WEBVTT 00:00:12.045 --> 00:00:14.047 Hi, I'm David Don, 00:00:14.047 --> 00:00:18.251 and this is "Policy Questions With," a series where we explore 00:00:18.251 --> 00:00:22.322 the intersection of policy, technology and business. 00:00:22.422 --> 00:00:25.025 With me today is my colleague, Noopur Davis, 00:00:25.025 --> 00:00:28.495 Comcast Chief Information Security Officer. 00:00:28.595 --> 00:00:31.965 Noopur oversees our cybersecurity and product 00:00:31.965 --> 00:00:36.236 privacy functions and earlier this year was appointed by the president 00:00:36.336 --> 00:00:41.241 to serve on the National Security Telecommunications Advisory Committee. 00:00:41.307 --> 00:00:43.676 Noopur, great to have you with us today. 00:00:43.676 --> 00:00:45.278 Thank you for having me. 00:00:45.278 --> 00:00:45.712 So, Noopur, 00:00:45.712 --> 00:00:49.916 talk to us about the latest cyber threat landscape and how we deal with that. 00:00:50.016 --> 00:00:53.853 We really deal with kind of every aspect of the cyber 00:00:53.853 --> 00:00:56.256 threat landscape that you can think of. 00:00:56.256 --> 00:00:59.325 Comcast really looks at cybersecurity 00:00:59.325 --> 00:01:02.328 from three kind of points of view. 00:01:02.362 --> 00:01:05.632 By the way, these are called the pillars of cybersecurity. 00:01:05.732 --> 00:01:09.069 So that's confidentiality, integrity and availability. 00:01:09.135 --> 00:01:11.905 And all three of those are super important to us. 00:01:11.905 --> 00:01:16.743 So confidentiality is about our customers' data and our customers' information. 00:01:16.743 --> 00:01:20.447 We take that super seriously that we need to protect that. 00:01:20.447 --> 00:01:22.982 Availability though, is just as important. 00:01:22.982 --> 00:01:25.151 You know, we are the nation's critical infrastructure. 00:01:25.151 --> 00:01:29.689 I think half of the US broadband traffic flows through our systems 00:01:29.789 --> 00:01:32.392 and people live their digital lives on our platforms. 00:01:32.392 --> 00:01:36.563 So the availability of that platform is super, super important. 00:01:36.663 --> 00:01:40.266 So we deal with threats that are to the availability of that 00:01:40.266 --> 00:01:44.437 platform, threats to the confidentiality of the data that we protect. 00:01:44.704 --> 00:01:48.508 So we see just about every kind of threat that you can imagine. 00:01:48.608 --> 00:01:50.910 So obviously you're an expert in this field. 00:01:50.910 --> 00:01:53.913 We don't only think so, but the federal government does as well. 00:01:53.913 --> 00:01:56.149 And I understand you were recently appointed 00:01:56.149 --> 00:01:59.119 to the president's Security Advisory Committee. 00:01:59.385 --> 00:02:02.388 Can you tell us a little bit about the end stack and what it does? 00:02:02.622 --> 00:02:06.359 Yeah, that was a real honor and 00:02:06.426 --> 00:02:07.160 really, I 00:02:07.160 --> 00:02:10.897 did call my mom that day and, you know, shared that with her. 00:02:10.997 --> 00:02:15.368 And as an immigrant, it really is a special 00:02:15.468 --> 00:02:17.470 privilege to be able to do this. 00:02:17.470 --> 00:02:22.542 But the end stack is a group of executives that represent telecommunications 00:02:22.542 --> 00:02:27.847 companies, security companies, technology companies, product companies. 00:02:27.947 --> 00:02:32.986 And we come together and look at the resiliency, 00:02:32.986 --> 00:02:36.356 the security, the protected state 00:02:36.422 --> 00:02:41.161 of the telecommunications infrastructure for this country. 00:02:41.261 --> 00:02:46.666 And we advice the president, the president through 00:02:46.733 --> 00:02:49.736 various roles in the White House, 00:02:49.936 --> 00:02:55.275 comes to us with some specific problem areas to focus on. 00:02:55.341 --> 00:02:59.479 We of course, pick those and then we come together, debate 00:02:59.479 --> 00:03:04.150 and then come up with a set of advisory guidance. 00:03:04.217 --> 00:03:06.519 So recommendations on cyber security. 00:03:06.519 --> 00:03:08.388 Recommendations on resiliency, 00:03:08.388 --> 00:03:11.391 cybersecurity protection, all of those. 00:03:11.424 --> 00:03:14.694 What are your thoughts about the role of government and working 00:03:14.694 --> 00:03:18.631 with some of these federal agencies to secure our networks? 00:03:18.731 --> 00:03:21.167 Yeah, you know, there are some parts of the government 00:03:21.167 --> 00:03:25.738 I absolutely love to engage with and they really, really help us. 00:03:25.838 --> 00:03:28.741 And my favorite is NIST, you know, 00:03:28.741 --> 00:03:32.745 the National Institute of Standards and Technologies, and they produce 00:03:32.745 --> 00:03:37.183 frameworks, standards, guidelines, and it really become 00:03:37.250 --> 00:03:42.589 kind of a way to guide the industry, not just us, on how to be better. 00:03:42.655 --> 00:03:44.324 I love some of the guidance 00:03:44.324 --> 00:03:47.327 that is coming out of CSA and the White House. 00:03:47.493 --> 00:03:52.632 the recent guidance on secure by design, secure by default, the guidance on zero 00:03:52.632 --> 00:03:56.669 trust maturity, all of those things are really, really helpful. 00:03:56.769 --> 00:04:02.508 The part which is not helpful and, you know, takes me away and distracts 00:04:02.508 --> 00:04:08.715 my team from our core mission is regulations that are 00:04:08.781 --> 00:04:13.553 too prescriptive and too directive. 00:04:13.653 --> 00:04:16.823 And the reason is that, you know, you end up 00:04:16.823 --> 00:04:21.494 spending a lot of time in things that may not even be relevant 00:04:21.694 --> 00:04:25.231 by the time that you know, you're actually implementing them. 00:04:25.298 --> 00:04:27.567 So love some parts. 00:04:27.567 --> 00:04:30.570 Some parts become distracting from our core mission. 00:04:30.637 --> 00:04:34.507 So really partnership and not mandates is what you're talking about. 00:04:34.507 --> 00:04:38.344 Partnership is amazing. Guidance is amazing. 00:04:38.411 --> 00:04:41.614 Mandates is where it really becomes hard. 00:04:41.714 --> 00:04:46.019 So let's look at some of these examples that you're working on. 00:04:46.119 --> 00:04:49.088 Secure Internet routing is an important topic, 00:04:49.088 --> 00:04:51.291 and I know there's proceedings on this. 00:04:51.291 --> 00:04:53.192 What are your thoughts on that? 00:04:53.192 --> 00:04:55.962 So this is a complicated topic. 00:04:55.962 --> 00:04:59.332 So I'm going to spend one minute in the technical part of it, right? 00:04:59.632 --> 00:05:02.902 So, Internet routing is based on a set 00:05:02.902 --> 00:05:07.907 of protocols called the Border Gateway Protocol, BGP. 00:05:07.974 --> 00:05:11.077 And BGP directs 00:05:11.077 --> 00:05:15.248 how packets are routed between networks 00:05:15.315 --> 00:05:19.819 and the government is worried about, and probably rightly so, 00:05:19.919 --> 00:05:24.157 that the BGP protocol itself can be abused, 00:05:24.157 --> 00:05:28.394 so it can be hijacked, it can be, packets can be rerouted 00:05:28.628 --> 00:05:33.132 to destinations that you're not supposed to get to. 00:05:33.199 --> 00:05:34.133 And of course, 00:05:34.133 --> 00:05:38.371 when a threat actor does that, they do that with a bad purpose in mind, 00:05:38.438 --> 00:05:43.576 The good news is that Comcast and other ISPs, we've been focused on this 00:05:43.576 --> 00:05:46.579 for over two years and we have implemented 00:05:46.579 --> 00:05:50.717 a set of controls called the Resource 00:05:50.817 --> 00:05:53.720 Public Key Infrastructure, RPKI. 00:05:53.720 --> 00:05:56.289 And what that does is that it 00:05:56.289 --> 00:05:59.826 cryptographically signs those routes. 00:05:59.892 --> 00:06:03.796 And so not only do we sign, cryptographically sign our routes, 00:06:03.796 --> 00:06:08.000 we also validate that routes coming in to us are cryptographically signed. 00:06:08.101 --> 00:06:12.105 What does that all mean to a consumer? Most consumers won't even notice, 00:06:12.372 --> 00:06:15.742 because we try to keep security invisible. 00:06:15.842 --> 00:06:19.946 We want security to be there so that a consumer can 00:06:20.046 --> 00:06:23.683 trust that where they're going is where they're meant to go, 00:06:23.750 --> 00:06:27.086 that the information that they received has not been tampered with. 00:06:27.186 --> 00:06:30.757 But we try to do that in a very unobtrusive way. 00:06:30.823 --> 00:06:32.625 And is it something we do on our own or 00:06:32.625 --> 00:06:35.628 it requires everyone to be part of this system? 00:06:35.695 --> 00:06:39.632 So that's a really good question, because us doing it 00:06:39.665 --> 00:06:42.668 on our own, it improves the situation a bit. 00:06:42.902 --> 00:06:45.838 But this is really a global problem. 00:06:45.838 --> 00:06:50.910 And so any enterprise network, any federal network, 00:06:50.910 --> 00:06:54.747 any government network, some that are outside the jurisdiction of 00:06:54.747 --> 00:06:57.583 the United States, even, 00:06:57.650 --> 00:06:58.885 they all need to be 00:06:58.885 --> 00:07:02.955 doing this kind of protection for this to be globally effective, right? 00:07:03.189 --> 00:07:08.828 So we do some local optimization, but we really need global implementation. 00:07:08.828 --> 00:07:09.829 Yeah. 00:07:09.829 --> 00:07:13.399 So let's look at another one that I'm familiar with, which is the FCC's 00:07:13.399 --> 00:07:17.637 inquiry into a cyber trustmark for Internet of Things devices, IOT. 00:07:17.703 --> 00:07:18.738 What are your thoughts on that? 00:07:18.738 --> 00:07:22.708 Is this, is this a good area for the government to be getting involved in? 00:07:22.775 --> 00:07:27.046 Yes, because this is something that consumers really want. 00:07:27.046 --> 00:07:33.085 They in survey after survey, consumers say they will, they want secure IOT devices. 00:07:33.186 --> 00:07:36.823 So we of course, want to make sure that those devices are protected. 00:07:36.923 --> 00:07:39.659 And if you are a customer and use our gateway, 00:07:39.659 --> 00:07:42.962 we have a capability called Advanced Security 00:07:43.029 --> 00:07:46.032 that you just get by default and it will protect 00:07:46.032 --> 00:07:49.035 everything that is connected to your home wi fi, right? 00:07:49.268 --> 00:07:54.340 So we invest a tremendous amount on the protection 00:07:54.574 --> 00:07:58.478 and the security of those devices, from everything from the code that goes in, 00:07:58.711 --> 00:08:02.148 to the default configurations, to how we build them. 00:08:02.215 --> 00:08:05.918 So we call it chip to cloud security, right? 00:08:05.918 --> 00:08:08.120 So, I love the 00:08:08.120 --> 00:08:12.158 idea of that Trustmark because again, it's not a mandate. 00:08:12.258 --> 00:08:14.794 It's a incentive 00:08:14.794 --> 00:08:19.031 because we are responding to something our customers are already asking for. 00:08:19.131 --> 00:08:22.735 The cyber Trustmark will now put a little mark on the device 00:08:22.802 --> 00:08:27.039 which says this device is compliant with the standard 00:08:27.039 --> 00:08:32.311 that the government is defining in collaboration with industry. 00:08:32.378 --> 00:08:35.147 So a perfect example of 00:08:35.147 --> 00:08:38.150 collaboration between government and industry. 00:08:38.284 --> 00:08:40.720 So another example of the government 00:08:40.720 --> 00:08:44.090 looking at cyber in a surprising new way, 00:08:44.090 --> 00:08:47.894 the FCC recently announced that it's going to look at 00:08:47.894 --> 00:08:51.731 new regulations for ISPs involving Title II. 00:08:51.797 --> 00:08:55.735 It's been a controversial subject for, I think over a decade now, 00:08:55.801 --> 00:08:59.472 but in their most recent proposal, they've made the case that they need 00:08:59.472 --> 00:09:04.243 this Title II authority in order to deal with cybersecurity. 00:09:04.343 --> 00:09:04.810 It's interesting 00:09:04.810 --> 00:09:08.180 because you just mentioned you're working with the FCC on the Trustmark, 00:09:08.281 --> 00:09:12.418 so explain to me what your thoughts are on using Title II 00:09:12.418 --> 00:09:16.088 for some cybersecurity or privacy basis. 00:09:16.188 --> 00:09:21.160 You know, the question I always have is what gap is this trying to fill, 00:09:21.260 --> 00:09:24.096 you know today between the White House, between CSA, 00:09:24.096 --> 00:09:28.568 between DOD, between FBI, 00:09:28.668 --> 00:09:33.205 between NIST, and we work with all of them. 00:09:33.272 --> 00:09:35.808 Every aspect of this is covered. 00:09:35.808 --> 00:09:39.478 And, you know, ISPs are are trying and 00:09:39.478 --> 00:09:42.682 and really investing a lot in this area. 00:09:42.748 --> 00:09:46.819 So my question always is what gap is this trying to cover 00:09:46.919 --> 00:09:51.591 and what amount of resources will it take 00:09:51.591 --> 00:09:55.795 to address, you know, new regulations that are not needed 00:09:55.861 --> 00:10:01.233 versus the amount of resources that we need to really 00:10:01.300 --> 00:10:04.971 fulfill core mission, which is to protect our customers and our infrastructure. 00:10:04.971 --> 00:10:06.606 And you mentioned a bunch of agencies, 00:10:06.606 --> 00:10:10.443 but the FCC is also one we work with regularly on cyber as well. 00:10:10.443 --> 00:10:13.112 So why they need additional authority is unclear. 00:10:13.112 --> 00:10:15.881 That's the part that is unclear. 00:10:15.881 --> 00:10:18.684 So let me pivot to one other very important policy issue, 00:10:18.684 --> 00:10:22.688 which is getting everyone connected to broadband. 00:10:22.788 --> 00:10:26.158 It is topic number one in Washington. 00:10:26.225 --> 00:10:31.030 The federal government has allocated over $40 billion in what's 00:10:31.030 --> 00:10:35.901 called the BEAD program to bring broadband to unserved areas of our country. 00:10:35.968 --> 00:10:41.107 I speak with a lot of elected officials, community officials, and one of the areas 00:10:41.107 --> 00:10:46.445 that's not getting a lot of attention in my mind is cyber security. 00:10:46.512 --> 00:10:50.416 What advice would you give a community leader 00:10:50.416 --> 00:10:53.419 when looking at partnering with an ISP 00:10:53.519 --> 00:10:58.357 around cyber and incorporating cyber into their plans? 00:10:58.457 --> 00:11:00.526 First of all, I think it's amazing that 00:11:00.526 --> 00:11:03.696 we have this program and that we are going to reach into communities 00:11:03.696 --> 00:11:08.200 that we've never been able to reach and provide broadband services. 00:11:08.267 --> 00:11:12.238 The advice I would give and again, as I say this, 00:11:12.304 --> 00:11:15.541 it is with full recognition that companies 00:11:15.541 --> 00:11:20.079 like ours, with everything that we invest, we are still on a journey, 00:11:20.179 --> 00:11:23.249 But having said that, you know, we have a team. 00:11:23.249 --> 00:11:27.286 I have a team of well over a thousand people across the globe. 00:11:27.286 --> 00:11:30.289 We have 24/7 follow the sun model. 00:11:30.489 --> 00:11:36.028 We're watching and protecting and defending and hunting 00:11:36.028 --> 00:11:40.199 and I mean doing all of those things to protect this network. 00:11:40.266 --> 00:11:43.969 A network isn't just, you know, some wires, right? 00:11:43.969 --> 00:11:49.809 It's the switches and routers and firewalls, the software, 00:11:49.809 --> 00:11:54.880 the cloud component, the applications, the customers' data that you are going, 00:11:54.914 --> 00:11:59.318 you need to protect to deliver a service to that customer. 00:11:59.418 --> 00:12:02.421 The back office systems that manage all of that, 00:12:02.455 --> 00:12:05.558 that ecosystem is not, 00:12:05.758 --> 00:12:08.694 you know, child's play to protect, and 00:12:08.694 --> 00:12:12.064 it is super important for the confidentiality 00:12:12.298 --> 00:12:15.568 of the people who are going to consume that service 00:12:15.634 --> 00:12:19.038 and then the availability of that service for those people 00:12:19.138 --> 00:12:22.007 to make sure that cyber is considered as we are 00:12:22.007 --> 00:12:25.010 building out these new systems. 00:12:25.244 --> 00:12:28.748 So cyber is not last on your list of considerations? 00:12:28.748 --> 00:12:32.918 Oh my gosh, no, I think it should be like number one, two or three, 00:12:32.985 --> 00:12:34.587 definitely not the last. 00:12:34.587 --> 00:12:35.287 And it's not something 00:12:35.287 --> 00:12:37.089 you just do once when you're building the network, 00:12:37.089 --> 00:12:39.125 but something you maintain and upgrade and... 00:12:39.125 --> 00:12:43.629 Constantly, because the threat actors don't stay static. 00:12:43.729 --> 00:12:47.767 They are constantly evolving and the threats are constantly evolving. 00:12:47.767 --> 00:12:52.171 So it is something that you have to watch for and defend actively. 00:12:52.171 --> 00:12:54.473 It's not some passive thing you do. 00:12:54.473 --> 00:12:58.277 I mean, I literally have a team called Threat Hunters, 00:12:58.377 --> 00:13:02.782 and they hunt for, you know, issues in the network. 00:13:02.782 --> 00:13:05.551 Terrific, well this has been a great discussion. 00:13:05.551 --> 00:13:09.555 Before we let you go, we do have one question we like to ask our guests. 00:13:09.555 --> 00:13:13.659 It doesn't have to be in the cyber realm, but what emerging tech excites 00:13:13.659 --> 00:13:16.028 you the most right now? 00:13:16.128 --> 00:13:18.397 I think generative AI, and I know 00:13:18.397 --> 00:13:22.368 that there can be no conversation these days without mentioning that word. 00:13:22.434 --> 00:13:26.605 But the reason that I'm excited about it is that now there's a dark side 00:13:26.605 --> 00:13:28.474 and there's a light side. 00:13:28.474 --> 00:13:30.943 I'm going to focus on the light side for now. 00:13:30.943 --> 00:13:35.281 I think it's going to open up a lot of new 00:13:35.347 --> 00:13:38.584 areas for cyber defenders. 00:13:38.684 --> 00:13:43.689 It's going to force multiply the way that we are able to defend. 00:13:43.789 --> 00:13:45.057 Now there's the dark side 00:13:45.057 --> 00:13:48.894 because the threat actors will also be able to do certain things. 00:13:48.894 --> 00:13:51.864 But I'm going to focus for a bit on the light side. 00:13:51.964 --> 00:13:52.832 Well, it sounds exciting. 00:13:52.832 --> 00:13:54.633 Thank you so much, Noopur. Of course. 00:13:54.633 --> 00:13:56.502 This is great. 00:13:56.502 --> 00:13:59.805 And thank you for joining us for this great conversation. 00:13:59.905 --> 00:14:03.542 This has been "Policy Questions With" ...Noopur Davis. 00:14:03.609 --> 00:14:04.944 We'll see you next time.