospitals or buildings where we have personnel there, we need to adopt something called cATO or continuous authorization to operate.

cATO just puts more oversight and requirements from a health and safety perspective on these specific buildings and these OT systems that support them to ensure that we don’t have an actor that’s tampering with the HVAC system or the many systems that support a hospital and all the critical things that go on there. I think having that acknowledgement and recognition that we need to go the extra mile – to check the box “you can jump on the network”- is not going to be sufficient moving ahead. So I am delighted to see that Congress is paying more attention in that space. I do want to highlight that there are about seven years of OT requirements from previous NDAAs that the DoD needs to play catch up on, specifically, understanding the OT systems that support major weapon systems. That’s where I get really nervous because if you even look at what happened with Typhoon and Guam, that really is an indication to me that why would the CCP ever want to go kinetic with us?

They don’t. It’s very expensive, it’s messy. It’s much easier to cyber attack your critical infrastructure because it’s going to delay or degrade our response. It’s hard to respond if your power’s out, your satellites have been attacked, your water systems aren’t working. There are many different things that we take for granted that our military needs to be able to project power and to be able to fulfill their critical missions at the snap of a finger/drop of a hat. I think we have a real Achilles heel problem with OT. And so you definitely see that in our bases in the Indo-PACOM area. But who’s to say that it isn’t the prerogative of the CCP, if they have the ability to do so, to really cause panic and mayhem stateside? And that’s what those four principal cyber directors were testifying about back in January before the CCP committee, of which my old boss Representative Gallagher was the chairman: that we really have to get sober and serious about the very real threat that we have here and abroad from the CCP.

And it’s not just hanging it on the military. This is an “everybody problem.” This is something that unfortunately is going to require a much heavier lift than the DoD can do on their own. NSA is limited in their authority. Cyber Command is limited in their authority. So we really need to find opportunities to collectively address these problems. I do think the CFI [Charging and Fueling Infrastructure] legislation, once it does go into effect (and it’s going to be challenged because of the Chevron decision at the Supreme Court), very much is a starting place, and it’s something that I think we all have equity in.

Active Cyber™: Yes, you made a great point there. I was just thinking about the NATO bases that we’re tenants on and the other places that we depend on the existing country infrastructure to some extent for our bases over there. Turkey comes to mind, Kuwait comes to mind, places like that, and if adversaries can just affect those infrastructures there, it could have a drastic effect on our readiness.

Ms. Ali King: I think so. I mean, you can’t completely eliminate all risk. That would be great if we could, but I don’t think that’s practical. And so Congress, through many of these NDAA requirements, is really putting the onus on the DoD. They are saying, okay, where are your major weapon systems, your requisite capabilities, and what are you doing to understand the interdependencies that exist on civilian critical infrastructure? Because naturally there are things that you can do to ensure that there are additional power sources or water sources available. But I think that there’s also, from what I’ve been able to see, a reluctance to really flip over the rock and see how bad the problem is. DoD says “Nothing has happened yet. We’re doing really well. I really want to talk about this weapon system.” They don’t want to talk about the water or the power or anything else that this weapon system is contingent on to work when it needs to work. This means adopting a supply chain perspective, really adopting that zero trust mentality; we need to start digging down to ensure that we have a good handle on the vertical, because I don’t think we are there yet.

Active Cyber™: One last question. Along the line of impending threat, I see the possibility of quantum attacks on the crypto portions of the infrastructure. What is your feeling about that and do you see that we’re heading in the right direction from a policy and legislation perspective?

Ms. Ali King: Well, I think we need to highlight safe languages that are more resistant to the threat of quantum. Understanding that that’s in the forefront goes back to the objective of Secure-by-Design and really ensuring from the beginning that we take these things into consideration. You can’t engineer everything out. And quantum is something that my colleagues that are working in ONCD are focused on. They’re approaching it from an objective perspective. Those are problems that are hopefully years down the road, but all encryption to some degree is perishable. It’s kind of like dairy. It’s only going to last for so long. And so it’s important now that we continue to really put heavy emphasis on those memory-safe languages and continue to understand what needs to be incorporated in our products and services that’ll allow us to buy down that risk.
Thank you Ali for this journey into government cyber policy and voicing the absolute need for cooperative public-private efforts to protect our critical infrastructure. I know I will be tracking upcoming legislation and executive branch efforts that continue to bring attention to this matter, thanks to your pointers.  And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, authenticity, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing OT / IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.

About Ms. Alison King

As Vice President of Government Affairs at Forescout Technologies, Alison is responsible for the company’s relationships with Congress and the Executive Branch. She leads all legislative functions, federal policy, and strategic partnerships.

Before joining Forescout, Alison spent over a decade in the federal civil service, working for the Department of the Navy, for Congressman Mike Gallagher (R-WI-8) as a Defense Fellow, and as staff supporting the Cyberspace Solarium Commission (CSC) and the Cybersecurity and Infrastructure Security Agency (CISA).

Notable accomplishments include the Fiscal Year 2021 National Defense Authorization Act, which contained over 26 CSC recommendations and represents one of our nation’s most comprehensive and forward-looking pieces of national cybersecurity legislation, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), a key policy objective for CISA.

Alison holds a Bachelor of Arts in Government and International Relations from George Mason University (GMU), a Master of Science in Conflict Analysis and Resolution from GMU, and a Master of Business Administration from Georgetown University. She is a 2024 Foundation for Defense of Democracies (FDD) National Security Fellow and a Senior Fellow at Auburn University’s McCrary Institute.