The Washington Post

Transcript: Securing Cyberspace with Sen. Angus King (I-Maine) and FireEye CEO Kevin Mandia

MS. NAKASHIMA: Good afternoon. I’m Ellen Nakashima, a national security reporter at The Washington Post.

My first guest today is Senator Angus King from Maine. He's a member of the Senate Intelligence Committee and co-chair of the bipartisan Cyberspace Solarium Commission.

Welcome, Senator King. It's great to have you.

SEN. KING: Ellen, great to be with you on a very timely topic. I'm absolutely convinced we'll fill the time quite profitably.

MS. NAKASHIMA: Indeed. Let's dive right in, shall we, Senator? Earlier this month, President Biden sat down with President Putin in Geneva and warned him on cyberattacks, including ransomware. He said, "We have significant cyber capability," and if, in fact, the Russians violate basic norms, the United States will respond with cyber in a cyber way. Do you think his signaling to Putin in this way will have any deterrent effect?

SEN. KING: I think it will, and I think it's important. It was a very, very important step, Ellen, because for the past 15 years or so, we haven't had much in the way of a deterrent. We've been a cheap date in cyber where we've been attacked repeatedly in a variety of ways and no real serious response, sanctions here and there, but I believe that having a deterrent is absolutely critical, otherwise they're just going to keep doing it.

Cyber is cheap. Putin can hire 8,000 hackers for the cost of one jet fighter. Think of that for a second, and that means cost is not really any kind of deterrent or disincentive. They've got to feel that they're at risk. I want somebody in the Kremlin, in the Politburo, to say, "Gee, boss, I'm not sure we ought to do this because we're liable to get whacked in some way by those Americans if we follow through." The best cyberattack is the one that doesn't happen.

MS. NAKASHIMA: Well, for years, U.S. government policy has been that we do not have to respond to cyberattacks with cyberattacks. In fact, doing so is not always, as you know, the most effective counterpunch, certainly not alone. When there is a cyberattack that affects our critical infrastructure, like a pipeline, do you think that we should respond in a cyber way, and should we target adversaries' critical infrastructure?

SEN. KING: Well, I don't think we need to be that specific. I don't think we need to say the response has to be cyber for cyber or critical infrastructure for critical infrastructure. I think the important thing is that we have a clear declaratory policy that there will be a costly response, and I don't think it's helpful to be terribly specific about what that would be.

Now, that means something more than we will respond in some way of our choosing.

MS. NAKASHIMA: Right.

SEN. KING: I don't think that's sufficient. I think it has to be specific, and it has to be quick.

MS. NAKASHIMA: In fact, President Biden said we will respond in a cyber way, which I think was what made me take notice. I mean, do you think we should respond in a cyber way to a cyberattack?

SEN. KING: Well, I think that's one of the tools in the toolbox. I don't think it necessarily should be the only tool. There may be others in the way of sanctions or other things that can be done that will send a message that this isn't anything to be trifled with in terms of our country. I'm not prepared to say it should be cyber for cyber, but I do think that what the president did was signaling a deterrent policy is a big step forward, and it's one that I support.

MS. NAKASHIMA: Well, one of our audience members, Mike Russell from Virginia, sent us a question which follows from this line of discussion. He asked, "What role, if any, should the military play in defending critical infrastructure or even the private sector in cyberspace?" And I'd like to ask you if it should specifically be enabled to counter non-nation-state adversaries, for instance, to disrupt networks of criminal ransomware actors overseas, so you could answer both of them.

SEN. KING: My answer to the second question is yes, that to the extent we have the capability--and I believe we do--to disrupt criminal ransomware attackers or criminal gangs in other countries, we should do so.

I think that--and you played a quote, just before we went on the air. We're really dealing with a new kind of conflict here, Ellen. Traditionally, conflict has been army against army, battleship against battleship. Now we're really talking about a case where 75 or 80 or 85 percent of the target space is in the private sector, so we have to figure out a new relationship.

For example, the federal government has all kinds of capabilities for attributing where a cyberattack is coming from. That's critical. You can't respond if you don't know where it's coming from. Attribution is something that we can do, and we do have assets in CYBERCOM and NSA that can disrupt networks of those who are trying to attack us, whether it's a state actor or non-state actor. It's a different kind of relationship where the private sector--but the private sector on their side, particularly if it's a critical infrastructure, have to be prepared to report these incidents. We can't help unless we know that something is going on, and the quicker we know, the more help the federal government could be.

I think there should be a relationship where incident reporting is mandatory, but that the federal government will use its assets to assist the attacked entity, whether it's transportation, pipeline, grid, telecommunications, whatever, but also, there should be some liability protection if the critical infrastructure entity is following the rules, following the standards, and reports. I think it's a burden and benefit relationship that we have to establish because when the attack comes, it's likely to be on critical infrastructure, not on the Department of Agriculture.

MS. NAKASHIMA: Right. So, you're in favor of the mandatory reporting rule as long as there's some protection against legal liability or immunity from lawsuits would you say?

SEN. KING: Right. Yeah. I'd say, you know, it's a burden and benefit situation where the assets of the federal government in terms of things like attribution and response--

MS. NAKASHIMA: Right.

SEN. KING: I mean, the FBI collected a bunch of money for Colonial Pipeline, and I think there should be a relationship where there are reciprocal responsibilities. And what we're really talking about here is not a heavy regulatory regime, just a regime that says if you have an unauthorized entrance into your system, you're going to let us know, and then we can come to your defense and help out. But it's got to be, as I say, a reciprocal relationship.

MS. NAKASHIMA: Ransomware is a hot topic these days, and the Biden administration, as you know, is reviewing the ransomware policy apart from whether--well, first of all, do you think ransomware payments should be banned? That's a tricky question. And at the very least, should the government make ransomware payments public?

SEN. KING: Well, you're really getting into the details of this. I mean, one of the problems is a company that's attacked, they're reluctant to make it public because it might hurt their stock price or it might have some other effects, but on the other hand, if they just pay, that just is going to lead to future attacks.

We do have the capability to deal with these non-state actors or these criminal networks, but we need to know that they're on the attack, and we need to then find out who they are and where they are. And we can start to strike back, but, Ellen, it's very important--

MS. NAKASHIMA: How would we strike back?

SEN. KING: Well, we can strike back in--

MS. NAKASHIMA: Go ahead.

SEN. KING: We can strike back in cyber. We can disrupt their networks. I mean, that's a capability that we have. We've demonstrated that capability. Or it could be sanctions. It could be--we can identify where these people are, who they are. Sometimes we can get right down to the names of the individuals at the laptops in St. Petersburg or Belarus or São Paulo, whatever they are, and then we can apply sanctions.

There are two important points here that we haven't really touched upon. One is this has to be an international effort. It can't be just the U.S. against whoever these bad guys are. We have to establish what I call a "Cyber Geneva Convention." We have to have international norms and standards so that if an attack occurs, these people are pariahs on the world stage, and they don't have any place to hide. And that includes Russia and China. They shouldn't be tolerating this within their borders. Sooner or later, they're going to be the victims of it. That's number one. It has an international face to it.

The other piece that we haven't touched on--and I know you're talking to Kevin Mandia in a few minutes--is the responsibility of the individual sitting at the desktop who clicks on a phishing email. The federal government can do everything right, not that we would or do, but we can certainly try. But even if we do everything right, if somebody in a utility clicks on a phishing email and their credentials get to the bad guys, we're sunk.

It sounds sort of mundane, but part of this, the big part of the solution to this is individual cyber hygiene on behalf of companies, and I think companies--if I was running a major utility, for example, I would be constantly testing my systems. I would be hiring outside friendly hackers to show me where the vulnerabilities are, and I'd be sending my employees fake phishing emails to see who bites. And if you bite too many times, you're going to go find another place to work, but this--you know, as I say, we're talking about sort of these big national issues, but it's also right. Prevention starts at the desktop.

MS. NAKASHIMA: Let's turn to your Cyber Solarium Commission. One of its big recommendations, which was adopted, was to create a national cyber director, and Chris Inglis, who served with you on the commission, was recently confirmed as the first NCD. What should be first on his agenda?

SEN. KING: I think--I hesitate to say because Chris Inglis is a very knowledgeable and capable guy, and I'm hesitant to tell him what he should be doing.

But I think one of the first things I would do would be to call a two- or three-day summit with all the CIOs within the federal government, all the people dealing with cyber throughout the federal government to try to bring some coordination and cooperation across the federal--all the federal agencies. That's one of the problems, and that's why we need it, the national cyber director.

One of my mottos in business was "I want one throat to choke." I want somebody who is responsible, where they can't say, "Oh, no, that's somebody else. That's DHS's problem. That's not the FBI's problem or the Defense Department." That would be meeting number one.

Then the following week would be a meeting with what I call the "SICI industries," the systemically important critical infrastructure, the grid, the pipeline, telecommunications, and get their top people in a room and talk about how we're going to work together. And that's the role that I think the national cyber director has is essentially coordination and convening, and Chris is a great--there could not have been a better person in the country, in my opinion, to be appointed to this position, and I think that's the direction he's going to move in.

MS. NAKASHIMA: So, Chris is not the only senior White House cyber official. As you know, Anne Neuberger is the deputy national security advisor for cyber. They both advise the president. How should they avoid working at cross-purposes? How will they not get in each other's lane?

SEN. KING: Well, I think one of the positive aspects of both of those appointments is that these two people know each other. They've worked together in the past. They're not rivals. There's not a professional jealousy that I know of. Anne Neuberger is immensely capable, and I see them in complementary roles.

The cyber advisor on the National Security Council is a critical role in advising the president and the national security advisor.

By the way, one of the reasons we wanted a presidential-appointed, Senate-confirmed national cyber director is that two years ago, there was no cyber coordinator at the National Security Council. John Bolton abolished it when he was national security advisor three or four years ago.

Cyber is too important to be up to the whim of a particular president or National Security Council chair, and so that's one of the reasons.

The third person you didn't mention is Jen Easterly, who is awaiting confirmation.

MS. NAKASHIMA: Just going to mention her. Right.

SEN. KING: Well, she's awaiting confirmation as the head of CISA, the Cybersecurity and Infrastructure Security Agency at DHS, and this is the triumvirate. These are the three top people, and, you know, I don't want to sound like I'm sucking up to the administration, but these are the three best people, I think, could have been put in these positions.

MS. NAKASHIMA: Well, you mentioned Jen Easterly. Her nomination had been held up by politics; in this case, by a senator who wanted Vice President Harris to visit the border. And now that Harris has been to the border, Senator Scott said he's, I think, lifting the hold on the nomination.

Do you know when this nomination will move, and to what extent is dysfunction in Congress making the U.S. more vulnerable in cyberspace?

SEN. KING: Well, Chris was held up for--Chris Inglis was held up for a while. Jen Easterly has been held up, and of course, we're in recess now, so she can't be confirmed. I'm assuming if the hold has been lifted, she will be confirmed, like, the day we get back in a week, a week and a half. It clearly was not good to be without the leadership in these three--in two of the three key positions, but it looks like we now have a national cyber director in place. And if you're the reporter, you just reported to me that the hold may be lifted, so I think that will happen very promptly after we get back.

MS. NAKASHIMA: Yeah. I wanted to just kind of press you on something I asked you a little earlier about the ransomware payments just quickly here. Do you think--I know it's a difficult issue, but just one--do you think they should be banned?

SEN. KING: I don't see how you can say that to a private company. I mean, this is not something I thought deeply about, but a private company has to protect themselves. And I don't think it's a good idea because, of course, every time you pay, you're rewarding bad conduct.

On the other hand, to tell a company, you just have to sit and have your critical data exfiltrated and published or destroyed or whatever, I think that's a tough call.

I think the role ought to be more working with these companies and being tough with them about preventing it from happening in the first place. I'm much less sympathetic to a company that doesn't pay attention to cyber hygiene and then gets hit. That's like you leave your door unlocked and the door wide open, and then you complain to the police about getting robbed. This is a partnership. It has to be a relationship, that the private sector has serious responsibilities, and I don't think any of us realize how vulnerable we are.

Kevin Mandia may be the only guy in the country that knows how serious this vulnerability is. We're all more vulnerable than we think, whether it's in our phones or our internet router or in the network. We really--the joke, the cliché around here is "all of government." This is an all-of-society effort. This is the most serious international challenge we face today.

MS. NAKASHIMA: Senator, real quickly before we run out of time, the TSA out of DHS is finally moving to regulate pipelines after years of doing this voluntary public-private collaboration approach. It seems like the government is finally starting to move in some areas to regulate cybersecurity standards at critical infrastructure. Number one, do you support that idea? Do you think it's good? And number two, how do we do that without turning this into a sort of check-the-box cyber exercise?

SEN. KING: Well, number one, I think it's too little too late. I don't think TSA should have ever been in charge of cyber with the pipelines. TSA is a transportation regulation agency, and at one point, they had, like, two people on cyber, one or two people. I mean, it was just not adequate. I'm not sure they're the right people for this.

The FERC has a very strong relationship with the utilities. The utilities are far ahead of the pipeline companies. Pipeline companies are trying to act like they're not involved in this. They are. They're critical infrastructure.

In New England, 60 percent of our electricity comes from natural gas, and all of it comes through pipelines. If the pipelines go down, the grid goes off. I think we need to step up dramatically the regulation of these utilities, and I consider the pipelines in that category.

The other big vulnerability, Ellen, that nobody has talked about is water systems. There's something like 50,000 separate water systems in this country, and I would venture to say that very few of them have really adequate cyber protections, particularly the smaller ones, and that's something that we really have to get after in a serious way.

MS. NAKASHIMA: That's another area ripe for regulation, you think, that should be regulated?

SEN. KING: Well, it's ripe for regulation or it's ripe for some kind of--what I think, one way to deal with this is to have a friendly hacking group, if you will, within the federal government who can go to these companies and say, "Look, here's how vulnerable you are." There's nothing like a skull and crossbones--

MS. NAKASHIMA: Senator--

SEN. KING: --coming up on the CEO's desktop to let him know how vulnerable they are.

MS. NAKASHIMA: We are running out of time. Before we let you go, you are part of a bipartisan group of senators working on an infrastructure deal with the White House. What do you think? Does the bill pass before the summer is out?

SEN. KING: I believe it will. I think there's universal acknowledgement that we have to do infrastructure, at least this part of it, and there's a consensus on the major elements. I think the deal that was negotiated with the White House is a good one. Now, it's getting tangled up, as you know, with politics, and do they do one by reconciliation, and are they linked and all those kinds of things? I certainly hope that doesn't bog this down. We ought to go forward with the one that we have in hand which, by the way, includes broadband which to me is the essential infrastructure of the 21st century. That's my bottom line. If it has broadband in it, then I think that's an important part of the package.

MS. NAKASHIMA: Well, we are out of time for this segment, unfortunately, but, Senator Angus King, thank you so much for joining us today. I really enjoyed this discussion.

SEN. KING: Ellen, thank you, and I know you are going to get some good information from Kevin coming up, and I hope he doesn't make a liar out of me.

MS. NAKASHIMA: We'll see.

[Laughter]

MS. NAKASHIMA: Thanks again, Senator.

SEN. KING: Thank you.

MS. NAKASHIMA: Stay with us, and I'll be right back with FireEye CEO Kevin Mandia in a few minutes.

[Video plays]

MS. NAKASHIMA: Welcome back. If you're just joining us, I'm Ellen Nakashima, a national security reporter at The Washington Post.

My next guest is FireEye's CEO, Kevin Mandia.

Welcome to Washington Post Live, Kevin.

MR. MANDIA: Ellen, good to see you. Thanks for having me.

MS. NAKASHIMA: Great. Well, let's dive right into the threat that's most in the news: ransomware. There's been loud U.S. government reaction to the Colonial Pipeline and JBS attacks with President Biden warning Putin about ransomware attacks. DarkSide, one of the threat actors, seems to have, well, gone dark. Has the outrage and publicity resulted in any diminution or change in adversary behavior that you can detect, or what trends are you seeing in this space?

MR. MANDIA: Well, that's a great question, Ellen, and it's good to see we're trying to garner a national-level attack, all the ransomware attacks we're seeing.

Right now, as we sit here, we're responding to well over 150 breaches at FireEye. So, from my vantage point, there's still a bunch of ransomware actors. They're acting with impunity. They're acting without risk or repercussions, and I just believe wherever money goes, crime follows. So, if you can hack and make a lot of money off of it, especially anonymously in safe harbors that are 10,000 miles away from where the crimes are being committed, it's not going to stop.

Do I think the next great ransomware attack is around the corner? It might be. I don't think there's a real change in behavior based on the last few months, but I can tell you this, Ellen. It was kind of interesting. Colonial Pipeline, JBS Meat, those happened right before the heads of state spoke, and way in the back of my mind, there's this little spider sense wondering, was that intentional? Was that deliberate? Were those attacks allowed to happen just so that there's more collateral to put on the table and have a discussion? I don't know.

I do know there's an increase in ransomware that's happened really--kind of its evolution mirrors the adoption of anonymous currencies.

MS. NAKASHIMA: Well, let's move to that issue with the ransoms. Some experts said that companies should refuse to pay ransoms because it only encourages the cyber criminals and fuels their activity. The government is reviewing the policy now. What's your take, and what percentage of your clients actually wind up paying a ransom?

MR. MANDIA: Well, a couple ways to address that. First, I think Senator King was right in his assessment of that situation. He said he hadn't given a lot of thought. I don't know if it takes that much thought. I've been thinking about it for years.

You can't just ban the payment of ransomware in isolation. You have to have a multipronged approach to how we as a nation or any nation really or even society is going to address ransomware, and first and foremost, you want to foster, especially for critical infrastructure, health and welfare of their systems, the blocking and tackling necessary to raise the bar on security. Whether that's regulation, standards, or legislation, critical infrastructure needs to have a different risk profile than other infrastructure.

You also need to impose risks or repercussions to the actors. I think it is not fair nor will it have the desired outcomes to just say you can't pay the ransomware extortionist, you can't pay them, without imposing risk to those folks, otherwise here's what you're doing. We're all playing goalie in both the public and private sector, trying to keep the ball from going in the goal, and the person is getting unlimited penalty shots. You got to impose risk or repercussions to the actors as well.

So, you get better baseline for security and benchmarks. You get risk and repercussion to the actors that are doing the ransomware or the nations harboring those actors. I think there's a certain level of behavior that a nation has to follow to earn the right to be part of a global economy. Then I think the third thing is you address the ransomware payments.

And I'll leave this question with this remark. No CEO wants to pay it. It's not the default answer ever. Every time we deal with this, the CEO who owns the incident and owns the response and is figuring out what's the best thing for the company to do has to do the risk calculus, and they don't start with "Hey, let's just pay it." And it's not a flippant decision. It is one based on the risk versus rewards of that particular breach and what's at stake.

MS. NAKASHIMA: What percentage of your clients actually wind up paying the ransom, and what percentage, therefore, end up not having to because they've covered--

MR. MANDIA: You know, that's a great question, and I've asked that same question to our frontline responders. I try to not know. I hate to say it. I don't want to be subpoenaed and have to go to the carpet saying here's who paid and here's who didn't, and I don't always know the answers.

I have been in the room with folks who've deliberated about it, and everybody takes it very seriously.

I think the percentage is going down. The estimate that I would have had maybe six months ago is around 40 percent, but I think it's going down. I think I'm less than two months removed, Ellen, from getting a phone call from a CEO. Right out of the gates, the CEO said, "We've got some encrypted systems." He said the exact number, and he said, "And we're not paying." And that was his default position right from the get-go. I think that is the sentiment that people start with the vast majority of the time, but again, if you're a hospital and you got people in harm's way and you've got health care machines that maybe aren't going to be predictably reliable, I think you have a different risk calculus than a lot of other folks.

So, bottom line, I think the percent is going down. I believe it is way less than half at this juncture, and that trend will probably continue.

MS. NAKASHIMA: What's driving that trend down, Kevin, the downwards trend?

MR. MANDIA: I think a couple of things, Ellen. It's the work you do ahead of time.

Right now, if I'm on a board or I'm the CEO of a company, the question I've got from my IT staff is what's the worst-case scenario if we have a ransomware breakout, and there's two things you try to do for every company out there. You're already doing this, and if you're not, you need to. First, you start thinking about how do we reduce the blast radius. How do we make sure if a ransomware outbreak occurs, it has the least amount of impact, and it doesn't impact our core assets, our most critical assets? People are thinking of reducing the blast radius with micro-segmentation of their networks, with making sure they have privileged account management that's very effective, that really only works in pockets, so you don't have one account that works on 100,000 machines. You may have one account that has admin privileges for 60 machines, and you rotate that account's credentials every six hours or so. Everybody has got to figure out how do you reduce the blast radius.

And then it's also, Ellen, about redundancy or disaster recovery. Just like a hurricane, you got to think of this ransomware as it's lights out on a bunch of machines. I would recommend to every organization, figure out your assets that matter by the criteria. It could be customer, the application, the business process, the people, the geography, whatever those systems are, and get out in front of it saying, "Are those machines secure? How did we back up those assets? Are the backups secure, and how fast can we get them back up and running should they get bricked somehow by being encrypted or some kind of physical disaster?" And that sort of resiliency drill, not everybody can practice it all the time, Ellen, but people have to think about it. And the question every CEO should ask is "How fast are we up and running should a ransomware outbreak hit these 10 systems or these 2,000 machines?" And the answer today could be I don't know, and then the answer in about eight months could be maybe it's two days. But over time, maybe we get to it's three hours, it's four hours, and we can roll back to our state, our known good state of an hour prior to the outbreak.

That's why I think you are seeing less people pay is we're reducing the target area and we're more resilient.

MS. NAKASHIMA: Oh, terrific. You heard Senator King say he was in favor of regulation. He thought it was about time this is happening--

MR. MANDIA: Right.

MS. NAKASHIMA: --critical infrastructure. Do you agree, and what specifically--if you could be brief too about this, but what specifically do you think the rules should look like to avoid not becoming the sort of check-the-box exercise--

MR. MANDIA: Right.

MS. NAKASHIMA: --that doesn't really improve cybersecurity?

MR. MANDIA: Just so you know, as a private-sector CEO, whenever you hear the term "regulation," you have to twitch and say, "No, not that." That's the default answer out of the gates.

But when you break it down, here's the facts. I think regulated industries, ordinarily, when they're regulated in regards to their cybersecurity risk probably are better defended, and I think the risk profile for critical infrastructure probably needs to be different in cyberspace in a lot of industries.

If you're a restaurant, maybe you don't need to have Fort Knox cybersecurity, but if you're a utility or you heard the Senator refer to all the different water utilities out there, we've got a whole bunch of industry in the private sector. We have a lot of critical infrastructure where maybe regulation can raise the sea level for their security programs.

You would like to see it not happen, but at the end of the day, if the private sector can't self-regulate, you may have to impose a risk profile from the government with some regulation.

Best way to test it, by the way, don't make it a paper drill. You heard the Senator talk about having good hackers try to address risk. I think the best way to get unvarnished truth is have potentially a federal agency or the private sector test network security. Run real attacks that are very realistic, that could happen, that are emulating the threat groups we're up against, and just see how people do.

If you're a water utility and you're expected to withstand a cyber espionage attack, well, let's do a live fire drill and see how well you do about it, and those exercises, Ellen, are happening more and more. You're seeing the energy come together. They're doing their own drills. The financial services do their own drills. You'll probably see pipelines over time joining one of those ISACs or joining some of those groups that are doing dry runs and simulations to see how they withstand the attacks, and that's the only way to get truth.

Shy of doing that, if it's a paper drill, well-intentioned people will answer all the questions. You'll think you're doing pretty well. You may have raised the bar a little bit, but at some point in time, as a nation, we have to harden our defenses by live fire drills.

MS. NAKASHIMA: Okay. Moving to attribution for a moment, you often hear government officials talk about how difficult attribution is. Russia and China like to say as much in order to cast doubt on the U.S. government's assertions that they're behind certain hacking campaigns. How difficult is attribution really, and do you think the U.S. government would have reached the point of attributing to foreign governments as it does now without companies like FireEye and CrowdStrike pushing them along?

MR. MANDIA: Yeah. I think attribution could be had many different ways. I can tell you it's hard to pull the thread on every security incident we respond to, and not every incident is a breach. But when you have a security breach of impact and consequence and we start pulling the evidentiary threads, good hackers can remain at least in the gray area for attribution.

I think we can get the nation that they're in, the geography they're in, but there's got to be other means to get attribution besides just following the evidence back. You can follow bitcoin payments back as best as you can, and maybe we can pierce anonymity that way.

I do know that even if you don't get it right, even if you're not sure who gave the order, whether they're government or just a lone actor, there could be classification that this is a state-level attack versus standard criminal-based attack. I think it's harder to discern the difference, but I do think the label matters because it goes towards liability.

I go back, Ellen, to Anthem getting compromised. It was a nation that compromised Anthem, but nobody did attribution, and Anthem had to take a constant onslaught of plaintiff lawsuits when in reality I believe it was people in uniform that compromised them.

Meanwhile, Sony Pictures gets compromised, and the president did attribution at the time and said it was North Korea. That attribution goes a long way to assisting the victim companies into a recovery and helps deflate some of the plaintiff lawsuits that I don't think are warranted.

We don't want to establish the bar as a nation, that every one of our companies, that The Washington Post should stop the Russian SVR from breaking in, because I think when a nation goes against a company, the nation is going to win in cyberspace over time, so we've got to be careful, and we got to figure out how to label these things appropriately because it will help the victims. It will help insurance companies, and it will actually help the nation in the long term. We don't need perfect--

MS. NAKASHIMA: Should the U.S.--well, so should the U.S. government be doing more to beat back these denials by states and to help these companies by doing more public attributions the way you're saying it happened with Sony and helped Sony?

MR. MANDIA: Well, I think all you need to do, for me, categorical attribution is good enough, meaning it was a nation state that attacked--

MS. NAKASHIMA: I see.

MR. MANDIA: --the victim, Company A, and don't say the nation if it's pie in their face and it impacts other diplomatic efforts on your agenda, but let people know maybe in a back room through a back tunnel, "Hey, we know this is you. We find it unacceptable."

You got to have, in my opinion--here's the good news, Ellen. I'm not a diplomat. I have the easier job of figuring out cybersecurity. You know, at the end of the day as diplomats, I do believe there will be diplomatic solutions. I do believe what we see in cyberspace in aggression, on offense, is directly tied to the geopolitical conditions. It's absurd to think that geopolitical relationships won't impact cybersecurity. I know they will.

For those folks that are chartered with diplomacy, I think that is a valid tool, and we can't just attack cyber defense with technology alone.

MS. NAKASHIMA: Right.

MR. MANDIA: We do need diplomacy, and you heard the Senator say we need international cooperation. He's exactly right.

You're going to see geopolitical alignment, both for economy as well as security, and those countries that are like-minded are going to enforce certain rules of engagement.

MS. NAKASHIMA: The Senator also said he thought it was a good idea to use Cyber Command to punch back overseas, even at criminal actors, for instance, to disrupt ransomware rings. What do you think of that idea, and how effective do you think it will be?

MR. MANDIA: You know, I thought about that a lot for 15 years or more, and there's risks to it, and obviously, I like the idea--and the Senator alluded to this. We have to have a doctrine on proportional response to cyberattacks. We have to respond as a coordinated nation, and now with the national cyber director, you can see that we should be able to coordinate a little bit better, and with the team that we have in the government now, I think we will respond more holistically as a nation to attacks that hit the private sector or the public sector.

But I think that attacks in the cyber domain, the only challenge that I'd warn us against there is the asymmetry of it. We're in the glass house in cyber. That doesn't mean our defenses are bad. What I'm saying is we're in the expensive house. If cyber domain is where we choose to go tit for tat in, the challenge we've got is we stand to lose more as a nation than other nations.

Take, for example, North Korea. I doubt they rely on the internet and interconnectedness like the United States does. So, if we escalate in cyberspace against North Korea and that forces their side to escalate, the damage to our side is far greater.

And I'll leave you with this, Ellen. If they're throwing rocks at our house and we're throwing rocks at their house, they're destroying trillions of dollars in our house, and we're destroying millions of dollars in their house. So, it's too asymmetrical. I think it is a tool, but I think you have other levers that you can pull as well to enforce better behavior in cyberspace.

MS. NAKASHIMA: With the pandemic over the last year, many more people have been working from home. How has that changed the attack surface for criminals and nation states, and does going back to the office change any of that in your view?

MR. MANDIA: I don't think so. I can tell you, yes, certainly, when we all were in the room together, one of the things that I think--I can tell you this. I don't feel like the threat has changed that much in 2020 other than ransomware grew. I can say that by the end of 2020, we had the SolarWinds implant, and then the beginning of 2021, we had Microsoft Exchange zero-days. We had an Accellion zero-day. We had zero-days in SonicWall. That's an escalation, more zero-days being armed by bad guys to take advantage of them.

But, in 2020, the biggest change I saw is people were collaborating slightly less effectively than they used to. At least at the 1A enterprises we talked with, their security staff was in a close geographic nucleus. They all spread out, and I think some of the breaches that we saw were because there's a small delay in coordination and correspondence because they were all remote. And when they're all in the same room together, the security operations center can push their chair back, or even if it's just IT, where security has a side-car job, they had the ability to communicate face-to-face.

I think it took all of the American society--it took all societies a little bit of time to get used to the work from home, but we've got a good battle rhythm now, and I feel the attacks haven't changed too much other than the zero-days increasing in 2021. I think it was just our collaboration and the response that changed it. We might have come down a notch.

You know, our company was used to responding remotely, but I'm talking internal security teams. Their efficacy may have just dropped a tiny bit because they couldn't work as well or collaborate as well together.

MS. NAKASHIMA: Gotcha. Okay. Well, with so many folks working from home, companies are making a big deal about ensuring that employees are educated about phishing attempts and malware, et cetera. Kevin, how do we ensure endpoint security?

MR. MANDIA: Well, you got to go to next-gen endpoint. You know, people hate the whole concept of defense in depth, but I think you really need it. You have to have good network-based countermeasures, good endpoint-based countermeasures. You do want to train your users. That doesn't put an end to people hacking themselves. When you have great hackers targeting your average citizen, the great hackers are going to beat them and dupe them every single time.

In the video we saw in between this, Ellen, the concept of our children using our work machines, our home machines is going to create vulnerabilities. So, we do have to think of upgrading the tech that we use and then testing how effective that tech is against known attacks.

I can tell you the security industry is getting better, and so are these security postures of most organizations. But the additional risk is we used to see all traffic to our networks because everybody was inside the four walls, and that's just not the case anymore. You'll hear people talk about zero trust, that idea that every single resource you access, you're not just building a moat around the castle anymore. You're building a moat around every single system, and you can feel that as people go more to the cloud, more distributed workforce. You can have more of a zero trust-based environment.

MS. NAKASHIMA: Well, as always, Kevin, the time just flew discussing with you, so we have to close here. But I just wanted to thank you very much for a great discussion, and thank you, everyone, for joining us. Kevin Mandia, thanks again. Hope to see you soon.

MR. MANDIA: Take care, Ellen. Thank you.

MS. NAKASHIMA: Please come back and join Washington Post Live tomorrow at 9:30 a.m. My colleague, Geoff Edgers, will interview Kennedy Center President Deborah Rutter.

I'm Ellen Nakashima. Thanks for watching.

[End recorded session]
