Patchwork cyber laws cost the government money, Amazon security chief says

Following an executive session at Amazon’s flagship AWS Washington, D.C. Summit late last month, Amazon’s Chief Security Officer Steve Schmidt sat down with Nextgov/FCW for an exclusive interview to discuss myriad cybersecurity policy topics, including threat intelligence, cyber regulations and what’s on the rise for election security this November.

This interview has been edited for length and clarity.

Nextgov/FCW: You discussed the cybersecurity workforce on stage. Officials recently testified about the cyber workforce gap, with at least half a million jobs needing to be filled across the public and private sectors. You have a unique perspective on this one as a security practitioner who interacts frequently with the government. How do we solve this problem?

Steve Schmidt: I think that the most important thing to look at is the supply of people with expertise as a pipeline. So we have to address it at each position along the lifecycle of the employee. Are we encouraging people in middle school and high school to get the right skills which will prepare them to learn the details of how to be a cybersecurity professional down the road?

A lot of those skills people think about as particular technical things. They’re actually not. They’re usually more around logic, reasoning and understanding cause and effect analysis. And then they focus on building on that with particular technical expertise down the road, whether that’s software engineering, or systems engineering or network engineering. 

The last part is that not everybody who’s a cybersecurity expert has a degree. And I think the government is getting to the point where they’re realizing that requiring a four-year degree is actually handicapping their ability to hire really good people. A four-year degree is a very good starting point. But if somebody’s got a lot of experience in this space in a reputable company already, a four-year degree or the absence thereof shouldn’t hold them back.

Nextgov/FCW: The White House is looking into cybersecurity regulatory harmonization. From your view, what’s the risk of inconsistent cyber regulations? 

Schmidt: Generally speaking, the concern that we as a company — and in fact, our industry as a whole — is inconsistent regulation means that we’re not really sure what to do in each jurisdiction at what point in time. Just in the federal space itself there are reporting requirements that differ between FedRAMP and what CISA wants and what the SEC wants, et cetera.

And all it does is add cost. It adds cost to everybody. A lot of people think the government doesn't really bear that cost. Actually, the government does, because the government is a customer of all of the companies that are in our industry, and we have to build the cost of doing that business into the services that we provide. Things that are unnecessary overhead need to go away because they’re not effective. They don’t bring value to the government or to the customer.

Nextgov/FCW: You mentioned the SEC’s cyber reporting rule, which has gotten pushback on a bipartisan basis. It requires publicly traded companies to report a cyber incident within four business days. Is that enough time?

Schmidt: The concern that most of us have in that space is what are you going to get in four days? And the reason there is actually very practical: Forensics takes time. There’s only so much analysis you can do with [security] logs in whatever time period. Four days is arbitrary. It’s just something that someone picked as opposed to being something based on a particular intended outcome. What if something changes after that reporting occurs? Investigations evolve over time.

Nextgov/FCW: Pivoting to school cybersecurity — Amazon almost a year ago now made commitments to bolster schools’ cybersecurity posture at a White House event with other tech vendors. How's the engagement process going for Amazon’s program? What are some of the broader school cyber trends you’re seeing?

Schmidt: School systems have the same problems that everybody else does: They don’t have enough cybersecurity talent. And in fact, they’re often not given the funding necessary to hire or acquire the talent that they need to support themselves.

If you look at a school system, the money that they get is limited. They tend to focus on the things that are delivering value to the students directly. And IT security is not necessarily the highest on that list. They are in a position where they’re at a relative disadvantage compared to a company akin to Amazon, where we can focus extensively on cybersecurity. So lots of schools are super interested in getting on board with the program.

Nextgov/FCW: On the never-ending topic of artificial intelligence — when we fuse cybersecurity with AI systems, is AI better now for offense or defense in cyberspace?

Schmidt: I don’t think it’s better for one or the other. I think they both can benefit from it. It depends entirely on how you use them. The way that adversaries are using AI tools tends to be to make less sophisticated adversaries more effective, and to allow more sophisticated adversaries to be more efficient at what they do. But the same thing is true for cybersecurity personnel.

For example, a lower level engineer on my team can take advantage of the knowledge of our more senior engineers by using our AI-enabled tooling to get answers based on data that we got from the more senior engineers. We can do things more effectively because the tooling can automatically build answers to questions it anticipates that the newer engineer is going to have to ask.

Nextgov/FCW: How do you track adversaries’ use of AI? Is it through telemetry or intelligence-gathering tools?

Schmidt: Interestingly, you can build AI tools to identify the use of AI tools. For example, let’s take phishing. When an adversary creates a phishing message, they’re trying to get you to click on a link. They used to do that through human typing on a keyboard. Now, quite often, they’re using AI tools to build that message. Because AI tends to speak in repeatable patterns or with definable phraseology or with particular words, we can use AI to identify language that was likely created using an AI tool. Again, it can help the defender as much as it helps the attacker.

Nextgov/FCW: On nation-state hackers and cybercrime groups, what are the big trends on your mind right now? Has Volt Typhoon come up on your radar recently?

Schmidt: Volt Typhoon is a well understood threat in a lot of ways. So it can be used as an example representative of many other threats. Because there’s been so much study of it, we have a lot of detail on how they operate, the tools that they use, how they target people, et cetera. 

We can apply the same learnings that we get from Volt Typhoon to other actors. And one of the biggest learnings that we got there is the necessity of cross-organization collaboration. It’s not sexy, it’s not a “cool” tool. But what it means is that we see some portion of the picture. Our colleagues and other businesses see some other portion of the picture or the government sees a different portion of the picture. So there is no one entity that can see all of these things. Unless we put all of those together, we will not be successful as defenders.

Cybercriminals tend to be motivated typically by money. There's an ego component to it as well, but the money part is actually relatively straightforward to understand: They’re looking for the lowest investment which achieves the highest yield at the lowest risk. You can look at the targeting patterns that they use, and they’ll go after what they consider to be less defended organizations who have money, like, for example, going after a school district with ransomware.

Nextgov/FCW: Last question — are we prepared for a secure election this November? We hear frequently that election infrastructure will be secure this year, but that disinformation could have a significant impact.

Schmidt: Disinformation is definitely a real thing. It is a real problem out there and it’s something that we have to continue to focus on. I think that the security of the election systems themselves is largely a local situation. And so I don’t think you can make a broad comment about it across the country as a whole. And that is both one of the benefits and the challenges of our decentralized election system in the U.S.