Is the Government’s Version of All In the Family a Reality Show?

The Aspen Cyber Summit focused on the federal government’s need to work collaboratively with the private sector in order to protect the nation’s critical infrastructure. It was called “Exploring Collective Defense in a Digital World,” and the emphasis throughout the two days was most decidedly on “collective.” It could have been called “We’re All In This Together.”

But just a few weeks earlier, Josephine Wollf, an assistant professor of cybersecurity policy at Tuft University’s Fletcher School of Law and Diplomacy, wrote an article that suggested government agencies had serious problems working with each other. Specifically, she noted serious tensions between the offensive and defensive sides of the government’s house. As I prepared for the conference, I wondered whether any of this would come up.

The New Kid on the Block

In “CISA Can’t Succeed in the Pentagon’s Shadow,” Wolff argued that the U.S. Department of Homeland Security has never been given enough power to properly defend the nation’s critical infrastructure, which is what its Cybersecurity and Infrastructure Security Agency (CISA) was created to do. CISA actually has several important roles, including working with regional officials to help secure elections. But the main focus for this conference was its role in helping to protect U.S. critical infrastructure by working with the companies involved, about 85 percent of which are in civilian hands.

Since its inception in 2018, CISA has been overshadowed by the Department of Defense, Wolff wrote. The National Security Agency and U.S. Cyber Command are the real powers in charge, she said. The Biden administration has expressed a desire to “marshal a whole-of-nation fight to confront digital threats,” Wollf noted. But to do so, she continued, “it needs to embolden CISA so that it can begin to compel businesses and critical infrastructure operators to take the necessary steps that will actually protect the country’s most vital systems and networks.”

She suggested that one recent development might be a hopeful sign. In July, Jen Easterly was confirmed as CISA’s director. Easterly is a former NSA official herself. She helped launch Cyber Command. So “it’s possible to interpret her new position as a sign of just how far the two departments have come in finally being able to work together and how well established and respected the DHS cybersecurity operations finally are,” Wollf wrote. It’s also possible to view Easterly’s selection as a sign that the military has achieved hegemony, she added, pointing out that the top cyber officials in the White House, Chris Inglis and Anne Neuberger, are also former NSA officials.

Easterly was the conference’s first speaker. She spent much of her time reviewing her 10 weeks on the job. She had plenty to say about collaborating. The most eye-catching piece was the new group CISA established in August: the Joint Cyber Defense Collective (JCDC). The partners include all of the government’s heavy hitters: DoD, NSA, Cyber Command, DOJ, FBI, and more. From industry they’ve lined up Amazon Web Services, AT&T, CrowdStrike, Google Cloud, Microsoft, et. al. No signs of any friction there.

Interestingly, her bookend as the day’s last speaker was Rob Joyce. Joyce is the government’s fourth leader in the cyber realm, and he has not only spent much of his career as an NSA official, he’s the only one of the four who is there now. He heads its Cybersecurity Directorate. Earlier in his career there he led the offense. His new job mostly involves intelligence.

Between Easterly’s presentation and Joyce’s, lots of examples of partnerships were discussed. (I wrote about some of them here.) But there was also talk about the need for an offensive response to the onslaught of attacks. “We can’t only play defense,” said Kevin Mandia, CEO of FireEye. He wasn’t alone in urging more from the government. One example that drew praise from many quarters was the clawing back of at least some of the ransom that Colonial Pipeline paid to regain control of its data. In this instance, the FBI rather than Cyber Command was credited for the accomplishment.

The NSA Takes the Stage

When Joyce finally took the stage (yes, most of the panelists were really there), he was joined by journalist and author Garrett Graff, who directs cyber initiatives for Aspen Digital. Graff’s first question was about a warning the NSA had just released concerning VPN vulnerabilities. “This was a document,” Joyce responded, “that talked about what you should have in consideration for securing your VPN. And it was done jointly with CISA. They are our deep partner these days. There’s almost nothing we put out that we don’t do jointly with CISA—often CISA, NSA, and FBI together.”

There was more along these lines. For instance, Joyce said that NSA has stood up its own Cybersecurity Collaboration Center to build relationships with private industry. It lacks the scope of CISA’s JCDC, but it is a notable development for an agency with a go-it-alone ethos. But Joyce was not there to discuss his agency’s conversion to collaboration. The topic of the session was “The Next Generation of Threats,” and Graff skillfully probed for answers.

During the first year of the Trump administration, Joyce served as cybersecurity coordinator on the National Security Council for about a year before the position was eliminated. Graff asked him what’s changed four years later. “The idea that cyber crime has become a national security issue,” Joyce replied. “That to me is a dramatic change. And you see the government utilizing all elements of our power to include the foreign intelligence team, the offensive cyber team in the efforts to work against ransomware.”

So what are the country’s top threats? Joyce listed ransomware as No. 1. No. 2 is disinformation, he said, which is both “a cyber security problem and a malign influence problem.” After that comes the nation-state threat. “Russia, China, Iran, North Korea: they roll off so easy,” he said, “because those are the big ones we always see doing very obnoxious things in cyberspace.” And the last is critical infrastructure. It’s an area that “we’ve always known and worried about,” but in the last five years it’s grown urgent to lock down “for our national security.”

“You are the author of what is probably the most famous line about nation-state cyber threats,” Graff said. “Russia is a hurricane; China is climate change.”

It’s still true, Joyce said. Russia is a disruptive force, often seeking to tear down adversaries by disseminating misinformation and malign information. And they actively gather intelligence on both governments and critical infrastructure. All make them dangerous, he added.

China still looks like climate change to him. “Scope and scale,” he said, “China is off the charts.” The number of cyber actors “dwarfs the rest of the globe combined,” he observed. “You talked about the difference four or five years ago to today,” he said to Graff. “The difference I see is we respected them less. It was always broad, loud and noisy.” But what they’re finding, he went on, is that based on those numbers, the elite members of that group “really are elite.” That makes them a sophisticated adversary.

The required response? Understand, disrupt and find ways to push back, Joyce said. “Defense is really important,” he acknowledged. “But you also have to work to disrupt.” The strategy is “continuous engagement,” he said. “We’ve got to put sand and friction in their operations so they don’t just get free shots on goal.”

When people hear terms like “continuous engagement,” he went on, “they think offensive cyber. It is,” he said, “but I would say that the releases we’ve done jointly with CISA and FBI about the N-day vulnerabilities that those [adversary] teams like to use, that knocks them back just as much, and is just as important.” As is working with the international community to establish “the expectation that these things won’t be tolerated,” he added.

What about Bitcoin, Graff asked. Is ransomware a cryptocurrency problem as much as a criminal problem? “Certainly without profit there is no ransomware problem,” Joyce agreed. And crypto is the mechanism. But he called it both “a benefit and a liability.” The transactions can be watched. “They’re all very public,” he said. “The question is, can you de-anonymize and connect them?” That’s the challenge.

The other big challenge is quantum-resistant cryptography. When quantum computing arrives, unless they’re prepared with cryptography that can withstand it, security will quickly dissolve. Confidentiality algorithms, encryption algorithms, and authentication protocols will all be vulnerable, Joyce said. Now is the time to plan, he explained. That’s their Y2K problem, but “orders of magnitude bigger.” Asked how it’s coming along, Joyce said “I’m feeling really good.” For the classified networks, “we already have the protocols and the encryption technology,” he said. And they’re working with NIST to select commercial standards. “After you have all those things,” he said, “it’s the retrofit—it’s the get it into everything and build it backwards.”

The Bottom Line

So what are we to make of Wollf’s concerns that CISA has been minimized? And if she had a point, were the conference presentations reassuring? To some extent, I think they were.

Even if the conference primed the pump for partnership, it does say something that so many individuals, including speakers from the private sector, spoke about the need for collaboration. Likewise, the decision by CISA and the NSA to create organizations designed to facilitate more effective cooperation between the public and private sectors—and in CISA’s case, between government agencies as well—doesn’t guarantee these will yield results. But it proves it wasn’t just talk.

As for the way the government balances the two sides of its house, it’s no secret that the offense in cyberspace has long outstripped the defense. And that’s not going to change just because people talk a good game. It’s also true that the offense is always going to get more credit (when its activities are made public). But if there was ever going to be a time to recognize that the country needs both sides functioning effectively, this is it.

I think it does make a difference that Easterly made a name for herself at the NSA. And she has decades of high-level, relevant government experience. But what may be even more important is that defense suddenly seems top of mind. The country may never have appeared more visibly vulnerable.

The public heard about SolarWinds, and it sounded bad. But it was hard for a lay audience to understand what had happened. And then it only seemed to be about spying. Colonial Pipeline was very different. It was the infrastructure. And there were tangible results. Long lines at gas stations were on the evening news. All of those scattered ransomware attacks suddenly hit home in a big way. And they have not abated.

Where was the government?

At the conference, Rob Joyce talked about getting “left of theft.” We need to be able to prevent these attacks, he said. “We really don’t want the government, or any institution, to be really good at incident response. We’ve got to get ahead of that.”

It’s been a humbling time. The president of the United States had a talk with the president of Russia and told him the attacks had to stop. But they haven’t. The talk about cooperation at the Aspen Cyber Summit didn’t feel staged to me. It seemed to come from a bit of humility and a sense of necessity.