Meeting

Cyber Collaboration in the Age of Hybrid Warfare: A Conversation With Jen Easterly and Paul Nakasone

Tuesday, October 11, 2022
Speakers
Jen Easterly

Director, Cybersecurity and Infrastructure Security Agency; CFR Member

Paul M. Nakasone

General, U.S. Army; Commander, U.S. Cyber Command; Director, National Security Agency; Chief, Central Security Service

Presider
Dina Temple-Raston

Host and Executive Producer, Click Here Podcast, Senior Correspondent, The Record; Former Investigations Correspondent, NPR; CFR Member

TEMPLE-RASTON: Well, welcome to today’s Council on Foreign Relations meeting with CISA director Jen Easterly and General Paul Nakasone. I’m Dina Temple-Raston, and I’m the host and executive producer of the Click Here Podcast, which is about all things cyber and intelligence. Which is why I’m here. You may remember me from NPR. So if you feel more comfortable closing your eyes when I speak—(laughter)—I’m used to having that happen, and please feel free to do that.

So as probably everyone here knows, Jen Easterly of CISA has been behind the so-called shields up campaign to protect the U.S. from cyberattacks. And General Nakasone is the head of the NSA and CYBERCOM. And today we’re here to talk about cyber collaboration in the age of hybrid warfare. And it’s a rare treat to have both of you together on the same stage. So please join me in welcoming them to the Council on Foreign Relations today. (Applause.)

So, General Nakasone, I wanted to start with you. Russia is top of mind now, not just because of Ukraine but also because—as you said in the green room—we’re thirty days out from the midterm elections, which is astounding to me. What’s surprised you most about how the war in Ukraine has unfolded in the cyber realm?

NAKASONE: So I think a couple things. And before I begin, first of all, thanks to the Council on Foreign Relations and, Dina, yourself. And really nice to be back with Jen, my colleague and good friend.

As we think about Russia and Ukraine, you know, I would say the first thing that we certainly point to is the fact that we have learned a tremendous amount in terms of, you know, how do we look at cybersecurity and how do we look at it differently? When we talk about the Hunt Forward teams from U.S. Cyber Command, we can certainly talk about the public piece that has been so, I think, helpful to what has gone on. I think the other piece is due credit to the Ukrainians in terms of what they’ve been able to do to harden their networks, to understand what is going on, to be able to be a step ahead of what the Russians are doing.

TEMPLE-RASTON: Well, so this gets me to the point of Hunt Forward, which I think is an initiative that’s quite interesting. I wondered if the reason why we hadn’t seen more from the Russians in the beginning of the war—I know there were lots of attacks—but something that wasn’t more crippling was because of Hunt Forward. That, in fact, teams were there for ninety days before the—U.S. teams were there for ninety days before the invasion. Did you guys find things and sort of take them away? When they went to go and be used, were they not there?

NAKASONE: So this is really an interesting story. As I’ve talked a little bit about this, we sent a team on the second of December, led by a Marine Corps major. And her guidance was this: Hey, go help them and make sure that they’re ready in terms of anything that may occur. She called back within the first two weeks and said: Hey, instead of coming home for the holidays, we’re going to be here for a while. First lesson learned, presence matters. We’ve learned that again in terms of not only were we able to assist Ukraine in terms of the networks they looked at, but interestingly enough as you have a presence on the ground all the malware that’s coming in, it's coming to this team to say: Hey, can you help us? And so while I would certainly not say that’s the key reason, I think it’s a contributing factor. You know, having ten folks on the ground that are tied back to our command and our agency, that’s a power that I think is really helpful.

TEMPLE-RASTON: And you said it was ten people that you—

NAKASONE: Begins with ten, and then we surged to well over thirty. And so we had flooded the zone. And in terms of—just to kind of give you a metric, you know, since 2018 we have done thirty-seven operations, twenty nations, on fifty-five different networks. This is, you know, an opportunity for us to help our partners. It’s also a way that we think about how do we secure the United States and how do we look at the malware that we see? Because every time we see it and then we share it with industry, we inoculate all of that badness that comes with those actors doing that type of work.

TEMPLE-RASTON: So can you explain how that works, Jen? So they find something bad in a Ukrainian infrastructure network. How does that information flow to you? And how does that then flow to American industry?

EASTERLY: Yeah. It really speaks to—we were talking a little bit earlier about this virtuous cycle. And it’s about collaboration, which is, of course, what this whole talk is about. And I was mentioning to Dina that where you see things on foreign networks through Hunt Forward or persistent engagement missions, and you share that with the wider community, we use that to inoculate the dot-gov, the federal civilian executive branch that we’re responsible for protecting. And it also goes to industry, whether it’s the DIB, but it also goes to the wider industry, other sectors where we work as the national coordinator for critical infrastructure security.

So it’s a bit of a virtuous cycle because we will also see things on the dot-gov or from our industry partners that we can give back to Paul and his teams, and they can actually do something about the infrastructure. And so that level of collaboration—certainly I have not seen that before. I didn’t see it when I was at Morgan Stanley before I came back to CISA. And I think it’s one of the great things that we’ve been able to put together over the last couple years.

NAKASONE: It’s about getting to scale, Dina. It’s this is what we learned, right? It’s not, hey, I can help, you know, ten thousand, a hundred—we’re talking 400 million, 1.5 billion end points that now have the information that this malware’s being used. And think about that. If you are an adversary producing these types of tools, suddenly with the work of, you know, CISA and Cyber Command and NSA, we have that ability—working with the private sector, that’s so critical—to be able to provide that information.

TEMPLE-RASTON: And is it happening now just because we’ve reached critical mass? Or is it happening now because industry understands it better, the DIB, defense industrial base, understands it better? Why do you think this collaboration—aside from the fact that you have worked together a lot—why do you think that this collaboration is working now?

EASTERLY: I mean, I’ll start. I think some of it is the amount of laws in place that we didn’t have in place. There was a lot that came with the establishment of CISA in 2018, and really the NDAA in 2021, that gave us the ability to set up something that we call the JCDC, or the Joint Cyber Defense Collaborative. Which is unique for two reasons, in particular. First, it’s the only federal entity that, by law, brings together the whole federal cyber ecosystem.

So CISA, NSA, FBI, CYBERCOM, DOD, DOJ, ODNI on one platform to work with the private sector, our international partners, our state and local partners, so that we can create shared situational awareness of the threat environment and a picture that enriches what the private industry knows, what the state and local governments know, what our international partner knows, so that we can put that picture together, connect those dots in a way that we’ve never done before, and then drive down risk at scale.

So we stood that up in August of last year. We’re very closely connected in with Paul in the Cyber Security Collaboration Center. And the other point that I would make is one of the things that we developed is what we call the JCDC alliance, which are the twentieth biggest technology partners. So think internet service providers, cloud service provides, infrastructure, cybersecurity vendors. Why? Because they underpin all of our critical infrastructure. And that’s the technology that gives the visibility to be able to understand malicious activity before it actually occurs.

I don’t think it was lost on anybody that SolarWinds was first discovered by FireEye, a private-sector company. And they’re very likely to see malicious activity here at home on critical infrastructure. And so pulling that all together, enriching it with what NSA and CYBERCOM sees, what FBI sees, what we get from our international partner I think gives us a picture in a way that we’ve never had before, so that we can actually drive down risk to the nation at scale.

TEMPLE-RASTON: And is this sharing happening in real time, or—

EASTERLY: In real time, in a way that is responsive and transparent and value-added. And, you know, who would have thought that a tool like Slack would have been able to actually motivate real-time sharing? But having seen this from the private sector before, where we didn’t have this kind of real-time—it was much more episodic, much more ad hoc, go visit your FBI bureau once a month. And now we’re in the same sharing channels, putting that picture together, doing the analysis of it, and ensuring that we can create that picture in a much more proactive way.

NAKASONE: I think another thing that I would just add to that, Dina, is I think we’ve gotten very good with our competitive advantages as well. What’s the competitive advantage of the National Security Agency? We do foreign intelligence, and we have a very, very technical workforce. What’s the competitive advantage of U.S. Cyber Command? We have a lot of capacity and we have experience doing these type of operations. And then, I think, really credit to what has gone on, is I think we’ve also figured out—if you’re going to operate in this space, we’ve got to operate in a manner that can share rapidly.

So that means, for the most part, it has to be unclassified. And we’ve looked at this really hard in terms of, you know, either we’re—I think gotten much better at sanitizing the information, because it’s not necessarily, you know, what the information is saying, a lot of times. For us, it’s where it’s coming from, right? And so that’s what we are looking at really hard. And I think, you know, Jen can talk to this as well, these cybersecurity advisories that go out and says, hey, this is what our adversaries are doing against us, you know, you’re an IT administrator out there and you get word from CISA or NSA or FBI saying, hey, these are the top twenty vulnerabilities. You should fix these first. We think that’s powerful.

TEMPLE-RASTON: And does that change the adversary’s behavior? Can you see that?

NAKASONE: We have a learning adversary, certainly. But, you know, I think that we’re a believer in—and not to speak for you, Jen—but I think that we look, first of all, in saying: Hey, let’s eliminate all the low-hanging fruit that our adversaries are coming after us. And so if you start taking a look at what we’re going after, fix these twenty things. Start with that.

EASTERLY: Yeah. I mean, it is about creating friction to the adversaries, at the end of the day. I think it’s a really—you talked about the product that we just put out. And I think it’s a great thing that we are multi-sealing almost everything, because it shows the coherence of the U.S. government. Not NSA, FBI, CISA coming at you in different signaling. And so I think that’s one of the best things that we’ve worked on over the past year. But I think it’s worth pausing on that. We were talking about CVEs. Who knows what CVEs are, because it’s nerd-speak. But it’s just essentially common vulnerabilities in software.

All software has vulnerabilities. But the truth is, even though our adversaries are highly resourced, highly sophisticated, they go after the same common vulnerabilities that have been out there for a while that are just not patched. And so it’s not like they’re using very sophisticated zero-days to go after our infrastructure. And that’s why we have this agency. We can actually raise the bar. That’s what Shields Up was all about. Here are the things that you can do to mitigate risk on your network. And a lot of it is the basics of patching those vulnerabilities that we know have been exploited by nation-state adversaries.

 TEMPLE-RASTON: So Ukrainian intelligence warned of Russian cyberattacks targeting local partner energy sectors. Is that something you’ve been seeing as well? And how do you assess the risk to the energy sector since winter is coming, to use that term?

EASTERLY: Winter is coming. Yes, well done. (Laughter.) You know, let me just say a couple things and Paul can weigh in here. One, I give a lot of credit to the intel community in terms of their ability to help us understand that threat environment. A lot of that intel was also—we could share it with all of our partners. Some of it was declassified to enable us to really have warning—early warning. And I think that was a game-changer, frankly, in terms of getting people prepared. And that’s what we did. We worked with all of the critical infrastructure sectors, all of them.

Now, we know the Russian playbook: malicious cyber activity. They have gone after energy. Certainly, that’s one of the reasons why I think the Ukrainians have done so well, because they’ve been the cyber sandbox for the past ten years, and it’s enabled them to get better, get more resilient, build their defense. And I think it’s a great new story because so can we. But we said we were very concerned about attacks against the energy sector. And we’ve been working very closely with the energy sector.

Look, I know it’s been about eleven months now, but we are not at a place where we should be putting our shields down. The environment is very difficult. The Russians are very unpredictable. Their back is up against the wall. We’ve seen these horrific kinetic attacks against civilian infrastructure. And we may be seeing a lot worse coming. So we need to ensure that we are prepared for threats, for incursions against our critical infrastructure—whether it’s state-supported actors, criminally aligned ransomware groups, or even the cascading attacks with attacks in Ukraine that could bleed over to Russia or could bleed over the U.S. As we saw, NotPetya in 2017. So I continue to say, we have to be vigilant. We have to keep our shields up.

TEMPLE-RASTON: Go ahead.

NAKASONE: Please.

TEMPLE-RASTON: Have we had close calls? (Laughter.)

EASTERLY: So I think we’ve seen, certainly from what we get from our critical infrastructure partners, we have seen an uptick in things like reconnaissance and scanning—

NAKASONE: We see scanning all the time. I mean, just to—

EASTERLY: All the time—

NAKASONE: All the time. We are looking and seeing scanning. This is why this campaign against malware, I think, is so important. Being able to stay ahead of the adversary. What are they using? If they’re using that, let’s share with a series of, you know, cybersecurity firms, to have them rip it apart and see if they can attribute it. And then if they can attribute it, or even if they can’t, let’s go ahead and publish it, because suddenly, you know, then it’s signatured across the entire internet.

TEMPLE-RASTON: So is the classified part the who did it, the whodunit part it, as opposed to what it is? So do you—what is it that you’re declassifying? The malware itself, or—when you talk about declassifying—

NAKASONE: A lot of times it’s how we obtain the information.

TEMPLE-RASTON: I see.

NAKASONE: And so again, to my point, I think what we have done across the intelligence community—and I think done very, very well—is to take a look at are there other ways that this information could be obtained? And if it is, you know, is it really necessary to—you know, to classify it as such.

TEMPLE-RASTON: I see. So sources and methods are put aside, but, here, you can find this on this—

NAKASONE: So we’re always—exactly. So we’re always very concerned about sources and methods. But then take a look at, you know, how else could this obtained?

TEMPLE-RASTON: Got it. So, Jen, yesterday there was a series of denial-of-service attacks.

EASTERLY: There was?

TEMPLE-RASTON: There were. (Laughter.) I know you know about it. Against U.S. airports—LAX, Atlanta, Chicago. And just to be clear, these DDoS attacks were just against public websites. They didn’t take down any airports. But you can’t help but notice the timing of it was quite interesting. Just as there was a barrage in Kyiv, there was this DDoS attack. How can you tell if a series of attacks are part of a broader campaign, say, given what’s happening in Kyiv? And should we be concerned about Russian escalation? And what form do you expect it to take?

EASTERLY: Yeah, I mean, as I was just saying, I think we should remain very concerned, very vigilant about potential attacks on U.S. critical infrastructure. The distributed denial-of-service attacks were a nuisance, at best. We were in touch with our state and local colleagues last week. We were in touch with the airports over the weekend. Yes, there were some website defacements, but at the end of the day there were no operational impacts. And that’s the important thing. Nothing that impacted the critical services or the airports. And so I want to be careful about not overblowing this. There were some inflammatory headlines that hit the papers over the weekend.

But I do believe that we need to, again, be very vigilant because this could be the leading edge of other types of attacks. But we are in a very sensitive place right now where we could see deliberate attacks in terms of retaliation on our critical infrastructure. We could see ransomware on our critical infrastructure, and we could see cascading attacks from Ukraine that affect other things. And just to put a point on it, when people say things like critical infrastructure, it’s almost that nerd-speak thing we were talking about, because it sounds like, oh, infrastructure, that’s something that other people worry about. But all it is, it’s how we get gas at the pump, and water, and food at the grocery store, and money from the bank.

These are the systems and networks and data that underpin our lives. And so this is what is at risk. This is what is vulnerable, because we are all connected in this technology ecosphere. And so we absolutely need to continue to be very vigilant.

NAKASONE: So, Dina, I think on top of that what I would say is it’s—you know, also this discussion that you’re having with the National Security Agency and other elements of our IC, and the broader international partners to say: Are you seeing something here that is unique? Is this something that is a leading indicator? Is it the edge? Who is doing this? Who are the actors? Is there an MO that we’re seeing here that’s been traditional? These are things that we work very, very carefully with in terms of looking at all sixteen sectors of our critical infrastructure. But to Jen’s point too, it’s also what’s the public sector saying? What’s private sector saying? What are the things that we are, you know, seeing in terms of trends across a number of different countries that give us a—you know, sometimes a head start.

TEMPLE-RASTON: Got it. So let me shift gears a little bit and talk about the midterm elections. Can you talk about what you’re seeing? Has the playbook changed? Or is it sort of the same—is it a bit retreading?

NAKASONE: I’ll start, and why don’t you jump in.

TEMPLE-RASTON: Go for it.

NAKASONE: OK. So, for us, this is our third election, 2018, 2020, and now the 2022 elections. We are seeing obviously a number of different actors that continue to operate in terms of influence. We are seeing no significant indications of, you know, attacks that are being planned right now. But this is, again, for us a matter of vigilance. Much in the same way Jen talked about our critical infrastructure, elections are our critical infrastructure.

So how have we organized ourselves? Well, first of all, we’ve organized ourselves as part of a broader whole-of-nation campaign. Our responsibilities? Let’s generate insights. And then let’s share that insight with CISA, FBI, others that can really utilize that insight here in the United States. And the last thing is, how do we act? You know, how do we inform? How do we act, if necessary, against a broad range of adversaries that might be either having the capabilities or the intent to interfere with our elections?

TEMPLE-RASTON: Can you give us an idea—and then I’ll let you go, Jen—about one of these insights that you’ve come up with?

NAKASONE: Well, so one of the insights, obviously, is we have sent a number of Hunt Forward teams across very select countries to look at what our adversaries might be doing. What are the tradecraft that they might be employing against folks that we have seen operate before? And what we are doing then is taking that back and saying: Hey, is there anything different here? Have we seen any new tools? Is there any new tradecraft they might be utilizing? Are there new operational places that they’re, you know, running out of?

TEMPLE-RASTON: And the answer to that is?

NAKASONE: So not yet. But again, that’s—you know, so we still have twenty-nine days till election. And so every single day is a day that we’re very, very focused on this.

TEMPLE-RASTON: Right. Jen, did you want to speak to that too?

EASTERLY: Yeah. Well, not to that exactly. (Laughter.) I would defer to the director of NSA on what we’re seeing across red space. But, look, Paul mentioned elections are critical infrastructure. They were designated in 2017. We serve as what’s called the sector risk management agency, which means we work with state and local election officials—remember, the federal government does not run elections. It’s all run and administered by state and local. And, you know, frankly, I think it is a much more difficult and complex threat landscape than we have ever seen. Of course, there are cybersecurity threats from nation-states and cyber criminals. There’s insider threats from people who have access, or had access, to sensitive data and systems. There’s physical threats—which is pretty horrific when you think about these—physical threats to election officials and election infrastructure. And then threats of disinformation, right? Very, very difficult environment.

So we’re working with all our partners, to include NSA, and CYBERCOM, and FBI, and local law enforcement, to make sure that state and local election officials have the resources, the tools, the capabilities, the information they need to be able to run safe and secure elections. But I will say, in this environment, it is particularly difficult, given the disinformation piece. I think that’s something that’s changed pretty significantly since 2020. And it’s because—

TEMPLE-RASTON: It’s better now? It’s more sophisticated? How do you mean it’s changed?

EASTERLY: Better, yeah.

TEMPLE-RASTON: It’s better.

EASTERLY: I think, you know, because there’s a significant portion of the American public—not a significant—some portion that does not believe in the legitimacy of the 2020 election, despite the fact that there is no evidence, based on recounts and audits, that any voting system was changed, or altered, or deleted votes, or suffered any sort of compromise. No evidence, based on all of the paper ballots that existed in a close election, no evidence of any significant fraud. And so this is really, really important that we recognize that we absolutely have to focus on ensuring that state and local election officials have the information that they need so that Americans go to the ballot box and have confidence when they—when they have their vote.

NAKASONE: So I would add the foreign influence piece to this. And this is—this is where I’m sorry that Chris Wray can’t be with us, because the Foreign Influence Task Force, the FITF, that has, you know, really done—this is their third election as well. They do incredible work in terms of taking the insights that we are able to garner from outside the United States, and then being able to work with a series of U.S. social media providers to say, hey, looks like these folks here are violating these terms of service. This is a very, very powerful element in terms of being able to get after that foreign influence piece.

TEMPLE-RASTON: When Meta came out with—Facebook Meta—came out, I think, just in recent weeks about an influence campaign that they saw on the part of the Chinese. It seemed a bit remedial, but at the same time influence on the part of the Chinese. Was that a shocker to you?

NAKASONE: I’m not shocked by any nation that is looking to, you know, conduct influence operations against the United States, particularly our adversaries. I mean, that’s just—I think that’s the way that business is being conducted by our adversaries today. They see an opportunity. They see a series of issues that—you know, that they think are divisive, that they can feed into. They see platforms that can be able to message this at a pretty low cost.

TEMPLE-RASTON: Right. And not—and not that difficult to do, in terms of they don’t need to use zero days to do it. They don’t have to burn much of anything.

NAKASONE: Correct.

EASTERLY: But that’s why we have to be making it harder on them. And that’s what I think the collaboration that we’re trying to forge across the federal government with our industry partners, with our state and local partners, with our international partners, with academia, with the research community, that’s the only way we’re going to be able to come together and recognize collectively driving down risk to the nation. It’s really—when you think about using all of the tools, we have tools offensively, we have tools based on entanglement and norms. But the only thing that we really have agency over is our own technology ecosystem. And so we have to ensure that we are protecting our critical infrastructure that Americans rely on every hour of every day, and driving down that risk.

TEMPLE-RASTON: So let me ask a quick China question, because we’re here at the Council on Foreign Relations. And that is, to you, Jen, what specific measures have you directed CISA to take to address Chinese espionage either against government agencies or, as we were talking before, against infrastructure?

EASTERLY: Yeah. So our mission is to lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure. So we are not discriminating against one nation-state adversary or one cybercriminal. In fact, we don’t do attribution. Now, we do have a lot of insight, working with our partners, in terms of nation-state capabilities. Paul and I and the FBI just put out this product last week about twenty most commonly exploited vulnerabilities by China. But we’re really focused across the board, even with our intentional focus on Russia right now. We sort of see Russia as the very urgent threat. Almost, Russia’s the hurricane, China is the climate change.

And so what I do this really important to pause on, Dina, is to think about where we’re going to be in the next ten, fifteen years if we don’t make the right investments in technology, and human capital, and intellectual capital. We just started with 52 billion (dollars) in the CHIPS Act. Because if we don’t, I really fear that we and the rest of likeminded nations in the West are going to lose that battle for technological innovation, whether that’s artificial intelligence, or 6G, or biotech, or smart cities, or a secure internet. I think we need to be very intentional about dealing with all of the challenges that we see from a very capable adversary. And it’s less about the asymmetry of capability, more about the asymmetry of values, because our values are very, very different.

NAKASONE: And so I think the foundational piece of what Jen is just talking about is really this foundation of cybersecurity. I mean, this is what our department has learned again, as we move forward with our National Defense Strategy, you know, how do we have deterrence by denial? We have that based upon really good encryption. Where does that really good encryption come from? It comes from the National Security Agency. Type-one encryption, that ensures that, you know, our most sensitive communications, our weapons platforms, operate and they operate securely. And so, again, what we are doing here I think is, you know, as we think about the future, as we think about, you know, the pacing challenge of China, how do we ensure that our weapons, our data, our networks are secure?

TEMPLE-RASTON: Got it. So let me just quickly ask, General Nakasone, the record reported that General Dunford was doing a review of the dual hat. We talked—I was talking to Jen about this earlier. We talk about dual hat all the time. Dual hat, meaning CYBERCOM and NSA. Have you talked to General Dunford? Is this dual hat analysis different from what we’ve done in the past? It just seems like it comes up a lot.

NAKASONE: So, again, we, as a department and the Director of National Intelligence, are looking at, you know, the structure of, you know, is it—is it in the best interests of the nation to have one person lead both U.S. Cyber Command and the National Security Agency? General Dunford, has been around to talk to a number of different folks. I have been able to talk to the committee and so have had an opportunity to share my views.

TEMPLE-RASTON: And has anything changed? We seem to have this conversation about dual hat a lot.

NAKASONE: Well, you know, I think that, you know, I would just offer, from my perspective as the person that holds those jobs today, is that I see the tremendous value in being able to operate at speed, being able to operate with agility, and being able to operate with unity of effort, with one person that’s leading both those agencies. But at the—you know, at the end of the day this will be a decision, obviously, that the policymakers will decide on.

TEMPLE-RASTON: OK. So we’d like to go to questions from the CFR members. And I’d like to invite you to join our conversation. Just want to remind everyone that the meeting is on the record. And please just raise your hand. I’ll recognize you, and then somebody will come with a microphone. And if you can identify yourself and ask a question.

This gentleman here.

Q: Thanks so much. Julian Barnes, New York Times.

I wanted to ask you—we saw over the weekend kinetic strikes by Russia against Ukrainian critical infrastructure. Some power plants and some—as well as just sort of terror strikes. We did not see overall in this war really effective cyberweapons by Russia. And I wonder what your big takeaways are about this first war of kind of near-peer cyber powers. Both Ukraine and Russia are capable cyber actors. And what lessons for your command and your office are you taking away from this war? Are cyberweapons overhyped? Is this more of a niche capability? Is this more of a temporary affect? Your thoughts.

NAKASONE: Thanks, Julian. Three thoughts.

So I think, first of all, presence matters. I talked a little bit about the presence of a Hunt Forward team in Kyiv as the—as the crisis was unfolding. Again, being able to be there and understanding what’s going on on the ground, because you will recall that there were a number of destructive attacks that take place in January. The actual satellite communications capability in Ukraine comes down in February. Being able to understand the tradecraft from an adversary, presence matters. You know, real presence matters.

Second thing is, is that I have learned that partnerships are exponentially powerful in this domain. The private sector, when they can reach 400 million, 1.5 billion endpoints; when you can utilize and work with the private sector to share information, indicators of compromise, those type of things; suddenly, you, as I was speaking earlier, inoculate tremendous amounts of, you know, surface attack area that no longer is there.

And then the final piece is I think the work that the intelligence community did in terms of being able to publicly release some information, as Jen said, built a coalition, disrupted an adversary, enabled a partner.

That’s what I’ve learned.

TEMPLE-RASTON: The gentlemen in the front in the striped shirt. Identify yourself, please.

Q: Hi. My name is Harvey Rishikof. I’m with the American Bar Association.

I guess—you guys are doing an amazing job, and one of the issues from the legal perspective is general counsels are concerned about sharing information, as you both know, and a lot of them would like to see some remedies in indemnification issues, which has come up a great deal over the last decade. And I’m curious about your sense of do you think you have enough tools in the toolbox to get the information you need.

We have entities such as the clouds, which we know have unbelievable amounts of information. But their sharing is not as good as we would like, I think, for many of us who work in this space.

I’d like to hear your—both your thoughts—and if you could whisper into the Congress’ ear, are there any other additional authorities or indemnifications you both would like to see.

EASTERLY: Yeah. Well, a couple of things.

So, you know, we’re not a regulator. We’re not a law enforcement agency. We’re not an intelligence agency. We are entirely a voluntary partnership agency, and the magic of CISA is really predicated on creating trusted partnerships with all of our stakeholders, whether that’s the private sector or our international partners or our federal partners, and I have been incredibly impressed over the last year by the partnerships we have forged with the cloud service providers, the ISPs, the backbone infrastructure, the cybersecurity vendors, in terms of sharing information that they realize is critical to driving down risk to the nation in real time.

I had not seen that before in government or in the private sector. So on a voluntary basis to include what we asked for in Shields Up, which is to lower those thresholds, we’ve gotten an incredible picture that’s been enriched by what we get from Paul, what we get from international partners.

All that said, I think if you’d asked me this question a year ago I would have said we need a cyber incident reporting legislation. So we were very happy to be able to get that in March and we’ve been working closely with all of our partners. We just issued a request for information. We have listening sessions. All my time spent at the NSA was good for listening. (Laughter.)

And so anyway—so we are really trying to be consultative, transparent, and, for me, what’s really important, based on my time at Morgan Stanley, is we look to harmonize these burdens on the private sector, because if you’re an incident responder under duress you want to be able to provide information that’s needed to protect the larger sector but also to really understand what’s happening, and I don’t want to put that burden on them nor do I want to be burdened with erroneous noise.

Now, all that said, I don’t think at this point in time we need additional authorities. As you know, in CISA 2015 we received the most expansive information-sharing authorities that provides liability protection. The question is—and we don’t share it with regulators, by the way. We do share it with the FBI because, of course, they want to pursue cases. They want to do investigations.

But in terms of indemnification, I don’t think we’re necessarily there yet in terms of making a strong argument on the Hill because there are still a lot of companies that are getting breached based on the fact that they are not doing the right things to protect their networks like patching known vulnerabilities.

And so I think it’s very hard to necessarily make that strong argument that you should be indemnified from a reputational or a regulatory perspective if you provide information on an incident.

NAKASONE: So, Harvey, I think I would offer that, from my perspective, the department has provided Cyber Command and NSA with a tremendous amount of authorities—first of all, the DIB delegation in terms of our being able to operate with the defense industrial base.

The second is, you know, the idea that, you know, the recent NDAA decisions in terms of being able to share more broadly with a series of different companies that have to do with our foreign adversaries has helped us immensely. So I have nothing that in my mind right now says I need to have further authorities.

I would offer that we do have a lot of ideas and a lot of lawyers still at the agency and the Command, though.

TEMPLE-RASTON: And there used to be—during the public-private partnerships there used to be a real issue about private companies not wanting to share things that they thought was competitive—that their competitors might be able to use.

How have you gotten over that?

EASTERLY: Yeah.

So, look, I mean, at the end of the day, we do two things with this information. We render assistance if a victim needs our assistance. Sometimes a big company can go to an IR provider. But most importantly, this information is not used to name, to shame, to kill anybody’s reputation, or to stab the wounded.

This is, really, all about using that information to protect the larger sector and to get a whole—to get ahead of other victims and I think, increasingly, as we talk about, you know, cybersecurity becoming a kitchen table issue because ransomware is now, sadly, a kitchen table issue, I think people get that.

I think they get that that information, just as in a neighborhood watch where, you know, your neighbor gets robbed you’d want to know that so you can actually be prepared, I think it’s everybody realizes we are all in this together.

And so there’s not a competitive nature. There wasn’t—at Morgan Stanley we were highly competitive with JPMorgan and Wells and Bank of America on people and on business.

We were not at all competitive on security because we realize this was about protecting this sector, protecting the national security of the U.S.

NAKASONE: Here’s the interesting thing, too, as Jen was mentioning slack channels.

So we have over two hundred and fifty companies that come in to our cyberspace collaboration center outside of the—you know, the wires of NSA at an unclassified level to have a conversation, and I think the important piece to emphasize here is it’s a two-way conversation, right.

It’s not as though we’re throwing information. Here, here’s a bunch of stuff. Take a look at—it’s, hey, what are you seeing? What are the latest trends? What are the tradecraft they’re utilizing? This give and take is really important to build, first of all, insight and situational awareness and, secondly, credibility. That’s the big change for us.

TEMPLE-RASTON: The gentleman over there in the red tie. second row.

Q: Thank you. Sam Visner with the Space Information Sharing and Analysis Center.

First, I want to compliment both Director Easterly and General Nakasone. Some of us have argued for many years that the private sector has a bigger attack surface and there’s a lot of information to be gleaned and, in essence, the balance of trade should be moving in terms of getting information from the private sector. And we are seeing a—slowly but surely the corner is being turned in terms of the federal government receiving and making good use of that information and sharing some of that and sharing its own information back.

My question is for Director Easterly. Would you be possible—would it be possible for you to comment on the status of the discussion about taking our critical infrastructure sectors and beginning to consolidate them into what are called systematically important critical infrastructure, or SICI? Thank you.

EASTERLY: Yeah. So thanks so much for the question.

So let me just put it in two parts, right. We have sixteen critical infrastructure sectors, some subsectors. Every critical infrastructure sector has a sector risk management agency, so Paul for the DIB, Treasury for finance, Energy for energy. We serve as the SRMA for eight sectors, meaning that we work closely to provide information, to help assess risk, to respond as necessary.

But we play a really important role in statute, which is the national coordinator for critical infrastructure resilience and security, and what that is a recognition of is, like, frankly, you can’t just worry about one sector. We could spend $4 billion in technology at Morgan Stanley, but if the telcos went down or if we didn’t have power it didn’t matter.

And so we think of things as functions—national critical functions—and we published a list of fifty-five and I think we really have to think about how you coordinate across sectors.

Now, within the thousands of, frankly, critical infrastructure sectors that go down to K through twelve schools, small hospitals, water facilities, there are those that are systemically important entities.

There was some discussion about whether there needed to be legislation. The Cyberspace Solarium Commission did some terrific work except they called it SICI, which is, like, a terrible acronym for anything. (Laughter.) So we changed it to systemically important entities and, regardless of legislation, we’re actually defining those in concert with our critical infrastructure partners.

Now, those are—the critical infrastructure that is so vital to our national security, our economic prosperity, and our public health and safety, that corruption, disruption, destruction would actually have a significant impact on the U.S.

So we are doing exactly that and, you know, I’m sure we’ll be working with the Space ISAC. So look forward to having those discussions.

Q: Thank you.

TEMPLE-RASTON: So at DEFCON this year they actually hacked into a console of a John Deere tractor—

EASTERLY: Yeah. It’s fantastic. (Laughter.)

TEMPLE-RASTON: —and put a game of Doom on it. Is a tractor critical infrastructure?

EASTERLY: Yeah, John Deere, part of critical manufacturing. Absolutely. Absolutely.

I mean, you’d be surprised. There’s not much that’s not critical infrastructure, frankly.

TEMPLE-RASTON: Well, if all the tractors went down at once it’d be—

EASTERLY: A disaster. Yeah.

TEMPLE-RASTON: —you couldn’t, yeah—(inaudible).

The gentleman in the front row with the green tie.

Q: Thank you. Alan Raul, Sidley Austin.

Director Easterly, you mentioned you’re not a regulator and, of course, General Nakasone of NSA is not a regulator, but there are regulators out there. And while you don’t stab the wounded, the regulators often are in the business of stabbing the wounded, or so it seems.

They’ve become very prominent players in the cybersecurity field. They’ve set standards. They require public disclosure frequently and reporting, and they’re not always consonant with the confidential relationships that the NSA has, that the FBI has, that CISA and other cybersecurity players that you collaborate with have.

So you’ve got the new statute that you mentioned, the Cyber Incident Reporting for Critical Infrastructure Act with certain deadlines that you’re going to set and standards and so on.

But the Securities and Exchange Commission, the Federal Trade Commission, the state attorneys general, the New York Department of Financial Services, and many others set standards. They require public reporting.

Is there any collaboration that is—would be valuable or harmonization that would be valuable with all of these other agencies that are also setting standards, trying to help but sometimes stabbing the wounded?

EASTERLY: Yeah. Thanks, Alan.

So I think it’s absolutely imperative that we look to harmonize all of the legislation that’s being put in place, certainly, first and foremost, from a cyber incident reporting perspective.

But there’s other types of regulation that’s been leaned into over the past year with respect to TSA, for example, on the security directives, and, of course, we’re both aware of some of the FCC rules that are going on.

One of the good innovations of CIRCIA, as we call it—from our Irish background—is the fact that we had to set up the Cyber Incident Reporting Council and the whole point of that—it’s actually led by the secretary of DHS.

It includes most of the federal agencies and all of those regulators that are relevant, and the whole point is to harmonize our ability to prevent the burden that gets placed on the private sector from asking similar questions but slightly differently with different standards, and so I think that’s really where our focus is.

Now, in terms of, you know, regulatory penalties and all that, that will—that’s—you know, I’ll set that aside. But we are really working hard to make sure that what we are asking of the private sector from various parts of the U.S. government is, in fact, consonant and harmonized so we’re not placing that burden.

TEMPLE-RASTON: Person way in the back, please.

Q: Hello. Melissa Bert from the Coast Guard, and great to see you both here. Thank you for coming to speak with this group.

What I’m interested in is Director Easterly’s perspective on—we talk a lot about prevention and sharing information and that type of thing. But in terms of response on U.S. soil, are we completely reliant upon whoever it is that has the infrastructure? Or it seems like we sort of find out about—like, Colonial Pipeline, we find out about things much later.

Do we have—are you building capability to know if people are adhering to any of these reporting standards?

EASTERLY: Yeah. So I mean, it’s all part of this paradigm shift, frankly.

We’ve been talking about public-private partnerships for decades and I think the term is pretty hackneyed at this point in time. And so what we’ve been trying to do at CISA and, frankly, working very closely with all of our partners is to transform this whole idea of partnership into real-time operational collaboration.

So we are getting those insights so we can take those dots, connect those dots, and drive down risk to the nation at scale, and from what I’ve seen over the past year—and this is not with legislation in place yet. We’re still working through the rulemaking process. This is in a voluntary way.

Take Log4Shell, for example, where we led the federal response working with all of our partners. Terrific collaboration with the technology and with researchers that gave us amazing insights into what they saw across the ecosystem. Take all the points—

TEMPLE-RASTON: Could you explain what that is? I don’t know that everybody understands Log4j, necessarily.

EASTERLY: Yeah. Nerd-speak. I’m sorry. I said I wasn’t going to do that.

So Log4j, Log4Shell, is, essentially, a very serious vulnerability in open source software that was incredibly ubiquitous, easy to exploit, and, thus, was very, very serious. And so when that was revealed in December we, essentially, marshaled the federal government—we were very worried about incursions on federal-civilian networks, as I’m sure you were on the DODIN—to work together to ensure we were putting out authoritative guidance of how do you find this vulnerability and how do you mitigate it.

And so it was the—sharing that information. I think part of this is, really, a shift in terms of our approach. We’re really trying to approach things with humility and gratitude, and those are not words that you hear a lot in government. I know you use those words quite a bit, frankly. It’s things that I learned from working together with Paul over many decades.

But to be transparent, to be value added, to be responsive, to take feedback, to use what we get from the private sector and to actually enrich it and make it good for the rest of the sectors is really a different type of approach that we’re trying to effect here and I think we are starting to see some real positive impact from it.

NAKASONE: So, Admiral, if I might. And, certainly, the domain and the—you know, the domestic space is not where we operate. But I think what your question really points to is how do we achieve a level of agility to be able to address a number of different threats that we may or may not be able to predict in the future.

Ransomware is a really good example, right, in terms of how do we focus our efforts and how do we get greater agility. In my mind, agility and greater agility come from really good partnerships, comes from exceptional intelligence, comes from being able to operate with, you know, private sector partners.

Those are all the things, I think, that really are very important for us to be able to think about because we’re not going to be able to predict every single threat. It just isn’t going to happen. But what we can do is figure out what are the agile means upon which we can address any threat.

TEMPLE-RASTON: And ransomware is borderless. So if it works in one place it’ll work in another. So there’s a reason to share for that reason.

NAKASONE: Exactly.

TEMPLE-RASTON: The gentleman in the middle there with the beard.

Q: Hi. Doug Ollivant from New America.

I think it’s safe to say that on the kinetic side since—am I on?

Am I good now? Now?

TEMPLE-RASTON: Yes.

Q: Hi. Doug Ollivant from New America.

I think it’s safe to say that since February, on the kinetic side we’ve been very surprised by what we’ve learned about Russian capabilities at the tactical and operational level.

In your realm, you know, acknowledging that, you know, and February wasn’t a binary switch for you, is there something new that you’ve been surprised by, that you’ve learned, or in your world was March of ’22 not significantly different from January of ’22?

EASTERLY: It’s for both of us?

Q: Sure.

EASTERLY: Yeah. I mean, what I’ll say is I think we were surprised that the Ukrainians were able to withstand the cyberattacks that they dealt with.

You know, obviously, we’ve been very riveted on the horrific kinetic attacks, you know, that have, really, been criminal in nature, quite frankly, going after civilian infrastructure and civilian targets, and I think in many ways they have overshadowed the cyber activity that occurred against government networks, against critical infrastructure, against the VSAT networks.

But I’ve been incredibly impressed. We were talking about our friend, Viktor Zhora from SSSCIP, of the resilience—

TEMPLE-RASTON: Basically, the CISA of Ukraine.

EASTERLY: —capability—yeah, essentially, the Ukraine cyber defense folks—on their capability to withstand the attacks. And I think it’s a great news story in terms of your ability to learn because, of course, you know, they were the victim of many of these attacks.

And the other great thing that I’ve seen is, really, the power of international partnerships. We’ve been working with the Ukrainian Computer Emergency Response Team known as CERT because we serve as US-CERT, but our partners from Latvia, Estonia, Lithuania, Poland, the Czech Republic, in a fantastic sharing platform to, essentially, get ahead of potential cyber activity, and I think that’s also something that has helped given us insight about what could, potentially, happen here but help us drive down risk to, essentially, a borderless global cyberspace.

NAKASONE: A lot of times in the department we’ll talk about imposing cost, right. We’ll say, we’re going to impose cost on our adversaries. I think the thing that I’ve learned over the past several months is how different we can define impose cost.

Several years ago, Dina showed up at Fort Meade to do an interview with me. In fact, it was early on in my tenure, and I think about all the security folks about passed out having a reporter in the conference room. (Laughter.) But nonetheless, we talked about imposing cost against ISIS, as you recall. And I said, hey, we did all these operations and they were, for the most part, offensive cyber operations. And I think what I would share with you is that what we’ve learned over the past several months is, wow, the power of State and Treasury and Justice and Energy, and then being able to release information—oh, by the way, the private sector in terms of what we’re seeing that impact having on our adversary.

That’s a lesson learned for me that’s, like, really powerful to think about adversaries in the future—how am I going to be able to bring that type of action with a number of really important partners and synchronize it in terms of when we need it. We’ve learned a lot on that.

TEMPLE-RASTON: If I can build on Doug’s question for just a second.

One of the things that we heard from Ukrainian CERT that they were surprised about was that they get the sense that Russians are really good at planning long-term cyber operations that are very complicated and everything else but they’re not awesome at turning on a dime and coming up with something creative and that that has been part of the problem.

Can you guys comment about that?

NAKASONE: So I can’t talk about the Russians. I can talk about us. (Laughter.)

I know we are very good at that and that is our strength and that’s—

TEMPLE-RASTON: As opposed to—

NAKASONE: Well, I mean, again, so this is—you know, how do you judge your success? You judge your success in staying ahead of your adversary.

TEMPLE-RASTON: Right.

NAKASONE: That’s something we do very, very well at the agency and the command in trying to figure out the next axis, the next tool, the next operation. So if that’s—

TEMPLE-RASTON: Were you surprised by how much more creative you are than maybe (an adversary ?)? (Laughter.)

NAKASONE: Personally, not me. I would say that, you know, what I am always very, very appreciative of is the creativity of those that I get to work with. Yes.

TEMPLE-RASTON: Jen, do you want to talk about that?

EASTERLY: No. I mean, I think we feel the same about our workforce—you know, CISA’s workforce at NSA and CYBERCOM.

At the end of the day, it’s all about the talent of the people who are doing these operations, whether it’s the defenders or the folks who are working intel or doing the hunt forward missions, and, you know, that’s where the creativity lies and that’s what’s going to enable us to be successful in protecting the nation.

TEMPLE-RASTON: In the orange shirt.

Q: Nancy Gallagher from the University of Maryland.

I want to go back to some of the comments you made about protecting elections and the fact that there’s, you know, lots of ongoing influence operations and reasons to worry about exploitative or disruptive attacks, even if we’re not seeing current evidence of that happening.

And I’m wondering, in your information-sharing model how does it work when some of the threat actors you worry about are foreign and some of them are domestic, and some of the people who are sharing information are mandated not to collect and share information about domestic players and others have business reasons to not necessarily want to share that information—the sort of privacy information about customers.

NAKASONE: So I can speak for my authorities, which, obviously, are outside the United States and being able to focus on what our adversaries are doing there and the type of tradecraft and activities that they’re planning to do.

I mean, we see that rapidly. We see what their intent is a lot of times and then being able to share that with—you know, FBI and the Foreign Influence Task Force is so critical for us. In terms of the domestic piece, I would have to, obviously, defer to those that have those authorities.

But, again, we have not had an issue with being able to identify a number of the activities outside the United States, particularly as we talk with our partners, because it’s not just the United States that is facing, you know, influence and interference attempts by adversaries against their democratic processes.

This is something we’re seeing across the free peoples. And so being able to share that information is the key piece.

EASTERLY: Yeah. And from our perspective, I’d say two things.

First, we work very hard to be able to provide accurate information about election literacy. So if you go to our rumor control or our rumor versus reality page, some really important information about the security of absentee ballots, about drop box, about vulnerabilities on election infrastructure.

So we make that available to state and local officials and they can use that information, and we really amplify their voices as the trusted voices in communities. Shocker—the federal government is not always considered a trusted voice and we don’t run or administer elections.

So really ensuring that our partners have the tools that they need to deal with physical threats, cyber threats, insider threats, and misinformation and disinformation, is what we do and we work very closely with what’s called the EIISAC, the Election Infrastructure Information Sharing and Analysis Center, and that really is the hub for information shared across all of the states to get out to state and local election officials down to the county level.

TEMPLE-RASTON: Up front here. There we go.

Q: This is a question for both of you. Thank you.

TEMPLE-RASTON: Could you—sorry, could identify—

Q: I’m Tarah Wheeler from the Council on Foreign Relations.

The first attack I’m thinking of when I think about the sharing of information is NotPetya in 2017. The question I would have, especially for General Nakasone but, certainly, please, Director Easterly as well, is this.

You’re sharing information now horizontally. How do you share this information over time? We know that the 2017 NotPetya attack was an attack by Russia on Ukraine very specifically, and I think we in the cybersecurity community have seen this as an ongoing attack over time.

How, through changes of administration and through changes of personnel, have you built this long-term knowledge of how to cope with an ongoing and persistent threat from Russia to Ukraine and other conflicts that have existed and, certainly, started with massive cyberattacks?

NAKASONE: One of the things that we did in 2019 was realized that our agency wasn’t structured to be able to get after our two major missions, one of them being foreign intelligence, the other being cybersecurity.

So, from that, we stood up a cyberspace collaboration center. Why is that important? Because we’re outside the confines of the National Security Agency. So being able to go there, actually being able to have conversations, actually have engagements at the unclassified level. Incredibly important.

It also is the ability for us to continue that dialogue, you know, just not episodically but over a period of time with a number of experts, to take a look and see what are the trends, what are the anomalies, what are the things that we have to be most concerned about.

And then on top of that is then how do we amplify that with a series of partners when we do become concerned? You know, how do we bring in the FBI, how do we bring in CISA, and then how do we bring in the private sector? That’s the way that I think we would address it.

Jen?

EASTERLY: I mean, I’d say, look, I think your question is really important to think about sustainability because, you know, life is a contact sport and personalities matter and it matters that, you know, we’ve been friends for decades.

But getting those institutions in place and institutions that, frankly, are learning institutions and growth mindsets, and that’s really what we’re trying to build. You did some great work around WannaCry in 2017 and, of course, NotPetya. Those are two major events that I experienced from the private sector when I was at Morgan Stanley.

I would say the most important thing over the last five years in cyber is the establishment of the Cybersecurity and Infrastructure Security Agency to be America’s cyber defense agency here at home to help protect critical infrastructure, state and local entities, and the American people, and I think if we’re able to build this agency to be the agency that the nation deserves as a close, trusted partner across the federal government, across industry, across state and local, across international, we will ensure that we are internalizing all of the lessons that we have learned over the last five, ten, fifteen years to enable us to secure the nation, going forward.

TEMPLE-RASTON: I’m sorry to say that we have run out of time, and this always happens.

Thank you so much for joining today’s meeting and please join me in giving General Nakasone and Director Easterly a warm CFR welcome. (Applause.)

(END)

 

Top Stories on CFR

Mexico

Organized crime fuels Mexico’s election violence, plus Europe’s Southern Cone cocaine pipeline
Organized crime’s hold on local governments fuels record election violence; Europe’s cocaine pipeline shifting to the Southern Cone.

Blog Post by Shannon K. O'Neil and Will Freeman April 24, 2024 Latin America’s Moment

Defense and Security

Challenges Facing the U.S. Military, With John Barrientos and Kristen Thompson

Podcast
John Barrientos, a captain in the U.S. Navy and a visiting military fellow at CFR, and Kristen Thompson, a colonel in the U.S. Air Force and a visiting military fellow at CFR, sit down with James M. Lindsay to provide an inside view on how the U.S. military is adapting to the challenges it faces.

Podcast with James M. Lindsay, John P. Barrientos and Kristen D. Thompson April 23, 2024 The President’s Inbox

Myanmar

The Bottom Is Falling Out for Myanmar’s Junta
The Myanmar army is experiencing a rapid rise in defections and military losses, posing questions about the continued viability of the junta’s grip on power.

Blog Post by Joshua Kurlantzick April 22, 2024 Asia Unbound