Like many cyber experts in Washington, Jamil Jaffer wears multiple hats. He’s worked both inside and outside of government and is currently the Vice President of Strategy and Partnerships at IronNet Cybersecurity, Founder of the National Security Institute at George Mason University and a Visiting Fellow with Stanford’s Hoover Institution.
It seems like a lot, but the underlying cyber network of experts that is moving between the public and private sectors generally have a lot to offer. The Cipher Brief wanted a better understanding of how the conversations that are happening in board rooms, hearing rooms and sometimes, backrooms are making an impact on our overall understanding of cyber threats and how to address them.
As we launch The Cipher Brief’s new Cyber Initiator Group, we’ll be talking with more people like Jamil Jaffer about their efforts and where they’re seeing real impact.
In this case, we caught up with Jamil after a Hoover Institution briefing he held on the Hill with staffers from the offices of some key members of Congress and committees that are working to address cyber issues. He was there specifically to talk about the issue of nation-state threats and how companies and industries and governments think about the threat in very different ways. In the room were staffers, some of them senior members of their support teams. Staffers, of course, make up the backbone of Congress. So, interactions like this generally go a long way in forming the narratives around understanding cyber threats. Those understandings become the basis of information that is given to lawmakers who then vote on policy. As noted above, when we caught up with Jaffer, he had just concluded a briefing on the Hill as part of a series sponsored by the Hoover Institution. We asked him what he was hoping to get out of the meeting.
Jaffer: I want to give these senior congressional staff members a sense of what this cyber threat looks like from an outsider's perspective. What works in the industry on these issues, what works from the academic perspective, what does the threat landscape look like? I was looking to generate some ideas on how they might think about the problem for their bosses, for members of the committees, and what they might actually do in an actionable sense.
One of the things that Hoover is proud of doing, is providing actionable ideas for policy makers and for strategic thinkers. The academic engagement—and Hoover’s record on this specifically—is really one of creating strategic, long-term thinking about big problems in cyber. So, my presentation really focused on big picture threats and some of the ways we might think about these problems or perhaps think differently about these problems. We don’t get into policy prescriptions, but we launch conversations around key areas where staffers are trying to make an impact.
The Cipher Brief: One of the things you talked about was the idea of empowering the private sector and of course, the age-old challenge of coming to some kind of agreeable and workable solution on information sharing.
Jaffer: We've been working on this information sharing thing, in a variety of ways, for a long, long time. In 2007, 2008, I was working in the Bush Administration, at first at the Justice Department in the National Security Division, and then, at the White House, and in both of those jobs, we were working on the President's Comprehensive National Cyber Security Initiative. But what's amazing about it is back then one of the key focuses of the President's Comprehensive National Cyber Security Initiative was information sharing. And fast forward a few years later, I went to Capitol Hill for Congressman Mike Rogers, and we launched the first version of what eventually became the CISA, the Cyber Intelligence Sharing Act of 2015. At that time, we were working on that first version of the bill that passed the House called CISPA. So, we were really trying to get that ball moving and get the laws cleared up so that we could get the lawyers out of the room in an effort to allow operators to share more threat data information with each other. And that process still continues. One of the things that we work on today at our company, IronNet Cybersecurity, is building communities of trust among various companies to share threat data with one another and then also to share that data with government. It’s a relationship-building exercise and it’s a continuing process.
One of the other issues that was raised was companies being required to defend themselves against nation-state attacks. Historically, we haven't expected companies to have to stop nation-state attacks. For example, we don't expect Target or Walmart to have surface-to-air missiles on their rooftops to defend against Russian Bear bombers. And yet today, we expect Walmart and Target to defend against every attacker, whether it's a hacker in his basement, or a criminal gang from Russia, or Chinese-directed IP theft or even more aggressive attacks, and destructive attacks from North Korea or Iran. If you think about it, though, an individual company simply doesn't have the resources or the capabilities to defend against a committed nation state attacker. But yet, we also don't want the government sitting on the boundaries of the U.S. internet and moderating all of the traffic to stop threats. To the contrary, the way we think about it as Americans is that the government should at least help the companies defend themselves. If one day, the balloon goes up and there are significant attacks against the U.S. private sector that cause real damage, the public is going to look around and say, "What was the government doing to help industry? How did they leave industry completely alone to do this?".And so, there have been a lot of recent government efforts via the Department of Homeland Security and other agencies, and yet we know that challenges remain around that. There's an opportunity here to do some new and interesting stuff, but it requires both the government and industry to think about these problems in different ways.
The Cipher Brief: You mentioned the idea of encouraging companies to share information first with each other in trusted groups and then with the government. And, I think that's how a lot of private companies are approaching this with the lack of clear agreement within industry and government on boundaries of sharing. Are you seeing success with that model? And, how do you go about convincing companies to share more information?
Jaffer: That's a great question. At IronNet, we created a sharing alliance of five big energy companies. And those companies are sharing real time information with one another. What's really cool about that is that it means that if something happens below the radar, below the alerting level at company one, and something similar happens at company two, they are both notified of that fact; even if it not a known threat or signature. Just knowing that another company saw something happening below the radar is helpful to identify new, previously unknown threats or behaviors. And we do additional analysis of that material also to better protect the overall ecosystem.
The Cipher Brief: And then, what are the triggers for sharing that information with government if it becomes a serious enough threat? What kind of triggers would it require and how does that information sharing happen?
Jaffer: That's an issue we're still working through with our clients and discussing with the government and various agencies. In a lot of ways it is really interesting, I think we have seen a change a bit with the government and with industry in this area in recent years. Industry seems increasingly willing to talk to government and say, look, we need to tell you about what we’re seeing so that you can exercise your own authorities and do whatever you can do in foreign space or under your own authorities to help stop the attacks.
The Cipher Brief: Do you feel like traveling around and talking with private sector people, talking with government folks about these issues is making a difference? Do you feel like there is a positive impact that comes out of the time and effort that it takes for you to put together presentations and go and meet people face to face?
Jaffer: I really do, and I realize that when you do these presentations for small groups, you're only getting a handful of people. But there is an important role for government to play in the cyber defense of our nation. In today’s risk environment, it’s important that no matter how small the group is, if it's the right group of folks, they can actually have an impact. So I do think it is really important to have these conversations with them.
