The second day of this year’s annual Threat Conference was filled with prescient discussions of intelligence, foreign threats and preparing for the future—by current members of government from NSA, DARPA and IARPA discussing and sometimes debating issues with former intelligence officials and trailblazers in private industry. Below are some of the highlights of the day’s conversations, in order of appearance.
Building Robust Cyber Defenses
Natalie Laing, deputy director of operations, NSA
On Russian, and other, cyber-aggression: “When you have the ability to have an asymmetric impact on our country or another country that can be penetrated anywhere, it is a cost-effective tool for nation-state actors. It is an efficient tool – it does not require mobilization of troops, it does not require leaving the country, it does not require joining the government if that activity is government-sponsored.
“So this really calls for doing things differently as NSA, as the intelligence community, and between the public and private sector. We have seen examples in the UK’s National Cyber Security Centre. This was not an easy thing to do – it took some monumental policy shifts on the UK side. But physically and on the responsibility side, there was an effort to co-locate their cybersecurity experts, government experts and their law enforcement experts. We need the ability to do this at speed and scale in our community – which is bigger. We cannot afford to not start joining that space more aggressively.
Ellen Nakashima, The Washington Post [Moderator]: "So you mentioned Russia’s move into the information warfare space. [PPDNI] Sue Gordon has publically said that Russia’s hybrid warfare is one of the more significant strategic threats that the U.S. faces now. We have talked about organization of the U.S. for cybersecurity. Are we organized to counter hybrid and information warfare? General Hayden spoke about this a little last night. I am not talking about securing the voting machines, but about the information warfare component. Should there be a robust military or intelligence community to knock out the bots or wage our own information warfare campaign against Russia? What do you think?"
Natalie Laing: " You have seen our Director, Admiral [Mike] Rogers, at CYBERCOM. You have seen other officials – Tom [Bossert] – say the same thing last night. That we have not hit them were it hurts, we have not done anything calculated that has cost them, Russia."
"So I think we are organized the right way, but I don’t think we have taken those next steps. As you can imagine, there has been a lot of discussion about what would those events and capabilities be, what would they look like, where could we create cost on the Russia side. We are very much in that discussion space.
"The final step as an IC and a government, what actually are we going to do? There is a big difference in nation-state offensive cyber. We are not set up that way, right? And that is a good thing from our country perspective. So that is a different calculus for us. I don’t think Russia is cyber-strong, frankly. So that is the space that we are in right now. What next level risk and next level offensive capability are we going to use?"
Nakashima: "What do you mean we are not set up for information state-sponsored cyber?"
Laing: "So in other words, how Russia, from a state-sponsored perspective, handles information warfare. They don’t have that artificial wall between cyber and information operations."
Chris Inglis, Cipher Brief Cyber Advisor and former deputy director, NSA
On Russian cyber-aggression: “Beyond their intentions, it is the recklessness of their actions that I am concerned about. Arguably WannaCry and NotPetya did not play out as the North Koreans or the Russians themselves would have had it. NotPetya had some not trivial effects on the Russian landmass – critical infrastructure within their sphere. So just in 2017, those two attacks alone showed us a bit of an infliction point. Those attacks were impactful by any stretch of the imagination – millions of dollars in damage. They were indiscriminate – you didn’t need to be the target to be the victim. And they were brazen – across anybody’s definition of a red line. The fact that they might not have intended for them to have that effect doesn’t take them off the hook for having that effect. And that is what I am most concerned about.”
Richard Ledgett, Cyber Brief Cyber Advisor and former deputy director, NSA
On cyber-aggression by Pyongyang: “If we are in conflict with North Korea, they are going to use every method at their disposal –that will include destructive cyber activities. They have not exhibited a lot of care about the collateral damage caused by those cyber activities. That makes it dangerous for the corporate world in ways that we haven’t seen in the past.”
Responding to Putin Amid a “Clash of Civilizations”
Mark Kelton, former deputy director for counterintelligence, CIA
“The factor that got us to where we are with Russia, is weak responses or non-response to a whole series of Russian actions. If you look back over the last few years, you can see where [Russian President Vladimir] Putin stuck his toe in the water and moved more aggressively, and then more aggressively still, gauging Western response. He takes Crimea, goes into Eastern Ukraine, expeditionary warfare in Syria, our nonresponse to Edward Snowden, he kills Alexander Litvinenko.
“All of that, from his perspective…incurs very little cost. The recent attack on our democracy, and our response to that and [the poisoning of] Sergei Skripal have caused us to belatedly do some things –arming people in the Ukraine, the closure of consulates, kicking people out. But what is to be done now, and is that enough to alter Putin’s behavior?”
“There aren’t really rules [with Russia]. It is akin to a dance – one side takes a step, the other side takes a step. But the problem occurs when one side stops dancing and the other keeps going. If we don’t respond to the actions that they take, they will keep moving. So there really is no etiquette. There is none. It’s a balance.”
Michael Sulick, former director, CIA National Clandestine Service
“We have assassinations, the Malaysian airliner downed, basically abetting war crimes in Syria and really Putin hasn’t suffered much in return. This mass, unified expulsion [of Russian officials in the U.S. and Europe] really to me doesn’t really damage Putin or the Russian intelligence services – it is a shot across the bow. We still have a lot of tools and to me, the most important are economic. If there is one obstacle to Putin’s historic vision of a Slavophile messianic destiny, it is obviously the economy suffering from oil prices and sanctions. The military adventures are a result of the cutbacks in social services and infrastructure projects at home. Putin has restored national pride, but when does national pride stop compensating for lack of bread on the table?”
John Sipher, former member, CIA Senior Intelligence Service
“At least during the Cold War, the Soviet Union had an ideology to surround themselves around. Right now, there is nothing. It is a corrupt country, it is weak, and Putin has to use fear to keep his people in line. The key worlds that he relies on are intelligence and security services, because he knows that they can be corrupted and bought and the best way to keep them from straying from the flock is to kill a few of them in a criminal mafia sense to tell people not to play footsy with the West. This is a pretty cold, criminal type of behavior, and not really a surprise.”
DARPA: Back to the Basics of Missiles and Space
Peter Highman, deputy director, Defense Advanced Research Projects Agency
“The first two things we were focused on as an agency were missile and space and it’s where we are again today. DARPA currently has over 250 running programs. The annual budget is public and is around $3 billion per year. Nobody in the agency is career on the technical side. Everybody comes in for a limited tour. This means that there are no pet rocks that persist; there are always people coming on looking for new things. The other way the DAPRA model succeeds is that there are no longstanding projects. Out projects also have a lifespan of 4-5 years in the agency.
“DARPA was arguably the main founder of the artificial intelligence (AI) field 50 years ago. Around 80 of our 250 programs have AI involved in some way and 50 of those programs are actually aiming to use AI to push the edges and redefine the future.
“There are some big things at DARPA that I really want to help happen. DARPA’s Microsystems Technology Office (MTO) is now the lead for the government on the Electronics Resurgence Initiative (ERI) where we are reinventing how we build and design complex electronics. There is a big kickoff for that in July and seeing that succeed is huge. Second, hypersonic weapons are big. There is a lot of press about these systems and DARPA is investing heavily and plays one of the leading roles in hypersonics. My job as deputy I see is helping make these two successful.”
‘How the NSA is Preparing for the Global Cyber Pandemic’
Glenn Gerstell, general counsel, NSA
“Despite our best efforts across the government, the threats posed by cybercrime, cyber mischief, and nation state activity have now combined with even greater toxicity to present unprecedented challenges across our personal, professional, and political lives in a way that's hard to overstate. History and our own experience has taught us that we collectively tend to underestimate the gravity – and perhaps the probability – of risks, and that we as a society react only after a crisis or calamity.
“We've seen other nations such as the UK and Canada make strides in adopting unified cyber strategies or national cyber policies. Approaches suitable in other countries might not translate well here in the U.S. for various reasons, but it may be worth examining their approaches to determine what we might learn from their experiences. To facilitate a productive dialogue, what factors would we need to consider in developing a unified approach to cybersecurity here in the U.S.?
“A unified and nationally prioritized federal budgetary authority would clearly be a critical component of a new cybersecurity strategy. To oversimplify the options: in one model, each federal department could manage its own cybersecurity budget – after all, each one knows its own systems, equipment, and requirements the best and can balance its own competing priorities. But another model recognizes that cyber threats and vulnerabilities often cut across multiple departments and agencies, and thus it may make sense to consolidate control of the cybersecurity purse strings so that needs can be centrally prioritized and addressed in a way that is optimal for the entire federal enterprise.
“Attribution of malicious cyber activity should be incorporated in a national cyber strategy. Attribution often requires the expertise of various government components; however, primary responsibility for coordinating efforts to attribute malicious cyber activity could be centralized within one agency. Regardless of how a national cyber strategy assigns this function, I would expect NSA to have an important role to play in the execution of this function, given the agency's expertise in this area.”
(Gerstell’s comments taken from his prepared remarks.)
‘DARPA for Spies’
Stacey Dixon, deputy director, Intelligence Advanced Research Projects Activity
“At the moment we only have one…pure cyber program, and it’s actually trying to forecast cyberattacks. It’s called ‘Cause,’ and we’re trying to see whether in publicly available information there are clues that someone is either selling, acquiring, what malware is becoming more valuable because there’s a demand for it, trying to figure out who the potential victims could be, trying to use the information that’s out there…as a sensor to let you know that something’s going to happen.
“Look at the number of accidents and fatalities we have from people driving cars. Are we expecting machines to be better than that? If we don’t figure out how to have that conversation and really set the expectations for what we expect the machines to do, we may not be able to use them in places where logically they would actually be very beneficial to society.
“The way that we look at DNA sequencing, and figuring out what is dangerous and what isn’t, is somewhat primitive. I think there are compounds of organisms that are very similar, and one may flag as dangerous and one may not because of the similarity of them…if someone genetically engineers something, our systems aren’t automatically going to recognize that it’s a threat, because it’s never seen it before. We want to be able to have systems that are going to be able to say, this is something that we’ve never seen, this is something that is not natural, it’s man-made.”
Editor's note: This article has been updated to include a more complete transcript of NSA official Laing's responses on Russia.
