TRANSCRIPT: Russia's Cyber Attack: An Act of Espionage or War? Jeh Johnson's Perspective
Jeh Johnson:
Very often nation states create for themselves some degree of separation with the bad actor. So they can say, "Wasn't me." And in my personal experience in national security, I've had very, very senior officials of foreign governments look me in the eye and lie to my face. It wasn't me. It wasn't me, it was some other guy.
Ian Bremmer:
Hello and welcome to the GZERO World Podcast. Here you'll find extended versions of interviews from my show on public television. I'm Ian Bremmer, and today we're taking a look at a massive Russian cyber hack of US companies and government agencies. What does it say about America's preparedness for the realities of the 21st century? Nothing good. Was it business as usual for the spying game or an act of war? I'm talking with former Homeland Security secretary Jeh Johnson. Let's get right to it.
Announcer:
The GZERO World Podcast is brought to you by our founding sponsor, First Republic. First Republic, a private bank and wealth management company, places clients' needs first by providing responsive, relevant, and customized solutions. Visit firstrepublic.com to learn more.
Ian Bremmer:
Jeh Johnson, he was Secretary of Homeland Security under President Barack Obama. Jeh, thanks so much for joining me on GZERO World.
Jeh Johnson:
My pleasure, Ian. Looking forward to our discussion.
Ian Bremmer:
I want to jump right in to this massive Russian breach into both the public and the private sector. Give us a little rundown given your expert perch of what you think we've just seen.
Jeh Johnson:
Well, Ian, when I was at Homeland Security, I used to tell people, let's prepare and plan for the next attack, not the last attack. I used to try to encourage my people to think aggressively to try to stay one step ahead of the enemy. Unfortunately, bad cyber actors like this most recent one are increasingly aggressive, tenacious, ingenious. This attack using software upgrades was both ingenious and ironic. Using a software intended to promote cybersecurity as the tool to implant malware was extraordinarily clever.
And it's highly regrettable that some of our most sophisticated actors in this country, in cyberspace like the Department of Homeland Security or other elements of our national government, didn't catch this sooner. It took FireEye apparently to catch this. And so my assessment of this is, it is yet another example of how the bad guys continue to stay one step ahead of the good guys in trying to defend against this kind of thing. And as I sit here, I think we are yet to fully understand the extent of the damage caused by this attack, and most fundamentally, whether it is simply an act of traditional surveillance, which many governments engage in, or it is some form of offensive attack, which would merit a very, very serious response in my view.
Ian Bremmer:
For those that are just kind of watching the headlines around this, should we be a little shocked that this actually could have happened at the hands of a foreign government?
Jeh Johnson:
No, we should not be shocked, unfortunately. And your question is a very legitimate one. The one thing I will say is when you're on defense, when you're in national security, when you're in homeland security, there are a lot of bad things that we do prevent from happening that somebody like you and me in private life don't hear about. And it is the reality that one failure will be the equivalent of a thousand successes. So there are a lot of cyber attacks, a lot of attempts at infiltration that are prevented and caught that you don't necessarily hear about. It's the big one, like the current one that we do hear about and obviously need to be concerned about.
Ian Bremmer:
Is there anything that we know thus far that implies that this was more than just espionage? Because again, I've heard lots of intemperate things on the internet, shocking, including from members of Congress saying, "This was an act of war." Is there any reason to believe that is the case from what we know so far?
Jeh Johnson:
Well, in reacting to a national security event, I rarely take my guidance from individual house members reacting on Twitter. And I recommend that you not do that either. So there are indicators when you implant malware that it could be done for all sorts of reasons. When I was in Homeland Security, the cyber intrusion that I would worry about most is a national actor, a nation state actor, one of the more sophisticated ones, implanting malware in critical infrastructure. And it lies in wait to be triggered at a moments notice to do something, whether it is to ex-filtrate data, whether it is to degrade something, whether it is to destroy something, whether it is to change an identity, you don't really know until the trigger is pulled.
I gave testimony before Congress a couple of years ago, and one of the things I addressed in my testimony is under what circumstances a cyber attack should be considered an act of war. And my basic conclusion was that if the cyber attack amounts to physical destruction, loss of life, like any other more traditional kinetic attack, then that should be considered an act of war. And so we do get excited about these things as we should be, but we have to also consider the other side of the equation, which is what is the United States capable of doing? How might the United States respond to this intrusion in ways seen or unseen? And so we do have awesome capabilities in cyberspace ourselves as a country.
But going back to your original question, Ian, cybersecurity is a public-private partnership. There are cyber experts in government, there are cyber experts in financial services, there are cyber experts in the defense industrial base. And apparently this intrusion was far-reaching. It stretched into the private sector, some of our most sophisticated actors in the private sector. And so we don't know the answer to the question, to what extent should this be considered an attack? And we don't know whether we've discovered the full extent of it. We don't know whether it's implanted in a system that you and I use every day and we just haven't discovered it yet. So hopefully, cyber experts are on the case now because we know the signature of this actor hopefully and can act on that.
Ian Bremmer:
What do you think the Russians, assuming as Secretary Pompeo said, that they're responsible for it? What's the potential, what can they do with this sort of information?
Jeh Johnson:
Well, if one assumes that this was espionage, then the Russians know a lot more about people like you and me or people in government or our capabilities or what we are talking about within government or within some of the more sophisticated elements of the private sector. If this is a different form of malware with offensive features to it, one could eliminate data, one could alter data, one could degrade a capability, one could shut down a capability and critical infrastructure. Frankly, the possibilities are enormous. And so I look forward to hearing the public congressional testimony of our national security officials about exactly what they think this malware was implanted for. We just don't know, Ian at this point. It's still early. We just don't know. One thing that the public should be most upset about is just weeks before this attack was discovered, president Trump fired our government's senior cybersecurity official, Chris Krebs.
Ian Bremmer:
Yes.
Jeh Johnson:
Who by all accounts was doing a good job as an appointee in the Trump administration. He was the head of CISA, which is part of DHS, and by all accounts was doing an excellent job. He was doing exactly the job that a president should want someone in that position to do, but he was fired because he was not on the same page in terms of the election outcome. And so CISA, the agency of our government, principally responsible for our cybersecurity, is leaderless right now at a moment of great stress in a moment of cybersecurity crisis.
And rightly, over the last four years, state election officials, along with the Department of Homeland Security, did a lot of good work to harden the cybersecurity of state election systems, voting, voter registration roles. But still, if you're in this space, you have the sinking feeling that a sophisticated nation state actor is probably moved on to something else, to a different form of attack. And they did what they did in 2016. So now we need to be worried about what it is they're going to do in 2020 that's totally different, totally new, different victims, which is why I said earlier, I used to tell my people all the time, think about the next attack, not the last one.
Ian Bremmer:
So I want to get to your views of what you think the next attacks might be and how our policy should change. But first I should ask you about what the response should be with the Biden administration coming in. So far what I've seen has been a little bit of naming and shaming from some members of cabinet and a couple of consulates are closing. At this stage, is that appropriate or should more be happening?
Jeh Johnson:
Assuming this was done from a Russian platform at the behest of the Russian government, the intelligence officials in the Russian government, then I think the response has to be twofold. One, governments really don't like it when you sanction their people, when you sanction government officials or go after them criminally, even though it may be just in absentia. The other is, I believe that for an attack like this, an in-kind response is appropriate. In other words, you don't necessarily respond to a cyber attack kinetically cyber for cyber to demonstrate our own capabilities. Ultimately, Ian, when you're dealing with nation state actors who are really sophisticated in this space like the Russians or the Chinese, there is no complete line of defense. We cannot erect a wall that will prevent all such attacks. The way to end these attacks is simply to make the behavior cost prohibitive, to put in place sufficient deterrents so that the rational state actor will say, hey, this is going to cost me too much if I continue on this path. And obviously we have yet to do that with the Russians.
Ian Bremmer:
What would you like to see? I mean in terms of a doctrine of deterrence, which may not only include hit back measures, could also include offensive capabilities. What do you think it looks like for the United States and or our allies?
Jeh Johnson:
Three things. There is an overt attack like killing General Soleimani of the Iranian government in December a year ago. That's overt. It's in your face. Then there is covert action where the target is not even sure where the attack came from. And then there's that middle ground where something is technically covert, but you want the target to know it was me. But you leave yourself some room of deniability publicly. And when you're dealing with cyberspace, very often, the response is in that middle ground. The other facet of your question, which I would like to address is very often nation states create for themselves some degree of separation with the bad actor. So they can say, "It wasn't me." And in my personal experience in national security, I've had very senior officials of foreign governments look me in the eye and lie to my face. It wasn't me.
It wasn't me, it was some other guy. Because they'd like to believe that by creating some form of separation, some degree of separation, some degree of deniability, they get to deny plausibly to their United States counterpart. And so it's my assessment that foreign governments do set up these degrees of separation, which is a fiction in a way, so that when the bad actor goes out and does something they say, "Wasn't me. We'll try to bring them to justice for you, but it wasn't me. I'll come back with an investigation in about two years to tell you who it was, but it wasn't me." And frankly, much of what you and I would consider warfare is conducted through proxies these days. Through proxies in cyberspace, through covert action such that each side gets to try to pretend it wasn't them. Which is why the Soleimani attack a year ago was something that was really eye-catching because it was the United States and we basically said, "Yeah, it was us. What are you going to do about it?"
Ian Bremmer:
So let me widen the aperture a little bit. Four years ago, then President Obama invited President-elect Trump to the White House and reportedly told him that the biggest national security threat he had to worry about upon assuming the presidency was North Korea. Here in 2021, how do you assess and prioritize national security threats to the United States and the incoming president?
Jeh Johnson:
Everybody's talking about China. China is a multifaceted concern. They are a competitor in many, many ways, economically, militarily, and the like. And because they are the other major global economic power in the world, I would rate China as the number one national security concern of the incoming administration right now.
Ian Bremmer:
Jeh, there are plenty of things that we could probably talk about as how Trump has degraded American national security. Can you tell me one thing in your view he has done to improve US national security?
Jeh Johnson:
Great question. I was on a panel where I asked somebody else the exact same thing. Well, two things. One, I think under Jim Mattis' leadership, and Jim is a good friend of mine. This outgoing administration, did a lot to continue the effort we started under Obama to degrade ISIS. They took the fight to ISIS and Iraq and Syria and ISIS is all but obliterated. So that's number one. Number two, I thought that this administration was clever and possibly a little lucky in striking the chemical weapons facilities in Syria. In other words, they crossed the line. So we responded without there being a serious response coming from the other side.
One could say that about the Soleimani strike. I thought, frankly, and still think the Soleimani strike was hugely risky. Turned out the Iranian's response was measured. But I thought that was a hugely risky gamble to take to cross the line into overt warfare, basically by taking out one of their general officers. And the response was measured. So whether it was just good fortune or it was smart decision making or whatever, I give this administration credit for the times it has acted in response to crossing a line in a way that did not have serious consequences.
Ian Bremmer:
And if you were to sit down, as I'm sure at some point you will, if you haven't already, to the incoming Secretary of Homeland Security, Alejandro Mayorkas, what sort of advice would you provide in this environment?
Jeh Johnson:
Where do I start? Well, first I would say, Ale, I'm glad it's you, not me. Welcome. And regrettably, the immigration issue overwhelms whoever occupies that job. The job of being Secretary of Homeland Security is border security, but it's also maritime security, aviation security, port security, cyber security, training federal law enforcement officials, Secret Service, protecting our national leaders, the Coast Guard. I could go on and on. But the immigration issue overwhelms everything. And no matter what you do in the immigration space, you're going to make somebody angry and unhappy. And so you do the best you can to make the best judgments in support of the American people, in support of our border security, our homeland security, but be humane at the same time. And that's a tough line to walk when you're facing pressure from numerous different directions. And appoint good leaders, appoint good component heads who will focus on all those other aspects of homeland security while you focus on the things that are drawing your attention.
Ian Bremmer:
Outline an incremental change in immigration policy that could actually improve the situation. Something that's doable in your mind.
Jeh Johnson:
Well, we were that far away from fundamental immigration reform six years ago when the Senate passed legislation which died in the house, which would've done a whole lot of things, it would've provided a path to citizenship for those who have been here for 10 years living in the shadows. We need to codify DACA, protecting the Dreamers in legislation. And then Republicans want more border security, and there are smart ways to improve border security through technology, through increased surveillance, not just building a wall for the sake of a wall, not just hiring more border patrol agents for the sake of hiring more people in green uniforms. There are smart ways to go about that. And so comprehensive immigration reform would've embraced a path to citizenship, protecting those who were here, who've been here, who are not criminals, and improving border security and a whole lot in between. So we've charted that out already. It's just up to our Congress to have the political courage to take on this very tough issue.
Ian Bremmer:
So before we close, you have said that you absolutely will not play an official role in this incoming Biden administration. Why such a definitive statement?
Jeh Johnson:
I was just looking at the reality of things. I was considered for Secretary of Defense by the President-elect. It was a great honor to have that interview. Frankly, this would not have been an ideal time for me to return to Washington for a lot of reasons, including personal family considerations. But I could not have said no to the job of Secretary of Defense if asked, and that's what I was considered for. And right now, I'm happy in private life here in my Midtown Manhattan law office. Life is good. Perhaps sometime in the future I may have an opportunity to serve the country again, but right now, I am content to practice law, pursue my hobby of model trains in the basement of my house in New Jersey, and do public interviews like this one with you.
Ian Bremmer:
You heard that? Do not count out former Secretary Jeh Johnson going forward. Thanks so much. Great to see you, Jeh.
Jeh Johnson:
Thanks, Ian. Take care.
Ian Bremmer:
That's it for today's edition of the GZERO World Podcast, like what you've heard? Come check us out at gzeromedia.com and sign up for our newsletter signal.
Announcer:
The GZERO World Podcast is brought to you by our founding sponsor, First Republic. First Republic, a private bank and wealth management company, places clients' needs first by providing responsive, relevant, and customized solutions. Visit firstrepublic.com to learn more.
Subscribe to the GZERO World Podcast on Apple Podcasts, Spotify, Stitcher, or your preferred podcast platform to receive new episodes as soon as they're published.