
CVE at a Crossroads: Global Standards, Local Failures, and What Comes Next with Nick Leiserson

Season 2 Episode 44

Show Notes

Cybersecurity veteran Nick Leiserson joins Cyber Focus this week to break down critical governance gaps in the Common Vulnerabilities and Exposures (CVE) system and what’s at stake if they’re not fixed. He and host Frank Cilluffo explore the risks of global fragmentation, the lingering fallout from the F5 breach, and why policy tools like Executive Order 14028 remain stalled. Leiserson warns that the U.S. court system faces an under-the-radar cyber crisis, and shares specific, actionable funding priorities Congress should tackle now. From software supply chain failures to operational coordination gaps, the episode provides a sharp look at what’s missing in the federal cybersecurity response—and what can still be done to fix it.

Main Topics Covered

· Why CVE is the global “lingua franca” for vulnerabilities—and what happens if it fails

· How a near-shutdown exposed CVE’s fragile funding and governance model

· The F5 breach and what it reveals about persistent risks in the software supply chain

· Missed opportunities in EO 14028 and regulatory inertia in implementation

· Why the U.S. court system breach is a cybersecurity crisis hiding in plain sight

· Urgent spending needs: water system grants, K-12 cybersecurity, and court system defense

Key Quotes

“CVE… It’s the universal language that we can all look at and understand what we’re talking about. And today in 2025, we totally take that for granted.” —Nick Leiserson

“The worst case is fragmentation. The second worst is [when] government comes in and says, we’re going to supplant the expertise that’s been built up over 25 years” —Nick Leiserson

“[Some ask] ‘Didn’t we put a bunch of policy in place to stop SolarWinds?’ The answer is we did. If you look at Executive Order 14028… it came out in the immediate aftermath of SolarWinds, and it has not been implemented.” —Nick Leiserson

“This is just one of those things that’s vaguely terrifying, and it takes a lot to terrify me after 15 years in this space. But as best we can tell from public reporting, either there’s been one continuous breach since 2020, or at least similar types of actors are continually being able to get into the federal court system.” —Nick Leiserson

“[F5 is] one of these bits of technologies that most people would not immediately wake up and say that’s essential to our economy, our national security, our public safety. But it is.” —Frank Cilluffo

Relevant Links and Resources

Institute for Security + Technology report on CVE reform

Executive Order 14028 – Improving the Nation’s Cybersecurity 

CISA’s Known Exploited Vulnerabilities (KEV) Catalog

FCC K–12 Cybersecurity Pilot Program

Guest Bio
Nick Leiserson is Senior Vice President for Policy at the Institute for Security and Technology. He was a founding member of the Office of the National Cyber Director, where he led national cyber policy development and helped launch the National Cybersecurity Strategy Implementation Plan. Previously, he served as Chief of Staff to Rep. Jim Langevin and helped enact dozens of recommendations from the Cyberspace Solarium Commission. A longtime strategist on Capitol Hill and in the White House, Leiserson is known for translating complex tech policy into action on issues ranging from regulatory harmonization to software liability.

Transcript

Nick Leiserson [00:00:00]: CVE is an example of like, well, we already got it right. There already is this one universal identifier that’s used, and what we don’t want to see is that going backwards.

Frank Cilluffo [00:00:11]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege of sitting down with a longtime friend and colleague, Nick Leiserson. Nick is currently a Senior Vice President at the Institute for Security and Technology, has served many, many years on Capitol Hill, probably the most informed staffer on Capitol Hill, working anything cyber long before cyber was cool, and was also instrumental in our work on the Cyber Solarium Commission. Nick, privileged to sit down with you today. Thanks for joining.

Nick Leiserson [00:00:50]: Thanks, Frank. Longtime listener, first time guest.

Frank Cilluffo [00:00:52]: Well, I’m thrilled you could be here, and I thought we’d start. You and your colleagues at IST recently put out a report on CVE, or the Common Vulnerabilities and Exposures program that CISA is administering. What led, firstly, if you can sort of talk our readers through why the CVE program is significant, what it is, and more importantly, and just as importantly, what led you to draft this report now.

Nick Leiserson [00:01:20]: Absolutely, yeah. So CVE, I like to think of it as sort of the lingua franca for your vulnerabilities. It’s the universal language that we can all look at and understand what we’re talking about. And today in 2025, we totally take that for granted. If you start talking about vulnerabilities, a CVE number is sure to follow if you get anywhere deep into the conversation. But when you look back at what the landscape looked like before the CVE program, in the original paper from MITRE, a couple guys at MITRE who were network defenders and they said, hey, we are getting alerts from our vendors and they’re all talking about different things, but when we start picking away at what is underlying these actual vulnerability alerts we’re getting, it seems like they’re talking about the same thing. And they said, wouldn’t it be better if we had a harmonized way to talk about this so we would know, oh, I’ve already mitigated that problem. I can move on to the next thing. I like to think about it in contrast to, say, challenges that we have with threat actors, where I sure as heck can’t keep them all straight in my head. If it’s UNC, XYZ, Volt, Panda, or whatever else it may be, and obviously threat actors are harder. It is a harder challenge to deal with than vulnerabilities where there are ones and zeros of code and there’s a lot more certainty you can find.

Nick Leiserson [00:02:42]: But if you look at those challenges and compare it to vulnerabilities, in vulnerability space, we know what we’re talking about in the CVE program, which grew up from doing a couple of vulnerabilities at a time to now there are tens of thousands that they process every year. It’s used across the world and it is a huge value add both to cyber defenders and to folks looking at how to improve secure by design. So this is why it was so important that this pillar of cybersecurity critical infrastructure continues to prosper.

Frank Cilluffo [00:03:12]: Do you think we’re going to have a day where, I’m going to pull a threat actor, so it is confusing. Every vendor has their own taxonomy and name for different actors. Do you think we’ll ever see that coming together? Because I’m not sure, most of our viewers and listeners probably are aware, but for example, the Typhoons, Microsoft, everyone calls it something a little different though.

Nick Leiserson [00:03:38]: Right, and I think it’s going to be challenging because there are marketing dollars to be made and saying, you know, here it is. And it’s also going to be challenging because the ground truth is harder to come by. But we have seen efforts this year from industry to start to say we need to have some more of a taxonomy. And we’ve seen MITRE, who’s involved in the CVE program as well, with their ATT&CK framework, also start to say, well, can we at least deconstruct which pieces a threat actor is interested in so we can look at a profile. But you know, you look at the challenges that exist in trying to deal with threat actor identification and management and say, yeah, isn’t it great we don’t have to deal with that in vulnerability management? That is because of the CVE program. But the CVE program is 26 years old and some of it has not had major look at in those 26 years externally and cracks are beginning to show.

Frank Cilluffo [00:04:32]: Give us that status update. What are some of the concerns from a governance perspective or anything else?

Nick Leiserson [00:04:38]: Yeah, so we kind of, you know, CVE was when I was on the Hill and then at the White House, I would call it was in my like 3 months away bucket of, starting in 2016, some of those cracks started to show in terms of how the existing governance structure, could it expand to deal with the massive numbers of vulnerabilities the software has eaten the world. But it was always on the like, ah, you know, I’ll get to it. It’s important, but not quite urgent enough to deal with.

Frank Cilluffo [00:05:09]: Things are on fire. It’s all right. Yeah. Five alarm, four alarm, three alarm. Yeah.

Nick Leiserson [00:05:14]: Last year we got pretty close because the National Vulnerability Database, which is run by NIST, it had some funding issues and it is built on top of CVE. And at the White House, there were lots of conversations. We were getting calls. One of my colleagues, Drenan Dudley was, who was a budget wizard, was trying to work with NIST to figure out, how do we get funding for this program because it is relied on by the community. And in April of this year, we saw a similar funding problem where the CVE Advisory Board got a letter from MITRE that said, there are contract issues and unless they get resolved in the next 24 hours, we have to shut down. And that caused a huge tectonic shift in the community, and people in industry, people in international governments calling, folks in CISA, folks in the broader community to say, what’s going on and how do we fix this? And that immediate crisis got fixed, the contract was fixed and CISA is back to funding the program. But it exposed a lot of challenges that had been underlying and sort of brought them to the fore.

Frank Cilluffo [00:06:29]: So crisis averted. Yet where should the CVE program, what should it look like? And clearly internationally, it plays a significant role as well. And I know other countries have similar programs. What are your thoughts on that?

Nick Leiserson [00:06:48]: Yeah, so where we started with the paper was looking at, well, what’s the thing that we’re trying to avoid? And that’s fragmentation. I mean, you and I talked before about the importance of cybersecurity, regulatory harmonization, of saying we need to get people on the same page. We do not want to spend time on compliance that should be spent on security. And CVE is an example of like, well, we already got it right. There already is this one universal identifier that’s used. And what we don’t want to see is that going backwards. And when you had this funding crisis, all of a sudden people started to say can we rely on this program? Right? It’s got one funder.

Nick Leiserson [00:07:29]: It’s not been terribly transparent. The governance structure is definitely not what you would expect for a program that’s this important for our global cybersecurity. So we started from the premise of how do you avoid fragmentation? And core to that, we have a couple of things we had in mind. Right? First and foremost, we have to be clear what we’re talking about. And one challenge that we ran into immediately is people said to us, well, what about NVD, the National Vulnerability Database in the United States? What about the European Union Vulnerability Database? What about Japan Vulnerability Notes? There are a bunch of other databases. And we said, right, right. People should do that.

Nick Leiserson [00:08:10]: There are national security reasons to, there are regulatory reasons to. But we need a policy framework where we can say, this part of the system needs to be global, needs to be singular. That’s where it derives the value. And then you build national or regional vulnerability management programs on top of that. And that’s the policy framework that we lay out in the paper is you say, look, you want to have a global vulnerability catalog that has a diversity of funding. It isn’t just reliant on a single government to provide that. It has transparent governance structure that includes representatives from other governments, and that is to ensure that this harmonized identification system remains.

Nick Leiserson [00:08:56]: And then on top of that, you bring the value add that’s important for your national security. Or things like CISA’s Known Exploited Vulnerabilities Catalog, which has been greeted by acclaim in the community because it helps people prioritize. But it’s based on what CISA has observed. And it’s like, great, CISA should keep doing that. That’s a core part of our National Vulnerability Management Program, but that’s separate and apart from the global identifiers. CISA keys their KEV catalog to these CVEs, and that’s what we want to continue, and we want the Europeans to do the same.

Frank Cilluffo [00:09:28]: So just help our viewers understand how it is administered today, so in terms of CISA’s role and obviously MITRE and others who help support that effort.

Nick Leiserson [00:09:39]: It’s a great question. So, essentially, right, MITRE created the CVE program and largely administers it for CISA through one of their federally funded research and development centers with the Department of Homeland Security. There is also an advisory board, the CVE Board, that is made up of volunteers, many of whom have spent literally tens of thousands of hours building this program, no compensation, just because they believe it’s good for the Internet. But they do not have any real control over the system. It’s just MITRE and CISA. And there is also, again, no diversity of funding. The only dollars that are coming in is through CISA. And from our perspective, we look at this and we look at the administration’s priorities and saying, hey, we, the United States, have been subsidizing security in a whole host of domains for a long time.

Nick Leiserson [00:10:38]: This would be one of those cases where, you know, Uncle Sam has been paying for 26 years for the globe to have this benefit, and we need it. We get benefit too, but we need to see other folks pony up as well.

Frank Cilluffo [00:10:49]: And would you see industry playing a role and a new governance structure where…

Nick Leiserson [00:10:53]: Absolutely.

Frank Cilluffo [00:10:54]: Bigger seat at the table.

Nick Leiserson [00:10:55]: Yeah. I think that, again, from our standpoint, we start from the premise of fragmentation is what we’re trying to avoid. Governments are the greatest risk of fragmentation. The EU already almost fragmented and it was only thanks to US companies, US government going to partners in the European Commission and ENISA and saying no, no, no, guys, like, you need to create your EUVD. You’re required to do it by law. That’s well and good. And in our policy framework we would call that a regional vulnerability management program.

Nick Leiserson [00:11:25]: That’s great, but index it to CVEs. And they did, but I’m not sure they would make that same decision today based on the challenges earlier. So governments need to be involved and then industry also has to have a seat at the table, whether that’s directly as part of the governance model, whether it’s through a more powerful advisory board. The worst case is fragmentation. The second worst is government comes in and says we’re going to supplant the expertise that’s been built up over 25 years and say no. You know, the analogy I used when we launched this is the 10,000 meter screwdriver and being like, oh yeah, from way up high, we’ll tell you exactly how to do this thing. That’s not going to help.

Frank Cilluffo [00:12:07]: So how do you think it plays out?

Nick Leiserson [00:12:09]: Great question. From our perspective, right, and if you look at the recommendations we put in the paper, we really lean in on the need for US leadership here. Right? Like, we have already done yeoman’s work in single handedly funding this program for 25 years. But we need some more leadership to lay out a strategic vision. And I think CISA is starting to get down that road. They put out a vision statement in September, but I’m afraid it’s not quite as inclusive as maybe it needs to be.

Nick Leiserson [00:12:39]: And really where that inclusivity is, first and foremost, is with other governments. And it can’t just be the Five Eyes. Right? Again, to prevent fragmentation, EU is the 10,000 pound gorilla that we need to include in these conversations. ASEAN partners too would be great. Singaporeans are really good on this stuff. But our proposal is to say like, this is actually something that the new National Cyber Director, Director Cairncross is like right in his wheelhouse, because this is a whole of government challenge. It needs one voice going out there to say, yep, we can go negotiate out some framework that’ll ensure there’s continued funding from a diverse stream of folks and also bring industry to the table, which I know Director Cairncross has really leaned into in his first couple months on the job.

Frank Cilluffo [00:13:31]: Well said. And I would just underscore and foot stomp that the governance structure could never be in the hands of Beijing, Moscow, Tehran, you name it, so Pyongyang and others. Let’s transition to perhaps the, it’s got all the hallmarks of SolarWinds, but obviously we don’t know the consequences and the implications fully. But the F5 breach, again, a soft, technology that 80% of the Fortune 500 utilize in one fashion or another, helps with filtering and directing Internet traffic. And again, it’s a little bit like SolarWinds that everyone’s got it under their hood and they didn’t realize it, or at least I wasn’t fully read in on that. Let’s talk about the F5 breach, why it matters and what we know so far.

Nick Leiserson [00:14:27]: Yeah, I think the SolarWinds analogy is really, really apt because it’s something that is critical to the functioning of the Internet, it’s used all over the place. And most people don’t know because it just works, right? It’s like you don’t have to think about, when you’re sending a request in, which web part is actually going to be commercial, right? Which, which web server it’s going to serve. And F5’s technology has been critical to that. But what they announced on October 15 in a regulatory filing was that in August they’d learned that there had been long term persistent access to really some of the crown tools of their network, which included their development environment. So where they’re writing the software that powers the tools that they provide. Again, for me, that was immediate alarm bells to SolarWinds, because if you look at SolarWinds, this is where the Russians were. And the good news we can hope is that it was discovered by the victim. SolarWinds obviously was discovered by Mandiant, who had to call up SolarWinds and say, we don’t know how we got breached. It took us a long time.

Nick Leiserson [00:15:34]: We figured out it was you. So it is possible that this stuff hasn’t been operationalized yet, but it’s also possible that we just haven’t picked it up yet because as we’ve seen through some of the other Typhoon activity, the Chinese are getting really good at operational security. And it may also be that we pay the price for this in four years where people are looking through the source code and say, okay, now we’ve got the SparkNotes, right, now we can go and develop our vulnerabilities in a way that is really informed by what’s actually going on under the hood. So that’s all really concerning. There’s also an immediate tactical problem which is, there is a patch released with the announcement with 44 vulnerabilities that were documented internally to F5 at the time. And that means that, as best we can tell, the bad guys got access to those as well and may have been able to develop exploits. So like key messages, if you’ve got any of this technology, patch. But I think the part that’s really interesting to me as a policymaker is, if this is, it sounds so much like SolarWinds.

Nick Leiserson [00:16:50]: Didn’t we put a bunch of policy in place to stop SolarWinds? And the answer is we did. Like if you look at Executive Order 14028, came out of the Biden administration in May of 2021, I was still on the Hill at the time, and we looked at it and it’s like this is tailor made to deal with challenges from SolarWinds, both on the operator side where we’ve actually seen it work really well. I mean I think it is criminally under reported, underappreciated, how good the State Department actors were that uncovered the Storm-0558 actors. Like, that was government cyber professionals who are uncovering a persistent Chinese cyber campaign because of reforms we made in 14028. Great. But on the software supply chain security side, which was really the bulk, like looking at contractors to the federal government and putting more requirements in place for them to have secure software.

Nick Leiserson [00:18:00]: That came out in the immediate aftermath of SolarWinds and it has not been implemented.

Frank Cilluffo [00:18:06]: And you know, to me, and again, I’m pontificating here, I don’t have all the facts, but it seems like a prelude to the Typhoons in many ways because I mean one thing that has been publicly disclosed is source code was stolen and also undisclosed vulnerabilities. In essence zero days that at least one actor knew. But all things said and done, that’s a pretty big deal given our dependency, again, on one of these bits of technologies that most people would not immediately wake up and say that’s essential to our economy, our national security, our public safety. But it is.

Nick Leiserson [00:18:50]: Oh absolutely. And it is very consistent with tactics that we have seen particularly from sophisticated nation state actors.

Frank Cilluffo [00:19:02]: It’s a little bit like living off the land because the dwell time was pretty long, right?

Nick Leiserson [00:19:05]: Yeah.

Frank Cilluffo [00:19:05]: They notified quickly. So I think based on what I’ve seen, as soon as they identified it they went to Justice and they did do their notifications quickly, but they were in the system for a while.

Nick Leiserson [00:19:19]: Yeah, long term persistent is what they said. So yeah, that is not precise, but it is concerning. And the, tactics-wise, going after edge devices, right, things that are not your normal laptop or table desktop, although not so much today, is where we have seen attackers move, especially for initial access in the typhoons all over the place. And it’s just further evidence.

Frank Cilluffo [00:19:49]: Got all the hallmarks.

Nick Leiserson [00:19:50]: Right. Listen to NSA when they say, like, go defend these things. Because Rob Joyce was beating this drum in 2017 and saying protect your edge devices. And that is one of the better predictions that you will ever see in cybersecurity land. But again, I think as a policymaker you look and say, we were so close, right? We had the right ingredients in 14028 to be able to address these kind of issues and to say protect your development environments because we know the bad guys are going to go after them. And yet the FAR Council has never even issued a draft rule implementing the secure software supply chain requirements from 14028.

Frank Cilluffo [00:20:33]: Yeah. And I would not be surprised if another shoe drops on this particular case, to say the least. And more importantly, it just underscores yet again the challenges around supply chain security. Right? So even beyond F5, it took companies a long time to even recognize and identify whether or not they had SolarWinds in their systems. We can’t afford that this go around, can we?

Nick Leiserson [00:21:03]: Absolutely not. And again, we have tools to address that in train. It’s just that they have been stuck in this regulatory body. And I am a firm believer that the government should lead by example. And one of the ways that you lead by example is through your procurement power and saying, we are going to be secure by demand. We are going to demand better actions from our vendors and from our suppliers. But that only works if you can actually implement it. And we are failing at the last mile here where we’ve got all of the ingredients in place for tools that will actually affect this.

Nick Leiserson [00:21:49]: But then they go into the FAR Council and they disappear. And it was very heartening for me to see the current administration doubling down and saying in their EO, yep, we’re not rescinding 14028. The FAR Council’s latest unified agenda says, yep, we’re going to keep moving forward with these new rules. I’m just like, after four years plus, almost four and a half, we need sustained attention from senior leadership to say, no, you, you actually have to do this. And cyber might not be the thing that’s first and foremost on your mind, but it is where our nation state adversaries are going.

Frank Cilluffo [00:22:29]: And it’s the difference between nouns and verbs and actually doing it. So one of the, the other, so this is software, and we’ve also got supply chain issues around hardware. Then you’ve got, really confounding is firmware. So we’re nowhere. We’re very early innings in being able to have any visibility into our supply chain. Is that fair?

Nick Leiserson [00:22:52]: Yeah, absolutely. And it’s something that I think…

Frank Cilluffo [00:22:54]: Which is scary if you think about it. If you don’t know what’s in your system, I mean, if you’re eating poison all day, you die. So we’ve got to figure out what that ingesting all this could look like. Right?

Nick Leiserson [00:23:08]: Yeah. Looking at ingredients lists, right, is the analogy that’s normally used for good reason. Right? Which is, I think a lot of folks that are outside the cyber policy domain don’t really have a great sense of how little we might know about what components are on that motherboard. It’s just kind of like shows up and it’s there.

Frank Cilluffo [00:23:28]: It works sometimes.

Nick Leiserson [00:23:29]: Right.

Frank Cilluffo [00:23:31]: And if it doesn’t work, it’s, it’s expected that it doesn’t work. Which was an old World War II, UK, that’s how they deceived the Nazis in terms of radar. So there are analogies here. So early innings, what else should we be thinking in terms of F5? Do you think that there’s been any impact of the lapsing of CISA 2015 and sharing of information with the government? I think we’re still early stages, so we don’t know. But I’d be curious what your thoughts are there.

Nick Leiserson [00:24:05]: Yeah. I mean, my general hope on CISA 15 at the moment is that the lawyers don’t listen to your podcast. Right? Like, because that is the thing. One of, one of my colleagues at IST was like, Megan Stifel, who is a former Justice Department official, was like, yeah, the problem is, as it always was, the lawyers. That’s the problem with this lapse.

Frank Cilluffo [00:24:31]: Absolutely. Put the lawyers in the driver’s seat, not the security.

Nick Leiserson [00:24:36]: They are back in the room to the extent that they’ve caught up on it. And my concern is the longer this lapse goes, the more likely the lawyers start to say, yep, we need to be in these conversations. And it’s why it’s so critical that we get a reauthorization. And while I am, as a, you know, former Hill watcher, current Hill watcher, former Hill denizen, very confident that when the government reopens, we will get a short term extension of these authorities, that is no substitute for a permanent reauthorization. And we need to find a vehicle that we can get a permanent reauthorization on because otherwise all the wheels are just going to be spinning. Much like this government funding fight right now to get an extra three months of CISA 2015 liability protections.

Frank Cilluffo [00:25:26]: And trust is everything here. And if the government isn’t seen as a trusted partner, if it can’t live up to its end of the bargain, you’re going to see industry maybe look at this a little differently. It’s taken so long to get us to where we are, which is nowhere where we need to be. To step backwards a decade would be negligible. It would be wrong.

Nick Leiserson [00:25:51]: Yeah, it’s, it’s, very much so. And it’s similar to, you know, like we need to see some more leaning in with industry on some of the critical infrastructure partnership authorities that allow the sector coordinating councils to talk about policy. Like you hear testimony after testimony from folks in industry saying please bring this back because it was an effective tool for talking with folks. And that’s separate from CISA 2015. It’s like all of these to ensure that the government continues to be looked at as a trusted partner. Communication is 90% of the battle. And when you can’t have communication because you’re afraid it’s going to be FOIA’d because of the Federal Advisory Committee Act, for whatever reason, that’s when trust starts to break down.

Frank Cilluffo [00:26:38]: Well said. We’re coming near the end of our time. But you’ve also written a bunch about breaches in the US Court system, which I’m not sure most people have been paying a whole lot of attention to. Anything you want to bring up here for, for our viewers and listeners.

Nick Leiserson [00:26:56]: Yeah, this, this is just one of those things that’s vaguely terrifying and it takes a lot to terrify me after 15 years in this space. But as best we can tell from public reporting, either there’s been one continuous breach since 2020, or at least similar types of actors are continually being able to get into the federal court system. And I think it’s really important that policymakers look at this as a case study for what happens when a well and truly sophisticated adversary gets onto something that’s really important. Because the courts have been raising this as an issue for years and they have done an admirable job from my standpoint as the Administrative Office of the Courts saying, we have a problem here. This is something we need to resource against. And what they have not found is super receptive voices in Congress or even in the administration, is something that we tried to help them with, but trying to get support. You know, the branches are distinct for a reason and there are good, good elements to that, but this is one of those areas where it’s falling down.

Frank Cilluffo [00:28:08]: Is this a funding issue primarily?

Nick Leiserson [00:28:10]: It is absolutely a funding issue and it really speaks to, again, like policymakers. I really like this as a case study because a lot of the challenges that they’re facing are applicable in other scenarios. And you just see it so clearly with the courts where they’re asking for more funding, they’re getting some of it and that they have to use just to instrument to be able to see, oh, we are well and truly owned, but they didn’t get enough money to actually fix the problem.

Frank Cilluffo [00:28:41]: Yeah.

Nick Leiserson [00:28:42]: And it’s just terrifying.

Frank Cilluffo [00:28:42]: And we’ve seen that movie before. Right? I mean, in terms of back office functions and criticality to actually getting things done, it’s amazing. Whether it was health care sector, we’ve seen a turnaround there, or law firms themselves, and they hold a lot of sensitive data.

Nick Leiserson [00:29:04]: Absolutely. But I mean, this is, this is one of the cases for me where it’s like, this is the US Government where we know that, you know, there is sensitive information that would be interesting to nation states there. So from a confidentiality standpoint, it’s a problem. But from an integrity standpoint, it is off the charts. Right? Like, if people lose trust in the court system, that is being held at risk right now. And I do not know, like, the courts have been trying to broadcast this for years and it has not landed. And that is an active, ongoing, we’re being held at risk today, that is not really getting attention that I think it deserves. And again, really points to challenges in how you think about cybersecurity policy solutions of being like, we can’t just give you enough to be able to tell, oh yeah, I’m owned. We got to be able to come in with actual solutions so that we’re not just like, okay, now we’re aware that you’re here, but we can’t really do anything about it.

Frank Cilluffo [00:30:10]: I often say policy without resources is rhetoric.

Nick Leiserson [00:30:13]: I use that line all the time, Frank.

Frank Cilluffo [00:30:15]: Is there anything beyond resources that, or is this largely…

Nick Leiserson [00:30:20]: They are very eager for operational collaboration as well. And again, like I lived through some of these challenges that we had with Article 1 when, you know, thanks to some very forward looking folks in the Committee on House Administration, they said, what if there’s a major breach of Congress? We don’t have inherent capabilities to respond to it. Like, you’re going to exceed what we can do as just the House very quickly. But how do we bring in the FBI in a way that preserves, or CISA or Cybercom or anyone, that preserves constitutional prerogatives for the legislative branch? And like we need something on steroids real fast to look at that issue for the courts to say again, the US Government might be party to some of these cases. There might be files that are protected from the Department of Justice from being seen at the moment. Like, these are hard problems to deal with, but they are problems we should have solved 10 years ago.

Nick Leiserson [00:31:25]: We need to solve them today. We cannot just sit here and say, yes, we recognize nation states have access to our court systems. What are you going to do?

Frank Cilluffo [00:31:33]: Nick, you’ve laid out so much here, we could go on for hours. And in all sincerity, so much to think about. But the tyranny of time requires I be a little bit of a tyrant. And I’m going to ask one last question. What questions didn’t I ask that I should have?

Nick Leiserson [00:31:51]: Well, Frank, you brought it up, resources. And again, I cannot tell you how many times, you were the first person that I heard with the policy without resources is rhetoric. We talked about that in the White House all the time. And it’s still appropriation season. Hopefully we will no longer see a lapse. But there are a couple of things that are really important on the spending side that I think it’s worth.

Frank Cilluffo [00:31:16]: Top three list?

Nick Leiserson [00:32:17]: Yeah, top couple. So one is a very bright spot from the administration’s budget request is for the Environmental Protection Agency grants for cybersecurity for water. The Biden administration put some money in there in the FY25 budget. It was not funded by Congress. The Trump administration doubled down, like, it really needs to happen. Water is very vulnerable.

Frank Cilluffo [00:32:44]: From a public safety standpoint, it’s at the top of the list. And it’s by no means at the top of the list of security.

Nick Leiserson [00:32:49]: Yeah. And one other area like that that I would highlight is K through 12 schools. The FCC ran an incredibly successful pilot in trying to bring more cybersecurity resources to K through 12 schools. Over the last year, it is done. It is a perfect pilot program where it’s like, let’s try it out. Let’s see if it worked. Like gangbusters, it did. It’s been incredibly effective.

Nick Leiserson [00:33:14]: But it needs Congress to stand in as part of Universal Service Fund reform and say on a permanent basis, we’re going to ensure that you can use some of the money you’re getting from the Universal Service Fund not just to buy state of the art 2001 basic network appliance firewalls, but the tools that you actually need to protect yourself today.

Frank Cilluffo [00:33:37]: Nick, thank you for spending so much time with us today. Thank you for all your hard work in this space. I failed to mention even your National Cyber Director role when I introduced you, so you’ve done so much that I had already forgotten about that. So thank you for all you’ve done. Thank you for spending time with us and keep doing good things.

Nick Leiserson [00:33:56]: Thanks, Frank.

Frank Cilluffo [00:33:57]: Thank you, Nick. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.
