Skip to main content

tv   Intelligence National Security Forum Discussion on Cybersecurity  CSPAN  September 30, 2019 4:16pm-5:26pm EDT

4:16 pm
communicators" marsh blackburn on china's huawei company in the u.s., anti-trust issues, and regulating big tech. >> some of these social media platforms that are beginning to deliberate news and have a news feed, individuals want the see them actually have a news director. >> tonight at 8:00 eastern on c-span2. we continue our look at challenges facing the u.s. intelligence community. this discussion focused on cyber security threats and how prepared the u.s. is going into the 2020 elections. the armed forces communications and electronics association and the intelligence and national security alliance are hosts of this summit. [ applause ] >> well, thank you.
4:17 pm
thank you all for coming here. we are acutely aware that we are the first session after you have come back from lunch. we will try to keep you awake and lively as well as we can. we have a terrific group for this discussion today. to my leimmediate left your rig isnd comaer steven fogerty of the united states army cyber command. rick howard, old friend, key security officer at palo alto networks. jeannette mantra, the assistant director for cyber security at the department of homeland security and of course is its still relatively new agency sissa. and tanya ugoretz the deputy direct for cyber at the fbi. this should be a great discussion. tonya, let me start with you and ask you to just describe, if you
4:18 pm
can, the rfbi's role in cyber space and the threat environment, how you think it has changed over the past year. >> sure, thank you, david, and thank you to insa for hosting us today. as we at the fbi look at the threat environment from a macro level it is not necessarily the best news story in the world. but it is certainly complex. we are looking at an environment where there is no shortage of vulnerabilities and opportunities for malicious actors to exploit those vulnerabilities. we see that landscape only growing in complexity as we consider the number of devices that are going to become connected, in the billions over the next few years, many of which don't have security built in. we live in a world where we see nation state actors conduct wholesale theft of permanently identifiable information targeting not just our
4:19 pm
government networks but our citizens as well as health care information and intellectual property. then we have a growing universe of actors who are growing in their capability, a proliferation of tools that are available for them to use. and at the fbi we look at both the national security and the criminal space. so we increasingly see crime and cyber crime as an economy, crime is a service. the growth of organizations and individuals who are marketing different elements that are necessary to conduct cyber crime at scale that only kind of embolden and enable more actors. and apart from this, you have the complexity that apart from federal networks much of what we care about is in the u.s. is in private hands. whether that's critical
4:20 pm
infrastructure or also as we see for example, with ransom wear targeting of other potential victims such as municipalities, et cetera. and then the wild card in all of this is adversary intentions which is where we rely on the intelligence community to help us prioritize and make sense of this complex space, who is it that we really need to worry about, who is most intent and most capable of causing the most harm to us? so that's the big picture for us. so as i mentioned, that's a complex picture. and we feel that often, especially in government, but throughout our society, we reflexively look for a simple answer, even to address as complex a system and problem as i just described. but how we see it at the fbi is that it is only through a woven
4:21 pm
fabric of the authorities and capabilities of all the entities i just mentioned, whether it's u.s. government, foreign partners, the private sector, who have to come together with their authorities and capabilities in an agile way to be able to counter that environment. so that's a long-winded wind up to where do i see the fbi in that? we see it squarely in the middle. i won't speak for other agencies but i will say generally we look to partners like siza who are in the lead in assessing risks to our networks and helping to support through mitigation and defense. we look to our right and we see our partners in the intelligence community and d.o.d. who are taking the fight to our adversaries overseas both seen and unseen. then we see the fbi in the
4:22 pm
middle enabling the activities of the whole range of partners plus the private sector are our unique authorities and presence. and briefly, that comes from a long history, 100-plus years now that we are building on in cyber of having presence in our communities throughout the countries and global where we are engaging in our communities before something happens so that we are ready after something happens to engage victims with the response that they need to conduct investigations and operations focused on two things, attribution, finding out who is responsible, and accountability, whether that's through our own tools in the criminal justice system or providing those nuggets of attribution to other partners who can use their tools to hold our adversaries accountable. >> tonya, we will came a little bit later on to the ransom wear issue which you just alluded to.
4:23 pm
one question coming out of your scene setting there. of the four big state actors we often talk about, china, russia, iran, and north korea, are you seeing a significant difference in the level of activity among those four over the past year or so where we have had a -- obvious low geopolitically a changing environment with all of them? >> i always hesitate to rank because i think it is a pretty fluid situations and different adversaries are focused on -- >> different things. >> -- different things and have different capabilities as well. for example, i think we continue to see china quite active in terms of economic he is espnage which our director has been very forthright in speaking about alongside other agencies. russia certainly continues its malicious cyber activity. and it's no surprise that there
4:24 pm
has been a fair amount of attention to the potential for geopolitical tensions in the middle east, particularly with iran to perhaps manifest themselves in the cyber arena. >> are you seeing any evidence that the rnaians are doing that right now? >> i don't want the speak to particulars. >> jeannette, you heard from tonya where the fbi sits in this. my guess is that siza, which is just about a-year-old now, right, is probably a little less well-known in their role just because it is a newly created agency. tell us a little bit about that. and also tell us how your responsibilities differ from the fib's. >> sure. i think tonya set things up very nicely. in where we sit is there is a lot of people in the government
4:25 pm
and in the private sector increasingly that are very focused on how do we understand the threat? and for us, we believe that threat is just one component of what we need to understand. and you talked a bit about geopolitical dynamics. oftentimes i think we have cyber conversations in a bit of a silo and not thinking about the broader geopolitical dynamics which has been that over the last few decades we've created technologies and ecosystems that have allowed the united states to be at -- at least potential to be held at risk in the homeland. oftentimes that manifests itself through cyber means. not completely. and so my organization, while siza, the cyber security, infrastructure agency was created last year by legislation last november is nearly
4:26 pm
a-year-old, we do have a legacy going all the way back to the founding of the department with many authorities that were given actually dealing with the counter-terrorism issue. and in thinking about what happened with 9/11 and that there wasn't anybody -- and this also picks up on tonya's point about the coordination, is there -- we didn't have somebody who was focused on engaging with the private sector exclusively. not in law enforcement. not intelligence, not from a defense perspective, but somebody who could think about risk, bring government partners together, not be the one to execute, because as tonya mentioned everyone has a lot [ no audio ] but being the one who is bringing everyone together letting the intelligence community understand what would be useful for the private sector to take actions and being in a position to be able to alert and warn when we do learn thing. there was a lot of lessons learned from counter-terrorism. and about two years ago now we
4:27 pm
have started to think about well, how has cyber, and frankly, even the terrorism, bass we actually have physical security responsibility as welt. how has that dynamic and the threats to the homeland really changed? what we realized is that woe ourselves were missing the bigger picture a little bit by focusing on what are we doing for the financial sector? what is i.t. doing? what is coms doing? and really adversary what is they want to do is hold functions of our society at risk. and we learned this through elections. we've learned this through energy engagements, is it's not -- and the interconnectedness of course makes it sometimes easier. so if they want to have a situation where we have a loss of public confidence in our financial markets, there is ways
4:28 pm
that you can affect that outcome potentially. if they want to take out our ability to generate electricity there is ways that you know you can contemplate going about that. but it can't be just a conversation with the utility owners or the global capital market banks. you have to have the service providers in the conversation. you have to have the broader internet ecosystem owners and operators in the conversation. so we have switched to a functional approach. and we released our national critical functions the first time we have ever done this, in april, i believe, it was. and what we are looking there -- that's the foundation of what we believe we are, is understanding what is the risk to the country, help inform the threat with information that we are able to gather, help drive and ask questions of those who collect on the threat to better understand the risk, but also to understand vulnerabilities, and
4:29 pm
really importantly understand the consequence. if you have a very capable actor who has an intent and there is a vulnerability and the consequence isn't a big deal then we have a way to mitigate this. if you have a very significant consequence but nobody is looking the see if there is any actor who can actually affect that consequence then we should probably be pivoting resources to be looking at that as a potential. it is forcing not just us but all of government to think very, very differently, whether this the intelligence community or those of us here on the stage about the role of government and the private sector and the federal government and state and locals, the u.s., and our partners and having much more open conversations about what do we know? what do you know? and how do we share that information and not just hear some i.o.c.s good luck. it is really getting into much more contextual conversations is i think we think that russia might be doing this. actually i don't know if it is
4:30 pm
russia, but we think that somebody is trying to do this here to your systems. are you in the private sector willing to share what could be happening there back with us, back with nsa, fbi, d.o.d., all the different components coming together. that's where we see that we are sitting. we are not going the ones who are going to have every single tool to solve all of these problems but we are positions to be that risk advisor, to understand how is the homeland at risk and what can we do about it? what are the levers that we can pull? who has those levers? and how did we take actions? that's why we are focused. the national critical functions are the core of what is going the drive us and prioritize. we have had success in all of government in thinking differently about the u.s. as a target. how do we orient ourselves to drive down that risk. >> i am glad you mentioned that. and when you said before that
4:31 pm
it's different than just handing people the i.o.c.s, the indications of compromise and say good luck, there was a bit of that going on for a number of years. and usually companies would say to me when they got those warnings which either came out of dhs or fbi, they would say this is great, we saw this four months ago and dealt with it. which takes me to rick, because one of the big changes, it strikes me has been the creation of the cyber threat alliance so that this sharing is much more of a two-way thing. you are going to see things that jeannette or tonya may not see first. or you will see them from a different angle. so tell us a little bit about how that works and a little bit about how it has got to speed up. it is still a pretty manual
4:32 pm
process. >> before i answer that question let me plug your book. before i read david's book if you would asked me what is the book i would want you to read i would have said skifrd stole's cuckoo's egg book? still read that book. after i read david's book, it's david's book, "perfect weapon" we know most of the things he talks about this there but we don't understand it until you read his back. the takeaway i have from it is we have been in a continuous low level cyber conflict since 2010 and we are just now starting to get our hands around it. >> i did not pay rick for any of this. >> i didn't know we were supposed to suck up to the moderator. >> i also want to plug him. >> i will give you a cut of the check. from the commercial perspective, david is right. the thing that the commercial world has realized is that the
4:33 pm
adversaries have automated their attacks and most of us in the commercial space and the government space we are trying to deal with that manually. if you have an information sharing program you are sending it around in spreadsheets and in email. if your organization has the time to even consume those things you may get around to it in weeks to months to never. what we decided to do in the cyber security vendor community is automate the threat of information sharing between security vendors. here's the reason. every security vendor out there worth anything is a giant intelligence collection engine. palo alto network says 70,000 customers all with ten to 200 devices deployed on their networks. we can deliver controls automatically to those devices because they are our customers. unit 42, how many people have heard of unit 4? marketing ducked for us. totally free intelligence if you
4:34 pm
want it. but when they discover something new we can convert that into multiple prevention controls for our product set and deliver it to 70,000 customers in five minutes. five minutes amazing capability. all of the members of the cyber -- lines, 26 in there, at the all have similar capabilities. ours is better. that's the best joke i have. if you guys are not laughing now this is going to be a long panel. they all have similar capabilities. what is not happening from the government side is trusting that system so they can -- if we got information from lots of governments around the world, say we saw this thing and it is very damaging. if you just got it into the cyber threat alliance we could get prevention controls and protect almost everybody on the planet very quickly. we have the fix that going
4:35 pm
forward. >> we will let you guys defend yourselves in just a minute. >> i understand the reasons why we can't. but --? we will get to that in a second. general fogerty, of course before you were in your current role and you succeeded general knack sanny who we will be hearing from later this afternoon, check czech you were at cyber command as well. so you come at this from a bit of a different perspective. and the phrase we have heard since your concept of operations changed just as admiral rogers was leaving office was persistent engagement which is perceived by most people as being largely overseas, in the networks of adversaries, so that you can see a threat gathering before it is delivered, before rick sees it show up in the cyber threat alliance's
4:36 pm
networks. presumably, before jeannette and tonya see them as well. tell us how this works day to day. what does this look like? and in a world where people are concerned about sovereignty, how do we explain to the rest of the world why we can be in their networks and yet we get so upset when as jeannette points out we have got foreign operators sitting in our electric power grid? >> first of all, persistent engagement, i think the big idea there is that we are going to start using the entire operational depth of the cyber domain as wields frame it or the information environment. so we are not going to see red space. we are going to goet the right actors, olympianing, preparing, testing rehearsing. they are trying to defend themselves. we are not going to see grace face so that i am allowing it to
4:37 pm
maneuver out of their sanctuary get into an attack position and start to pummel us. if you think about where we were just a couple years ago that's what it was. it was shields up, we were principally focused on blue space and we were trying to shoot the arrows or block the arrows from penetrating us. tonya said it well, the volume, the velocity, the variety of the threat, it just continues to improve. rick said they have automated this. you are going to be in a defensive crouch, you are just going to bleed out. you are going to get knicked by a thousand arrows or a million arrows. the big idea is that we will manipulate in all of those environments. we don't act by ourselves. we engage with foreign partners, we engage with commercial partners, we engage with our interagency partners.
4:38 pm
it is really building that irk no. now this is an intel audience, what i would say operations in the cyber domain in the information environment are like operations in any other operational domain. they are driven by intelligence. from cyber com's perspective, nsa is its most important parter in -- partner. all of us on the stage have different responsibilities and different authorities. the idea is bringing all of that together. we are not operating, we are not ceding space to the adversary. i am not necessarily crawling through a partner's network. the partner is actually sharing. i'm sharing with them to enable them to defend better, to doe detective, verify, to share back with me. >> i wasn't suggesting you were in a partners network, i was
4:39 pm
suggesting you were in an adversary's network. >> as we should be. >> come out of a 2016 experience, what i was struck in doing the reporting on the book was the number of people in cyber command, nsa, certainly at dhd and fbi who were saying the reason we were taken by despise want because we had radars off, it wasn't a pearl harbor kind of situation it was that we hadn't built the radar to be able the actually it. as now you have been through the experience of the midterm elections where i think john bolton at the white house and director nakasoni have talked about this are you persuaded we have at least built the radar network, that we would see that information again on the cyber side and on the information warfare side. so i think the most important part of our response was we had
4:40 pm
the radar. it just wasn't tuned properlily. >> can you give us an example operationally from 2016? >> yeah. i think frankly we weren't camped out on social media. we certainly weren't will being domestical domestically, i don't think we were partnered as well as we should have been. the lesson learned is first of all you better open your aperture. you better look at your partners, understand with a their capabilities and limitations are. and then you better build sustainable mechanisms that allow you to partner effectively. as rick said i think what we are finding is you have got to automate as much as possible. because we still put a lot of human sweat equity against
4:41 pm
problems that i think -- i mean, i go back to when we were really sucking a tremendous amount of sigant in iraq and afghanistan. i would say i need more linguists. he said you need to ask better questions and we will give you tools so information is not falling on the floor. it is being collected. you can access it. but you better -- you better know the question that you have to ask. and that will allow to you access it. >> i don't think there is an issue of recognizing the adversaries ukt canning influence operations. i think we all get that. the question is do we have a way to counter them? i don't see that. are we working on that? >> again, i think it is the partnership. it's combination of law enforcement. it is a combination of working with our foreign partners. but the other thing i think we
4:42 pm
have got to be very careful about this idea that cyber v cyber. you have got to look at the range of operations that a nation state has. so you can impose sanctions, you can hurt them in the pocketbook. you can prevent actors from traveling internationally. so i think two things. sometimes we can narrowly define the roles. and that will limit our ability to see the problem. and then it will limit the amount of tools we have to apply against the other problem. but i don't see this as just a cyber problem or a cyber response to the problem. i think we have to be much more sophisticated than that. >> we will come back to that in a moment. in the general's answer about 2016, on theian and jeannette you are both intently focused on 2020. tonya, i think you and i were at
4:43 pm
an event earlier in the summer where everybody agreed that whatever it is the russians and other actors are going to do in 2020, the one thing for sure is they are not going to follow the same playbook they followed in 2016. so tell us a lint about what you are doing to begin to think out ahead to what kind of investigators of attack you think you might see and how he would get ahead of it, ahead of the election, both on the social media information warfare side and on the election manipulation si side. >> i think this issue is one of the great areas of growth for probably the government and how government works with the private sector in the time i have been working cyber. as you would hope, we learn and we get better in response to everything we experience the
4:44 pm
nature of these problems requires a coming together of what have traditionally been quite separate areas of responsibility. so i will speak just specifically for the fbi. the issues of foreign influence traditionally are handled as a counter-intelligence issue looking at how foreign intelligence services are looking to conduct their influence activities. whereas the cyber related intrusion activity is looked at as a cyber investigative and an intelligence manner. and that was not only the case for the fbi. but multiply that really in different ways across the government, including focus on functional issues like sidebarer and then regional adversaries li -- like cyber and then regional
4:45 pm
adversaries. what everyone is looking at and marry that up with what insight the private sector has. i think the great growth since 2016 has been in building those structures and communication networks and capabilities where we are now having that conversation all the time lest you think we are just responding to the last thing that happened, i won't go into detail, but it is more expansive than just look at the nature of activity of what happened in 2016. so there is also a level of imagination injected there, too, and analysis of how we think thing might be different in 2020. >> jeannette, let me give you a specific example of that, as we all over the summer heard this because it has been the summer of ransom ware for a number of cities and towns and school
4:46 pm
districts and all of that. a lot of your colleagues have been looking at the question of what if you had a ransom wear issue around election machines in the future? or forgetting election machines, just the registration systems which risk outward face asking on line and therefore a little bit easier for somebody to go and get into. and that's just one of a half dozen scenarios i have heard play out. tell us a little bit about how you are all thinking about getting ahead of these. >> similar to what tonya said i think not just for our agencies but really for a lot of government elections, it was very much a forcing function not just to think about how do we protect our electoral process but how are we thinking about this overall activity where you have adversaries who are thinking across multiple different ways to achieve an impact.
4:47 pm
and one of the first things that we did on elections was to work with election officials to actually understand what the election system -- looks like. and to make sure that everybody actually understands it. we published something called a risk characterize igs. it is a simple sort of info graphic that says this is what happens before election day, this is what the types of systems are that different organizations will use and walk people through that. and the reason that's important and we are taking this model and applying it to all of these different critical function is what is that end to end process look like? not the technical system yet. you need to get to the technical system. but what does that end to end process look like, what does that business look like to deliver this final outcome of a voting result in the case of elections. and then actually assess the risk. and what that started is really
4:48 pm
a -- an iterative process. and say okay, well, you know, voter registration databases was something we were concerned about in 2016 because we had some -- some evidence that that was happening. well, why was it happening? and so there is a lot of questions that now start the come and you can have people this the intelligence community start to look for those answers. and based off of the answers it now informs maybe we didn't understand their everyall intent. you go through this process, no different than every other problem we have to work on. just that this one happens to be on cnn every day. so we think where we learned our biggest lesson is really getting everybody on the same page and understanding and being very public about it, too, is everybody should understand how your country's electoral process looks like. and then we also wanted to be very public and say here's how
4:49 pm
an actor could you know maybe cause some problems. and sometimes it is not even an actual problem, which for cyber people started to get us uncomfortable because there is no actual cybery thing happening. it is a perception that a cybery thing has happened or something like that. but we felt that we had to take in that full realm of possibilities. and then really focus on okay voting machines, there -- it turns out it would be actually really, really impossible probably to have any sort of wide scale impact that was undetected but you could cause chaos by injecting something or somewhere in this process. and knowing that that was probably their intent that allowed us to focus. if you take that model -- we are still taking that model for elections and will continue to row fine that you can start to and you start to understand well here's the company that provides this system and that's companies
4:50 pm
have since allowed us to take apart those systems. >> the companies that make the registration systems. >> and the voting machines nsa d others and say i need you to look and see if anybody it maybe looking at this company or this machine. and now they know it's a high priority alert. are people that i need to get information to with the right context so they can do something. that is the sort of cycle instead of a generic list of hey, there's an advanced atp out there messing with windows. >> that is very different. i remember going to dhs last year of the obama administration? the summer of 2016 while this is going on. and they had secretaries of state that wouldn't return the phone calls. they were afraid the federal government is taking over the system.
4:51 pm
>> that's one thing they were unified on. >> if you ask people about the makers of that software, we engaged with them. let me ask you the next step on this. you can't say very much about what the u.s. government did or didn't do during the mid terms last year but i believe what i read in the "new york times," you know, the failing "new york times" -- >> that makes up for the book plug. >> yeah. we understand there were messages based on the cell phones and individual actors in russia. and so forth.
4:52 pm
they found the system shut down for a while. while you can't discuss the specifics, can you tell us if you're seeing this kind of -- if we're seeing this kind of out ward warden gaugement, is there any evidence you with cite that this kind of action which is intended as deterrents is actually working, recognizing the nakt ev fact that it is difficult? >> i already think cold war deterrents, it was a success. we didn't annihilate each other with nuclear weapons. this is different environment. do i think they're going to come into this space in 2020? absolutely. the big idea of, again, persistent engagement is not the sank wary. make them compete throughout the entire ma and throughout the
4:53 pm
entire environment. i don't know a single thing question do that would prevent them from competing in that. but i want to impose as much cost on them as possible. and again it goes back to if we restrict this to a cyber v. cyber operation or activity, then that becomes pretty challenging. but if i use everything that's available to me as a government, a whole government approach to this, then i think you have a lot of options. and so that -- so, again, that's much larger than cyber command. for mid terms, we did persistent engagement. we acted throughout the entire operational depths so in red space and gray space and in blue space. and we imposed cost. now most of our adversaries, we
4:54 pm
know, they're pretty adaptive. they learn. and i think your point about, you know, are they going to, you know, pull the same play from the 2016 election where it was effective for them? maybe they will. i think it's going to be, you know, they will have taken lessons or likely have and they're going to work very hard to evade our defenses. they're going to try to limit the cost that's we're going to attempt to impose upon them. i think it's going to be rather sporty, actually. . >> they don't differentiate between cyber and information warfare. and you just read the doctrine. you read all of the rest of their materials they have done. and yet we do. and it's a very different
4:55 pm
approach. you've been pushing pretty hard to get the united states into the information warfare side which is difficult thing for democracy to do. tell us a little bit about the concept of that is. >> so you look at our mission for cyber. i have responsibilities. i operate, defend and attack when directed. i have responsibility for information operations. i have responsibility for electronic warfare. when i look at that, if i look at them as stove pipes, then i can certainly create effects. i can impose costed. i can engage in all three of the areas. we think they have to be able toi to integrate the capabilities and really erase those seams and when i look at cyber io and ew enabled from the great intel
4:56 pm
community, that allows me to start what i would call information warfare. and so we are pushing very hard. we're spending a lot of time right now in developing the concepts for that. but what i find is i support my commanders around the globe, army commanders. it's very rare someone comes to me and said, look, i need this cyber capability. they describe the problem they're trying to solve of. and maybe they're trying to get information to an audience. i have a way to deliver that. but i would argue that it's a cyber delivery is probably information operation that i'm conducting. >> can you imagine the united states openly saying that it conducts information operations? >> i think we should, absolutely. so if you look at the idea of persistent engagement where i'm contesting, that is -- that creates -- first of all, that's an operation. i think that creates an idea that we're not going to just get
4:57 pm
pummelled without imposing costs on the adversary. it could be traditional range of adversaries down to criminals. and again, i think what we found, whether it's criminals or it's nation states, you know, our partnership with fbi, with industry, is what has allowed us to get after this in a very different way than we did in 2016. i any that is important. sometimes it's like, hey, look, they're ten foot tall. they're having their way with us. and what i would tell you is as they have learned and adapted, they developed capabilities, we have done the same thing. and it is a very competitive space. >> rick, you made the point of the framework. you've got maybe 50 groups, maybe 250 techniques. that doesn't sound like a huge
4:58 pm
universe for general foor dhs a fbi to be dealing with. . >> like you said, it sound really big because the bad guys automated their attacks. the members of the cyber criminal lines, they believe that there are no more than 100 active cyber operations going on in any given day. right? only 100. half of us thinks it's less than 50. the if you go by the minor attack standard, they went and captured every technique and tactic and procedure that bad guys use and most people think there is a bazillion. if there are 50 adversary groups operating every day and they can do 250 things, that is a math problem even i can solve. the trick to this is automate it. we forget that spectrum of information operations, there is
4:59 pm
a defensive component. the reason we're talking about the election infrastructure is because the cities and the counties and the states run it and they have no resources to defend themselves. most of those folks are two dgus and a dog in the back room. they have a printer and fire wall and they get coffee in the morning. they have no capability to do anything. that's where ransomware is so successful against them. there are over 250 successful ransomware attacks against counties and cities and states in the last five years. most of those leaders elected to pay the ransom because they don't have the resources to prevent it from happening in the first place or to install backup systems to they won't be affected by it. so they pay the ransom so the bad guys said, oh, that's going to be work. i have to keep hitting the cities. the they're going to pay it. we have to find a way as a nation to provide those cities, counties and states resources to
5:00 pm
prevent these kinds of things from happening. >> i want to take this moment just to remind everybody that send in your questions. we'll be taking some questions from all of you. that will be magically appearing on my little ipad here. come back to rick's point before that some of what is seen in the private sector doesn't immediately trusted and acted on by the u.s. government. you as well. in other words there are two ways of sharing a operation. >> well, so i would say there's not full trust both ways. the and i would also try not to lump up every type of information under a broad information sharing umbrella and say that the same sort of criticism applies to all of those. i think that you talked about the radars which i love.
5:01 pm
i've been on a soapbox. it's not just the radar of our intel community that we need to develop. it's the radar that we need to get the private sector and government to take action and they also have a radar for learning us. and how do we kind of coordinate that? when we were first developing our automated indicator sharing system, everybody sort of went into it with this, well, you know, it's cyber. we have to do, you know, they use different terms. machine speeds, cyber speed, super fast. and real time. and if we just find a way to automate indicators, we'll get rid of all of this noise that everybody has to deal with. if you think about it, if i'm delivering a feed, which we are now, we deliver the automated sharing feeds to hundreds of
5:02 pm
organizations, the amount of trust that organization has to have in my feed to automate, not just the injust but the actual action, the blocking action of a my feed, that's a lot of trust. and so when we're talking about automation, i think there's a lot of improvement that has been made in -- we're talking about some of the contextual questions. will you open the systems to dhs and fbi so we can understand and better understand what's going on? we open up and have conversations with the intelligence community and the private sector. those are actually significantly advanceded. i feel like with he have mutually learned a lot as a result. the automation one is really going to take a lot more work to build the trust in the system. we're going to make some changes in ours because we got good feedback. here's some, you know, specific tactical things that will be useful so we can know how confident are you about this?
5:03 pm
what is, you know, os are you concerned about? those sorts of things. with he can make some changes in it. but really when we start talking about automation, you really have to get into the weeds with your partner and you have to really have honest conversations about what would it take. i don't just need you to automate the injust. i need you to automate the actual actions and i need it to start to spread to as many people as possible so that we're all blocking whatever it is one person put in there. so it's actually much more complicated than i think anyone envisioned. i think there's -- the cyber threat alliance worked really, really closely with and we're trying to push the bounds on the things the government shares. there's still a lot of lawyers that get involved in conversations. so there is still a lot of things that the government has to push beyond in order to be
5:04 pm
fully open in this kind of public/private partnership that we're trying to get to. st. >> we have this argument all the time. we want to limit the things with he share. it gets easier to do. we're talking about 50 groups, 250 techniques. with he don't care who you think it was. we don't care. none of that matters. what mat serz that subset of intelligence so that the security vendors who we all have in our networks can actually deploy the prevention controls automatically. >> we actually also attack framework for those not familiar, it is really g we're using it internally. and we're starting to align much of our products and capabilities against it because it really allows you to start to narrow down if this thing is happening and very prevalent, could i deploy technical solutions? should i depli a policy? what are things i can do against that? and the more people that start orienting around this framework and the cybersecurity community at least, i think it provides us
5:05 pm
with a common lexicon for how we're passing that and that will help the automation. >> the take way, please use the minor tack framework. i will tell you that the cities, states and counties, stle no th no controls. >> this gets to a question i was going to ask tonya:what stru. what struck me in texas and the cities and states that have had these ransomware attacks, so far do not look to us to be state attacks but rather individuals, maybe foreigners who are in this for the money. when you went to the states, we went to the municipalities or the school districts or where ever it was and you say let me talk to your cybersecurity officer so that we could, you know, discuss how you might have the automated response here. we would say, we don't have an
5:06 pm
id person. or we have a part time it person. or in the texas case, it actually looked like it was spread to a law enforcement network that seemed to be a trusted network. so while we're up here discussing automating it, you got, as rick points out, a set of targets out here who don't even have the basic infrastructure. >> right. >> that is another target. they're the target. >> right. >> what was your question? what is the victims you have of automation when someone calls the fbi and says can you come in and help us and the crowd said what can cities and counties prevent from being frozen out of the networks by hackers seeking ransom? >> right. so what might actually surprise you is that if you look at the statistics from the fbi's ibt net crime complaint center, i see three.
5:07 pm
the sheer number of ransomware attacks has gone down year over year. that is an incomplete statistics. we're relying on what victims actually report into us. but the trend line we're seeing is that they're becoming more sophisticated and targeted and less open opportunistic. a profit motivated criminal may have just targeted any opportunity, anyone with weak network security. now they're being much more targeted and looking at from what we can tell, the victims who are most likely to pay, who have the highest incentive to pay, who can't afford down time because the files and networks have been incrypted and that is municipalities, hospitals, targets like that which of course, raises the impact of the threat. we have a history of looking at
5:08 pm
not just individual criminals but criminal enterprises. how do you target the key nodes that are enable criminal activity at scale thaernrather focus on the low hanging fruit which may give you impact but doesn't have the larger impact you want on the overall threat. that's how we're approaching the ransomware strains. this is where we had to adapt our traditional model where we have 56 field offices scattered throughout the country that focus on a range of crimes in their geographical area with cyber threats and something like ransomware, that doesn't scale. you can't have 200 investigations open across the country on one strain of ransomware that is infecting that many victims. so what we do is we designate a single field office that is subject matter and expert and
5:09 pm
lead in investigating and finding those responsible for those most prevalent strains and then all the intelligence and information feeds into that main office and with support from headquarters, they get with other partners in the intelligence community, that's how we identify what is responsible. and then sequence actions among us which could be with our partners here. it could would be foreign law enforcement it could be with the about it coin wallets that they're using and we look at what sequence of actions is most likely to disrupt and take down this activity? >> tonya, do this by example if you can. i understand it's on going. you're limited. but in the texas case that you've seen, there seemed to be a single strain that you saw here. it was a strain that we have
5:10 pm
only seen since april. tell us how you dealt with that. >> i'll tell you an example i can talk about in more detail, the sam-sam ransomware which 2015 to 2018 infected hundreds of victims worldwide. exactly that type of victim that i mentioned, the city of atlanta was one. they got the most press. because the amount it cost them to remediate far outstripped the ransom that was being charged. let me just -- can i take an aside here. i keep seeing in the press that there is confusion over what the fbi's position is over paying ransoms. so let me be unequivocal. we do not recommend paying the ransom. you don't know who the money is going to. you don't know what type of additional criminal activity it might fund. there is no guarantee you'll get your files decrypted. and it encourages this activity. >> you saw a town in florida
5:11 pm
announcing they were paying the ransomware and in baltimore they're up to $18 million and climbing and far in excess of, as you say, what the ransom was. >> yes. >> while i hear the fbi washing, i would way the economic signal is running in the other direction. >> hopefully it's highly regrettable for those municipalities and other viction that faced at their very difficult position. but that is a signal with regards to defenses which is part of your original question in terms of making sure you're maintaining off line backups so that your backups that you're creating of the networks are not connected to your system and those can't be incrypted as well. educating your workforce on the common ways in which ransomware is enabled through spear fishing and other means, to educate them
5:12 pm
to prevent those types of infections. and then coming back to your question about how we organize around it. so in that sam-sam case i mentioned that had such a global impact, we had the individual offices responding to particular victims. we're collecting evidence. we're trying to gain the nuggets to help us identify how the ransomware is working. there were foreign victims as well. so we're using our oversea cyber leg groups to engage with those victims. long story short, all of that information comes together and then we turn to our partners to help us with the puzzle. in this case, we worked with private sector virtual currency experts who were able to help us trace the bitcoin wallets being used by the adversaries and we identified two individuals who looked to be responsible. they happen to be located in
5:13 pm
iran this is around the time when the u.s. government was decide wl deciding to stay in the jcpoa. there was a high level of interest knowing whether these iranian individuals that had had impacted u.s. cities, a port, and other targets were acting as individual criminalors on behalf of the iranian government. this is where we turn to the other ic partners. what do we collectively know about the individuals? and there is a back and forth. based on the nalgs of that collective of agencies, we're able to determine a few key things. much of the activity is conducted in off hours. so likely not part as someone's day job.
5:14 pm
they also had some extravagant travel. and they just come into a lot of money personally. and one had recently been fired from a government affiliated job: job. so that led us to the conclusion that they were acting as individuals. treasury and through sanctions against the individuals. as well as some of the entities that were enabling the virtual currency and use bitcoin wallets. with uns thonce that indictment publicly announced, all the malicious activity ceased. so that is a snapshot of not only how we deal with ransomware but how that woven fabric i mentioned at the outset each of the different pieces and private
5:15 pm
sector and government bringing their capabilities and authorities and expertise can blend together. >> thank you. we have two questions from our audience here that are related and directed to you. the first one is will cyber warfare eventually lead to the demise of the war? because why would you place one's forces athe risk to destroy an adversary when can you use cyber tools to paralyze it? and then a relateded question that came in. asks whether or not -- well, cyber conflict is portrayed as a short of war operation f the u.s. was to engage in a shooting war with an adversary, what kind of cyber attacks could we anticipate as a compliment to battlefield operations? how would the fbi be prepared to
5:16 pm
fix critical information? >> so i cyber gives options. it's additional options to a commander. and as we looked at some of the cyber offensive cyberspace operations we've conducted, some cases you could have conducted a strike. some cases cyberspace operation was conducted in conjunction with a kinetic strike. my responsibility is to provide my commanders that i support the full range of options. and then make recommendations on how to best integrate the capabilities that i provide. some cases unique capabilities to compliment what they're trying to accomplish. so i don't, again, i think this idea this is a binary, you know, capability, you have cyber and you can bring your adversary to your knees -- >> i often remind people in the
5:17 pm
early days after the invention of the airplane, people thought air war was going to be separated from everything other kind. and we learned otherwise. >> but we find against some targets that cyber gives very good capabilities, creates very important effects for a commander. and in competition short of war, short of conflict, then i think cyber as part of, again, that whole range of capabilities of a nation state and diplomatic information, et cetera, et cetera, right on down the line. that i want to be able to provide leadership options and sometimes they may choose cyber option. sometimes they may not for a variety of reasons. >> dhs has primary responsible for cyber protection. until we hit a magic point where
5:18 pm
an tack is so big, you get to call the general and say it's your problem now. the question is where do you step in in protection of infrastructure when you're actually moving from the day to day low level conflict to something more heightened? >> i would say this is not yet clearly defined. i think there is preparedness, bucket of pro vengs aevention a of them need work. and how does that actually work within the government? we issued some doctrine, all of us together, putting that out. but on the preparedness side, it is understanding from an adversary perspective, what do
5:19 pm
we know if year in escalation of tensions. how would they seek to target? what functions? what entities? and so how are we with that knowledge focused on and building more resilience and hardening the systems? and then that gets into more of what i call on the prevention is how are we tuning our collective and warning capabilities and when things happen differently on the geo political side and tensions start to escalate, we know how to shift our, again, pointing to rick as i have a private sector representative. sort of collectively everybody who is involved in having visibility or ownership over the critical functions would sort of, you know, escalate in the level of alertness and how are we getting that information? so that if whether it is cyber com or other intelligence entities or partners are able to say okay, you and whatever country are starting to get
5:20 pm
towards a war. here's the sorts of alerts and warnings with he need to start putting out. we've seen them try to do something. let's go act. then something does happen. en that you're talking about everything up to an actual declared war and something does happen. an adversary has done something within the united states. we're still the lead for leading the response within the united states. we have a national response plan. but we have now done several xer s exercises. there are a lot of gaps in seeking emergency doctrine from a cyber perspective. i'm just being very blunt. this is something we really to work on. now when we're in a state of war and our soldiers are out fighting overseas, we're still in the homeland working with
5:21 pm
north com to protect the united states. so there is really no sort of it's not my problem, its now your problem. >> at that point it's everybody's problem. >> still everybody's problem. >> rick, we're going to give you the last word here because somebody's asked what are the cyber function that's are most right for auto make but which today are not? it strikes me that this situation we're discussing would be one of the most right. >> it's very practical and it's coming up with the standard of how you put the information together. the cyber threat alliances come up with the adversary play boom which is basically the minor attack techniques and procedures plus indicators of compromise plus a little context. written package so six helps you automate stuff. so we share that with each other. we can get the entire world on that standard, it becomes easier to automate these kinds of things. >> well, we are not out of
5:22 pm
questions but we are out of time. >> i want to thank all four of you for what's been a really rich conversation. and really appreciate it. i thank all of you for your great questions. >> awesome. >> thank you. >> week nights this week, we're featuring american history tv programs as a preview of what is available every weekend on c-span3. tonight, gary adelman of the american battlefield trust covers the whole civil war in 56 minutes. this talk kicks off a nice of programs from a getiesberg heritage center. you can see it tonight at 8:00 eastern here on c-span3 and enjoy american history tv this week and every weekend on c-span3. in his first public remarks since leaving the trump administration, john bolton talked about north korea. he said military force needs to be on the table. >> one is the possibility limited though it may be of
5:23 pm
regime change in north korea. second, we should look at and zous zus with china and we should have done it long ago aiming toward the reunification of the peninsula under a freely elected government like that in south korea. and third, if you believe, and you may not, that it is unacceptable for north korea to have nuclear weapons, at some point military force has to be an option. now this is obviously the most controversial subject and many people say it's just unimaginable. unimaginable that you would use military force. so let me quote to you the words of general joe denfer, the chairman of the joint chiefs of staff on his last day, i might say as chairman. he's done an outstanding job. he said this to the aspen
5:24 pm
institute seminar in the summer of 2018. on this question of what's unimaginable. general said, as i told my counterparts, both friend and foe, it is not unimaginable to have military options to respond to north korea's nuclear capability. what is unimaginable to me is allowing the capability to allow nuclear weapons to land in denver, colorado. my job will be to develop military options to make sure that doesn't happen. i think general dunnford is completely correct. >> you can see the full speech in washington, d.c. we'll visit for you tonight starting at 8:00 eastern on c-span. >> the house will be in order. >> for 40 years, c-span has been
5:25 pm
providing america unfiltered coverage of congress. the white house, the supreme court, and public policy events from washington, d.c., and around the country. so you can make up your own mind. created by cable in 1979. c-span is brought you to by your local cable or satellite provider. c-span, your unfiltered view of government. zblfr t >> the center is recommending how the u.s. should respond to smuggling migrants into the u.s. for work. the panelists discuss policy changes to address the issue through governmental and ngo


info Stream Only

Uploaded by TV Archive on