Skip to main content

tv   Aspen Institute Discussion on Cyberattack Deterrance  CSPAN  May 31, 2019 3:44am-5:11am EDT

3:44 am
and then his confidence in himself as that vehicle. and the idea that because she did not have pain in that moment that she was definitely healed. and his very dramatic approach to faith healing is one i found to be somewhat manipulative. q&a sunday night at 8:00 eastern on c-span. next, a look at recent cyber attacks on companies like sony and yahoo! and how to determine if the hacking is from war and governments. this discussion at the aspen institute in washington, d.c. is an hour and 20 minutes.
3:45 am
>> thank you for the opening remarks, and to georgia tech for partnering on this event, and my welcome to all the attendees to washington, d.c. and to the aspen institute. the aspen institute cyber and technology program fosters collaboration between technologists and policy makers, with the goal to be more of a do tank than think tank, and really trying to focus on finding solutions to the critical challenges that we're facing in our digital age and with emerging technologies, with the recognition that right now we're not where we need to be as a country, and in order to get there, it's going to take continual focus, and either coming up with new ways of reducing current vulnerabilities or better understanding of the motivations of those who are trying to attack us and ways to deter their activity. i want to recognize our speakers and thank them for joining us today. we have with us, tonya, the ctac.ng director of
3:46 am
we'll describe a little more where the acronym came from and why it was created. and tonya is now the deputy assistant director of the f.b.i.'s cyber division. that's a specialized division within the f.b.i. that focuses on cyber stress. she's one of the first analysts at the f.b.i. that had the opportunity to meet when i was there, and she worked for former director mueller. that will be the last time we need to mention anything about director mueller today. i don't think so anything else is going on. he was not easy to work with, and he's not the easiest person to brief, because he wants to you get straight to the point and deliver the pertinent facts. tonya certainly earned her chops in that role. aaron has replaced tonya as only the second director of this cyberthreat integration center
3:47 am
that was created to take into account all the intelligence that's being gathered across the variety of government agencies and coordinated so that there's a finished product when it comes to cyberthreat. so thank you for joining us. and dr. milton muler, completely different than mueller, although they might be spelled the same way, professor from the georgia institute of technology and director of the internet government project so. please join me in giving them a warm welcome. today's discussion is going focus on the role of deterrence in cyberspace, and it's a bit of a controversial subject as to whether or not you can figure out with enough certainty who's doing what in order to deter the activity. we'll talk about the state of attribution and how the
3:48 am
implementation of tools to try to deter activity, tools that could range from different legal authorities from the criminal justice system to sanctions to actual cyber operations in kind, to depending on the type of attack, use of military force, how that range of tools can be calibrated to optimize impact and to deter nation state activity, in particular nation state activity from russia, china, iran, and north korea, but also nonstate criminal actors, terrorist groups. increasingly i think we're seeing activity out of vietnam. let me start with tonya and a description of exactly what this stands for. if there's one thing you bring home, it will what about the acronym is, but also its genesis and how it was created. >> sure, thanks, john, and thank you all for attending today. john alluded to the prevalence
3:49 am
of acronyms in the government. typically we refer to three-letter agencies. well, this is a five-letter center. and when you have an acronym in the government with that many words in it, you can be assured that a lot of people in government spent a lot of hours defining the organization very specifically. so the cyberthreat intelligence integration center, the name tells you exactly what its role was intended to be, focused on cyberthreats, and by that was meant current threats, what activity and threats are we currently facing of most significance in the u.s. government. and then intelligence integration, rising that there are many agencies across the -- recognizing that there are many agencies across the u.s. government and in the private sector generating information
3:50 am
that's really critical and has to be brought together in order to inform an integrated understanding of the threats we face so that we can communicate that understanding to the people in positions of authority who need to make decisions about how we're going to counteract that activity. so ctiic is a center under the office of the director of national intelligence. it's one of four multiagency centers. and the value there is bringing together representatives of those different departments and agencies who come to the table with their information, their subject matter expertise, their unique perspective, and try to bring that together into a whole. it sounds pretty common sense, but it didn't exist before 2015, and there were two key incidents that really raised the imperative for the creation of the center, and those were the hacks of o.p.m. and sony, where i think officials like john and his colleagues in the administration were furiously trying to piece together bits and pieces of the story of what
3:51 am
was happening, what was being impacted, what are we doing about it, and having to do to multiple agencies in order to bring that together. >> that's what i remember, when we were responding particularly to the north korean attack on sony, in link to our discussion today around deterrents, when convened around the situation room, speaking with other national security threats, one, it's the only time in my career i had to brief the president on the plot of a movie. those who have seen "the interview," doesn't make a lot of sense. that's now ctiic's job. but two, when we tried to come up with a normal way to frame the meeting would be the intelligence assessment as to what happens, we had multiple assessments from multiple agencies. unlike when we did terrorism, you had the national counter terrorism center, there was one approved view of the intelligence community,
3:52 am
sometimes with dissent, and then we would base our response based on the intelligence community's assessment of what happened. it was clear that there was a gap when it came to cyber, and those such mechanisms existed. let me segue from there to you on, number one, how are we doing? is that gap closed? and two, what are your top priorities? >> so thank you. it's a pleasure to be here as well, especially with my partner, tonya. i've been in the f.b.i. as an agent for over 22 years now. so with the last several years spent in cyber division, so i feel very fortunate to be here with tonya and to continue building upon what she really put into place, and she did some very important foundational work in that center, and we benefited greatly from her work, and now it's just a matter of seeing where we can take it from here. but in a nut shell, some of the things that we do very, very well are building awareness. when things happen anywhere in the world, it's confusing
3:53 am
approximate n that moment, about -- it is confusing in that moment -- trying to figure out what is really happening, how wide spread is it, how many people are being harmed by it, who else could be harmed by it, what efforts are there in place now, and what efforts are we gathering together to respond to it. what does the response look like? how effective is that response? is that response only going to help us in this particular situation, or can we get a better, larger response that might help us prevent it from spreading further? and then we eventually start talking about the attribution. all these things are happening at the same time. and they're happening within the f.b.i. and the c.i.a. and the n.s.a. and d.h.s., and any number of agencies that have a role responsibility in cyber. so it is very hard and very challenging to get the government to speak with one voice and to come to sort of a
3:54 am
consensus, an understanding of what it is that's even happening right here, right now. and that's very frustrating at any high level of government when they're trying to make decisions on activities, on actions, on coordination, and what we want to get as an intended outcome. we talk about deterrents ahead of time or responses that response will have an immediate effect, but also hopefully a future effect. so ctiic was very critical in providing that central location where we could build that awareness, get that common intelligence picture, look across the community, integrate that intelligence across, and deliver a cohesive threat picture. and then the third that we're working on right now is more about identifying opportunities. they put a lot in place in that effort, but we're looking to continue to expand that, because
3:55 am
we see a need. in government, you would think, again, some of these common-sense things just take time. you would think it's common sense to say, well, who's capturing best practices? typically each agency is capturing them for their own agency, but who's looking across government to capture some of the best practices across government so that we can capture, how did we work well together, and where can we improve going forward? as well as were our efforts effective? did we accomplish the intend outcome? >> could you explain best practices? what does that mean? what type of practices are you assessing best practices in terms of cyber hygiene, protecting their systems from attack, best practices on attribution, best practices on -- >> from our perspective right now, it's really about capturing how is the government working together across all the agencies and entities that have a very important role to play, as well as private sector and anyone else who may have an interest.
3:56 am
how did that work? did we work effectively? was it efficient? are there efficiency that is we could gain by doing things differently? how much time did it take us to do certain things? how did we approach certain things? what do we need to have in place to make things go faster next time, to make things work better next time, so that we can learn as we go through each of these incidents -- >> so this was a response? >> response oriented, yeah. >> ok. >> so ctiic is looking to capture some of those, not necessarily for each individual agency and their incident response to the incident, but across government. how did we work together? >> would it include an evaluation of how -- let's say it's a federal government agency that's been -- o.p.m. there's a nation state actor who's intruded upon a u.s.
3:57 am
government system. would it include an evaluation of how they did in responding to the incident? >> it could. right now what we're really looking at, how did we work across? did we communicate across? did everyone know who had equities in the space? did everyone know who had capabilities in a particular space? so, for example, certainly agencies may have capabilities or certain private sector companies may even have capabilities that could come into play to stop an event when it's occurring that because maybe people didn't know about it. it wasn't employed quickly, or it took too much time. so we look to gain those efficiencies and capture those from one incident to the next. and it's still a very new effort for us. we're still building on that. >> all right. you've been involved in an effort to establish an independent transnational attribution working group with a group of cyber researchers at other universities, and could you walk us through what that project is and how it's going? >> sure. again, let me thank aspen for this -- and georgia tech for setting up this event.
3:58 am
i think it's a critical issue. the relationship between attribution and deterrent. we've been focused as researchers and policy researchers on the attribution side of it, because obviously we're not in a position to make a deterrent action based on an attribution, but what we started maybe about three years ago, we started studying how do attributions actually happen, particularly in the international space. we discovered a very disorganized process. it wasn't just a matter of different agencies not coordinating with each other, and it wasn't specific to the u.s. government. it was, you had private actors making attributions. security research firms have a great deal of the capability in terms of collection. they have infrastructure for collecting information and analyzing it, and they make their living in effect protecting or trying to protect
3:59 am
corporations and others from these attacks. and we discovered that the u.s. government didn't have a very well established process. you know, sometimes they would make attributions by means of a press release. sometimes they would make it by means of an indictment. we really like to see the indictments coming out, because that was a very systematic and formalized way of doing it. but anyway, we thought the problem here, from the u.s. government-centric perspective, the reorganizations have taken place, and they look pretty good. it's great to have greater coordination across the silos of government departments. but if you step back and look at it from a transnational perspective, where you have different nation state actors, you know, in a state of anarchy, and i don't mean chaos, i mean literally the dictionary definition of anarchy, no central government, we don't have a satisfactory attribution process. no government necessarily trusts another government, and governments are not transparent enough in terms of, they're not
4:00 am
going to reveal their sources and methods for getting the information. maybe we can collect information. governments have a tendency to not make an attribution at all. there would be strategic situations in which it might be in the interest of a government to say, we are just not going to
4:01 am
say anything about this. we are not setting ourselves up as the solution. we are to build a capability independent and neutral, transnational, we are currently working with a swiss university and the university of toronto and in zurich, trying to build a neutral, transnational attribution capability not aligned with any particular nationstate. >> a lot of the third-party vendors in this space, for profit, outside of government, make attributions, when it is a nationstate, they tend to call it by codename but not say the name of the state. going back to the first case i mandian group have done great work doing attribution,
4:02 am
they called it att1. the numbers have grown. will your group name china behind att1 or doesn't use a codename to generally describe the type of behavior? it is true. terminologyture or could benefit from standardization. bear the same as cozy mayor? they have a tendency to be cute with their naming. sort of like congressmen and acronyms on legislation. they are vying with each other with the cutest name or label. our group, is just forming, we are not doing anything. that makes me really have a lot of credibility here.
4:03 am
but when we come down to it, the point would be for us to be able to say, well you know, the russians are blaming it on syria or syria is blaming it on the united states, but we think the attribution is not credible or it is credible. josh: turning there, in terms of the current threats that we are facing, and we will start with you, tonya, but what do you think from the perspective of the fbi, who are the greatest threat actors and what makes them the greatest threats? tonya: as your question indicates, we commonly focus on the who, and in this course, you see the same top actors typically named to russia, china, iran, north korea. josh: and director of national intelligence? tonya: yes.
4:04 am
but as we look at threats currently at the fbi, we are also looking beyond individual actors and types of threats to something that analysts referred to as the convergence. if you look at that threat we are seeing across the cyber community this period of a , wholesale data theft, that we experienced, probably every american citizen through the data breach of equifax, the breach of opm, and to many other different types of breaches to name, nearly all of us have been the victims of some theft of our personally identifiable information. if you add that to a broadening attack surface, by which i mean many millions of potential
4:05 am
points that are connected globally through which a determined adversary could achieve an intrusion -- think about how many items you have in your home today that are connected to the internet and how many you had even just a few years ago -- each one of those presents the potential of vulnerability. theft of data, broadening attack surfaces, which means more opportunities for adversaries, and you add to that the proliferation of publicly available tools and capabilities for a whole host of actors to do nefarious things. we are no longer talking about only the most sophisticated nation-states, but increasingly sophisticated cyber criminals and other actors who are able to openly acquire capabilities. you take all of those together, you have to squint pretty hard to come up with a rosy picture coming out of that. it is really the convergence of those things that i think causes
4:06 am
us greatest concern because taken together, those owner vulnerabilities, those activities we are starting to see manifested and attacks and intrusions that get at the very core of what underpins our trust in a lot of things. in our democracy through the attacks that we saw on the election, and are very -- our very information and computer networks, and our supply chains, so something as simple as being able to trust that when you get a pop up box on your computer telling you that your software needs to be updated, you can have enough trust and integrity of that that you feel confident clicking on it -- that has been eroded because the single most damaging cyberattack globally to date was caused by the compromise of a piece of ukrainian accounting software whereby that outdate -- update mechanism was
4:07 am
compromised and spoofed, and introduced malware that caused billions of dollars of damage globally. that is probably a long way of saying, i think it is increasingly, we are looking at a level up and across of different trends we are seeing to look at the threat they pose potentially together. >> let me follow up on one part of that description of the convergence. you spoke about the increasing prevalence of tools that are available to criminal groups and other groups and there was recently reporting in "the new york times" about an attack on the city of baltimore that said the attack was committed using a tool the u.s. government created. i am not asking you to comment on the report, but i would like to ask both of you, if there were no u.s. cyber tools
4:08 am
available -- would we still see the same sophistication on the part of the threat actors? tonya: i do not think threat actor sophistication is dependent on u.s. tools. i think we see tools of increasing sophistication and capabilities from all sorts of sources and increasingly shared, sold, bartered in market places worldwide. you alluded a couple of years ago, we would not have typically assessed a sophisticated cyber program, yet now that community of countries with authentic cyber capabilities continues to grow. i do not think that is dependent on tools from the u.s. >> my view on that would be very similar. i would guess that if there were no u.s. tools, the u.s. would
4:09 am
probably not be as safe as we are either, because every nation is looking at ways to increase their cyber capabilities in some way, shape, or form. it only makes sense for us as a country to do the same and make sure that we are leading in a lot of efforts for our own national security. the development of tools itself is happening everywhere and it is happening in nation-states, terrorist groups, bedrooms and basements across america, it is happening absolutely everywhere. i do not think there is any one area or entity that we could look to and say you could stop this year, you can stop a tremendous amount of activity and have great impact. instead, we have to acknowledge the fact that every, everywhere there are tools being developed for various reasons to exploit vulnerabilities for any numbers of reasons.
4:10 am
those are exploited for nation-states interests, terrorist interests, criminal interests, and they affect us in a broad range and wide variety of ways with everything from our corporate structure all the way to the industries that we rely on every single day whether it is banking or road or hospitals or first responders or any number of things that we look to all the way down to the individual level. you look at, there are certain ways that criminal activity has gotten so broad that we wonder at what point is that a national security interest and is that a national security threat? you look at the whole broad range and you think, there is no one way. there is no one solution and we have to look at the threat and we have to look at the way the threat intersects with unmitigated vulnerabilities, and
4:11 am
that is where we have our risk and we have to look at all the ways we could possibly reduce that risk and reduce the attacks. john: do you agree that the top threat is the convergence or would you use a different phrase? erin: i do not know if i would say, i think there is validity in looking at that convergence. there is benefit in describing it that way so that we can understand it. across government, we have all set a lot of the same things -- we have all said a lot of the same things regardless of how you term it. it is how you describe it and how you understand it. i think we understand it very similarly, maybe from different perspectives. certainly, historically, she sat in my chair and i sat in hers. we have a clear understanding the ways that all of these different actors pose a threat and we also have become very accustomed to seeing blended threats.
4:12 am
that is another term. the blended threat being nation-state actors that take advantage of contractors, freelancers. you have individuals that become very cyber savvy and have great capabilities and they develop great capabilities and maybe they do not necessarily get direct employment with foreign governments, but they are utilized by foreign governments and they are leveraged by foreign government so they can conduct whatever malicious activity is desired at a time. or, they take advantage. the whole landscape is so complicated and there is so much going on in the cyber threat landscape. i do not think any one of us posing that- is there is one particular thing. john: back in my day, they said the attribution is hard and now they are saying it is even harder. the same actor you look at one
4:13 am
day is a crook and the next day is a russian spy. why do you think you can do attributions in this environment and be certain of who did what? >> 100% certainty would always be elusive, but definitely the ability to make reliable attributions has developed along with the skills and the awareness of the threats. a counter war so to speak in terms of people trying to obfuscate attribution. there would be technologies to mix up the comments and put it in different languages which is one known example of what you -- of how you can obscure attributions. i want to jump back a little bit. for fun. when you initially asked the question who is the greatest threat actor, my knee-jerk response would have been the united states precisely for the reason that you mentioned. the u.s. has so many powerful
4:14 am
capabilities that seem to have the state. -- seem to have escaped. the cyber weapon is not a very good metaphor, and we cannot think about this as releasing biological weapons, and what is happening, i would not call it convergence, but diffusion of knowledge of how to do these things. the insecurity of some of the exploits that we ourselves developed is coming back to bite us, but even if that had not happened, the diffusion of knowledge is proceeding apace. it is probably incorrect to focus on the russians or the chinese and to just say we have a generic problem with cybersecurity that needs to be addressed through a variety of levels of organizational, national, and transnational policies. i do not think it helped -- it
4:15 am
might help with the department of defense, the military to say, this is the threat actor, the nation-state actor that we are most concerned about, but in terms of general cybersecurity, it does not help much to say the russians or the chinese, or the iranians. it is a generic problem and we never know who is going to take advantage of the vulnerabilities and it could be someone we did not expect to doing something incredibly destructive. john: is that right? if it is just a generic problem then that implies that for most, it is not that important who is behind the keyboard and who the actual threat actors are. it is a disease rather than a crime so you just need the right antibiotic. so do you think it makes a difference to figure out the actor behind the keyboard, and is it possible?
4:16 am
tonya: to close out your analogy, people are not taking their antibiotics, they are not taking their vitamins. by and large, people, generally, and i mean individuals, organizations, companies, you name it, are not doing the set of basic things that we have all come to consensus on would -- would mitigate the majority of the malicious activity. that would certainly help. i do believe in the fbi and the justice department believes that attribution, and sometimes i think we rely too heavily on that word -- holding people responsible and identifying who is responsible and holding them accountable is critically important for a few reasons. one, we talk more broadly about establishment of international norms and trying to develop rules and regulations by which to civilize countries will -- by which civilized countries
4:17 am
will operate. what we agree we will do and not do. we will not be able to hold countries or actors accountable to those if we do not know who is responsible for activity. secondly from the department of justice and the fbi's perspective, really the criminal justice system is based on identifying those who are responsible for activity and holding them accountable, and that gets at the other term and that is deterrence. the recent national cyber strategy identified that law enforcement actions serve as an instrument of national power in part by deterring militia cyber activity. cyber activity as one tool in the government's toolbox to establish deterrence. what does that mean? it means that our investigations are a means of identifying who is responsible for malicious
4:18 am
cyber activity and we heard, and thank you for the compliment on , as my director likes to say, nothing says attribution like an indictment because it is a very detailed, painstaking march through the evidence that identifies who was responsible and why the government feels that way. it shows and demonstrates to our adversaries and also to our partner governments that we feel so strongly about the evidence behind the attribution that we are willing to stand in a court of law and make our case. the use of law enforcement actions in indictments to identify who is responsible and hold them accountable is actually the envy of some of our partner countries. i know that because they tell us that. but it is only one step. investigations and intelligence,
4:19 am
both of which the fbi thinks is a step towards identifying who is responsible and holding them accountable, that could be through indictments but it also informs a whole host of government actions, sanctions, diplomatic actions, maybe military or other operational activity. it was good to see our eu partners recently developed a regime by which they have the ability to impose sanctions and -- in response to malicious cyber activity. i think you see international partners, like-minded countries coalescing around this approach. we cannot have those norms or means of deterrence if we do not have the underlying attribution. milton: can i follow up on that? we had a student to a research project on visibly correcting all of the fbi attribution cases and trying to assess the degree
4:20 am
to which they were effective at deterrence. what we discovered is that there is a big cleavage between state actors and cyber criminals. if you are talking about indictments of cyber criminals, these indictments are extremely effective. a lot of these people will end up getting extradited and arrested, they end up in court, and obviously that is a pretty strong deterrent. with the state actors, it is a different story. there is no evidence that they are deterred specifically by being named, however, as tonya was indicating, you have a variety of other tools. attribution to a state actor has to be coupled with a response strategy that is suited to the particular adversary. john: let me push on that a little bit. in terms of the study, i am curious. how do you categorize -- there is an individual name of a
4:21 am
russian hacker that hacked into emails,stole 500,000 turned the search tool into a site where it directed you to an erectile dysfunction site and collected on the ad revenue. the indictment that was produced by doj said he was acting on the control of russian intelligence agents but they would take things like the stolen email to do queries. is he a criminal or a nation-state? the iranian actors who were involved in the financial sector that affected hundreds of thousands of customers and cost tens of millions of dollars, and they also hacked into the bowman dam in new york -- they were not
4:22 am
members of the state. they were two groups loosely affiliated with the state, so how do you analyze? do they fall under criminal are nation-state, so how do you analyze it? milton: you want to go first? erin: i can. that is when we look at the blended threat. we talk about how do we look at deterrence -- how are we anticipating it? to go back to some of these points, you have the specific deterrent effect and the general deterrent effect. we would look at both of those. one, specifically we might be able to stop a particular actor. generally, we might be able to stop a particular activity. there is a lot of thought that goes into what is the intended effect that we are trying to have? the government looks at that and -- at that in a number of different ways, very holistically, and we bring in numerous agencies and we have
4:23 am
countless conversations about what does this need to look like? who do we think is really behind this, can we attack this with confidence, and what is the intended outcome we intend to have? sometimes there is a particular deterrent, making sure that individuals know we can identify them and stop a particular activity from occurring. sometimes it is much more general and that is when we talk about the whole host of options we can get into. i know maybe a little bit later. but i wanted to talk about it is not just stopping one particular actor. there is a whole messaging and intent behind that and it is all about making sure that we are sending a message that as americans, we are not allowing certain activity to occur or continuing to occur. it violates our laws and affects our way of life. it affects our national security and the personal security of americans.
4:24 am
we want to preserve our way of life and we want to protect the american people, all of which are in the national strategy that all of our calculations, all of those thought processes go into, we look at achieving those outcomes. when we talk about that blended threat -- milton: times up. [laughter] erin: train is coming. we talk about the blended threats and we look and see can we determine the extent the individual was controlled by or cooperating with a nation-state actor. that is a part of the evidence we evaluate and bring to bear across all of government. sometimes we look to our foreign partners as well who have key pieces of information that they are willing to share. they have come to the table because we recognize that we do have to collaborate and cooperate internationally if we are going to preserve freedoms and security on the internet. that applies to everyone.
4:25 am
there are certain countries that have been willing to make public statements as well. they are included in some of those collaborative planning sessions, and outcomes. the degree to which we can attribute certain activities or actors, not just specific persons, but also a nation-state, a lot goes into that. we want to make sure we are comfortable, confident with the evidence that we bring forward, but that does change the calculations. we do not want nation-state actors to take advantage of individuals, to hide behind the activities of certain individuals to usurp our laws and usurp the protections we have in place against the nation-state activity. and that can include the sanctions. when you talk about an individual who can find creative ways to be very profitable. we have sanctions against certain countries for reasons. there are reasons behind those.
4:26 am
we want to stop certain activity and want to deter certain activity, so you have financial reasons, economic reasons that you put those sanctions in place. to allow them to utilize individuals to get funding or bring money into the country for the nation-state's use, that usurps those sanctions and it violates u.s. law. john: you are talking about north korea? erin: pick one. [laughter] there could be many that applies to. it is important for us to look at it and not just stop with the threat actor, but determine if there is more behind it. john: we have talked a little bit about the benefits of being public with attribution, but there has been criticism. attribution without deterrence, without imposing some type of pain or penalty on the actor actually encourages others to take some more action. we have talked a lot about russia in this panel, tonya alluded to the attack that
4:27 am
started in ukraine. it was essentially a ransom worm, a type of code that propagated itself, hit numerous other companies around the world, and that is where you get instabilities. $500 million in shipping alone, $300 million in fedex, and other places around the world. hospitals, businesses. we also have another public announcement today that russia meddled in our 2016 election and they did so by breaking u.s. law, stealing information, and releasing as part of the strategy of ruining the election. there are indictments that they were attempting to do the same thing in 2018, and that they are determined to do so in 2020. let's start with russia for a second. we have had public or
4:28 am
-- we have had public attribution, whether it is that ukrainian activity or the russian activity. without additional steps to punish is it still effective or , does it send the wrong message? open to all. milton: i think the case in russia is very clear that attribution by itself is not a deterrent, and it is coupled with other kinds of actions on our part, and we do have to look at these attacks in the broader context. most of the iranian attacks are actually retaliatory. we started it. and then once we broke off the nuclear treaty and suddenly the iranian attacks with the blurring line between private and public started increasing again and because we have no relationship with the government, the indictment with the iranian actor means we are not going to get cooperation from them in terms of bringing that person to justice.
4:29 am
it might be encouraging the iranian government to allow this kind of cyber criminal activity. i think with state actors, it becomes a function of a broader foreign policy constellation of actors and you really have to look at what kind of incentives you create through your broader range of foreign policy, and not just our cyber deterrence in our indictments. erin: one of the things that keeps coming to mind is one of the other pillars of cyber strategy which is preserving peace through strength. it is imperative that we get to the individuals behind the keyboard and also the intentions of the nationstates that they support. that is all a part of what the broader intelligence community works on and we do that and so many ways. some are public, some are not,
4:30 am
and there is a variety of reasons that we do things the way we do them to make sure that we are building the most credible and reliable intelligence threat picture that we can possibly bring to bear to when we bring that intelligence isthe table and you can say this cyber event occurring but other events are occurring and we have to look at cyber by itself. we will look at the actions of other nationstates, what are their policies and how are they behaving, are they violating any other laws and hurting americans or american interests or the american way of life in other ways? nationstate actors behaving becomes the topic of conversation across the community and relative partnerships. we take painstaking effort at time to figure out the intended outcome. you may say we have not stopped iran from attacking us or china
4:31 am
from stealing from us. i do not know that is the intended outcome for each another operational activity or for certain actions we feel we must take in response to what is happening to our people. say, canok at it and we stop the attacks against our financial institutions so that we can conduct financial activity with confidence and it will be available to the american people and will not hurt our economy, that is a different question. you can say, can i get to that intended effect? if so, how? what are the best ways? stopping iran cyber activity against the united states, all of it, is unlikely, all of the activities are china against the united states is unlikely but where can we have impactful outcomes so that we can preserve
4:32 am
american way of life and safety and security. thoughts,e quick aspects to attribution within the u.s. government, the artform of combining technical data and subject matter expertise and activity over time and the intelligence and law-enforcement to arrive at the assessment of who is responsible. there is the policy division and acted by policymakers who determine when and whether and in what form to act on that attribution, and whether that is done behind the scenes or publicly through public indictments or sanctions or other forms. i wanted to differentiate back. -- that. i would be interested in trends you see over time and the impact of nationstate attribution.
4:33 am
i think it is too soon to tell in a lot of ways but the long-term impact of that will be. i think it is good to look back a few years and realize we are in early days of actually doing attribution publicly and being willing as a government to do that. and i think we have come a long way in the past few years in figuring out what that looks like, and how and when we do it. to build on erin's point, it is not to stop activity or raise costs, or make it more difficult for the adversary to highlight that we see what they are doing. if they do not want us to continue to do what we are doing, they will need to make changes. it increases our ability to share information with the private sector and others than to harden their networks, all of which compounds and makes it
4:34 am
harder for those trying to conduct the activity. erin: to hit home the point. we want it to stop. we want malicious activity against our people to stop. if we can get to that in a variety of ways, that is a big part of the goal. we know that we are not going to stop all programs that foreign governments have against the united states in order to preserve their power, but we want to make sure that we will protect our people, and make sure that we have the best intelligence and information, and we bring all of that together in that calculation so we are talking about what else should couple this public or private attribution. what else can we bring to bear? a lot of messaging goes into this.
4:35 am
sanctions can go into this. the listing or imposing. it is not always about imposing. sometimes it is about lifting or incentivizing activity, conduct, and behavior by promoting things that we would like to promote and see what might benefit the whole of society. there are a number of those levers. when you push and pull, how that works and what it looks like. who else is involved and who else is affected by it. we are in such global times that the u.s. is almost never alone in any of these situations. when there is a massive attack it is usually affecting other countries as well. and they have considerations. are we going to work collaboratively together? against this common problem in some way. maybe a public way. those are all of the things that are happening behind the scenes when you have an event occur. john: we will open up for questions shortly.
4:36 am
let me do one last question to the group before we take questions to the audience. i have heard a complex calculus of carrots and sticks that sometimes include public attributions, sometimes it is private. and the deterrent action is private. and then we have the good professor starting a group that, without coordination with the government, intends to make public attributions going forward. we will use that to open it up. what will the private sector, those commercial entities, and nonprofit entities have in this complex calculus of how to reach the best deterrent approach? erin: the private sector is the -- has a huge role to play. over 80% and probably higher than that of our infrastructure
4:37 am
is operated by the private structure. that is what we want to encourage and what makes america so great. when we look at the private sector there, i think about so many different ways that everything from the intelligence sharing. and we are consumers. we do use private sector information to help us understand the threat picture as another source of information, because they are oftentimes closer to the activity and have better access about where they sit. the government is not the internet police, we are not all over the internet figuring out what is going on. we should not be there, and we are not there. that is not our space. the private sector is. and they are the internet service providers, and network defenders, and are out in many places that are very useful to this problem set. we looked at them for solutions. another way that i think about
4:38 am
this, when cars were invented. huge innovation. changed the world in so many ways. we love cars. everybody loves their cars. we love to get around and drive around, but there were dangers. there are car accidents and people die. early on, there were significant problems associated with dangers in driving cars. what happened? the whole society had to look at the problem set and see how they would figure this out. some people decided that regulation was needed. some in industry decided that i can put seatbelts and cars. and, maybe not what i am required to do, i will put airbags in cars. maybe i will start designing safer cars and use that as a feature so that i will draw in more buyers, because i see that buyers want safer cars. if i can make them safer, they will buy my car.
4:39 am
i will not do what is required of me, but go the extra mile to make it safer. and then what happened? consumers did a few things. consumers made the increased demand for safer cars, and two, they had to put their own seatbelt on. they had to take the individual action that was critically important to safety. i think we are looking at that here. i look at the whole problem set and see the private sector playing a huge role, but all the way from government, private industry, down to the individual level. milton: i would just say that i hoped that someone from microsoft would be here. they have taken the lead in promoting this idea that digital geneva convention and now something called the cyber peace institute, is another effort, similar to ours, obviously backed by more money
4:40 am
to create a transnational organization to promote cyber norms and to do some kind of vetting of attributions. not really clear what they are doing about attributions yet. the point is, the private internet service provider is looking at second by second, all of the data. they know and have the logs. they are in the best decision to stop, and 80% of the actual threats that you encounter are already intercepted or recognized by the people who are running the internet services. and then you have the whole specialized industry of cyber threats, intelligence or cybersecurity companies that are filling the need for that.
4:41 am
i think that the private sector has an incredible role. tonya: to give you one sign of how important the fbi cyber division things the private sector is. the team is called mission-critical engagement. that is how we view it. two reasons behind it. one, the government does not have the monopoly on intelligence about cyber activity as dr. mueller alerted -- alluded to, that is increasingly in the hands of commercial companies which have a whole different means of access and sensors, that are essential to feed into the government and society trying to understand what is happening. government does not have the monopoly on intelligence and the government is not the sole target. as erin said, so much of critical infrastructure is in the hands of the private sector.
4:42 am
we need, and are moving to a new paradigm of relationships of information sharing, of threat intelligence between the government and the private sector. the dni, last year alluded to a mindset shift of as a primary -- as the private sector as a primary customer for intelligence. if you say that to an intelligence officer, their mind just goes poof. how do i protect my methods? how do i decide what to share? how do i do this in a way that protects my long-term abilities to collect intelligence on the most significant threat while also meeting our responsibility to help protect that infrastructure and innovation. i think there is really interesting activity going on in multiple agencies trying to pilot different answers to that question. i think our ability to do that
4:43 am
and move beyond the tremendous leaps that we made post 9/11 and how we share information, but what still remains a very transactional process, collect intelligence, classifying it, downgrading it, trying to get it where it needs to go. how do we move and evolve from that in a way that this threat demands? that is our core question. john: let us open it up. >> hello. i am a reporter of "radio free asia." there was a talk about a north korean attack on american infrastructure or financial institutions, and crypto currency exchange it to steal the money.
4:44 am
i want to know, what you are focused on to deter a north korea cyberattack? john: that is for you. [laughter] >> we look at the various threat strains that come through. it is not anyone in particular. if you look at the activity, we have seen a number of different attacks from different nationstates. there is the criminal side of it, the intelligence side, and so much that i do not see one particular thing that we would say we would focus on. we are looking at all of it and trying to figure out more about the crypto currency. i know there is a huge effort in the fbi, and several other entities across government looking at ways to stop malicious activity around crypto
4:45 am
currency. that alone is getting a lot of focus in government if that helps answer your specific question. because we recognize that crypto currency is a thing, a relatively new thing, and it comes with a variety of issues that we need to learn more about and figure out so that we can stop malicious behavior related to crypto currency and currency going to places where it should not or is not supposed to. there is a huge effort going on on that one in particular. with respect to nationstate's abilities to into critical infrastructure, we have seen some of that and alluded to a different nationstate actor getting into dams, and other nationstates with the capabilities of getting into various aspects of critical infrastructure. there are a number of ways that government is looking to increase protection.
4:46 am
regardless of the particular nationstate conducting the malicious activity. everything from dhs having a specific focus on critical infrastructure protection to, we talked about the fbi having their mission-critical engagement with all of the various infrastructure providers, and the government, we look at what is the intelligence across the community, what is that telling us as far as the holistic picture about the things we need to be concerned about. are there things we can share further with the owners and operators of our critical infrastructure to harden our target against the activity we are seeing? hopefully, we want to stay as far ahead of it as we can stay so that we prevent the activities instead of reacting to them. milton: there are two parts to that, one to explain what the problem is when it comes to crypto currency and what the fbi
4:47 am
initiative is around crypto currency. with my private sector clients i am starting to see intrusions that look like sophisticated nationstates, it is a full alarm, and then using the full toolset of a nationstate, what they actually do with the access that they have gained is that they bitcoin mine. in other words they use the computing power of the private entity to create coins which gives you a small payment. it would not be worth it with your own power but because you are using somebody else's power, it is a good scheme. that is one trend, there may be others. erin, the question was about north korea. you did not use the words north korea, and i'm wondering as government officials now, you have been careful not to talk about nationstates and their particular activities.
4:48 am
is that because of government officials you are not supposed to do that? or how does that jive? i turn this to you, tonya, because you talked about the initiative to make the default sharing. we are all private now. can you tell us more specifically what is north korea is up to or are there reasons where it is not a good idea? tonya: i said russia, china, iran, and north korea. [laughter] not intentional at all and it is important to name adversaries and what they are doing. the way we look at it, we have to put cyber in its context. cyber is a means by which criminals or nationstates achieve their objective. for criminals it is a way to make money. for nationstates it could be a means to make money, as in the case of north korea, or to do other things. this kind of gets to intent
4:49 am
behind activity, which is a particular area of focus. the who and the why behind cyber activity. the indictment that you alluded to earlier, it really encapsulates the north korean activity in a nutshell. it was focused on one actor, but the activity was not exclusive to one actor. a person responsible for attempted theft of $81 million from bangladesh bank. be want to cry ransomware attack that if acted millions of people worldwide and 150 countries. as well as the effort against sony. what do we take away from that in terms of the focus of north korean cyber actors? sanctions are having an economic impact, so it is a means to make money, whether it is through crypto currency mining tour
4:50 am
-- mining or bank theft. there are still continued concern about the integrity and image of the north korean government, which the government felt was undermined by the movie that you alluded to. and then want to cry, the government does not know what the impetus behind it. clearly ransomware, you would assume that it was intended to have some sort of financial benefit, but it was not engineered in a way that victims could pay the ransom, so maybe it was a tool that got out of control prematurely. >> could i ask that we collect three or four questions, we spent 10 minutes on one question. maybe we could give everyone a chance to ask? >> couldn't agree more. thank you for that. i have a 1:30 i need to get to. thank you for talking to us. this is something i care deeply about.
4:51 am
something that i worked on in my graduate school studies, and i want to thank you guys for bringing up fbi's critical mission engagement department. i want to do the same thing in the private sector. i know, and all of the things that government is doing to try and work across departments and with the private sector. but what organizations are doing this in the private sector and what company specifically? i know that you have utilities, communications, and they are working individually. is there an organization doing something in the private sector of what the public sector is doing? a professor of security from umuc and i work with the fbi and have been for 10 years. i go back a ways. i wanted to know if a five
4:52 am
letter organization, how you are integrating with the fusion centers that we had around the country that collect threat information, and the threat center that john runs over at dhs. the pinnacle, and i am sure there are external private sector organizations. i know a couple out there. erin: i can certainly speak to that. maybe somebody could follow up a little bit more on it. with respect to the fusion centers across the country, my last count was 78-ish. those were established so that we could leverage information sharing with state and local partners in a more effective and efficient manner, and across other federal agencies as well. those fusion centers were established so -- they are
4:53 am
headed different ways depending on how you look at them. the main point is the information sharing with the federal, state, and local trouble in the area. dhs has connectivity, where each one of the fusion centers. the fbi has participation in all of the fusion centers. some of that might be full-time, some of it might be part-time. there is at least some level of participation across the country. you will find other agencies with varying degrees of participation depending on the area. those fusion centers have direct conductivity with dhs through a system. they are electronically connected as well. not only do they get information and information sharing, they are also connected in a way that has been useful for much broader information sharing across the u.s. that information can feed up into dhs, fbi, or any of the other agencies.
4:54 am
the national cyber intelligence coordination center, i think that is right. reporters, do not report me on -- do not quote me on that. i know ncic. we use the terminology every day. their responsibility is that they have forward deployed personnel as well. across the country. many of whom have relationships or a direct presence in the fusion centers that have state, local, and all the way up to the federal. that information can be given to dhs and be actionable across government. where i sit, initially it was a cross the intelligence
4:55 am
community, but by the very nature of cyber, the various partners that we bring in for that collaboration and coordination can be broader, and it has included dhs on a regular basis. it has included other partners and can include state and local, but it has included the private sector from time to time. it is much more common to see dhs and fbi to see the more common relationships with private sector partners, but from time to time, seatac has provided a valuable role in providing a forum for all the stakeholders to come together against a problem set. thinking of terms as, is there a place in the private sector and have a similar experience? i may not be the best person to answer that. what i do know is that companies across america have determined that there is a great need for this kind of intelligence information sharing and cyber
4:56 am
intelligence, and cyber gathering. it is not just cyber. it could be any sort of infrastructure protection. it can be an asset protection between private sector entities, but in some way shape or form, some companies have an aspect dedicated to that engagement as well as the protection. whether you find up in -- find that in security and under the chief information officer, and security officer. there are many ways it can be structured in different companies that provide that engagement back to the government. milton: just answer it directly, there two things. from the private sector, one is the cyber threat ordinance, a new consortium that is trying to put together an integrated consortium, and the other are the sector-based information sharing and intelligence
4:57 am
-- analysis organizations that have been around since the clinton administration. the one i know the most about is the banking ones and there are ones for other sectors. i think those are 12 or 16 of them. they are private sector-based, but they interface with governments. they have good infrastructure and some of them have good reputation especially in the banking world. john: let us do a rapidfire round because we have five minutes for the folks who have their hands up and i ask you to keep your questions not comments. >> senior fellow at university of pennsylvania. and csis. question has to do with the point that tonya made about basic hygiene and other good practices. i set up the market oversight investigations post-enron, and
4:58 am
basically the easiest way to stop market manipulation was to stop markets. are there any guidelines to how to do the trade-off between mission and security? john: this gentleman here. i want to take all the questions and we will respond. >> sean with "cyber scoop." point taken about private sector visibility. more and more companies are making attributions regardless whether they name the actual governments. the threat group names. how often you differ significantly in your assessment of attribution from major companies, and what implications does it have for how you assess the threat and decide to act? john: one more.
4:59 am
>> derek johnson, this is for erin or tonya. there are two items in the fbi budget request i want to ask about, one was $70 million in additional funding for enhanced information sharing capabilities and a request for 25 new data analysis positions. i am curious what you all are hoping to get out of those resources, where would they be focused and what are you hoping to do with them that you cannot do today. john: i will let you choose among the questions.john: i wile among the questions as we go. tanya: i will take the last one. happens in u.s. budgets, there is more among the terminology there in the top line. for the department of justice and the fbi there are a host of
5:00 am
things that do not necessarily pertain to cyber division, which i represent, but which could include technology requests that support a host of fbi programs including our operational technology division that develops tools, even our counterterrorism division focused on terrorist use of cyber exploitation of social media. that is one caveat i would introduce that the term cyber could mean a host of things. in terms of the cyber division budget and the fbi cyber program overall focused on intrusions. what we are looking to be able to do is raise the cyber capability of the entire organization. we are a very decentralized organization. most of our work focused on our 56 field offices, our legal at cachet. to ensure there is capability, retention, that lives
5:01 am
the cyber capabilities of the bureau overall and increase our technical capability to handle data that is associated with cyber investigations. probably what you alluded to with some of the data analyst positions. it is interesting in the fbi. i am an intelligence analyst. when i came into the bureau in 2001, much of the discussion was focused on the work of agents, then it broadened out to agents and analysts. talking about cyber intrusion, we're talking about analysts, i.t. specialists, computer scientists, a host of skills and capabilities we need to bring on and that is some of what that request reports. john: could you address sean's questions? >> i thought that was
5:02 am
interesting question. i think the fbi people have to answer that. whether differences between the attributions and the private sector ones? i would not know the answer to one side of that question. >> has the private sector differed with the government attribution? >> there had been interesting attributions that sometime unsettle what governments have been telling us. i cannot come up with specific cases. i cannot come up with particular circumstances or statistics. what i can say is the private sector has often come to the table to talk about attribution. they are in included partner in a lot of what we do, whether directly through the fbi interaction.
5:03 am
question is more further times you've seen the private sector make the wrong attribution because you are prohibited or for government reasons you not corrected them publicly so those relying on attributions, have you seen the make mistakes on attribution? erin: i did not come with an answer on that. john: they're wondering if i should be relying on these i'm taking defense -- tonya: attribution is often not a one and done thing. the private sector and commercial cyber security companies often look faster because they are quicker to publicly attribute, not always to a nationstate but to a threat actor or agency. the process is iterative.
5:04 am
there been times where we have arrived at different conclusions , but that evolved. that is something we are increasingly trying to get policymakers comfortable with. there is an increasing interest in faster attribution to inform actions. the first answer might not always be right or it might be than what confidence a u.s. policymakers comfortable taking action on. there has to be a comfort level in knowing that one can assess with a certain level of confidence than initially what the attribution may be but we have to be open to getting more information as our knowledge base increases and being willing to evolve that attribution. john: we hit our time, that if
5:05 am
you are interested in this type of discussion, i want to thank the guests. on october 2 in new york city we will be having our fourth annual public cyber security forum. if you are interested in attending, i encourage you to or to reach him. the information is on the website. with that you can join me in thanking our guest. [laughter]
5:06 am
-- [applause] >> sunday on "book tv" at noon, live with author and biographer evan thomas, his latest book is "first -- sandra day o'connor." >> she knew when you had to stand up to somebody and also when you had to retreat. also how to avoid controversy. very pragmatic, very practical.
5:07 am
skill she brought to the u.s. supreme court. >> his other books include the ike'sen, i ask the -- bluff, and being nixon. >> watch in-depth live with evan thomas on book tv on c-span2. >> your some of our future programs this weekend on "book tv." saturday we are at the 2019 pan america literary gala. awards were given to bob ward word, professor and lawyer anita hill and richard robinson. the event was hosted by comedian john oliver. >> pan-american it is powered like a nationwide membership of writers with novelists, journals, nonfiction writers, as he is, play writers, screenwriters publishers, agents -- really, agents?
5:08 am
they get a piece of pan-american as well? good for them. >> then sunday, in his new book spying on the south, the late author tony horwitz recounts the travels of landscape architect who wrote about life in the south during the lead up to the civil war. 20tape this program on may and died on may 27. it was the vividness of his writing about the south in that era and my curiosity of how he got from there to central ofk and also his mission yes, i'm going to cross this divide and try and understand what is happening in this country at this moment. >> and at 9:00, 60 minutes correspondent scott kelly on
5:09 am
major news events he has covered as a reporter and his thoughts on a free press. his latest book is "truth worth telling." he is interviewed by david gregory. >> what is the fastest way to destroy a democracy? is it war? is it terrorism? is it another great depression? i think the fastest way to destroy democracy is to poison the information. that is what we are seeing. we have moved from the information age to the disinformation age. >> watch this weekend on "book tv" on c-span2. >> next, recent college commencement speeches by ,resident trump, maxine waters and former deputy attorney general rod rosen's time. will also show a 2013 commencement speech by robert mueller.
5:10 am
yesterday, president trump spoke at the commencement for this year's graduating class of the air force academy in colorado. he talked about his administration's military policies, including his proposal to develop 's. the speech is happening our. half an hour.is [applause]

28 Views

info Stream Only

Uploaded by TV Archive on