Skip to main content

tv   Washington Journal Mark Montgomery  CSPAN  January 5, 2022 5:48pm-6:33pm EST

5:48 pm
journal" continues. host: joining us is mark joining us now is mark montgomery senior director of cyber technology innovation and senior adviser for this cyberspace solarium commission. thanks for joining us. a couple of things about your organization what is the foundation defense of democracy particularly when it comes to cyber issue what's your main point of interest? >> reguest: it's a nonpartisan nonprofit think tank in washington that looks at a number of security issues and specifically it has three centers one on military power
5:49 pm
one on economic power and one on cyber and technology innovation. cyber technology center focuses on how we make our critical infrastructure more secure for criminal actors. host the wind it comes to the other, you're their title this cyberspace solarium commissioned what is that specifically lacks >> guest: this cyberspace solarium commission was set up by the national defense authorization authorization act came about because senators like john mccain where were for at the time were becoming increasingly uncomfortable with their ability to deal with cybersecurity threats particularly below use of force in other words threats done by nationstates or criminal actors said didn't engender a response from united states so senator
5:50 pm
mccain's conclusion was it was not working throughout cyberspace net thatt lower-level malicious actors could do quite a bit of damage to our national upper structure so he did what any congressman would do which was set up a commission and the reason he believed in this was because he had been working for 10 years to try to get cybersecurity more secure to working with the executive branch and it just wasn't happening. so working with democrats and republicans in the house and senate they all agreed and the commission was set up in senator mccain a really smart man on how to get thingsge done he made sure we had for congressional members. senator angus kingr of maine te independent caucus of the democrats senator ben sasse jim langer then democrat from rhode island and senator mike gallagher republican of wisconsin. in addition we had for executive
5:51 pm
branch managers and the director of the fbi the deputy director, excuse me the deputy secretary of defense the deputy secretary of homeland security and the deputy director of national intelligence in addition we had six outside experts who could oversee government officials think tank leaders of those commissioners were supportedal a staff and studied this dutch a tory -- in the case of one year to come back with real solutions. so nine months issued in 2020 and since then we spent the last 18 months to legislative cycles fiscal year 2021 in fiscal year 2022 cycles trying to turn the recommendations of that commission into line we have been highly successful.
5:52 pm
we have had 82 original recommendations 50 of which were legislative and the measure between 60 and 80% of those recommendations are either in law or being carried out by the executive branch which is a high strike rate and in fact it reached its natural length by congress and now it's a non-governmental organization led by the same congressman sitting outside experts and i'm the executive director and a 501(c)(3) nonprofit will continue to advocate for implementing all those are airshow reports are a hoax. >> host: as far as the issues in the world of cyberthreats many americans today serve ransomware but you spoke on an op-ed when it comes to water systems in the united states. what got you're just in that? >> guest: the commission pointed out there are threeco or
5:53 pm
four of critical infrastructures and 16 critical infrastructures by executive order. you may remember that president biden show this list to lipresident putin and he said sy away from these critical of thee structures. several of them concerned is greatly one with pipelines and another was water and health care provisions. the commissioners asked a bunch of us were different think tanks to take a look at some of the issues in detail. thenc one that concerned me and the reason i take that personally was because i think water is a critical infrastructure that's at the nexus of national security and economic stability and public health and safety. water is in all of them and it enhances the other and informs and enables the other critical infrastructures for by the military energy infrastructure relies heavily on waterst for
5:54 pm
structure in its system so if waters and functioning in a certain region is likely rapidly thereafter energy will -- energy production will not be functioning so seeing this as a critical and the structure and the weakest link in these critical infrastructures we did a study onic it. >> host: so the op-ed talks a lot about the specifics and you read abouts an experience of the small town in florida. what was that experience and what does this say about the larger issue of our water system? >> guest: it was an old font florida 11 months ago just before the super bowl and what happened was a malicious cyber actor still not identified had gotten into the system probably. either a pre-existing flaw or
5:55 pm
delivery of spear fishing and that hasn't been revealed yet by the fbi and was able to manipulate the system and what this person target was a little unusual in the sense that they took complete control and locked up their parties and they instead decided to change the chemical -- so the amount of why that controls the acidity of water. low levels makes the water more -- to drink at high levels can make the water a danger to help and to attempt to increase the level of lie in the water. the malicious actor was doing this atg the same time around e system at the same time an
5:56 pm
operator was sitting in the console so the operator was able to see this an appropriate activity going on. in the rate he saw it twice. the first thing he didn'tt do anything about an hour later he reported it to his bosses and they were able to stop this potentially harmful change in the chemistry but it really was a random act of love that we are both a stop as. it points to the fact that her systems are incredibly vulnerable to malicious acts by either criminal actors are nationstates and their a number of other examples. they weren't exploited in the same way that initial services or banks have. it's t a much more lucrative ac. the water critical infrastructure is exceptionally vulnerable to cyber penetration. host the hour guest with this
5:57 pm
until 8:45 and if you have questions about the vulnerabilities that he i talks about and for highlights in the report in the op-ed called (282)748-8000 democrats to 027,488,001 for democrats. mr. montgomery you can talk about other cases as well? >> generally what makeste us vulnerable particularly in the water industry is versus how much the industry spends on its cyber security and the second is how well does the government agency that spared of that industry supported. both of those are flawed and don't give an example. financial services, the banks took over 20 years to learn hey we are really susceptible to and
5:58 pm
we are being targeted heavily by cyber criminal actors so some banks have spent upwards of $700 million a year on cybersecurity. that's more than most federal agencies except the department of defense. that's more than most international countries. an individual u.s. bank is spending that and they are highly supported by a heavy regulated and the department of treasury. that's a marriage that leads to high cybersecurity. tens of thousands of banks in americahe specifically say our biggest banks. when it comes to water, water utilities are generally about 80% publicly owned and operated by your county, your town and some kind of local government
5:59 pm
organization. that is not the definition of an organization that will be rich with excess funds or able to rapidly give the grantor funding to solve the security issue so they are very much governed by bonds to raise money and a very slow not agile response mechanism and they are really complicating factor is two decades ago they heavily automated the water industry in other words take the man or the woman out of the loop. at the time there didn't appear to be a cybersecurity threat. now 20 years later there's a big cybersecurity threat with these heavily automated systems and we don't have the excess funds to payxc for them so we have got to
6:00 pm
do more and spend more money on cybersecurity. in that regard the government, the sect their mandate to the environmental protection agency or epa has not done properly resourced to ergen eyes to support the utilities and their cybersecurity efforts. the federal agencies have a lot of important roles and than they spend their effort on important issues likee moving lead based piping in our water systems and working on climate change issues. they have not focused their multiple administrations in a bipartisan way they have not focused on cybersecurity. asy a result they are very ill prepared to support a industry in terms of cybersecurity and the best example of this is their office of water cybersecurity probably has under five people in it and when you compare that to 55,000 water
6:01 pm
utilities and 15,000 wastewater utilities and five people trying to help 70,000 bureaucratic organizations, that's not the type. what you need is a good government support agency married with the good well-funded industry and that's when you have tight cybersecurity. >> host: mark montgomery with the foundation for the defense of democracies center on cyberand technology innovation talking about cyber concerns particularly with infrastructures to talk about -- james in washington d.c. good morning you are first up. >> caller: thanks for having me. my question to mr. montgomery is what is our energy grid at risk as well and the second question how do we move forward with legislation? how do we get our legislative ranch to act on this because it
6:02 pm
seems like we are now on the 21st century that should have been1s taking care of in 1990 to be honest with you. >> guest: those are two great questions. first of all energy is in a better position. a lot of the energy is privately-owned and not publicly owned and they have the ability to address rates. does allow them to respond to these cybersecurity issues more agilely and it's more around 10 to 15% publicly owned electrical utilities versus the 80% i mentioned with the water. the department of energy has been an exceptionally good agency. they have applied themselves and an assistant secretary while deals a cybersecurity that happened during the trump administration and so far it has not appointed somebody and on occasion the secretary of energy
6:03 pm
has indicated -- i hope secretary granholm is unsuccessful in that effort. in general should does make sure there's enough funding for the organization and its literally 20 to 30 times the size of this water equivalent but it should be the sameen size. energy is secured and it needs to have the opportunity to be secure and have the same kind of nsa department of homeland security report about water that caused us to write the op-ed similar to the energy sector as well. they are under assault both from criminal actor is particularly with ransomware. also from nationstates that implant malware into our electrical power grid and there've been reports on that.
6:04 pm
of course energy is tied to water. if the water filled energies in trouble so energy has concerns. the legislature has done more -- the u.s. congress has done more in the last two years than they have done in the previous 20 years on cybersecurity legislation. i would consider the last three years of cybersecurity a bonanza. there were 40 new legislative laws passed three years ago and 60, two years ago and 40 last year. the national defense authorization act and the bill with legislation passednd within the bipartisan infrastructure plan for example. you are correct in saying they haven't done everything they need to do and in fact in the report we detailed career for different areas where legislative action is still
6:05 pm
required and i give you one specific one. it's extremely disappointing and frustrating that while we do set aside $14 billion so about $3 billion a year in very specific grants to water utilities. cybersecurity is competing with those. the they say you can spend this grant money on droughts, severe weather issues, natural disasters, rising sea levels or cybersecurity. so basically they say here's some money for an apocalypse or water cybersecurity. 99.9% of it is spent on the cyberapocalypse and not water security. easy to ignore the very short term. in long-term and advocated failure to follow cybersecurity
6:06 pm
upgrades means you are not worried about sea level rising and natural -- the utility is that identify risks in the system go beyond their ability to fund and they have a place to go for grantor low-interest loan depending on the size and the use of that utility. >> host: some of theni recommendation on this issue makes when it comes to the governor making the policy the epa and the management agency directing cybersecurity and direct the infrastructure security agencies to support a cybersecurity programs. let's hear from e. and in florida on the republican line. >> caller: hi. i just wanted to thank you first
6:07 pm
of all for being here. i really appreciate being able to talk to you. i may ucf graduate. i'd been in central florida for quite some time and i will say the water here has been for quite some time and i'm just curious in your personal opinion what can the central florida environment due to improve the water here because it's really been absolutely. >> host: there in florida the system you are speaking of how modern are the systems in a critical location and how would you describe that?
6:08 pm
>> guest: the caller hits on a great point which is it's really and consistent and they are very small water utilities that have a real challenge in upgrading and improving the quality of the drink ability of the water and the security that goes with it.t in fact there is 60,000 drinking utilities and americans over 40,000 the surf less than 3000 people seek and imagine just getting the payments from the 3000 people there is almost no room for long-term investment. really that's where the government has to come in. when you set up a system like this where something is distributive as it is in the government does have to come and help a little and water, like energy and transportation are one of the things that
6:09 pm
government revised the backbone to public utilities so that's a great example. let me talk about one of our recommendations on how to help. we have a program the department of agriculture is has this great program called the circuit rider program. imagine men on horseback riding aroundri the water utilities. it's a small water utility that serves farms in rural areas and they are not on horseback and they are probably in an f-150. how should my piping be laid out and what's the pressure on this manhole supposed to be an important step like that. they get on the computer and give cybersecurity advice. whatever a small program in small rural areas to fund 50 cybersecurity circuit 5 riders d
6:10 pm
this is working with the national water association one of the associations for the small rural laces and now you haveav two guys men and women running around servicing these rural and farmland areas and they are probably not an f-150. a prius and a drive round with a computer saying let me run some penetration testing and let me examine your system and help get it up is that those are not subject to ransomware. these small systems are vulnerable to criminals as bigre systems are go with that program we could rent for $5 million a year and really enhance and diagnose the smaller industries to help getle the water, get the cybersecurity of the water on par with some of the other issues to the circuit rider program. >> host: from clarke in florida hi on the democrats
6:11 pm
line. >> caller: good morning. i care about cyber. i also care about industries and pollution and runoff and surge. me personally would rather have -- monitored and that money going toward that direction. >> host: that was clarke and let's hear from debbie on the democrats line could you are next. >> caller: good morning mr. montgomery and "washington journal." as a tax credit and a public service since waters is inextricably tied to energy why to not all oil companies pay for it and why it is that not get regulated through the department of energy as a mandatory service
6:12 pm
>> guest: i think the use of the water would be energygy production and they do pay for the water they get is the cooling medium so they have that requirement how muchw that is charged for is something that could be. the truth is the water utilities have not been good with the money they have with infrastructure so i'm nodding sure increase that rate would necessarily increase the cybersecurity must we had a lien on the utilities to say hey it's time to make that investment. you have a lot less people standing watch operating valves and pumps in the large rural system better pumps that are 20 or 30 miles away from the headquarters in the distribution
6:13 pm
manifolds for the reservoirs and such. that's all been automated. they need to make the investments in cybersecurity and i would like to keep management with the epa they are responsible for the element of water and they do work on the lead pipe abatement and they do a lot of great work of the epa. they just need to come up to speed on this cybersecurity. >> host: mr. montgomery we saw multitrillion. infrastructure bill passed this week signed into law by the president. how much is that dell was cybersecurity shows prigioni critical infrastructure that you does describe? >> guest: that's a great point and i will say when he it came out the president said this bill does allow for cybersecurity. it'syb one of the first upper
6:14 pm
prescient bills that highlight cybersecurity specifically. here is where it's less of owen. 1.2 trillion which is 1,200,000,000,000 there was 2 billion worth of cybersecurity and when you do the math that's two over 1200 so that's a little over zero-point --% so it's great great that there's 2 billion there. i want to keep it in perspective. it was a small percentage overall and what it did was it gave specific money to the cybersecurity t infrastructure o a critical agency that's really the quarterback of the federal government cybersecurity response. they work with the federal agencies and they work for the transit white house. they are kind of that quarterback the works on those
6:15 pm
issues and they were given $500 billion worth of funds for different things to do including what's called the cyber response and recovery fund which is for providing money after-the-fact after there has been some kind of cyber event or crisis to help restore systems rapidly and get them up andy going. it's something our commissioner have been asking for 42 years and also a billion dollars to state and local governments for cybersecurity. some of that could go towards water. i think by not having a direction to do it a lot less than we would hope would go to that. that's going to go to the cybersecurity modernization under the state and local governments. this was in thete covid response when the excessive number of people were applying for an employment relief in the state and local systems were really under duress as they were outdated and outmoded.
6:16 pm
the money for cybersecurity i think a lot of that would be spent on what i call i.t. modernization which improves very little. not efficiently. finally the money image and earlier about $14 billion overall for grant programs over five years for water utilities and my concern there is cybersecurity was the foresight of the apocalypse. at least historically are the last 15 years cybersecurity within avalon. the money doesn't get >> and it has a lot to do withit utilities are spent at how they are organized into these grants. >> host: will go to ryan in benton harbor, michigan. >> caller: good morning. thank you mr. montgomery.
6:17 pm
recently we foundea out the lead in the water situation is the worst in the whole country. we are about 50 minutes from flint so what i want to ask is i don't see theth urgency coming n at all. i want to know how that system works with the money that which is spent on infrastructure and how do we follow the money to make sure we are getting the proper response is we should and in the future if this doesn't happen again where it set up and we say hey now we need it whether it 100 years from now or whatever because i know the infrastructure would take 100
6:18 pm
years. >> guest: there is money for those sorts of things also. the epa is in a bipartisan way over number fears trying to identify needed investments in water infrastructure and there is a significant act log of hundreds of millions of dollars if you look at the latest studies. there's also a lot of money in this infrastructure bill ander generally the epa to deal with this. i think the administration took that very seriously. >> republican line. >> caller: my question is why are these systems clues to outsiders? why are extremely limited people able to access this and make
6:19 pm
changes and how can people from the outside increased -- in your water system? >> guest: that's a great question out tell you they should be closed. they are talking to systems downrange to communicate. what's generally happening i think the mostly likely source f penetration by the adversary malicious actor is spear fishing. two operators enable a piece of mao were and the adversary is now on the system. i will telle you and general three things you can doer is cybersecurity that will make you 99.9% secure and one is a complex password and never two is multi-backup identification number three don't answer e-mails from nigerian princes
6:20 pm
more specifically. if you do those three things don't hit links from unknown sources. he do those three things you're going to make yourself and your company and your water utility more secure. unfortunately those are not practice and your identification is not required. those are the things that i would think would it improve cybersecurity. >> host: stephen in salem oregon on the independent line. >> caller: can you hear me? i would like to comment about sustainable energy and being off the grid eliminating having to build the cybersecurity plan for it.
6:21 pm
i want to say cybersecurity -- [inaudible] so thank you for getting that information out there and i like to get ideas when i hear people speaking. i also wanted to say that. have a great day. >> host: mr. montgomery when it comes to recommendations when it comes to this issue with the cybersecurity oversight program and to amend the american water of the structure at and assessments, are there not programs already for the government and industry on these issues? >> guest: surprisingly there's
6:22 pm
very little on water and i compare that to the think tanks we'll tell you we don't just haveag one federal agency regulating our cybersecurity that three or four so what i would tell you is there was a law passed several years ago in the water infrastructure act and in their they have water utilities conduct risk assessments and create long-term emergency response and recovery plans. the epa can provide guidance on how to do this risk assessment at in the area's epa has not only not provided it. until recently they actually said we are not giving a standard for doing this risk assessment on cybersecurity and i think that's a real fault. they should be providing some kind of standard to be looked
6:23 pm
at. i make the point that i really think we need a joint industry government sector and probably there's an oversight function of the epa. the folks managing the standards development needs to be done by the water industry. there are a lot of good water industry associations. there's something called water information sharing group and there's a debbie sec which is w scc water counsel that works between the government and its association and they can provide that standard. most importantly the national
6:24 pm
information standards technology is to send the technology from the department of commerce and they provide different pieces of technology. they can help develop the standards and they can work together and consult with different stakeholders and eventually build a regulatory regime if that's necessary and if he can dogu it through a joit oversight that would be great. epa needs the leadership of the epa is the years if not decades away from being in a position to regulate this industry because of their current of investment in the organization. that's how i see that as a joint government industry that has to be heavily industry-led at least for the first decade.r th >> host: a caller from louisiana democrats line to go
6:25 pm
ahead. >> caller: i want to mention something. mark it seems from my understanding that the epa is a malfunctioning organization. the more i listen to you explain a lot of things it really comes to what they do and i keep hearing how they are not doing this and they could be doing that and the reason they are doing this, what i'm thinking is our folks in washington who are in control of the epa, they need to go in there and i would say restructure everything and replace people if that's necessary because mark this is so important. i give an example. >> host: were a little bit of
6:26 pm
time caller. mr. montgomery go ahead. >> guest: i would sharpen it a little bit. the epa does a lot of things well. they do this partly because i don't resource and the callers said they are not organized so we recommend organizing them. the bidenor administration -- te trump administration gave an increase or made million to 10 million of over the years in the biden is giving 10 to 14 million. the real amount that's needed is around 25 to 50 million. you don't tripled government agencies, it's like earning oil in a barrel but it's three to five years for this office. the support element in the private sector they are required by law to provide us as citizens
6:27 pm
could oversight. we want a high-performing cybersecurity program at the epa and the report -- the support from says a and the department of congress and the department oft energy and i really think that the solution but it requires money. small money in the overall epa budget that requires money and organization to get it right. >> host: mark montgomery with the foundation of democracy. mr. montgomery thank you for being with us today. >> guest: thank you pedro. i really appreciate you tackling this issue.
6:28 pm
6:29 pm
the supreme court is considering challenges to the administrations vaccine mandate for help their workers and companies are private businesses that employ more than 100 workers. will have live coverage of the oral arguments friday starting at 10:00 a.m. eastern on c-span. you can also go to or use their free video app c-span now.
6:30 pm
.. we watch online any time ♪ ♪ clark's presidents conversations while in office. many conversation on podcast presidential recording took season one focus on the presidency of lyndon johnson. you heard about the 1964 civil
6:31 pm
rights act of 1964 presidential clinic, the march on selma and the war in vietnam. not everyone knew they're being recorded. >> certainly johnson secretaries new. they were tasked with transcribing many of the conversations. in fact they made sure the conversations were taped as a johnson with a signal to them through an open door through his office and there's a break. >> you also hear some blunt talk. >> i want to report a number of people the day he died. [inaudible] i promise i'll go anywhere i will stay right behind his black group. >> sees ben now mobile app.
6:32 pm
>> attorney at general merrick garland spoke of the one-year anniversary of the attack on the u.s. capitol. he provided an update on the justice department role investigating and prosecuting those responsible. in the justice department this is 30 minutes. [background noises] [background noises] [background noises]


info Stream Only

Uploaded by TV Archive on