On Iranian and North Korean cyber activity:
Those two actors are very different in their motivations and how they proceed. The Iranians view their cyber activities as proportional responses to things being done to them, things related to sanctions of various kinds. They also view their activities as part of their goal to be a regional dominant player, and so cyber is an important component of that.
The North Koreans, on the other hand, use cyber as a means to also avoid sanctions, but in a very different way. They’re using them for overtly criminal activities, like their theft of funds from the Bank of Bangladesh, other bank robbery-sort of things that they’ve done, and their use of the WannaCry tool to attempt to get ransom payments from people. And then their alleged activities in the theft of bitcoin as well.
I think with Iran—we need to engage Iran as a regional player, look at what motivates them, what are the levers that would let us be successful in attempting to modulate their behavior. In the case of North Korea, they’re acting like an outlaw, so that’s a different set of levers we would use.
On why the U.S. government curtailed the use of Kaspersky Labs software, and whether additional international software companies will see bans by the U.S. government:
There are two countries that I principally worry about in this space. One is Russia, and for obvious reasons; there’s a law that requires all Russian companies operating anywhere in the world and all companies from anywhere operating in Russia to, on demand, provide information to the organs of state security.
The other country that I worry about in that space is China. China is strong in communications and information technology, and their companies are essentially state-owned enterprises that are, again, legally required to provide information on demand to the Ministry of State Security.
When entities from those countries are in U.S. networks, that’s a cause for concern.
The Kaspersky decision was evidence-based. It wasn’t on a whim or “just because they’re from Russia.” There was actual evidence—I can’t talk about that, because it’s classified—but there was actual evidence that indicated they were doing things we would not want them to do in U.S. networks. So I think, in those cases where there is evidence, you will see actions like that.