The Justice Insiders - Incidents in the Material World: SEC Adopts New Cybersecurity Rules

Podcast

Episode 17: Incidents in the Material World: SEC Adopts New Cybersecurity Rules

Host Gregg N. Sofer welcomes Husch Blackwell partner Erik Dullea to the podcast, where we discuss risk management, strategy, governance, and incident disclosure in the context of the Securities and Exchange Commission’s recently adopted cybersecurity rules. Adopted on a 3-to-2 party-line vote, the new rules introduce significant new compliance burdens for U.S. businesses, including the disclosure (on Form 8-K Item 1.05) of material cybersecurity incidents—describing their nature, scope, timing, and impact on the financial condition and results of operations—to be filed within four business days of a materiality determination. There is also a new requirement to describe processes for assessing and managing material cybersecurity risks, board oversight, and management expertise in handling such risks.

We will explore the practical matter of how businesses can approach these regulations as well as larger issues pertaining to national security and critical infrastructure.

Gregg N. Sofer Biography

Gregg counsels businesses and individuals in connection with a range of criminal, civil and regulatory matters, including government investigations, internal investigations, litigation, export control, sanctions, and regulatory compliance. Prior to entering private practice, Gregg served as the United States Attorney for the Western District of Texas—one of the largest and busiest United States Attorney’s Offices in the country—where he supervised more than 300 employees handling a diverse caseload, including matters involving complex white-collar crime, government contract fraud, national security, cyber-crimes, public corruption, money laundering, export violations, trade secrets, tax, large-scale drug and human trafficking, immigration, child exploitation and violent crime.

Erik Dullea Biography

Erik is a Denver-based partner at Husch Blackwell who heads up the firm’s cybersecurity practice. Erik left Husch Blackwell in 2022 to take a position at the National Security Agency in its Office of General Counsel, serving as the acting deputy associate general counsel for the NSA’s cybersecurity practice group. He returned to the firm during the summer of 2023. A former officer in the U.S. Navy, Erik focuses on compliance requirements related to cybersecurity and data privacy, including statutory, regulatory, and consensus-based standards, with an emphasis on critical infrastructure sectors such as mining, energy, and aviation and the Defense Industrial Base (DIB). He represents defense contractors and subcontractors; companies underpinning electrical, wastewater, transportation, and smart city systems; and other major organizations facing extortion threats from malicious foreign cyber actors.

Additional Resources

Steven R. Barrett, Robert J. Joseph, Andrew Spector, Robert Fritsche and Brian Wetzstein. “SEC Heightens Issuers’ Cybersecurity Disclosure Requirements,” August 15, 2023

Erik Dullea and Andrew Spector. “Twelve Planning Tips to Avoid Complications with the SEC’s Cybersecurity Disclosure Rules,” August 2023 Part 1 | Part 2 | Part 3

Securities and Exchange Commission. “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” July 26, 2023

Hester M. Peirce. “Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” July 26, 2023

This transcript has been auto-generated using Adobe Premiere Pro.

00;00;01;23 - 00;00;37;18
Gregg Sofer
Ever wonder what is going on behind the scenes as the government investigates criminal cases? Are you interested in the strategies the government employs when bringing prosecutions? I'm your host, Gregg Sofer, and along with my colleagues on Husch Blackwell's white collar, internal investigations and compliance team, we will bring to bear over 200 years of experience inside the government to provide you and your business thought-provoking and topical legal analysis as we discuss some of the country's most interesting criminal cases and issues related to compliance and internal investigations.

00;00;37;24 - 00;01;07;20
Gregg Sofer
Welcome back to the Justice Insiders podcast. I'm your host, Gregg Sofer. And today we're lucky enough to revisit a topic, cybersecurity, that is on the minds of many business leaders throughout corporate America. But before we get into that, I want to introduce my guest today. We're lucky to have Erik Dullea, who was a partner at Husch Blackwell for several years, but he left in 2022 to take a really interesting position at the National Security Agency, the NSA, in its Office of General Counsel.

00;01;07;20 - 00;01;26;14
Gregg Sofer
And he served as the acting deputy associate general counsel for the NSA's cybersecurity practice group. Last month, fortunately for us, Erik returned to Husch Blackwell to head up our cybersecurity practice. So he's a perfect guest to discuss this topic. Erik, welcome back to the firm and to the Justice Insiders podcast.

00;01;27;01 - 00;01;32;17
Erik Dullea
That's right. I'm very happy to be back with Husch Blackwell and I appreciate the invite and the chance to talk today.

00;01;33;06 - 00;01;57;28
Gregg Sofer
And we're happy to have you here. Folks should know that Erik also had an impressive career as a U.S. naval officer. And you can look at his full bio in our show notes, and I encourage you to do that. So on July 26, 2023, the SEC issued this new rule, and like a number of other rules that they've issued and major changes, it was on a 3-2 vote, which was an interesting concept in and of itself.

00;01;57;28 - 00;02;33;19
Gregg Sofer
When you change the whole landscape of corporate reporting and you get it done only by a 3-2 vote. But they did adopt this new rule, which requires the disclosure of material cybersecurity incidents and cybersecurity risk management, strategy and governance with respect to public companies, including foreign private issuers. I wanted to start with something sort of basic. So if you can help level set us, Erik, with your expertise. Really, this rule I think mostly has implications for timing, and we'll get into that in a little bit.

00;02;33;19 - 00;02;43;02
Gregg Sofer
But I thought maybe you could describe for our audience what exactly is a cybersecurity incident and what is cybersecurity risk management?

00;02;43;27 - 00;03;20;25
Erik Dullea
All right. So the regulation defines a cybersecurity incident as an unauthorized occurrence or a series of unauthorized occurrences on or conducted through the company's information system. And then here's the next important part: that jeopardizes the confidentiality, integrity or availability of the company's information system or any of the information that resides there. And so in my mind, that means that you're looking at one event or a string of events where you have unauthorized access and it's on the company's information system.

00;03;21;11 - 00;03;54;28
Erik Dullea
I'll talk about that here in a moment. And it jeopardizes what is typically called the CIA triad, a well-known cornerstone of IT and security concepts: confidentiality, integrity, or availability of the system or the data on the system. I think that's interesting because they are talking about putting a qualitative or a risk measure into the definition, that you have an event that jeopardizes but may not actually harm the system or the data that's on it.

00;03;55;16 - 00;04;07;07
Erik Dullea
So right off the bat, looking at the definition, it has a qualitative component in it that corporate leaders are going to need to be factoring into their analysis and their decision making.

00;04;07;20 - 00;04;24;19
Gregg Sofer
Yeah, what struck me is that it didn't even matter really whether or not there was an actual theft, for instance, of information. That qualitative aspect you're talking about could be triggered even when the company doesn't actually lose any of its data.

00;04;24;26 - 00;04;58;19
Erik Dullea
Correct. And for me, what I haven't seen is the ripple effect, which may or may not happen because it really hasn't gone into effect yet. So we're going to wait and see what additional interpretations or guidance come out from the SEC as we get closer, or we get to the first test cases of companies that are in the unfortunate position of dealing with a material cybersecurity event: what will be the threshold of their jeopardy that will trigger that definition?

00;04;59;05 - 00;05;27;07
Erik Dullea
And it may be a question of, if there is a software vulnerability that's identified and disclosed to the marketplace, and when a company uses that software, has there been an intrusion that may have occurred? But if they can't ascertain whether the data or their system was actually damaged or resulted in data theft, were they still in jeopardy?

00;05;27;07 - 00;05;30;04
Erik Dullea
And will that still be a reportable or disclosure? All of that.

00;05;30;15 - 00;05;49;26
Gregg Sofer
Yeah. And then you bring up another, I think, critical point, which is this doesn't have to be the company's internal, proprietary, owned software. Right. This rule encompasses an analysis of vendors as well. Is that right?

00;05;50;07 - 00;06;23;04
Erik Dullea
You can certainly count it that way, and the distinction that the commission gave is they did not want to ignore the reality in today's environment of cloud service providers and, you know, the possibility of companies contracting away ownership of an IT system. So if a company is using a system, even though they don't own it, then they still have an obligation to be evaluating whether an incident is material and whether it needs to be disclosed.

00;06;23;04 - 00;06;31;13
Gregg Sofer
Okay. And the rule, and we'll get into some of the details of this, also just generally does very much focus on materiality, is that right?

00;06;31;23 - 00;07;04;25
Erik Dullea
It does. And the rule incorporates the historical securities definition of materiality. And I will freely admit I am not a securities lawyer. So that is not something that I am well versed on. In short, it's intended to look at whether a piece of information would in the mind or the eyes of a reasonable investor affect their decision to make an investment decision, or it would affect their knowledge about the company from an investment standpoint.

00;07;05;18 - 00;07;27;09
Gregg Sofer
So just in the first few minutes of this conversation, we see there's a tremendous amount of judgment, some terms that are certainly not defined without opening up a whole series of case law and other statutory interpretations. I mean, this is a very complicated legal landscape.

00;07;28;06 - 00;08;22;00
Erik Dullea
It is. And I believe that a fair amount of thought and planning are going to be required by corporate leaders that have the responsibility not only for a short-notice disclosure of a material cybersecurity incident, but for their annual reports, that they will need to put some thought and some planning into how they are going to disclose the risk management processes and strategies that they use, the resources that they bring to bear, disclosing or identifying third-party assessors, consultants, etc. that assist with those risk management activities within the company, and avoiding putting, in a sense, a blueprint of the company's network or defensive posture out for the world to see.

00;08;22;13 - 00;08;44;25
Erik Dullea
Because understandably, your annual reports and 8-K filings are public documents. So the world can read them. That's important from an investor standpoint, but it also means that malicious actors are going to have the ability to read them and take that information and put it into their planning as they're targeting your future becomes.

00;08;45;09 - 00;08;57;03
Gregg Sofer
Well, that's an interesting concept, and I'm sure the SEC got plenty of commentary on that. What are your thoughts about the balance between letting the bad guys know how you're doing things and letting investors know it?

00;08;57;17 - 00;09;40;18
Erik Dullea
Some of the best advice I've seen from other staff leaders in this area was to look for consistency in how those annual reports and the discussion on managing risk for cyber events are addressed, in contrast to managing other physical risks that we may see, whether it's complex facilities or being in a hurricane or tornado alley, some of those areas where you have known types of risk, and also taking into account the language that they provide to their insurance carriers on how they are identifying the risks, so that they can get the coverage that they need without running afoul of misrepresentation there.

00;09;41;01 - 00;09;53;26
Erik Dullea
So I would look for trying to be consistent with other types of threats and not treating cybersecurity differently from the other risks in the physical environment that a company needs to discuss.

00;09;54;15 - 00;10;24;04
Gregg Sofer
So again, we're talking about a company having to first be able to define what a cybersecurity incident is and then decide whether or not it's material. And then the rule, it seems to me, puts a very, very short timeline, four business days, from a determination that you have a material cybersecurity incident to the time of reporting by the company on a Form 8-K.

00;10;24;04 - 00;10;45;27
Gregg Sofer
And it's the new 1.05 section on Form 8-K. And that's going to require the company to make that public report and file it with the SEC. And given all of the complexity of trying to make these judgment calls, what kind of pressure does that put the company under, and how should a company deal with that?

00;10;46;15 - 00;11;20;17
Erik Dullea
There are competing schools of thought on that timeline, and we talked about it in the blog that Andrew Spector and I wrote for the firm a week or two ago. The timeline, I think of it as being either two steps or two timelines that are running in parallel. The first thing that the SEC said in the final rule is that once an incident is discovered, a company must begin making a materiality determination without unreasonable delay.

00;11;21;06 - 00;11;49;10
Erik Dullea
So the SEC is expecting that the company is going to begin a process of evaluating the incident to assess the materiality, the level of damage that it brought, the scope, and other factors that the company or its team would put in based on its business operations. Once they have made the determination that the event was material, that's when the four business day clock begins to run.

00;11;49;10 - 00;12;37;23
Erik Dullea
On getting the filing to the SEC. So in the adopting release, what the SEC acknowledged is they don't expect that it will be a week between discovery and reporting. They think that that would be an uncommon situation that a company would be investigating, and they do think that it will take longer. What I would offer up, though, acknowledging this is in the third part of our blog where we go through some of the suggestions, is that for any cybersecurity incident that a company is dealing with, evaluating whether it could be material or deciding that it's not material as part of their thought process, it should be added to their

00;12;37;23 - 00;13;13;29
Erik Dullea
playbook and their escalation procedures, and then have some documentation that would say why they made the decision that it wasn't material, and have at least a document that memorializes the fact that they thought about it: here's the information they looked at, here's the decision they reached, and keep a copy of it. Because that way, when the SEC enforcement division or any other regulator or agency with enforcement power came in to ask about it, that group would have the benefit of 20/20 hindsight that the company's leaders didn't have while they were going through the events.

00;13;13;29 - 00;13;40;02
Erik Dullea
They can at least show that they followed their process. They thought about the requirements of the rules. They looked at the facts, they made a decision. And at that point, the debate is not to be focused on those qualitative measures of was it material or not, and was the decision reasonable or not, rather than being caught unaware and saying, well, they can't prove that they went through that analysis.

00;13;40;15 - 00;13;53;21
Gregg Sofer
So certainly, given this potential enforcement regime, point number one is make sure you have a plan, make sure it's been well thought out, looked at by experts, and that you follow it when one of these incidents takes place.

00;13;53;21 - 00;14;23;01
Erik Dullea
Exactly. And I also think that for those plans, practicing them is a significant benefit that is often underappreciated. If you write a perfect, glowing, in-depth, lengthy plan and it sits on a shelf and nobody looks at it, it's relatively useless. And we all know from competitive sports, from military quotes and so on, that no good plan survives first contact with the enemy.

00;14;23;01 - 00;14;54;29
Erik Dullea
Or I think it was Mike Tyson that said no big plan survives getting punched in the mouth. You're going to deviate from a plan no matter what you write, because each situation is going to be different. But if a company's leadership team is accustomed to the idea of talking about this type of process and thinking about some of the what-ifs that will occur, and they're used to getting on the phone or talking to H.R., talking to their communications group, talking to the IT group, getting the requisite stakeholders involved,

00;14;55;15 - 00;15;02;06
Erik Dullea
they're going to perform much better than if they have never practiced or thought about what they would do in real life.

00;15;02;17 - 00;15;24;01
Gregg Sofer
That makes a lot of sense. And we talk about this with respect to other compliance programs also. Actually, the worst thing you could do is have a compliance program that looks shiny: there's a big, thick notebook on the shelf, it never gets practiced, never gets resourced, never gets tweaked, never gets modified to reflect changes in the company's business. And so I absolutely agree with that.

00;15;24;01 - 00;16;07;08
Gregg Sofer
Don't agree, though, that Mike Tyson would have ever changed his plan even after getting punched in the face. So walk us through sort of how this happens in real life, right? A company finds out that they've had some sort of cybersecurity incident. Right. And it's the timeline that has always, always intrigued me and always sort of befuddles, I think, folks, because the problem is this is all easy to talk about in theory. Even with that great plan that we're talking about, even after you've exercised it a few times and tweaked it and made it nimble, the problem is making that final judgment about when to make this kind of report.

00;16;07;08 - 00;16;38;29
Gregg Sofer
I mean, this is a big deal, right? You're a public company and you suddenly announce publicly that you've had a cyber incident. Depending on your business, this could be devastating to the stock price, for instance. And I think what we've talked about on the show more than once is, if you make an incorrect filing with the SEC based on incorrect information, because you did it quickly and you still needed more time, then you risk having filed something that is wrong, is inaccurate, and that in and of itself

00;16;39;07 - 00;17;04;00
Gregg Sofer
will now gather very significant scrutiny by enforcement authorities. I notice the rule also talks about the fact that you're required, once you launch one of these things, to amend it if necessary, if you learn additional facts. I'm really interested to hear sort of in real life how this process goes, because you're talking about an often dynamic situation and you're on the clock.

00;17;04;10 - 00;17;13;21
Gregg Sofer
Maybe it's that longer clock for materiality, but you're still on a clock. You still have to make a call at some point. Is it time or is it our time? What are your thoughts about that?

00;17;14;07 - 00;17;47;16
Erik Dullea
That's an interesting question, and I agree with you. These situations are extremely dynamic, and the conclusions and the determinations that an organization might be making 72 hours into this problem may not be the same ones that they are holding at the 96-hour or 128-hour mark, five, six, seven days later. So your information in the immediate beginning of a crisis like this is probably incomplete.

00;17;48;00 - 00;18;19;14
Erik Dullea
There's a chance that some of it will be inaccurate and not because anybody's lying or trying to cover things up. Each person that is a source of information has a limited vantage point or perspective on what they're seeing and what they know. And it's going to be up to the incident response team at the company to take some of those disparate pieces of information and put them onto the table and start to build the jigsaw puzzle from scratch without knowing necessarily what the color of the box looks like.

00;18;19;22 - 00;18;37;08
Gregg Sofer
Erik, that's a great point. Speaking of post-breach investigations, back in December, we had Jay Town on the podcast. Jay's a former U.S. attorney and currently vice president and general counsel at Gray Analytics. We asked him about the importance of investigations to a cyber response plan, and he had this to say.

00;18;38;03 - 00;18;58;13
Jay Town
But one thing I would caution companies from doing is asking the IT guy to do it or their system to do it, because you are now putting this entire heap of the regulatory landscape on their results. And if they are wrong and they knew or should have known to look further, but just didn't have the capability, because a lot of IT

00;18;58;13 - 00;19;21;17
Jay Town
folks in your companies, in your firms, wherever, they don't have the chops to perform these services. Now you're really kind of rolling the dice with what the actual truth is. And so I would suggest it's always a wise investment to have a company like Gray Analytics on your incident response plan, right in your cargo pocket, ready to speed up.

00;19;21;29 - 00;19;31;09
Gregg Sofer
Erik, what's your sense of Jay's advice, especially in light of the new SEC rules? I mean, how valuable are outside consultants, including law firms, to the incident response plan?

00;19;31;23 - 00;20;00;27
Erik Dullea
I generally think that you would want to have an outside expert for the forensic and the analysis piece of the cybersecurity incident. IT departments within organizations are wonderful. They have, you know, a demanding job, and while they may have a decent budget, they are always taxed and maxed out from a capacity standpoint. And their function is to keep the network running.

00;20;01;19 - 00;20;46;14
Erik Dullea
So their job is to keep people connected, a lot of employees day in and day out, to be doing their job. The analytical idea of containing the problem and then eradicating the intrusion is not necessarily in their skill set. So there's a benefit to having an outside forensics company that would be available. I know this would be on the lawyer's pitch for services, but the case law in recent years has looked at forensic reports for cyber events and started to erode the ability to cloak or cloud those reports and those final products under attorney-client privilege or work product. The best practice,

00;20;46;14 - 00;21;08;14
Erik Dullea
if a company feels that that is something they want to protect because they are mindful or expecting that litigation will be on the horizon, would be to have outside counsel that would, in a sense, be the quarterback of an incident response team. The outside counsel hires a forensic group to perform the report, or to perform the analysis, excuse me.

00;21;08;28 - 00;21;25;29
Erik Dullea
And the forensics company is advising and informing the outside counsel. So the forensics group is telling the lawyers what went on from a technology standpoint so that the lawyer can build the strategy and then start to advise the client.

00;21;26;19 - 00;21;47;21
Gregg Sofer
Got it. So we've really focused on the SEC's new rule. But when one of these events takes place, it's not that everyone inside the company and all the attorneys and experts are only thinking about this 8-K, even now. What are the other things that the company has to worry about? I mean, this, again, is a multi-headed problem.

00;21;47;21 - 00;22;07;05
Gregg Sofer
You have potential civil lawsuits. You have to shut this down as fast as possible. There could be disruptions of the company's core business. Talk a little bit about how you have to juggle all of that along now with following this new SEC rule.

00;22;08;01 - 00;22;35;15
Erik Dullea
I would typically say that the first 72 and 96 hours after discovering an incident are going to be an intense level of activity for the organization. You're going to have to get an immediate understanding of the scope or the breadth of the problem. And then you're going to have to figure out how to communicate with all of the stakeholders

00;22;35;15 - 00;23;02;10
Erik Dullea
that would be part of the incident response team. When you're looking at larger corporations or organizations that, you know, view themselves as more likely to be subject to attacks, do they have an alternative communications platform? Because if you have an intrusion on your network and you're sending emails back and forth and the intruder is still on your network, there's a good chance that they will be seeing those communications.

00;23;02;28 - 00;23;39;20
Erik Dullea
So some companies will have, you know, an alternative comms platform that they would use in order to have those discussions off of the network when there is a concern that they might not be able to communicate confidentially on the network until the problem's been contained. And the next step is going to vary by the particular business. But internal communications to the employees is something that really needs to be thought about in the planning process.

00;23;40;03 - 00;24;03;19
Erik Dullea
If you have a ransomware event and everyone comes into the workplace on Monday morning and all of their screens have skull and crossbones and messages on them, and you have part of your workforce that's working remotely, how are you going to inform them that the company is aware of it and taking measures to address it, but then

00;24;03;19 - 00;24;39;07
Erik Dullea
ask them as well to refrain from commenting out in the public on social media platforms? It's, you know, probably a given that someone will have a Facebook post or a social media post up that will mention something about this incident before the company was ready to go to the public and say that they're responding to it. So the timeline, or the company's ability to control the timeline, will probably not be as pristine or as manageable as they expect.

00;24;39;07 - 00;24;57;29
Erik Dullea
There will be injects from the outside that will throw that game plan off. And while you will have to respond to those, you do still need to keep your eye on the ball and continue to move forward with the other steps in the playbook on working to contain the problem, and then eradicate it, and then start to recover.

00;24;59;00 - 00;25;23;20
Gregg Sofer
So within this complex legal and logistical environment, I'm curious about your assessment of the threats out there. And again, I'm not asking you this in your former capacity. We're not asking you in any way to talk for the Department of Defense or for the U.S. government, but from your private sector experience, what does the threat environment look like today?

00;25;23;20 - 00;25;32;29
Gregg Sofer
Is it increasing? Is it increasing in sophistication, is it increasing in volume? What should companies be looking at when it comes to the threat environment?

00;25;33;24 - 00;26;17;26
Erik Dullea
I would say this scenario has not gotten better. And there are a couple of reasons for that. The number of bad actors that are out there run the gamut of nation states, the proxies that nation states use to do their dirty work where they want to have some plausible deniability, organized crime, unsophisticated crime or criminals and, you know, hacktivists, people that have a social agenda or a particular cause that they believe in, that are looking to disrupt a particular business because they don't like that industry.

00;26;17;26 - 00;27;10;01
Erik Dullea
While the largest number of perpetrators could be those unsophisticated criminals, there is now a marketplace that's sometimes colloquially referred to as ransomware as a service, where your technical, well-versed, sophisticated criminals will rent out their malware code to an unsophisticated criminal to use as a tool or a tactic to try and hit more victims. So the prevalence of these attacks can be going up even if the number of, you know, technically sophisticated criminal operatives is staying the same or going down as governments around the planet try to limit their activities.

00;27;10;22 - 00;27;39;27
Gregg Sofer
So you've described a tangled web of bad actors out there, as well as this enforcement regime. And we're really focused on the SEC, and the SEC is out in front here, protecting investors' rights and information. But the SEC is only one small part, actually a very small part, of the U.S. government. And there's a lot of other government agencies involved in the cybersecurity area.

00;27;39;27 - 00;27;53;23
Gregg Sofer
And even the rule references, for instance, a number of other federal government agencies. Can you walk us through a little bit the complexities with the sort of whole-of-government approach, or the lack of a whole-of-government approach or coordination here?

00;27;54;03 - 00;28;16;16
Erik Dullea
Sure. I would say that the whole-of-government approach is evolving, and it is being built as we speak. And any time the federal government is looking to make changes, they have a balancing act of acknowledging what is already in place, and what may have been put in place in somewhat of a patchwork environment, and where they want to go in the future.

00;28;16;16 - 00;29;00;02
Erik Dullea
So with change, the process of getting through the change can be a bit difficult when it comes to the entirety. I think a good example of this, one of the things I've seen that might be a challenge, would be the one process by which a delay can be obtained on the disclosure of a material cybersecurity incident. What the final rule says is that if there is a material cybersecurity event, and if it poses a risk to either national security or public safety, the SEC will accept a written letter from the U.S. Attorney General.

00;29;01;02 - 00;29;45;17
Erik Dullea
Then they will allow the company to wait 30 days before they file their disclosure. That is the only mechanism in this rule by which that materiality determination timeline can be paused. This is my national security background, probably, coloring my opinion. I will admit that there are, as you mentioned, Gregg, a whole-of-government tangled web of interagency points of contact and resources that are available to the private sector, typically within their industry sector, to assist with the cybersecurity of that.

00;29;45;17 - 00;30;26;26
Erik Dullea
You may have a similar opinion just from your time in the government. Interagency coordination, in my opinion, is an important activity, but it's a slow-moving activity because there are a lot of stakeholders and they do try to get to consensus. Let's use the critical infrastructure environment for a moment, because there are 16 industry sectors there, and we have a presidential policy directive that came out in 2013, during the Obama administration, that looked to improve the cybersecurity resilience posture for those critical infrastructure sectors.

00;30;26;26 - 00;31;07;10
Erik Dullea
So it's called PPD-21. And that policy document from the White House instructed the executive branch on how they were supposed to coordinate and be available to the private sector in the critical infrastructure spaces to provide consultation and resources and mitigation, if requested, on a cybersecurity incident. For each of those 16 sectors of critical infrastructure, there was a lead agency, or a sector-specific agency, now known as a sector risk management agency, or SRMA.

00;31;08;06 - 00;31;32;19
Erik Dullea
There's a specific agency that's involved or is the primary point of contact. So, you know, I'm sticking to my words from the defense industrial base: it's the Department of Defense. That would be where a defense contractor would think about going if they were looking for help. If it were, ironically, the food and agriculture industry, for there

00;31;32;19 - 00;31;58;16
Erik Dullea
it's a co-agency: we have the Department of Agriculture and you have Health and Human Services that are both a point of contact. If it's the financial sector that was victimized, a bank or some other financial institution was looking for help, they would go to Treasury. So in theory, over the last ten years, those agencies that are the sector-specific SRMAs

00;31;58;25 - 00;32;24;01
Erik Dullea
have been engaged in outreach to their private industry counterparts to be available as a resource, to start building some of that trust and some of that collaboration. What the SEC's rule does, in my personal opinion, is now say, despite all of that, if you've got a problem and you've identified a material event, we want you to get hold of the U.S. Attorney General and ask them for an extension.

00;32;25;11 - 00;32;57;29
Erik Dullea
That coordination process is going to take time. So I think that it makes sense that a publicly traded company that is in a critical infrastructure sector should start building that relationship, either knowing where their local FBI field office is and at least finding out who a point of contact is that they would reach out to when they're facing something like this, or talking to their sector agency counterparts to figure that out and ask.

00;32;58;00 - 00;33;19;18
Erik Dullea
Ask the DOD, ask Health and Human Services: if I am dealing with an event, how would we get to the U.S. Attorney General if we have looked at it and you have told us that you think this is a national security or public safety problem? That's, again, some of that wiring of your thought process, and questions that should be asked well in advance.

00;33;19;18 - 00;33;29;13
Erik Dullea
But I fear that it's just not going to work well in practice, or in reality, as compared to what looks good on paper.

00;33;29;13 - 00;34;00;18
Gregg Sofer
Yeah, I had a very similar reaction to this. I worked for a U.S. Attorney General, and I can tell you that just within the Department of Justice, it often takes a long time to get something reported up to the Attorney General. This says the maximum delay permitted under the exception will be 60 days. It's not unusual that it takes 60 days to get something to the Attorney General just from the FBI, through the FBI's bureaucracy, all the way into the Department of Justice and then through its bureaucracy to get up to the Attorney General.

00;34;00;29 - 00;34;21;06
Gregg Sofer
So speed is not necessarily one of the attributes often attributed to this kind of approval. And there are lots of other things that are being looked at every day at the Department of Justice that are emergencies. I just think you're right. On paper, this looks a certain way; as a practical matter, how much of an exception is this?

00;34;21;16 - 00;34;38;28
Gregg Sofer
It seems to be almost unlikely to ever work, at least the way it's written and in the way that real life will probably make it play itself out. But I guess, as with everything else with a new rule, time will tell and we'll have to see. But I 100% agree with you that planning for this is important.

00;34;38;28 - 00;35;11;01
Erik Dullea
Yeah. And the agencies know this as well. I mean, the FBI, to their credit, updated their website earlier this month, and on the cybercrime pages have acknowledged that there is going to be, and they are already in, consultation with DOJ on how to move a request for an extension through the pipeline. What I see as being a problem is for defense contractors, and I say that just more so because that's the space I work in.

00;35;11;20 - 00;35;36;05
Erik Dullea
They may already be working hand in glove with either the DOJ or the Defense Cyber Crime Center, DC3, or they may have a collaborative relationship with one of the intelligence community members, and they will have that trust in place and be used to working with their counterparts there to protect their networks and to protect the country.

00;35;36;20 - 00;35;56;05
Erik Dullea
Now, if the SEC has decided that that working relationship has to be superseded, and the private sector company has to change horses and go over to the FBI when they've been working with a DOD component for the last five years, I think that that's not the best approach here.

00;35;56;14 - 00;36;17;07
Gregg Sofer
Great point. And I can tell you, again from my experience, that the FBI, at least the agents on the ground, may say, well, we don't want this publicly made available to the bad guys right away, because we'd like to go catch these guys. And so you're going to have that balance that also has to be handled.

00;36;17;07 - 00;36;22;16
Gregg Sofer
I don't see a lot of places in the current rule for waiting for that to happen either.

00;36;24;13 - 00;36;58;02
Erik Dullea
No, you're absolutely right. I think the exemption for the extension is based on a risk to national security or public safety. Aiding a law enforcement investigation may or may not fall under that umbrella; the SEC hasn't told us. And I would say the same thing with intelligence gathering. If this is something that the intelligence community wants to be aware of and wants to make sure that they can take advantage of for defensive purposes, is intelligence gathering going to be considered part of national security?

00;36;59;04 - 00;37;37;27
Erik Dullea
I don't know that the SEC has had the opportunity to delve into those nuanced questions yet. And they may be something that, now that the Office of the National Cybersecurity Director (ONCD) has asked for comment and extended the deadline, so that comments are now going to be due by October, gets addressed. They're looking for feedback from the public on harmonizing, across the critical sectors, some of these cybersecurity regulations, to try to get some uniformity in the regulations, even though we are a sector-based compliance regime.

00;37;38;09 - 00;37;47;06
Gregg Sofer
Right. So I'm sure the rest of the government is in the process of catching up with this rule, and we're going to have to see how that harmonizing, as you say, takes place.

00;37;47;18 - 00;37;48;09
Erik Dullea
Absolutely.

00;37;48;18 - 00;37;56;12
Gregg Sofer
Well, thank you so much, Erik, for coming on to The Justice Insiders. I really appreciated your insight here, and it's a fascinating conversation. I hope you'll come back and join us again.

00;37;56;20 - 00;38;02;03
Erik Dullea
Definitely. We look forward to having discussions. We'll see how this rule pans out.

00;38;02;03 - 00;38;20;08
Gregg Sofer
Thanks for joining us on The Justice Insiders. We hope you enjoyed this episode. Please go to Apple Podcasts, or wherever you listen to podcasts, to subscribe, rate and review The Justice Insiders. I'm your host, Gregg Sofer. And until next time, be well.

Professionals:

Gregg N. Sofer

Partner

Erik Dullea

Partner