Intellectual-Property Assets Are Getting More Valuable
As a foreign intelligence agency were responsible for understanding a broad range of threats. Presented by governments to the United States, one of those threats include our cyber threats how nations may be using cyber to achieve their national objectives that might be intellectual property theft for example, to counter department offensively valid by accelerating foreign governments ability to actually productized particular RDA for weapon that may be targetting critical infrastructure of a country. As part of threatening that country or as part of putting pressure on a given country. How are we doing against the cyber threats are we? Barely keeping up, are we catching up? Are we getting ahead of the game or? Is it always going to be hard for the defender. Overall technology is getting more secure. Technologies Belt more securely today. So. The fundamental resilience is is improving known. You have open source products. We have lots of is looking at a given technology and helping find vulnerabilities and address them. That being said for an ever-more connected economy in ever more connected society, and as we build more connections, sometimes systems that were not necessarily built for those kinds of connections we bring and introduce new risks on the third poll the positive side there's far more awareness about those risks and how to approach addressing them identifying what are the most important assets to protect. Seems to be an effort on the part of NSA to kind of open up a blackbox and Kinda shut the reputation no such agency we want to be trusted to achieve or we believe we can uniquely contribute to team USA on either the first step. Is conveying who we are conveying the culture. That's here the commitment to American values. Certainly. When a part of our mission is an intelligence mission in a democracy, you have an obligation to ensure that the Americans. We serve feel they understand the values by which we live. And neuberger is the current director of the national security. Agency's Cybersecurity Directorate. She has held a variety of jobs in both the public and private sectors. We just sat down with an to talk about her career, her and her director. It's multiple responsibilities and how she sees a cyber threats facing our country. I'm Michael Morale and this is intelligence matters. So an welcomed to intelligence matters, it is great to have you on the show. It's great to be here. So I think the place to start and is with your career before you joined the national security. Agency. You had a career in the private sector. Can you tell us about that and tell us what you did in the private sector and then what drew you into government, service. Sure. So I was in running technology at a at a financial services company during that time period when financial services companies really moved off mainframe environments to the Web. Decline server technology. So that piece of both taking an operations and emission and its associated technology and people and culture really Shaked shaped the way I approach a lot of those problems today. And I was raised in in a family where my dad came as a refugee all my grandparents came as refugees to the US and they just. Constantly instilled in US how grateful we should be for the opportunity to be born in America and raised in America, with its freedoms with its ability to pursue one's dreams and and that we owed it for that and. I was driving home from from work in. In two, thousand six, we just done a large acquisition of. Companies of banks, custodian operations. And on the radio, they were talking about the bombing of mosque. Samara Moscow in smaller rock and just the. Soldiers dying civilians dying and the troubles there and I I still don't know why but I thought of my dad and. That's myself. Perhaps now's the time to repay a little bit of of that in some way and. I've been a graduate student at Columbia had a I had a professor tell me about the White House fellows program and encouraged me to apply and I kind of I have to admit was a bit of the New Yorker Countless New York ever. kind of put that aside and for whatever reason I just felt that calling at that moment called him and said I'll apply and fast forward I was assigned to the Pentagon. With zero military background. And you learned a lot about the culture very drawn to that shared commitment and spent a year in the Pentagon worked for the navy and then came to NSA. Couple years later. What did they doing at the Pentagon and the Navy? So I was the deputy chief management officer, the Navy essentially, the Navy had a number of broad enterprise wide technology efforts which they were working again, bring that you people mission. Technology Triangle. And they asked me to help work on a couple of working directly for the secretary of the Navy figure out why a of them were struggling and then help them get on track. So I worked on that and I often get asked by people. How did YOU END UP AT NSA? A pretty funny story in that I had a seventy six year old and I was commuting from Baltimore and the. The work life balance was a bit tough and I met somebody and he asked me about. How he was doing and I commented that I really love the work but it was a little hard for me to do the juggle. And he said, you know I happen to know that NSA standing up you director NSA standing up cyber command and I know they need people with your kind of of background. So how about if I make a phone call there? And I went for an interview commute was thirty minutes and it sounds so foolish but. That was pretty much what it took. Interesting interesting. So the private sector and then the Department of Defence which is as you know this huge enterprise and then NSA and this is a this is not an easy question I know about kind of the similarities and differences of those three different experiences. It all begins with people. In every organization missions have to adapt and change They adopted change in the private sector because perhaps you have a competitor, perhaps the customer spaces adapted. Certainly financial services saw that we're the scale of data was just increasing the scale of trains was increasing and the traditional manual processes couldn't keep up. So we automation with needed to reduce errors and help us keep on track with we're trading was going. Technology could deliver on that, but the the business of the organization had to change to fully take advantage of the technology and the way people did that mission and use technology had to change along the way. So I think in each of those organizations that taught me that for that, that triangle has to be kind of guided together to get to an outcome mission technology and people if you really want to be able to fully. Whether it's take advantage of a market or stay ahead of an adversary in our own mission here in the ICU dod that triangle has to work together and you have to communicate every those three planes together when talking about why the changes needed. So an in your tenure at NSA, you've served as its first chief risk officer. The assistant deputy director of operations, the head of the Russia's small group, and now the head of the Cybersecurity Directorate. Can you take us through your trajectory there how did your responsibilities differ from roll to roll? Absolutely, and so I came into an Santa's small team part of a small team that was standing up cyber command, the chief risk officer role was. was created after the media leaks period of two, thousand, thirteen where we learned that. Really appreciating risk mount looking at in a holistic way across partnership risk operational. Risks Technology risks. We learned that we needed to adapt the way we looked at risk and then change according to that. So I think in each of those roles. Either, the adversary was changing around us a threat was changing around us. We. Wanted to take advantage fully of an opportunity and I was responsible for taking the big picture strategic goals, translating those two measurable outcomes and objectives and helping you know contribute, communicate the why and then bringing the team of people along to get their each other's efforts was a bit different. But you know. We talked about the risk of doing the risk of not doing weighing that appropriately we talked about the insuring that as we approached new missions policy and technology move together, and certainly when we looked at the elections work in two, thousand, eighteen, the Russia's small group work we saw we're adversaries of have used influence operation since the time of Adam and Eve perhaps would have changed was again the ability to use social media to both focus and directed to have larger impact. So focusing on the Russia's small group for just a second and what was that what was the what was the mission and what were your responsibilities with regard to the two thousand eighteen election's to the extent that you can talk about that. Absolutely. So the mission was ensuring the integrity of the two thousand eighteen midterm elections ensuring that we I understood the threat second that we appropriately tipped all the information we had about the threat to key partners across the US government. Certainly, FBI from a counter infants perspective digest from Cybersecurity of elections, infrastructure perspective, and they finally that we would support Cyber Command. If if authorized to impose costs, it's were attempts to disrupt. Disrupt the election. So. After the two thousand eighteen election's president trump publicly confirmed that cyber command played a role in deterring the Russians in two thousand eighteen are they're important lessons from what happened in two thousand eighteen about how we as a country can defend ourselves against this this insidious threat. Yes. So you know across the government, we look at two key polls. Integrity one is attempts to malignly influence population whether that is to highlight social discord to highlight issues that divide the population or to. Hand up sheer inappropriate. You know share information as part of shaping individuals ideas, and then the second is potentially interfering hacking into elections infrastructure as part of efforts to change the vote and I think the first pieces, the value of resiliency. The sense that you know once trust is lost, it's very hard to regain. So the knowledge for the American public that there are hundreds of people across the US government committed to and working to ensure the integrity of our elections. When it comes to counter influence though the biggest resilience as each of us. As Americans when we're reading something asking who might be trying to influence me what is the source of that information I fully confident in that source of that information. And then finally the role of the role of technology and the role of Public Private Partnership. In as part of elections integrity. So for us in the intelligence community were constantly watching for which adversaries maybe seeking to to shape a populations thinking to shape an election and then rapidly tipping that to partners or. To the private sector to ensure that they're both aware of techniques and our countering them on their platforms. So we've since learned shocked last week the updates from deny that the Russians continue to engage in election interference, the Chinese, the Iranians, and the punchline of all that for me is it's really hard to deter. Foreign interference right and I'm wondering if it's something special about foreign interference or if it's more about cyber at the end of the day and the difficulty of seeing cyber attributing it if you see it, how do you think about that question absolutely I think it is more about cyber than about elections from a cyber perspective when we look at fully both protecting cyber infrastructure and then to your second point about attribution, there's complexity laying what we call the red on top of the we may see threats. That are talked about strategic perspective and then we partners across the US government a looking to see where does that present itself? Where are the given vulnerabilities in a given infrastructure? The powers when you can lay the two together and say, here is a nation state that has intent to interfere in whatever that is an election critical infrastructure. I Pete Best and then translate that to the tactical level to say that network scanning or that vulnerability in hardware or software may well be used to achieve the objective putting that in place, and then most importantly preventing it because at the end of the day riding report about a victim and notifying the victim is far less satisfying than being able to put that together and prevent the adversary cheating their objective. So we've already started to shift now into your new role, right which was relaunched in October I believe. So be great if you could, and if you could explain for our listeners I, what NASA's two main missions are. Again and then cybersecurity and the difference between them just to give folks here level set absolutely. So Ns as a foreign intelligence agency were responsible for understanding a broad range of threats. Presented by governments to the United States, one of those threats include our cyber threats how nations may be using cyber to achieve their national objectives as that might be intellectual property theft for example, to counter the department defensively Thallady by accelerating foreign governments ability to to actually productized particular rnd for weapon that may be targetting critical infrastructure of a country. As part of threatening that country or as part of putting pressure on a given country. So that is the threat information on the second side. And say has cybersecurity mission. We're celestial known We build the keys codes and cryptography that's used to protect all of US government's most sensitive communications thinking nuclear command control weapon systems, the president's communications with allies, and we provide technical advice to mitigate those same threats that I talked about. So the really the he integration of the two missions where we think the magic is where we can say here's what we think adversaries are seeking to do, and here's how from a cybersecurity perspective we recommend you protect against. So so what motivated and the relaunch of the directorate and has its mission changed at all really good question. So we recognize that we were at a crossroads with national security as both technology and society ships were happening. We saw only kinds of technology that people want to from small satellites to Internet of things and each of those presents huge advancements. But they also present cybersecurity risk. Along with that, we saw various nation surtees. New Technologies think North Korean crypto currencies to get around sanctions to achieve their own objectives and we said we really need to up our game to more quickly be understanding those threats and ensuring that. We could both provide advice to build new technologies as early as possible, but also to counter adversaries use of those same technologies to achieve their national security. We're GONNA take a quick break to hear from our sponsor. Dumb. We'll be right back with more discussion with an neuberger. At Lockheed Martin, we're on a mission. Your mission. Not just the next mission but the one that's two steps ahead. That's why we've not only taken the lead in hyper sonics, but we're helping you integrate technology faster than. It's why we're not only developing the laser weapons systems you'll need but deploying them in the field. Our mission is to build the integrated solutions you can depend on because the world is depending on you. So and what are the what are the primary areas of Focus for your directorate? What kind of people work there? What's their skill set and what kind of customers do you serve? Questions. So the first parties. Operationalizing Intelligence. How do we ensure that from the intelligence that we see we took anything that's unique. And timely quickly so that we can prevent the victim. So that's the first, the first piece of of work, our areas of focus are. Both understanding that giving guidance encryption, we believe encryption. A key protection particularly in telecommunications environment that in many cases is entrusted. So both in building the government's special encryption, modernizing that as well as providing advice and insights on how to best use. Encryption the text of people who work cure are like we see him any organizations abroad gamut we have intelligence analyst. We have country-specific experts have a broad swath of technical experts, encryption network technologies, hardware, and software vulnerability analysts as well but the power is weird that can be integrated where you can say. How do you build on route of trust all the way through to an end point? Had you properly defend network and take a step back and do risk analysis to say? We are the gaps in your resilience and we're should your next dollar investment to closest gaps Right, and then what about customers is your is, is it just the Department of Defense? Is that the US government is even broader than that? How do you think about who it is you're working for? Yup Great Question. So there's a specific set work we do for what we call national security systems systems carrying classified information national security information the director. Vanessa is also the national manager for National Security Systems, that's the authority under which as I mentioned, we have we build the keys codes and cryptography responsible for distributing threat information as well. So those are across the US government with a particular focus on duty. Weapons Systems. And Related Systems. A second set of key partners and customers are dhs I. D. H., S. and its role supporting critical infrastructure. And, the sector specific agencies, and like I said the the real magic of understanding the critical infrastructure, we're it's key gaps and vulnerabilities are and being able to marry that up with what a foreign government may be intending to do and providing focused insight. Across the US government, there is broad use of commercial technologies, particularly duty and and national security system. So you may have seen when we're issuing advisories were also issuing advice on how to secure and configure those commercial technologies well because we see that. Those are used all across. Sensitive, systems as well. Your director has issued I think a dozen or so. Advisories about cybersecurity threats. Can you talk about why you guys do that? What the criteria is for quitting one of those out and then how do you think about the impact they have? Do You keep metrics on that? How do you think about? Advisories absolutely. So. Our advisories other way we really do them for three reasons. One is if we see a nation state actor using a particular vulnerability against the system care about we find that it really drives urgency of action people run faster when they're pursued, and if we can say, this nation state actor is using this vulnerability. Here's the mitigation advice to protect yourself against that we see impact and I'll talk about that how we measure that impact at the end. The second thing is there's a deep expertise here because we build and we break encryption. So encryption related technologies like the peons like you. You may recall the windows ten cryptographic vulnerability in January. Those are areas we focus on because we know those are sometimes hard to understand technically hard to implement. So if we can give very practical advice, them will issue those as well to help that be put in place, and then the third would be where there's a timely need and we're getting a lot of questions and we feel that putting out a product helps guide people and thinking about how to think about security I'll give an example. As. As covid. Pressed a lot of organizations across the US government particularly duty as well to move to telework. We started getting a lot of questions about secure collaboration. which commercial tools were safe to us and our goal was teaching people how to evaluate what safe to us. So we issued a product we're laid out the different attributes like. Code is available for review its end to end Krypton and a few other such attributes, and then we rated different secure collaboration publicly available tools against them and the cool part was we had companies call and say, well, you didn't get something quite right or can we be included as well and we said absolutely, we issued a second version and then we have another one coming out next week because our goal was making it as useful as possible and also helping teach people. How to assess. Different. Products for security. You ask the question about how we measure impact. So there's three different measures we've been using. The first is, do we see patch rates go up? They'll do we see for vulnerabilities that we've talked about here is a foreign actor might be using a boehner ability to achieve an objective. Can we watch those patriots go up and it was really cool to see. And a number of cases we've we've watched that increase. The second piece is there is a very capable and active cybersecurity industry has the information shared enable them to better protect. Sensitive US government national security systems networks, and you know in the case of the Xm vulnerability that we issued, we're advisory where we talked about the particular unit of Russian intelligence using the XML male vulnerability. It was really great to see five different cyber-security entities using that to identify other. Russian intelligence infrastructure and then take that down. So that was success for us that we made it harder for that adversary to achieve its objectives, and then the third one is really the feedback on the number of downloads and the feedback from administrators saying this was useful. This was unique timely and actionable could act on it, and then in May you guys took what I thought was an unprecedented step of actually openly attributing the exploitation of vulnerability to the Russian, Gru. and. That seemed to rare to me and I'm wondering why you decided to actually name Russia in this instance. So I it is rare because as you noted earlier, implicitly attributions hard. You may have seen a prior product where we highlighted one st state using another country's. Infrastructure to achieve its objective and then highlight he just hard attribution is. So when it's done, it needs to be done with precision to be confident. In that and we chose to do it because. We see that it makes targeted network owners more quickly patch and secure and build the resilience of their systems network administrators have way more vulnerabilities to address than they have time for or frankly money for and way more alerts than they can act on. So we can say this particular vulnerability is being used by a nation State Intelligence Service. We see them we see network administrators moving quickly and addressing it, and that's a fundamental goal. Fundamental goal is improving cybersecurity. If you kind of step back and look at look at the big picture here, you know, maybe from a thirty five thousand foot level how are we doing? The cyber threats are we barely keeping up? Are we catching up? Are we getting ahead of the game or? Is it always going to be hard for the defender. In this game in because the guy on the offense can always come up come up with something new how you think about sort of where we are in the history of of the threat of cyber and defense against it. I think we points overall technology is getting more secure. Technologies built more securely today. So the fundamental resilience is is improving you know when you have open source products, we have lots of is looking at a given technology and helping find vulnerabilities and address them. That being said were an ever more connected economy in an ever-more connected society, and as we build more connections, sometimes two systems that were not necessarily built for those kinds of connections. Data Systems. In that way, we bring and introduce new risks. On the third poll on the positive side, there's far more awareness about those risks and how to approach addressing them identifying what are the most important assets to protect and ensuring good practices are in place and it's far easier than ever to put that in place. So I think it's a mixed story on the one hand more more technologies built more securely, and there are communities of individuals working together to ensure their secure on the other hand far more. Technology some of which. Is connected in ways that bring risk in ways that we always have to and I guess the third part, which is where we started adversary seeking to take advantage of those risks to achieve their objectives. So. If you if you were standing in front of a large multinationals board of directors in you're talking to them about cybersecurity. What's the one or two things that you would absolutely want them to take away from from your conversation? What is the tangible thing you most want to protect and what's the intangible thank you most want to protect. So if you're drug company, what is the intellectual property that's going to be your next potentially big drug big driver of economic growth, big driver of healing, and then second what's the biggest intangible? Thank perhaps, that's your reputation. The way you treat your employees, the price, the prices that you charge and what you're, what you're. How much you mark that up. Make sure that you're protecting both carefully make your your cyber security commensurate with with the risk presented to you if you lose either one. And you mentioned you mentioned Skater Systems and I'm not sure that all my listeners know what those are just explain that and then is there something? Is there something special about protecting data system from protecting? Normal network absolutely. So Skater Systems are essentially control systems for the core areas of infrastructure in a given country in a given company. So think power systems clean water drug manufacturing. and. Those are. Those are often complex system. So what's unique about them is you know those systems over the years were often built four reliability in the event of a bad storm that power system would come back online with confidence as. More technologies got connected. So for example, the ability to measure. Use of power the ability to measure confidence in in water and chemical level. Some of those systems got connected to network systems that provide a way to access them. One of the joint products we recently issued between Ns. WAS An ICS product because there had been some public articles about. a given attack against skater systems in the Middle East, and we wanted to ensure that we together with. One of our closest partners was providing technical advice to. Skate entities in the US based on what we were learning about those attacks. So interest, a couple more questions you've been terrific with your time. Seems to be an effort on the part of an essay to kind of open up the black box and showed the reputation no such agency right. Your conversation with me thinking example of that why is that a priority for for the agency and for General Nakasone? I in the cybersecurity mission fundamentally if we're not trusted we can't achieve our intact. People take advice from those they trust and the power of. Across the US Government Team USA work cyber. There each organization plays its position within that role. You Know My counterpart at Digest Chris Crabs often talks about them being the national risk managers. At an essay, we believe what we can bring uniquely is that integration of intelligence series of seeking to do what their capabilities are, what their infrastructure looks like and how to defend against cyber security advice to counter that, and that's always continuing because technologies change adversaries, goals change, and the resilient always has to be increased to meet that. So we want to be trusted to achieve what we believe. We can uniquely contribute to team USA on cyber. The first step to doing that is conveying, we are conveying the culture that's here the commitment to American values, and certainly WanNa part of our mission is an intelligence mission. In a in a democracy, we have an obligation to ensure that the Americans we serve. Feel they understand the values which we live. So your your former colleague and my really good friend Glenn Gerstl road. Op Ed about a year ago about what he saw the. Profound implications of the Digital Revolution on national security, and he raised a lot of concerns and among those was the sheer pace and scale and volume of technological change and. And data that's GONNA force intelligence agencies including NSA to fundamentally change how they do business I was GonNa say thinking big picture about those kinds of challenges. What are you trying to tackle I? Would've the adjustments look like, how do you? How do you think about the challenge that Glenn laid out? Absolutely, so I from the perspective of large amounts of data and ensuring, we can make sense of them. Ensuring that we can do big data analysis to help. Triage the information we identify and determine what are people are big assets put their time on to determine he's and how to act on them. So for example. We we're looking at machine learning to classify malware and we're certainly looking at. Machine learning potentially to help us identify vulnerabilities scale particularly when we look at systems that represent thirty years of technology like muffins systems, how do you secure a weapon system? That's been out there and represent each phase of technology and have confidence in its resilience and in command and control. And then finally. We have an obligation to both bring those technologies to be on our mission and understand how adversaries might use that and manage that accordingly. So for example, as we think about artificial intelligence and the potential to automatically. Direct weapon. In the United States we have strong values around how we would think about automation versus human control. In other countries around the world, there might be different ways that those kinds of decisions are approached. So how do we ensure that we both? Bring that integration of. Compliance and technology to the way we pursue it but also be aware of those gaps and keep an eye on the risks of those gaps. And you mentioned you mentioned people and you mentioned people a couple of times and and just took two questions about that. One is given the competition that you face with all of these cyber security firms and. Your folks must be very attractive to them, and their skills are quite valuable in their private sector. How how difficult is it for you to recruit and retain talent? Really thoughtful question because you asked two questions in their recruit entertained. So. From the recruit side, we get really great people. On the routine side. We have a really compelling mission. and. What brings keeps people. Here is the sense that they're contributing to something bigger than themselves. That is challenging fulfilling. It's on us as organizational leaders to ensure that each person has that opportunity to contribute what they can uniquely bring chew to that mission. And one of the one of the cool aspects of the Cybersecurity standup has been people who have left to call in and say, Hey, I'd like to come back I learned a lot. In the private sector, the missions, calling me and like to contribute again, and we've hired a number of them back and continuing to increase that and part of the message we have when people if people do decide to leave is to say that is great. You will continue to contribute to the nation's security. You'll learn a lot in the five at sector, and if you ever want to come back the doors open. What do you? What do you want the American people to know about the women and men who work for you. That, they're committed to the values. That this country was established for. That there are significant threats to the United States, our allies and to those values, and that not always can we talk about those threats because? By impact sometimes intelligence community, even the security mission has to operate in those shad in the show does so. Trust our values, trust that we are proud Americans. We swear an oath to the Constitution of the United States, and if you do question it or if you want to learn more roll up your sleeves and come into the for a few years and get to know what yourself because each person has unique abilities and a unique ability to contribute to their to their country in whatever way they choose whether that's government are in the private sector. But if you ever doubt it come on in and work here and and raise your voice and be a part of it. It sort of takes you back to what your parents taught you to. It really does it my dad grew up in in communist Hungary and In the beginning when I came into government, he would call me on the phone sometimes and switched to a foreign language and. I realized that for him growing up in another country. Is that complete trust of government that I American born? You know have that doesn't mean it's trust and verify it's from verify but there are things that I take for granted growing up in this society that I don't know if he ever will. So being able to look at things through his eyes and through mind make me realize how fortunate we are to be here and how much we have obligation to. To ensure it stays that way. And thank you so much for joining us and thank you for your service. Thank you so much for your time.