
But what have the Americans given us? – IVLP Programme Report

Author: Gergely Lesku

Date: 2024.12.12

IVLP – “Promote cybersecurity” project report

In the fall of 2024, I had the opportunity to attend a professional program in the United States. This was organized in the “Promote cybersecurity” project, which is part of the more than 60-year-old International Visitor Leadership Program. The Embassy of the USA in Budapest selected and invited one expert from each of 15 European countries. During the three-week trip, we met the professionals and leaders of numerous organizations, attended many official and cultural programs and also had the opportunity to watch the elections as closely as possible on the spot.
The goal of the program was that representatives of certain special fields in states cooperating with the USA should learn and understand how the given activity works on the American side. Learning about the organizations, their leaders and methods is expected to improve cooperation and develop professional, scientific, economic and cultural relations.

We visited four states and five cities. In their own way, all of them are the center of a certain state or district of the USA. I am summarizing for each location the goals and the conclusions drawn as well as the useful knowledge and the connections we acquired.
If you would like to know more about the topic, you can find out more details in a longer series of articles, where I will also share contacts and links.

Washington, DC

We started in the capital, where we achieved a double goal: on the one hand, we learned about the political, legal and administrative functioning of the country, and on the other hand we met the federal organizations that are most important to us in the cybersecurity profession. We visited the Pentagon (Department of Defense) and the Truman Building (Department of State), and met professionals of the DHS (Department of Homeland Security), CISA (Cybersecurity and Infrastructure Security Agency) and NIST. We went to Georgetown University and had a workshop with a professor from the National Defense University.

With Gharun Lacy, Deputy Assistant Secretary of State for Cyber and Technology Security


Conclusions

Federal lawmaking is a very cumbersome and difficult process in the United States. Unfortunately, laws with a significant impact in most cases do not make it through the two houses or the presidential and Supreme Court levels. You will understand how difficult it is if you think of the number of times previous presidents tried unsuccessfully to pass laws, for example, related to cybersecurity. For this reason, they operate on the basis of executive orders or presidential or departmental regulations. These, however, determine the operation of their own offices, but results and efficiency are measured not only against expectations but also against KPI values.

Interestingly, the consequence of this is that goal-oriented, cooperative operation has developed between state agencies and private sector organizations. Well-equipped agencies actually strive to achieve practical goals, since defense organizations have significant resources compared to European conditions, and NIST and the universities supply the most advanced processes, methodologies and knowledge to almost the entire world. They are open to each other and to “customers” and share knowledge and resources.

It is important to emphasize that they try to provide help in many ways to their allies, including Hungary: on the one hand through the embassy, and on the other hand the FBI, the liaisons of the Department of State and various cybersecurity organizations of the Department of Defense actively support the allies in their fight against cybercrime as well as crime against state actors committed in cyberspace. This is most often realized in the form of CTI or other information exchange, knowledge sharing, training, and participation in exercises.

Orlando, Florida

Florida is one of the most populous states, the center of space research, the scene of very successful university research and an important technology center as, for example, the largest gaming development companies are also located here. Of course, tourism is also important as many people visit, for instance, the Disney and Universal parks.
Here, we saw the technology sector and the incubator in Orlando, and visited the university (UCF) and the Kennedy Space Center.

Kennedy Space Center, Florida


Conclusions

Active university life and the favorable living space have turned the region into a very effective innovation center. We understood how universities and companies work together: companies support the cybersecurity faculty, and the faculty implements CTFs and development programs of significant professional and social impact in cooperation with start-ups and young researchers. We had the opportunity to meet all sides in this value chain.

One of the most important new development plans is currently the security of circuits, embedded systems and processors. The university presented the latest research results and how professionals are trained in this field. They see exploited or forced vulnerabilities taking place at such a low level, possibly through the compromise of suppliers, as a significant challenge. If a chip turns out to cause a data leak, complete systems and software based on it, and even complete business processes, can stop for a long time, since replacing such a component can take months or even years.

Denver and Colorado Springs, Colorado

Denver lies at an altitude of 1500 m, while Colorado Springs lies at 2000 m on a dry plateau at the eastern foot of the Rocky Mountains. The state is located practically in the middle of the USA, in a well-protected place with cool, predictable weather, so perhaps it is understandable why it is such an important place, for example, for the air force and also for cybersecurity. At the same time, it is a significant business center with its skyscrapers, and lately it has become very successful in sports (NBA, NHL, NFL, MLB).

At the Denver Election Center


Here, we had the opportunity to understand and personally observe the technical details of the elections as well as to meet the deputy attorney general, the city and county CISO and lawyers specializing in data protection.

Conclusions

The elections are technically conducted differently in each state, and the presidential elections are almost always accompanied by local matters. The voter registry is public; what is more, anyone can find out whether another citizen has cast a vote. At the same time, the election is secret, which is why they use a very complex procedure to ensure that the votes are anonymous but traceable, like on a production line, where product “traceability” can be followed electronically. All votes are scanned and also stored on paper.

Among cyber defense threats, disinformation and misinformation campaigns are the ones mainly encountered; these are mostly managed by means of communication, but DDoS attacks also occur. Spearphishing / smishing attacks are common, so a verification procedure has been developed, which is also a solution for deepfake attacks.

Data protection was the other main topic, where we understood how different the situation is for everyone, including US citizens and businesses, compared to the EU, namely because there is no uniform data protection. There are regulations in some industries (e.g. concerning children, finance, healthcare), but these are not complete either. In most states, it is completely legal to sell personal and even health data, which you can obtain as the owner of a website or an application, for instance.

For this reason, lawyers and prosecutors can primarily deal with cases involving violations of privacy rights or other violations of law, while data theft or data loss is not a reason in many cases. On the other hand, this picture is very complicated at international companies, since other European, Asian or American rules must also be observed in addition to the GDPR.

Seattle, Washington

This city is located almost at the Canadian border, with wet and pleasant weather, wealthy neighborhoods and important industrial areas thanks to the huge companies that have settled here. The most interesting thing for us was the presence of Microsoft, and we had the opportunity to visit the cyber defense and cybercrime center. We visited the county’s emergency control center, which also serves as a center for major cyber-physical events. We consulted with the leaders of the OT security department and the undergraduate and graduate students of the local Everett Community College, and discussed practical experiences and the possible effects of the election results (Trump), which we witnessed right on the spot, with the lawyer of the international law firm K&L Gates specializing in cybersecurity matters. We evaluated the three weeks at a workshop and, of course, toured the city.

Redmond, Microsoft’s central campus


Conclusions

As far as Microsoft is concerned, perhaps the most interesting change is that Microsoft now sees itself as an AI company: AI is in every sentence of their internal communications, and they claim to actively use it in all areas of information security, whether it is detection, behavior analysis, threat intel analysis, risk assessment or even cybercrime. It is also known that Microsoft specialists work closely with the FBI and other agencies, since they have a significant share in both public and private infrastructure; they are always among the first to notice when a new campaign is launched, and close Microsoft–authority cooperation is necessary for stopping or identifying Azure tenants.

The operation of the King County Emergency Operations Center is a learning experience. It is necessary as it serves a population the size of Budapest on one of the world’s most active seismic fault lines, where industrial activity is also very significant (this includes Microsoft’s Redmond campus that has 125 buildings and can accommodate 60,000 persons). What can be learned from them is local and national cooperation. This has a very practical methodology: starting from the local sheriff’s office, all sectors (communication, city management, road management, etc.) are involved in regular exercises and in the development of processes. At the elections, for example, the police, municipalities, IT and communication specialists were on duty in order to intervene effectively and immediately if necessary. Their home is an island system that can operate for weeks with its own water and electricity supply, radio system and all-terrain vehicles.

Seattle, Columbia Center observatory


And then what have we got from them?

From the viewpoint of IT security, many things are strange, or can sometimes be even annoying in the USA from a European perspective, such as the use of amazing resources in an apparently wasteful way, or the total confusion of some regulations, or even simply the prices. But overall, the most important lesson for me was that each of these countless actors knows what they have to do, and they help the others as partners. The most important thing is not regulation but practical cooperation. This includes standards issued by NIST, CISA training, or the sharing of threats and vulnerabilities with each other.

All this has created a very mature, experienced community. Although there is much to be done at the social level and at small companies, many of the good practices can still be adopted. Moreover, we as allies and friendly countries can also count on their direct help.