EXCLUSIVE INTERVIEW – As he scans the global threat environment, Dana Madsen believes he has identified a new "inflection point" in malicious activity in cyberspace. Madsen is one of the CIA’s top experts on cyber threats writ large, serving as Deputy Director of the Cyber Threat Intelligence Integration Center (CTIIC) in the Office of the Director of National Intelligence (ODNI).
In an interview with The Cipher Brief, Madsen noted that just a few years ago, cyber espionage was concentrated on the theft of intellectual property – essentially a migration of traditional spycraft into cyberspace. Now, Madsen says, there is a host of new threat actors, many linked to America's adversaries on the global stage, and increasingly they are taking aim at critical infrastructure – penetrating electric grids, health care networks, water supply systems, and more – both to disrupt operations and to establish a persistent presence.
Madsen, who – as his job title suggests – helps manage the integration of all intelligence gathered on cyber threats, says that while the challenge is steep, growing public-private partnerships may hold the key to mitigating the problem. When such partnerships work, he says, they marry the government’s ability to collect sensitive information at huge scale with the private sector’s knowledge of the infrastructure and systems that are under threat.
Earlier this month, Cipher Brief Cyber-Tech Senior Editor Ken Hughes spoke with Madsen on the sidelines of the 2024 Threat Conference in Sea Island, Georgia.
The interview has been edited for length and clarity.
The Cipher Brief: Can you describe the mission of the Cyber Threat Intelligence Integration Center (CTIIC)?
Madsen: We were founded in 2015, almost a decade ago, based on lessons learned from the North Korean hack of Sony Motion Pictures. And so we bring together a couple of different functions. Regarding policy support, we think about integrating the Intelligence Community’s (IC) equities and interests in support of the White House policy process. We also think about strategy and investment for the cyber enterprise within the IC, but we also have an analytic function, and we think about ways to integrate the IC’s analysis so that it is tailored to the needs of the policy community that we support. And then one other thing we do, our newest function, is our strategic cyber partnerships office, which thinks about ways to partner with the private sector to the benefit of the cyber mission.
The Cipher Brief: Out of the array of current national security threats, what single one concerns you the most?
Madsen: We are dealing with a very complex threat environment. The one thing that I've seen in the presentations [at the Cipher Brief Threat Conference] is that the threats are intertwined in many different ways. So what happens in Ukraine has consequences globally. And we've seen some of the implications and potentialities of the strategic competition with China.
But one thing that strikes me is that cyber is increasingly an element of all of these aspects of the geopolitical competition, because cyber has increasingly become a means of national power that our adversaries are using, oftentimes below the threshold of armed conflict.
The Cipher Brief: Regarding partnerships between the private and public sectors, it seems that while the government has the ability to collect a lot of sensitive information, it is the public sector that owns much of the infrastructure that is actually threatened. How do you bridge restrictions on disseminating classified information to a sector that may not be equipped to receive and properly handle it?
Madsen: You've described the situation quite well, because it is the private sector, the critical infrastructure owners and operators, who are at the front line of the threat, whether the sector is being attacked by ransomware or by a cyberattack from actors like the PRC [People’s Republic of China]. One of the key things is that we each have a piece of the puzzle – the Intelligence Community that looks overseas, the law enforcement community that looks both overseas and domestically, our cyber defenders, such as the Cybersecurity and Infrastructure Security Agency (CISA), that do cyber remediation, and then the private sector.
One of the challenges is finding opportunities for how we can combine at the speed and scale of the threat the respective views of the threat actors and what they're doing, to reach a holistic understanding.
In terms of the public-private collaboration, one of the things that we need to think about is common thresholds for action, where we both care about the threat and we know we can come together to share that information. There are challenges for the IC to consider: How do we more rapidly share information at lower classification levels, or find alternate ways to share the insights we have, maybe from commercial cyber data?
I would also emphasize that information flow from the private sector – the owners and operators that are looking at their networks or the cybersecurity firms that have vast troves of telemetry data – that's also important to us. How do we think about the bi-directional information sharing and how do we figure out how to do that together as partners?
The Cipher Brief: You mentioned earlier in the conference a particular threat actor, the “Cyber Army of Russia Reborn.” Does that name suggest this threat actor had a prior existence?
Madsen: They may have. I've focused on them over the past year because they have represented an inflection in the threat landscape. CARR is the shorthand for the group. They are pro-Russian and what they've learned to do is take relatively low-sophistication cyber techniques and have impacts on physical processes and critical infrastructure. Think the water sector, think the agriculture sector.
Fortunately, nobody's been injured and public health has not been at risk, but you can imagine that prospect, as they're manipulating some of the vulnerable devices. I think one of the key takeaways from this is for critical infrastructure owners and operators to recognize that they are a potential target for actors like this, as they opportunistically scan the internet for easy-to-exploit cyber hygiene flaws. It's important to think about and pay attention to those basics of patching, passwords, configuration.
The Cipher Brief: Are there any indications that CARR cooperates or is in any way aligned with other attacks on the water sector, especially from China or Iran?
Madsen: That's one thing we're looking at – how do they act, and who are their partners that they act with. But I think one thing that's interesting is that this is a new technique or tactic that they've used that we may see other actors replicate, much as hacktivists and other groups do. You'll see one hacktivist group do something and then you'll see others basically using copycat techniques because it's a way of giving visibility to whatever particular cause they're trying to promote.
The Cipher Brief: Is there any discernible link between CARR and Russian intelligence?
Madsen: That's an important question as well. At a minimum, one of the challenges that you have with Russia, which is a factor that is at play with groups like CARR but also with the ransomware actors, is that it's a country that provides a safe haven for these actors to operate. Whether or not they have explicit command and control or direction of the activity, that safe haven is an important factor where they don't need to be as worried about conducting activities and having the attention then of Russian security services.
The Cipher Brief: Finally, what are your thoughts on how best to communicate the scale, scope, and importance of national security threats to the American public, one of the key themes of this conference?
Madsen: Some of the things we've tried to do at CTIIC are to look at how to disseminate information at the unclassified level and analysis at the unclassified level — having recently published trends in ransomware activity or graphics that look at some of the recent activities by groups like CARR, where they used cyber to cause physical effects. Across the broader U.S. government, there's clearly attention to this.
One of the success stories of recent years is the cybersecurity advisories that have come out, as we've seen actors like Volt Typhoon targeting our critical infrastructure, where CISA, elements of the IC, industry, and foreign partners come together to tell a story and advise how to remediate this activity. I would note that there are other elements of government that also do a great job publishing the basics of cyber hygiene and cybersecurity, and there are plenty of free government resources out there for critical infrastructure owners and operators. But I think it is an important thing that we need to talk about with the American public.