Safeguarding these systems is an enormous challenge, one that demands coordination across many organizations, and today we’re fortunate to be joined by leaders from our homeland security and intelligence services along with their counterparts at major technology companies who will discuss their efforts to deter foreign cyber threats. We’re also joined by officials who have held responsibility for our national security at the highest levels. We’ll hear from Secretary of Homeland Security Kirstjen Nielsen, whose department plays a leading role in all aspects of our nation’s cyber defense, and in just a moment David Ignatius will sit down with two highly accomplished public servants. The first is President Obama’s homeland-security and counterterrorism advisor, Lisa Monaco, and the second is one of our country’s most brilliant military tacticians and the former director of the CIA, General David Petraeus. But first we have a brief video to set the stage for this conversation.
David Petraeus and Lisa Monaco on America’s cybersecurity posture:
Ignatius: So good morning, ladies and gentlemen. I’m David Ignatius. I’m a columnist for The Washington Post. It’s my pleasure to have all of you here with us this morning and with two panelists I greatly respect who are going to help us think about this very complicated new problem of cyberwarfare and cybersecurity. Lisa Monaco has been living this problem as much as anybody in government, first at the FBI, where among other things she was briefly, I think, chief of staff to Robert Mueller—
Monaco: It wasn’t so brief. I didn’t feel that way anyway.
Ignatius: —who has gone on to other things, as we know. Lisa had many senior positions, Assistant Attorney General at the Justice Department and then moved over to the White House under President Obama, where she was head of Homeland Security and counterterrorism in the White House, one of the truly difficult jobs in our government and by all accounts did it marvelously. General David Petraeus is well-known to everyone in the audience, I’m sure, one of the most distinguished military leaders of this generation. I’ve known General Petraeus for 15 years, I think.
Petraeus: At least.
Ignatius: So we’ve seen each other. I’ve had the great opportunity to watch him as a commander in many different places. Just to summarize, as you know he was in the first wave in Iraq going through Baghdad to Mosul. As things were becoming more and more difficult in Iraq General Petraeus led what we call the surge which was a moment in which in that very difficult war things actually seemed to be going right in terms of reduction of violence and protection of human life there. He went on to become CENTCOM commander, one of the most important four-star commands and then was asked to leave that to become commander of the ISAF, a coalition of forces in Kabul, Afghanistan, and then he became director of the Central Intelligence Agency. So he has seen both from the military tactical level and from the strategic CIA level the issues of cyber that we’re going to discuss.
So I want to ask each of you to begin with this very directly. I want you to begin by scaring us, scare this whole audience and tell us briefly in a minute a cyber story that will make people understand why this danger is so serious. Lisa?
Monaco: So I didn’t get the nickname Dr. Doom from President Obama for no reason. It’s because I was always worried about the worst case scenario and I always brought him bad news. On the cyber front, look, I don’t think you have jobs like David and I had without worrying about the cyber 9/11 that has been talked about in a cyber attack with kinetic effect, physical effects, but I will tell you one of the things I worry most about is the cyber attack that is unseen, that shakes our confidence in the integrity of information. Now, obviously we’ve seen that on a massive scale to some degree with disinformation operations, but what I’m talking about is the cyber activities that shake our confidence in things like the integrity of the markets. Right? The ability of a cyber actor to change the integrity or alter the integrity of information to make us question whether the trades, millions of which go on every day in this country and around the world, whether we can have confidence in the resolution of those trades, so things that really shake our confidence in the integrity of that which is integral to our daily lives. And you could go on to a list of things, financial transactions, health information, et cetera, so I worry very much about that.
Ignatius: Just to underline that, imagine a world where you could not when you woke up one morning establish your ownership or the pricing of any asset that you hold as an individual investor, as a great corporation, or a financial institution.
Monaco: Mm-hmm. Right.
Ignatius: So Dave, I’ll ask you the same question. Scare the heck out of us on this cyber front.
Petraeus: Well, Dr. Doom has already done a pretty good job. And, you know, we’re entering the era that might be termed the weaponization of everything, but I’d bring back the scary scenario, again, to the cyber equivalent of a weapon of mass destruction. In other words the ability to shut down the electrical grid of a large part of the country, say the Eastern seaboard, and keep it down, and that in the hands of an extremist group, so not another state entity that can presumably be deterred but an extremist group that’s shown a willingness to blow itself up on the battlefield to take us with them. I don’t know how you keep that group from hitting the send key if they ever get that capability.
Now, this is a remote prospect. I think there’s been a good caution about why this would be very, very difficult from FERC and from the others who are in the energy business, but it is not an impossible possibility, and I think that would be very, very dangerous and have the effects indeed of a weapon of mass destruction.
Ignatius: I want to invite the audience both here in the room and the online audience that’s watching a streamed video of this to send any questions that you’ve got that I can put to Lisa Monaco and General Petraeus. The address is hashtag #PostLive, so please send me questions. And let me turn to the very immediate question of how the Trump administration is doing with the challenge that you just described. And I’d ask each of you, starting with Lisa, to evaluate what they’re doing right and what they’re doing wrong. What concerns you in the way that they’re dealing with this question—we’ll get to the larger question of Russia and Russia’s activity—I mean really just in terms of organizing for the basic cyber threat?
Monaco: So I’ll start positive, which is to say I think in large measure this is a story of continuity building on work from multiple administrations. I think the Trump administration has actually if you look at it continued a lot of what was going on in the last administration. Here I would point to things like basically an approach that says, “We are going to determine who done it, who was the malicious cyber actor, call them out, and impose costs.”
That’s something that you saw the Obama administration do beginning with the five members of the People’s Liberation Army in China where we indicted those individuals for stealing intellectual property. That’s a case I began when I was assistant attorney general at the Justice Department. And then you can track it all the way through to Sony, to Iran, to Russia. I think the Trump administration has basically kept that philosophy but accelerated it and rightly so. I believe we should be calling out and imposing costs against these malicious cyber actors. They kept in place things like the sanctions regime that the Obama administration started, to impose sanctions, giving the authority to impose sanctions against malicious cyber actors.
But where I would say they have gone, I think, very dramatically and dangerously astray, that is in the accountability and responsibility in the White House and in the government writ large for cybersecurity issues. They have gotten rid of, inexplicably, the role of the cyber coordinator. Rob Joyce, who held that job in the Trump administration until about six or seven months ago, I think, is a tremendously talented, career professional from NSA. He held that role, by all accounts did a very good job, and it makes no sense and I think actually is governmental and management malpractice not to have somebody who is focused in the White House 24/7 and 100% of his or her time on the cybersecurity threat which we and the intelligence community have said for five years running is the greatest threat we face and, in fact, above and beyond terror.
Ignatius: Lisa, just explain—because few people have had the experience you have had—what difference does it make if you don’t have Rob Joyce coordinating cyber. What’s missing? What stops happening?
Monaco: So—and we’ll get to this later in the discussion, I think—there’s myriad responsibilities and roles across the federal government for cybersecurity, in the Department of Homeland Security for protecting critical infrastructure, in the FBI for investigating particularly state-actor cyber threats, the Secret Service, obviously NSA and Cyber Command for our offense cyber operations, so you have a whole range of roles and responsibilities around the federal government. It will surprise no one to know that that isn’t always without friction. You need one place in the federal government, and that happens in the National Security Council in the White House to bring all those people around the table to move out on a strategy and on a policy. That policy is set rightly from the White House, from the president, and then implemented and coordinated out of the White House and out of the National Security Council.
You would never imagine that you wouldn’t have a national security advisor to make sure everyone is rowing in the same direction on Iraq policy, on China policy, on Syria policy, you name it. The same is true on cybersecurity, and it is such a great threat and such a great challenge that not having somebody focused 100% of his or her time, I think, is a tremendous gap and irresponsible. And I would say the structure in the White House that has now for more than 10 or 12 years running been the structure for Homeland Security and counterterrorism and cybersecurity at least domestically, that structure has been the Homeland Security advisor role, the role I had, the role that Tom Bossert had, John Brennan, Fran Townsend, Ken Weinstein going back to the Bush administration. That role was responsible for cybersecurity. They had a cyber coordinator who reported to the homeland security advisor and the national security advisor. Getting rid of that structure, I think, is a real mistake.
Ignatius: Dave, what grade would you give this administration on this issue?
Petraeus: Well, let me just describe it which is better. First of all, I agree with what Lisa has said. I think you have sort of an understandable pause or lag when any new administration changes, if you go from one party to the other. But now I think there’s a regaining of momentum and really an acceleration that’s going on. You have the national cyber strategy that’s been announced. I think it was PPD-20. You have now legislation advanced through the House that will strengthen very substantially within DHS the National Cybersecurity and Critical Infrastructure Protection Agency, elevating it from an office within a directorate to at least being the equivalent of FEMA and the Coast Guard and TSA and so forth.
I personally think it could be elevated even further, but that is a good start. You have other legislation in the House that will help with the hiring of talented people by DHS again and throughout the federal government. All of these are issues that needed to be addressed. Now they are being addressed by a combination of, again, DHS and Congress with the administration pushing this. And so I think you see some momentum gathering now in response to a recognition of the very severe threats that are out there.
Ignatius: So we’ll have Secretary of Homeland Security Kirstjen Nielsen here with us in a few minutes, and maybe we can kind of set the stage for her and help the audience think about questions for her. One that we write about a lot in the newspaper is whether this administration, the president, but key officials like Secretary Nielsen have really addressed directly enough what our intelligence chiefs say was a deliberate Russian attempt to manipulate our elections in 2016. That is continuing. And so let me ask each of you to briefly assess how you think on that particular issue this administration and Secretary Nielsen are doing.
Monaco: I would give Secretary Nielsen great credit for accelerating and improving upon the relationships with the state and local officials who are responsible for voting in this country. I mean, let’s remember voting is not a federally administered apparatus in this country. It is rightly in the hands of state and local officials. Thousands and thousands of precincts and counties are overseen by state and local officials, and so they’re administered at the state level. That means you need a robust engagement with state and local officials from the federal side, and that has been in the hands of DHS and in the hands of Secretary Nielsen. And I think she and her team have done a very good job of building what I call kind of an infrastructure, a scaffolding that the federal government and the state and local officials can share information.
They’ve created an election coordinating council. And what I’ve heard from talking to state officials who are in charge of securing the voting infrastructure, they see a real improvement and a very good effort by DHS on that front. And then the other thing I would say is I think Secretary Nielsen and the leaders of the intelligence community have been out in a unified voice talking about the continued Russian threat against our elections. I wish it were a more unified voice from the White House as well.
Ignatius: Dave, I’d be interested in your assessment of that and maybe to add just one additional element, what more you think ought to be done in a period where it appears from everything we read the Russians are being extremely aggressive in the use of these weapons.
Petraeus: Well, first of all I think you also ought to mention what Congress has done in this regard. Obviously there’s been some reservations in the White House about how hard to pursue this, to put it mildly. And Congress has. You know, this is where it’s important to remind—as I often do with foreign audiences—that foreign policy in the U.S. isn’t just created by the chief executive with the support of parliament as is the case in many other countries. Here Congress very much has an independent voice, and they’ve been the ones who have pushed the sanctions on Russia, which the president at times has signed reluctantly because otherwise his veto would be overridden. And so good on them for that, I think.
Look, clearly a message has to be sent to Russia. And the new cyber strategy that’s been announced actually allows a great offensive activity to be determined. You’ll have to see what are standing rules of engagement, as they say, that will guide this if it’s wielded by Cyber Command and their assets which include NSA of course. But, again, you can pursue this in a host of other ways as well. Some of this has been done. Again, there has been pursuit in the legal realm, there’s financial; all of these opportunities are there. And I think actually it comes back to where it’s awfully nice to have a coordinator in the White House who could coordinate all of the activities of all of the different executive branch departments and agencies in having a concerted effort that shows the Russians very clearly that there is going to be a very significant price to pay for trying to undermine our faith in elections and trying to inflame debates as they have sought to do and as they did quite effectively actually in the lead-up to the previous election.
Monaco: David, can I say one other thing? I think there are two areas where I would like to see Congress act and they have not yet. The first is to pass the Secure Elections Act, which inexplicably has not garnered bipartisan support. It has bipartisan authors, but it has not been pushed through Congress. That would provide funding to states to shore up their cybersecurity of the voting infrastructure.
Petraeus: And pretty modest funding, by the way. I mean, this is not break-the-bank kind of spending.
Monaco: Right. And unfortunately—that’s the other point I would make, which is to say this is not a one-and-done effort.
Monaco: Right? There needs to be a sustained support for states to shore up their cybersecurity and their election infrastructure going on out for many years to come. The technology changes; the tactics of our adversaries changes and evolves very rapidly. We have to be in that game. So I think they should be working on that diligently and setting a path for the future. The other thing is I think that they should require a report from the intelligence community 60-90 days out to the Congress about what efforts are being made by any state or non-state actors for that matter to interfere in our elections.
Ignatius: So here is an interesting sign that out there in the country people are worried about this. These are two messages from social media that just came in on the hashtag #PostLive line. Bruce on Facebook asks, “What’s the likelihood of a cyber attack on our midterm election?” In other words, is this coming at us? And Mike on Twitter asks pretty much the same thing; “What are the chances a malicious state actor could hack into our state voter registration databases?” Dave, here’s somebody saying, “Is this going to happen to us in two months? What’s going on?” What do you think?
Petraeus: Well, I suspect first off there will be attempts. Keep in mind that this is 50 different state election apparatuses that are out there, some of which have been shown to have vulnerabilities.
Petraeus: You know, one of the recent hacking conventions did it right in front of everyone and so showed the vulnerabilities that do exist. And, again, we’ve seen what happened back in 2016 very, very clearly, so I think the prospects are quite real that you will see some of this. This, by the way, comes back to why it is very important that DHS elevates the role of this what will now be National Cybersecurity and Critical Infrastructure Protection Agency at least to the level of, again, FEMA, TSA, and all the other operating elements within DHS. Although, again, I would take it farther and take it all the way to an independent—[OVERLAPPING]
Monaco: Yeah, on that point I think David and I disagree a little bit on this. I absolutely agree with him that there should be an elevation of the current apparatus and the current office and entity in DHS that is responsible for this work. That, in fact, was a recommendation from the bipartisan Commission on Enhancing Cybersecurity that President Obama put in place to make a report to the next administration. That was bipartisan, purposely bipartisan, and independent commission headed by Tom Donilon and Sam Palmisano, former head of IBM, and that was one of their recommendations that they made. And I would like to see more of those recommendations being taken up by both Congress and the administration. So I absolutely agree that DHS, the apparatus in it that deals with cybersecurity and particularly with the private sector needs to be elevated.
I wouldn’t go so far as having a whole separate agency and for the following reason. If you make the analogy to the terror threat, after 9/11 we created the Department of Homeland Security in response to the rising terror threat, but DHS is not the only entity in the federal government that has very real responsibility for identifying and stopping terrorist attacks. I think cyber is the same in terms of its crosscutting nature, and even more so, on steroids. Right? So you could create a separate agency, but then what does that mean about the role of the FBI, the role—
Petraeus: Oh, it still has to—it envisions very much that it would be overseeing the role of FERC and of Treasury and FBI, all the other departments that have responsibility for the specific areas of critical infrastructure. Again, a very good first step, elevate it within DHS, see if it can actually perform the roles that it’s really not performing right now. The sharing of intelligence information, for example, threat information is really quite—it’s a grab bag, and most or many firms out there have not chosen to be part of the consortium that actually does share these different threats real time. So there’s an enormous amount of effort that you need, more legislation, you need policies, you need regulations, and then you need actual oversight of all of this, which I think this entity would do. Again, see how it does within DHS, if still not capable there can it attract the IT talent from Silicon Valley as NSA and CIA are still able to do to a reasonable degree. That’s a big test as well.
Ignatius: Just to push this question of the bureaucratic organization chart, which may sound dull but really isn’t, a little further. We all remember after the catastrophe of 9/11 that we realized that there was information in the system that just didn’t interconnect.
Petraeus: Sure. Yeah.
Ignatius: And I think one of my personal nightmares is after we have a catastrophic cyber event we’ll discover that all the ability to deal with it was there but it was Balkanized.
Petraeus: This is mine as well. Yeah.
Ignatius: And so when General Petraeus says, “We need a separate cyber agency,” he is saying something really visible where somebody is accountable.
Petraeus: Which brings it all together. You’d have a plug from CIA, from NSA, from FBI, all these different entities.
Ignatius: So let me ask each of you, you know, the trickier part of this, as you know but few people do, is on the secret and military side. We have just split the National Security Agency, which has the historic expertise and knowledge and personnel for dealing with cyber issues, from Cyber Command, which is the military command.
Petraeus: Actually we haven’t yet.
Monaco: We haven’t yet.
Ignatius: Well, I mean, the plan is to do that.
Ignatius: And so I want to ask each of you, before we go over that—I don’t want to say cliff, but to jump over that—is that a good idea? Dave?
Petraeus: Well, I’d want to see what the organizational architecture will look like after this, keeping in mind that Cyber Command, the four-star headquarters, should be a headquarters. Generally four-star commands aren’t great operational entities, having commanded Central Command and reminded our staff members generally that that should be done by the three-star joint task forces or others. And so seeing how this will be organized, what will the roles and missions be of NSA in this new entity, what will the roles and missions be of the Army, Navy, Air Force, Marines, Cyber Command elements that are under it, how will this all be apportioned, and how will it operate. By the way, we have an example because, of course, General Nakasone, now the Cyber Command commander, was the commander of the Army Cyber Command, and that was the headquarters which did Joint Task Force ARES, all publicly revealed, which took on the mission of in cyberspace going after the entities within the Islamic State that were active on social media and so very, very effective, frankly, as you also had conventional and special operations forces going after it on the ground. That’s the kind of campaign we’re going to see in the future, and I’d want to understand, again, what will the role of Cyber Command headquarters be relative to these other entities. And for the time being I would still keep him dual-hatted, in other words the director of NSA as well as the head of Cyber Command given that there’s nothing equal to NSA when it comes to intelligence gathering in signals, cyber, and some other domains of intelligence.
Ignatius: Lisa, your view of it. Maybe explain why some thoughtful people think it might be damaging to the country to split these two.
Monaco: Well, look. There’s long been a debate. And, in fact, during the Obama administration this debate was had multiple times. And earlier in the Obama administration the decision was made not to split these two. And I think there has been concern in the past about making sure that you have clarity about the offensive role of Cyber Command and, you know, do we want to signal to our international partners and allies that we are kind of weaponizing cyberspace. I think that those concerns we largely overcame. And, in fact, at the end of the Obama administration our decision and recommendation to the new team was to in fact split them, however—and this is a big however—to not do it as if a light switch, to not do it very rapidly. And I think for a lot of the reasons that David is saying, there needed to be a tail on this. There needed to develop a set of rules and responsibilities and very importantly build up the capability within Cyber Command just so people understand the dual-hat. And I think General Nakasone is a tremendous leader for NSA, I should say, and I saw the great good work he did when he was in the Army and head of Cyber Command there. What it means is that Cyber Command is actually being provided its support by the experts at NSA. And so what you want to do over time, I believe, is have these separate but have a self-contained existing expertise in Cyber Command, so you’re not kind of using both, using the experts at NSA to do both jobs.
Ignatius: So we just have barely a couple of minutes, and I want to ask one closing question, and that goes to the question of deterrence of our adversaries. Looking at the reports from DHS and other agencies about continuing Russian attacks on our infrastructure, on other targets, you would have to say that our adversaries are not now being deterred. So my question—let me start with you, Dave—are we going to have to give our adversaries a punch in the nose, to put it bluntly, before they stop doing this stuff?
Petraeus: Well, we’re going to have to impose—I think there will have to be greater penalties is the bottom line. The question is, of course, is the best defense a good offense when it comes to cybersecurity if you are the one in the biggest glass house about to throw rocks? And this will have to be tested over time. There will have to be some introductory steps. We’ve shown that there are penalties, legal penalties, financial penalties, and some others. We’re going to have to increase those and, again, encompass some others, including, I think, some offensive use.
Ignatius: Lisa, a punch in the nose?
Monaco: Look, I think there has to be cost and there has to be visible costs, and it has to be shown that it is our default position that we are going to call out malicious actors and impose costs. Those costs won’t always be cyber costs. Right? So we’ve got to get out of this mindset that it has to be cyber for cyber. Cyber tools should be on the table as a response, but we need to use all of the tools in our arsenal, military, cyber, intelligence, law enforcement, financial sanctions, diplomacy. All of those need to be on the table, and we need to use all of them, and we need to be willing to use all of them and, importantly, be willing to have the conversation about using all of them because each one won’t always be the right fit.
I think deterrence looks like it has to have at least two elements. There has to be norms of behavior. We have to be very clear about what we find unacceptable, and we have to bring the international community and lead the international community on that. But then there also has to be actions, and that means imposing costs for malicious activity.
Ignatius: Folks, these are two of the most knowledgeable people who have served in our government on these issues. We’re really lucky to have them here this morning. Please join me in thanking them for coming.
Petraeus: Thanks, David.
Monaco: Thanks, David.
Content from Accenture:
Graff: Good morning, everyone. I’m Garrett Graff. I’m the director of the Aspen Institute's cybersecurity and technology program, and I’m here with Gus Hunt of Accenture Federal Services, the former CTO of the CIA who has been following these issues for a long time. And we’re going to have a short conversation here about cyber resiliency, which is a topic Gus and I have talked about for years. And I’m curious, Gus, if you could lay out a little bit of sort of why you think the answer to a lot of the problems that Lisa Monaco and General Petraeus laid out there is shifting the way that organizations think about the way to respond to cyber attacks?
Hunt: Yeah, sure. So quickly let me set a definition on cyber resilience as the one that we’re trying to use, and it’s the ability to continuously—and I want to emphasize that word continuously—deliver the intended capabilities and outcomes despite an adverse cyber event. And today and, you know, through a lot of our past whenever a cyber event occurred it was fundamentally all hands on deck, you know, shut systems down, business stops, mission stops, everything grinds to a halt. And it becomes a very expensive proposition then to remediate, to fix, and do all these things like that. Right?
What we really have to think about and turn this on its head—and I think we have the capabilities today if we put them together the right way to do this—is to really think about how we deliver this continuous set of operations in spite of the fact that your adversary may have successfully penetrated your network or something along those lines, so the ability, again, to continuously deliver the intended outcome across the board.
Graff: And so that sounds like something that makes a lot of sense. So why is this something that companies are struggling with in thinking through cyber incident response?
Hunt: Well, there are three fundamental reasons that come up in this. One is that almost every corporation who has been around, every business, the U.S. government, every agency that’s been around for a while has this enormous mountain of legacy applications and systems that just it looks insurmountable to try and address this problem and solve it, because to do this, what I just described, you really have to rethink the complete design of how you go at this. And this is the opportunity to play, I think, that things like IT modernization presents within the U.S. federal government as a play and something that I think every business ought to think about as they look to modernize their systems and things like that. But when they look at it, it looks insurmountable. It looks just too difficult to accomplish.
The little cost wheels start spinning away going astronomically ever higher across the board, and so to them it just looks like it’s too hard to accomplish. And, of course, the reality is it is very hard; there is no easy button to do this. And I think it’s important for business and mission and federal agencies to keep in mind that they got to their current position one step at a time, one app at a time, one dataset at a time, one business need at a time. Right? And the only way you’re going to get out of this is the same way, one step at a time, and you just have to get started.
And we can talk about what it takes to get started, but the second reason I think they find it hard is that too often they make it an IT or a cyber-security issue, and the reality is that this is about business; it’s about mission. Right? And IT and cyber are there to enable the mission and the business to accomplish their goals. And so if you really think about it the importance of resilience the way I defined it, the ability to continue to operate, is a business/mission outcome. Business mission continues to function. And so business resilience, IT resilience, and cyber resilience all go absolutely hand in hand across the board.
I think the third reason that they’re having difficulty with this is that the technology maturity to keep this continuous operation mode is just recently beginning to come about. Right? It’s matured to the level where we can begin to put it together, and this involves weaving together cloud technology capability, data-centric security operations, software-defined networking, in a way that allows us to actually change the game with a cyber adversary and raise the cost to them to make it much more difficult for them not only to attack us but even to find us and those types of things.
Graff: So you talk about this from an IT modernization standpoint. And one of the things that is so challenging in this space, as you know from coming from the government side and now being on the private sector side, is the sort of legacy systems problem that most organizations stand with. I forget what the exact statistic is, but most companies deal with it, most CISOs deal with an average of something like 30 or 40 different security products that they’re responsible for managing. And you sort of see—you and I were talking earlier about Wired magazine’s article this month about the Maersk and NotPetya ransomware attack, $300 to $400 million worth of damages to Maersk. It would have been sort of far worse except for this one server that had actually been knocked offline earlier that morning in Ghana, and but for that one server that was offline because of a power outage their systems actually might have been down for months instead of weeks. And so when you’re thinking through how from a global, international, corporation, interconnected supply-chain-management standing, how do you begin as an organization to even understand what the IT needs are for figuring out what was going to represent resiliency for you?
Hunt: Wow. So, boy, that’s a really loaded question. [LAUGHS]
Graff: But I think it sort of gets at one of the fundamental cyber challenges, which is most of this is actually an IT problem, not a security challenge.
Graff: This is passwords; this is patches. You know, by the time someone is attacking your system it’s sort of too late to start.
Hunt: Right. So we advocate very, very strongly that you need to be brilliant at the basics, so you’ve got to do your patching; you have to keep up with who’s got access to what and clean your access control, cleaning up. You know, you’ve got to keep your rules and everything all current and up to date. All those things are absolutely, critically important to be able to do. Brilliant basics is the fundamental. Right? It’s like the foundation of your house, a strong foundation and everything gets built on it. But I think what’s critical for people to remember is that brilliant basics is a retrospective set of actions; I am fixing problems of yesterday that I find about today. All right?
And that’s been the biggest issue with the way we’ve approached cybersecurity in the past, which is as a set of retrospective actions. We have actually allowed the adversary to define how we engage. Let’s not do that. Let’s take pages out of their playbook and let’s redefine how to engage so that they’re the ones that are trying to play catch up with us across the board. So this is where things like being very much proactive—right—hunt, don’t wait, do pressure test your environments across the board, take advantage of threat intelligence so that you can focus on the problems that are most acute to your business area or your needs and other things like that. We have to apply all those things. Right?
But then going back to where we are on cyber resilience, it’s about then really getting yourself, to use the DOD term, left of boom. We have to really think about how we build and deliver our systems for the future so that they themselves are natively, naturally resilient to what’s going to happen inside of the environment. And so this requires a design framework and a model that isn’t in the mindset. We had talked about the difficulty that organizations have in doing this. It really is a shift in mindset thinking, so I’ll give you a couple of examples, this push to the cloud.
The U.S. government has got a massive push to the cloud, a really good idea. A lot of people want to go there for efficiencies and cost reasons and whatnot across the board. It’s actually a cybersecurity/resilience play. So the very thing that enables you to be cost effective in using the cloud, which is elasticity—you only pay for what you consume—if you turn that on its head it becomes the very reason why I can become resilient and resistant to attack, because I can turn off stuff based on time, reimage clean from my vault so I’m running something new that I know doesn’t have any problems with it, and I can point it, move it some place else inside of a cloud environment so that the adversary doesn’t know particularly where it is right across the board.
Data-centric security, harden your systems from the inside out. Right? So assume the adversary is going to get in and therefore build the system with encryption and tokenization and anonymization and redaction and all those up front from the very, very beginning. You know, software-defined networking is the next one, of course, that comes along. Right? There’s an old adage around software-defined networking that, “If they can’t find you, they can’t attack you.” Right? And so the purpose of software-defined networking is to constantly change your routes, and there is now the ability to do this midstream, mid session. I can dynamically shift routes where I’m trying to move my stuff through the cloud or whatnot, never dropping a packet, but do so in the middle of a session so that I can terminate one aspect of it and reappear someplace else. And how does the adversary follow that trail? So there’s a whole bunch of these things that exist today and are now real today and very powerful today, and what we haven’t done is put them together holistically to deliver the resilience outcome that I think the nation and our citizens deserve.
Graff: All right. Thirty seconds or less here because Ellen has got a great panel coming up next here. You’re talking about sort of a culture fix to an IT problem. So how does an organization outside of the CIO or CTO’s office drive the culture necessary to bring about resiliency?
Hunt: So the cultural change aspect is always the hardest thing for anybody to be able to do. What I would recommend and I think is really important is that organizations need to adopt DevSecOps now for practices. And the value proposition of adopting those two is that it actually requires the IT, the cyber person, and the business person to be present at the table as decisions are made about spending any dollar that’s going to then go at it. So some of the dollars drive business, some of the dollars go to IT, some of the dollars go to cyber. You make coherent, transparent decisions; that transparency drives trust; that trust helps to drive the culture change. Without that I think this is almost too hard to do, if you just approach it as an IT or a cyber issue.
Graff: Great. Gus, thanks for joining us.
Hunt: Thanks, Garrett.
Graff: And back to Ellen Nakashima and The Washington Post—
Hunt: All right. Thanks. Appreciate it. Okay.
Global threats to U.S. national security:
Nakashima: Well, thank you. Good morning, everyone. I’m Ellen Nakashima. I’m a national security reporter here at The Washington Post, and I am joined by a stellar panel of cybersecurity experts and scholars who are going to discuss with us here today the most pressing threats to the United States, at least by our top nation-state adversaries in cyberspace: China, Russia, Iran, and North Korea. Starting from my left, we have Dmitri Alperovitch, cofounder and chief technology officer of the cyberfirm CrowdStrike, and an expert on cyber threats posed by all four adversaries. Next to Dmitri is Michele Flournoy, former undersecretary of defense for policy from 2009 to 2012, where she advised the defense secretary in national security and defense policy. And next to Michele is Karim Sadjapour, senior fellow at the Carnegie Endowment for International Peace, and known as the smartest man in Washington on Iran, and James Mulvenon, the vice president of the intelligence division at Defense Group, Inc., and a specialist in the Chinese military and influence operations.
During the discussion, if you have questions for our panelists, please be sure to tweet them to #PostLive. That’s #PostLive, and I’m just going to dive in here because we don’t have a lot of time. I wanted to start with you, James, on China. Last week, the president warned that China was seeking to meddle in the U.S. elections. Do you see any evidence of that?
Mulvenon: What Washington is confronting is something that they had not really paid a lot of attention to for a long time, which is that China has a global influence operations campaign of fairly large scale, under its United Front Work Department. And it had gone largely unnoticed, until people start picking away at it. But there’s a key difference in the sense that they’re more focused on making sure that there’s a positive portrayal of China, and to downplay criticism of China, rather than in the Russian case, to seek to disrupt our democratic processes and undermine the legitimacy of our system.
Nakashima: And real quickly for the audience, the United Front Work Department is?
Mulvenon: So, the United Front Work Department is a very large organization within the Chinese communist party that is dedicated to the propaganda and covert influence campaigns about the portrayal of China abroad, to actually further China’s national interests. And it has a—there are now a lot of reports in Australia and New Zealand about the activities of this organization, and now we are taking a very long look at it in the United States.
Nakashima: But are you seeing anything that looks to be in the way of interfering in or trying to influence either the political campaigns, or meddling in infrastructure? Anything related to the midterms?
Mulvenon: Well, I think we’re going to—we’re potentially going to find out some interesting things in Vice President Pence’s speech tomorrow, where there’s a promise that they’re going to reveal some of the digging they’ve been doing on this. There is some discussion, for instance, about Chinese campaign finance issues at the local and state and senate level, and I think we’re going to need to dig deeper on that, because I personally have not seen any concrete evidence of the same level of meddling, particularly directed towards the midterms.
Nakashima: Dmitri, would you like to also weigh in? You’ve also studied China and cyber.
Alperovitch: Yeah, so, in 2015, the Obama administration struck an agreement with China to stop commercial espionage for the purposes of helping Chinese private and state-owned enterprises, industries, and for a little bit afterwards, we actually saw a dramatic decline in Chinese intrusion activity in the United States. There was still activity focused on the national security, sort of traditional espionage, but intrusions into private industry have dropped by over 90%, based on our numbers.
However, I can tell you that unfortunately now, the Chinese are back, and we’re seeing a huge pickup in activity over the course of the last year and a half, and nowadays, they are the most predominant threat actor that we’re seeing breaking into institutions all over this country and western Europe.
Nakashima: And are you seeing anything aimed at election infrastructure at all?
Alperovitch: We’re not seeing much on elections, but every sector of the economy is getting infiltrated and IP has been stolen, just like it was prior to the agreement.
Nakashima: Okay, and are we seeing any activity by China in social media, sort of taking a page from what Russia did in 2016?
Alperovitch: No, it again is very oriented on creating a positive image. The Chinese government, in particular, has been really put on their back heels by the Trump administration trade policies. It has dramatically undermined the narrative that Xi Jinping had been pushing, that this was China’s century, the China dream. They’re still recoiling a bit from all of this external pressure, and trying to figure out how best to respond, and their natural reaction is, let’s mobilize our friends that we’ve built all of these relationships with over the years, and that has mainly been the focus of the information operations messaging.
Nakashima: So, Michele, which is the bigger threat, then, to the United States today? Do you think is it China or is it Russia?
Flournoy: I think they’re both quite substantial but different in character, as has been described. China, so far, has been going primarily after both intelligence targets and also the theft of intellectual property that gives them economic advantage. Russia has been—this has been a bit more of a KGB type of approach, using Putin’s old playbook, which is really—cyber is part of a larger set of influence operations, trying to undermine democracy as an alternative to authoritarianism, by getting inside our system and creating chaos and disruption and doubt. And so, the social media campaign, the hacking of elections, all of this is really trying to undermine Americans’ faith in democracy and to make America and our system look, to the world, very messy, very polarized, very dysfunctional, which only helps sort of Putin.
In addition, he has traditional intelligence missions that he uses cyber for, such as collecting on military targets, trying to penetrate key parts of the critical infrastructure on which the military would rely to actually project power in a crisis, and so forth. So, I would say they’re both very substantial, and they both need our attention, but they’re somewhat different in their focus, at least right now.
Nakashima: What do you think, Dmitri?
Alperovitch: Yeah, I agree with Michele that they have different priorities, and certainly in the long term, probably not just in cyber but in geopolitics, China is a long-term threat. It’s a much more powerful country. The military is growing in capabilities, particularly regionally, and we should be concerned about them in the long term. In the short term, certainly Russia can cause us a lot of trouble, and they’re taking full advantage of that.
Nakashima: Right, so, short term, Russia is probably a little more immediate, but in the long term, when we look at the strategic landscape, China is the greater threat. Okay. So, Michele, you pointed out that Russia carried off one of the most brazen information operations, attacks on the U.S., in modern history in 2016. Both the Obama and Trump administrations imposed a series of measures to punish and deter Moscow. Have any of those measures had any real impact in changing Putin’s behavior, and changing Russia’s behavior, [OVERLAPPING] that you’ve seen, from both the Trump and the—
Flournoy: Not so far. I think in order to really deter Putin, several things have to happen, and I don’t think these have happened yet. A very clear declaratory policy that draws some lines, and says, “We will take certain types of attack as an attack on our vital interests, on our democracy, and you can expect substantial costs or consequences as a result.” So, we have to communicate kind of what we hold dear, and be clear that we will impose costs, not necessarily exclusively in the cyber domain, but using all the instruments of our national power. That’s thing one.
And then, thing two is then we have to actually respond in ways that are effective, but not escalatory, and that is the real challenge. I do think this administration, at least in its documents, it’s published a new national cyber strategy, and a new defense strategy, and it does have some new concepts, like defending forward, which is authorizing the defense department, for example, to disrupt or defeat, halt cyberattacks at their sources, which is a new posture. The Congress in the recent Defense Authorization Act gave the department the authorities—the legal authorities to actually do that. What we don’t know yet is how is that actually going to work in practice? What level of decision maker actually authorizes that, given the risk of blowback or retaliation or escalation? How do you get an integrated approach and a broad strategy across the whole of government if this is just DOD acting alone?
So, there are a lot of unanswered questions, but at least in their documents, and the public statements from people like National Security Advisor Bolton, they intend to take a more aggressive posture to try to create some measure of deterrence.
Nakashima: I’ll ask you a question to get clarity on this. So, until this strategy, the DOD didn’t have the authority to halt attacks at their source?
Flournoy: Previously, it was focused on defending the .mil, the military’s own networks, and then working with the private sector to improve their capacity to defend .com.
Nakashima: And now?
Flournoy: And now there is authorization anyway to both defend forward, which is to do offensive cyber that disrupts attacks at their source, and also asks DOD to be prepared to actually help defend key parts of critical infrastructure, again, particularly those elements like the electrical grid, and transportation, that are most essential to being able to mobilize and use our military forces in a crisis.
Nakashima: Let me open this up to the full panel. Anyone can answer this. If you were the secretary of defense—you, Michele, or anyone else—under this new strategy and under a new executive order that gives the secretary of defense more latitude or authority to undertake offensive actions below the use of force against foreign adversaries, what measures would you direct cyber command to take to deter Russia right now in its aggressive malign actions against the U.S.? Does anyone want to take a stab at that?
Mulvenon: I think first you need to frame it properly and you need to say that we are in a deep deterrence hole right now, with respect to both Russia and China. Over the last 20 years, there have been a series of escalating attacks by both actors that have undermined U.S. interests, and from the perspective of both Russia and China, they have not found our pain point yet. For a long time, we—
Alperovitch: They keep looking.
Mulvenon: They keep nudging, and for a long time, they looked at our declaratory policy as Michele mentioned, and the declaratory policy was, we will only respond if it results in the loss of human life. Well, there’s a heck of a lot of terrible damaging things you can do to U.S. national interests short of actually killing someone. And so, that really didn’t become a good operative definition for what our declarative policy should be.
Nakashima: Doesn’t our declaratory policy also include damage or destruction?
Mulvenon: It could include damage or destruction that is equivalent to nuclear attack or something like that, but my bottom line is to say when you’re in a deterrence hole, the first thing you need to do is stop digging, and the second thing you need to do is recognize that a single action is not going to be sufficient to restore deterrence stability to that domain; that you have to have a consistent series of response actions, again much more focused on deterrence through punishment than denial, because you can’t deny the target set in cyber. It’s just too much of it. It’s connected to everything, so it has to be deterrence through punishment, and you have to be consistent.
And my view is, we’re going to have to go through a series of Berlin Airlifts and Cuban Missile Crises, before either Moscow or Beijing believe that we’ve actually returned ourselves to a level of deterrence stability.
Nakashima: So, Michele talked about a declaratory policy. Does that mean we should have an explicit series of red lines? For instance, with respect to Russia, if you hack into voting systems or machines, we will then take—do X or take some sort of punishment, responsive action. How explicit should we be? And where should you draw the lines that would require a forceful response, be they sanctions, or other actions.
Flournoy: My own view is that we should be very explicit. You have to think about what you want to do publicly, versus what you want to convey very clearly and privately, but what kinds of attacks we consider beyond the normal sort of intelligence reconnoitering that countries do to one another, and what we consider to be an actual attack, and how seriously we will take this. I don’t think we want to be exactly—totally explicit about what exactly we would do in response. I think we want to suggest certain levels of consequence, but I would think we need the freedom to tailor responses in a given situation.
I also think it’s worth thinking about what may work for deterrence with Putin and Russia may be different than what would work with China, or with Iran, or North Korea, because deterrence is about getting at what different leaders hold dear, and the answer to that question has to be tailored to the specific adversary.
Nakashima: So, can we do a quick lightning round on what pain points you might press for, for Russia, Iran, North Korea, and China? Want to start, James?
Mulvenon: Well, as Dmitri mentioned, the executive order that actually called for cyber sanctions against senior Chinese state-owned enterprise officials, if they materially benefitted from Chinese state cyber espionage, there’s a lot of lessons to be drawn there, which is money talks. And those individuals, unlike the very low-level operators that the Justice Department had indicted a number of years earlier, those people were powerful, they were connected directly to the leadership in Beijing, and I would argue that that executive order and the threat of real sanctions, and not just because they wouldn’t be able to go to Davos or pay their daughter’s Harvard tuition out of their ill-gotten gains, but also because it just was a serious blow to very senior people who were really more communist party apparatchiks than commercial executives.
Immediately got the Chinese to the table, and Meng Jianzhu and other senior people came here and said, “We’re ready to negotiate. What do we need to do to deal with this?” And I think the same would be true—I think we can walk it across in terms of actually hitting the financial pain points of central leaders, who are often themselves kleptocrats, and have amassed large fortunes.
Nakashima: Yeah, the same economic sanctions on Russia haven’t really, as you’ve noted, moved—changed their behavior, and they’re much more willing to accept a level of pain, so what would you do?
Flournoy: Yeah, I think for Putin, there are two key issues: one is getting at his own legitimacy, or perceptions of his legitimacy with his population, and we know that there’s ample evidence that is known in the intelligence community about Putin’s own corruption, and also a number of topics on which he clearly lies to his own people. So, the whole question of outing Putin on some of these issues, and then I think the other thing is he’s extremely reliant on the oligarchs around him for financial and political support. And again, creating some difficulties and pain for them, to get them to lobby him to tone it down, I think those are the kinds of levers we need to explore more fully, in addition to things like sanctions and diplomatic repercussions.
Nakashima: What about you, Dmitri, on Russia? You’ve thought a lot about that.
Alperovitch: Well, I do think that at some point, we should be thinking about if you can’t beat them at this game, can you join them? And should we be engaging in our own information operations? Do some of the things that Michele is talking about to make it clear that two can play this game. Let’s be clear, when you look at the capabilities of our cyber command, they are head and shoulders above everyone else, including Russia, so can we unleash some of those capabilities of cyber command, NSA, and other intelligence agencies to actually do more in this space, and actually have effects beyond just sort of the kinetic focus that they traditionally try to think about, of can we disable this node or take down this? Let’s integrate our defense system, but can you actually do information operations—
Nakashima: What do you mean by that? Deception? Disinformation?
Alperovitch: All of the above, potentially. We should be thinking about how to use all toolkits of our power, including cyber, to achieve our effects.
Flournoy: I would add a slight footnote. I actually think what is most terrifying for Vladimir Putin is truth, is accurate information, and rather than thinking up a lot of deception measures, which has, I think, issues in terms of how our system works and our values and so forth, I think it’s more about outing him and those around him, about the truth of their ill-gotten gains, their actions, their corruption, their involvement in all kinds of illicit activities and so forth. So, I would start by just sort of making the truth known and using that as an information operation before I’d go down the road you’re talking about.
Nakashima: Point taken.
Alperovitch: Well, if you look at what they did in 2016, a lot of what they put out was actually truthful, as well, so it doesn’t have to be all deception.
Nakashima: Karim, what about Iran? To the extent that we want to make Iran behave, or change its behavior in malicious actions in cyberspace, what do you think their pressure or pain points would be? And then also, we can talk a little bit more about what you think they are doing now, will they do now that the U.S. has pulled out of the Iran nuclear deal.
Sadjapour: It’s a good question. Just for broader context, Iran is a third-tier cyber power with China, Russia, United States being first tier powers, European countries being second tier powers, Iran is really a third-tier cyber power, but what we’ve learned is that third tier cyber powers can have a huge impact on fifth tier powers like Saudi Arabia. Iran’s attack on Saudi Aramco was perhaps one of the costliest cyber attacks in history. And oftentimes, the most damaging cyber attacks don’t necessarily need to be that sophisticated, like Russia’s attack on the DNC proved.
So, Iran is a very motivated actor, and it can inflict a lot of damage. What Michele just said about Russia, I think also applies to Iran, in that I’ve always thought one of the best things that the U.S. government can do in its Iran policy is simply reveal to the public, especially to the Iranian public, how much Iran is spending on Shiite militias, on Hezbollah, on Bashar Assad and Syria, the Shia militias in Iraq, the Houthis in Yemen, because this is at a time of enormous economic duress in Iran. Iranians—one of the slogans people have been chanting when they take to the streets is “Forget about Syria, think about us.” So, I think to the extent you can just reveal—make public what Iran has been doing in the region, what it’s been spending in the region, that would actually be very impactful.
Mulvenon: And by the way, Ellen, having sat in some of the same policy and legal kinds of discussions internally that Michele sat through, there’s a tremendous blockage within the U.S. government’s system about telling lies abroad. Even though Congress has modified the laws that govern that to make it easier, we could actually rely on this, and we could say, “Well, our own system legally prevents us from telling a lot of untruths abroad, therefore everything we’re saying has to be true.” There will always be a percentage of the global population that thinks we’re pathological liars, but for some people, that will have a circular tightness to it that will be appealing.
Nakashima: Karim, recently we saw Iran ran some large information operation on Facebook, and Facebook took down a number of Iranian accounts that seemed to be promoting Iran’s policy goals. What do you make of that? Was Iran dipping its toe into the waters of social media manipulation? How does that fit into Iran’s larger use of influence operations? Should we be worried about it at all, or not?
Sadjapour: So, Iran operates in the cyber world the same way they do in the physical world, which is via proxy. They have their regional proxies. They like to try to maintain plausible deniability, and they like operations which are potentially very high impact and low cost, and cyber checks all of those boxes for them. They have plausible deniability. The folks who are their kind of cyber mercenaries aren’t necessarily—they work perhaps under the umbrella of the Iranian Revolutionary Guards, but in many cases, they are private citizens who are not card-carrying believers of the Iranian revolution.
And I think disinformation campaigns on Facebook, on social media, those are fairly cheap, and potentially high impact. What we haven’t seen is attacks on U.S. infrastructure, things that people may have been anticipating in the aftermath of the Trump administration’s pull out from the Iran deal. My sense is that at the moment, Iran is trying to project this notion that they are the responsible actor, and Trump’s United States is the rogue actor. Iran has maintained its commitment to the nuclear deal. This is a temporary phase, I would argue. It’s not going to be like this forever.
Another kind of notable statistic about this was over the last five, six years, there were hundreds of incidents of Iranian harassment of U.S. ships in the Persian Gulf, and the last year, it’s almost come down to zero. They haven’t really been testing missiles, either. But I expect that as things begin to escalate in the coming year between the U.S. and Iran, the cyber attacks will probably also increase.
Nakashima: What about North Korea, Dmitri, with denuclearization talks going on between Pyongyang and Washington? Do you think we’ll similarly see a ratcheting down of its malicious activities against the U.S.?
Alperovitch: Well, there are a couple things that are very interesting about North Korea. One, I would actually argue that they are one of the most innovative cyber powers, so when you look at sort of history, they were one of the first nation-states to actually use disruptive attacks at scale, back in 2009 against South Korean infrastructure, and then many other attacks that followed, on wave after wave. And really, they’ve perfected the use of South Korea, essentially as a testing ground for their cyber weapons, and a free fire range, if you will.
They also were one of the first ones to use influence operations against Sony, and I would argue that the U.S. government at the time really underestimated the power of leaking of emails. They focused very much on the destruction of the network and not the fact that employee’s data and emails were leaked out and terrorized the Sony employee base. And you could argue it’s been a blueprint for some of the other doxing operations we’ve seen from other nation-states afterwards. And of course, they engaged in traditional cybercrime operations, both breaking into banks and cryptocurrency exchanges in order to help fund their regimes.
So, they’re on the forefront of innovation in many of these areas, not necessarily technical capabilities but in terms of how you use cyber to achieve national goals. But one of the more interesting things is that we actually have had deterrence—effective deterrence of North Korea so far, in terms of targeting the U.S., with Sony being the one exception, they have not targeted the U.S. WannaCry was a kind of global attack that actually did not even have much impact here in the United States, mostly in Europe and Russia, interestingly enough. But with regards to direct attacks on our infrastructure, even though they have the capabilities, and they’ve demonstrated many times over in South Korea, they have not done it against us.
Nakashima: Why not?
Alperovitch: It’s an interesting question. I think that they have felt, at least until recently, that there was a possibility of kinetic retaliation against them, and they did not want to overtly attack the United States. In fact, even if you look at their activities in the last couple of decades in the kinetic space, yes, they’ve shelled South Korean islands, they’ve killed some South Koreans, they have never done that against a U.S. military force there. So, they’re clearly afraid of us at the moment, at least. We’ll see how things progress. But in terms of their activity now, what we’re seeing is actually ramping up of intrusion activity related to traditional espionage. They’re targeting South Koreans; they’re targeting policy people working on negotiations, just like any nation-state would in order to give them a better hand and try to understand what the other side is thinking. We’re not seeing them at the moment engaging in destructive attacks, and we’ll see how long it holds, but they’re certainly on a charm offensive right now.
Nakashima: Karim, do you see any evidence that Iran and North Korea are working together on cyber attacks or cyber operations?
Sadjadpour: I’ve often found in researching this stuff that those who know don’t talk, and those who talk don’t know. So, I suspect there is collaboration between Iran and North Korea and Russia, but they don’t do these things in an open light, so it’s very difficult to prove. But I suspect they certainly have learned from one another, and shared information with one another.
Mulvenon: By contrast, one of the most prominent Iranian hackers, who was doing research on attacking critical infrastructure, was a guest scholar at Tsinghua University, China’s MIT, for two years, learning about critical infrastructure and embedded control systems. That’s not to a level of state to state cooperation but certainly was an interesting phenomenon to watch.
Nakashima: So, Dmitri, in general, how big a threat are Iran and North Korea? If you have China and Russia at the top, which one would you say is next?
Alperovitch: Yeah, the way I would rank them is certainly you have Russia as the number one cyber power out of those four, from a technical capabilities perspective; China close behind, then a little further down, North Korea, and then Iran. But Iran is trying to catch up very rapidly to the others, and North Korea, I would say, is also improving dramatically, and is certainly trying to reach China’s capabilities from a technical perspective.
Nakashima: Okay. In the half a minute we have left, I guess I wanted to just sort of ask any of the panelists here, the White House just announced a cyber strategy that you may have heard about or read about and wondered whether you thought that would be an effective tool to counter these top four malicious cyber actors.
Alperovitch: I think one of the most important things in that strategy was a declaratory policy that we will do attribution alongside with allies, and we will punish threat actors, and we will do so routinely. I think that’s a very welcome change, where for the last 20, 30 years, the U.S. intelligence community has often known who the threat actors were, but rarely talked about it publicly, and also never engaged in actual punishment efforts against those threat actors. So, that change in policy is very much welcome.
Flournoy: The parts of the strategy that I think are really important but don’t get as much attention as deterrence in declaratory policy and operations are building international coalitions of like-minded states to share information, tools, approaches to bolster deterrence as a coalition. Really developing our private sector partnerships, particularly private sector companies that operate and own most of our critical infrastructure. We know it’s important, but we haven’t cracked the code on doing that well, in my view. And then finally, with cyber workforce development. We have a shortage of people in this country, both private sector, and definitely in the public sector, who are really expert, and can take these challenges on.
We need to fundamentally think about how do we recruit those people? How do we develop them? How do we incentivize them to stay? How do we create a highway of people going back and forth between Silicon Valley, say, and the government? And really focus on the human capital dimensions, which aren’t as flashy as some of the things we’ve been talking about here but will be really essential to our success.
Nakashima: Well, thank you very much. That concludes our discussion this morning. I’d like to thank Dmitri and Michele, Karim and James for being with us, and now, my colleague Cat Zakrzewski will take the stage for the next segment. Thank you.
Addressing threats to the private sector:
Zakrzewski: Hi everyone. My name is Cat Zakrzewski and I’m a technology reporter and the anchor of the upcoming Technology 202 newsletter here at The Post. It launches later this month, but you can sign up right now on The Washington Post website. I’m pleased to have Ann Johnson with us today. She’s the corporate vice president of the cybersecurity solutions group at Microsoft. We’ll be talking this morning about privacy, information sharing, and other cybersecurity issues from the vantage of the private sector.
Before we begin, a reminder to tweet any questions for Ann using the #PostLive. So, Ann, many people in this room were likely impacted by a corporate data breach in the last year, whether it was the Equifax data breach that was discovered, or the Facebook breach that was discovered just last week. So, maybe just to kick off this conversation, could you tell us a little bit about what you see as some of the common mistakes that companies are making when it comes to cybersecurity?
Johnson: Sure. That’s a loaded question. So, look, consumers and corporations are impacted by breaches on a daily basis. There’s an old saying in cybersecurity that there are two types of companies: those that have been breached, and those that don’t know they have been breached. And what we find—I lead the incident response practice for Microsoft for our customers globally, and one of the things that we find is that companies are not always as disciplined as they could be, with rigor around cybersecurity controls. And I’m not talking about the acquisition of new technologies or new tooling; I’m talking about the use of things like multi-factor authentication, the use of passwords for their domain environments.
There are things that we see with password sharing, with the reuse of passwords, with passwords being fundamentally weak, and unfortunately, with passwords being weak, it’s an area of attack. It’s a prevalent area of attack. We still see about 80 to 85% of breaches start with some type of phishing attack, so that’s the email you get into your inbox that looks like it’s from the legitimate source, but it’s not. You click on the link, you enter your credentials, and then your credentials are stolen. And that is the most common type of attack, still, and we’ll talk, probably, a bit about passwordless, but that’s one of the things we’re doing to try to address it.
Zakrzewski: And so, when you mention that these social engineering attacks are the most common way that a lot of these breaches start, are companies allocating their budgets properly to address that when they’re spending on cybersecurity?
Johnson: The interesting thing is yes, companies, though the spending on cybersecurity has increased every year for the past about five years, and it continues to increase, what I think we as an industry can do better on is education. I think we’re spending a lot on tooling; it is a large population of users. Some of them are not digital natives, so if you think about the workforce today, we have multiple generations, and some of them didn’t start with technology. I think we spend enough money probably on tooling; I don’t think we spend quite enough money on user education.
Zakrzewski: And so, what are some user education initiatives that have been effective, particularly at Microsoft?
Johnson: Sure. We phish our employees, so we send out an email that looks like a legitimate email, as a phishing attack to our employees. And then based on who actually clicks on those illegitimate links, we can then tailor an education program to either that business unit, or even to that individual. We do regular, recurring training on what to look for in a phishing attack, what to look for in a suspicious type attack.
I was talking to another government entity on a global basis recently, and the observation we made—and I’m old enough that I lived through the historic Cold War, and you would see in government buildings, you would see messaging and signage and things about don’t talk about this, and don’t do this. We don’t have that same type of passion around cybersecurity and that same type of visibility, so one thing we’ve advocated, and you’ll see in our elevators in our building, is an education.
So, the average person will walk in the elevator and see something about a phishing attack. You’ll see it on the monitors we have around our buildings. It’s just that kind of pervasive getting it into the psychology of individuals, so every day, they’re thinking about what could happen in a phishing attack, but also what a phishing attack actually looks like.
Zakrzewski: And so, Ann, I just wanted to get into the headlines from this week, and there’s been a lot of attention on this breach at Facebook that was announced on Friday, and it’s one of the first major breaches we’ve seen in the post-GDPR era, after that rule went into effect, and we saw Facebook disclose it within three days, and I just wanted to ask you, what impact do you think the new rules with GDPR and breach notification will have on industry?
Johnson: It’s an interesting question because as I watched Facebook’s response, there were a lot of things they did right in their response. But when you’re doing incident response, like any investigation, it doesn’t just happen overnight. So, you have this balance of needing to notify, but you’re notifying with an incomplete set of information, and information that is going to dynamically change. And I think that is the biggest challenge to corporations right now, is they will be forced to notify by some of these privacy laws that are coming with breach notification periods, but they’re going to be notifying a large consumer base of folks that are not necessarily technology savvy, with incomplete information, which could then send panic, depending on how it’s covered, depending on how it’s communicated.
There’s a lot of information that will get out there that will change dynamically over time, and the folks that are responding to it, I don’t mean the Facebook or the corporations—the individuals responding to it, and how they handle their account, they’re going to have to do maybe one or two steps to actually make their account secure as the information changes, and we find out more about the breach. And I think that’s the biggest impact of GDPR, if you think about the breach notification laws. There’s one being thought about in the U.S. There’s laws in China, Brazil that are coming online.
If you think about all of those laws, they’re going to dynamically change the way companies do incident response, because they actually have to have a notification that’s most likely during the course of an active investigation, and that changes the dynamic significantly.
Zakrzewski: So, what are some things that companies can do to kind of make sure that customers are getting that information during these evolving situations?
Johnson: It’s difficult but we have a pretty hard stance on privacy. So, you’re going to have to balance—we have a hard stance at Microsoft about privacy, customer data, how we handle it, but yet, you balance that against that breach notification, so companies are going to have to give, and they’re going to have to be incredibly responsible in their breach notification. Providing the information that is required under the breach notification doesn’t necessarily, though, give the consumer the information they need to protect themselves online.
So, it is a balance of making sure that you have a—in my view, we have a moral responsibility to make sure people can stay safe online, independent of a breach notification law. So, you want to give the maximum amount, a very descriptive and prescriptive information at the soonest point you can, while also being compliant. And you should be doing that regardless of whether you have to be compliant or not. There have been breaches in the past that have been—I’m not going to say hidden. That’s too big of a word. But there have been breaches in the past where the notifications may not have been soon enough as we would have liked them to have been, and it didn’t give consumers the opportunity to respond quickly enough to protect themselves.
Zakrzewski: And so, while we’re on this topic of GDPR, just wanted to talk to you a little bit about what Microsoft’s transition was like. What were the biggest challenges for Microsoft as this law went into effect?
Johnson: Like for all corporations, it was a fun time. We took a stance that we were going to be GDPR compliant in May, around the globe, so not just in the EU. We said it’s a good standard, it’s a good baseline for privacy, we know that there are other privacy laws that are coming along behind GDPR, and we felt it was a really good baseline. But we also felt, because of our ethos around privacy, that it was something that we should set an example; that we should be fully compliant, we should be private, and that EU standard was a really good standard.
So, as we went through the process of understanding where our data was, classifying the data, making sure that if I asked to be forgotten at Microsoft, no matter where I was around the world, that we had the skills and the tooling to automatically forget, because that, I will tell you in talking to customers globally, has been their biggest concern, is we don’t even know where necessarily your accounts are. We can’t identify them, and we don’t have automated tooling to remove you from every system. So, it was something that we took a laborious effort around within Brad Smith’s organization to make sure that we had the right tooling in place, so that we could be fully compliant in May, and we were fully compliant in May. There was also a tremendous amount, again, of employee education, user education that went around that time.
Zakrzewski: And so, we’re sitting here in Washington, and there’s a lot of discussion right now on the Hill about privacy, and whether we should have a federal law in the U.S. addressing privacy. So, I’m curious, looking at GDPR, after your transition, what are some things that lawmakers should look to in GDPR as they shape legislation here addressing privacy?
Johnson: I think the fundamental thing is that a user’s information, whether it’s a corporate or a personal information, is your information. You should be the owner of your information, and you should be able to determine what happens to your information. It’s our stance, by the way, at Microsoft, with our corporate customers and our consumers, that your information is your information, and we have an obligation, regardless of legislation, to keep that information private. And I think that if you take that as a baseline, then whatever regulations that you build from—the baseline of a corporation or an individual’s information—is their information and they are the ones that have a right to that information. Whatever legislation you frame around that will be with the right intent.
Zakrzewski: Interesting. And so, what are your thoughts on the California state privacy bill that is set to go into effect in 2020? Because it seems like that will also have an impact on the conversations around legislation at the federal level here?
Johnson: California is always such an interesting state, because—I lived there for a long time, also. They tend to be on the leading edge, and testing the waters, or what I say, breaking glass at times, around a lot of the legislation they pass, and sometimes it will get pulled back a little bit, but they’re always testing the waters to see how far they can go, because again, they’re taking it from what I believe is a very principled view of how things should be. Now, is that a practical view of how things should be? At times, yes.
I find their privacy legislation, though, that they are putting in place, not to be any more onerous than others that I’ve seen. I’ve seen the drafts of the China law, the Brazil law, and obviously, I’ve studied GDPR, so I don’t find their privacy legislation to be any more onerous than others, but it will be a litmus test of what can actually be held in the United States, and what we can do on a national basis.
Zakrzewski: And so, today we’ve heard a lot of discussion about cybersecurity threats to the public sector, and I just wanted to talk to you a little bit today about the relationship between the government and the tech industry when it comes to addressing cybersecurity. What kinds of things could be done to improve cybersecurity, information sharing, and that level of cooperation between these two groups?
Johnson: So, as you know, Microsoft, along with a lot of our peers, do a lot of sharing with the public sector. We actually have sharing relationships with all the Five Eyes, and we do a lot of—we have a very close relationship with the U.S. federal government with regard to threat sharing. That sharing is necessary. I actually am less concerned, to be candid with you, about the sharing between the private sector and the public sector, than I am about the sharing in the private sector. We are not as rigorous as we could be as a security industry in sharing with our peers.
Now, we’ve taken some actions in the past 6 to 12 months, things that we’ve done with our intelligence security association, which shares threats directly with our peers, and competitors, by the way. We do a lot of sharing of threats; we do a lot of sharing from our machine learning. We see something like six and a half trillion raw signals—so, low fidelity signals on a global basis of what could be a threat. We distill those down on a daily basis. Our peak day was like 15 billion, what actually were events we thought we needed to at least put in our machine learning engine for investigation.
We share that output. We share that output with our peers that have signed—that have joined our intelligence security association, but it’s those type of security, industry sharing amongst the private sector that I don’t see as sophisticated as I would like as we see with the private-public sector sharing.
Zakrzewski: Interesting. And so, what is holding the private sector back from having better sharing practices?
Johnson: It’s interesting. I’d like to—I’m going to take the higher road and say it’s not because it’s competition. I’m going to assume that that’s a baseline. I think it’s a lack of mechanisms. It’s a lack of consistency of how we look at information, so there are no standards necessarily, when you see threats signaling. What does it mean? There’s no easy way to pass that. There’s not a mechanism to do it. Until we had the cloud, we couldn’t even see things on a huge global scale at near-real time like we can today. It’s one of the benefits of the cloud in security, is that I can actually see something in Beijing before it ever hits the United States, potentially.
I think all of those things are in place. I will tell you that the Financial Services ISAC is the gold standard for information sharing, from my point of view, and I think that that is a model that all the other ISACs are adopting. As I see the maturity of the health ISAC and the manufacturing and regulated industries, I see those maturing, but I think that then the technology companies also—there have been a lot of starts and stops with the technology companies on mechanism for sharing, and I think a lot of it comes down to the mechanism to begin with. When it becomes hard, it goes in that hard to do task, and you don’t do it. We have to make it easier.
Zakrzewski: So, could you tell us a little bit more specifically about what your conversations look like today with a company like Facebook or Twitter or Google, when it comes to these practices?
Johnson: Absolutely. So, we’re having conversations with them on twofold. One of the conversations we had was with our tech accord, where we said we won’t help any nation-state hack civilians, basically. I’ll put that in the highest level. There’s a lot more detail to that, but that’s the highest level. The second thing is on information sharing, and it largely is wrapped around nation-state, by the way; threats we’re seeing, signaling we’re seeing, things that we’re seeing. If we see that a sector in the United States, a particular sector is being attacked by a particular actor, and we have reason to believe that it’s valid, then we’re going to notify our peers, also. We have a very explicit relationship in how we share with those type of peers, and how they share with us, also.
Zakrzewski: How does that work when you think about Microsoft’s global presence, and sharing with foreign governments?
Johnson: Yeah, it’s an interesting question. We have a government sharing program that is regulated by local laws and regulated by the fact that we’re a United States company. So, we will share with global governments if they are part of our government sharing practice, and if we’ve both signed on and we said, “This is the limitations, and this is what we can share,” but we do have a lot of rigor around what we will share with different government agencies globally.
Zakrzewski: Earlier in the conversation when you were talking about just the number of threats that Microsoft sees on a daily basis. You mentioned artificial intelligence. How essential is AI to the future of the private sector’s battle on the cybersecurity front?
Johnson: As you and I discussed earlier, I’m writing a whole series of blogs on AI. I’ve been in technology and security long enough that I don’t chase the shiny object, whatever the newest shiny object is. So, I decided to take this mission of writing a blog series on what is the practical application of artificial intelligence in security? What can we actually do with it today, versus what’s this big pie in the sky promise? And I will tell you the ability to synthesize six and a half trillion potential events—low fidelity signal—that’s something that when you look at machine learning, and you layer artificial intelligence on top of it, you can get smarter about faster.
And that’s what it’s about; it’s about being able to detect faster and being able to separate what’s a real threat versus what’s a false threat and giving your admins—someone on stage earlier talking about the cybersecurity hiring shortage globally. It’s millions of people. It depends on what stat you look at, which means the people you have, you want working on real data. You want them working on real things that are actionable, and you want them working on the highest priority tasks. So, the ability of AI to deconflict for your security admins is one of the most practical use cases today, and we’re using it today, and we have some examples of that, because I think that is probably a thing that we can actually be super tangible to anybody, and I see a lot of organizations, by the way, using AI in that way today, as they bring it to maturity.
Zakrzewski: So, I’m just curious because I just moved to DC from San Francisco, and it felt like when you’re meeting with technology companies there, they’re all constantly talking about AI and cybersecurity. What areas do you think that might be overhyped in?
Johnson: I don’t think that it’s, like everything, a be-all end-all. I don’t think that those six and a half trillion signals suddenly get better and become the one thing. This is the one thing we have to chase. I still think it becomes a lot of things that we have to chase, and what’s most important? I’m studying particularly how AI can help us with malware detection, and be more predictive, by the way, so if we see an attack in a certain region or sector, can we predict where the next attack is going to be, before it ever happens? Can we model that with AI?
I’m doing a lot of things—research right now in IoT detection. Remember, there’s a lot of devices—if you think about your home, your Nest, or your Ring doorbell, or whatever it is, there’s a lot of also legacy devices, older devices that were built and you can’t even change the password on, and they’re talking to the internet. So, I’ve been doing a lot of research of how we can actually do better detection with IoT devices and how they come into your environment, where they touch, what they talk to, and being, again, predictive about their behavior with using AI.
I think that’s an interesting—it’s not there yet, but I think that’s an interesting use case, versus, like I said, some of the—we’re going to solve security through AI. I just think you can’t make that statement about anything. To start with, you’re never going to solve cybersecurity. Solve is a big word. It’s part of our ecosystem now, just like burglary, robbery, whatever it is. Cybersecurity is going to be around forever. We just want to stay a step ahead of the bad guys, just like we do in any other type of crime.
Zakrzewski: You kind of alluded to this earlier, but as we look at what’s next for the industry, every time we have a major breach, there’s a lot of warnings and reminders to consumers to change their passwords. Why, in 2018, are we still using alphanumeric passwords?
Johnson: That’s a great question. So, we are on a mission, I think you’ve heard in a lot of what Microsoft has said over the past 9 to 12 months, to be passwordless. Now, what does that mean? It means that passwords as we think about them are going to significantly change. It means that if you think about your phone, I have an iPhone that I carry, so I authenticate to that iPhone with my thumb or my face. All of my applications, I have an authentication method that’s not a password anymore, by the way. I’m using my thumb or I’m using something else to authenticate.
That’s what passwords should look like to your consumers and your corporate entities, by the way, over the next 18 to 24 months, so that the means of authenticating is frictionless, so it’s easy for people to use. They’re not having to remember a complex password, and then it’s the same password. Here’s the challenge: most people reuse the same password for the six to ten sites that they use, because it’s the one they remember. When that gets breached, those six to ten sites that they’re using online, they’re also compromised. We just want to take that away and say, you’ll never have to remember, think about, change a password in the future. We want you to authenticate in ways that are easier for you to authenticate, and still things that are incredibly unique to you, like your face, your thumbprint, or your voice. And by the way, an ear is just as unique as a fingerprint, so things like that are what we’re trying to build into the ecosystem.
Zakrzewski: Really interesting, but what happens when I have a password that’s stolen, I can change my password, but obviously when you have facial data or fingerprint data, you can’t change that once it’s been taken by someone. So, can you talk at all about how the industry is thinking about that issue?
Johnson: Yeah, the security around—so, without getting super-duper technical, the hashing, the algorithms, the security around securing that biometric data is very, very strong. By the way, I never say anything can’t be hacked, because anything can be hacked, okay? But the security around that data is incredibly strong, and if by chance, your facial recognition was compromised in some way, and reused, you still have your ear, you have ten fingers—you have toes, by the way. We don’t want to go there, but you do have toes. But there are other ways—voice. You think about me, I have a very unique voice. It wouldn’t be easy for someone—yes, they could record my voice and attempt to reuse it, but they’d have to be saying the right words.
And by the way, that’s a common—what we call vishing attack, so voice phishing attack right now is to actually get you on the phone and have you say yes. And that yes, they will reuse in different systems. So, it’s something when you—I just don’t answer any unknown numbers anymore. It’s my own security control. If it’s an unknown number, I feel if someone wants to reach me, they’re going to leave a voicemail. I will not answer a number that isn’t from someone that’s programmed in my phone any longer. But there will always be—the joke is why do people rob banks? Because that’s where money is. There will always be hackers. They will always be thinking of new and innovative ways to steal money or to steal information.
Zakrzewski: I want to be mindful that we have Secretary Nielsen coming on stage next, and I know she’ll be discussing election security with my colleague Derek, and so, I just wanted to ask you, what role do you think the private sector has to play as we think about security heading into the 2018 midterm elections?
Johnson: So, I think we all have a responsibility in the—especially the private tech sector, and we’ve rolled out programs globally in our Defending Democracy program, where we’ve rolled out something called Account Guard, where we’re actually giving away to any political campaign, any candidate, security tooling free. So, if you’re already using your Microsoft Office 365 email, we’re going to give you the security tooling free as part of our Account Guard service. If you sign up, we’re also going to be hunting on your behalf, and looking for those potential nation-state indicators into your campaign, and we think it is a responsibility that we have as a company that functions in the United States to do this, regardless of what side of the aisle you sit on. We also think it’s a responsibility we have globally, so we’re offering this out to global governments, too.
Zakrzewski: We talked a little bit earlier about partnerships between various tech companies and whether information sharing could happen. How is that working, looking at election security particularly? How much are you in contact with the other technology companies, like Facebook and Google, who are also addressing this problem?
Johnson: As I mentioned earlier, we share indications of nation-state attacks, and that’s regardless of industry segment, etc. It would be the same type of sharing.
Zakrzewski: Got it. Well, that’s all the time we have today. Thank you, Ann, for being here, and now please welcome my colleague Derek Hawkins, who will lead our final conversation of the morning with Secretary Nielsen.
One-on-one with Homeland Security Sec. Kirstjen Nielsen:
Hawkins: Good morning. My name is Derek Hawkins. I’m a national security reporter at The Washington Post focused on cybersecurity. And the author of the Cybersecurity 202 newsletter. I’m joined by the highest ranking official at the Department of Homeland Security to discuss the Trump administration’s cyber agenda. Secretary Kirstjen Nielsen is the sixth secretary of Homeland Security. Previously, she served as White House deputy chief of staff. And before that, chief of staff to then-secretary of Homeland Security, John Kelly.
Madam Secretary, thanks so much for being here. We’re a month away from the midterm elections.
Nielsen: Yes, we are.
Hawkins: How much more secure are we? [LAUGHTER] I’m glad we got that out of the way. [LAUGHTER] How much more secure are we this time around than we were two years ago?
Nielsen: So, we have made tremendous strides. I think everybody that is part of the ecosystem can take quite a bit of pride in that. DHS is now working with all 50 states. As you know, we’ve created all the governance functions that are attendant to critical infrastructure sectors, such as the sector coordinating council, the government coordinating council. We have an information sharing and analysis center.
We have sensors, network intrusion sensors out, such that about 90% of people who vote in this election will be voting in an area that’s covered by a sensor. We have HIRT teams ready to go. We’re doing vulnerability assessments, hygiene scans. We really and truly are throwing anything and everything we have at it, at the request of state and locals in support of their efforts.
Hawkins: And do you feel like you’re getting enough participation from state and local governments? I know there’s been some reticence from a lot of local election officials about the federal government’s role in election security. How do you feel about that?
Nielsen: I think, you know, the partnership just continues to grow. I mean, ISAC is a perfect example. This is the fastest growing ISAC we’ve ever seen. In six months, we have over a thousand participants. And I think that shows that we have overcome the trust deficit that perhaps existed in some relationships at the beginning. But it’s very strong. States are taking this very seriously, all the way down to the county level.
Hawkins: And you mentioned the ISAC, which is the center for state and locals to share election cyberthreat information. And you said more than a thousand have signed up so far, but there are 10,000 local election jurisdictions around the country. What about the other 9,000? What’s your message to them? Where are they?
Nielsen: Each state is different. You know, I feel like I say this in every part of DHS. So whether it’s an airport, in this case, an election system, you’ve seen one, you’ve seen one. So they are managed at a local level. They are tailored to what works for the particular electorate. So in that case, some states are choosing to use organic capability. Some are choosing to hire—
Hawkins: What do you mean by that, “organic capability”?
Nielsen: In other words, just through their CIO or their CISO. You know, they might have a team in and of itself that can address the vulnerabilities that are found on the system.
Hawkins: And are those teams strong enough to defend against a nation state?
Nielsen: So it’s a combination. Some do that, some are hiring third parties, some are working with us. There are some states that are utilizing the National Guard. There’s a variety of ways in which you can bring your capability and capacity up to speed. Each state is doing it a little bit differently.
Hawkins: You’ve said that DHS hasn’t seen the same scale of Russian election interference as it did in 2016. If you do start seeing that type of activity again, what’s your plan for dealing with it and how does it differ from two years ago?
Nielsen: So two ways. First of all, the information sharing is much stronger than it ever has been before. So working very closely with the intel community. The moment that we see something significant, we are, in conjunction with the IC, sharing with our state and local partners. And it’s not just the owners and operators, so that’s another big difference. In some cases, the state election official or the Homeland Security advisor is not necessarily the owner-operator of the electoral processes. So we’re sharing with all those people because they all play a particular role.
So the sharing is quicker, faster, and more tailored. We’re pulling more, collecting more from the intel community. And then through the sensors, we can real-time see, based on a given threat indicator, if there is any intrusion in the system.
For election day, we’re setting up a situational awareness room, sort of a virtual place where everybody can share quite quickly. We are actually pre-deploying some HIRT teams, some incident response teams, so that should there be any concern, we’ll be there to support our partners if they need it.
Hawkins: Where is this situational awareness room going to be and what’s it going to look like?
Nielsen: It’ll be in D.C.
Hawkins: It will be in D.C.?
Nielsen: It’ll be in NCCIC. Yes. So the National Cybersecurity Communications Integration Center at DHS.
Hawkins: You know, it took DHS more than a year to notify states that Russian hackers had scanned their systems, and in a couple cases, actually penetrated them. Will we have to wait that long to find out if it happens again this time around?
Nielsen: Absolutely not.
Hawkins: Why is that?
Nielsen: Now we know who to call. I mean, that seems like such a basic point, but I referenced it earlier. Traditionally, DHS works with the owners and operators of a given sector. But in this case, those owners and operators were not always the elected officials, nor were they our more traditional partners, such as a Homeland Security advisor. Now we have everybody on speed dial. I have been around the country talking to different secretaries of state, for example. Certainly, Chris Krebs, our undersecretary, and Jeanette Manfra, our assistant secretary, have.
But we have constant conference calls. We hosted one recently with Facebook, so that the social media companies could also begin to work directly with the states on the influence part of this. As you know, we have lead for the infrastructure piece, but we all continue to remain concerned about just the meddling.
Hawkins: Sure. As you mentioned, DHS does a lot to advise state election officials on ways to improve their cybersecurity. What happens when DHS goes into a state and says, “Okay, here’s Arizona, where you’re most vulnerable. Here’s Michigan,” or whoever, where your main vulnerabilities are? What happens if they don’t have the money or the resources to make the fixes that you recommend?
Nielsen: So, a lot of our—well, all of what we offer is voluntary and free to them. With the sensors, we offer two free sensors per state. Many states have chosen to purchase additional ones. As you know, there’s 380 million that’s being allocated through the Help America Vote Act. So that will help different states increase their infrastructure and their systems.
But what we do is we supplement, so we’re not meant to supplant. But if they need particular help on a vulnerability assessment or hygiene scan, we then offer that. I think the clip you showed—I think, if it’s the one I’m thinking of—what I was trying to say there is, of the 16 sectors, we are absolutely prioritizing any request that comes in for any of our tools. So we’re sort of providing assistance in kind, if you will.
Hawkins: But do the states need more money? You talk to pretty much any secretary of state—
Nielsen: If you ask the states, I think they would say “yes.”
Hawkins: What do you say?
Nielsen: You know, I think they need consistent funding, and that’s always a difficulty across the Homeland enterprise. We have the same issue with Homeland Security grants. You fund something one year, and then the next year there’s a shortfall, and what do you do then to maintain the capability and capacity? Some states have done this very well. Ohio, for example, has a system where they have used state funds to upgrade election infrastructure, but asked the counties to match. So it’s a partnership at the state and local level to make sure that they have what they need.
But states need to be budgeting it, they need to be thinking through. And if they need federal assistance, they need to be making clear what the specific ask is.
Hawkins: So would you call on Congress to send more money to the states?
Nielsen: The states are our partners. If the states need more money, they should absolutely go to Congress and ask for money.
Hawkins: Does the federal government need to take a greater role in election security?
Nielsen: I don’t think so. I mean, I think we have a very good mix right now, both on the intel piece—so if you start way left, if you’re thinking of a physical event, way left of boom. On the awareness, the training, the hygiene scanning, the workforce development, all the way through that incident response and how we get the system, any critical infrastructure system, back up and running.
I think we have the right mix. It’s a voluntary partnership in this particular sector, but that’s constitutional. State and local elections are run by state and local authorities.
Hawkins: President Trump made a pretty shocking claim last week. He said China is attempting to interfere in our upcoming 2018 election. “They do not want me or us to win.” Has DHS seen attempts by China to interfere in U.S. elections?
Nielsen: So this is where I always have to pause and make sure we’re talking about the same thing.
Nielsen: So there’s probably two—some people say three—but at least two categories that we’re worried about. One is the direct attacks on election infrastructure. That is where DHS has the lead. The other is this more nefarious, frankly, but also nebulous area of foreign influence. That can be done through state spokesmen in a foreign country. That can be done through state-run media. In Russia, that could include RT and Sputnik.
In the case of China, it’s part of a more holistic approach to influence the American public in favor of China. Russia is more—at the moment—focused on sowing discord on all sides, and through that chaos, hoping to promote their own policies. So it’s slightly different. China’s playing, perhaps, a longer game and more holistic game. Russia is being pretty noisy about it right now in terms of not just their use of state-run media, but also what we attribute to be social media personas.
Hawkins: But respectfully, in the past two years, as we’ve talked about election interference, we usually hear that referred to in the—or when we talk about—I’m sorry—when we talk about election interference, we usually hear that from intelligence officials in reference to Russia’s activities, in reference to cyber activities. Are we seeing those types of things? There’s a difference between an attempted hack on a political organization, for example, and planting a favorable ad in a local newspaper or something like that, or broadcasting from a propaganda channel. Are we seeing the same sort of cyber interference from China?
Nielsen: So, to answer that two ways, one, we currently have no indication that a foreign adversary intends to disrupt our election infrastructure. But I will immediately follow that with, this is a point in time. We know they have the capability and we know they have the will. So we’re constantly on alert to watch. But what we see with China right now are the influence campaigns, the more traditional, long-standing, holistic influence campaigns.
Hawkins: Why does the White House seem to have such a hard time focusing on Russia, which is where the intelligence community says the major threat is?
Nielsen: I think the president has been clear, I’ve been clear, the intel community has been clear. We all support the intel community assessment from 2017. Actually, you know, I would also say to those in the audience, it’s worth rereading. There’s a lot in there that is still very relevant today, including an entire annex, in that case, on Russian propaganda and how they actually use state-sponsored media and others to try to influence and sow discord in our society.
But I think we’ve all been clear. The ICA is pretty clear with respect to interference attempts in the 2016 election by Russians.
Hawkins: Yes, but does it make your job harder? Does it make it harder for DHS to get local election officials on board, to take action on election security when the president refers to the Russia investigation, Russian interference as a hoax, as he has?
Nielsen: So when you say “Russia investigation,” which—
Hawkins: The investigation in Russian interference.
Nielsen: Okay. So, I think, the ICA. I mean, we have a conclusion on 2016. What we’re working on now, day by day, is making sure that we update state and locals on anything we see that changes. So, no, I don’t think so because I think that information-sharing partnership is there. So we’ve been clear in the past, now we’re looking at today and moving forward. But always, I want to stress the capability and will is there. So we would all be foolish, if we say today that we don’t see any indication, to pretend or assume that we won’t see one tomorrow. We have to be ready and prepared.
Hawkins: Do you feel like you have the full-throated support of the president in your election security efforts?
Nielsen: I do, yes. He takes it very seriously.
Hawkins: You’ve talked about deterring cyberthreats by replacing complacency with consequences. How do you do that? How does the United States do that when the president has been so accommodating to some of the leaders of the countries that we know attacked us, not just Russia, but also North Korea?
Nielsen: So we actually have a full suite of consequences that you’ve started to see in different ways. At DHS, for example, as you know, we have lead for the network defense of the Civilian.gov agencies. As part of that, we’ve used our binding operational directive authority to take companies offline that we know pose a threat. For example, Kaspersky.
We’ve also seen indictments. We’ve seen sanctions. We’ve seen attribution. We’re using the CFIUS process to think about supply chain. So we’re really looking at it full and that’s the diplomatic, as well. And then there are seen and unseen. And then also we’re looking at much more proactive defense that we have used before. And what I mean by that is sort of disrupting the connections, communications, as well as actually disrupting the infrastructure.
But I do think the national cybersecurity strategy that was just released makes it very clear, there will be consequences, there will be a price to pay, before and after the activity. And we will all work together as a full government.
We’ve also been working very closely with our allies. I was just at a Five Eyes ministerial about a month ago. We talked quite a bit about this. Depending on which Five Eye country you are, you see attempts to interfere elections, both from China and from Russia, and we’re all uniting in our—not just our attribution, but in levying consequences against those countries.
Hawkins: Does it really qualify as a whole-of-government response if the president isn’t out saying unequivocally, every day, “This is where the threats are. We know this is a problem”?
Nielsen: I think whatever the president says is that he agrees with the IC. The IC is out there almost every day. I’m out there almost every day. NPPD is out there almost every day. So we continue to raise—and I would say state and locals as well. I mean, they are taking this very seriously and doing all that they can to make sure that there’s redundancy and resilience, as well as actually to protect on the front end, their networks and systems.
Hawkins: Over the summer, the Justice Department announced a new policy that is going to start alerting the public to malign influence campaigns, some of these social media and disinformation campaigns that you mentioned. DHS is obviously intimately involved in that, as I understand it. Can you give us an update on the progress that you’ve made? Have you worked more closely with social media companies? Have you been able to identify any new threats?
Nielsen: Sure. So, yes and yes. FBI has lead for that particular line of effort, but we also at DHS have a countering foreign-influence taskforce that we plug in with the FBI. Together, we’ve met with social media companies. We’re trying to identify known false personas. You know, I encourage everybody, if you are reading something or you link to something and it suddenly takes you to RT and Sputnik, be aware. I mean, those are state-sponsored news outlets. They are not independent.
So a lot of this, too, is just awareness, raising awareness for all citizens as to where to seek their news and what assumptions they should make about what they read in terms of who’s printing it.
Hawkins: Is DHS sharing specific information with social media companies? I know there were some concerns about that. Undersecretary Krebs went out to Silicon Valley to meet with some of those companies about whether or not DHS was sharing enough information with them. Are you sharing specific information about the campaigns that you see, or is it more just kind of a general, “We’ve observed this kind of malign activity on your platforms. You need to do something about it”?
Nielsen: So it’s a combination of all of the above. We share as much as is appropriate within the legal constructs of the law and privacy. But we absolutely—to the extent that we know specific personas are false, we share that with them.
Hawkins: Do you attribute with them—[OVERLAPPING]
Nielsen: Sometimes we can and sometimes we can’t.
Hawkins: Why not?
Nielsen: For example—well, attribution can sometimes be difficult, as you know, for a whole variety of reasons. What we will see, as an example, is constant scanning of systems throughout critical infrastructure. So even at that phase, we will alert that we’re seeing that well before we can attribute it and well before there’s any compromise. It’s just the scanning. You know, it’s the equivalent of someone checking to see if there are any windows open. At that stage, we let all of our partners know, “We’re seeing this activity. Take a look at it from your side.” We do provide those threat indicators and then they use those through a variety of our programs, automated indicator sharing, or through the ISAC and the Albert sensors, to understand what is happening on their networks.
Hawkins: And we’ve seen some of this in the electrical grid, as well.
Hawkins: And now, obviously, Russians are not in a position to cause widespread blackouts. I think there was some confusion about that. But what are they doing there?
Nielsen: So, they are—in my opinion—they are doing research. They want to know how it works. Perhaps to—you know, use a phrase—to prep the battlefield for a future disruption or a future attack. We do see scanning often. As you know, we all did witness the blackouts in 2015 and ’16 in Ukraine. We also saw a massive Russia-led critical infrastructure campaign from about 2016 to this year. We put out a technical alert with the FBI. But that was industrial control systems at large and it was a multistage attack. It was quite sophisticated. It used a third party to get into a system, to get credentials, to then put in malware, to then activate the malware, to then get additional information to scan the industrial control systems to see how they work.
So I think they’re active. I agree with you. By the way that our grid is right now and the distributed nature, we do feel that there is resilience built in. We continue to work with the sector. But we’re also trying new things. The Department of Energy is very active, as well, as the sector-specific agency. We at DHS are trying out a pilot called “Project Sentry” where we will look at that boundary between the business system and the operational system to see if there’s any crossover because that’s the other area that we’ve been closely tracking. When you get into one system, do they have the capabilities through that door to get into the industrial control system?
So a lot of activity, watching it very closely. But they do have some capability, absolutely, to disrupt ICS systems.
Hawkins: We’ve heard a handful of reports from tech companies, like Microsoft. This came up a little bit in the last discussion, about Russia, potentially other adversaries, targeting the email accounts of congressional candidates, of Senate staff. Are we going to hear anymore from DHS about the specific threats that you’ve detected?
Nielsen: So, yes. But I would also say that we—as you know, we do everything based on a voluntary model and trust. So generally speaking, we do not out the victims. We notify the victims. We and/or the FBI. In some cases, the victims choose to make a public announcement and sometimes they choose not to. But we work with them and give them as much information as we can.
I will say, we are seeing more and more sophisticated spear phishing attacks. They use very traditional stagecraft to find out everything about you—you know, what your dog’s name is, what you like, what your parents are, who your parents are—so that when they send that spear phishing email, it does in fact look like it’s from somebody that you know, about something you recently talked about, so that you’re more likely to click on it.
So the hygiene scans become very important. We’re offering that to state and locals in the election context. But just in general, to make sure that we’re all constantly updating passwords, access control, making sure we know who’s on the system and why, and if they have an authorized use to be on the system. All of that becomes very important to try to counter that more sophisticated attack.
Hawkins: And we saw some of that in 2016.
Nielsen: We did.
Hawkins: State election officials were targeted. Some voting vendors, I believe, were targeted. Are you saying that you’ve seen more of that? Who is being targeted here?
Nielsen: Yeah. I don’t know that we’ve seen—I would refer to IC. I don’t know quantifiably if we’ve seen more. But we absolutely see attempts to scan systems, to spear phish, to get—[OVERLAPPING]
Hawkins: Election officials?
Nielsen: Not election officials, just general campaign officials, some of the campaigns. We haven’t seen any major compromises as of yet. But again, it’s that preparatory work that should raise everybody’s shields and make you more prepared to look for the next shoe to drop, right? What are they going to do next after they get a credential, for example, or after they have access to your email?
I think what we saw in 2016 is they gathered emails and then they dumped the emails, they publicized the emails. They didn’t try to alter. There’s no evidence they altered any of the information, but they obviously had a motive that was nefarious behind hacking and grabbing that data, and then publicizing it in an unauthorized fashion.
Hawkins: Can you say anything more about the victims of these types of attacks this year? Any more about who has been targeted?
Nielsen: No. Not at this time. [LAUGHTER]
Hawkins: Okay. There’s a bill moving closer to the goal line right now in Congress that would essentially put DHS in charge of civilian cybersecurity and create a cybersecurity agency within DHS. What’s the hold up? Why hasn’t Congress been able to pass that?
Nielsen: I’m tempted to give you my cynical answer. I’ll try not to give you that one.
Hawkins: We’ll take the cynical answer. [LAUGHTER]
Nielsen: The Cybersecurity and Infrastructure Security Act, it has bipartisan support. What it is meant to do is to recognize the import of the mission that we have at DHS. We are responsible, as I mentioned earlier, for federal efforts when it comes to both protecting critical infrastructure, working with the owner-operators in private sector, but also to protect all those Civilian.govs. That’s all of the civilian agencies and all of their networks.
To do that, we have to have both a name that indicates that is what we do, and we have to be able to streamline the organization so that we can become more operational. We also want to pivot—this is a main part of our strategy at DHS that was also reflected in the national strategy—away from particular assets and systems to a much more holistic view of systemic risk, those cross-cutting interdependencies, and how we can all play a part, looking at the weakest-link problem to attack it.
That is what CISA will let us do. Why hasn’t Congress passed it? Calendars are tight. It’s an election year. They’re not in as much as they might be in another year. It’s difficult, I think the leadership would say, given other priorities, to schedule the vote. But it is a priority of both sides. It’s bipartisan.
Hawkins: Is it really just kind of a procedural thing? Are there holdouts? This doesn’t seem particularly controversial.
Nielsen: We’re not aware of any holds. Early on, there were some holds because there was some concern that the bill gave DHS new authorities. It doesn’t do that. DHS is one of those—it’s probably the only one of its kind. We were created late in time, as you know. We are only 15 years young or old, depending on how you look at that.
And what that means is we are put together by a bunch of legacy departments. We have hundreds of committees of jurisdiction. DOD has four. So when you look at it that way, you have to get all committees to agree to move forward in some of these areas. That takes time. But we passed all those hurdles. We answered all those questions. We revised the text as necessary. I’m very hopeful that we get this on the president’s desk for signature this year.
Hawkins: It seems like there are still some skeptics, though, in government, former officials. And we just heard from General Petraeus, who has sort of expressed some skepticism about whether DHS really has the tools it needs to carry out this mission. And he wrote an essay recently in POLITICO where he said DHS has too many cybersecurity responsibilities on its plate. And he called for this national cybersecurity agency. What do you think of that?
Nielsen: We are the national cybersecurity agency. I think that’s why we need CISA to just make that clear. I would answer that two ways. My concern is, first and foremost, just a pragmatic concern. It has taken DHS a good bit of time to integrate all of our myriad of missions to organize properly and then to ensure that we have the authorities, tools, and resources to meet that mission.
If we stop right now, in the middle of this tremendous increase in attacks in the cyber realm, to take parts of FBI, take parts of DHS—and by the way, at DHS, it’s not just NPPD, it’s Secret Service, it’s ICE, it’s Coast Guard. They all have cyber roles—to take part of CTIIC, to take, perhaps, part of NSA, put that all together in a major government reorganization and pretend that it could immediately effect change in this realm, I think is not accurate. I do not believe that that is the way to go.
What we should do is take all of the capabilities, all of the trust, all the multiple of partnerships that we’ve built, both international, with the private sector, with state and locals, and the interagency, and strengthen it, and continue to build on that. But the groundwork is strong. The framework is strong. All the governance is in place. All we’re looking now is to refine and, in a different way, tailor what we offer.
As you know, we just announced the National Risk Management Center. Part of that is to do that. What is the next level of maturity in terms of both understanding risk and then making sure that what we offer is useful to our partners. So it’s the ability to ask them, “What is it that you need? Let us help develop it and then give it.” You know, let us help you, help you sort of approach.
Hawkins: We’re almost out of time, but I want to ask one last question. Your department has so many cyber priorities, from cybersecurity, which we’ve been talking about today, to counterterrorism, to immigration, to border security. What would you say has been the hardest part about heading up the Department of Homeland Security since your first day on the job last December?
Nielsen: December, yes. It might be a bureaucratic answer. My biggest concern is that we are not poised to anticipate and defend against emerging threats. So it could be cyber. You’ve heard me speak a lot about drones. It could be evolving threats within the chemical and bio realm. But we traditionally have not had the procedures in place. Again, remember, we have 100 committees we have to get something through to get authority.
I worry about that. Things are developing so quickly given our connectivity, given the pace of innovation, that I worry we won’t have time to develop what we need to respond to the evolving threats. That’s been the most difficult, to change our posture to one that is much more forward-leaning and anticipatory, horizon scanning, addressing today’s threats. But being prepared today for what will come tomorrow.
Hawkins: And what’s the biggest obstacle to reaching that poise?
Nielsen: You know, part of it is Congress. We’ve got to re-organize the way Congress does oversight for DHS. We need oversight. A hundred committees is not workable. Just with drones, I had six different committee chairs tell me that drones were in their authority. That’s just not workable when you’re trying to do something quite quickly.
And drones are a perfect example. I mean, the reason we need authority is because the laws are so outdated that for DHS to have the ability to identify and monitor or track a drone, I would need a warrant. Drones fly 150 miles per hour. When one is flying at a soft target, I will not have time to get a warrant. But we’ve been talking to Congress about this for a year and it’s another example where I still have not received the authority we need to protect the homeland.
Hawkins: It sounds like you’ve got your work cut out for you. [LAUGHTER]
Nielsen: It’s a good challenge.
Hawkins: Well, unfortunately, that’s all the time we have for today. Thank you, Secretary Nielsen.
Nielsen: And I want to thank you and I want to thank you for having this. As you know, it’s National Cyber Security Awareness Month. We greatly appreciate you holding this type of event. It’s a team effort. I’m sure you’ve heard that throughout the day. We all have to play a role. This truly is a weakest-link issue. So thank you very much for having us all here.
Hawkins: Our pleasure.
Nielsen: Appreciate it.
Hawkins: Thank you. And that also concludes—by all means.
Hawkins: And that also concludes this year’s Washington Post’s Cybersecurity Summit. To watch highlights from today’s program, go to WashingtonPostLive.com. Thanks everyone for being here.