Today we’ll hear from a wide range of perspectives on how the U.S. government and private businesses are working to protect themselves and us from such threats. First, we will hear from one of the leading cyber voices in Congress, Representative John Katko of New York, who will be interviewed by Post tech policy reporter Cat Zakrzewski.
Then we will hear a view from the private sector with Sean Joyce, the global and U.S. cybersecurity and privacy leader at PwC, and Jeanette Manfra, the global director for Security and Compliance at Google Cloud. They will be interviewed by deputy business editor Damian Paletta.
And, finally, national security reporter Ellen Nakashima will interview Anne Neuberger, the deputy assistant to the president and deputy national advisor for Cyber and Emerging Technology.
I want to thank today’s presenting sponsor, CrowdStrike, and I’ll hand it over to Adam Meyers, the senior vice president of Intelligence at CrowdStrike, to say a few words.
MR. MEYERS: Good morning. Thanks, everybody, for coming today. Very excited to be here and would like to thank all of the speakers and certainly The Washington Post for allowing us to do this, and I think we’ve got a really exciting agenda lined up today.
Really, the purpose here is to bring together a bunch of different voices from the public sector, the private sector, and get into some of the various interesting things going on in space.
So, without further ado, I’ll turn it back over to The Washington Post. Thank you.
MS. LEE: Thank you, Adam. Let’s get started. My colleague, Cat Zakrzewski, will join us on stage with our first guest after this short video.
MS. ZAKRZEWSKI: Hello and good morning. I’m Cat Zakrzewski, a tech policy reporter here at The Washington Post, and thank you for joining us today for our event on “Securing Cyberspace.”
I’m pleased to be joined today by Representative Katko of New York. He is the top Republican on the House Homeland Security Committee.
Representative Katko, thank you so much for joining us, and welcome back to The Washington Post.
REP. KATKO: Thanks for having me, and good morning, everybody. Good morning.
REP. KATKO: I think that’s‑‑you’re awake now. Okay.
MS. ZAKRZEWSKI: Thanks for waking everybody up on this rainy morning.
And, as a reminder to our guests, we want to hear from you. Tweet us your questions using the handle @PostLive, and we will try to get them into the conversation today.
And so, Congressman, I wanted to start out, you’re one of the most engaged members of Congress on cybersecurity. Since you’ve been in the House since 2014, how would you grade your colleagues, Congress’s understanding of the cybersecurity threats we’re facing as a nation today?
REP. KATKO: I don’t know about a grade, but I will say that it has evolved. When I first started on Homeland Security, CISA didn’t exist, the Cybersecurity Infrastructure Security Agency, and the greatest threat to the homeland by far was homegrown violent extremism inspired by ISIS‑type groups. You have like San Bernardino, and you had the Pulse Nightclub and all these terrible tragedies. And we’ve evolved from there to having cyber be the number one threat to our country. People can be in their own rooms in Russia or Eastern Europe or China and launch major cyberattacks, and that’s a whole new dynamic throughout that everyone is coming to grips with as we continue on in Congress.
MS. ZAKRZEWSKI: And as you just mentioned, I mean, over the last eight years, we’ve seen a major evolution. I mean, when you joined Congress, we were talking about the Target data breach and Yahoo.
MS. ZAKRZEWSKI: And now we’re seeing these attacks far more frequently, and they’re far more severe. The video referenced critical infrastructure. What steps does Congress need to take today so we don’t see that exponential increase in threat over the next decade?
REP. KATKO: Well, I think what we need to do is what we’ve already been doing, and that is to beef up cybersecurity funding across the board for NSA, for the dot‑mil regime, for CISA, and I think we need to do more to empower Chris Inglis as the national cyber director. And the way I look at it is you want to look at it from a team approach. Inglis is the head coach. He needs to have the powers of head coach. You have the quarterback. I would say the civilian and dot‑gov domain being CISA. You have the special teams at NSA, and then you have the offense and defense capabilities on the military. We’ve got to make sure that they’re all properly funded, they’re doing state‑of‑the‑art defenses, they’re developing good collaborative efforts with the private sector, and they’re working better together as a team, because that’s why I like using the analogy of a quarterback and head coach and all that because they’re all part of the same team, and we need to be working together to achieve the goals. And the goal is to minimize and eradicate cyberattacks having the devastating effects they have on us today.
MS. ZAKRZEWSKI: What do you view as the top barriers preventing those groups from working together as a team today?
REP. KATKO: I think it’s a new thing, to be honest with you. I mean, let’s face it. I was in Congress eight years, and CISA has only been in existence four years. So this is all evolving. So what we have to do going forward is to make sure we understand the respective roles of each, better define them, and then get them to work better together. And that’s why I think the national cyber director was so very important.
MS. ZAKRZEWSKI: And looking back on the time that you spent in Congress, was there a particular breach or hack that you feel was really a wakeup call that helped lawmakers understand how pressing this issue is?
REP. KATKO: I think the wakeup call for the country as a whole‑‑I mean, if you’re a hospital or a school‑‑we’ve had wakeup calls in my district for years with the ransomware attacks. But I think the Colonial Pipeline was such a‑‑such a shock to the system, and when you see people filling up garbage bags of gasoline out of panic at gas stations, you know that you’ve got the attention of people. And that was followed up by the JBS attack and some of the others. Obviously, some of the ones for us, the geeks in the cyber realm, where we know about the more sophisticated attacks like the Log4j and some of those other ones at‑‑could have crippling effects. But the Colonial Pipeline one, I think, really woke everybody up because there’s critical infrastructure 101, and critical infrastructure got attacked. And we weren’t ready for it.
MS. ZAKRZEWSKI: And so you’ve introduced legislation that would call for identifying systemically important critical infrastructure. How would that legislation help prevent another Colonial Pipeline from occurring?
REP. KATKO: Well, the way we look at it is there are 16 critical infrastructure sectors, right? If they’re all systematically important, then none of them are, and, you know, none get the‑‑you got to look at the‑‑the whole idea behind the SICI legislation‑‑is the slang for it‑‑would be to say of all these critical infrastructures, this is the most critical, right? And then you identify it.
But, after we passed the reporting requirements legislation, incident reporting, I’m starting to see within the development of the rulemaking process at CISA that I think it’s going to shake itself out without the necessity for that legislation, someone at legislation that was more‑‑I don’t want to say bureaucratic. What’s the word?‑‑regulatory in nature, and I think that would be a mistake.
I think we need to continue with the collaborative effort we’re developing with the private sector and CISA, information coming in, taking that information, operationalizing it, and then send it back out in a better way and form. And I think, hopefully, this rulemaking process is going to do that. And I saw one of the RFIs recently, which is very encouraging in that regard.
MS. ZAKRZEWSKI: So this legislation was based on recommendations from the Cyber Solarium.
MS. ZAKRZEWSKI: And some of the Democrats said that your proposal initially didn’t go far enough. Any bill addressing critical infrastructure needs to also address what the companies and government need to do as a result of that designation.
You just said you’re concerned about too much bureaucracy. What’s at risk with having legislation that’s‑‑
REP. KATKO: Well, the risk is, I think‑‑we should learn from some of the past agencies that have been developed and how they’ve grown into regulatory behemoths that somehow lose their way.
I think what happened with‑‑especially with Ukraine in the cyberattacks that happened in Ukraine which preceded the invasion of Ukraine and the threats to the West from Russia, the continued threats today, and the intelligence bearing out that, they’re pecking around getting ready to do a major attack, perhaps‑‑I think that showed that we need to be more collaborative with the private sector.
Like, CISA came up with, like, Shields Up, for example. You can go to the website, Shields Up, and you can help your systems right away, and what we’re seeing is that the private sector is incentivized to work with CISA.
If you get a regulatory scheme, it becomes almost like a shirts‑and‑skins game, you know, where they’re on one side and they’re on the other side. That’s what we’re trying to avoid, and I understand and completely respect what people are saying as far as the SICI legislation.
But I think it’s‑‑we can’t lose sight of the fact that the private sector has to have the comfort to work and trust with a teammate, that being CISA, as opposed to more of a dictatorial or rulemaking agency that’s overseeing and causing all kinds of problems with them, because I think CISA is a unique agency in that the synergy between the private sector and CISA is the only way that CISA could be successful. And, if they’re not, if they don’t have that synergy and exchange of information on a fluid basis, like we do in the joint terrorism task forces, like I worked with for 20 years as a federal prosecutor, if you don’t have fluidity, I think you have problems.
MS. ZAKRZEWSKI: So, when we’re talking about such severe attacks on pipelines, on energy grids, can we really leave that up to the private sector?
REP. KATKO: Oh, we’re not leaving it to private sector. No. Make no mistake about it. There’s going to be rules. There’s going to be rulemaking with the incident reporting, and the incident reporting, as it shakes out, I think, will tell us whether or not we ultimately need the SICI legislation and what kind.
There was a disagreement, and rare for most of us in Homeland to have disagreements on cyber between Republicans and Democrats, but that was one area we had disagreement. So that’s why it didn’t get across the finish line. So what I’m saying is the rulemaking process, I think, will shake out a lot of the concerns that both sides have, and then if we need to do something on the back end, we can do it. But I’m not sure we’re going to need to. We’ll have to take a look and see.
MS. ZAKRZEWSKI: And you mentioned the situation in Ukraine, and I want to talk a little bit about what we’ve learned so far from the war. Given the cyberattacks that we’ve seen on Ukraine, do you think that we need to rethink the global cybersecurity norms?
REP. KATKO: Absolutely. Anybody who’s familiar with NATO knows what Article 5 is, and Article 5 is what’s an act of war. And every military in the world now, any credible military, has a pretty significant cyber command, and that’s not just for the heck of it. That’s because that is the modern face of warfare.
So we don’t know what should be considered an act of war yet, but I think we need to decide within our team here with the national cyber director, the NSA, the dot‑mil, and with CISA what‑‑you know, taking but from all, what is‑‑what is considered an act of war in the modern space, or is any cyber attack an act of war? Then you’d need to have that similar conversation with NATO countries, and I think we have to tweak the rules accordingly, right?
Look what happened in Ukraine. Before they went in, like I mentioned, they had massive cyberattacks, which were an attempt to cripple their systems before they went in. How was that not considered an act of war? Right? But is every cyberattack an act of war? I don’t think so, but we have to figure out what the red line is, or if you can even decide what the red line is and have to have those conversations.
MS. ZAKRZEWSKI: What do those conversations look like today? Because I think, you know, Senators and lawmakers first raised that issue back in February when we saw the invasion. So what kind of progress have you made? What kind of ideas have you heard since then?
REP. KATKO: It’s in its nascent stages, no doubt about it, and we have to have more of a discussion based on a forensic analysis of what happened within Ukraine. And, if and when Ukraine becomes part of NATO or if they still share their information with NATO countries, NATO is now, ironically, stronger than it’s ever been since World War II because of Russia’s interference in Ukraine, and that’s exactly what Russia didn’t want to have happen. So, having this discussion is something that the NATO countries and we all have to have.
MS. ZAKRZEWSKI: And I just want to ask really, specifically, because you kind of touched on this in your earlier answer, but should a cyberattack on a NATO country trigger Article 5?
REP. KATKO: That’s a great question. I mean, that’s the discussions we have to have, but like I said, it’s a face of modern warfare is cyber. There’s no question about it, and we need to understand that, digest that, and try and figure out where those new lines lie, because, quite frankly, we haven’t done it enough yet.
MS. ZAKRZEWSKI: And, while we’re on this topic, I also wanted to talk about foreign disinformation. Do you think that the United States is currently prepared for any foreign disinformation we might face during the midterm elections?
REP. KATKO: We weren’t in previous elections. I think we’re getting better every election, but I think the problem we still have is which agency or which entity within government should be spearheading it or should be at the forefront of it.
The rollout of Homeland Security’s Disinformation Board was an utter disaster because we didn’t understand it, and so we can’t have that again.
CISA should play a role but the others too. If it’s a foreign actor, a foreign state, for example, China, Russia, especially Russia, I don’t think CISA should be the only person making decisions on what to do and how to respond. It’s got to be more of a collaborative effort within multiple agencies from the State Department to the White House.
MS. ZAKRZEWSKI: You mentioned the failed rollout of the Homeland Security Disinformation Board. How can the federal government address disinformation at this time when Republican lawmakers are raising concerns about social media censorship?
REP. KATKO: Yeah. And that’s a legitimate concern, and that’s highly likely that Republicans will be controlling the House next term, and so that’s‑‑they’re going to have to engage with Republicans on this. The problem with the Disinformation Board was it was not‑‑it was not a bipartisan effort.
I can tell you from my own work in Congress, the best bills, the best legislation, and the best results are when you work in a collaborative manner. Bennie Thompson and I have worked together very well over the last eight years, and Homeland Security by its nature tends to be more collaborative. We have very serious disagreements with the border. Put that aside, cyber and other areas within the homeland security mission, but we are very collaborative, and cyber is one of them. And we need to continue to be that way. You can’t have something as difficult and fraught with possible infringement of individuals’ rights of free speech without having a collaborative effort, and that’s why I think the Disinformation Board was such a failure.
MS. ZAKRZEWSKI: Since the revelations of Russian disinformation after the 2016 election, we’ve seen a greater collaboration between the tech companies and organizations like CISA and other national security agencies. Do you think that’s a positive development?
REP. KATKO: Absolutely. Absolutely. Listen, some people in my party will scream that they’re all just out to get them. No, that’s a bunch of crap. They’re not. Okay. But, at the same token, do we need to have a better understanding of what they do and how they do it?
I mean, look at all the concern now that’s being enunciated because of Elon Musk taking over Twitter. Now the pendulum is swinging the other way. You know, that aside, we need to have a better synergy between the two.
If you’re not getting the theme here, everything I talk about is working together, because that’s something we’ve lost in this country and we’ve lost in Congress, and that’s what we’ve got to do more of for sure.
MS. ZAKRZEWSKI: And I’m just curious because you just mentioned the Elon Musk Twitter deal, and I wanted to ask you, given your work on homeland security, Elon Musk has strong business ties in China. There is talk about whether or not he’s been in direct communication with Vladimir Putin. Do those activities pose a national security risk as he takes control of a major American social media platform?
REP. KATKO: I think you have to get more information. I think it would be irresponsible to say yes or no until we know if he had the conversations and what are the nature and quality of the conversations, right? But, clearly, it’s something we should keep an eye on. Clearly.
MS. ZAKRZEWSKI: Yeah. I mean, he’s confirmed that he talked to Putin at least once 18 months ago, and then there’s a report that he had a more recent call. I mean, this is an unprecedented situation in many ways to have a tech executive have that kind of communication. I mean, what steps could the federal government even take if it turns out that he did have those conversations?
REP. KATKO: Well, I mean, like I said, it’s a murky time, right? And it’s a murky time with Twitter and the government and disinformation and who gets banned and why or should they be banned, should everyone just have unfettered access to the internet, all those types of things.
We’ve done a good job of pointing out the problems, but very few people have talked about solutions, and I don’t pretend to have the solutions for that. But it’s going to be a whole‑of‑government approach to it. We can’t just have one party or the other party doing it, or one agency. It’s got to be people together to really figure out how to best manage this new minefield.
I mean, it’s such a complicated world now. When I was a kid, we had ABC, CBS, NBC, and public television. We didn’t have the internet. We didn’t have 24‑hour news cycles where you can go get your scratch itched and not have to hear an alternative point of view. That’s all we have now, and that’s kind of‑‑and then we have social media overlaying it, and it’s a very difficult time. And it’s like the brave new frontier that we’ve got to figure out.
MS. ZAKRZEWSKI: And so one proposal you’ve introduced, a bipartisan bill to identify foreign propaganda on social media, incorporate labels. We saw some companies do more of this, especially in the fallout of the Russian invasion into Ukraine.
MS. ZAKRZEWSKI: Do you think those labels are effective or do enough to flag this to users?
REP. KATKO: It’s a start. It’s a start for sure. It’s flagging the problem, and it’s identifying a problem. I don’t necessarily think it’s going to be the solution, but it’s a start in the right direction. By passing that, we’d be acknowledging that there is a problem, and that needs to be addressed for sure.
MS. ZAKRZEWSKI: And one of the things that we’ve seen with foreign disinformation is that it seeks to sow discord and amplify existing divisions within the American public.
REP. KATKO: I’ve a little experience for that running for office four times.
MS. ZAKRZEWSKI: And so, I mean, given the political dynamic today and the fact that we have multiple Republican candidates running still on this message of election denialism, does that create an opportunity for foreign disinformation and foreign actors?
REP. KATKO: Perhaps. And I think it’s a very troubling trend within our party, and I’m hoping that that will change soon and it will be tamped down, but it is something that is a very big concern for me.
MS. ZAKRZEWSKI: Have you personally warned members of your party that that poses a potential national security risk?
REP. KATKO: Have I warned them? No. Have I said words to the effect of “are you nuts?” Yeah, I’ve said that. Yeah.
MS. ZAKRZEWSKI: And so, I mean, I wanted to ask you. I mean, obviously, you’re leaving Congress soon. How do you feel about the state of the Republican Party at this moment?
REP. KATKO: Like any party, the bigger the tent the better. I think that we have concerns within the, quote/unquote, family of the Republican Party. I am concerned that both parties have less tolerance for moderation, and I think that if you look at the Democratic side, a lot of the moderates are getting squeezed out, and the same with the Republican side. And there’s an intolerance for anything other than 100 percent or nothing on both sides, and that’s a real concern.
I would say this, and I’ll do this with all of you right here. Raise your hand if you’ve ever been in a personal relationship or you’ve ever been in a business relationship? Everybody has. Raise your hands. Right?
Now, raise your hands if you got 100 percent out of that relationship or deal. No one ever does. So why do we expect it from our politicians? That’s not what our country was founded upon, and so I’m concerned that both parties have gone too far to the left, too far to the right, and, you know, they’ve got to understand that working together with the other side is a good thing.
If you look at Tip O’Neill and Ronald Reagan, what they got done together, diametrically opposed politically, but they did things and came together for the sake of the country. We need to get back to that for sure.
MS. ZAKRZEWSKI: And I wanted to ask about that in the context of cybersecurity, which has been a relatively bipartisan issue during these polarized times.
REP. KATKO: Very much so, yeah.
MS. ZAKRZEWSKI: We’re losing two cybersecurity heavyweights with both you and Jim Langevin, the Democratic cofounder of the Congressional Cybersecurity Caucus. So do you think this bipartisan streak within cybersecurity can continue after you leave?
REP. KATKO: It has to, and I think it will. And I think, by and large, people understand in the homeland security realm, at least traditionally on the committee, that some things are bigger than your party, and a lot of things‑‑I think a lot of people can say it’s easy‑‑we’re all in agreement we want to protect the homeland. We may have difference of opinions around the edges, but we all believe we want to have better cybersecurity. And we all believe we want to have safer systems, and we all believe we want to be able to clamp back at the bad guys. We want to be able to have deterrence. We want better protection. So I think we will, and I think there’s a lot of people coming up that will pick up that mantle.
And don’t forget, when I came to Congress as a federal organized crime prosecutor for 20 years, I did very complicated, crazy cases, and I earned all my gray hairs. But I didn’t know much about cyber before I got here, because the biggest threat to homeland when I first got here, like I said, was ISIS, and those inspired major events.
Now out of necessity, I’ve had to become an expert on cyber, and I think there’s plenty of people coming up that already have a working knowledge of cyber that will be able to pick up the mantle and run with it, no question in my mind.
MS. ZAKRZEWSKI: And given that expertise that you’ve developed on cyber, what assessment would you give the Biden administration’s record so far on cybersecurity?
REP. KATKO: I think they’ve‑‑I think they’ve had great appointments in the leadership positions. I think Inglis is superb, and I think Jen Easterly at CISA is a terrific, terrific appointment, and some of the others that they’ve had. I mean, I think they’ve got a very strong team across the board, and now that they’ve got these great leaders, the trick is going to be able to empower them, properly fund them, and make sure they all get along well in the sandbox. And that’s probably the last part of the puzzle we need to do.
MS. ZAKRZEWSKI: And, as you leave Congress, what is the cybersecurity threat that you’re most worried about?
REP. KATKO: A catastrophic threat on the critical infrastructure sector, may it be at a grid, be at a water system.
Look what happened in Florida. If that guy didn’t stumble across what was going on at that water system in Florida, thousands of people would have been poisoned and maybe killed. That shows the vulnerability of our systems, and what keeps me up at night. When Trump was in office, two things kept me up at night, what he tweeted in the morning before I got up.
REP. KATKO: And the other thing was, was there a catastrophic attack overnight somewhere, and now I worry all the time about cyberattacks because you still hear CEOs and leaders of businesses saying, “I don’t want to hear about cyberattacks. I don’t want to hear that our system has been compromised. We can’t have this. You got to keep it quiet,” and that is the biggest concern. I think people should embrace it and attack it, you know, and don’t sweep it under the rug. And that’s what we’ve got to do going forward, and that’s the whole idea of what we’re talking about today, I guess.
MS. ZAKRZEWSKI: Well, unfortunately, we’re just about out of time. Representative Katko, thank you so much for joining us today.
MS. ZAKRZEWSKI: My colleague, Damian Paletta, will be out here with our next guest after this video. Please stay with us.
MR. PALETTA: Hello and good morning. I’m Damian Paletta, deputy business editor here at The Post, and I’m honored to be joined today by Sean Joyce, global and U.S. cybersecurity and privacy leader at PwC, also former deputy director of the FBI; and Jeanette Manfra, global director of Risk and Compliance at Google Cloud. Prior to joining Google, Jeanette was the assistant secretary for Cybersecurity at the Cyber and Infrastructure Agency within the U.S. federal government.
Sean and Jeanette, thanks so much for being here.
MS. MANFRA: Thanks for having us.
MR. JOYCE: Thanks, Damian.
MR. PALETTA: So, you know, a lot of scary numbers out there about cybersecurity. According to the World Economic Forum, cybercrimes are set to cost governments and organizations $10 trillion by 2025, with a T. I mean, that’s astonishing.
Sean, I want to start with you. What are some of the most prominent and concerning forms of cybercrimes in 2022, and how have they evolved in recent years?
MR. JOYCE: Well, I think that, as anyone knows out there, the threat continues to evolve. So we’ve seen ransomware evolve to something that, I think, probably five years ago hit our personal computers to then organizations. Now we’re seeing ransomware as a service. We’re seeing that tool being sold to different parts of the world and really being propagated in many different places.
So it’s not just‑‑though I would say, like, ransomware is the thing that catches headlines. Many of you have probably heard of business email compromise. Actually, the incidence of that is more than ransomware. It’s just that ransomware is getting the headlines. So those of you whose email has ever been spoofed, right, those of you where they frequently send emails to the procurement and say, hey, we’re the new vendor, or send it to this new routing number, the incidence of that is really picking up.
And I think we’ve seen, generally‑‑because the barriers to entry in this area are so low, we’ve really seen a proliferation throughout the world.
MR. PALETTA: And the barrier to entry is low, and I guess all they need to do is get like a 1 percent return on their attack, right, in order for them to be profitable?
MR. JOYCE: Exactly. So that’s where you get to the tools that are being sold, where you don’t need to be an expert at cyber, right? You have that tool. You basically spam a lot of people, and if you hit rates, 1, 2 percent, you still‑‑
MR. JOYCE: ‑‑have a good day.
MR. PALETTA: Jeanette, I was wondering if I could ask you how things have evolved during the pandemic. You know, when I was at The Wall Street Journal years ago and wrote about these big nation state attacks, they seemed to have their kind of approach, but how have things changed during the pandemic when we’ve kind of changed how we work or maybe our vulnerabilities have changed as well?
MS. MANFRA: Yeah. I think, you know, in some ways, the strategies remain the same, right, as just find‑‑use real‑world events to find new targets and new mechanisms. So, you know, you start to see a lot of use of pandemic‑related messaging to use for social engineering and targeting a workforce and networks that are no longer completely protected by like a corporate network because people are out, and you have to rely on VPNs and so targeting of those.
And I would also say‑‑and not saying that this is related to the pandemic, but I think kind of building off of what Sean was saying is an increasing concern, is targeting very vulnerable and critical institutions, and schools, hospitals, and, you know, people in organizations that have very sensitive functions, sensitive data, and holding those sorts of organizations at risk. You see criminals just very willing to do that because they know that they’re more likely to get that payoff, and that combined with, you know, the increasing interrelationships of nation states and criminal organizations, I think, puts us on a very concerning path.
MR. JOYCE: You know, the‑‑I just want to add to what she was saying.
MR. PALETTA: Yeah, please.
MR. JOYCE: So, you know, I think the United States when we look at the nation states, we think of obviously China, Russia, Iran, North Korea, right? What people don’t know is probably there is more volume of attacks between India and Pakistan, China and Taiwan, right? So you’re seeing these nation states much like the criminals, right, really looking at it as part of their hybrid, whether you want to call it intelligence operations or warfare, really leveraging their capability, which is much simpler than, right, an army to actually gather economic advantage or whatever they might be doing.
MR. PALETTA: And if I could just stay in that spot for a second because I’m really interested in the nation state component. There’s a big focus‑‑obviously, there’s two different things they can do. Maybe there’s many more, but there’s information gathering, and then there’s, you know, taking bags of digital cash. So are we seeing‑‑are they shifting away from the information gathering in this day and age and getting more into the ransomware and trying to extort for money, or are we seeing kind of a mix of both?
MR. JOYCE: So I’ll go first. It depends on the country.
MR. JOYCE: Right? If you understand China, 60, 70 percent of their economy is driven by state‑owned enterprises. They are actually stealing intellectual property for economic advantage, right? We as the United States‑‑many countries spy. We spy for foreign intelligence, which is about intent and capabilities.
So you have North Korea. North Korea is doing it for money, right, to fund their economy through mainly crypto. So I think you see different nation states.
We see Russia. Russia is looking at it more as a‑‑I would say a hybrid warfare tool, and, you know, much of what we’ve heard about open-source intelligence, about their interest in our energy and utility sector, right, is more what we would call prepping the battlefield.
MR. PALETTA: Jeanette, do you have thoughts on that? I mean, is there just a completely different strategy in terms of what companies and governments should do in defending against information‑based warfare versus, you know, going after money?
MS. MANFRA: No, I don’t think there’s really different strategies. There’s definitely different strategies that the government and governments globally need to take, but from a defense perspective, the reality is most of these adversaries are taking advantage of known vulnerabilities, you know, sort of poor cyber practices.
MS. MANFRA: And so it is really about making yourself a harder target and dealing with addressing things that are known because they go after the soft targets, and they tend to have sort of a massive widespread view. And they’ll target different organizations. If they can’t get into one, they’ll go to the next one that’s an easier one because there are so many easy ones.
So, from a defense perspective, it is really unfortunately a lot about just doing the hard basic cybersecurity work and doing it consistently.
MR. PALETTA: And, Jeanette, can I stick with you for a second? I mean, so, obviously, the public‑private‑‑there’s a‑‑the government and companies are very interested in defending against this, and they’ve‑‑they collaborate a lot. You know, we saw during the Sony hack and OPM‑‑this is many years ago, but there was a lot of conversations about how could we do better, how can share information. Do you feel like they evolve at the same pace, or does one kind of outpace the other, and is there something that can be done to make sure that they’re all on the same page?
MS. MANFRA: Yeah. I have a lot to say about public‑private partnerships.
MS. MANFRA: So I think the challenge with public‑private partnerships is it becoming too broad and not defining what it is that it’s trying to do, and that there isn’t just one public‑private partnership to solve cybersecurity. So, to me, my experience both at CISA and at Google is the best progress you can make on a public‑private partnership is defining a clear goal that‑‑and an actionable goal that a group of organizations is working together, and it has to be a group of organizations that has the capability to enact that goal.
So from CISA perspective, when we develop the national critical functions‑‑and I know CISA is continuing down this path, it was‑‑really was the intent is, okay, it’s not about solving cybersecurity. It’s about protecting elections or protecting the integrity of the financial system. And then you really start to get into, well, what does a specific company need to know, what sort of intelligence do they need to have in order to take action, what does the government need, and what capabilities do they have in order to enable some sort of outcome. And being really clear and up front‑‑and if you need to get lawyers involved, whatever is needed, but being really clear that this isn’t just a generic partnership, that we’re working together and we have different capabilities to achieve a goal.
So it is evolving. I think there’s more work to be done, of course, but, you know, I’ve seen it now from both sides, and I think it’s really important to have those defined boundaries.
MR. PALETTA: Sean, in your experience, I mean, what are the things that the private sector can learn from the public sector and vice versa? I mean, show us how this‑‑tell us how this relationship really benefits both sides.
MR. JOYCE: So I really like what Jeanette said. So, even when you heard Congressman Katko, I think there’s a lack of understanding of everything out there. So you have‑‑NSA has the cyber collaboration center. The FBI has InfraGard, DSAC, NDAC, right? And then you have CISA with the JCDC, the Joint Cyber Collaborative‑‑or Defense Collaborative. There’s too many entities‑‑
MR. JOYCE: ‑‑and the private sector is confused, right? And there needs to be a focused objective, right?
So I think the first thing is the government does not understand that the private sector is out there, and they just want to know what’s that one number to call‑‑
MR. JOYCE: ‑‑all the time, right?
So I think, you know, in fairness, I think Chris Inglis, I think Jen Easterly and Uber, I think, collectively, they have done a good job incrementally, right? We’re still looking at a 21st century problem in a 20th century way, and I think we’ve really got to change that paradigm.
MR. PALETTA: So it’s not a matter of trust as much as just a confusing system, and when you have a crisis and you need to pick up the phone and call one person, it can be a little bit, you know, unsure about who the person is that you need to reach.
MR. JOYCE: Absolutely. And the idea that the government is truly there to help, right, and not to investigate, not to look at it from a regulatory perspective and how do you actually help‑‑I mean, I think sometimes we forget the world is not made up of Googles, right? It’s mainly smaller, right, small to medium businesses out there that are the fabric of America. So how do we actually help those organizations, right, that don’t have the resources, maybe don’t have the funding? How do we get them to the same level, that basic level of security that we all should have?
MR. PALETTA: So it’s tricky. I mean, in my experience covering Washington, there’s all these bureaucracies that get institutional power, and they don’t want to give it up, right? And so they can get really turfy and kind of defensive. Jeanette, do you think is that something that there’s an effort within the government to fix, or is that going to be hard to get these agencies to, you know, maybe streamline a little bit so that, you know, they can work more closely with companies?
MS. MANFRA: I don’t know what you’re talking about. I’ve never experienced that.
MS. MANFRA: Yes. I think it is, but it’s‑‑so, having spent a long time in the government, there are‑‑there are reasons. So it’s easy to say, oh, they all do cyber, but they do have different authorities, and they have different capabilities that they can bring to bear. So there is, you know, in the sense for the majority of companies and just needing to have some basic information that the government has that they need to be distributing to those, those organizations.
Then there’s, hey, we want to defeat something. We want to get rid of a class of cyberthreats. It’s a different sort of problem with a different group of entities.
I think Representative Katko talked about the football sort of analogy, and I think there’s, you know, promise in that and the national cyber director sort of bringing everybody together to try to coordinate and, you know, equipping and training the different organizations.
I still think, though, having said all of that, there are way too many organizations in the government that have some very similar roles in‑‑whether that’s an industry‑specific role that they’re playing or a broad intelligence‑sharing role that they’re playing, and I do think it would behoove them to start narrowing that down, even if behind the scenes, there’s a lot of different players because they have different authorities. But it is‑‑it is very confusing, and it becomes a high bar to entry for most companies to try to engage with the government. So, if they want to have “I want more incident sharing. I want more intelligence sharing,” most companies want to know, “Well, what are you going to do with it? What’s the purpose? Okay, fine. I’m ready to do it, but who do I need to talk to?” So I see promise. I like the concepts that they’re implementing, but the reality is they’re going to have to make some hard choices, and some organizations probably need to focus on other things‑‑
MS. MANFRA: ‑‑because they just don’t necessarily have the authorities and capabilities.
MR. PALETTA: You both worked in the federal government for many years through different administrations, and I wonder if the kind of turnover at the White House and the turnover in Congress makes it kind of harder to have that kind of conversation, because these conversations take years, right? You can’t just walk in to someone’s office on Capitol Hill and say, you know, “There’s too many people. We’re confused. Can you just please have one phone number to call?” Is it hard from your perspective because of the changes in Washington every few years to have a sort of continuation of that conversation, or is that just part of, you know, what we’re dealing with in our current system?
MS. MANFRA: I would say for the most part, cyber policy and the approach has been pretty consistent since the late ’90s for better or worse, and really, each successive administration has built off of that. I don’t think you’ve seen sort of massive shifts in, okay, now go do this, like you see in some other areas, mostly because it’s been sort of‑‑it’s a very nonpartisan sort of topic.
I think sometimes, back to your previous question, you do have some entrenched interests sometimes in Congress, sometimes in different administrations of which organization they want to empower. So sometimes, you know, that can have some impact.
MS. MANFRA: I will say‑‑and I know we’ve been talking more about government’s role in the critical infrastructure, external cyber‑‑that one of the biggest impacts it has, though, is for federal cybersecurity, and agencies’ inability to have consistent long‑term funding plans to fix some of their biggest challenges around legacy infrastructure and all of that, that’s where I see an inability to have that long‑term budgeting approach, not just for the agencies, CISA, FBI, and others that we’re talking about but for some of the really critical vulnerabilities internal to the government.
MR. PALETTA: And, Sean, do you think that the‑‑I mean, I imagine if you get a phone call from the government, it can kind of‑‑there can be two different reactions if you’re a private company. It can be like how can I help or like what do you‑‑what’s going on here. You know, can you talk a little bit about how‑‑has that evolved in a better way, or is there kind of some inconsistency that continues to be a problem?
MR. JOYCE: I think it has evolved in a much better way. I think CISA has done a great job reaching out. I think the FBI’s reputation as far as reaching out and being more of how are they actually assisting. But I think it is‑‑it goes back to, as Jeanette was saying, understanding the roles of all of these agencies and what they play, and, like, it’s confusing, Damian, as far as like oversight.
MR. JOYCE: All right. So me, when I was in the FBI, I was in front of HPSCI and SSCI, the House and Senate intel committees, a lot, and judiciary. I never went in front of the Homeland Committee.
MR. JOYCE: But we are operationally in intelligence responsible for cyber in the United States.
So, even at a legislative level, at a policy level, and at an executive level, there needs to be more of‑‑I agree with Jeanette sort of that using the strength and fabric of all those jurisdictional authorities by each agency but really a much better coordination and centralization of that work they do together.
MR. PALETTA: And, Sean, can I ask‑‑I mean, so crypto‑‑when there’s a‑‑sorry. I’m going to ask a crypto question in a second, but when cybersecurity is in the news, you know, people see a big breach or a cyberattack, and they think, wow, you know, I can’t believe this retail company or this government agency was so vulnerable. So there’s a real disconnect between what they hear and what they experience because these are the same people that might click on something they shouldn’t have clicked on, and it just takes one millisecond. Can you explain that disconnect, and has there been progress in terms of getting people to understand that this isn’t just something in the news, it’s something that affects them at work or at home, and kind of what the ramifications of that are?
MR. JOYCE: So I’m going to go way back to 1929, right? We had the stock market crash. That actually caused us to come up with GAAP, the generally accepted accounting principles.
MR. JOYCE: Okay. We’re sort of in this era of cyber where every company I talk to on the board, they’re going through some sort of digital transformation. Technology is the central nervous system of the company. The security of that is paramount to the company; yet, right, I think there’s a lack of understanding of how important sort of the risk that they’re exposing themselves to exists.
So, you know, that’s why I‑‑listen, normally, I am not like, hey, regulation, but I think we need something before‑‑like, we’re seeing what happened at Colonial Pipeline. We’re going to continue to see. We’ve seen some ransomware attacks in hospitals, right? What is going to be the point where we’re actually going to say, hey, there is an expectation like GAAP that every company should have some level of hygiene? And that’s what I think is so important.
I mean, I go every time to companies, just like you said, and it’s just like, “I never thought this would happen to us,” or there is a communication disconnect, right? A lot of times, the CISOs do not speak the same language as the CEOs and the boards, and understanding really what is your risk exposure there, I think a lot of times, there’s a gap that companies are missing.
MR. PALETTA: Until they’re all in the boardroom pulling their hair out and calling you because something bad happened.
Jeanette, I was wondering if I could ask‑‑you know, there’s‑‑the term “digital resilience” gets used a lot when we’re talking about cybersecurity. Like, what does digital resilience actually look like in practice?
MS. MANFRA: Those are easy questions. Very good.
MS. MANFRA: I think it is a term that’s getting used a lot. I think I would‑‑there’s sort of an organizational answer, and then there’s a broader ecosystem global answer, and I think from an organizational perspective, it’s moving beyond strictly thinking about security and thinking about more of an‑‑it goes, you know, back to the cyber framework, NIST cyber framework and others. It’s like, okay, it’s not if but when. So how do I get myself back up and running? How do I make sure my business is not interrupted? How do I intertwine the work that I do around reliability of my IT systems with security and how that can threaten that? So I think that’s the‑‑sort of the organizational side of it is thinking bigger.
And the pandemic also is a lot of organizations are now being forced to think about how their workforce plays into that and how do they have access and how do I keep that going.
And then I think you have to think about it from a national and a global level as well is there are many adversaries that, knowingly or not, because some of this stuff is so‑‑you know, it’s all so interconnected. An adversary could take down critical functionality of the internet globally with potentially not even intending to, and so how do we think about resilience with all of our dependents on digital infrastructure as a country, as allies, as globally? And that is something that is really challenging, but that‑‑again, that gets to the public‑private partnership when you have most of that in the hands of private sector and what are the requirements that they have to keep that up and running.
MR. JOYCE: I’ll just add to what Jeanette just said. So I look at that as like withstanding direct disruption emerging stronger, and if you want to go right‑‑there’s at the macro level, nation state, but when you go to the company level, they’re talking about disaster recovery, business continuity, knowing what your critical applications are, and this is where like the hyperscale is with GCP, Azure, and AWS. They’re vital because it’s so much easier to have those critical applications, data, in the cloud, different regions, that I think really promotes that resilience that we need.
MR. PALETTA: Great. Well, we could keep talking, but thank you so much. We’re out of time. It was really a pleasure. Sean, Jeanette, thank you so much for joining us today.
MR. JOYCE: Thanks for having us.
And my colleague, Ellen Nakashima, is going to be up next with our guest, but please watch this video. Thank you so much.
MS. O’CONNELL: Well, good morning. My name is Sasha O’Connell. I am an executive in residence and on the faculty up at the School of Public Affairs at American University. It’s a pleasure to be here. We do a lot of work with our next‑generation students who are very excited about efforts around cyber policy and cybersecurity. So it’s a pleasure to be part of the conversation. Thank you, Washington Post and CrowdStrike.
I’m here with two folks who need really no further introduction to this group, I know. Adam Meyers, who we know is the senior VP for Intelligence at CrowdStrike, and Chris DeRusha, a federal CISO and deputy national security director for Federal Cybersecurity. Did I get it all in?
MR. DeRUSHA: That’s right.
MS. O’CONNELL: Before I dig in with questions, I wanted to offer you guys a chance for an opening statement. Maybe, Chris, you could do a little bit on your dual‑hatted roles and explain to everybody a little bit about how that fits into the overarching architecture of government’s efforts in cyber.
MR. DeRUSHA: Yeah, absolutely, Sasha.
So I think for especially our industry colleagues, the way I think about my job is kind of a global CISO or enterprise CISO role, which you may be familiar with in a big multinational corporation. So we sit over all of the federal civilian agencies, setting strategy, policy, performance metrics, and really working with our budget colleagues to ensure that we’re adequately resourcing all the initiatives that we’re setting out.
So, about a year ago, actually, Director Chris Inglis came to me and said‑‑came to OMB and said, you know, “I’m setting up my office. I really think that we would both benefit from having a cohesion and fusion between the oversight work that you’re doing and what I’d like to do in my office,” and that is something that we’ve really both benefited from greatly. And so that’s why I like to say I actually have one job in two offices.
MS. O’CONNELL: Perfect. Adam, anything else before we jump in?
MR. MEYERS: No. Just at CrowdStrike, my role, I guess, as background is that running the intelligence program and track over 186 threat actors across the globe that are engaged in espionage, sabotage, disruptive attacks, criminal activity, and hacktivism. So it’s kind of‑‑
MS. O’CONNELL: A slow job, quiet. Yeah, we know.
MS. O’CONNELL: So, speaking of that, Adam, maybe if I can start with you. So the 2022 CrowdStrike Global Threat Report recently came out. Can you talk a little bit about that and maybe specifically what surprised you in terms of trends that came out in that report and study?
MR. MEYERS: Yeah. I think probably the biggest trend that everybody in this room needs to know about for sure would be we’re seeing a move from ransomware threat actors who are focusing more on data extortion activity, and what this really looks like is‑‑you know, typically, with a ransomware negotiation, the game plan is kind of stretch it out, right, to, you know, 25 bitcoin or you don’t get your files back, and they kind of say, “Well, what’s bitcoin? I’m not authorized,” right, to try to make it a long period and then grind them down on price or whatever. And the threat actors don’t love that. It eats into their bottom line and wastes their time, and they get super pissed about it.
And so what we’re starting to see is that they are now moving to stealing data and then leaking it, and so this, you know, really allows them to change the calculus because when they start to say, you know, what’s bitcoin or, you know, I’m not authorized or, like, all right, well, we’re going to leak 10 gig of your data and let’s see if you figure it out real quick, so it gives them control back.
And then the other thing that is happening is that the calculus of pay or not pay is heavily factored in on when data gets leaked, what are the regulatory compliance and legal impact, so that that can be astronomical compared to the ransom demand.
So we’re seeing‑‑and so your question at the threat report, we saw 82 percent of the ransomware actors in the last year have begun moving to data extortion as well, and we’ve even seen some of them are dropping the ransomware.
MS. O’CONNELL: That is interesting and seems like a significant change.
Can you talk a little bit specifically also about the increase in supply chain attacks? What are you seeing there, and what do folks need to know to protect themselves in that context?
MR. MEYERS: Yeah. They’ve been going on for a while, obviously. Everybody is probably very familiar with SolarWinds, but just last week, I think it was, we found a new supply chain attack that we tracked back to China, and in that case, there was 15,000, I think, potential organizations that would have been impacted by the supply chain attack. And so this is something that I think a lot of nation state threat actors are seeing as a viable and important tool in their tool chain to be able to go after really interesting targets, right, find the software and the services that they’re dependent on, compromise that. And it’s an easy in, and we’ve seen threat actors in the criminal space also doing that. So supply chain is something that I think a lot of people have on the forefront of their mind.
MS. O’CONNELL: Absolutely.
And, Chris, in this context, right, this threat environment, there’s been a lot of activity on the part of the administration around federal cybersecurity. Can you give us a little update on what’s going on there and importantly kind of what do you see over the horizon? What do you see as next steps?
MR. DeRUSHA: Yeah, absolutely. So, you know, as Adam has talked about, the threat landscape is constantly evolving, and so, you know, we put a law into motion when we came into office in, you know, kind of May of last year as we issued Executive Order 14028, which is often known as the cybersecurity executive order, issued a companion, National Security Memorandum, to ensure that we’re doing like activities with national security systems from the DoD dot‑mil side. And so, really, largely, it’s about implementation now. We don’t‑‑Office of Management and Budget, we’ve issued over five memorandums of direction. There’s a lot of action out there, and we’ve also just ensured that we’re focusing on organizing implementation now.
So, for example, one of our flagship initiatives is the Zero Trust Strategy that we put out, and what we did there is we ensured that each agency developed an implementation plan and sent it back to us and also put in budget estimates. So now we’re tying our strategic approach, a strategy that we built with industry and public comment, down into budget, strategy‑based budgeting. I mean, this is‑‑we’re really trying to kind of live that ethos.
And so right now it’s largely about ensuring that we’re resourcing those needs and just continuing to see program and figuring out how to measure effectively performance. And to be honest with you, that got tricky after SolarWinds. If you took that moment the right way, you took a step back and said are the ways we’re measuring progress telling us anything meaningful‑‑and we said we’re not sure that they are. We’re telling it’s enough. So we really tried to focus on a lot of the capabilities that take the adversary in lens of how they see us and how they are attacking us and try to drive back our priorities focused on shoring up those risks first. So that’s a lot of the approach we’ve taken. It’s baked into all of the strategies and the policy documents we’ve put out.
MS. O’CONNELL: Perfect. And speaking of other strategies and policy documents, there is so much going on in this space coming out of the White House. We know we’re eagerly anticipating a new cybersecurity strategy coming soon. We hear that’s close. We know coming out of CSRC that CISA and others are involved in public comment period around reporting and mandatory reporting. We know coming out of the White House Summit on Workforce, there is a request for information on solicitation for input on strategies there. Can you help us put all of those pieces in a little bit of context?
And, also, maybe for folks, I know, including my students to‑‑a shoutout‑‑who are online, how do folks who are interested get engaged, stay engaged at every level with all of these pieces in play?
MR. DeRUSHA: Yeah. So a great question. Look, having the opportunity to develop a national cyber strategy is a fantastic one. You can reinforce and kind of pull together all the pieces of your implementations into one coherent place and forecast the direction that you’re headed. So that’s what we’re doing there.
And so everything that you mentioned, all the other initiatives, whether it’s ensuring that we get incident reporting right‑‑and that’s the one request for information you mentioned‑‑workforce. There’s another request for information we’ve put out on the workforce strategy because what we know is there’s innovation locally with nonprofits at states, and we need to capture and understand that. And then our role is to lift it up and to kind of support that from the federal level.
I think the theme of how do you stay involved is we’re going to keep asking for help. I mean, if you look at kind of any of the initiatives we’ve put out, we’re really seeking industry, research community, academia’s input and feedback, whether it’s informal or whether it’s, you know, with formal questions we put out. So keep watching for those things, as there is the number one thing, because we do read and digest the stuff that comes back. And we can’t always integrate everything, but we try.
MS. O’CONNELL: Perfect. Thank you.
And for both of you‑‑maybe, Adam, starting back with you, so much discussion also recently in this context about the need for cyber expertise at the executive level, right? I heard this discussed even earlier this morning, both in government where we are today on that and certainly in the private sector. Can you both offer some insights, where you think we’ve been, where we are, and where we’re going in that regard, with sort of agreement that it’s need? But how are we doing in that space, both private sector and public? Adam, maybe starting with you.
MR. MEYERS: Yeah. I think we’re doing a lot better than we probably were. I think I see more and more engagement at the executive level, at the boards. I mean, that’s where‑‑that’s their top priority these days, right? Like, when boards think about what are the critical risks to their business, cybersecurity is always at the top of that. And the Congressman and I were talking earlier, and he was saying that that was the number one threat, you know. When he came in, it was radical extremists and things like that, but now it’s cybersecurity, and that, I think‑‑the theme of this, right, an all‑hands effort is really what this comes down to, right? It takes public sector, private sector working together and bringing not just at the top but also from the bottom up, right? We need to be bringing more people into the workforce, your students, but I think we need to go even lower in the grade level and start pulling them out of junior high school and things like that and really getting STEM programs going to make this a much more preeminent and well kind of resourced capability.
MS. O’CONNELL: Thanks. Thoughts on that?
MR. DeRUSHA: Yeah, I agree with Adam. In the public sector, it’s definitely getting better, and there’s a lot more awareness than maybe a decade ago and the agency head, the cabinet level, having regular meetings with their IT and security teams and kind of understanding their challenges and how they need to help with the budget side or the human resource side and procurement side, all of the key enablers to being a good CIO or CISO in organization. So that’s definitely a positive trend.
But, look, you know, I will say I’ve seen data recently where it just shows that public sector globally is significantly lagging, right? It’s lagging tech and retail and a lot of‑‑entertainment, travel. And, I mean, that makes sense. These industries are all competing and kind of need to have state‑of‑the‑art digital strategies to survive, and government‑‑as those of you know who do government, I mean, every day is a challenge. Your remit is so large, right, and it’s sometimes hard to kind of have digital strategy at the top of your mind. And so I think that that’s what it is. It’s really educating not just senior leadership, but it’s also just the kind of line leadership across organization, the business for government that where here digital is anything and everything you do, cybersecurity is ensuring you can do that. It’s that simple, and that’s all we’re here to do. And we do understand sometimes we’re being destructive to that mission. We don’t want to be. We as security professionals have to get better about thinking user experience, customer experience. We roll out our security solution; this is something new. So it’s‑‑but we have to meet somewhere in the middle, right? Like, these two sides have to meet somewhere in the middle.
MS. O’CONNELL: And to push on that just a little bit, to get there, something we do research on and programming on and curriculum monitoring we do is inclusivity and diversity, right, of the voices in that space, different perspectives, right, different backgrounds, multidisciplinary. Can you talk about your experiences in that regard in terms of cyber workforce and where you see that in maybe your organizations or private sector and government more broadly?
MR. MEYERS: Yeah, absolutely. You know, I’ve been super fortunate because with the intelligence space, we have people coming from so many different backgrounds. My team is very diverse. I think 33 percent female on the team right now. So that’s, you know, I think well above what the industry standard is, and that’s not common across cybersecurity because it is not a very diverse‑‑or, you know, in terms of personnel, it’s pretty monochromatic.
So I think, you know, one of the things that we’re really working on is our internship program and being able to pull, and I think we hire something like 90 percent of our interns every year, that‑‑it’s incredible. And the interns really are one of the things that are kind of bringing a lot of that diversity into the workplace, so it’s great.
MS. O’CONNELL: Perfect. How do you say, Chris, on your side?
MR. DeRUSHA: Well, you know, for this administration, diversity, equity, and inclusion is just a key principle that we organize around. You saw that in the executive order the president issued in June of last year. That’s about integrating into daily operational activities. It’s woven throughout the president’s management agenda. So I think you kind of have to start there, and it helps matriculate down that that is the expectation of leadership. And you can expect to need to justify your hiring decisions and other things to ensure that you’ve really sought a diverse pool of candidates.
And, listen, like, you have to really work at it. Do you know what I mean? It has to be something that’s important to do, and you really believe‑‑and we do‑‑that you’re going to get better outcomes if you have people who’ve seen the world in a different way and kind of interact and challenge each other in a way that if you have too many like‑minded people, they‑‑you know, they’re not going to do that, just because they don’t know what they’re missing in.
But, you know, I’ll tell you also we have to start building this pipeline younger. And again, back to before this job, I was chief security officer a couple jobs ago for the state of Michigan, you know, did a lot of work with city of Detroit, some fantastic innovation there just, ground up, of nonprofits. People coming from the community are saying we can get really good jobs in this community, and we see the potential. And they’re just creating coding schools and, you know, security programs, lifting each other up. That’s the type of stuff that we want to harness and just say how do we help that. You know, how do we pour water on that?
MS. O’CONNELL: Absolutely. With just 30 seconds left, any final thoughts, what’s so awesome about this platform maybe reaching folks who maybe didn’t think they were interested in this space but are? Any final thoughts or recommendations or inspirational words for folks how to prepare and get engaged in this fight?
MR. MEYERS: Yeah. I think the mantra I’ve been kind of communicating to a lot of people is that with that data extortion and some of the things that we’ve been seeing that we really need to be moving to protecting identities. Every hack that you can think of has had a user name and password compromised at some point, and so I think, you know, from my perspective, the mantra needs to be moving from trust but verify to verify then trust.
MS. O’CONNELL: Perfect. Thanks.
MR. DeRUSHA: I’ll speak to your students, I suppose. Think about this. You know, there’s fantastic career mobility in this space. If you’re not sure what you’re passionate about, you can choose a field of cybersecurity, come in, and you can work in any industry because they’ll take you.
So just think of it that way if you’re considering whether you want to pursue this as a profession. We need you, and it’s a very rewarding one.
MS. O’CONNELL: Perfect. We’re actually over time. So thank you both so much, and back to Washington Post.
MS. NAKASHIMA: Hello. I am Ellen Nakashima, national security reporter for The Washington Post, and I’m pleased to have here with me today, Anne Neuberger, deputy assistant to the president and deputy national security advisor for Cyber and Emerging Threats, to discuss the cyberthreat landscape.
Anne, welcome to The Washington Post.
MS. NEUBERGER: Ellen, it’s great to see you, and it’s great to be here.
MS. NAKASHIMA: Well, let’s start with sort of a broader geopolitical context. We’ve got the midterm elections coming up in less than a month. Anne, tell us, are you seeing any uptick in malicious cyber activity from any of the major adversaries, Russia, China, North Korea, Iran, in any‑‑in any field, and what, if anything, has changed in the global cyberthreat landscape since this time last year?
MS. NEUBERGER: That’s a really foundational question. So, taking a step back for a moment, as a country, as countries around the world, we’ve become increasingly digitized. Everything we do as individuals, our infrastructure, as countries from power systems to water systems are increasingly connected. So that has provided an opportunity for adversaries of any kind to use cyberattacks either to collect intelligence or to potentially degrade or disrupt.
Following Russia’s invasion of Ukraine and the run‑up, we warned about the threat, given Russia in the past has used cyberattacks to coerce foreign governments, to undermine populations, and that is certainly a threat we’re increasingly concerned about. We’ve watched Russia use destructive capabilities against Ukraine as part of their initial invasion. Our expectation that there would be additional Russian cyberattacks hasn’t necessarily panned out, but we still believe they have the capabilities to do so, and that’s a call to responsibility for us as Americans, as individuals, as the private sector, as the government to double‑down on addressing our defenses.
From a gaining funds through cyberattacks, North Korea is a surprisingly innovative and capable adversary. Hacking specifically the cryptocurrency infrastructure in novel ways to glean large amounts of funds‑‑when I say large amounts of funds, for example, I’ll point to a hack against a particular cryptocurrency platform that gleaned at the time $600 million in crypto. So that is an area we’ve put a lot of focus. The Biden administration has put a lot of focus in really looking to see how do we make it costlier, riskier, and harder for North Korea to fund its weapons program, its missiles program via hacking of cryptocurrency infrastructure.
Iran remains a capable cyberthreat. Iran remains an entity that continues to undermine the Middle East, and cyber is certainly a tool in its toolkit.
And, of course, we’re continuously focused on China, which we believe has a very well‑funded program primarily focused on intellectual property theft, affecting countries around the world, but also really gaining access to critical infrastructure, which we fear could be used in the future to coerce or undermine governments.
So that’s a quick run through the key adversaries you asked about, who each use malicious cyber activity in different ways as part of‑‑integrated as a tool of their national security goals.
MS. NAKASHIMA: And I know the audience here just also wants to know whether, given we’re only a few weeks out from the election, you all are seeing anything new or concerning. I know the FBI and CISA and ODNI have spoken to this, but you from your perch and vantage point overseeing sort of this area, have you seen anything that we should be worried about?
MS. NEUBERGER: Elections are a benchmark of our democracy, and ensuring that they are safe and secure and citizens have confidence in integrity is a priority. I think you saw General Nakasone’s comments yesterday where he noted he’s not seeing specific new cyberthreats. There’s been a great deal of work across agencies, really that lead on this effort. You’ve seen, for example, CISA host a table‑talk exercise, FBI and CISA do a joint public service announcement. So agencies are really leading on this work all the way across from tracking intelligence threats to ensuring we have confidence in election systems, and that there’s a lot of work there. But I’ll reference General Nakasone’s comments, which were really an excellent review of what he saw in terms of no new threats in this area.
MS. NAKASHIMA: And Anne used to work closely with General Nakasone at the NSA, so she knows.
You mentioned Russia has not carried off these sorts of impactful cyberattacks some people feared they would in Ukraine or of the West for that matter. Why do you think that is? To what extent was it the same ineptitude that applied to their overall military invasion, and to what extent was it just improved defense on the part of the Ukrainians and allies?
MS. NEUBERGER: So, when Russia conducted its invasion, we saw that invasion accompanied by initial destructive cyberattacks; first, kind of digital vandalism taking down core government websites, core Ukrainian government websites, and then conducting a disruptive cyberattack on satellite communication systems in Ukraine that had an overflowing effect in Europe. In fact, because of that was really the reason that the European Union and the U.S. supported that, made a point of both attributing that attack on communications infrastructure to Russia and calling it out in that way. But we certainly saw Russia begin its invasion, integrating cyberattacks, and then have seen some follow‑on attacks against Ukrainian infrastructure, but not to the extent, I think, that we expected.
That may be, as you noted, the same degree to which the invasion was kept very close‑hold. Effective cyberattack activity takes planning. There’s also a tradeoff between using accesses for intelligence collection or attack, and it may well be that as the invasion went poorly and continued to go poorly, the priority was placed on using those accesses to Ukrainian infrastructure for intelligence. That being said, it remains a threat, and we continue to be focused on it.
The second point you made is such a key one because those who work cybersecurity can continuously feel, you know, demoralized. There’s always a new article or some new information about the latest attack technique, and as we know, technology is not built today for the threat it faces. And I know we’ll talk a bit more about that later.
So, as a result, folks who work cybersecurity can sometimes feel like it’s a losing battle. I think Ukraine proves the value of preparation and partnership.
After Russia’s first invasion in 2015 and the disruption of Ukraine’s power grid, Ukraine put a focus on really addressing the security of their power grid and made that a priority, investing time, attention, good people. The United States supported it, and other countries supported it as well and really invested a multiyear effort.
And, indeed, in the run‑up, as we saw the intelligence and started to raise concerns regarding a potential Russian invasion, we doubled down on that work. We had a team come from Ukraine, from their core energy provider, working with the Department of Energy. We had teams working remotely to ensure that they were as protected as they needed to be, and I think we’ve seen that that has made a difference. So that, both preparation and the partnership, the recognition that as countries, when we see adversary tactics and techniques, when we learn of creative ways to secure, we share that. That’s another core takeaway from the Russian invasion of Ukraine, and it’s led, in fact, to one of the areas we’ve put a lot of work into, which is doubling down on building a cyber defense capability, a rapid response capability at NATO, so that while Ukraine is not a NATO member, obviously. So that if there are cyberattacks against NATO members, we as a group of countries can pool resources and rapidly respond in an effective way.
MS. NAKASHIMA: Well, for instance, take Albania, which is a NATO member and earlier experienced some series of DDoS attacks from Iran‑‑and I think Politico reported earlier that they were actually considering invoking the Article 5 mutual defense provision, which it sort of says an attack on one is an attack on all, but they didn’t. But, if they had, what could and would the member allies have done in response? Would it have been mainly rapid response sort of incident response? Can you talk a little bit about that, and did we help?
MS. NEUBERGER: So one key focus of the‑‑one focus of the president, of the Biden administration, has been a focus on international norms and a focus on where they don’t exist, creating them, and where they do exist, ensuring that we work on implementation and consequences for violation of them with other countries.
So I’ll note that when Iran attacked Albania, really the‑‑Albania took down their government services. When we attributed that to the Iranian government, we started working closely with our European allies and partners because Albania is on the doorstep of the European Union, a member of a part of Europe, to say when one government attacks another government, that’s counter‑international norms, we need to both call it out and then put in place consequences to show that norms matter. And you saw the Treasury’s designation of the MOIS as part of that. We certainly deployed a team to help Albania rapidly recover. Other European governments did as well. I think we see areas to improve our coordination in that space so that we can rapidly put folks on the ground, but we had a team, an FBI team on the ground working closely with the Albanians, helping them recover, and we’re looking forward to continuing to work closely with them to ensure that they can lift up the quality of their cybersecurity moving forward.
MS. NAKASHIMA: Okay. So I’d like to turn now to domestic issues. You know, the strengthening of American critical infrastructure has been one of your‑‑the Biden administration’s major priorities and one of yours since becoming deputy national security advisor, and regulation, which used to be sort of the third rail for policymakers, is actually now one of your tools in your toolkit. This administration, I think, has really shifted the conversation and actions in that area. I think Colonial Pipeline, it was a large part of that, and you were very much in the forefront of that. Talk a little bit more about how the Biden administration, which has already instituted regulations on rail, pipelines, and aviation, but using executive authorities‑‑how are you using these authorities? Are you‑‑what other sectors are you looking at imposing regulations on? What sectors do you not have authorities for that you will have to go to Congress?
MS. NEUBERGER: President Biden initially, really from the outset, said that security abroad begins with security at home. Confidence abroad begins with confidence at home. And a key way to deter adversaries in cyberspace is to know we have confidence in the level of security, that we’ve locked our digital doors and put on our digital alarm system.
That was not the case, right, over the last decade. We talked a lot in cybersecurity about increasing information sharing. We talked a lot about public‑private partnership, but we didn’t talk about the reality that, you know, if you’re living in an unsecure neighborhood, which fundamentally cyberspace is, and you leave the door wide open and a window propped up, you’re not as secure as you need to be.
And so, you know, beginning‑‑at the beginning of the president’s administration, we began with innovative public‑private partnerships focused on industrial control systems, since that’s been an increasing area of focus, given the potential to disrupt an actual control system.
When Colonial occurred, we took a hard look at that and said Colonial gas is status quo, the idea being that you can have a major gas provider serving the entire East Coast, and the Transportation Security Administration, you know, does not have in place a standard for whatever expectations are for the cybersecurity of their networks, what our expectations are for the separation between the IT corporate part of a network and the operational part of a network that runs a major pipeline that can potentially cause a hazardous spill.
So, following that‑‑and a credit really to Secretary Mayorkas’ DHS’s leadership, David Pekoske, the Transportation Security Administrator’s leadership, we did a rapid review of existing authorities, and we saw that TSA had emergency authorities to mandate minimum cybersecurity thresholds for the sectors it oversees, which are the transportation sector, which as you noted has five key subsectors‑‑aviation, maritime, rail, oil and gas pipelines. And TSA began issuing a security directive that summer for oil and gas pipelines. They learned, you know, when that first was issued, companies quickly said, you know, “What’s going on?” And we learned that a foundational step had to be bringing in executives from the sector, Ellen, giving them a classified threat brief, so they were operating off the same information as the government and truly became a partner.
So TSA came to us in the White House and said it would be very helpful if we brought these executives together, provided them a classified threat briefing, and explained to them the context of the kinds of threats they face, much as you asked me in our first question. We brought them in, and TSA adjusted their security guidelines based on a back‑and‑forth with the sector and then used that model for the next, as you noted, for rail.
There are 57 critical rail entities in the country. That’s another key part of the approach, which is to say this doesn’t apply to everyone. A careful look by the sector lead agency who understands the sector, who says who are the big players, who are the players who a disruption of their services would impact Americans broadly would prevent the military from being able to deploy troops in the event of a conflict, those are the ones we’re focused on.
So TSA identified 57 rail entities, 104 air entities, whether airports, airlines, cargo airlines, brought them in, gave them a threat brief, and issued a security directive, and then refines the security directive as well. So you’ll be seeing shortly, very soon, an updated rail directive based on those interactions‑‑the first one was issued in December of ’21‑‑and shortly as well an updated aviation directive, the first one issued last November and updated this winter as well with these interactions. And that gives us confidence in what are the minimum cybersecurity standards in place.
MS. NAKASHIMA: And what sectors might we be looking to next for new standards?
MS. NEUBERGER: The next we will be seeing will be communications‑‑
MS. NAKASHIMA: Communications.
MS. NEUBERGER: ‑‑the FCC issuing a public notice regarding a rulemaking for emergency and public warning systems.
Water. Again, a creative approach the EPA will be using‑‑a thank‑you and a shout‑out to Michael Regan and Janet McCabe at EPA‑‑who are taking the approach to say an existing legislation that calls for safety and security of water, that includes cybersecurity as well.
And then health care, HHS coming out, beginning to work with partners at hospitals to put in place minimum cybersecurity guidelines and then further work upcoming thereafter on devices and broader health care as well.
MS. NAKASHIMA: And are there sectors where you’ll have to turn to Congress for authorities to impose standards?
MS. NEUBERGER: It’s a great question. So looking across the‑‑there are 14 critical sectors with another five subsectors, like I mentioned transportation. Across them, there’s really three categories. In some cases, like I noted in transportation, there are adequate authorities to put in place those minimum cybersecurity guidelines; for others like EPA, creative interpretations that say clearly safety and security means cybersecurity as well. And, finally, for some, like critical manufacturing or DHS’s emergency services or information technology, there are not authorities, and we’re looking carefully at those to say what is needed in this space and how do we approach this.
MS. NAKASHIMA: So the United States has been slow to the regulatory arena. Other countries have gone before. Can you just really, briefly, quickly‑‑what lessons you’ve learned from them and how you’re applying them?
MS. NEUBERGER: So being pretty much last in the race on putting in place standards for critical infrastructure among our peers has, as you noted, a silver lining in that we can learn from so many of our peers. The European Union put in place their first requirements for critical infrastructure several years ago. There’s a second version that updates in a draft. Australia passed legislation, as you know, this past summer that puts in place standards for critical infrastructure and expectations for technology as well, and I want to talk about the technology aspect as well. So those are two examples of countries where‑‑of entities we’re learning a lot about because we’re all using the same technology, and we’re all working to balance, obviously, you know, ensuring that we have confidence in our critical services, ensuring our citizens have confidence in our critical services. And recognizing that these are private sector owned and operated, the private sector must be a key partner in the design but also has a different set of incentives, right, clearly view this‑‑view cybersecurity often as a cost, and we from a government perspective put overall the top priority is avoiding disruption of critical services. So working together gets us to the right balance in that way.
MS. NAKASHIMA: Okay. We have a few minutes left. I wanted to get to ransomware, which has maybe faded a bit from the headlines, but is still a major problem for, as we’ve heard, companies, schools, hospitals. You have a major global ransomware summit coming up at the end of the month. It comes after roughly a year of work, with over 30 partners around the world, including major global south members like India and Brazil. What’s the top achievement you can point to that has come out of that year’s worth of work and effort that we don’t know about?
MS. NEUBERGER: First, as you noted, criminals are really taking a toll, disrupting critical services around the world. We saw Costa Rica, significant impact, really disrupting their government’s operations via what we believe is a Russian criminal ransomware group, Montenegro more recently, hospitals in France and England, hospital chain in the United States, and certainly, over Labor Day weekend, we surged support from the federal government to ensure the L.A. school district could rapidly recover and open schools Tuesday morning.
So ransomware, criminal use of vulnerabilities in technology, and harnessing that is a major‑‑is a major global worry, and as such, we saw the opportunity for the U.S. to lead by bringing partners in around the world, both to build capacity in areas like how do you do blockchain analysis so that if a criminal is being paid via the blockchain, we can rapidly identify the wallet and work to recover the funds, work to trace it to who the criminal entity is. Resilience. How do we ensure that we could defend against ransomware, greatly encouraging, for example, backup systems, multifactor authentication. Diplomacy. How do we ensure that it’s a norm not to harbor these criminal actors or to respond when those actions are taken?
So we stood up‑‑as part of the president’s focus on alliances and really the United States being a global leader, we stood up an international counter‑ransomware initiative last October. It was the first virtual session‑‑you know, across that many time zones, everybody was‑‑everybody compromised a bit‑‑with five lines of work in that area, some of the notable successes over the last year.
India and Lithuania, a large country and a small country, both very concerned about Chinese cyberattacks, Lithuania because of its principled stand on China and Taiwan, India because of views really China as a peer competitor, they led global resilience exercises, one for the east part of the world where they had roughly 25 countries participating, one with 13 countries on the western side of the world, bringing countries together to share techniques, to share what they knew, and to really partner.
Similarly, the Treasury Department hosted a blockchain analysis workshop, bringing countries around the world to teach them how to secure virtual asset service providers, how to trace the blockchain and find illicit use of cryptocurrency. And we have some really cool efforts that will be worked on and announced at this two‑day summit at the end of the month.
MS. NAKASHIMA: Do you want to give us a little preview?
MS. NEUBERGER: You know, when Ellen asks, you say all these agencies are super excited about their announcements.
So, a little, we’ll be talking about an investigator’s toolkit that our Australian counterparts have built to help an investigator quickly trace. We’ll be announcing the operationalization of the partnership to where‑‑a great example is, you know, we’ve been grappling with some recent ransomware attacks with a new variant. Today in the as‑is world, if in the U.S. we see a ransomware attack and it’s a new variant, there is no quick way to reach out to peer law enforcement entities or intelligence services around the world and say, “Has anybody seen this? Do you know who it is, and do you know how do you defend against it?” That’s something we intend to change, and we’ll be putting in place the operational practices and the law enforcement partnerships to be able to do that as well.
MS. NAKASHIMA: Okay. You mentioned you wanted to talk about technology. Hopefully, this will give you that opportunity and platform. There’s been much attention paid to the Chinese‑‑the threat from Chinese government presence in 5G communications, for instance, in the United States and Europe, for that matter in Africa and Asia. So how much of that is a concern for you? And talk a bit about the‑‑how you’re grappling with that.
MS. NEUBERGER: How we’re grappling specifically with?
MS. NAKASHIMA: With the Chinese government.
MS. NEUBERGER: Absolutely. So there’s two parts to that question. One is China is a major technology provider. China has a set of rules requiring, for example, data providers to share government‑‑to share information with the Chinese government, and we know the Chinese government’s focus on surveillance, use of artificial intelligence to draw insights regarding individuals, surveil, and then pursuit.
So our first focus was in the area of telecommunications networks to say if you have a major Chinese provider in a telecommunication network, it’s virtually impossible to have full confidence in the security of that network. Yes, one can use encryption to encrypt the data on the network, but cables can be tapped, et cetera, and that’s what really led the administration to make a hard push against Huawei and Chinese providers in 5G networks and press for progress in open standards approaches that use cloud and software‑based approaches rather than, you know, hard‑core equipment providers where we lack the confidence in Chinese providers, and open standards allows us to have an economically viable way to compete with Chinese subsidies.
So we’ve made a big push on that. In fact, we’ve had, you know, delegations right now, actually, in India. India will be rolling out 5G, a very aggressive rollout, by the end of 2023, incredibly aggressive given the scale of India. The approaches used there clearly will have global impact. They’ve banned Huawei from their telecom network, but our goal is also at least having some implementation to use open standards, to bring down the cost of components, and show that it is a viable approach for a large‑scale network.
There are existing rollouts in the United States, in Las Vegas, for example, in Japan, but we know that India is a core market, particularly for the global sat. So that’s been one area of focus as well as a real focus on what are the rules around building software, deploying software so that one can have confidence in it.
MS. NAKASHIMA: Okay, great. I got permission to go a little long because I just wanted to ask you a question about your job. It’s really a brand‑new job. It was‑‑has never existed before in any administration, right, this “deputy national security advisor for Cyber and Emerging Technology.” And at the same time, this shows that how cyber is such a growth industry in government, right? We have CISA. We have this new cyber in diplomatic job at state, and Congress created the job of the national cyber director of the cyber czar, which Chris Inglis has, your colleague. But, at the same time, before‑‑after you came in, you’ve had so many‑‑Chris Inglis has really beefed up his position with more than 60 staffers. CISA is really getting very well established now, and there‑‑how do you‑‑how do you view your role going forward where especially when you have things like Colonial Pipeline, Microsoft Exchange, which are arguably more domestic responsibilities falling under, say, the cyber czar or CISA? How do you see your role evolving throughout this administration, maybe even in future administrations?
MS. NEUBERGER: So the concept behind President Biden, and my boss, Jake Sullivan, creating the role is to say cyber and emerging technology are core parts of our geopolitical approaches. It was the first question you asked me‑‑
MS. NAKASHIMA: ‑‑when you said when Russia was invading Ukraine, clearly disrupting satellite communications was a part of that approach.
Similarly, when we think about Russia’s attempt to coerce or undermine the Ukrainian population, disrupting critical infrastructure, shaking a population’s confidence in their government’s ability to provide for them is a geopolitical approach. Our competition in digital assets, ensuring that we maintain and we’re innovators in quantum, in crypto, et cetera, is so key. So I’ll get‑‑you know, so their core goal is to say we need somebody on the National Security Council‑‑
MS. NEUBERGER: ‑‑team who serves to integrate and bring together our policy and strategy across that, as you noted, and really in our conversation, we talked about so many different components of cyber. We talked about Treasury’s role both in designating and implementing consequences for violation of norms, in pursuing crypto, illicit use of crypto. We talked about CISA’s role from a resilience perspective. We talk about the intelligence community’s role in understanding how countries seek to use emerging technologies or cyber to achieve their national goals. We talk about the FBI in terms of disrupting criminal networks around the world, and certainly state diplomacy, norms, implementation is such a key component.
So my job and really the role of the National Security Council is bringing those elements together so that we have one comprehensive government approach, but working with our allies and partners around the world to do the same, and that we maintain the U.S.’s leadership as an innovator in emerging technology, as an implementer of international norms in areas like cyber as well as focusing on that relentless pursuit of resilience at home.
MS. NAKASHIMA: So coordinating, convening roles, so it’s team sport.
MS. NAKASHIMA: Thank you very, very much, Anne.
We’ll continue to follow this closely, and unfortunately, we’re out of time for today. But, Anne, thank you so much for joining us today.
MS. NEUBERGER: Thank you, Ellen. Thank you.
MS. NAKASHIMA: And thanks to all of you here today for our cyber event and online, our people online for joining us.
This concludes today’s “Securing Cyberspace” event. For more information about upcoming programming, please visit us at WashingtonPostLive.com.
I’m Ellen Nakashima. Thank you again.