Coratti: Hello. Good morning, everyone. I see some of you standing back there. We’re bringing in chairs, so everyone will have a seat. Thank you so much for joining us this morning. My name is Kris Coratti. I’m the vice president of communications and events here at The Washington Post. I’m really thrilled to have you all here for our first Cyber 202 live event. For those of you who don’t already subscribe, The Washington Post’s Cyber Security 202 newsletter provides insider analysis on the latest cybersecurity news and its effects on policy. So this morning, you’re going to hear from the officials who are charged with protecting government systems and the nation’s critical infrastructure from cyber threats. But before we begin, I want to briefly thank our presenting sponsor, Hewlett Packard Enterprise. You’re going to hear from them a little later in the program. And our supporting sponsor, UMBC.
Threat Detection, Intelligence Sharing and Cutting-Edge Research
So now I want to go ahead and get the program started and welcome to the stage The Washington Post’s Ellen Nakashima. She’s going to lead our first discussion. Thank you. [APPLAUSE]
Nakashima: Good morning, everyone. I’m Ellen Nakashima. I’m a national security reporter with The Washington Post and it’s so great to see such a big crowd out here today. I’m moderating the first discussion about cyber threat detection and prevention and then we’ve got several more great panels to really deepen the policy debate around how we protect the United States and our democracy against attacks through cyberspace from foreign adversaries. And I’m really delighted to introduce to you my two guests because though they and their agencies are not generally in the headlines, what they do is so important. To my immediate left is Tonya Ugoretz. She’s director of the Cyber Threat Intelligence Integration Center, or CTIIC at the Office of the Director of National Intelligence. It’s been around since 2015 and Tonya is a career FBI intelligence analyst who is steeped in counterterrorism and cut her teeth in the days after 9-11 and her analyst’s teeth, and so much so that she became in 2003, the first analyst to serve as the FBI director—then Robert Mueller—daily intelligence briefer. She was Mueller’s daily intelligence briefer. So you know she’s incredibly smart and her background is so relevant to her current job because she heads an organization that was modeled after the National Counterterrorism Center, or NCTC, which as you know, was set up post-9-11 to address criticism that the intelligence community had missed connecting the dots, the intelligence thoughts that might have thwarted the Al-Qaeda attacks.
So CTIIC, which fuses the streams of intelligence from across the government or intelligence dots on cyber threats, provides assessments, including the all-important attribution or who is behind a cyberattack, who done it, to our policymakers. Next to Tonya is Jason Matheny. He is director of the—let me see if I can get this right—Intelligence Advanced Research Projects Activity. Not agency activity or IARPA. And I think of IARPA as sort of the DARPA of the intelligence community. Where DARPA gave us the internet and stealth aircraft, IARPA is working on everything from face recognition to keeping bioweapons out of the hands of bad guys, to quantum computing. And the agency or activity, I should say, couldn’t have found anyone more qualified or overqualified, I should say, to head it than Jason.
As he has worked at the World Bank, Oxford University, Johns Hopkins Applied Physics Laboratory, the Center for Biosecurity, and Princeton University. And in his spare time, he co-founded not one, but two biotech companies. And because he clearly couldn’t figure out what he wanted to do in life, he’s got a Doctorate in Applied Economics, a Master’s in Public Health, a Master’s in Business Administration, and a master’s and a bachelor’s from the University of Chicago. So Jason’s a true renaissance man.
Matheny: Dilettante. [LAUGHTER]
Ugoretz: It sounds like you can’t hold him up.
Nakashima: Before we begin, I’d like to let our audience in the room and watching online know that they can tweet their questions to our guests and #202Live. That’s #202Live. And I’ll try to get to some of your questions later in our conversation. So what a week this has been in the world of cyber. Just last Friday, as you know, now Special Counsel Mueller indicted 12 Russian military officers for hacking into the Democratic National Convention in 2016 and releasing the stolen emails in an effort to influence the election. That same day, Director of National Intelligence, Dan Coats, Tonya and Jason’s boss, warned that the system is quote “blinking red just as it was in the months prior to 9-11.” Only this time, he said, “It’s our digital infrastructure that’s under attack.” And he also warned that Russia was the most aggressive foreign adversary in cyberspace. So spell it out for us, Tonya. As the integrator of threats from across this spectrum, what are you seeing Russia do? Does it pose a cybersecurity threat to the integrity of our midterm elections? Are you seeing activity there?
Ugoretz: Thank you, Ellen, and thank you to The Washington Post for the opportunity to speak here today. I think in 2001 when the CIA director used the term “the system is blinking red”, it was to get attention. At that time, it was to get the attention of our policymakers that there were significant threats we were seeing in the counterterrorism space. Director Coats in his address to the Hudson Institute last week used similar terminology again to get our attention. But in this case, it’s not the attention of our policymakers. That’s already very highly focused on cyber threats. I think you hear it in the worldwide threat assessment that the DNI has given in the past few years in which cyber threats lead as the number one, year-over-year.
You heard it in the remarks of Director Wray, Secretary Nielsen, the deputy attorney general this week. And so we’re very much focused on cyber threats. With regards to Russia, I agree with the DNI’s and others’ characterization that they are the most aggressive foreign actor that we see in cyberspace. There’s, for good reason, a lot of focus on their activity in 2016 against our election infrastructure and their malign influence efforts. But I think it’s important to widen our view and to also look at the other public announcements that DHS, the FBI, and the administration just this year about Russia’s cyber efforts against the U.S. and against our allies. The NotPetya attack. This was malware that infiltrated a Ukrainian accounting software system and manipulated the way that the company pushed updates to its customers so that instead of getting your normal software update that we all click yes to on our computers, it downloaded malware instead. According to the administration’s statement, that was the single most destructive and costly cyber attack in history.
We also saw DHS and FBI this year issue a technical alert so that defenders could protect against Russian activity in our critical infrastructure systems. This described Russian cyber actors’ efforts to infiltrate and conduct intrusions into different sectors of our critical infrastructure, including energy and water and manufacturing. So the aggression is widespread. It’s against multiple sectors. It’s against multiple types of networks and so I think that call to attention that you heard the DNI give—as I said, it wasn’t just aimed at the government. It was really aimed at all of us because it really does require not only a whole of government but a whole of country effort to be aware of what we’re facing and to combat it.
Nakashima: And I want to get back to that, but I want to let Jason come in here for a second. Jason, your agency does over the horizon research. So you’re focused more on what’s coming than rather what’s in the here and now. So give us a sort of cyber weather forecast on what you see is shaping up to be the most significant threat of the future and what are you doing to counter it.
Matheny: Yeah, so one of the trends in cybersecurity is something that’s sort of boring, which is that 70 to 80% of the attacks, both from state actors and from cybercriminals are social engineering attacks. They’re really attacks that are meant to manipulate the behavior of users. The most common form of a social engineering attack is phishing. So somebody sends you an email, tries to get you to click on a link that then gets malware in your machine. So that’s a boring problem. It’s not technically very interesting but it’s enormously costly and represents by far the largest share of the kinds of attacks that we have to deal with. On the technology side, looking at the horizon, so the next five-to-10 years, both defenses and the threats themselves in social engineering attacks are becoming more sophisticated thanks to advances in machine learning.
So one type of advance is that we can develop better filters for being able to recognize a phishing email. And you already see internet providers start to use this. So if you’re checking Gmail and you’ll see a little warning message that says, “This email looks like a scam”, that’s because there’s a filter that’s been trained on a bunch of training examples of real phishing attacks and they’ve trained a machine learning system to recognize what those look like. But there’s now an arms race because the people who are developing phishing attacks are also using machine learning in order to figure out ways of making more subtle phishing emails that bypass those filters. I think what we’re going to see is a much greater degree of sophistication in the machine learning that’s applied to this so that every day, you’re going to see a significant advance on both the offense and the defense happening really at machine speeds. So that the cyber actors can in a way create industrial scale phishing attacks so that they automatically generate these phishing emails in very large numbers. The internet companies will need to be developing defenses that are just as fast and just as scalable. That’s right now, I think what we consider one of the hardest problems in cybersecurity.
Nakashima: That’s scary. Do you think the companies can develop these defenses fast enough and powerful enough to counter the offense?
Matheny: There’s a longstanding debate in cybersecurity theory about whether there’s offense or defense dominance in cyber. That is, is it inherently harder to defend a system than it is to attack it. And we don’t think so. We think that, in fact, the advantage goes to whoever assembles the largest number of training data. So examples of say, phishing emails. If the defenders were willing, either due to policy or culture, to share more training examples, they could create much more training data than the attackers could. So if Google and Microsoft and others, Apple, were pooling their training datasets of phishing attacks, they would have a much larger training dataset than any attacker would and they could create then more robust defenses more quickly than attackers can.
Nakashima: Interesting. So that’s a challenge to all of the tech companies out there to try to start pooling their data and they’ll also have to do so in a way that doesn’t, I guess, raise privacy concerns and issues.
Nakashima: You have to get that at a different panel. So Tonya, news broke last night that the Justice Department has a new policy to disclose the existence of influence operations or information warfare attacks against the political processes of the United States when the intelligence community has high confidence of the foreign actor behind it and is also fairly confident that it won’t blow sources and methods. Obviously, this is an issue that is very much in the forefront today, as we are very concerned about whether Russia will seek to interfere and meddle in the midterm elections through hacking and disinformation. What do you think, first of all, of this idea? And second, what role would CTIIC play in integrating the intelligence that might feed this decision to disclose?
Ugoretz: Thank you, so I think that the decision to publicly name and disclose when there are malign influence efforts. It’s very much in line with what I was just describing and what the DNI was advocating in terms of thinking about the American public, U.S. companies, the private sector as customers of the U.S. government. As an intelligence analyst, we’re always taught to think number one, about who our customer is. And often, that’s a senior policymaker. It’s usually another agency within the federal government. But increasingly, we have to be thinking more broadly. The U.S. government does not have the monopoly on intelligence when it comes to cybersecurity.
There is a very robust cybersecurity industry in the private sector and we need to look at new ways of partnering with them, feeding their information into what we see from classified intelligence sources so that we can create a holistic picture of the threats that we seek. So I think the more that we can create a dialogue and mechanisms for sharing information between government and private sector back in the other direction, as well as with the American public, notify victims. Whether they’re the victim of a cyber intrusion or a malign influence campaign. I think that will help all of us be better able to play defense against some of these efforts.
Nakashima: Did CTIIC play any role in fusing the various streams of intelligence about the Russian hacking related to the 2016 election?
Ugoretz: Yes, so I appreciated your comparison to NCTC. It’s a very kind one. I’ll mention CTIIC is much, much, much smaller than NCTC because we have a bit of a different mission. Our personnel numbers are in the dozens and we’re a multi-agency workforce, which means that about 80% of that several dozen people who I lead come to us from other agencies; CIA, NSA, FBI, Department of Energy, et cetera. And so that is what really positions us to integrate all of the different streams of information and intelligence that we’re seeing across the interagency. So in the 2016 case and even currently, our main focus is on creating situational awareness of the current threats that we’re seeing. That means weeding through an awful lot of information and answering the question: what do our decision-makers most need to pay attention to? And that involves contextualizing it, putting it in context so that we know where does this fit with the bigger picture of threats we’re tracking?
Nakashima: How much did you put the Russian hacking of say, the Democratic National Committee or other parties in 2016 into the forefront of policymakers’ decision-making?
Ugoretz: So we were certainly featuring that in our situational awareness products as it was unfolding. We’re also present—
Nakashima: Early on, would you say?
Ugoretz: Mm-hmm, yes. In fact, CTIIC became official in December 2015. That was when we first stood up and so we were kind of present for the cycle of what occurred in 2016 and we were very much involved in highlighting intelligence that the interagency saw on that matter. We also play a very privileged role of participating weekly in meetings that are led by the National Security Council, in which all of the departments and agencies that are involved in cybersecurity gather around the table and discuss, “What are the current threats and what are we doing in response to those?” And I’m privileged each week to lead that meeting with an intelligence briefing that helps form the basis for that discussion.
Nakashima: Forgive me for coming back to it, but I’m so interested in this because back in 2016, early on—maybe June, but June certainly. May, June, I know the FBI was very confident that Russia GRU—the GRU was behind the hack. Yet, it wasn’t until October—October 7th that the DNI and the Homeland Security secretary actually made their public attribution. Why did it take so long?
Ugoretz: So public attribution and other response options are always a policy decision. The intelligence community is charged with, as DNI Coats put it the other day, “Seeking the truth and then speaking the truth.” We provide the best intelligence we have at the point in time that we have it. Despite what you might think, the popular notion of CSI: Cyber and how it really works, it’s often not the instant that something happens. We often learn details of activity later, out of order, in bits and pieces, and then part of the job of an integration center like CTIIC is to pool all of that together. So again, the decision—the unprecedented decision to issue a public statement regarding the activity that we saw, that’s ultimately for the policymakers to make.
Nakashima: And if the policy that the Justice Department announced last night were in place—had been in place then and so maybe the government might have made their attribution statement earlier. Do you think it would have made a difference, Jason, Tonya, in a body politic?
Ugoretz: I think it’s hard to say. I try to avoid speaking in hypotheticals, but I’m really heartened to see the steps that many agencies are taking to apply the lessons learned and what we’ve learned from an intelligence standpoint about how our adversaries are using cyber means to achieve their strategic objectives. Because that’s really what it’s all about. It’s not just about cyber. It’s not just about malign influence. It’s that whole toolset that our adversaries are using to achieve their objectives.
Nakashima: Right, now, Jason, Tonya’s center CTIIC doesn’t focus on information warfare attacks against social media from things like Russian bots or automated software that generates tweets that might stoke social divisions. But is IARPA doing any research or conducting any projects in this area that that might be relevant to detecting and thwarting such assaults?
Matheny: Yeah, we have in a few different areas. So one is we’ve had a research program, a piece of which is to understand, can you detect bots that are in social media accounts. Can you detect sock puppets, which are manipulated accounts that are being used to express certain opinions or judgments? Can you detect those automatically since it’s—there’s so many such accounts, it really is impractical to do it using human analysts. We’ve also done work in looking at manipulation of shared databases, like Wikipedia. So can you detect when somebody is manipulating Wikipedia pages through malicious edits that are intended to be part of a disinformation campaign? You can. Now, it depends on the individual page and the topic, how long a malicious edit is going to stick around. And Wikipedia is pretty rigorous in the way that it establishes forms of control and protection to prevent high-frequency malicious edits. But it’s something that I think will require continual defense. And that’s another whole domain in which cybersecurity and information security, more broadly is really important.
A third area is trying to understand more about Russian disinformation. And domestically within Russia, the primary means of disinformation is less censorship and more overloading the media and social media accounts with engineered data. So much broader use of sock puppets than censorship. Which is in contrast, I would say, to China, for example, in which the censorship is very highly engineered, also heavily automated through sets of censored keywords that trigger a censorship event. In Russia, we see much more emphasis instead on simply creating a huge volume of controlled information, much of it disinformation, in order to drown out the genuine data. So that’s another area where we need to continually develop tools to detect that kind of disinformation.
Nakashima: Is information warfare something the United States should contemplate using against its own adversaries to achieve its own strategical in any way or is it just too much of an ethical and moral minefield there?
Matheny: Well, I can’t take the policy perspective on this, but from the technological perspective—
Nakashima: You can try. [LAUGHTER]
Matheny: I think that focusing on defense makes a lot of sense. In part because if we can build up the body of data of a variety of different disinformation campaigns that we’ve seen historically, particularly in new social media domains, then we really have a perch from which to develop robust defenses. Part of this is a hard social science problem, which is in general, as citizens, we need to be more skeptical about information that we see on social media. So the same advice that you’re probably giving to your kids about just treating any information that they see on their social media accounts with some degree of cynicism. We as a general citizenry also need to have that same level of skepticism. That’s a really hard social science problem and we face the same thing in cybersecurity; how do you get individual users to be more skeptical about the emails and links that they’re receiving? How do we get people to be more skeptical about the information streams that they see in social media?
So there’s that social science problem. There’s the technological problem, which is to what extent can we detect when a disinformation campaign is happening? That’s sort of breaking from the normal conduct of discourse and debate within these forums. We’ve done work on this. DARPA has done work on this. We’re seeing how many of the social media companies doing their own research on this. It is a really hard problem, but I think it’s tractable.
Nakashima: Fascinating. Now, I don’t want to let this panel go without Tonya, without you telling us about what I think is perhaps your greatest—your center’s greatest success story, which is attribution of WannaCry. You’ve mentioned NotPetya, which was attributed to Russia. But WannaCry was also another huge cyber event, right? I think it affected more than 300,000 computers in over 150 countries. It sort of jammed up the National Health Service in Britain. Tell us about what your role was—your agency, your center’s role in gaining attribution and why was it such a success?
Ugoretz: Sure, so as you described, WannaCry truly was a massive global ransomware attack.
Nakashima: Last year.
Ugoretz: Last year, yes, in May of last year, in which North Korean cyber actors used malware to essentially brick computers worldwide, hold them for ransom, and used—basically, took advantage of a known vulnerability in order to do that. I mentioned CTIIC’s size and the difference in our role between NCTC’s, and that’s because we’re very much in a support role. Our aim, in addition to integrating information, is kind of bridging the seams across the federal cyber community, the intelligence community, network defenders, incident responders, law enforcement, and helping information move across those various parts of our cyber community. And that’s very much what we did here. I mentioned we’re multi-agency through our work with DHS. In those first days when WannaCry was hitting over a weekend, like most attacks seem to do, we were aware of information that DHS has gleaned through their great partnerships with the private sector. So as the network service providers were working on mitigating the attack, trying to shut it down, they were also learning information about how it had first formed. Think about a medical type of infection, where it’s very important to know how it got started so you know how to stop it.
Well in this case, as private sector companies were learning how WannaCry had spread, they were able to gather data that showed those early infection points. DHS had that by virtue of their private sector relationships and we asked, “Could we share that with the intelligence community? Because we think it could be valuable.” DHS went back to the private sector partner, got their permission, we shared it with the intel community. And it helped give us a sense early on about how the infection had spread. And the intelligence community was able to come to a fairly quick assessment but with low-to-moderate confidence that it was North Korean cyber actors behind the attack.
But then collectively, we just kind of just weren’t satisfied with that. Private sector cybersecurity researchers felt really confident it was North Korea and it’s important to establish high confidence in these types of attributions so that we potentially position our policymakers to consider response options. So we and other colleagues in the Office of the Director of National Intelligence gathered analysts from around the community and said, “Let’s relook at everything we have and let’s see if we can’t make additional progress on this attribution.” And we relooked at that data that came from the private sector and I think realized what we had.
Some of our partners in the interagency were then able to take that, do additional work, and ultimately acquired kind of that last bit of information that helped us say with high confidence that it was North Korea behind that attack. So I point to that as a success story not because CTIIC did the attribution or we—you’ll ever see a piece of paper with our seal on it that tied it all together. The importance was having the relationships and the trust to be able to go to different partners and say, “This part of the community needs this piece of information that another part has.” And also, to be that kind of nudge to the community. There’s so much happening, as you saw just this week, and it’s so easy to move onto the next thing. But we try to be that small, neutral voice in the middle that helps bring folks back to and move forward and make progress on issues like that.
Nakashima: Fantastic. So on that note, unfortunately, I think that’s all the time we have. But in just such a short time, we’ve covered so much ground and you’ve told I think the public here some things that—both of you—that we never knew and that hopefully can help us find better ways to counter—in the whole of country, better ways to counter cyber attacks from foreign adversaries. So let’s give Dr. Tonya Ugoretz and Dr. Jason Matheny a big round of applause and we’ll move onto the next portion of our program.
Coratti: I’d now like to introduce two industry thought leaders in IT and cybersecurity from Hewlett Packard Enterprise, one of the few commercial organizations that has adopted government best practices into their cybersecurity strategy.
Antonio Neri, President and CEO of Hewlett Packard Enterprise, and Liz Joyce, the Chief Information Security Officer of Hewlett Packard Enterprise will be joining us to talk about the tools HPE uses to combat cyberthreats, and how security is central to their mission of supporting their customers globally. I’d now like to welcome to the stage Antonio and Liz. Thank you. [APPLAUSE]
Joyce: Hi, so thanks, Kris. Really happy to be here today, to talk about something that’s very important to us at Hewlett Packard Enterprise—cybersecurity. So, as Kris may have mentioned, I am actually going to talk a little bit about the sort of evolving threat landscape and how that’s changed, and what we do at HPE in order to deal with that and address it. Then I’m going to hand it over to Antonio.
So, I’ve been working in cybersecurity for 20ish years, and really the threats landscape has changed significantly. So, when I started out, cyber events happened maybe at least once a year—at least something that was headline-worthy. The scale of them—we were horrified when it was maybe 10,000 or 100,000 records that were involved in a data breach. And usually, the attackers—the people who were responsible were what we referred to as script kiddies, but that’s completely changed, and you’ve heard part of that in the earlier panel today.
So now we are talking about a scale and a sophistication and a speed of cyberthreat that has completely shifted how we have to think and what we have to do. So, instead of things happening on a yearly basis, we’re now dealing with threats that really are occurring on a daily basis—big headlines. And we’re talking about millions and millions of records in a single data breach. So, as we look at that, we also look at the profile of the adversary that we’re dealing with.
And it’s not script kiddies anymore; as I mentioned earlier, we have now nation states as well as hacktivists, who are doing things for ideological reasons. And additionally, cybercrime is big business. It is a one trillion dollar business globally—that is a lot of motivation and a lot of resource that we have to respond to. And on top of all that, my job used to be a lot easier, where basically we could take our critical assets, drop them in a data center, stick up a firewall and feel good about things.
Whereas today, we’re in a highly-connected mobile hybrid environment, and your data is sitting in a data center, in a cloud, on devices on the edge. And for those devices, we’ve hit a tipping point this year where the number of devices now significantly outnumbers the number of human beings on this planet—it’s about 11 billion to 7 billion, and all of those things have data, and how are we going to protect that data?
So, as we look at it as a company, we really think about things holistically and very pragmatically. And when we do that, we think about the simple things of people, process and technology, but with a very new lens of the threat landscape we’re dealing with. So, when it comes to technology, for instance, we adamantly believe that security has to be built into the very core of what we do. It is about securing your applications with your development lifecycle. It is about building into your firmware and your hardware—what we call the silicon root of trust. And it’s also about how you protect all your data—everything from how you deliver your service, how you interact with your customers and organizations. You have to think about security from that point.
We also look at the speed at which a threat occurs. Weaponization used to take months. Now we’re talking in terms of weeks and days and sometimes hours from point of vulnerability to when something is weaponized. So, as we look at that technology piece, we have to also apply artificial intelligence and machine learning to be able to quickly detect—so that intelligence is incredibly important in order to be able to respond—and speed of automation and how you respond really deals with, allows us to react quickly.
And then on process, as Kris already mentioned, we’ve adopted best practices from all over. We’ve taken from the government the notion of a fusion center, where that really shifts our operation from being something that is reactive, after an event has occurred, or while an event is occurring, to something that is truly intelligence-driven and proactive.
And then the final piece of what we look at is, obviously, people. Cybersecurity skills are really hard to find these days. The latest reports are stating that we are going to have over three million vacancies in cybersecurity by 2020, so if you can’t find the resources as an organization, you really have to invest in developing and supporting those resources. But, to add to that, it isn’t really just a subset of your organization that looks after cybersecurity; everybody is touching the digital world. And so we take it seriously and look at the fact that everyone in our organization, no matter what your job is, no matter what your role is, is trained on cyber.
So, with all of those different components moving, what do we worry about going forward? Well, it’s manipulation of data. So, I don’t know if you’ve heard about, there’s a project that was run out of MIT, and an AI was built, and his name was Norman. And he was affectionately named Norman after Norman Bates in the Alfred Hitchcock movie, Psycho, because Norman is the first psychopath AI. And the premise of the research was that while we often worry about the algorithm, what is the effect of the data that actually trains that algorithm?
So, Norman was image recognition, and instead of being trained on the standard set of images, they trained him on very graphic depictions of death that were taken from the internet. And as a result, when Norman was presented with an ink blot graphic, where other AIs saw a black and white baseball glove, Norman saw basically a man with a machine gun committing murder in broad daylight. That’s a very different outcome.
So, as we think about the world that we live in where we have AI machine learning and it’s part of our financial institutions, industry, our defense systems, we have to look at protecting our algorithms, but we also have to look at the integrity of the data that we trained them on. So, it’s a lot to think about, and a lot of the things that we talk about, and why we take it so seriously.
And so, Antonio, maybe you can share your perspective.
Neri: Sure. Well, good morning. First of all, I want to thank The Washington Post to give us the opportunity to speak to you today, even though we have limited time. Again, I am the President and CEO of Hewlett Packard Enterprise. To Liz’s point, think about even our own company. We are a company of 66,000 employees that operates in 170 countries, that generates an enormous amount of data, and most importantly, an enormous amount of intellectual property. So, how do we protect that intellectual property?
I was just here upstairs hosting a CIO roundtable with many of the government agencies, and I can tell you, 80% of the time in that conversation was dominated by cybersecurity. And so, when we think about cybersecurity, we think about cybersecurity in the context of how we build cyber controls and practices in our technology and in our own processes. And one way to do it, obviously, is by Liz and my team working together with my engineering team, thinking about what are the toughest issues the customers are dealing with?
The reality is that the data is exploding, and 75% of that data actually is not created in the cloud or in the data center; it’s created here. In fact, many of you are holding phones and digitizing this conversation, or you’re doing something. Everything computes in our life. But fundamentally, it’s how we protect that interaction between the user and the data in a way that protects our intellectual property, because data is the new currency.
So, we think about protection in three forms, right? So, one is, obviously protection built in the core. Second is detection. And third is recovery. Because the fact of the matter is, something is going to happen, and the question is how you recover it as fast as possible. So, in the context of our innovation agenda, thinking about this edge-to-cloud architecture, where edge is an extension of the cloud, and at the core of that is this data fabric, how we build cyber controls and practices at the core of the data fabric.
So, an example of that is what we have done with our silicon root of trust at the infrastructural level, so how we build security at the core of that infrastructure. So, every server platform we sell today actually has a silicon root of trust, think about the fingerprint. Every human has one fingerprint that’s unique, and in that case, we put those cyber capabilities inside that platform. Think about the fact that now we have encryption in everything we do, so our storage platform has encryption built in our hard drives, in our flash solutions.
And when you go to the detection side of this, think about this edge where you’re connected wirelessly. Today, now we can actually monitor the behavior. The users on the network to understand what they are doing, and ultimately score the user in a way that we have not been able to do before, not just at the infrastructural level, but at the application level.
And last, but not least, is how we recover. Because in the end, when you see some of the cyberattacks, it takes sometimes weeks and months. A few months ago, we had a cyberattack in one of the enterprise customers that had to rebuild their entire server virtualization for them, and it took them weeks to recover. So, we think about this as a continuum, but the one thing we’re doing, because we have a very large infrastructure ourselves, it’s how we work together between Liz’s organization and my team in the engineering side, to figure out how we actually productize this solution so that we can sell it to you and you can deploy faster.
But ultimately, our core mission, our core purpose as a company, is how we advance the way we live and work, and at the core of that is not only protecting ourselves, but making our contribution, so we can provide sustainable technologies and ultimately a moral code, particularly as we think about embedded technologies like AI, how they are utilized the right way. And this is a very important aspect that obviously is becoming a big debate—you get the case of Norman here, but the reality, we need to think about this in the context of the society and the way we live, but ultimately also, protect the business, and then make that contribution to the society in a way that, honestly, has to be accelerated.
So, unfortunately, we only have a little time, but I’m really proud of the work we are doing. We are here to help you in any way, shape or form. We already have solutions available to the market. Please engage us with your toughest problem. We would love to help you.
So with that, I would like to now pass it back to The Washington Post, because our time is up. All right? Thank you very much.
Is the United States on the Right Track on Cybersecurity?
Leonnig: Good morning, everybody. I’m Carol Leonnig, and I’m a national investigative reporter at The Washington Post, and I’m really pleased to be here today with Mike Rogers and Chris Painter. This week President Trump, lawmakers and the national security community have been discussing Russia’s meddling in the 2016 election, and I’m really delighted to welcome these leaders in their field to talk about it. I also want to say, in a free-wheeling way, that I don’t think we could have timed this event better, based on the Monday through Friday that we’ve just experienced.
Mike Rogers was the Republican Chairman of the House Intelligence Committee until 2015, and earlier in his career was an FBI agent. He’s now a national security commentator on CNN and the host of a popular show, “Declassified,” which explores the stories of American spies.
Chris Painter, also with us, was the former Coordinator for Cyber Issues at the State Department, where he was the nation’s top cyber diplomat, serving under both President Trump and President Obama. Before joining the State Department, Chris served in the Obama White House as the Senior Director for Cyber Policy and the acting Cyber Coordinator of the National Security Council.
Thank you both for being here. I’d like to remind our audience in the room that online you can tweet your questions to us and I’ll try to ask some of them at the end, and please use the hashtag #202live. I will try to get to them later if I can.
So, again, I can’t imagine a better week to have both of you here, talking at The Washington Post about our cybersecurity as a nation, and our position on the world stage. I want to start by asking you guys a big, open question. What did you think about the president’s comments standing next to Vladimir Putin on Monday? Mike, let’s start with you.
Rogers: Boy, look at the time. [LAUGHTER] Obviously, to me it was very, very concerning for a couple of reasons. A, the set-up to Helsinki, I think, candidly was a disaster. So, you had the President of the United States really crossing Europe, insulting many of our allies, and a little bit rude. My mother used to say rude is a very poor imitation of a strength. And, when you do that you are setting the table for exactly Vladimir Putin has been telling and doing information operations into Europe, right? That the democracies are bad, that the NATO is causing friction, NATO might not want to be the—you stop pushing NATO into the border areas and certainly the former republics of Russia—all of those things are messages that the Putin regime has been promoting. That fell into that trap.
And then when you get to Helsinki, there’s two things that really bothered me. One, saying to the president, I can’t—I don’t want any leaks, so I’m going to do this on my own. I guarantee that Vladimir Putin was prepared for that meeting and understood exactly what he was going to get out of it. I don’t think the president was exactly prepared for the meeting and didn’t know what he wanted to get out of it. Advantage again, Vladimir Putin. Pitting—going against the very services that are trying to ask Russians who are in the intelligence services and defense and science, hey, we need you to work with us to make Russia a better place. Would you cooperate and provide information? That’s what spies do. And to have that message at that time, where the President of the United States is questioning our intelligence services and Vladimir Putin is definitely questioning U.S. intelligence services, I thought was just a recipe for disaster.
And I’ll tell you the last piece of this. It plays right into the information operations that he has been conducting and continued. The very next day, or maybe it was two days, he had an open press conference—he being Putin—with his Russian ambassadors, talking about how successful the Helsinki summit was, and that there are intelligence services and other actors in America working against the president, and relations with Russia.
At the same time, he also showed a new advanced military order in technology. This was all part of a scripted information operation campaign. And then now, because he was the only one in the room, gets to leak out what he wants to happen in that meeting. And what he leaked out just today was that they wanted a referendum in Ukraine. Advantage again, Putin. There was no one in the room to say, no that didn’t get discussed, or it was raised, but not finished. All of that, advantage Putin. That’s what I worry about.
I just worry that they’re not—the president himself does not take seriously the ability and capability of Russian intelligence services to mount very successful information operations, one of which was targeting U.S. campaigning.
Leonnig: And maybe that’s the title of our session: Advantage, Putin.
Chris, I know how concerned you are about this.
Painter: Yeah, absolutely, I agree with what Mike said. I’d go—in the cyber lane, I’d say that there were a couple of things that summit unfortunately showed. One was undercutting our position, in terms of both the Russian hacks on our election, but also in providing any kind of cost or deterrence of Russia’s behavior in the future; and two, a lack of preparation. And let me hit both of those quickly.
One, you know, one of the things that no one’s really done a good job of so far is really imposing costs on bad state actors for the activities, and when I say costs, I mean credible and timely costs that will both punish them for what they’re doing, but also dissuade them from doing this in the future. That’s kind of part of classic deterrence. Now, there are a lot of great people you will talk to today who are trying to protect our systems; that’s another part of deterrence. But, imposing those costs means that bad actors think twice about it, and we haven’t—we’ve done some sanctions, we’ve done some other things to Putin, but we really haven’t done something that really hits him in a way that makes him change his mind.
And, interestingly, in this administration, we have had some good things that have happened. We’ve had, for instance, the National Security Council call out Russia specifically, attribute Russia for the NotPetya big worm attack that really caused a lot of damage around the world. We’ve had some other sanctions levied on Russia. But all of those things are substantially undercut if you don’t have consistent, high-level, and strong messaging from the top, from the president. And what we saw during that summit was exactly the opposite, calling into question the intelligence community; calling into question whether Putin did it. If I’m Putin—put yourself, any of you who want to—put yourself in Putin’s shoes looking at this. Is that going to dissuade you from doing this in the future, or is that imposing any kind of cost of any kind on you, or is that an encouragement to do it again? I’d argue it’s the latter.
Now, lack of preparation is the other issue that I wanted to raise briefly, and we can revisit some of these things later, too. You remember, one of the things that struck me at the summit was not just the would not comment. One of the best internet memes of that I’ve seen is Darth Vader saying, “Oh, I meant to say, I’m not your father,” [LAUGHTER] so, you know it wasn’t only that, it was also the president saying President Putin has made an incredible offer. He’s made an incredible offer to use our—what’s called mutual legal assistance system—to allow the FBI to go interview the 12 folks, 12 people who were indicted, Russian intelligence officers, and it’s a quid pro quo, you know. We get to go and talk to Bill Browder, who has been a long-term Putin foe, and also, my former colleague, Ambassador McFaul, which would be unprecedented for a lot of reasons.
Anyone who was prepared for that, who talked to their Justice Department, who had talked to their National Security Council, would know to reject that out of hand. I was a prosecutor for many years; Mike was an FBI agent—the number of joint cases I did with the defendants was none. You don’t do that. It just doesn’t make sense to do that. And when it’s a case where you’re prosecuting Russian intelligence, the only thing that’s going to happen is you’ll have a stage show, even if something maybe like this happened, on one side, when they’re being interviewed—which would never really happen—and it’s a way for the Russians to get more information on sources and methods and investigation to figure out how Mueller is able to put together this very detailed indictment.
So, you have that, but then you couple it with you’re throwing an ambassador under the bus and doing other things that no one would really think of, and it took three days to walk that back. That, I think, could have been handled if he’d really had some preparation.
Leonnig: I’m going to ask you guys if—those were great reactions—I wonder about two things. This is going to sound simplistic, but when we go to bed tonight, are we less safe as a country because of what the president said and the message he telegraphed to Putin? Because of what you just described, Chris, there is very little deterrent when the top guy is not communicating the same message. Are we less safe?
Painter: I would say yes. So, you’ve had Dan Coats say consistently—and not just Dan Coats, but every DNI has said Russia is the most sophisticated and one of the biggest cyber actors, not just against our elections, but really across the board. So, if you’re taking away one of the tools to try to deter them by basically undercutting any message, I think that makes us less safe.
Rogers: I don’t think it’s the end of the world; I don’t think we should run around with our hair on fire but it’s very concerning to me just the direction that the president is taking on this. When you really look at the cyber arena, very concerned. We know that the Russians have continued to use cyber influence operations around the world, including the United States. There’s a great website of which I help with—it’s called Hamilton 68—where they track these bot operations from Russia trying to influence whatever topic of the day, and the volume hasn’t gotten smaller; it’s gotten bigger.
And when you add AI—artificial intelligence—on top of these bot operations and networks, it means they can get information to the place faster than you can find and disrupt it. And so, they’re getting better at it and they’re being more aggressive about it. This is the part that I worry about. And I think the president conflates the fact that the Russians are trying to use these influence operations, and they don’t care—you know, candidly, they were trying to bruise up Hillary Clinton in the beginning, as well. And why? Their polling wasn’t any better than America’s polling—they thought Hillary Clinton was going to be President of the United States, and so they went after her with a vigor, and they were causing—their theory was, let’s bruise the American president, whoever that is comes out of the American presidency, so that it gives a leverage and it gives us an opportunity to message around the world. That’s where they were going.
We all should be concerned about that. The fact that president conflates his legitimacy of his presidency—I think, Mike Rogers thinks—with anything related to this topic is causing problems in unleashing the entirety of the U.S. government to help us push back on this problem. That’s the part where I get concerned.
The other piece, the national security institutions are not, I don’t believe, will let the president go too far in some of this. I wish he would be better prepared; I don’t think he should do another summit here. You don’t want to roll out the carpet for a guy that’s murdering dissidents, murdering reporters as we speak, occupies 20% of our ally, the country of Georgia, annexed Crimea—I mean, the list is huge and long. You don’t give him a reward by parading him with a state dinner in Washington, D.C. That sends the wrong message.
Leonnig: And Mike and Chris, you’ve both talked about the community and the systems and how those could be damaged, but ultimately those are made up of people. What is the message that the president is sending to, what many Americans consider our patriots, intelligence agents, FBI agents, operatives, even double agents for Russia that are working for us? What’s the message to them? Last night, three FBI agents resigned. Are more resignations and, I guess, abdications coming?
Painter: Look, I hope not. I think it does send a dispiriting message to them. I mean, these are people who are professionals who work day in and day out. Both of us have worked closely with FBI agents, with intelligence community folks, with prosecutors. I’m glad that a lot of people in my former office in the State Department are still there and still in their posts. I think that’s really important. But it’s hard to do that when your value is constantly questioned, and I think that does send the wrong message.
Now, the other thing I worry about is structurally. So, getting rid of, for instance, the Cyber Coordinator at the White House—I think that’s a problem. I think one of the issues we have in this space is to mainstream this issue so that senior policy-makers don’t think of it as this boutique cyber issue, but a real national security issue, and without that person there who could also herd the cats throughout the interagency, and make sure that there are good initiatives across the board to deal with, for instance, election interference—that’s a problem.
And then the last thing I’d say is what we still haven’t heard, and this is remarkable to me, is we still don’t even have a declaratory policy in this area. We don’t have—the president hasn’t come out and said, if this happens again there will be consequences. And that’s a base. That’s a foundation. That’s not enough, certainly, but that’s the foundation for a lot of other things. And I think a lot of the people in the government are waiting for that leadership, and if they don’t see it—again, I think it has an impact on them. I hope they stay; I think a lot of them are doing great work. I think a lot of people in this administration are doing great work, and that needs to continue.
Leonnig: But, not to get too personal, isn’t that why you left the Trump administration?
Painter: Well, it was time to leave. I’d been in government for 27 years in various capacities, as a prosecutor and others, and I had decided at some point I would leave anyway, and part of the reason was my office at the State Department was essentially disappeared, which was a problem, and that made little sense, given all the threats we were facing. And I know they’re reconsidering that now, which is great, and I think they should. There’s been some Congressional action on that, too. But I think there was a feeling this wasn’t made the priority it needs to be, and that has to come from the top. It’s great that everyone who does this makes it a priority, but if you don’t have that leadership in the White House, that coordinator, the President saying—he doesn’t have to say it every day, or the Secretary of State doesn’t have to say it every day, or the Secretary of Defense—but they have to say it consistently, this is a priority.
Leonnig: That it matters.
Leonnig: I’m going to ask you about the FBI agents, your peers, but I also want to ask you about your peers in the House, and their effort to try to impeach Rod Rosenstein. The Mueller investigation started off by looking at the crime of the interference. It’s looking a little bit more at, was the president trying to thwart that probe, and was anybody trying to hide something else about the fruits of the crime that they may have benefited from?
Tell me a little bit about your FBI agent friends, what they’re saying, but also your House Republican friends.
Rogers: I do think there’s—here’s the good news about the FBI: when you sign up for the FBI and you take that oath of office and you get those credentials, it is a proud moment in anyone’s life to be able to have that ability and responsibility charged to you on behalf of the American public. Most people see that first, I will tell you that. And so, it’s dispiriting when you’re doing your work, and you might be doing an organized case, or a child pornography case, or a white-collar case, or working counter-terrorism or counter-intelligence cases. It’s dispiriting when the general conversation is, boy, the people of that organization are corrupt; they’re politically biased; they’re fill in the blank.
That is—I mean, every agent has a political opinion—or most do—and they understand the importance of checking that at the door. Because you’re talking about taking away somebody’s freedom, put them in jail—very, very, very—it has huge consequences. So, yes, they are. I have talked to many of them. I’ve actually talked to small groups of them who are just looking for, hey, we’re going to continue to do what we have to do, but really?
And so, I worry about that, and I worry about this notion that they can’t separate the two. Could there have been an individual problem? Absolutely. Does that mean the FBI’s culture is now corrupt? I think I would passionately argue that is not the case, and they should start to be careful. You need these agents out on the street with credibility when they open up those credentials that it means the full force of effect of support of the American people and their elected leaders to do their job. They need to get that straightened out in a hurry; and I don’t care how mad they are—they need to understand that this is bigger than the next election, the next quarter, tomorrow, the next news cycle. This will have long-lasting effects that they have to appreciate, and beginning to right that picture.
As far as the FBI, we’ve had this problem in the FBI for 10 years now, that people walk through their careers; they get to a certain point; they get these leadership in cyber—you know where I’m going with this—
Painter: Oh yeah, I do.
Rogers: And somebody knocks on their door and says, “You know what? We’ll triple your salary if you come work for us.” And if you’ve been slogging away as a public servant for your career, and you’re married and you have kids and they’re getting in college, and somebody walks in and says, “Hey, thanks for your service in the bureau. Come on over,” I can’t say, I don’t think the resignations that you saw, and it didn’t all happen in sequence—the short period of time—it has been about a month, I think over a period of time. All of them are going to well-paying cybersecurity jobs in the private sector. Why? They can’t get enough people. They’re dying to have that extra expertise, and the pressure on these people is immense.
By the way, we had the same problem—for a while when I was chairman I used to have to go to New York, it seems like about once every month, to say stop stealing our people in the agency, the CIA—please stop it. You know, it’s just hard. You want them to make their own choices; the government spends a lot of money training them; they are highly-skilled, highly sought-after people in the private sector, and it’s hard. That part’s just hard.
So, I just don’t believe that the FBI piece was related to anything Trump-related; I think it was all personal economics that led them to make these decisions.
Painter: I would agree, but I would say that people don’t go to work for the government for money. They go because of sense of mission, because they really want to do something that’s going to help everyone.
Rogers: For the first 20 years.
Painter: For the first 20 years. [LAUGHTER] But still, even within that, I think that people pride in their work, and if there is a constant assault it does have an effect, especially when you have these other money options out there.
Leonnig: So, back to Rod Rosenstein. Everyone’s wondering what’s going to happen with the Mueller investigation, and it’s moving rather rapidly with including the recent indictment of the central crime, the 12 GRU intelligence officers accused with some pretty intense behind the scenes details about how they hacked into Democratic servers. Some House Republicans have been talking about impeaching Rosenstein, and being pretty clear that they don’t trust him to oversee the Mueller investigation, and pretty clear that their goal is to end the Mueller investigation.
What do you hear from them, Mike, and both of you, what do you think about that? Do you agree with this effort?
Rogers: I passionately disagree with the effort. I don’t think it’s going to happen. I think cooler heads will prevail along the way. And listen, let’s take a step back. If you look at the body that’s being presented of information, you had agents who said they were going to do something about it in their personal texts and things—the optics of this are bad, right? And the FBI needs to work to correct this as rapidly as they can. That should not be allowed to permeate anywhere around an investigation. And I give Mueller credit. Once he saw those—and by the way, that wasn’t the purpose that these folks were referred to an investigation; they were conducting themselves in a way that wasn’t consistent with FBI rules and regulations—that’s why they got referred. They looked at the emails—or the texts, excuse me, and he said, oh, that’s a problem. He did something. He removed them from the investigation. It’s pretty hard for me as an old FBI guy to say that wasn’t the right series of events for all of it to happen.
Now, the problem is, all that information is now being said that that influenced the entirety of the investigation. I just don’t think they’ve made their case yet. If they believe that, and then there’s more there, bring it on. I mean, I’m certainly willing to listen. I don’t think they’ve made their case on that.
I think, again, these are the same group of members who wanted to stop this from the very beginning; they want to stop it today. They passionately believe it’s political. I don’t think that there’s malintent, that they’re only doing this for political reasons. I think they passionately believe that there was some ill intent by the bureau and by both the attorneys and the FBI agents to do something against the President of the United States. And by the way—and this is why I caution it—one of the statements to Putin, by the way, to his Russian ambassadors following the Helsinki summit was that there are forces within the government of the United States trying to work against the White House.
That is a dream come true if you are a Russian intelligence officer trying to recruit somebody around the world, or stopping a Russian intelligence officer from actually cooperating with the CIA or FBI somewhere. That’s why they need to be really careful about how they move forward on this.
Leonnig: You guys, you talked a little bit about how the president, in your view, can’t separate the interference of the Russian intelligence officers with his legitimacy as a president. Everybody agrees Russia interfered; everyone in the intelligence agency believes, and now Putin admitted yesterday that he wanted Hillary Clinton to win. The last piece is, did it affect the election? Do you guys think it affected the election?
Painter: I think it’s impossible to tell. Did it affect the election? Absolutely. No one—it affected it in some way. Did it have a dispositive effect? I don’t think we know, but you don’t spend money on advertising campaigns if you’re not trying to affect an outcome. So, people spend in campaigns, as you know, lots and lots of money to try to affect an outcome. Did it have a suppression of the vote component? Did it change other people? We don’t know, and so I think it’s unfair to say it had no effect; we know it had no effect. We don’t know.
But we don’t have to even cross that question to say this is impermissible, that this attempt to do this is impermissible. And I think that’s really important. And just, on your last question, look, I think it would be a ridiculous mistake to go after Rod Rosenstein. The other thing is, I worked for and I worked with Bob Mueller over the years, and he is everything that people say he is. He really is the epitome of impartiality, of thoroughness—I think he’s demonstrated that.
We should let this investigation run its course; it should run its course, and I think it will really help us get through all of this. I think that’s an important part of this.
Rogers: And to stop acting guilty. He feeds into the narrative. That’s what drives me—
Painter: And I also think this confusion between the—
Leonnig: Stop acting guilty is an advantage. Okay—
Painter: This confusion with the legitimacy versus person—I think part of the problem is, if you mentioned cyber to Trump right now, I think he’ll immediately code it as Russia and not want to hear about it. So, it actually affects not just the election issue, but really cyber security at large as a priority.
Rogers: And one thing we should worry about. I don’t think it influenced the election; I think the numbers were baked in on people who believed Hillary was crooked. That was baked into the election before they got there. I do think it had an impact, and the one impact that we should be very concerned about is, they very aggressively tried to pit groups of Americans against other groups of Americans.
They pitted black activist groups against white supremacist groups and tried to get them to show up at the same place—I mean, this gets my blood boiling. They tried to pit Christian groups against Muslim groups. And they tried to do this across the country, and they tried to do it in small and subtle ways. And what they were looking for is the added-influence operation effect of being able to take that image or those conversations and then broadcast them louder and to a more broad audience. And it wasn’t just to the United States; it was around the world. They want the world to believe that the United States doesn’t like each other so much, they’re stopping to function as a democracy. That’s their message. That’s what they want.
Painter: And you know what that leads into? And I was speaking in Australia at Sydney University, and a Chinese student said, “Isn’t this experiment you’ve had, given all the messiness and all of the division—isn’t this experiment you’ve had with democracy—aren’t you ready to move onto a more stable system like we have?” Obviously, I said no, but that is being used by some of our adversaries who have very different systems, to go around the world to countries who’re on the fence and say, “Why do you want that? Don’t you want what we have?” And that’s really damaging.
Leonnig: What is your biggest fear right now, guys? Is it about what’s next? Is it Putin meeting with the president again in September? Is it a new attack from the GRU, or another division of the Federation? What’s your biggest fear about what could happen next? Many people saw this week as a very dramatic inflection point for this presidency, attacking our own country on foreign soil. What do you worry about next?
Rogers: I have said this often, and I think it’s even worse now. America is in a cyber war; most Americans don’t know it. And I am not convinced we’re winning. And if we don’t have ahold of the government—even the Obama administration had some difficulties putting their arms around it. If you remember the whole Snowden affair slowed everything down, where they did a very successful job. Well, by the way, he’s living—oh, in Moscow, that’s right. They did a great job of slowing down any progress of getting the whole of government to come together—and I mean all of it—to try to push back on what is a growing threat.
I mean, the Russians—they just did a report, DOD—that the Russians were in our electric grid. They’re not there just to see how it works; they’re there to figure out how if they needed to and wanted to could shut off our lights. And they have become much more aggressive. So, you have information operations, which is different from cyber-destructive attacks, and theft of intellectual property.
So, we have China is on the increase; Russia’s on the increase. We are debating amongst ourselves on some very small things and a very big threat picture. That’s what worries me most about what I see.
Painter: And I agree. I think that the election interference is one big thing that, frankly, the cyber community, which I was part of—we didn’t really see this coming. We were—it’s a cyber-enabled influence operation, it’s a hybrid threat. We need to do a better job of getting different communities together to fight things like this. But the things that were on our radar, we’re still concerned about. We’re worried about the infrastructure attacks. The DHS/FBI bulletin that went out about prepositioning of malware on the electrical grid—that’s a huge potential issue.
Exposure because of the internet of things or 5G. There are so many different things where we know dedicated nation states and other organized groups are trying to target us, and if we’re not sending the message, if we’re not actually trying to deter them, that’s an issue. And they’ll come back and they’ll do it stronger, and they might not do it during peacetime, but if we have a conflict, they’re going to take our systems down, and that’s a problem.
And one thing that worries me even more than all of that is the integrity of information. So, it’s one thing if there’s a denial of service attack and I can’t get to my website for a couple of hours. It’s another thing, as my friend the former President of Estonia, Toomas Ilves, has said, if somebody breaks into my hospital, changes my blood type, and the next time I get a transfusion, I die.
Or, they affect the financial data in the stock market so you can’t close. Or you affect military systems. So, there’s a range of different threats. I don’t like using these terms that people use of cyber-911 and things like that, because I think that when you don’t see that people just lose interest again. I think we need to look at all these threats and we need to take them for what they are, and I think we need to be very strong about going after them, and that requires leadership and it requires organization.
Leonnig: And if the leader, as you both have summarized, is not signaling any interest or devotion to the topic, are we prepared for all of the scary things you just described, Chris and Mike, our lights being shut off without our knowledge, our water being infected, our blood types being changed, our stock market being crashed? Are there people in the trenches stopping this from happening?
Painter: There are people in the trenches doing some good work—you’re talking to Chris Krebs later—I think that’s someone in DHS that’s been doing a lot of work, including with election systems. There are people in the intelligence community doing good work. There’s people in Justice and at the State Department doing good work. But it has to be unified. It has to be this all of government approach, and it has to be not a boutique issue, but a priority. And it also has to be a global effort.
We made a lot of effort in reaching out to other countries and building alliances on this; that has to continue. It can’t just be the U.S. versus the world. When we’re responding to these threats we need our close allies; we need to recruit other allies.
Rogers: We are not prepared for—we are barely keeping. If you talk to CISOs who are in financial institutions, you know, they shake a lot and they sweat and they don’t sleep much, because they are overwhelmed at the sheer level. So you used to have criminals only trying to get in—now you have nation states trying to get in, which makes their job incredibly difficult. And we’re all going to pay a price for that.
Without a concerted effort this is only going to get worse. And we know who the four bad actors in cyberspace are, from a nation state perspective: North Korea, Iran, Russia and China. And we really need to have a whole of government approach to this. I talked to a lot of people across the U.S. government today. We are not prepared in the way we should be prepared, in the way we have capabilities to be prepared. But without this group effort in understanding what the threats are, I’d argue—
Painter: And actions speak louder than words, but there’s some good language in the national security strategy about timely and effective consequences for bad actors, but unless we do that, it doesn’t matter what’s written on all those pages.
Rogers: And even the DOJ announcement, just quickly—I’m sorry—
Leonnig: I’m sorry, we’re running out of time, but these guys are so great.
Rogers: You’ve got me on this—announcing that they’re going to go tell people that they’re under attack. Clean up on aisle nine, right? By the way, you’re getting ravaged, and I just wanted to show up and tell you you’re getting ravaged. There’s not a lot that we can do. I mean, that is the wrong time to be there. That’s why this is so important to get ahead of this problem.
Leonnig: A lot of cleanups on aisle eight, nine, and seventeen.
I can’t thank you both enough. Chris and Mike, thank you. Really scary and super-helpful and educational. Thank you. I hope you all enjoyed it.
Protecting the Homeland: The Known and Unknown
Hawkins: Good morning. I’m Derek Hawkins. I’m a cybersecurity reporter at The Washington Post, and I am the author of The Cybersecurity 202 newsletter. I’m pleased to introduce my guest, Christopher Krebs. He is the Under Secretary of the National Protections and Programs Directorate at the U.S. Department of Homeland Security. He is a Trump appointee. He was officially confirmed in that role in June after having previously served as Assistant Secretary for Infrastructure Protection. Before joining DHS he was director for cybersecurity policy on Microsoft’s U.S. government affairs team where he led the company’s work on cybersecurity and technology issues.
His agency has the immense responsibility of protecting the nation’s critical infrastructure from cyber threats, whether that’s power plants, healthcare, waste-water treatment plants. And, of course, he is leading some very important work to help make our elections safe. So thank you for being here, Under Secretary. I’m wondering after Trump’s meeting in Helsinki with Putin this week the president said he is protecting elections and standing up to Russia’s malign influence. Do you agree with that?
Krebs: I absolutely do. Look, he was pretty clear on Tuesday. The intelligence community assessment puts the blame for 2016 election meddling squarely on Russia. And the president is fully behind that. And I have in my organization the responsibility for supporting state and local election officials on protecting their systems. I’m fully empowered, have all the resources I need to do that. And we are working very closely with state and local officials. At this point through The Election Infrastructure Information and Analysis Center we’re working with all 50 states. We’re providing a range of technical services, from vulnerability assessments to remote-scanning capabilities, to a number of states. We provide information intelligence. But we also provide training through a number of the training platforms that DHS has. But also we’re doing exercises in incident-response planning.
Hawkins: And how much of that direction is coming from the White House though? Is Trump telling you to do this?
Krebs: Well, I think we need to be clear that I don’t talk to President Trump. I’m an Under Secretary, right?
Krebs: But Secretary Nielsen engages the president and the national security advisor and her peers across the interagency on a regular basis on election-security issues.
Hawkins: But is there an overarching strategy from the White House that coordinates some of the different agencies’ responsibilities, how we respond to election-security threats?
Krebs: So we have clear direction. Right? But at the operational, technical, agency level I work very closely with the FBI, with the intelligence community, with the State Department on a range of election-security and countering foreign information operations activities. Could we do a better job of coordination? Absolutely, but we’ve got to—
Hawkins: What do you need to do better?
Krebs: Well, so the last panel put it out very, very well, that this is in a sense kind of a new front in the online battle space. Information operations is, frankly, not something that we’ve had to deal with over the last eight years. And the Department of Homeland Security, when you think about when we were established in 2003 after the 9/11 attacks, we were a counterterrorism and antiterrorism organization. Look at the way the risk landscape has evolved since 2001 to today. We have very clear nation-state adversaries that we’re going toe-to-toe with, hand-to-hand combat on a day-in-day-out basis. And the organizations from a legal-structure perspective it’s more of a lagging indicator.
I mean, look. Derek, we’ve talked about this, and you’ve written about it. I have a piece of legislation up on the Hill working with Chairman McCaul and Chairman Johnson just to change my name as an organization from NPPD, which I’ll give five bucks to anybody in the audience that knows what that means, to the Cybersecurity and Infrastructure Security Agency.
Hawkins: That legislation has been languishing for quite a while. Who is against it?
Krebs: You know, I don’t know anybody that’s against it. I just think—
Hawkins: What’s the hang-up then?
Krebs: You know, I don’t know. I don’t know. I think maybe what we need to do a better job of, from the department but also industry, is communicate why this is so important, why we need to do this. It’s going to help me recruit. It’s going to help me cement my position across the federal family. But also it’s going to make things easier for me. When I go out into the field and provide technical assistance and incident response services to the critical-infrastructure community across the private sector and across the state and local market, of who it is, who I am, and what I do. And honestly that’s part of the reason that we had some initial challenges—one of the reasons that we had some initial challenges engaging the election community last time around, because it was some random—you know, NPPD; it sounds like a Soviet-era intelligence agency. You know, it doesn’t tell anybody what we do.
Hawkins: Mm-hmm. What other challenges are you facing when you go out and talk to the states about election security, when you advise them on how to improve their election systems? What do you need to do better—[OVERLAPPING]
Krebs: So this is a really interesting area because what I’ve seen over the last year—and I’ve been involved in the Department of Homeland Security’s critical infrastructure protection activities since their inception back in the 2000s. I have never seen a level of engagement so rapidly and so deeply across any infrastructure sector like I have with elections. So in the last less than a year we’ve established a number of coordinating mechanisms, an ISAC which is an information sharing and analysis center—and I’ll try to keep this at an acronym-free zone—an information sharing mechanism that has close to 1,000 members in five months. That’s unheard of across the critical infrastructure community.
Now, when we talk about challenges there are still concerns about federal government intervention with elections. They are, by the Constitution and by statute, administered and the responsibility of state and local governments. That is still the challenge that we’re facing. Now, it is a matter of trust. So we have got to build strong partnerships, and we have to establish trust with those folks. Trust takes time. It takes constant engagement. It takes personal outreach. I’ve been over the last six months on a, frankly, kind of a road show across the country for primary day. I’ve showed up, talked to secretary of states, talked to election directors, asked them, “What do you need? How am I doing? How can I help you better?”
Hawkins: What are you hearing from secretaries of state about what they need? What do they need most?
Krebs: So I think what they need—well, money. Everybody needs money. I need money. They need money. These systems are expensive to replace. And state budgets are generally not constructed for widespread IT, capital investments on a snap basis. Now, these aren’t snap necessarily, but if you’re telling me that you need to replace $80-million worth of equipment right now, that’s a hard sell at the state level.
Hawkins: Congress has sent some money to the states to do just this, $380 million back in March. Last I checked, all the states have requested that money. Most states are spending against that right now.
Hawkins: But you talk to secretaries of state and they almost universally say, “This is just a start. This isn’t enough.”
Krebs: Yeah, down payment.
Hawkins: “We need money on an ongoing basis.” Congress just signaled this week that it’s not ready to send more money to the states. Just yesterday it voted down what would have been another $380 million to do that, to replace these voting machines, to patch these vulnerabilities, to hire IT staff. How is that affecting their preparedness not just in 2018 but 2019 and 2020?
Krebs: So there are a couple of things in there in that question. So first is the $380 million that went out to the states in the FY18 omnibus, $380 million that was distributed based on 2010 Census-based registered voters. So in some cases you’ve got states that get $13 million. In other states you may get $3 million. That’s a lot, to be clear, but it’s not enough if you’re talking about a state that has to replace all of their DREs, which is the—
Hawkins: New Jersey, Georgia—[OVERLAPPING]
Krebs: Yeah. And, you know, in some cases we’re talking about $80 million to—
Hawkins: DREs, by the way, are the electronic touchscreen voting machines that are hack-prone, basically, right?
Krebs: Yeah, well, they have certain vulnerabilities. Now, those can be—there are compensating controls, but, yeah, you want to—we’re kind of digressing here, but you want a voter-verifiable paper trail for any voting system. And you want to do post-election audits. Those are the things we recommend, but both of those if you don’t have them cost money. So where is it coming from?
So here is my sense of what’s going on right now. States need money. Yes, they need money to replace these systems. They need money to institute post-election audits. Where is that money going to come from? It is the responsibility of the states to administer elections. It is the responsibility of the Department of Homeland Security and the federal government to provide for the national security and national defense of this country. There is a discussion that needs to happen between those two things. What I think we need to do in the very-near future is rather than just say, “We need money; give us money,” it’s, “We need X amount of money to address X threat and buy down X amount of risk.” We have to be much more precise, much more—
Hawkins: States have to be much more precise?
Krebs: I think so. I think if a state needs money, they need to say what they need it for and how much they need. And that’s going to help inform and drive the conversation on the Hill. Otherwise just a general statement of, “I need a billion dollars,” well, “For what?” So we work closely with states to help them understand what the risk—and they know what the risk is. These secretaries of state, election directors, they are natural risk managers. Even before the Russians came knocking they were dealing on a daily basis or on Election Day with power outages, tornadoes, hurricanes in the Southeast. Civil unrest happens on primary days. So they manage risk; they work through contingency plans. This is just another significant risk profile for them.
Hawkins: There’s another risk I want to talk about. And this is something I hear from secretaries of state, from election officials. I’ve also heard it from your colleagues at DHS. And this is the idea that voter confidence is a risk that’s really hard to mitigate. And I’ve heard this described as the biggest election-security challenge that we face. When the president contradicts himself on the Russia threat, how does that affect voter confidence?
Krebs: Well, look. I think the bigger issue here is just, as you said, it’s voter confidence in general, that we have the Russians trying to undermine our democracy. The intelligence community assessment is very clear. Again, the president has supported the ICA and endorses the results or the findings.
Hawkins: Well, he’s gone back and forth on that.
Krebs: Yeah, but look. I take the president at his word. When he says on Tuesday that he endorses the ICA, that’s what I work with. But there’s the headlines here—
Hawkins: Is that what you tell the people that you’re advising out in the states when the president says these things? I mean, what do you tell them?
Krebs: Here is what I tell the states: “We know we have a risk; we know there’s a threat; let’s work together to close out that risk.” The headline is here. The operational space is here. I live in the operational space. That’s where I have to get my job done, not in the headlines, in the operational space. So when I go out and I meet with secretaries of state, again, I ask, “What do you need? What are you concerned about?” Yeah, there are a lot of situations where folks are—there’s public confidence, and that is in part driven by the fact that we continue to have in the headline space, “The Russians are hacking the election.” We’ve also really got to be clear on what the Russians had access to from a technical, cybersecurity perspective in the ’16 elections. There’s the administration of elections, which is voter registration and all the kind of frontend stuff that’s not at all connected to the other half of the equation, which is vote—
Hawkins: What do you mean by frontend stuff, just to be clear?
Krebs: So it’s voter registration; it’s development ballots.
Hawkins: Voter registration systems?
Krebs: Yeah. But it’s not the tabulation, counting of votes, and reporting of votes. Separate. Generally speaking, best practice over in the voter-tabulation and counting space, they’re not connected to the internet or otherwise significant compensating controls around those systems.
Hawkins: You know, something I wanted to ask about, these state voter registration systems being a target. So Special Counsel Mueller’s most recent indictments kind of spelled out some new details about how carefully crafted these attacks were and these probing where we knew for example that hackers breached a state voter-registration database. We didn’t know that they stole—until last week—that they stole information on 500,000 voters. Did it scare you to read that?
Krebs: So let me kind of unpack that a little bit. We knew that they had exfiltrated, stolen, voter registration information out of that state voter-registration system. We did not necessarily know—I didn’t necessarily know—that it was 500,000. We thought it was in the 100,000 or so at the time a year or so ago when the intelligence community assessment was reported. That 500,000 number is due to additional investigation as a part of the Mueller investigation, which is firewalled from the rest of DOJ, the rest of FBI, DHS, and the intelligence community. So I found it interesting, sure. Is there additional undermining of voter confidence possible there? Yeah, maybe. But let’s, you know, going back to—
Hawkins: Well, how do you counter that?
Krebs: Education and awareness. Here’s the thing. We are out there on a daily basis working with state and local folks, and in part we provide risk and vulnerability assessments. Through those vulnerability assessments we get in their systems, we try to look for vulnerabilities throughout, and we’re generally finding three common trends across those systems. First is they run outdated operating systems; they’re not on the most modern systems. The most modern systems are just by their default nature generally the most secure. Second is they have some patch-management and vulnerability-management challenges. So when the operating system or whatever pushes a patch it takes a lot longer or in some cases they don’t actually patch that software. And the third thing is just a misconfiguration error.
So the voter registration database that was accessed by the Russians in ’16, there were some misconfiguration errors. So we share that information not just with the folks that we’ve done vulnerability assessments for but more broadly across the country. So, again, back to that voter registration and the awareness piece. Worst case scenario, the Russians get in there—and just like Chris Painter said about integrity of data but also the availability of data—if they had gotten in there and deleted files, corrupted files, doing something like that, the way the system by law is—not just the technical system but the broader election system is constructed is that if you, anyone in this room or watching online, show up to vote and something is wrong with your registration, either you’re not in the system or—they’re, “Sorry, you’re clearly not a woman and yet this says you are,” you have the right, by law, to request a provisional ballot.
So even though you’re not in the system you can request a provisional ballot, and your vote will be counted. Every state is a little bit different in how they administer provisional ballots. But nonetheless you have the constitutional right and the ability to vote. It takes a little bit of time. It can be disruptive on election day, and it can cause a little bit of concern. But this happens already without Russians getting involved. LA County a couple of weeks ago—
Hawkins: Maryland a couple of weeks ago as well.
Krebs: —Maryland a couple of weeks ago, same thing. It’s critically important that state officials communicate with the voting public to let them know their rights. Now, again, worst case scenario they delete those files; you cast a provisional ballot; your vote gets counted. That’s a sign of resilience in the system. It can take a hit, experience some difficulties, but you still get to the end result. And I make this terrible joke based on a comedian, Mitch Hedberg, who passed away, but it’s the equivalent of an escalator. When an escalator breaks, it turns into stairs. You can still get where you’re going. It takes a little bit more effort, but the system works. And that’s what we’re trying to reinforce with elections.
Hawkins: You recently said that we haven’t seen any activities along the lines of what we did in 2016.
Hawkins: What do you mean by that? And what do you do if you start seeing an uptick in that type of activity?
Krebs: So the broader challenge is, particularly in this town, we have a threat-intelligence problem. And what I mean by that is that I see intelligence, I see reporting on stuff every day that would look, absent context, concerning. What we’re saying with, “We haven’t seen a campaign on the scale of 2016 of concerted attacks against election infrastructure, concerted attacks against campaign—” Yes, Microsoft made an announcement yesterday about three campaigns being targeted. That is concerning. And so we’re going to work with them. We’re going to get that information. The FBI has worked with them to share information, to shore up defenses. And that’s what we’re doing, is—
Hawkins: Did learning that change your approach or cause you to rethink anything you’re doing?
Krebs: No. Nope. Because here is why; I don’t need to see evidence; I don’t need to see threat intelligence that they’re launching another attack on the lines of 2016 because we know they have the capability and they have demonstrated the intent. That’s all I need to knock on the door of a secretary of state and say, “Hey, we’ve got a problem here. We’ve got a risk in the system. We need to work together.” And that’s the biggest issue as I see it. For too long whether it’s in a company—and Chairman Mike Rogers just mentioned this about the challenges he sees with CISOs that are just getting beat up every day. No company out there, no state out there is going to be overcome this challenge by themselves. We have to work together.
We are pushing a collective-security model, a collective-defense model where we work together to manage risks, to counter the threat over there—and that’s the intelligence community and that’s the Department of Defense—and we buy down, we address risk here domestically. And that’s where my organization is at.
Hawkins: Well, speaking of working together, the Justice Department just announced this new policy that is going to start alerting the public about foreign influence campaigns as part of its efforts to combat these attempts to disrupt U.S. democracy. Where do you fit into that? Where does your agency fit into that?
Krebs: So there are a number of efforts afoot across the U.S. government to counter the influence operation space. Now, this is a little technical and there’s a bit of a taxonomy that we built out, but foreign—and the way I prefer to talk about it is foreign interference. Because, look, foreign influence, that’s why we have a Department of State. That’s why other governments have ministries of foreign affairs. Foreign influence is diplomacy. The problem is when foreign influence—
Hawkins: It’s also a law enforcement kind of now, though.
Krebs: Yeah, but when foreign influence crosses the line of sovereignty, national interest, or values, that’s when we get into a foreign interference space. So when we map—
Hawkins: Does DHS have a formal role in this though?
Krebs: Yeah, so the department—
Hawkins: In what the Department of Justice is doing?
Krebs: We work alongside the Department of Justice, the FBI and their foreign influence taskforce. Secretary Nielsen established a countering foreign interference taskforce several months back. So what the FBI is very focused on, law enforcement action against specific actors. What my team is doing is working alongside the FBI, working alongside the intelligence community to understand broader trends, to understand broader techniques and tactics that adversaries use.
Let’s also be clear that foreign interference is bigger than trying to undermine an election. They’ve been doing this for years. They try to undermine our confidence that our system works, our government system, or society works. Our open access and freedom of speech, they’re attempting to undermine that to point out that America is failing. And it’s not. And so what we are doing, again, is identifying trends, building case studies, sharing across the interagency, sharing with private sector, but also trying to figure out how to get more of that information out into the general public about, “Hey, here is how you spot an influence operation underway. Here is the information that you’re being presented, and here are ways to think critically about the information that you’re looking at.”
Hawkins: Are you sharing information about specific threats with social media companies for example? I know last month that you met with Facebook and a number of other companies in Silicon Valley.
Krebs: Was that last month? That feels like it was a year ago.
Hawkins: Maybe it was longer ago.
Krebs: Yeah, I don’t know.
Hawkins: Are you sharing information with them? Are you telling them what they need to brace for?
Krebs: Yeah, the government works with the social media companies, absolutely. But in my team—
Hawkins: NPPD is your team?
Krebs: Yeah, my team has historical relationships with social media, with technology companies, with telecommunications providers, historical relationships based on cybersecurity indicator threat sharing.
Hawkins: But you talk to them and they say, “We need this information.”
Hawkins: Yeah. And are they getting it?
Krebs: The government is working with those folks, yeah, providing them—again, what I’m looking for is trends on activities, whether it’s from intelligence holdings, looking at classified activities and bringing them down to an unclassified space to help them refine algorithms, to help them figure out what it is that they’re doing to counter threats on their platforms.
Hawkins: The previous panel talked about the need for this sort of whole-of-government response. That seems to fit into that. How important is that, and do you think the Trump administration is really moving in that direction? Because right now I see a lot of agencies doing a lot of things on their own. You know, NSA and Cyber Command teaming up; I see what you’re doing with DHS; I see what the Justice Department announced just last night. Is that a whole-of-government response? If so, you know, where are the instructions on that coming from?
Krebs: So it is. There is a whole-of-government effort afoot.
Hawkins: Is there someone heading that up in the White House?
Krebs: Yeah. I mean, look, it comes from the National Security Advisor that cybersecurity is a top priority for this administration. There was an executive order released last year, 13800, that reinforces and reemphasizes our approach to cybersecurity. What we are doing—
Hawkins: Is there a whole-of-government response specifically though to election security?
Krebs: Yeah. Yeah. Again, I work every day. My team at the operational level works every day with the FBI, with the intelligence community, with state and local officials. There is a whole-of-government effort. To the broader point of coordination, I have—you know, this is my second time in government. Back in the Bush years I was at DHS as well. I have never seen the level of cooperation and coordination across the federal family. And I’ve got to—you know, frankly, I have to attribute it to the nation-state space, in part, in part attribute it to the nation-state space, because we have just a clear adversary. It’s remarkable how acute the risk space is and how everybody has clarity of mission and purpose of what we’re doing on a day-to-day basis. And, frankly, it helps me from a recruiting basis that I can get out there and I can communicate. It’s like, “Hey, look. We’re sitting out here hunting for Russians and Chinese on U.S. government networks, on private-sector networks, on critical-infrastructure network every day. I mean, what more could you want in a job?”
Hawkins: Are there other threats that we’re maybe disregarding because we’re so focused on Russia right now?
Krebs: I don’t think there are threats we’re disregarding. I think that in the headline space there are threats that are not given their due. I’m telling you right now, China is the long-term strategic threat for this country. And it’s not just from a direct technical cybersecurity perspective. But look at the way they do strategic investment. CFIUS rules have to change because they are pivoting around our approaches. So there are, you know, Chairman Rogers mentioned the big four, between Russia, China, North Korea, and Iran. I mean, these are the nation-state adversaries that we see active every day in this space.
Our challenge is understanding what they are trying to do, what their capabilities are, and what their intent is. That’s the intelligence community space. My job is saying, “So what? What does this piece of intelligence mean? What is the context? What are the potential consequences?” and then asking a second question of, “What are we going to do about it?” So to your coordination, it’s not just about government working together; it’s about industry and government working together. We have to have integrated, cross-sector, government-industry collaboration in the cybersecurity space, in the critical-infrastructure protection space; and that’s where we’re going. We’re in the process of launching a national risk management initiative that is going to focus on those activities, working with the Department of Energy, working with the Department of Treasury, working with the sector-specific agencies that have exquisite and unique understanding of sector-specific technical aspects and bringing them into a coordination capability that supports cybersecurity expertise and industrial-control systems expertise.
Hawkins: Unfortunately, that’s all the time that we have for today. I want to thank you, Under Secretary Krebs, for being with us.
Krebs: Thanks, Derek. Thank you.
Hawkins: I’d also like to let you know that you can see highlights from today’s program and learn more about upcoming events by visiting WashingtonPostLive.com. Thanks to everyone in the room and everyone online who joined us.