The DOGE effect on cyber: What's happened and what's next?
In this latest episode of CISO Insights, "The DOGE-effect on Cyber: What's happened and what's next?" cybersecurity leaders gathered to debate the impact of the Department of Government Efficiency's work on the cybersecurity community.
The webinar featured experts Michael McLaughlin, co-leader of the cybersecurity and data privacy practice group at Buchanan, Ingersoll and Rooney, and Richard Stiennon, chief research analyst at IT-Harvest. Other seasoned cybersecurity professionals weighing in on this critical and timely topic were CISOs Dan Lohrmann, with Presidio, and Earl Duby, co-host of CISO Insights.
The webinar's live poll results confirmed that there's heightened anxiety in the field: 61% of respondents expressed worry about the effect of DOGE changes.
Opinions differed among the panel participants as to whether the pursuit of government efficiency is undermining cybersecurity or is needed to right-size bloated bureaucracies.
Editor's note: Editors used an AI tool to aid their preparation for creating this article.
Brenda Horrigan is executive managing editor for Informa TechTarget's Editorial Programs and Execution team.
Dan Lohrmann: Good morning, wherever you're at -- and if you're in the East Coast, good morning and welcome to our telecast. Today we're really excited about the CISO Insights episode. I'm Dan Lohrmann. I'm really just geeked about the turnout for this. We have actually record turnout, Earl, and just really excited about this episode on DOGE and the DOGE effect on cyber. What are your thoughts as we head into this topic today?
Earl Duby: This is a pretty interesting topic; normally, our topics are a little bit more broad. This is like one of the few times that we've narrowed in on a very specific thing, and I think we've got two great guests to get us into that conversation.
Yeah, this is gonna be pretty good. And like you said, over 5,000 people registered for this episode, which is crazy. I appreciate everyone signing up for this, right? Over 48,000 subscribers. The word is definitely getting out that we're talking about cool things here and that we bring good guests on.
This is just gonna be another one of those good episodes, I think.
Lohrmann: Yeah, and I think that, just wanna let everybody know that our previous record was back last November. We talked about cyberwar. We have the same two guests. Let's bring our guests online now, and we're gonna let them introduce themselves, in case somebody is wondering why.
My background here is a little bit different than normal. Just as we're talking about this, I'm in an undisclosed location in Hilton Head Island, down in South Carolina, with my family. Little bit … little different background, little different environment, but real excited to have our two amazing guests with us.
I wanna start off with Michael McLaughlin, who's from Buchanan [Ingersoll and Rooney]. And really excited about having you, Michael, back again on the show. So, can you give us a brief background on your career in cybersecurity?
McLaughlin: Certainly. Thanks, Dan, and thanks, Earl, for having me. As Dan said, my name is Mike McLaughlin.
I co-lead the cybersecurity and data privacy practice group at the law firm of Buchanan, Ingersoll and Rooney, where we specialize in cybersecurity incident response, particularly in critical infrastructure sectors. By way of background, prior to practicing law, I spent 12 and a half years active duty in the Navy as a counterintelligence officer, last six of which I was at U.S. Cyber Command as a senior counterintelligence advisor, and then at the Cyber National Mission Force as the chief of counterintelligence and human intelligence.
And while I was there, I had the good fortune of teaming up with a journalist by the name of Bill Holstein and co-authored a book called Battlefield Cyber: How China and Russia are Undermining Our Democracy and National Security. Happy to be here.
Lohrmann: Fantastic. It's great to have you back, Michael.
And equally excited about having Richard Stiennon in from IT-Harvest. Richard and I have known each other for a long time, worked together on a lot of different opportunities and different shows and different media formats, let's say that. But Richard, it's great to have you back. Give us a bit of background about yourself, your books, all those books behind you.
I know it's amazing, but tell us about your background.
Richard Stiennon: Thanks, Dan. It's hard to introduce myself when it's you. I'm introducing myself, too, because obviously you and I go back at least 20 years. I've been in cybersecurity and lived here in Michigan for the last 30 years. And part of that, I graduated from PricewaterhouseCoopers as an auditor, essentially a security auditor to Gartner, where I was VP of research covering security.
I've had a couple roles in industry including CMO at Fortinet, chief strategy officer at a cool company called Blancco. But along the way, I've primarily been an industry analyst and I've got my own firm: IT-Harvest. I've written going on … I think this is the 11th book I've written, so this is just coming out in a couple weeks.
Security Yearbook is a complete history of the industry. I took advantage of my exposure to all the pioneers in the industry over the years to get them to be interviewed for the book. And it also includes a directory of all the vendors, so I can track the market down to a very granular level and a macro level.
So that's what I do practically all day.
Lohrmann: Fantastic. I really appreciate both of you being on, and I think we're gonna have a real exciting conversation coming up. I wanna start off with a view from the audience, and we really wanna put up a poll question now. We're just gonna have one poll question today, but we would really like everyone to participate in this.
It's really important. Get a gauge of where you're at with this topic, and you should be seeing that pop up on your screen now. The question is this: Have you personally been impacted either directly or indirectly by the DOGE effect on cyber? And we give you five options here: A: Yes, in a major way -- such as, 'I lost my job.'
B is: Yes, to some extent; C: Not really yet, but I'm worried; D is: Not really yet, but I'm feeling really good about the situation. Or E: No, but I think these changes are long overdue. I'm glad this is happening. So, I'd really love to hear your thoughts on this. I wanna just mention briefly before I just ask the panelists their view on this question.
The DOGE effect. And we're gonna dive into this in a moment with details behind it. So maybe what do we mean by the DOGE effect? It could be a direct cut that happened from the Department of Government Efficiency in the federal government, led by Elon Musk and their team. Or it could be steps that were taken by your state government, your local government, a federal agency that might in fact not be directly a DOGE cut but was done in anticipation or before, or other types of actions to really see cuts happening right now. So, start with McLaughlin: If you could just give us … what are your thoughts?
Are you seeing, and we're gonna get into the details of what you're seeing, but overall, what are your thoughts on this poll question specifically? Are you thinking most people would say 'Yes, in a major way' or 'No, not really yet'? What are your thoughts in general?
McLaughlin: I think it really depends on the industry.
So, from a cybersecurity perspective, if your primary clients are in the private sector, you're likely not feeling the effects of this just yet. Whereas if you are in cybersecurity and you're a value-added reseller to the federal government, you're gonna start seeing those impacts almost immediately as government contracts get canceled and the federal government tries to collate all of their spending, either within the GSA or within the DOD more broadly or the federal government more broadly.
I think where we're gonna start to see this really trickle down is, and it could be, this could be a double-edged sword. One of the concerns that I personally have is the drawing down of the federal workforce in a time when we already have a cyberskills gap. Those individuals who are at CISA, for instance, and who are highly skilled, highly trained, highly educated, all on the federal government's dime, that are supporting critical infrastructure sectors or state and local sectors for cybersecurity, where we find them without a job now, it could ultimately benefit the private sector because they can go and reuse their skills or apply their skills directly to companies in the commercial sector or to state and local governments, which could potentially be a net positive.
But the drawdown at the federal level also means that skill gap is going to only widen at a time when we really need to be buckling down and looking out for the concerns and threats that are coming from primarily China and Russia.
Duby: Doesn't that, to some degree, assume that those roles were actually doing something?
I've been hearing all this stuff, and I think it's gotten so highly politicized that we're not actually looking at like the foundation of what this thing is. It should be looking at efficiencies. And so, if you have five people doing the job of three, you really need two.
I think we're putting a whole lot of emphasis on assuming things as opposed to just saying maybe these people are actually doing some rational thought.
McLaughlin: And I don't disagree that, oh, I'm sorry. Go ahead, Richard. I've spoken enough.
Stiennon: Yeah, let me jump on that, please: Talk efficiency, let alone the rationality.
If it were true that a hundred red team pen testers inside CISA were not needed, and we only needed 20, then you should be able to determine that in less than the 24 hours it took for some 19-year-old kids to come in and make the decision to fire them. Those are ad hoc, irrational decisions being made today.
And it's so obvious that there's no question and there's no ability for anybody to step in and go there, government is inefficient, and so they, they're doing something good here. We don't know that. There's plenty of reason to think the government is inefficient. I'm, I have always been a critic of CISA and the government security agencies before that for inefficiency or just not doing their job in the most effective way.
And yet CISA is sitting there with a red team of a hundred people while they have so much better than general services doing the A, B, C, D, E, F grades that they used to do. So CISA was finally having impact. It took us 15 years to get here, 15 years of breaches, OPM, the defense industrial base, the Pentagon emails.
Every single time nobody knew what to do. There was a call for a cybersecurity czar, we finally got it. As a matter of fact, the first Trump administration appointed the first director of CISA. We were finally getting somewhere, and now it's being torn apart in front of us.
Lohrmann: This is a little taste of where we're going with this conversation. Earl, hold that thought. We're gonna jump in. This is really excellent. We just wanna whet your appetite. We'll whet your appetite with these poll results. Lemme go over the poll results, go over a couple slides, and we're gonna dive right in because this panel's discussion is gonna get lively here. Get ready for some fireworks, guys. Okay. Results. Yes, in a major way, this is impacting my job: 3% of the people. Yes, to some extent: 19%. So we're in about the 22% range for Yes, or Yes, to some extent. Not really yet, but worried -- there's our big winner for the day: 61%. We got a lot of worried people on the line here watching this. Not really yet, but feeling good: 6%. No, and I think these changes are long overdue: 8%. So less than 10% are down in about, we're about 14% down in the bottom: not really yet, but feeling good, and no, I think these changes are long overdue.
So interesting. Thank you for those. Thank you for answering that. We're gonna get to your questions later.
I do wanna bring up some slides and just introduce what some of the thoughts I had initially around this. Just teeing this up just to get some people thinking in reference to 'What do we mean by the DOGE effect?' I wanna start off with state groups impacted by the DOGE effect. So, this is from Government Technology magazine. And this was about a week old, so this may obviously be updated and changed. Interestingly enough, as you look at the states that are putting together DOGE-like groups -- for example, down in Florida, Governor Ron DeSantis established a Florida Department of Government Efficiency DOGE Initiative, named after the federal group, through Executive Order. The task force is on a one-year mission to overhaul state government operations driven by strong emphasis on cost reduction and innovation, et cetera.
You can read the quote. Before we go to the next slide here, I wanna point out a couple quick things. These are not all Republican states. We have, we have New York State, we have Hawaii that are doing the same kind of initiative.
The ones in yellow have not yet been started. The ones in green have already been started, so this is happening around the country. Let's go to the next slide. And then we see some impact already. Deloitte, this was from last week on Friday: 'Deloitte to Lay Off U.S. Consultants After Government Cost Crackdown.'
It says they're cutting their workforce. Big four accounting firms. The firm did not specify how many employees would be targeted. It would be a modest personnel action. Basically, we're seeing some layoffs related to consulting firms. Next slide. And as we think more about the challenge related to this article, from Time Magazine, 'Cybersecurity experts are sounding the alarm on DOGE.' There are many articles out there like this. This is just one example going to Time Magazine. You can see this headline, 'Cybersecurity experts are sounding the alarm on DOGE,' … 'DOGE has fired top cybersecurity officers from various agencies, gutted CISA,' et cetera.
A lot of outrage by a number of people. And then, the issues around court filings, we're starting to see those staffers violated Treasury Department policy by sending an email containing unencrypted personal information. So again, different opinions around that. And then the last slide, I just wanna show this up quickly.
One more example. And this is around DOGE drove layoff announcements to their third-highest level ever in March. So, if you look at the 'federal government announced plans to ax 216,215 jobs,' which is 80% of the 275,000-plus jobs announced by the U.S. employers in March. So again, this is overall.
This is an overall cuts perspective. I wanna go around and give you each a little bit more time on this first question and let each of you respond. And, Earl, I'll let you jump right back in there, but can you describe what you've seen as these effects on cyber to date?
Again, if it's efficiency cuts, I think we have different opinions on this question. What are the impacts on cyber that we've seen to date? Earl, we'll start with you, but then we'll go around and talk to Richard and Michael.
Duby: I don't know that we can actually tell the impact right now.
I think to Richard's point, some of it is, things are happening now; we have to wait to see what the fallout is. And so, the conversation is really around: Do we think these things should happen to begin with? And in that sense, this is probably where Richard and I differ a little bit because, if you look at just the federal government in general, so the federal government has like over a million employees, somewhere in that ballpark, so that's a very large organization. You have several organizations in there that are doing cybersecurity. So, whether it's the NSA, the DOD, the CISA or whatever, and they're all ramping up. CISA ramped up 3,000 employees over the period of four or five years. And so, they were ramping up fast, and they were trying to figure out their role in the landscape.
To me, this is just almost like a natural reaction to the fact that you scaled up a lot of organizations quickly, maybe didn't have a defined 'rules of engagement' of what each group was doing, and now you see some overlap, and you see some opportunities where you can streamline these things and say, 'This is your role' versus 'This is what your role is, and this is the fallout.' So, I'm probably a little less alarmist about it than other people are, just because this is what happens. This is how business works. This is how everything works, is you have a problem, you scale up quickly to solve the problem, and then you retreat from that over time as you get your arms around it and you think it out so that it becomes a little bit more right-size to the way that you think it should work.
Richard, dive in.
Stiennon: I certainly agree that it's too early to count the impact of DOGE on cybersecurity. Just the way, when OPM learned that Chinese hackers had gotten into their systems and exfiltrated 1.86 million private records of people who had applied for security clearances, that's "Oh my God, that's horrible," but what's the impact?
Right? Which person was approached by a Chinese agent to turn them because they have a drug addiction or something, right? That falls out years and years later. So in the exact same way DOGE has brought in people that have not been background-checked and violated every single policy and control that everybody on this call thinks that they believe in, including background checks for touching sensitive information, having the right to and need to access that information, and basically granted superuser access to a bunch of 18- and 19-year-olds who've come into Treasury, have access to the treasury payment systems and software, are able to change that software and the effort to improve it.
And that's a horrible thing in itself. But is it an impact? It's not an impact until they go, 'Oops, I just uploaded a new GitHub repository and I'm rewriting the COBOL into Java,' which is actually what they're doing. And 'I crashed the Social Security website on Monday,' which is exactly what happened.
It's back now. I checked. Huge impacts from those kinds of missteps that are easy to predict, right? You put a percentage chance on 'em, a hundred percent is the answer, and we're gonna see that fallout, but it'll be too late to do anything. It'll be way, way too late. As some people have mentioned, once you grant access to a critical system, OPM being one of them (all of OPM's information has been accessed by these DOGE hackers), you don't know if it's secure. You'll never be able to put the genie back in the bottle. And you have to assume that it's been compromised. And by 'compromised,' I mean it is in the hands of our adversaries in some way, or will be shortly.
McLaughlin: Now, if I can really quick, just because I think we need to back up semantics, but words matter. 'DOGE hackers' is not correct. These are employees of the federal government.
Stiennon: They're literally hackers. They're literally hacking fast.
McLaughlin: They're literally employees from the federal government.
They're not the bad hackers. They're staff brought on by the executive branch. And now they are performing a function as directed by the --
Stiennon: -- Violating existing policies and controls on hiring people.
McLaughlin: The two employees of the OPM who were Chinese, who were of Chinese descent, that enabled the breach and compromise of 20 million records back in 2014, they had gone through extensive background checks, and they did far worse than DOGE employees that we're talking about. Just make sure we're using proper terminology. That's all. To say 'hackers' -- they are IT professionals.
Stiennon: They brag about their hacking activities, they are hackers. They don't get to say they're not hackers until they --
McLaughlin: In their current function, are they performing red team, blue team pen testing? Are they going and doing bug bounties? No. In their current function, they're not hackers; they're IT professionals who are hired by the federal government to perform a function.
And the reason I'm bringing this up, Richard, and I completely understand and very much appreciate the passion here, and I am equally as passionate, I assure you. The reason I bring it up is because we're in such a politically charged climate that as soon as we start saying things and we use different terminology, it's going to force this conversation into one that's more political. And I think we need to be a little bit more objective and look at it.
And I agree. We don't know what the long-term outcome's gonna be. We don't know what the impact of the individual cuts or the changes that DOGE is making are gonna be. They may be incredibly positive, they may be net neutral, they may be incredibly detrimental. But both to your and Earl's point, it is too early to tell, but we have seen --
Stiennon: -- It's not too early to tell that it's a disaster, that it's the wrong thing, that it broke laws, and it's invading privacy.
Duby: This is interesting because Dan wrote an article, and in that article there is a video that's in there by Secretary Bessent from the Treasury Department -- and I'm not saying you're wrong and I'm not saying he's right, I'm just saying like the story he tells about all of these DOGE activities is completely the opposite of what you just laid out, in terms of who these people are, what access they have, what changes they're enabled to do, the oversight that they're under, and apparently, according to him, there's only two of them in there. It's not that there's a roving horde of barbarians running through Treasury, breaking into things; it's two guys doing some things.
Stiennon: Trump-appointed head of Treasury. I --
Duby: I'm going off of the statements of the CEO of a business. The top guy at the organization who is supposed to know everything and who is supposed to be accountable for everything is saying, 'This is how I'm operating with these DOGE people in my organization.' It's no different than if someone at Ford says, 'Hey, I hired some people to come in and do an efficiency routine at Ford, and I hired Accenture to come in and do it.' There is no difference, but yet for whatever reason, we're reacting very negatively here. But when Ford does it, it's: 'Oh, they're doing things for the stockholders and producing stockholder value.'
So to me, it's just what the reaction to it is, not based on logical thought. It's based on political affiliations, and I just wish we could kinda look at this more in terms of this is what every organization does [from] time to time, is they come in and they look at everything and hopefully they're cutting waste out so that we get more value for the people who are funding these organizations.
Stiennon: Yeah, it's great to be open-minded and all the rest. I don't have a political affiliation. I've been an independent my entire life. I'm a libertarian. I don't like tyranny and government overreach. You can't take somebody off the street whose job was literally to hack, who is a hacker, and give them a different job. And now they're not a hacker. These people are demonstrably immoral, have treated data improperly, have stolen it and leaked it on purpose in their previous employment. What's to stop them from doing that? And this one, especially when they're working for a man who has outside interests. You have to admit, he is the CEO of X, and he does have his own AI agenda, and he is taking all the information from OPM and Treasury and Health and Human Services [...] How is that even remotely legal in business as usual?
McLaughlin: So, Richard, when Beto O'Rourke was a congressman, was he also a hacker?
Stiennon: Beto O'Rourke was a hacker congressman for sure.
McLaughlin: And so we're saying when he was a member of Congress, we would qualify him as a hacker?
Stiennon: Yeah.
McLaughlin: This is what I mean by name. He had a different job in that case.
Stiennon: Yeah. If you hired me as a member of Congress, I'd still be an aerospace engineer.
McLaughlin: But you wouldn't be performing that function as a member of Congress. You wouldn't be building and designing aircraft.
Stiennon: If I was on the committees that oversaw those, I'd know a little bit more than some of the other kind.
McLaughlin: And you're making my point. Exactly. So, don't you want someone who actually has real-world experience in these areas? Who's able to come in and consult on this exact type of work that we're talking about with a cybersecurity workforce, understand what the requirements are.
Stiennon: If they had ever stepped into a role where there's 3 million employees and help fix things, they can't step in.
McLaughlin: But that's not what they're, but that's not what they're doing. They're looking at the systems.
Stiennon: They don't have authorization to look at the systems. They're just granted access to systems without proving that, 'Oh yeah, I've looked at a million lines of COBOL code and refactored it before.' None of them have.
None of them are, none of them have any of the qualifications expected to make the decisions that are being made. And I think, come on.
Lohrmann: I'd like to hear from Michael, what are your overall thoughts? I know you responded when you first answered that. And by the way, thank you, everyone. We already have 12 questions coming in. They're coming in fast, so we'll get to some of those in a few minutes. I'd love to hear Michael's thoughts overall. Do you, to date, right now, do you think the moves … all of us have said it's too early to say, yeah, what the long-term impact is gonna be. Go ahead.
McLaughlin: So, yeah, I've got mixed feelings. I think like a lot of people, you look at some things and you can say, 'Yeah, I see how this, there's a net positive here.' I see others, and I think they're detrimental. On the positive side, look … and Richard, you talked about CISA and this going back 15 years; in reality, CISA was stood up in 2018 under Trump 1.
We've had Chris Krebs as the first director. The issue we had with CISA going from 2018 to today is it's an agency in search of the mission. They have been, essentially the mission has been largely bastardized, where it went from focusing entirely on the 16 critical infrastructure sectors and the .gov domain to expanding into election security, expanding into the JCDC and the cybersecurity advisory committee.
It's escaping me right now, which ended up being essentially an in-crowd for cybersecurity executives to hang out with Jen Easterly. Now, when we look at CISA's mission, we say if we get back to really what it's supposed to be doing, as directed by Congress under the Cyber Incident Reporting Infrastructure Act, CISA is the only entity in the federal government that has been directed to be the focal point for cybersecurity reporting and to coordinate cybersecurity reporting and functions across the federal government. Every other federal agency has overreached. So, when you've got the Department of Agriculture with their own cybersecurity regulations, and you've got the TSA and the SEC, all of which are overlapping, all of which cause a quagmire and a lot of confusion for the private sector, it's a problem. And that overreach, that bloating, that doesn't do anything to help the cyber skills gap or the cybersecurity workforce. And so to that end, if we're gonna consolidate requirements, if we're gonna consolidate who is responsible for what aspects of cybersecurity, I absolutely agree it should be consolidated in an agency … Congress to do it and then appropriately.
And then you take it back from there and say, Okay, if the SEC is not gonna be doing cyber-reporting anymore, and it's just gonna be CISA, great, but then we also need to make sure that CISA is appropriately funded. We have the right personnel there. Back up even further than that, really, where incidents occur are not necessarily at the federal government level.
Yes, that does happen, but it's more times than none. And I don't know the exact percentage, but cyberincidents affect the private sector, and largely the private sector has been left to its own devices to defend itself and to defend their network, even against nation states. So, if we wanna redeploy assets, I think what the administration has done to say, 'Look, we are gonna push this down to the state level. We're gonna push funding down to the state level, even if it's, we're just talking about critical infrastructure that are within the states so long as it's appropriately funded.' That makes sense because you're putting more ammunition closer to the front. So, I would say that's on the good side. Lemme just, I'll pause there and I can talk about plenty of bad too.
Lohrmann: And I think, I just wanna mention, and Richard knows my views on this, we were at one of my tech news sessions a while back, and I shared one thing: I see good and bad as well. So, I just wanna let people know. I will tell you that when I was CISO for the State of Michigan, and when I first became the first CSO in 2002, I worked across Governor Engler, Governor Granholm, Governor Rick Snyder; so it was Republican, Democrat, Republican.
So, it became really bipartisan across. People thought everything would go back when the parties changed, but in Michigan that did not happen. We went through a lot of cuts. Most state governments do have balanced budget amendments or constitutional responsibilities in the state constitutions to balance the budget every year.
So, they don't have the deficits obviously we have at the federal level. On top of that, there were lots and lots of cuts over the course of about 15 years in Michigan government. I tell you, we had furlough days. We had three rounds of early outs, each time out of maybe 55,000 state employees, which I know is very small compared to the federal government workforce. I get that. But in a microcosm, we went to a much more centralized model. And I blogged about this. We'll post this in the notes. You can go read the articles about the details behind this, but we had furlough dates, we had cuts, we had salary cuts, we had staffing cuts. There were a lot of morale issues that hit the state of Michigan through these cuts.
I know other states have gone through similar processes. I will tell you, in the end, some of the benefits we did see in Michigan in my experience were a much clearer mission; the overlaps that we talked about in the federal government, a lot of that we had in state governments. And agencies said, 'Look, you get my people, we're gonna centralize this, but you also get all my problems.' And in many cases we lost some of those people, so we had a more streamlined team. The team was much more focused and we actually … a lot of those turf battles went away. And so, we were able to have one centralized cyber team for the State of Michigan.
Again, not nearly as large as the federal government, I understand, but the benefits of that were immense. And we did see, and Richard, the stories in Michigan, you did see out of those teams some amazing accomplishments, and really leading the nation in cyber for more than a decade by our Michigan team.
So, I do see where efficiency can really lead to a better end result for cybersecurity. And I know, Rich, I'll let you respond to this. […] would you agree that in Michigan it was a good thing? And how would you see that differently? […] What's going on right now in the federal government.
Stiennon: Man, I feel so nostalgic. You're describing a world where smart, dedicated people get together and make decisions about how to become efficient, how to combine functionality, and how to execute it. And that's exactly what the federal government needs, and it's exactly what we don't have. Never in the State of Michigan did an outside billionaire come in and be asked to appoint people to come in and cut your employees in every department without asking your permission, without going through a process, without evaluating those employees using or suggesting things like their Social Security numbers, and in an even number. So, we are going to ask those first. That's how you cut the government in half, ridiculous, off the cuff. I don't even wanna say these are Republican playbooks. These go all the way back to some really weird right-wing conspiracy theorists and EMC.
Lots of podcasts with Peter Thiel and Elon Musk, all backing these really stupid things. Their goal to be, to tear government down, make it not work and they're being very effective at actually doing what they say they're doing. And nowhere does anybody talk like you or Michael about improving things through government, combining forces, et cetera.
None of that. That's not actually what's happening. It's just slash and burn and break things really fast.
Lohrmann: Earl, you wanna jump in? Thoughts?
Duby: Man, this is getting all over the place on me. So I agree with you, Richard, in one sense, because the scope of my answers are typically trying to stay with the cybersecurity stuff, so CISA and some of these other things, but when you get into the broader effect of what's going on, then it starts to get a little bit more shaky because I don't think, like the Department of Education, obviously the goal there is just to get rid of the Department of Education. You're not looking for efficiencies and you're not looking to get rid of overlaps and things. You're just getting rid of a department. So that's a different approach. I put that in a different category than what I'm talking about when I'm addressing the CISA situation, because like in the CISA situation, to go from 6,500 employees, subtract out 1,300, I fall more in line with the way that Michael is looking at the way that CISA is being handled.
Duby: But that's totally different than the way that I think about how they're handling some other departments like USAID and Department of Education. To me, those are two different arguments. But I can see how they can get conflated, because it's the same entity that's sitting over top of that. But I do believe that the directive from the administration is different in those two situations.
Stiennon: Yeah, I don't think they know what to do with security. They know something about it, and that it's important. But let's look at the org chart. 'Oh, my God, what are all these red teamers doing there? What possible function could they have? Let's get rid of them. Boom, we're more efficient.'
'Let's cancel all the contracts that we had with the other agencies to help them with their security too. 'Cause … what do we need that for?' It's just ad hoc decision-making going on. It's easier because there is a platform agenda in Project 2025 to get rid of the Department of Education.
That's great. Doesn't mention the CISA as much. So, we're just following a playbook and you, I can play 'em. Of course. And obviously, we don't want to get too broad in our discussion here. So, I'm not gonna even go to the rest of what's going on out there.
Lohrmann: Let me jump in, guys, with some questions from the audience. I had tons more questions that we can get to. Maybe we'll get to some of these on our list, but we're already 37 minutes into the show, and then we have more than a dozen questions here. I'll -- it looks like almost 20 -- so I just, I'm gonna jump around here a little bit. Michael, I'm gonna throw this first one over to you. So several people make statements about different things. I'm gonna jump to question three. We have on the list here: 'It appears that this strategy is to cut X number of positions at Agency Y without necessarily understanding the duties or performance of what those people are doing or of what those FTEs are doing. Can someone speak to the pros and cons of this approach?' First, Michael, do you agree with that's the approach? Maybe you don't agree, but any thoughts on that question?
McLaughlin: Yeah, so number one, I, to be clear, I don't know what the methodology is that they're using, and I can't seem to define it based on just looking at the outcome.
So maybe that is the approach, but I can't speak to that one way or the other. What has been reported, and what we've seen come out of DOGE, is things like requiring the federal workforce to provide the five things that you did that week. When I was in the military, we called that a weekly activities report, and we had to submit that up to either the commander or our next-level supervisor every single Friday. So, this where we had people coming back and saying, 'This is outrageous for me to have to justify my own work.' It's not outrageous, and it's not justifying your own work. It's putting information out to your manager so that they understand what it is that you're doing, so they can best allocate resources and use you appropriately.
Now, if you can't justify with five things, or you can't state five things that you did that week and send that to your manager, then we've got a bigger problem from both an efficiency perspective and a fraud, waste, and abuse perspective when it comes to our federal workforce. So, some of the things that are coming outta DOGE, I can't say definitively, it's they have a quota for certain agencies and they're just gonna do a cut across the board.
Some of them are I think, a little bit more thoughtful than that.
Duby: Yeah, and I, when you look at that activity report as well as the fact that they were really trying to drive people back into offices, to me, the goal in those cases was really just to squeeze out excess in the government.
It wasn't really this fine-tuned thing of saying, 'Hey, we need four accountants instead of six, or we need five accounts-payable people instead of the eight that we have.' It was really more about, 'Hey, we think the federal government has gotten' -- and, again, these aren't my terms, this is just kinda my view of what's going on, there's this perception that I feel that the administration has, that the government got big, lazy and bloated, and so they're just trying to take huge cuts at it and say, 'Look, if you can't get yourself back into an office, how valuable are you? If you can't answer five questions of what you did this week, how valuable are you?' I'm not saying these are the right ways or the wrong ways, and I, if I was the CEO of a company, I don't know that's the way I would right-size my organization. But this is the way that the Trump administration has decided to right-size their organization.
So, I don't know that there's like a ton of malice in there, but it's just the way they chose to do it well.
Stiennon: The evidence of malice is right there, because it wasn't 'Send your five activities to your manager,' it was 'Send them to Elon Musk.' So over a million people were asked to report their activities to a single email address.
That's just not on, that's just not that's just not --
Duby: He touched on that because, no, it just doesn't work. The first cut wasn't even really to see what was in the email. The first cut was to figure out if someone would actually send an email, so they set this bar like really high or really low, however you look at it.
So, they set the bar really low and said, 'Hey, can you actually send an email?' Because they wanted to know if there was actually a person at the other end of the email that they were sending to, and then it was, 'Hey, what's your five things that you've done? Recording from somebody? Or did you just figure that out?'
No. This is what Elon Musk said; this was actually an interview that Elon Musk said is, 'We sent these things out to figure out there was actually a person that was manning the other end of this email,' so that --
Lohrmann: Michael, what were your thoughts? Jump in, because you said that's not what happened.
McLaughlin: Because it's not; the emails were supposed to go directly to the supervisors, and they went through a chain of command, and it was also to keep supervisors accountable to make sure that they had an understanding of what was going on within their own organization. Now, separate and apart from that, what Earl hit on with respect to the return to the office and that being in the office five days a week. Part of that, I agree. I think that squeezing the federal workforce to say, Who's actually motivated to be here? How many people do we have working in an office in D.C., or do we have an office allocated in D.C. and they're living in Tennessee? Quite a few, and that's as a result of COVID. Wrong or indifferent, that is a fact. And so, if we wanted to enforce certain types of workplace requirements, this is one way to do it. If we wanna see who is actually motivated to stay within the government versus who is only doing it because it's the easy button […] and you're able to work from home in Tennessee and have a federal job in D.C., but you wouldn't be able to get that same type of compensation where your home is in Tennessee.
That's something different. When we look at that, the problem with the model, and […] I'm not all rosy here. Part of the bad is there are certain people who require those types of accommodations, who are great federal employees, and they are absolutely the people that you want in those positions that we're squeezing out.
And so, in some cases, we're throwing the baby out with the bath water, and we're losing great talent in the federal government as a result of these cuts. And unfortunately -- and maybe this is where that initial question came from -- it's not so much that there is a quota that we're, we are cutting a certain number of jobs or X number of jobs from Agency Y. I think it's more we're looking across the board, and we're saying who are those that are not coming into the office?
Or who are those that we are having to provide accommodations for, and how much do they really want to be in the federal government? And if we need to make cuts, those are gonna be the ones that are gonna be the first to go. The problem is, that's not really qualitative, and […] that's less of a subjective take on workforce allocation and resourcing than it really should be when we're looking at talent, particularly in cybersecurity.
Duby: Yeah, and I think that's, I think your point -- that's my sticking point too -- is that comes across with, there's like the main mission it seems to me was to shrink the size of government. So that's probably the very highest idea that Trump had is, 'Hey, we just need to shrink the size of government.'
And then, how each individual agency had to deal with that was its own thing. Now, the topic of what we're talking about is how does that impact cyber? I think that's the part that I can't really get to because it's one thing to say we're gonna lop off a bunch of FTEs out of the government. The other thing is, like, how are we gonna make sure that we don't screw up the capabilities of each one of those agencies? And that's the part that I'm not sure how that's actually getting done. I probably lean more toward Richard in the sense of: How are we individually figuring out how we don't overcompensate in each agency, so that we're not screwing up the functionality of that agency, which is a different story than how do we shrink the size of government?
Lohrmann: Yeah, let's jump, guys, to a couple other questions that are related to this. 'Cause I think you did a great job, [… What's] happening with the loss of institutional knowledge? And that you brought that up, Michael, which, I think that you answered that question.
It was a really good point, Richard. I wanna go back to one of the many comments that are very sympathetic to your viewpoint on this, and give you what's listed here is question seven listed in our […] We're getting tons of questions in. So, thank you, everyone. Keep sending them. We'll get to a few more of these before we wrap up, but if it were a country, cybercrime would be the third largest GDP.
How could it possibly make any sense to cut resources from a nation's cybersecurity team right now? If people were being mugged on every street corner, would you cut law enforcement? Also, please pronounce, I'm not sure what that last sentence is there. CISO. Yeah. CISA. Yeah. It is CISA. I understand that.
Okay, cool. Richard, thoughts on that one?
Stiennon: Yeah. First of all, there's a complete misconception that cybercrime is a $10 trillion business, right? That was made up by a marketing person who was trying to make a splash. So, he just made that number up, right? It's closer to a hundred billion dollars a year.
So, nowhere does it fall into comparing to GDPs, except for very tiny countries. So if it, and I got the right question, right? How could it possibly make sense, to cut resources from the nation's cybersecurity team right now? Okay. So that's, so all that given, this is why the United States has to figure out cybersecurity, I've always been a proponent that the federal government should get its own house in order before it starts telling us what to do.
And that, is, was finally the case with the Biden administration executive order with that, the one that came out in May of their first year. And it basically laid out how the federal government was going to improve its security. And, also, the first time a government executive order on cybersecurity that didn't refer to risk management principles.
It talked about zero trust. And basically, we're gonna roll out MFA everywhere, and we're gonna do encryption at rest everywhere. And that was like the beginning, right? For all of us. This is 20-year-old knowledge that was finally being applied to the U.S. federal government. It was great baby steps.
That's where we had to go. And, unfortunately, we're just setting the clock back. We're gonna go all the way back to 2012, start over-lecturing the government and how to do this security stuff.
Lohrmann: So, let's keep going with these questions, guys. I wanna do rapid fire. Get this from the … Michael, actually, Earl, but Dan --
McLaughlin: Go ahead, Dan.
Can I jump on that? Can I jump on that one as well? 'Cause I think there's -- and I agree with Richard -- I think there's an area, though, that we're missing here with respect to cybercrime and rolling back those resources. I think we look at federal resources. I would love to poll the group and say: How many times have you had the FBI swoop in when you have a cyberincident, how many times has Cybercom come to your rescue?
How many times has CISA come in and said, 'Oh, you've got a ransomware incident; here's all the information you need. Let me get on your network; let me secure you.' And the answer is never. That's never happened to any company, to any CISO, to anybody on this call because it just does not happen.
So, the rollbacks from a cybersecurity perspective for the federal government are not actually impacting anybody on this call from that perspective, largely the federal government has left the public or the private sector to its own devices. So, to say that at a time when cybercrime is at an all-time high, how is the rollback of federal government funding, federal government personnel or resources directly impacting anybody in the private sector right now?
And I'd say the answer is public-private partnership sharing of threat intelligence, maybe. But even that, it's never timely. You're never getting signatures in a real-time manner. And at best, you are hoping that the federal government is not going to issue an enforcement action against you, like they did with SolarWinds.
Stiennon: Right? There is something the federal government could be doing and had an infrastructure to do that over the years. That was to support and get Russia to support the international treaty on cybercrime. And that would've been a way to stop 99% of all ransomware. Because if Russia's law enforcement started prosecuting and turning ransomware activists over to us, then it would just dry up.
But that's not the case. Obviously, pressure on the Russian government to stop supporting their cybercriminals, and North Korea as well, would've had a huge impact. And as a matter of fact, it'd be a devastating impact for the cybersecurity industry that I'm such a big part of, because all the cybercrime would go away.
[…] McLaughlin: And so, I agree with you, but that has nothing to do with the resource cuts that we're seeing right now. That's a diplomatic effort. That's, there are a lot of other overtures and geopolitical drivers that are really gonna impact ransomware, and it's not the federal government or CISA or anybody else swooping in to secure private sector networks.
Lohrmann: Totally agree. Guys, there's 29 questions. We're not gonna get to all these. I'm gonna jump to a couple more real quick, rapid fire. Then we'll do a wrap-up. We got about 10 minutes left here. Maybe, Michael, just answer this briefly: […] The differences between private-sector CEO and how they're accountable to a board, versus public-sector agency heads. So I guess what they're getting at here is, How is this different? Like, what a company might be doing or any thoughts around that?
McLaughlin: Yeah, so as in the private sector, if you are an officer or director, you have fiduciary responsibility to that company. You have to respond. You have to answer to the board of directors; you have to answer to shareholders. You have to make sure that company is doing everything it can to preserve shareholder value or ownership interest in that company. And you can be removed if you're failing or breaching your fiduciary duties.
Typically, there's an employment agreement that goes along with that, that you have to be fired for cause in order to not have a huge payout. And if you're not fired for cause, and the company looks at that and says, 'If we're just firing you for convenience, then we have to pay you X on your contract.' And so, the company weighs that in its calculus as to whether or not it's gonna remove somebody from that type of position.
That doesn't exist in the public sector. If you're in the federal government, you serve at the privilege of the commander in chief or, if you're in the military or if you're in the federal government space, you basically can be fired on a whim, if the president deems it so. And so anything at that, if you are under this administration, if you're disloyal, that can be cause for termination, and you don't really have a lot of recourse in that regard.
So, what's the difference between what somebody does in private sector -- CEO or the head of an agency. An agency still has a responsibility, or the head of an agency still has a responsibility. They still swore an oath to uphold, to support and defend the constitution and answer the lawful orders of the president and those appointed over them. But at the same time, they can be terminated in a way that a CEO may not be able to without significant financial harm to the company.
Lohrmann: Fantastic. Thank you for that. I'm gonna do one more quickly, and then we're gonna do a wrap-up with each of you. There's a number of different ones in here, by the way. There's a number of questions related to workforce development. What steps should people be taking around hiring responsibilities at state and local levels? We're gonna cover that next month in our topic around careers and cybersecurity and finding a job. And just a lot of these questions.
We'll take these; we'll capture these and get a number of these career-related questions nailed. That in that regard. Richard, any final thoughts on this? And it'll give me -- Earl, jump in here too, but we're making cuts very quickly. There may be opportunities for our adversaries to take advantage of any of our missteps.
This is question 19. Doesn't this make it less safe overall until we really get figured out what we're doing? What is the perspective on that? How does this affect the overall economy of the U.S.? There's a lot of other questions in here … a lot of different questions in here. But any thoughts on your premise earlier -- if those are just joining us, maybe feel that this is making us less safe. What are your thoughts on that? And Michael just mentioned it, as well.
Stiennon: Yeah. So I came prepared for this call, Dan, because I think that you and I talked about on a previous podcast and the concept of your first slide of the DOGE effect, right? So, in other words, all the great things that Elon Musk is doing in federal government is being picked up and recreated in state governments.
Now, mind you, you point out some of them aren't red states. But I would just like to read from Timothy Snyder's small little book On Tyranny, which became popular during the first Trump administration. Rule no. 1: Do not obey in advance. Do not do things because you think the almighty leader is gonna look on you pleasantly because you did. And […] these individuals think ahead about what a more repressive government will want and then offer themselves without being asked.
And that's exactly what we're seeing with the states: Follow suit with DOGE. And we're gonna see equal disaster to what Texas is experiencing, thanks to DOGE non-cyber related. Their medical budgets from HHS have been cut $12 billion. They've had to cancel plans for opening up, I believe it's 50 emergency measles vaccination centers.
Well, over 500 children to have measles … to have died … I think there's reports of a third. We're in a disastrous time, and Texas is talking about cutting their health services even more on the state level.
Duby: Would that be news? Yeah. I don't even, I don't even know how to follow up on that one. Yeah, Earl, I don't have a book; I don't have a book to read from, but yeah, I just, I've been in large companies for a long time, and I know that over time, organizations tend to grow larger, not smaller, and periodically you gotta go through there and you just have to readjust and you have to examine things and you have to get rid of things that are maybe no longer needed or don't align with the mission of the company anymore, or the mission of the agency.
And so, I'm just reserving judgment a little bit longer as to what all this is gonna shake out into. Do I think it's being done great? No, I can think of many ways where I would go at this a different way, but that doesn't change my mind in terms of should this be done, I think it just makes sense periodically for every organization to come through and, open the doors, open the cabinets, look at what's in there, who's in there, what they're doing and make adjustments.
And so, for those 61% of the people that are worried, I understand why you would be worried, but I also don't share that worry right now. Right now, I'm just waiting to see what's gonna happen. And I would hope that people just allow some of this process to happen so that we're not conflating ideals with reality. We, every organization, has to do this periodically.
Lohrmann: So, Michael, maybe final thoughts. We'll go around quickly. We're almost outta time here. It's hard to … a lot of different topics. There's a lot more questions coming in, over 30 questions we got in. Any final words you would leave with our audience? Michael McLaughlin, and then we'll quickly go around maybe just 30 seconds each, and we'll wrap this up. Mike?
McLaughlin: Yeah, I think my … when it comes to cybersecurity in particular for the country, the soft underbelly is and has always been the private sector, and that's what is targeted 99% of the time. It's not the federal government, and so the private sector needs to recognize that we have certain responsibilities as whether you're a CEO and you have a fiduciary responsibility, or you're a CISO or you are a cybersecurity engineer, to make sure you're safeguarding your systems and make sure you're advocating appropriately for budgetary resources to be able to effectively safeguard your systems.
That's not gonna change no matter what happens with those, no matter what happens with the federal government. If we as cybersecurity professionals continue to focus on that, we are gonna be doing right by national security.
Lohrmann: Thanks for that. Richard: thoughts? 30 seconds.
Stiennon: Yeah, I am so amazed at the questions we're getting. If, with your guys' permission, we can talk about answering a bunch of 'em right in written stuff between our two blogs. It's just really good discussion. Thanks for holding it, guys.
Lohrmann: Thank you, Richard. Really appreciate you being here. And Michael as well. Earl, final thoughts?
Duby: No, I like the conversation and just be clear: I don't think everything that's being done is great, and I don't think everything that's being done is horrible. I think we just gotta wait and see how that goes, and hopefully, we just stay calm about it and get through to the other end of it.
Now, I would also say there, our episode next month is about shortages of cybersecurity talent. So, there's supposedly -- and I don't always agree with these numbers either -- there's supposedly 600,000 unfilled cyberjobs in the U.S. This is a good opportunity to transition some really skilled people or people that, you know, are no longer in federal government into some impactful private organizations so that they can shore up that underbelly that Michael's talking about.
So, this is maybe a transfer of wealth when it comes to cybersecurity talent.
Lohrmann: Great. Thank you all so much. We thank the audience for joining us today. We're out of time right now, and thank you, our panel. Great job, Richard. Michael, as you always really appreciate it. Thank you for all your questions, and we will do our best to try and get at some of these within our next episode and in our blogs. But for now, so long and have a great day.
Duby: Alright, thanks. See you, Nick.