TRANSCRIPT: How the US will fight cyber wars
Jen Easterly:
I worry about the next 10 years being a decisive time when we will be able to win the battle or lose the battle for technological innovation.
Ian Bremmer:
Hello and welcome to the GZERO World Podcast. This is where you'll find extended versions of my interviews on public television. I'm Ian Bremmer, and on this episode, the global cyber landscape has never seemed so dire. From Russian backed ransomware attacks against America's largest oil pipeline to the phone scammer who just won't leave you alone during dinner. We're living in a brave new world, but before you change your computer password again, I'm here to tell you that it's not all bad news. Despite the many, many threats we face, my guest today is optimistic about the state of America's cyber defenses, and she should know. Jen Easterly is director of the Cybersecurity and Infrastructure Security Agency known as CISA, the US government agency tasked with keeping our country safe from all cyber threats, foreign and domestic. Let's get to it.
Announcer:
The GZERO World Podcast is brought to you by our founding sponsor, First Republic. First Republic, a private bank and wealth management company, places clients' needs first by providing responsive, relevant, and customized solutions. Visit firstrepublic.com to learn more.
In a world upended by disruptive international events, how can we rebuild? On season two of Global Reboot, a Foreign Policy podcast in partnership with the Doha Forum, FP editor-in-chief Ravi Agarwal engages with world leaders and policy experts to look at old problems in new ways and identify solutions to our world's greatest challenges. Listen to season two of Global Reboot wherever you get your podcasts.
Ian Bremmer:
Jen Easterly, thanks so much for joining us on GZERO World.
Jen Easterly:
Great to be here, Ian.
Ian Bremmer:
So I want to start with just a little easy one, which is your organization, CISA. A lot of people, if they've heard of it at all, probably it was when Chris Krebs was unceremoniously dumped by Trump for saying that he was monitoring the elections and nothing untoward. Tell us a little bit about what your organization is responsible for, your remit, both in the US and globally.
Jen Easterly:
Yeah, great. And Chris was the founder of the agency. It's actually the newest agency in the federal government. We were set up in 2018 to really be America's cyber defense agency and that firing was really a moral courage moment that helped put CISA on the map. I think many people did not know what CISA was or what we did, and now people understand the value that we can bring. Our mission is to lead the national effort to understand, manage and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. When you say things like critical infrastructure, though Ian, people think it's a really technical term, but at the end of the day, it's the water, it's the power, it's how we get gas at the pump, how we get food at the grocery store. So it's really those networks and systems and data that underpin everything we need to run our lives. And so we are responsible for working with our partners to protect and defend that infrastructure.
Ian Bremmer:
Now, I want that agency to exist and I'm glad that you're running it, but of course, when you talk about critical infrastructure in the United States, at least most of that is owned by, run by, managed by the private sector, not by the US government. And God willing, that's not going to change anytime soon. How do you do your job effectively given that you have no control over the actors that are actually doing the defending?
Jen Easterly:
Yeah, it's the best thing about being the leader of this agency because it's all about partnerships at the end of the day as you said it, and that's the way it should be. Over 80 some percent, the majority of critical infrastructure is in private hands. And so the challenges in this role are very different from other roles where I've been in the army, overseas in combat, in the Intelligence Community at NSA and the White House doing policy where arguably the federal government has monopoly power.
In cyber security, the federal government is just a partner, a partner with state and local colleagues and a partner with industry. And so we have to work together collaboratively, realizing that government can't solve this problem, industry can't, state and local colleagues can't, so we all have to work together to drive down risk to the nation. It's very instructive. Before I took this job, I was working at Morgan Stanley doing cybersecurity defense and leading resilience, and when I was still there working on the transition, SolarWinds happened. And a lot of people took different lessons from SolarWinds. But one of the big lessons that I took was that it wasn't the Federal government, it wasn't the incredible Intelligence Community or some other capability that we've been building that discovered that massive espionage campaign that affected-
Ian Bremmer:
It was a cyber company.
Jen Easterly:
It was a cyber company. It was my good friend Kevin Mandia at FireEye. What that really told me is we have to work hand in hand with these companies to be able to see the dots, connect the dots, and drive down risk to the nation at scale, and that's behind things we've been building, like the Joint Cyber Defense Collaborative, some of the partnerships with all of the technology companies. It's just a recognition that this is not something the Federal government can do alone.
Ian Bremmer:
What is it that every member of Congress needs to know better so that you can do your job better?
Jen Easterly:
I have been incredibly impressed since I took this job and encouraged, frankly, because we live in a world, in a country at least where partisanship affects a lot of things, but frankly, it has not affected cybersecurity. We have incredible support from both sides of the aisle and some real champions on both sides of the aisle of folks who've gotten incredibly smart on cybersecurity and who have enabled, CISA in particular, we've benefited from a lot of work of people like Congressman Jim Langevin, Congressman John Katko, Senator Angus King, Congressman Mike Gallagher, the senators who are in charge of my oversight committee, Senator Rob Portman, Senator Gary Peters, some terrific support of people who have actually done the work to learn about these issues so that they can help make CISA as successful as where we need to be. And frankly, you see it reflected in increase in budgets every year, increase in authorities, increase in responsibilities.
But one thing that I would say made a watershed moment, and that was this congressional commission, which was the Cyberspace Solarium Commission, and that came together over the past several years and it had a couple congressmen and a couple senators on it, and they used the 75 or so recommendations to actually drive legislation. So nearly half of those 75 recommendations ended up in the 2021 NDAA, the defense bill, and that was this marriage of really smart people coming together to make recommendations and then actually getting it in legislation. And that has been, again, incredibly encouraging. And since I took this job over the past year, today's my, by the way, one year anniversary. Since I took this job, we have had support on both sides of the aisle.
Ian Bremmer:
Let me ask you, you said that 80% of critical infrastructure is in the hands of the private sector. I want you to give me your back of the envelope percentage, in terms of the significance of the threat environment from other countries as opposed to from criminal actors that are not affiliated with governments.
Jen Easterly:
Yeah. So the reason why I can't give you a great back of the number, maybe I'll say it's 50/50, Ian, but the reason why we don't have great data is because there has never been a mandate to report things like cyber incidents to the US government. And so certainly we see nation state attacks, big breaches that make their way into the news. Certainly SolarWinds, the attack we saw in Colonial Pipeline, JBS Foods, Kaseya Software, Equifax a couple years ago. So those things that hit the news, the attribution ultimately comes out. Some are nation states. The big four are of course China, Russia, North Korea, Iran. And then you have a whole ecosystem of cyber criminals to include those who are deploying ransomware. And some of those groups are aligned with nation states. Some of them are given safe haven, some of them have a sponsorship, but very hard given that we don't have a baseline of data.
It's why, again, going back to the Congress, they actually passed earlier this year a groundbreaking set of legislation, the Cyber Incident Reporting for Critical Infrastructure Act, which for the first time, they've been trying to get this thing passed for over a decade, for the first time, there will be a requirement for critical infrastructure to report to CISA if they have a cyber incident. So we can not only use that data to render assistance to warn others, but also to get a much better understanding of what's going on so that we can be able to react and respond and to drive down risk in a much more systematic way.
Ian Bremmer:
So a lot that we don't know, and we don't know because right now the incentives and the requirements to report are not close to what they should be. On the China side, one thing that I've always found interesting is how behind the curve the American government has been in assessing Chinese technological capabilities. Ten years ago, nobody in Washington remotely believed that the Chinese could be at parity with the US in technology and basic technologies by 2022. And here I'm talking about productive technologies. I'm talking about parts of AI. I'm talking about voice recognition, facial recognition. How confident are you that we understand China's offensive cyber capabilities that they could deploy against the United States?
Jen Easterly:
I think we have a very good understanding of the major threats out there from adversaries. So we have huge capabilities, as you know, in the Intelligence Community. We've been building capabilities to understand from a military perspective. Our north star, we are the defenders. So my whole life is about cyber defense, but in order to be a good defender, we have to understand the offense as well. And that's why my time in the Intelligence Community really has helped me be a better defender. But at the end of the day, you bring up something that I really worry about. I worry about the next 10 years being a decisive time when we will be able to win the battle or lose the battle for technological innovation. When you look at things like who is setting the standards for technology these days, most of the chairs and vice chairs of those committees are Chinese. So the government has a very heavy hand in what are going to be those technology standards of the future.
I worry about things like how are we going to get ahead of 6G when we failed to do it with 5G? What about artificial intelligence? What about biotech? What about quantum? One thing that I'm starting to put a big focus on at CISA working with our international partners is smart cities. When you think about everything getting digitized, that's so great. Everything's so much easier when everything's smart, but think about the risks of that. And so there's so much that we need to do to truly invest in research, in people, in technology and capabilities to be able to stay ahead of this power curve when it comes to technology innovation.
Ian Bremmer:
Is it a plausible scenario that in the next 10 years the Chinese could become technologically dominant compared to the United States?
Jen Easterly:
I think it's a concern. I think it is a concern. And so that's why I think we need to ensure we have the alliances. We are building the right incentive models. We are investing in the research to keep the edge on technological innovation. It is not at all clear that we are always going to be dominant in that, and that's why the investment is so important.
Ian Bremmer:
Now given how much we're hammering the Russians and given how badly they've been performing militarily in the field in Ukraine, does that also translate into Russia's cyber future, that China's really where we should be more worried about, even though the Russians historically have been the bigger concern?
Jen Easterly:
The certain answer is no. You've heard the old trope that Russia is a hurricane, China is climate change. And certainly if you look at the long-term, when we think about the size of China, the investments that they're making in their capabilities, yeah, a serious long-term concern, particularly about some of the emerging tech issues that I just addressed. But they are both, along with Iran and North Korea, very formidable adversaries from a cyber perspective. They have placed a lot of investment in all of their capabilities and in their people, and we should not take the wrong lessons from the fact that Russia has not done as well as many of us expected militarily in Ukraine.
And so we have been for several months now running a campaign called Shields Up to help everybody understand that we are in an elevated threat environment. We know that the Russian playbook is all about using cyber to go after critical infrastructure. We've seen that many times in Ukraine. We've seen it here in the US, and we need to be prepared to be able to respond to any sort of attacks, whether it's a direct attack on our critical infrastructure, whether it's a cascading attack as we saw with NotPetya in 2017, or whether it's a ransomware group that might be aligned that could give Russia some plausible deniability, but could have a serious impact as we saw in Colonial Pipeline last May.
Ian Bremmer:
I want to ask you about that because of course, we all remember the Colonial Pipeline hit, and shortly after that Biden met with Putin and brought the issue up very forcefully and said, "If you guys don't cut it out, even if it's not the government directly, even if it's a criminal actor, that there's going to be hell to pay." And my understanding from the White House is that the Russians did indeed back off significantly on attacks on American critical infrastructure after that. Now that was before the Russian invasion of Ukraine. That was before the unprecedented US and other allied sanctions against Russia. I have to presume that we expect that there's going to be a full-throated cyber response retaliation from the Russians. Have we seen any of that so far since February 24th?
Jen Easterly:
So we have seen, and as the President mentioned a couple months ago, we have certainly seen evidence of planning for potential cyber attacks on critical infrastructure. Again, this is not something that surprised us. It's why we have been working for months and months to warn critical infrastructure and state and local partners of the potential for attacks against critical infrastructure and why we have been hammering away on all of the things that small businesses, large businesses, individuals, CEOs, security teams need to be doing to mitigate risk to our networks and our systems and our data. So this is not a surprise that there could be a potential attack for retaliatory purposes given sanctions or given frankly how we've come together so strongly to impose costs against Russia. So we continue to be prepared for it. And as the President made it very, very clear, if Russia does conduct some sort of disruptive cyber attack against US critical infrastructure, we will respond in a time and manner of our choosing. I'll of course defer to the policy folks because that response could take many forms.
But I think one of the great things that we've seen in the past few months is how strong our alliances across the world, NATO and globally, frankly, to include from a cyber defense perspective, have come together to ensure that we are collectively supporting Ukraine, which has done pretty incredibly frankly from a cyber defense perspective, but enhancing resilience, enhancing our defenses and committing if appropriate to use tools for response.
Ian Bremmer:
And we've seen the South Koreans join in on that, the Japanese. No, it has been quite impressive. But am I to understand that since the invasion of Ukraine, you have not seen significant cyber attacks, successful or unsuccessful, against critical infrastructure in the United States from Russia?
Jen Easterly:
We have seen no cyber attacks, as we would say, on critical infrastructure of any note that we know of. Again, there are cases where there may be an impact, but certainly given our role in protecting and defending critical infrastructure, that would very likely have been something that came to us. So no, we have not, but we continue to tell all of our partners that we are not out of the woods. We need to continue to stay vigilant and keep our shields up and keep focused on maintaining security and resilience capabilities for the nation.
Ian Bremmer:
Are you a little surprised by that?
Jen Easterly:
We have not seen significant attacks. I think I would've expected to see something at this point in time, and obviously there's a lot of thinking around this. In my mind there's probably two things. One is if you go back to the Joe Nye article, Deterrence and Denial in Cyberspace, which I think well laid out how we think about deterrence in cyber. So deterrence by punishment, I think there's a little bit of a fear of escalation if there was some type of an attack here. So certainly the warnings that have been given. I think we've seen some cascading effects, certainly with ViaSat, which was aimed at Ukraine, but had effects in Europe. But I think in general, most of the significant attacks have really been within Ukraine. So I think there's a little bit of deterrence by punishment.
But I'd also like to think, Ian, that there's been some deterrence by denial. I think we have really raised the red flag on this, given a sense of urgency. We have briefed our critical infrastructure partners at all levels, thousands of people around the country, hundreds of briefings. We have briefed at classified levels. We've worked with the Intelligence Community who have been incredibly supportive to aggressively declassify information that can be used in an actionable way to defend networks. So I think part of this is really digging in on defense. I think there's a concern about escalation for retaliation, and I also think there's just a huge focus within Ukraine, given that it hasn't gone as well as what was originally expected.
Ian Bremmer:
I'm thinking about the Russians, the Chinese, large state actors with massive capabilities. You also mentioned North Korea and Iran. We haven't talked much about terrorist organizations. And of course the thing about terrorist organizations is it's very hard to apply Joe Nye's theory to them, because punishment, if you are prepared to literally destroy and don't have demands, deterrence isn't very effective. And I'm wondering, given the level of terrorist attacks that have been out there, why you think we haven't seen more effective cyber capabilities for major terrorist organizations?
Jen Easterly:
Yeah, it's interesting. My last job before I went to Morgan Stanley was a senior director for counterterrorism at the NSC, and this was during 2013 to 2016. So this was the rise of ISIS, all of the attacks around the world. And it was a question we often wondered. There were low level attacks, things like doxing, so taking names and putting them out publicly and threatening to go knock on their door and create physical harm. But we have actually not seen any sort of development by terrorists of significant cyber over the past couple years. And they've made it easier because a lot of these, as a service tools, like ransomware as a service are much more widely available. So sadly, that ecosystem has been democratized. You have hacktivists and we've seen a bit of that with the defacements and the distributed denial of service.
And then you have cyber terrorism. And frankly, I always think of it as a low probability, but high impact. So if terrorists did get their hands on sophisticated cyber weapons, I think that would, because there really isn't the deterrence impact as you just said, but we have not seen that. So not saying it wouldn't happen, I don't want to have any failures of imagination. So I am always trying to look around the corners and build a workforce that looks around the corners, but it is not a threat that is high on my landscape right now.
Ian Bremmer:
So then final question around that is when I was growing up, and you too, we were very worried about the proliferation of nuclear technology, weapons and capabilities, and the Americans and the Soviets had arms control, but we also all wanted to ensure that the nuclear club stayed as small as possible. We devoted a lot of effort internationally to that. I don't hear or see us devoting a lot of effort to the prevention of proliferation of dangerous cyber capabilities. And I'm wondering why you think that is and what can and should be done?
Jen Easterly:
Well, to state the obvious, it's incredibly difficult to be able to verify whether somebody is developing or the amount of cyber weapons that they have in the way that we could actually verify nuclear capabilities and come together and have an agreement on a treaty. In some ways, it's even complicated, although I do think we're getting better at this, to attribute a cyber attack. If you go back to several years ago, remember the Sony attack, it actually took a while to have that attributed.
Ian Bremmer:
They said it was North Korea. Well, didn't it go through Albania or something like this at the time?
Jen Easterly:
Well, these attacks bounce through everything. Nothing goes direct. And so there's still a challenge in attribution, but again, in terms of developing these capability, you're exactly right. There's dozens of nations now that have developed what we call offensive. That's point one. Point two is these types of capabilities may start out for things like collecting intelligence, which is lawful in many cases, but then they can be used for destructive or disruptive purposes, which you certainly wouldn't want, particularly if it was against critical infrastructure or against cyber responders or against emergency responders. So, we do not have those rules in place. This is where I think, and I'm a bit of an norm skeptic, I have to say, but I do think at least articulating what we think should be absolutely out of bounds as a normative point I do think is important. Things like civilian critical infrastructure. Things like, again, first respond capabilities, things like computer emergency response teams.
So I think that at least in terms of how to articulate some sort of, I wouldn't call it necessarily a treaty, but the articulation of those norms, which have been done by the GDE, the UN group that laid out 11 norms and then the open-ended working group. So I think that's probably the right direction to go in and the best we can do.
Ian Bremmer:
Jen Easterly, thanks so much for joining us today.
Jen Easterly:
Thanks so much, Ian. Great to be with you.
Speaker 4:
That's it. For today's edition of the GZERO World Podcast. Like what you've heard? Come check us out at gzeromedia.com and sign up for our newsletter, Signal.
Announcer:
The GZERO World Podcast is brought to you by our founding sponsor, First Republic. First Republic, a private bank and wealth management company, places clients' needs first by providing responsive, relevant, and customized solutions. Visit firstrepublic.com to learn more.
In a world upended by disruptive international events, how can we rebuild? On season two of Global Reboot a Foreign Policy podcast in partnership with the Doha Forum, FB editor-in-chief, Ravi Agarwal engages with world leaders and policy experts to look at old problems in new ways and identify solutions to our world's greatest challenges. Listen to season two of Global Reboot wherever you get your podcasts.
Subscribe to the GZERO World Podcast on Apple Podcasts, Spotify, Stitcher, or your preferred podcast platform, to receive new episodes as soon as they're published.