One of my SANS students challenged me recently that I haven’t posted on my blog in a while; I realized I hadn’t and checked today and found that it’s been almost a year since my last post. So first of all, apologies on the delay. I’ve been busy (Dragos, Inc. has been expanding rapidly and we’re about to reach 60 employees, my wife and I welcomed our first born into the world, and industrial cyber attacks haven’t exactly slowed down); however, no excuses, I should post and share my experiences more and appreciate the folks who take time to read. This post comes as a request from some attendees at one of my SANS @Night talks where they asked me what the experience was like and how it happened. I feel that it’s really not transparent how someone gets to testify in front of the Senate and what all goes into it, so I hope this post is useful to illuminate the experience a bit. The recorded testimony can be found here.
How I Got Invited
I imagine most folks’ path to testifying in front of the Senate is different. I also assume for most they are seen so widely outside their own community as an expert that it’s a natural thing. My experience was a bit different. One of the things that motivates me a lot is educating people especially on topics of intelligence and industrial security. The intersection of those fields with policy is pretty clear and unavoidable. I’ve also always been a bit outspoken about individuals speaking on and influencing technical discussions without having technical experience. This has led me to getting involved in educating policy folks on topics of industrial cybersecurity, especially critical infrastructure. An ex-Senate staffer I ran across asked if I’d be interested in offering some sessions for Senate and House staffers on the topic of electric grid cybersecurity. Over the course of about a year I would routinely go to DC and spend a few hours talking about how the power grid works, what cyber threats actually do, and demystifying a lot of the hype (yes our infrastructure operators have made fairly resilient infrastructure, no cyber threats aren’t magic or all powerful, and no Ted Koppel’s book is not accurate in the real risk). In addition, I got invited to speak on a panel on cyber threats to the grid at the Siebel Scholars’ conference with a panel made up of Richard Clarke, Kevin Mandia, and Liam O’Murchu (which was moderated by Ted Koppel…super nice guy, he just didn’t write a technically accurate book). While at the dinner another Senate staffer liked what I had to say and offered to keep in touch, I exchanged cards and that was that.
Eventually it was the staffer from the Siebel event that emailed me out of the blue one day asking if I’d be willing to testify in front of the Senate’s Committee on Energy and Natural Resources on cyber threats to U.S. infrastructure. Because I had spent time with other staffers in the Senate the recommendation went over well as a few of the other staffers knew me and agreed I’d be good to have on the panel. What I also really enjoyed was finding out that both Republican and Democrat staffers had recommended me; I joked with them that they all thought I was on their “side” and that they couldn’t figure out where my politics actually fell (to be honest I’m not political, just opinionated) but in truth they were all just on the same page of wanting to protect infrastructure and didn’t care about the politics around it.
Preparing for the Testimony
In preparation for the testimony I used YouTube to watch other testimony to the committee on the subject of cybersecurity and determine what type of questions the Senators had previously. I also pulled the written testimony of Thomas Rid and Kevin Mandia, two individuals I respect in the field that have also testified, and looked at their style of writing and what they chose to highlight. I then prepared my written testimony on the key points I wanted to get across. For my testimony the three key points were essentially:
- that the industrial cyber threat landscape is largely unknown, so we cannot just adopt IT cybersecurity frameworks/regulations/best-practices into industrial networks because they were built off of risk observed from cyber threats targeting enterprise networks and how to handle them
- that regulation has served a purpose (such as NERC CIP for the power grid) and helped the industry, but that we have exhausted reasonable regulations and the industry is struggling to innovate or do real defense in the face of new regulations that come out every few years
- that the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), which was being formed at the time, has a unique opportunity to work with the private sector and form partnerships not only with asset owners and operators but also the private sector security community; many of the government’s actions right now in reaction to fear of cyber threats are quickly pushing them into being competitive with private sector firms that are actually better equipped to deal with certain situations, and we should all attempt to play to our strengths instead of competing
It was interesting to try to distill everything I ever wanted to say down to effectively seven pages (found here) and to do so for a non-technical audience of policy makers. Some of my points, such as highlighting that technologies such as artificial intelligence aren’t a silver bullet for security, were put in to directly counter some of the things the Senators had been told in previous testimony that I felt misled them. I then sent out my testimony to people I knew and trusted around the community who helped me steer clear of any wording or language that might come off wrong. As an example, I was mentioning “NERC,” “DOE,” and “energy companies,” so I sent my written testimony to people I trusted at NERC, DOE, and numerous energy companies to make sure I was representing them the best I could. I.e., don’t get in front of the Senate on TV broadcast across the country and talk out of turn about matters that impact others.
What I didn’t expect was that the list of people testifying goes public well before the hearing, so people reach out to you and the Senators about you. I had various interest groups email me trying to get their points included in my testimony; almost exclusively it was groups I’d include in “the crazies” category. The two most surprising were a group that wanted me to bash NERC and tell the Senators how the grid was so fragile and needed new oversight and something about EMPs (please stop with the EMP stuff), and then a member of the industrial community who emailed some Senators directly and, from what was explained to me later by a staffer, essentially petitioned them not to listen to whatever was going to be said about cyber threats and instead to realize that level 0 sensor cybersecurity is the only relevant topic. I consider this person a friend and long-time community member and do not think he was being malicious, but to be honest I found that to be pretty rude because it, intentionally or not, was a distraction and could have subverted the points of the people that were presenting on the topic. (I’ve avoided the level 0 debate in the community because it becomes almost fanatical, but in essence my position is that all the risk we’re seeing due to cyber threats does not start at a sensor level, and if you do not learn what the adversaries are doing, how they’re doing it, and counter them before it ever gets to that level, you will lose out.) I only include this discussion of unexpected components to testifying to note to everyone that Senators and staffers get all sorts of things sent to them all the time. You really need to be active in the process to counterbalance the viewpoints, but also ensure you do so in a manner that is conducive to the overall narrative.
Delivering the Testimony
For the verbal testimony itself you cannot read from your seven-page written testimony. The Senators have a very limited amount of time to hear testimony and ask questions, and they want every second to answer as many questions as possible. They are extremely busy and this is genuinely the time they’ve dedicated to focus on this specific topic. So you get five minutes to summarize your points, they’ve read your written testimony in advance, and they get a few minutes to ask you questions back. Who they ask questions to is entirely dependent on the Senators and who they want to talk to and on what subjects.
I have to admit I was actually pretty nervous delivering my written testimony. This was a recorded event and not even live. I’ve been on live news before on channels such as CNN and Fox in front of millions of people and felt more confident. I speak at a lot of venues. I’ve keynoted numerous conferences. And none of it compared. This was nerve-wracking and I had to steady my hand by holding the paper in front of me. I also made a deliberate choice to speak fast and get through as much material as possible in the five minutes; I knew the Senators had already read the testimony (or at least their staffers did) and that they had prepared questions, so my verbal testimony was intended more for those that watched the hearing after the fact. When it came time for the Q&A session I was back in my element and felt confident. But that verbal testimony was the most nervous I’ve been in a while.
I found the most important part of the verbal testimony was to try to answer the Senators’ questions as quickly and coherently as possible. I also found that all of their questions were extremely reasonable. Even those that appeared to have an agenda were actually only getting clarification on points they had previously been told by others. And to be honest, more lobbyists and self-interested people try to speak to Senators than folks doing the mission. What that meant to me is a clear understanding that some of the Senators’ views on topics such as just disconnecting the grid from the internet were based off of other people and not some agenda of their own. To be honest I found that the Senators all cared deeply about the topic and were highly professional. The country definitely feels divided these days, but in the hearing I was in, at least, everyone there seemed to sincerely care about infrastructure security with no partisan political games tied to it.
At the end of the testimony I also felt that I won some major kudos points at home. My son was being born that day and my wife and I both felt that I should still go and testify; she is an immigrant from Holland and I served my country in the military, so we had this extra sense that this was something patriotic that had to be done; so she gave me the go-ahead (luckily I didn’t miss my son’s birth though). The Senate was apparently informed about my son’s imminent birth and just how awesome my wife was being by letting me go…so on official record, at around 2:06:17…Senator Murkowski and the committee congratulated my wife and thanked her, and I got on official record “she’s awesome,” so in essence…I win.
It’s really difficult these days to talk about politics with how divisive it gets, especially in the media. We have things that make us very passionate and strike at the core of who we are and what we believe in. I’m not political at all and even I’ve been extremely bothered by some of the things I’ve seen, such as the consistent attack on the U.S. Intelligence Community. However, testifying to the U.S. Senate was the most uplifting political experience I’ve ever had. I swelled with pride in a way not easy to describe and felt the joy in this grand experiment we call democracy in a way I found unexpected and amazing. I would encourage the technical practitioner community to engage your elected officials and their staffers. Seek to educate others. And if you get the chance to testify, take the opportunity and try your best to represent the community well in doing so; it was an amazing experience that I highly recommend.